diff --git a/esp-mbedtls-sys/gen/include/config.h b/esp-mbedtls-sys/gen/include/config.h index 8b7a1473..c5e8d596 100644 --- a/esp-mbedtls-sys/gen/include/config.h +++ b/esp-mbedtls-sys/gen/include/config.h @@ -9,19 +9,7 @@ */ /* * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ /** @@ -168,19 +156,51 @@ * * Enable the memory allocation layer. * - * By default mbed TLS uses the system-provided calloc() and free(). + * By default Mbed TLS uses the system-provided calloc() and free(). * This allows different allocators (self-implemented or provided) to be * provided to the platform abstraction layer. * - * Enabling MBEDTLS_PLATFORM_MEMORY without the + * Enabling #MBEDTLS_PLATFORM_MEMORY without the * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and * free() function pointer at runtime. * - * Enabling MBEDTLS_PLATFORM_MEMORY and specifying + * Enabling #MBEDTLS_PLATFORM_MEMORY and specifying * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the * alternate function at compile time. * + * An overview of how the value of mbedtls_calloc is determined: + * + * - if !MBEDTLS_PLATFORM_MEMORY + * - mbedtls_calloc = calloc + * - if MBEDTLS_PLATFORM_MEMORY + * - if (MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): + * - mbedtls_calloc = MBEDTLS_PLATFORM_CALLOC_MACRO + * - if !(MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): + * - Dynamic setup via mbedtls_platform_set_calloc_free is now possible with a default value MBEDTLS_PLATFORM_STD_CALLOC. + * - How is MBEDTLS_PLATFORM_STD_CALLOC handled? + * - if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: + * - MBEDTLS_PLATFORM_STD_CALLOC is not set to anything; + * - MBEDTLS_PLATFORM_STD_MEM_HDR can be included if present; + * - if !MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: + * - if MBEDTLS_PLATFORM_STD_CALLOC is present: + * - User-defined MBEDTLS_PLATFORM_STD_CALLOC is respected; + * - if !MBEDTLS_PLATFORM_STD_CALLOC: + * - MBEDTLS_PLATFORM_STD_CALLOC = calloc + * + * - At this point the presence of MBEDTLS_PLATFORM_STD_CALLOC is checked. + * - if !MBEDTLS_PLATFORM_STD_CALLOC + * - MBEDTLS_PLATFORM_STD_CALLOC = uninitialized_calloc + * + * - mbedtls_calloc = MBEDTLS_PLATFORM_STD_CALLOC. + * + * Defining MBEDTLS_PLATFORM_CALLOC_MACRO and #MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible. + * MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time. + * #MBEDTLS_PLATFORM_STD_CALLOC and #MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used, + * dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases. + * An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer. + * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything. + * * Requires: MBEDTLS_PLATFORM_C * * Enable this layer to allow use of alternative memory allocators. @@ -209,10 +229,10 @@ /** * \def MBEDTLS_PLATFORM_EXIT_ALT * - * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the + * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let Mbed TLS support the * function in the platform abstraction layer. * - * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will + * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, Mbed TLS will * provide a function "mbedtls_platform_set_printf()" that allows you to set an * alternative printf function pointer. * @@ -238,6 +258,49 @@ //#define MBEDTLS_PLATFORM_VSNPRINTF_ALT //#define MBEDTLS_PLATFORM_NV_SEED_ALT //#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT +//#define MBEDTLS_PLATFORM_MS_TIME_ALT + +/** + * Uncomment the macro to let Mbed TLS use your alternate implementation of + * mbedtls_platform_gmtime_r(). This replaces the default implementation in + * platform_util.c. + * + * gmtime() is not a thread-safe function as defined in the C standard. The + * library will try to use safer implementations of this function, such as + * gmtime_r() when available. However, if Mbed TLS cannot identify the target + * system, the implementation of mbedtls_platform_gmtime_r() will default to + * using the standard gmtime(). In this case, calls from the library to + * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex + * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the + * library are also guarded with this mutex to avoid race conditions. However, + * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will + * unconditionally use the implementation for mbedtls_platform_gmtime_r() + * supplied at compile time. + */ +//#define MBEDTLS_PLATFORM_GMTIME_R_ALT + +/** + * Uncomment the macro to let Mbed TLS use your alternate implementation of + * mbedtls_platform_zeroize(), to wipe sensitive data in memory. This replaces + * the default implementation in platform_util.c. + * + * By default, the library uses a system function such as memset_s() + * (optional feature of C11), explicit_bzero() (BSD and compatible), or + * SecureZeroMemory (Windows). If no such function is detected, the library + * falls back to a plain C implementation. Compilers are technically + * permitted to optimize this implementation out, meaning that the memory is + * not actually wiped. The library tries to prevent that, but the C language + * makes it impossible to guarantee that the memory will always be wiped. + * + * If your platform provides a guaranteed method to wipe memory which + * `platform_util.c` does not detect, define this macro to the name of + * a function that takes two arguments, a `void *` pointer and a length, + * and wipes that many bytes starting at the specified address. For example, + * if your platform has explicit_bzero() but `platform_util.c` does not + * detect its presence, define `MBEDTLS_PLATFORM_ZEROIZE_ALT` to be + * `explicit_bzero` to use that function as mbedtls_platform_zeroize(). + */ +#define MBEDTLS_PLATFORM_ZEROIZE_ALT /** * \def MBEDTLS_DEPRECATED_WARNING @@ -269,7 +332,7 @@ /** \} name SECTION: System support */ /** - * \name SECTION: mbed TLS feature support + * \name SECTION: Mbed TLS feature support * * This section sets support for features that are or are not needed * within the modules that are enabled. @@ -292,7 +355,7 @@ /** * \def MBEDTLS_AES_ALT * - * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your + * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let Mbed TLS use your * alternate core implementation of a symmetric crypto, an arithmetic or hash * module (e.g. platform specific assembly optimized implementations). Keep * in mind that the function prototypes should remain the same. @@ -300,7 +363,7 @@ * This replaces the whole module. If you only want to replace one of the * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags. * - * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer + * Example: In case you uncomment MBEDTLS_AES_ALT, Mbed TLS will no longer * provide the "struct mbedtls_aes_context" definition and omit the base * function declarations and implementations. "aes_alt.h" will be included from * "aes.h" to include the new function definitions. @@ -326,7 +389,6 @@ //#define MBEDTLS_ECJPAKE_ALT //#define MBEDTLS_GCM_ALT //#define MBEDTLS_NIST_KW_ALT -//#define MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK //#define MBEDTLS_MD5_ALT //#define MBEDTLS_POLY1305_ALT //#define MBEDTLS_RIPEMD160_ALT @@ -349,14 +411,14 @@ /** * \def MBEDTLS_SHA256_PROCESS_ALT * - * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you + * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let Mbed TLS use you * alternate core implementation of symmetric crypto or hash function. Keep in * mind that function prototypes should remain the same. * - * This replaces only one function. The header file from mbed TLS is still + * This replaces only one function. The header file from Mbed TLS is still * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags. * - * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will + * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, Mbed TLS will * no longer provide the mbedtls_sha1_process() function, but it will still provide * the other function (using your mbedtls_sha1_process() function) and the definition * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible @@ -406,11 +468,11 @@ * * Expose a part of the internal interface of the Elliptic Curve Point module. * - * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your + * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let Mbed TLS use your * alternative core implementation of elliptic curve arithmetic. Keep in mind * that function prototypes should remain the same. * - * This partially replaces one function. The header file from mbed TLS is still + * This partially replaces one function. The header file from Mbed TLS is still * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation * is still present and it is used for group structures not supported by the * alternative. @@ -434,11 +496,11 @@ * implement optimized set up and tear down instructions. * * Example: In case you set MBEDTLS_ECP_INTERNAL_ALT and - * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac() + * MBEDTLS_ECP_DOUBLE_JAC_ALT, Mbed TLS will still provide the ecp_double_jac() * function, but will use your mbedtls_internal_ecp_double_jac() if the group * for the operation is supported by your implementation (i.e. your * mbedtls_internal_ecp_grp_capable() function returns 1 for this group). If the - * group is not supported by your implementation, then the original mbed TLS + * group is not supported by your implementation, then the original Mbed TLS * implementation of ecp_double_jac() is used instead, unless this fallback * behaviour is disabled by setting MBEDTLS_ECP_NO_FALLBACK (in which case * ecp_double_jac() will return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE). @@ -469,7 +531,7 @@ /** * \def MBEDTLS_ENTROPY_HARDWARE_ALT * - * Uncomment this macro to let mbed TLS use your own implementation of a + * Uncomment this macro to let Mbed TLS use your own implementation of a * hardware entropy collector. * * Your function must be called \c mbedtls_hardware_poll(), have the same @@ -496,7 +558,6 @@ * performance if ROM access is slower than RAM access. * * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. - * */ #define MBEDTLS_AES_ROM_TABLES @@ -518,10 +579,40 @@ * depends on the system and memory details. * * This option is independent of \c MBEDTLS_AES_ROM_TABLES. - * */ //#define MBEDTLS_AES_FEWER_TABLES +/** + * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + * + * Use only 128-bit keys in AES operations to save ROM. + * + * Uncomment this macro to remove support for AES operations that use 192- + * or 256-bit keys. + * + * Uncommenting this macro reduces the size of AES code by ~300 bytes + * on v8-M/Thumb2. + * + * Module: library/aes.c + * + * Requires: MBEDTLS_AES_C + */ +//#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + +/* + * Disable plain C implementation for AES. + * + * When the plain C implementation is enabled, and an implementation using a + * special CPU feature (such as MBEDTLS_AESCE_C) is also enabled, runtime + * detection will be used to select between them. + * + * If only one implementation is present, runtime detection will not be used. + * This configuration will crash at runtime if running on a CPU without the + * necessary features. It will not build unless at least one of MBEDTLS_AESCE_C + * and/or MBEDTLS_AESNI_C is enabled & present in the build. + */ +//#define MBEDTLS_AES_USE_HARDWARE_ONLY + /** * \def MBEDTLS_CAMELLIA_SMALL_MEMORY * @@ -640,10 +731,23 @@ /** \def MBEDTLS_CTR_DRBG_USE_128_BIT_KEY * * Uncomment this macro to use a 128-bit key in the CTR_DRBG module. - * By default, CTR_DRBG uses a 256-bit key. + * Without this, CTR_DRBG uses a 256-bit key + * unless \c MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set. */ //#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY +/** + * Enable the verified implementations of ECDH primitives from Project Everest + * (currently only Curve25519). This feature changes the layout of ECDH + * contexts and therefore is a compatibility break for applications that access + * fields of a mbedtls_ecdh_context structure directly. See also + * MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h. + * + * The Everest code is provided under the Apache 2.0 license only; therefore enabling this + * option is not compatible with taking the library under the GPL v2.0-or-later license. + */ +//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED + /** * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED * @@ -734,6 +838,14 @@ */ //#define MBEDTLS_ECP_RESTARTABLE +/** + * Uncomment to enable using new bignum code in the ECC modules. + * + * \warning This is currently experimental, incomplete and therefore should not + * be used in production. + */ +//#define MBEDTLS_ECP_WITH_MPI_UINT + /** * \def MBEDTLS_ECDSA_DETERMINISTIC * @@ -802,7 +914,7 @@ * * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. * - * Requires: MBEDTLS_ECDH_C + * Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) * * This enables the following ciphersuites (if other requisites are * enabled as well): @@ -900,7 +1012,9 @@ * * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. * - * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, + * Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) + * MBEDTLS_RSA_C + * MBEDTLS_PKCS1_V15 * MBEDTLS_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are @@ -923,7 +1037,9 @@ * * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. * - * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C, + * Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) + * MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA) + * MBEDTLS_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are * enabled as well): @@ -945,7 +1061,9 @@ * * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. * - * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C + * Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) + * MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA) + * MBEDTLS_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are * enabled as well): @@ -967,7 +1085,9 @@ * * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. * - * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_X509_CRT_PARSE_C + * Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) + * MBEDTLS_RSA_C + * MBEDTLS_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are * enabled as well): @@ -993,10 +1113,14 @@ * Thread v1.0.0 specification; incompatible changes to the specification * might still happen. For this reason, this is disabled by default. * - * Requires: MBEDTLS_ECJPAKE_C - * SHA-256 (via MD if present, or via PSA, see MBEDTLS_ECJPAKE_C) + * Requires: MBEDTLS_ECJPAKE_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_JPAKE) + * SHA-256 (via MBEDTLS_SHA256_C or a PSA driver) * MBEDTLS_ECP_DP_SECP256R1_ENABLED * + * \warning If SHA-256 is provided only by a PSA driver, you must call + * psa_crypto_init() before the first handshake (even if + * MBEDTLS_USE_PSA_CRYPTO is disabled). + * * This enables the following ciphersuites (if other requisites are * enabled as well): * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 @@ -1017,6 +1141,19 @@ */ #define MBEDTLS_PK_PARSE_EC_EXTENDED +/** + * \def MBEDTLS_PK_PARSE_EC_COMPRESSED + * + * Enable the support for parsing public keys of type Short Weierstrass + * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX) which are using the + * compressed point format. This parsing is done through ECP module's functions. + * + * \note As explained in the description of MBEDTLS_ECP_PF_COMPRESSED (in ecp.h) + * the only unsupported curves are MBEDTLS_ECP_DP_SECP224R1 and + * MBEDTLS_ECP_DP_SECP224K1. + */ +//#define MBEDTLS_PK_PARSE_EC_COMPRESSED + /** * \def MBEDTLS_ERROR_STRERROR_DUMMY * @@ -1177,15 +1314,10 @@ * * Enable support for PKCS#1 v2.1 encoding. * - * Requires: MBEDTLS_RSA_C and (MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C). - * - * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() - * before doing any PKCS#1 v2.1 operation. + * Requires: MBEDTLS_RSA_C * - * \warning When building with MBEDTLS_MD_C, all hashes used with this - * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, - * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by - * this module in builds where MBEDTLS_MD_C is disabled. + * \warning If using a hash that is only provided by PSA drivers, you must + * call psa_crypto_init() before doing any PKCS#1 v2.1 operation. * * This enables support for RSAES-OAEP and RSASSA-PSS operations. */ @@ -1223,18 +1355,6 @@ */ //#define MBEDTLS_PSA_CRYPTO_CLIENT -/** \def MBEDTLS_PSA_CRYPTO_DRIVERS - * - * Enable support for the experimental PSA crypto driver interface. - * - * Requires: MBEDTLS_PSA_CRYPTO_C - * - * \warning This interface is experimental. We intend to maintain backward - * compatibility with application code that relies on drivers, - * but the driver interfaces may change without notice. - */ -//#define MBEDTLS_PSA_CRYPTO_DRIVERS - /** \def MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG * * Make the PSA Crypto module use an external random generator provided @@ -1259,8 +1379,8 @@ * ); * ``` * The \c context value is initialized to 0 before the first call. - * The function must fill the \c output buffer with \p output_size bytes - * of random data and set \c *output_length to \p output_size. + * The function must fill the \c output buffer with \c output_size bytes + * of random data and set \c *output_length to \c output_size. * * Requires: MBEDTLS_PSA_CRYPTO_C * @@ -1281,12 +1401,77 @@ * NSPE (Non-Secure Process Environment) and an SPE (Secure Process * Environment). * + * If you enable this option, your build environment must include a header + * file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS + * header files, or in another directory on the compiler's include search + * path). Alternatively, your platform may customize the header + * `psa/crypto_platform.h`, in which case it can skip or replace the + * inclusion of `"crypto_spe.h"`. + * * Module: library/psa_crypto.c * Requires: MBEDTLS_PSA_CRYPTO_C * */ //#define MBEDTLS_PSA_CRYPTO_SPM +/** + * \def MBEDTLS_PSA_KEY_STORE_DYNAMIC + * + * Dynamically resize the PSA key store to accommodate any number of + * volatile keys (until the heap memory is exhausted). + * + * If this option is disabled, the key store has a fixed size + * #MBEDTLS_PSA_KEY_SLOT_COUNT for volatile keys and loaded persistent keys + * together. + * + * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled. + * + * Module: library/psa_crypto.c + * Requires: MBEDTLS_PSA_CRYPTO_C + */ +//#define MBEDTLS_PSA_KEY_STORE_DYNAMIC + +/** + * Uncomment to enable p256-m. This is an alternative implementation of + * key generation, ECDH and (randomized) ECDSA on the curve SECP256R1. + * Compared to the default implementation: + * + * - p256-m has a much smaller code size and RAM footprint. + * - p256-m is only available via the PSA API. This includes the pk module + * when #MBEDTLS_USE_PSA_CRYPTO is enabled. + * - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols + * over the core arithmetic, or deterministic derivation of keys. + * + * We recommend enabling this option if your application uses the PSA API + * and the only elliptic curve support it needs is ECDH and ECDSA over + * SECP256R1. + * + * If you enable this option, you do not need to enable any ECC-related + * MBEDTLS_xxx option. You do need to separately request support for the + * cryptographic mechanisms through the PSA API: + * - #MBEDTLS_PSA_CRYPTO_C and #MBEDTLS_PSA_CRYPTO_CONFIG for PSA-based + * configuration; + * - #MBEDTLS_USE_PSA_CRYPTO if you want to use p256-m from PK, X.509 or TLS; + * - #PSA_WANT_ECC_SECP_R1_256; + * - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed; + * - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC, + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT, + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed. + * + * \note To benefit from the smaller code size of p256-m, make sure that you + * do not enable any ECC-related option not supported by p256-m: this + * would cause the built-in ECC implementation to be built as well, in + * order to provide the required option. + * Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than + * SECP256R1 are disabled as they are not supported by this driver. + * Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or + * #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of + * the built-in ECC implementation, see docs/driver-only-builds.md. + */ +//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED + /** * \def MBEDTLS_PSA_INJECT_ENTROPY * @@ -1300,6 +1485,26 @@ */ //#define MBEDTLS_PSA_INJECT_ENTROPY +/** + * \def MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS + * + * Assume all buffers passed to PSA functions are owned exclusively by the + * PSA function and are not stored in shared memory. + * + * This option may be enabled if all buffers passed to any PSA function reside + * in memory that is accessible only to the PSA function during its execution. + * + * This option MUST be disabled whenever buffer arguments are in memory shared + * with an untrusted party, for example where arguments to PSA calls are passed + * across a trust boundary. + * + * \note Enabling this option reduces memory usage and code size. + * + * \note Enabling this option causes overlap of input and output buffers + * not to be supported by PSA functions. + */ +//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS + /** * \def MBEDTLS_RSA_NO_CRT * @@ -1348,7 +1553,7 @@ * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES * * Enable sending of alert messages in case of encountered errors as per RFC. - * If you choose not to send the alert messages, mbed TLS can still communicate + * If you choose not to send the alert messages, Mbed TLS can still communicate * with other servers, only debugging of failures is harder. * * The advantage of not sending alert messages, is that no information is given @@ -1417,6 +1622,46 @@ */ //#define MBEDTLS_SSL_ASYNC_PRIVATE +/** \def MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + * + * In TLS clients, when a client authenticates a server through its + * certificate, the client normally checks three things: + * - the certificate chain must be valid; + * - the chain must start from a trusted CA; + * - the certificate must cover the server name that is expected by the client. + * + * Omitting any of these checks is generally insecure, and can allow a + * malicious server to impersonate a legitimate server. + * + * The third check may be safely skipped in some unusual scenarios, + * such as networks where eavesdropping is a risk but not active attacks, + * or a private PKI where the client equally trusts all servers that are + * accredited by the root CA. + * + * You should call mbedtls_ssl_set_hostname() with the expected server name + * before starting a TLS handshake on a client (unless the client is + * set up to only use PSK-based authentication, which does not rely on the + * host name). This configuration option controls what happens if a TLS client + * is configured with the authentication mode #MBEDTLS_SSL_VERIFY_REQUIRED + * (default), certificate authentication is enabled and the client does not + * call mbedtls_ssl_set_hostname(): + * + * - If this option is unset (default), the connection attempt is aborted + * with the error #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME. + * - If this option is set, the TLS library does not check the server name + * that the certificate is valid for. This is the historical behavior + * of Mbed TLS, but may be insecure as explained above. + * + * Enable this option for strict backward compatibility if you have + * determined that it is secure in the scenario where you are using + * Mbed TLS. + * + * \deprecated This option exists only for backward compatibility and will + * be removed in the next major version of Mbed TLS. + * + */ +//#define MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /** * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION * @@ -1518,6 +1763,20 @@ */ #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE +/** + * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT + * + * When this option is enabled, the client and server can extract additional + * shared symmetric keys after an SSL handshake using the function + * mbedtls_ssl_export_keying_material(). + * + * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and + * in RFC 8446, Section 7.5, for TLS 1.3. + * + * Comment this macro to disable mbedtls_ssl_export_keying_material(). + */ +//#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT + /** * \def MBEDTLS_SSL_RENEGOTIATION * @@ -1529,6 +1788,8 @@ * it has been associated with security issues in the past and is easy to * misuse/misunderstand. * + * Requires: MBEDTLS_SSL_PROTO_TLS1_2 + * * Comment this to disable support for renegotiation. * * \note Even if this option is disabled, both client and server are aware @@ -1554,9 +1815,6 @@ * * Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only). * - * \warning This extension is currently in development and must NOT be used except - * for testing purposes. - * * Requires: MBEDTLS_SSL_PROTO_TLS1_3 * * Uncomment this macro to enable support for the record_size_limit extension @@ -1569,13 +1827,14 @@ * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). * * Requires: Without MBEDTLS_USE_PSA_CRYPTO: MBEDTLS_MD_C and - * (MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C) + * (MBEDTLS_SHA256_C or MBEDTLS_SHA384_C or + * SHA-256 or SHA-512 provided by a PSA driver) * With MBEDTLS_USE_PSA_CRYPTO: - * PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or - * PSA_WANT_ALG_SHA_512 + * PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384 * - * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call - * psa_crypto_init() before doing any TLS operations. + * \warning If building with MBEDTLS_USE_PSA_CRYPTO, or if the hash(es) used + * are only provided by PSA drivers, you must call psa_crypto_init() before + * doing any TLS operations. * * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 */ @@ -1586,23 +1845,27 @@ * * Enable support for TLS 1.3. * - * \note The support for TLS 1.3 is not comprehensive yet, in particular - * pre-shared keys are not supported. - * See docs/architecture/tls13-support.md for a description of the TLS + * \note See docs/architecture/tls13-support.md for a description of the TLS * 1.3 support that this option enables. * * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE * Requires: MBEDTLS_PSA_CRYPTO_C * * \note TLS 1.3 uses PSA crypto for cryptographic operations that are - * directly performed by TLS 1.3 code. As a consequence, you must - * call psa_crypto_init() before the first TLS 1.3 handshake. + * directly performed by TLS 1.3 code. As a consequence, when TLS 1.3 + * is enabled, a TLS handshake may call psa_crypto_init(), even + * if it ends up negotiating a different TLS version. * * \note Cryptographic operations performed indirectly via another module * (X.509, PK) or by code shared with TLS 1.2 (record protection, * running handshake hash) only use PSA crypto if * #MBEDTLS_USE_PSA_CRYPTO is enabled. * + * \note In multithreaded applications, you must also enable + * #MBEDTLS_THREADING_C, even if individual TLS contexts are not + * shared between threads, unless only one thread ever calls + * TLS functions. + * * Uncomment this macro to enable the support for TLS 1.3. */ #define MBEDTLS_SSL_PROTO_TLS1_3 @@ -1646,8 +1909,11 @@ * * Enable TLS 1.3 ephemeral key exchange mode. * - * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C, MBEDTLS_ECDSA_C or - * MBEDTLS_PKCS1_V21 + * Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH + * MBEDTLS_X509_CRT_PARSE_C + * and at least one of: + * MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA) + * MBEDTLS_PKCS1_V21 * * Comment to disable support for the ephemeral key exchange mode in TLS 1.3. * If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any @@ -1661,7 +1927,7 @@ * * Enable TLS 1.3 PSK ephemeral key exchange mode. * - * Requires: MBEDTLS_ECDH_C + * Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH * * Comment to disable support for the PSK ephemeral key exchange mode in * TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not @@ -1682,29 +1948,12 @@ * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3 * is not enabled, this option does not have any effect on the build. * - * This feature is experimental, not completed and thus not ready for - * production. + * \note The maximum amount of early data can be set with + * MBEDTLS_SSL_MAX_EARLY_DATA_SIZE. * */ //#define MBEDTLS_SSL_EARLY_DATA -/** - * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE - * - * The default maximum amount of 0-RTT data. See the documentation of - * \c mbedtls_ssl_tls13_conf_max_early_data_size() for more information. - * - * It must be positive and smaller than UINT32_MAX. - * - * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not - * have any impact on the build. - * - * This feature is experimental, not completed and thus not ready for - * production. - * - */ -#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 - /** * \def MBEDTLS_SSL_PROTO_DTLS * @@ -1901,7 +2150,19 @@ /** * \def MBEDTLS_THREADING_ALT * - * Provide your own alternate threading implementation. + * Provide your own alternate implementation of threading primitives + * for mutexes. If you enable this option: + * + * - Provide a header file `"threading_alt.h"`, defining the + * type `mbedtls_threading_mutex_t` of mutex objects. + * + * - Call the function mbedtls_threading_set_alt() in your application + * before calling any other library function (in particular before + * calling psa_crypto_init(), performing an asymmetric cryptography + * operation, or starting a TLS connection). + * + * See mbedtls/threading.h for more details, especially the documentation + * of mbedtls_threading_set_alt(). * * Requires: MBEDTLS_THREADING_C * @@ -1923,19 +2184,30 @@ /** * \def MBEDTLS_USE_PSA_CRYPTO * - * Make the X.509 and TLS library use PSA for cryptographic operations, and - * enable new APIs for using keys handled by PSA Crypto. + * Make the X.509 and TLS libraries use PSA for cryptographic operations as + * much as possible, and enable new APIs for using keys handled by PSA Crypto. * * \note Development of this option is currently in progress, and parts of Mbed * TLS's X.509 and TLS modules are not ported to PSA yet. However, these parts * will still continue to work as usual, so enabling this option should not * break backwards compatibility. * - * \note See docs/use-psa-crypto.md for a complete description of what this - * option currently does, and of parts that are not affected by it so far. - * * \warning If you enable this option, you need to call `psa_crypto_init()` - * before calling any function from the SSL/TLS, X.509 or PK modules. + * before calling any function from the SSL/TLS, X.509 or PK modules, except + * for the various mbedtls_xxx_init() functions which can be called at any time. + * + * \warning In multithreaded applications, you must also enable + * #MBEDTLS_THREADING_C, unless only one thread ever calls PSA functions + * (`psa_xxx()`), including indirect calls through SSL/TLS, X.509 or PK. + * + * \note An important and desirable effect of this option is that it allows + * PK, X.509 and TLS to take advantage of PSA drivers. For example, enabling + * this option is what allows use of drivers for ECDSA, ECDH and EC J-PAKE in + * those modules. However, note that even with this option disabled, some code + * in PK, X.509, TLS or the crypto library might still use PSA drivers, if it + * can determine it's safe to do so; currently that's the case for hashes. + * + * \note See docs/use-psa-crypto.md for a complete description this option. * * Requires: MBEDTLS_PSA_CRYPTO_C. * @@ -1963,8 +2235,15 @@ * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies * an alternative header to include instead of include/psa/crypto_config.h. * - * This feature is still experimental and is not ready for production since - * it is not completed. + * \warning This option is experimental, in that the set of `PSA_WANT_XXX` + * symbols is not completely finalized yet, and the configuration + * tooling is not ideally adapted to having two separate configuration + * files. + * Future minor releases of Mbed TLS may make minor changes to those + * symbols, but we will endeavor to provide a transition path. + * Nonetheless, this option is considered mature enough to use in + * production, as long as you accept that you may need to make + * minor changes to psa/crypto_config.h when upgrading Mbed TLS. */ //#define MBEDTLS_PSA_CRYPTO_CONFIG @@ -2019,15 +2298,17 @@ * Enable parsing and verification of X.509 certificates, CRLs and CSRS * signed with RSASSA-PSS (aka PKCS#1 v2.1). * + * Requires: MBEDTLS_PKCS1_V21 + * * Comment this macro to disallow using RSASSA-PSS in certificates. */ #define MBEDTLS_X509_RSASSA_PSS_SUPPORT -/** \} name SECTION: mbed TLS feature support */ +/** \} name SECTION: Mbed TLS feature support */ /** - * \name SECTION: mbed TLS modules + * \name SECTION: Mbed TLS modules * - * This section enables or disables entire modules in mbed TLS + * This section enables or disables entire modules in Mbed TLS * \{ */ @@ -2037,7 +2318,7 @@ * Enable AES-NI support on x86-64 or x86-32. * * \note AESNI is only supported with certain compilers and target options: - * - Visual Studio 2013: supported. + * - Visual Studio: supported * - GCC, x86-64, target not explicitly supporting AESNI: * requires MBEDTLS_HAVE_ASM. * - GCC, x86-32, target not explicitly supporting AESNI: @@ -2066,18 +2347,26 @@ /** * \def MBEDTLS_AESCE_C * - * Enable AES cryptographic extension support on 64-bit Arm. + * Enable AES cryptographic extension support on Armv8. * * Module: library/aesce.c * Caller: library/aes.c * - * Requires: MBEDTLS_HAVE_ASM, MBEDTLS_AES_C + * Requires: MBEDTLS_AES_C * * \warning Runtime detection only works on Linux. For non-Linux operating * system, Armv8-A Cryptographic Extensions must be supported by * the CPU when this option is enabled. * - * This module adds support for the AES Armv8-A Cryptographic Extensions on Aarch64 systems. + * \note Minimum compiler versions for this feature when targeting aarch64 + * are Clang 4.0; armclang 6.6; GCC 6.0; or MSVC 2019 version 16.11.2. + * Minimum compiler versions for this feature when targeting 32-bit + * Arm or Thumb are Clang 11.0; armclang 6.20; or GCC 6.0. + * + * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for + * armclang <= 6.9 + * + * This module adds support for the AES Armv8-A Cryptographic Extensions on Armv8 systems. */ //#define MBEDTLS_AESCE_C @@ -2196,6 +2485,28 @@ */ #define MBEDTLS_BASE64_C +/** + * \def MBEDTLS_BLOCK_CIPHER_NO_DECRYPT + * + * Remove decryption operation for AES, ARIA and Camellia block cipher. + * + * \note This feature is incompatible with insecure block cipher, + * MBEDTLS_DES_C, and cipher modes which always require decryption + * operation, MBEDTLS_CIPHER_MODE_CBC, MBEDTLS_CIPHER_MODE_XTS and + * MBEDTLS_NIST_KW_C. When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, + * this feature is incompatible with following supported PSA equivalence, + * PSA_WANT_ALG_ECB_NO_PADDING, PSA_WANT_ALG_CBC_NO_PADDING, + * PSA_WANT_ALG_CBC_PKCS7 and PSA_WANT_KEY_TYPE_DES. + * + * Module: library/aes.c + * library/aesce.c + * library/aesni.c + * library/aria.c + * library/camellia.c + * library/cipher.c + */ +//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT + /** * \def MBEDTLS_BIGNUM_C * @@ -2375,6 +2686,8 @@ * library/ssl_ciphersuites.c * library/ssl_msg.c * library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled) + * Auto-enabled by: MBEDTLS_PSA_CRYPTO_C depending on which ciphers are enabled + * (see the documentation of that option for details). * * Uncomment to enable generic cipher wrappers. */ @@ -2405,6 +2718,15 @@ * The CTR_DRBG generator uses AES-256 by default. * To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above. * + * AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA. + * Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA + * is used. + * + * \warning When using PSA, the user should call `psa_crypto_init()` before + * using any CTR_DRBG operation (except `mbedtls_ctr_drbg_init()`). + * + * \note AES-128 will be used if \c MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set. + * * \note To achieve a 256-bit security strength with CTR_DRBG, * you must use AES-256 *and* use sufficient entropy. * See ctr_drbg.h for more details. @@ -2412,7 +2734,9 @@ * Module: library/ctr_drbg.c * Caller: * - * Requires: MBEDTLS_AES_C + * Requires: MBEDTLS_AES_C or + * (PSA_WANT_KEY_TYPE_AES and PSA_WANT_ALG_ECB_NO_PADDING and + * MBEDTLS_PSA_CRYPTO_C) * * This module provides the CTR_DRBG AES random number generator. */ @@ -2523,13 +2847,8 @@ * * Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C * - * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() - * before doing any EC J-PAKE operations. - * - * \warning When building with MBEDTLS_MD_C, all hashes used with this - * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, - * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by - * this module in builds where MBEDTLS_MD_C is disabled. + * \warning If using a hash that is only provided by PSA drivers, you must + * call psa_crypto_init() before doing any EC J-PAKE operations. */ #define MBEDTLS_ECJPAKE_C @@ -2588,6 +2907,22 @@ */ #define MBEDTLS_GCM_C +/** + * \def MBEDTLS_GCM_LARGE_TABLE + * + * Enable large pre-computed tables for Galois/Counter Mode (GCM). + * Can significantly increase throughput on systems without GCM hardware + * acceleration (e.g., AESNI, AESCE). + * + * The mbedtls_gcm_context size will increase by 3840 bytes. + * The code size will increase by roughly 344 bytes. + * + * Module: library/gcm.c + * + * Requires: MBEDTLS_GCM_C + */ +//#define MBEDTLS_GCM_LARGE_TABLE + /** * \def MBEDTLS_HKDF_C * @@ -2663,7 +2998,8 @@ * * Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C, * MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C, - * MBEDTLS_SHA512_C. + * MBEDTLS_SHA512_C, or MBEDTLS_PSA_CRYPTO_C with at least + * one hash. * Module: library/md.c * Caller: library/constant_time.c * library/ecdsa.c @@ -2719,7 +3055,7 @@ * Module: library/memory_buffer_alloc.c * * Requires: MBEDTLS_PLATFORM_C - * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) + * MBEDTLS_PLATFORM_MEMORY (to use it within Mbed TLS) * * Enable this module to enable the buffer memory allocator. */ @@ -2794,6 +3130,10 @@ * library/x509_csr.c * * Requires: MBEDTLS_BASE64_C + * optionally MBEDTLS_MD5_C, or PSA Crypto with MD5 (see below) + * + * \warning When parsing password-protected files, if MD5 is provided only by + * a PSA driver, you must call psa_crypto_init() before the first file. * * This modules adds support for decoding / parsing PEM files. */ @@ -2842,7 +3182,7 @@ * Caller: library/x509_crt.c * library/x509_csr.c * - * Requires: MBEDTLS_PK_C + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_C * * Uncomment to enable generic public key parse functions. */ @@ -2856,7 +3196,7 @@ * Module: library/pkwrite.c * Caller: library/x509write.c * - * Requires: MBEDTLS_PK_C + * Requires: MBEDTLS_ASN1_WRITE_C, MBEDTLS_OID_C, MBEDTLS_PK_C * * Uncomment to enable generic public key write functions. */ @@ -2869,15 +3209,10 @@ * * Module: library/pkcs5.c * - * Requires: MBEDTLS_CIPHER_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C. - * - * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() - * before doing any PKCS5 operation. + * Auto-enables: MBEDTLS_MD_C * - * \warning When building with MBEDTLS_MD_C, all hashes used with this - * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, - * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by - * this module in builds where MBEDTLS_MD_C is disabled. + * \warning If using a hash that is only provided by PSA drivers, you must + * call psa_crypto_init() before doing any PKCS5 operations. * * This module adds support for the PKCS#5 functions. */ @@ -2908,16 +3243,11 @@ * Module: library/pkcs12.c * Caller: library/pkparse.c * - * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C and either - * MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C. + * Requires: MBEDTLS_ASN1_PARSE_C and either MBEDTLS_MD_C or + * MBEDTLS_PSA_CRYPTO_C. * - * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() - * before doing any PKCS12 operation. - * - * \warning When building with MBEDTLS_MD_C, all hashes used with this - * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, - * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by - * this module in builds where MBEDTLS_MD_C is disabled. + * \warning If using a hash that is only provided by PSA drivers, you must + * call psa_crypto_init() before doing any PKCS12 operations. * * This module enables PKCS#12 functions. */ @@ -2956,15 +3286,27 @@ /** * \def MBEDTLS_PSA_CRYPTO_C * - * Enable the Platform Security Architecture cryptography API. + * Enable the Platform Security Architecture (PSA) cryptography API. + * + * \note In multithreaded applications, you must enable #MBEDTLS_THREADING_C, + * unless only one thread ever calls `psa_xxx()` functions. + * That includes indirect calls, such as: + * - performing a TLS handshake if support for TLS 1.3 is enabled; + * - using a TLS 1.3 connection; + * - indirect calls from PK, X.509 or SSL functions when + * #MBEDTLS_USE_PSA_CRYPTO is enabled; + * - indirect calls to calculate a hash when #MBEDTLS_MD_C is disabled; + * - any other call to a function that requires calling psa_crypto_init() + * beforehand. * * Module: library/psa_crypto.c * - * Requires: MBEDTLS_CIPHER_C, - * either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, + * Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, * or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C, * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. - * + * Auto-enables: MBEDTLS_CIPHER_C if any unauthenticated (ie, non-AEAD) cipher + * is enabled in PSA (unless it's fully accelerated, see + * docs/driver-only-builds.md about that). */ #define MBEDTLS_PSA_CRYPTO_C @@ -2974,8 +3316,11 @@ * Enable dynamic secure element support in the Platform Security Architecture * cryptography API. * - * \deprecated This feature is deprecated. Please switch to the driver - * interface enabled by #MBEDTLS_PSA_CRYPTO_DRIVERS. + * \deprecated This feature is deprecated. Please switch to the PSA driver + * interface. + * + * \warning This feature is not thread-safe, and should not be used in a + * multi-threaded environment. * * Module: library/psa_crypto_se.c * @@ -3009,6 +3354,26 @@ */ //#define MBEDTLS_PSA_ITS_FILE_C +/** + * \def MBEDTLS_PSA_STATIC_KEY_SLOTS + * + * Statically preallocate memory to store keys' material in PSA instead + * of allocating it dynamically when required. This allows builds without a + * heap, if none of the enabled cryptographic implementations or other features + * require it. + * This feature affects both volatile and persistent keys which means that + * it's not possible to persistently store a key which is larger than + * #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. + * + * \note This feature comes with a (potentially) higher RAM usage since: + * - All the key slots are allocated no matter if they are used or not. + * - Each key buffer's length is #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE bytes. + * + * Requires: MBEDTLS_PSA_CRYPTO_C + * + */ +//#define MBEDTLS_PSA_STATIC_KEY_SLOTS + /** * \def MBEDTLS_RIPEMD160_C * @@ -3090,47 +3455,85 @@ #define MBEDTLS_SHA256_C /** - * \def MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + * \def MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT * * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms * with the ARMv8 cryptographic extensions if they are available at runtime. * If not, the library will fall back to the C implementation. * - * \note If MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT is defined when building - * for a non-Aarch64 build it will be silently ignored. + * \note If MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT is defined when building + * for a non-Armv8-A build it will be silently ignored. + * + * \note Minimum compiler versions for this feature are Clang 4.0, + * armclang 6.6 or GCC 6.0. + * + * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for + * armclang <= 6.9 + * + * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT. + * That name is deprecated, but may still be used as an alternative form for this + * option. * - * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the - * same time as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY. + * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT cannot be defined at the + * same time as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY. * * Requires: MBEDTLS_SHA256_C. * * Module: library/sha256.c * - * Uncomment to have the library check for the A64 SHA-256 crypto extensions + * Uncomment to have the library check for the Armv8-A SHA-256 crypto extensions * and use them if available. */ +//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + +/** + * \def MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + * + * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT. + * This name is now deprecated, but may still be used as an alternative form for + * this option. + */ //#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT /** - * \def MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + * \def MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY * * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms * with the ARMv8 cryptographic extensions, which must be available at runtime * or else an illegal instruction fault will occur. * * \note This allows builds with a smaller code size than with - * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + * + * \note Minimum compiler versions for this feature are Clang 4.0, + * armclang 6.6 or GCC 6.0. + * + * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for + * armclang <= 6.9 + * + * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY. + * That name is deprecated, but may still be used as an alternative form for this + * option. * - * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY cannot be defined at the same - * time as MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT. + * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY cannot be defined at the same + * time as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT. * * Requires: MBEDTLS_SHA256_C. * * Module: library/sha256.c * - * Uncomment to have the library use the A64 SHA-256 crypto extensions + * Uncomment to have the library use the Armv8-A SHA-256 crypto extensions * unconditionally. */ +//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY + +/** + * \def MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + * + * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY. + * This name is now deprecated, but may still be used as an alternative form for + * this option. + */ //#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY /** @@ -3164,6 +3567,17 @@ */ #define MBEDTLS_SHA512_C +/** + * \def MBEDTLS_SHA3_C + * + * Enable the SHA3 cryptographic hash algorithm. + * + * Module: library/sha3.c + * + * This module adds support for SHA3. + */ +//#define MBEDTLS_SHA3_C + /** * \def MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT * @@ -3174,8 +3588,11 @@ * \note If MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT is defined when building * for a non-Aarch64 build it will be silently ignored. * - * \note The code uses the SHA-512 Neon intrinsics, so requires GCC >= 8 or - * Clang >= 7. + * \note Minimum compiler versions for this feature are Clang 7.0, + * armclang 6.9 or GCC 8.0. + * + * \note \c CFLAGS must be set to a minimum of \c -march=armv8.2-a+sha3 for + * armclang 6.9 * * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the * same time as MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY. @@ -3199,8 +3616,11 @@ * \note This allows builds with a smaller code size than with * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT * - * \note The code uses the SHA-512 Neon intrinsics, so requires GCC >= 8 or - * Clang >= 7. + * \note Minimum compiler versions for this feature are Clang 7.0, + * armclang 6.9 or GCC 8.0. + * + * \note \c CFLAGS must be set to a minimum of \c -march=armv8.2-a+sha3 for + * armclang 6.9 * * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY cannot be defined at the same * time as MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT. @@ -3297,10 +3717,38 @@ * \def MBEDTLS_THREADING_C * * Enable the threading abstraction layer. - * By default mbed TLS assumes it is used in a non-threaded environment or that - * contexts are not shared between threads. If you do intend to use contexts + * + * Traditionally, Mbed TLS assumes it is used in a non-threaded environment or + * that contexts are not shared between threads. If you do intend to use contexts * between threads, you will need to enable this layer to prevent race - * conditions. See also our Knowledge Base article about threading: + * conditions. + * + * The PSA subsystem has an implicit shared context. Therefore, you must + * enable this option if more than one thread may use any part of + * Mbed TLS that is implemented on top of the PSA subsystem. + * + * You must enable this option in multithreaded applications where more than + * one thread performs any of the following operations: + * + * - Any call to a PSA function (`psa_xxx()`). + * - Any call to a TLS, X.509 or PK function (`mbedtls_ssl_xxx()`, + * `mbedtls_x509_xxx()`, `mbedtls_pkcs7_xxx()`, `mbedtls_pk_xxx()`) + * if `MBEDTLS_USE_PSA_CRYPTO` is enabled (regardless of whether individual + * TLS, X.509 or PK contexts are shared between threads). + * - A TLS 1.3 connection, regardless of the compile-time configuration. + * - Any library feature that calculates a hash, if `MBEDTLS_MD_C` is disabled. + * As an exception, algorithm-specific low-level modules do not require + * threading protection unless the contexts are shared between threads. + * - Any library feature that performs symmetric encryption or decryption, + * if `MBEDTLS_CIPHER_C` is disabled. + * As an exception, algorithm-specific low-level modules do not require + * threading protection unless the contexts are shared between threads. + * - Any use of a cryptographic context if the same context is used in + * multiple threads. + * - Any call to a function where the documentation specifies that + * psa_crypto_init() must be called prior to that function. + * + * See also our Knowledge Base article about threading: * https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading * * Module: library/threading.c @@ -3311,7 +3759,7 @@ * You will have to enable either MBEDTLS_THREADING_ALT or * MBEDTLS_THREADING_PTHREAD. * - * Enable this layer to allow use of mutexes within mbed TLS + * Enable this layer to allow use of mutexes within Mbed TLS */ //#define MBEDTLS_THREADING_C @@ -3457,7 +3905,7 @@ */ #define MBEDTLS_X509_CSR_WRITE_C -/** \} name SECTION: mbed TLS modules */ +/** \} name SECTION: Mbed TLS modules */ /** * \name SECTION: General configuration options @@ -3638,8 +4086,29 @@ /* Platform options */ //#define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ -//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */ -//#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */ + +/** \def MBEDTLS_PLATFORM_STD_CALLOC + * + * Default allocator to use, can be undefined. + * It must initialize the allocated buffer memory to zeroes. + * The size of the buffer is the product of the two parameters. + * The calloc function returns either a null pointer or a pointer to the allocated space. + * If the product is 0, the function may either return NULL or a valid pointer to an array of size 0 which is a valid input to the deallocation function. + * An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer. + * See the description of #MBEDTLS_PLATFORM_MEMORY for more details. + * The corresponding deallocation function is #MBEDTLS_PLATFORM_STD_FREE. + */ +//#define MBEDTLS_PLATFORM_STD_CALLOC calloc + +/** \def MBEDTLS_PLATFORM_STD_FREE + * + * Default free to use, can be undefined. + * NULL is a valid parameter, and the function must do nothing. + * A non-null parameter will always be a pointer previously returned by #MBEDTLS_PLATFORM_STD_CALLOC and not yet freed. + * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything. + * See the description of #MBEDTLS_PLATFORM_MEMORY for more details (same principles as for MBEDTLS_PLATFORM_STD_CALLOC apply). + */ +//#define MBEDTLS_PLATFORM_STD_FREE free //#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ @@ -3653,10 +4122,10 @@ //#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */ -/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */ +/* To use the following function macros, MBEDTLS_PLATFORM_C must be enabled. */ /* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ -//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */ -//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */ +//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_CALLOC for requirements. */ +//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_FREE for requirements. */ //#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf /**< Default setbuf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ @@ -3668,6 +4137,8 @@ //#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf /**< Default vsnprintf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ +//#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t //#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t /**< Default milliseconds time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled. It must be signed, and at least 64 bits. If it is changed from the default, MBEDTLS_PRINTF_MS_TIME must be updated to match.*/ +//#define MBEDTLS_PRINTF_MS_TIME PRId64 /**< Default fmt for printf. That's avoid compiler warning if mbedtls_ms_time_t is redefined */ /** \def MBEDTLS_CHECK_RETURN * @@ -3697,25 +4168,57 @@ * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the * PSA crypto subsystem. * - * If this option is unset: - * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG. - * - Otherwise, the PSA subsystem uses HMAC_DRBG with either - * #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and - * on unspecified heuristics. + * If this option is unset, the library chooses a hash (currently between + * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and + * unspecified heuristics. + * + * \note The PSA crypto subsystem uses the first available mechanism amongst + * the following: + * - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled; + * - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES + * if #MBEDTLS_CTR_DRBG_C is enabled; + * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG. + * + * A future version may reevaluate the prioritization of DRBG mechanisms. */ //#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 /** \def MBEDTLS_PSA_KEY_SLOT_COUNT - * Restrict the PSA library to supporting a maximum amount of simultaneously - * loaded keys. A loaded key is a key stored by the PSA Crypto core as a - * volatile key, or a persistent key which is loaded temporarily by the - * library as part of a crypto operation in flight. * - * If this option is unset, the library will fall back to a default value of - * 32 keys. + * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled, + * the maximum amount of PSA keys simultaneously in memory. This counts all + * volatile keys, plus loaded persistent keys. + * + * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, + * the maximum number of loaded persistent keys. + * + * Currently, persistent keys do not need to be loaded all the time while + * a multipart operation is in progress, only while the operation is being + * set up. This may change in future versions of the library. + * + * Currently, the library traverses of the whole table on each access to a + * persistent key. Therefore large values may cause poor performance. + * + * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled. */ //#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 +/** + * \def MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE + * + * Define the size (in bytes) of each static key buffer when + * #MBEDTLS_PSA_STATIC_KEY_SLOTS is set. If not + * explicitly defined then it's automatically guessed from available PSA keys + * enabled in the build through PSA_WANT_xxx symbols. + * If required by the application this parameter can be set to higher values + * in order to store larger objects (ex: raw keys), but please note that this + * will increase RAM usage. + */ +//#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 256 + +/* RSA OPTIONS */ +//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 /**< Minimum RSA key size that can be generated in bits (Minimum possible value is 128 bits) */ + /* SSL Cache options */ //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */ //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */ @@ -3827,23 +4330,39 @@ */ //#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +/** + * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE + * + * The default maximum amount of 0-RTT data. See the documentation of + * \c mbedtls_ssl_conf_max_early_data_size() for more information. + * + * It must be positive and smaller than UINT32_MAX. + * + * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not + * have any impact on the build. + */ +#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 + /** * \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE * - * Maximum time difference in milliseconds tolerated between the age of a - * ticket from the server and client point of view. - * From the client point of view, the age of a ticket is the time difference - * between the time when the client proposes to the server to use the ticket - * (time of writing of the Pre-Shared Key Extension including the ticket) and - * the time the client received the ticket from the server. - * From the server point of view, the age of a ticket is the time difference - * between the time when the server receives a proposition from the client - * to use the ticket and the time when the ticket was created by the server. - * The server age is expected to be always greater than the client one and - * MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE defines the - * maximum difference tolerated for the server to accept the ticket. - * This is not used in TLS 1.2. + * Maximum allowed ticket age difference in milliseconds tolerated between + * server and client. Default value is 6000. This is not used in TLS 1.2. + * + * - The client ticket age is the time difference between the time when the + * client proposes to the server to use the ticket and the time the client + * received the ticket from the server. + * - The server ticket age is the time difference between the time when the + * server receives a proposition from the client to use the ticket and the + * time when the ticket was created by the server. * + * The ages might be different due to the client and server clocks not running + * at the same pace. The typical accuracy of an RTC crystal is ±100 to ±20 parts + * per million (360 to 72 milliseconds per hour). Default tolerance window is + * 6s, thus in the worst case clients and servers must sync up their system time + * every 6000/360/2~=8 hours. + * + * See section 8.3 of the TLS 1.3 specification(RFC 8446) for more information. */ #define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 @@ -3870,52 +4389,4 @@ //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */ //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */ -/** - * Uncomment the macro to let mbed TLS use your alternate implementation of - * mbedtls_platform_zeroize(). This replaces the default implementation in - * platform_util.c. - * - * mbedtls_platform_zeroize() is a widely used function across the library to - * zero a block of memory. The implementation is expected to be secure in the - * sense that it has been written to prevent the compiler from removing calls - * to mbedtls_platform_zeroize() as part of redundant code elimination - * optimizations. However, it is difficult to guarantee that calls to - * mbedtls_platform_zeroize() will not be optimized by the compiler as older - * versions of the C language standards do not provide a secure implementation - * of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to - * configure their own implementation of mbedtls_platform_zeroize(), for - * example by using directives specific to their compiler, features from newer - * C standards (e.g using memset_s() in C11) or calling a secure memset() from - * their system (e.g explicit_bzero() in BSD). - */ -#define MBEDTLS_PLATFORM_ZEROIZE_ALT - -/** - * Uncomment the macro to let Mbed TLS use your alternate implementation of - * mbedtls_platform_gmtime_r(). This replaces the default implementation in - * platform_util.c. - * - * gmtime() is not a thread-safe function as defined in the C standard. The - * library will try to use safer implementations of this function, such as - * gmtime_r() when available. However, if Mbed TLS cannot identify the target - * system, the implementation of mbedtls_platform_gmtime_r() will default to - * using the standard gmtime(). In this case, calls from the library to - * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex - * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the - * library are also guarded with this mutex to avoid race conditions. However, - * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will - * unconditionally use the implementation for mbedtls_platform_gmtime_r() - * supplied at compile time. - */ -//#define MBEDTLS_PLATFORM_GMTIME_R_ALT - -/** - * Enable the verified implementations of ECDH primitives from Project Everest - * (currently only Curve25519). This feature changes the layout of ECDH - * contexts and therefore is a compatibility break for applications that access - * fields of a mbedtls_ecdh_context structure directly. See also - * MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h. - */ -//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED - -/** \} name SECTION: Module configuration options */ +/** \} name SECTION: Module configuration options */ \ No newline at end of file diff --git a/esp-mbedtls-sys/gen/sysroot/include/inttypes.h b/esp-mbedtls-sys/gen/sysroot/include/inttypes.h new file mode 100644 index 00000000..10ca5bcf --- /dev/null +++ b/esp-mbedtls-sys/gen/sysroot/include/inttypes.h @@ -0,0 +1,6 @@ +#ifndef __INTTYPES_H__ +#define __INTTYPES_H__ + +#define PRId64 __INT64_FMTd__ + +#endif \ No newline at end of file diff --git a/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libeverest.a b/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libeverest.a new file mode 100644 index 00000000..34762f3a Binary files /dev/null and b/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libeverest.a differ diff --git a/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedcrypto.a b/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedcrypto.a index 688954f4..a5ee76f6 100644 Binary files a/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedcrypto.a and b/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedcrypto.a differ diff --git a/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedtls.a b/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedtls.a index dda3a7a8..69c257ce 100644 Binary files a/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedtls.a and b/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedtls.a differ diff --git a/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedx509.a b/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedx509.a index a1ffa580..e8593634 100644 Binary files a/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedx509.a and b/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libmbedx509.a differ diff --git a/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libp256m.a b/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libp256m.a new file mode 100644 index 00000000..02c9a674 Binary files /dev/null and b/esp-mbedtls-sys/libs/riscv32imac-unknown-none-elf/libp256m.a differ diff --git a/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libeverest.a b/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libeverest.a new file mode 100644 index 00000000..45ea6c3a Binary files /dev/null and b/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libeverest.a differ diff --git a/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedcrypto.a b/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedcrypto.a index 8a6f335f..41e8fe65 100644 Binary files a/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedcrypto.a and b/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedcrypto.a differ diff --git a/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedtls.a b/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedtls.a index bfeabbdd..bb802fc7 100644 Binary files a/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedtls.a and b/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedtls.a differ diff --git a/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedx509.a b/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedx509.a index 3d4a014c..f9da9001 100644 Binary files a/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedx509.a and b/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libmbedx509.a differ diff --git a/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libp256m.a b/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libp256m.a new file mode 100644 index 00000000..ce703a09 Binary files /dev/null and b/esp-mbedtls-sys/libs/riscv32imc-unknown-none-elf/libp256m.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libeverest.a b/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libeverest.a new file mode 100644 index 00000000..709f693f Binary files /dev/null and b/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libeverest.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedcrypto.a b/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedcrypto.a index 6dca7f91..024bf3e5 100644 Binary files a/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedcrypto.a and b/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedcrypto.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedtls.a b/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedtls.a index a972e52d..78dd0b59 100644 Binary files a/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedtls.a and b/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedtls.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedx509.a b/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedx509.a index f500f315..2023313a 100644 Binary files a/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedx509.a and b/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libmbedx509.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libp256m.a b/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libp256m.a new file mode 100644 index 00000000..addefaad Binary files /dev/null and b/esp-mbedtls-sys/libs/xtensa-esp32-none-elf/libp256m.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libeverest.a b/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libeverest.a new file mode 100644 index 00000000..709f693f Binary files /dev/null and b/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libeverest.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedcrypto.a b/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedcrypto.a index 6dca7f91..024bf3e5 100644 Binary files a/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedcrypto.a and b/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedcrypto.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedtls.a b/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedtls.a index a972e52d..78dd0b59 100644 Binary files a/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedtls.a and b/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedtls.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedx509.a b/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedx509.a index f500f315..2023313a 100644 Binary files a/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedx509.a and b/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libmbedx509.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libp256m.a b/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libp256m.a new file mode 100644 index 00000000..addefaad Binary files /dev/null and b/esp-mbedtls-sys/libs/xtensa-esp32s2-none-elf/libp256m.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libeverest.a b/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libeverest.a new file mode 100644 index 00000000..709f693f Binary files /dev/null and b/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libeverest.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedcrypto.a b/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedcrypto.a index 6dca7f91..024bf3e5 100644 Binary files a/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedcrypto.a and b/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedcrypto.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedtls.a b/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedtls.a index a972e52d..78dd0b59 100644 Binary files a/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedtls.a and b/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedtls.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedx509.a b/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedx509.a index f500f315..2023313a 100644 Binary files a/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedx509.a and b/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libmbedx509.a differ diff --git a/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libp256m.a b/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libp256m.a new file mode 100644 index 00000000..addefaad Binary files /dev/null and b/esp-mbedtls-sys/libs/xtensa-esp32s3-none-elf/libp256m.a differ diff --git a/esp-mbedtls-sys/mbedtls b/esp-mbedtls-sys/mbedtls index cadbbd91..ffb280bb 160000 --- a/esp-mbedtls-sys/mbedtls +++ b/esp-mbedtls-sys/mbedtls @@ -1 +1 @@ -Subproject commit cadbbd91bb15c64e7bd4e8490010ddb78eed2121 +Subproject commit ffb280bb63c78bfec1e1ab55040671768c85c923 diff --git a/esp-mbedtls-sys/src/accel/esp/exp_mod.rs b/esp-mbedtls-sys/src/accel/esp/exp_mod.rs index 75bd8eae..6a4c0c98 100644 --- a/esp-mbedtls-sys/src/accel/esp/exp_mod.rs +++ b/esp-mbedtls-sys/src/accel/esp/exp_mod.rs @@ -11,17 +11,15 @@ use crypto_bigint::U4096; use crypto_bigint::{U1024, U2048, U512}; #[cfg(not(feature = "accel-esp32"))] use crypto_bigint::{U256, U384}; +use esp_hal::rsa::{operand_sizes, RsaContext}; +use crate::hook::exp_mod::MbedtlsMpiExpMod; use crate::{ mbedtls_mpi, mbedtls_mpi_add_mpi, mbedtls_mpi_cmp_int, mbedtls_mpi_exp_mod_soft, mbedtls_mpi_free, mbedtls_mpi_grow, mbedtls_mpi_init, mbedtls_mpi_lset, mbedtls_mpi_mod_mpi, mbedtls_mpi_set_bit, merr, MbedtlsError, }; -use esp_hal::rsa::{operand_sizes, RsaContext}; - -use crate::hook::exp_mod::MbedtlsMpiExpMod; - #[cfg(not(feature = "accel-esp32"))] const SOC_RSA_MIN_BIT_LEN: usize = 256; #[cfg(feature = "accel-esp32")] @@ -332,7 +330,7 @@ fn compute_mprime(m: &mbedtls_mpi) -> u32 { /// Return the number of words actually used to represent an mpi number. #[inline(always)] fn mpi_words(x: &mbedtls_mpi) -> usize { - for index in (0..x.private_n).rev() { + for index in (0..usize::from(x.private_n)).rev() { if unsafe { x.private_p.add(index).read() } != 0 { return index + 1; } diff --git a/esp-mbedtls-sys/src/include/riscv32imac-unknown-none-elf.rs b/esp-mbedtls-sys/src/include/riscv32imac-unknown-none-elf.rs index 42738ece..a7588196 100644 --- a/esp-mbedtls-sys/src/include/riscv32imac-unknown-none-elf.rs +++ b/esp-mbedtls-sys/src/include/riscv32imac-unknown-none-elf.rs @@ -137,6 +137,36 @@ where } } } +#[repr(C)] +#[derive(Default)] +pub struct __IncompleteArrayField(::core::marker::PhantomData, [T; 0]); +impl __IncompleteArrayField { + #[inline] + pub const fn new() -> Self { + __IncompleteArrayField(::core::marker::PhantomData, []) + } + #[inline] + pub fn as_ptr(&self) -> *const T { + self as *const _ as *const T + } + #[inline] + pub fn as_mut_ptr(&mut self) -> *mut T { + self as *mut _ as *mut T + } + #[inline] + pub unsafe fn as_slice(&self, len: usize) -> &[T] { + ::core::slice::from_raw_parts(self.as_ptr(), len) + } + #[inline] + pub unsafe fn as_mut_slice(&mut self, len: usize) -> &mut [T] { + ::core::slice::from_raw_parts_mut(self.as_mut_ptr(), len) + } +} +impl ::core::fmt::Debug for __IncompleteArrayField { + fn fmt(&self, fmt: &mut ::core::fmt::Formatter<'_>) -> ::core::fmt::Result { + fmt.write_str("__IncompleteArrayField") + } +} pub const MBEDTLS_CONFIG_FILE: &[u8; 9] = b"config.h\0"; pub const MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT: u32 = 0; pub const MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: u32 = 1024; @@ -144,14 +174,33 @@ pub const MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE: u32 = 6000; pub const MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH: u32 = 32; pub const MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS: u32 = 1; pub const MBEDTLS_VERSION_MAJOR: u32 = 3; -pub const MBEDTLS_VERSION_MINOR: u32 = 4; -pub const MBEDTLS_VERSION_PATCH: u32 = 0; -pub const MBEDTLS_VERSION_NUMBER: u32 = 50593792; -pub const MBEDTLS_VERSION_STRING: &[u8; 6] = b"3.4.0\0"; -pub const MBEDTLS_VERSION_STRING_FULL: &[u8; 15] = b"mbed TLS 3.4.0\0"; +pub const MBEDTLS_VERSION_MINOR: u32 = 6; +pub const MBEDTLS_VERSION_PATCH: u32 = 5; +pub const MBEDTLS_VERSION_NUMBER: u32 = 50726144; +pub const MBEDTLS_VERSION_STRING: &[u8; 6] = b"3.6.5\0"; +pub const MBEDTLS_VERSION_STRING_FULL: &[u8; 15] = b"Mbed TLS 3.6.5\0"; +pub const PSA_WANT_ALG_MD5: u32 = 1; +pub const PSA_WANT_ALG_RIPEMD160: u32 = 1; +pub const PSA_WANT_ALG_SHA_1: u32 = 1; +pub const PSA_WANT_ALG_SHA_224: u32 = 1; +pub const PSA_WANT_ALG_SHA_256: u32 = 1; +pub const PSA_WANT_ALG_SHA_384: u32 = 1; +pub const PSA_WANT_ALG_SHA_512: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_256: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_384: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_512: u32 = 1; +pub const PSA_WANT_ECC_MONTGOMERY_255: u32 = 1; +pub const PSA_WANT_ECC_MONTGOMERY_448: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_192: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_224: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_256: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_384: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_521: u32 = 1; +pub const PSA_WANT_ECC_SECP_K1_192: u32 = 1; +pub const PSA_WANT_ECC_SECP_K1_256: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CCM: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const PSA_WANT_ALG_CCM: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const PSA_WANT_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CMAC: u32 = 1; pub const PSA_WANT_ALG_CMAC: u32 = 1; @@ -162,10 +211,40 @@ pub const PSA_WANT_ALG_ECDSA: u32 = 1; pub const PSA_WANT_ALG_ECDSA_ANY: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA: u32 = 1; pub const PSA_WANT_ALG_DETERMINISTIC_ECDSA: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR: u32 = 1; -pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY: u32 = 1; pub const PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY: u32 = 1; +pub const PSA_WANT_ALG_FFDH: u32 = 1; +pub const PSA_WANT_DH_RFC7919_2048: u32 = 1; +pub const PSA_WANT_DH_RFC7919_3072: u32 = 1; +pub const PSA_WANT_DH_RFC7919_4096: u32 = 1; +pub const PSA_WANT_DH_RFC7919_6144: u32 = 1; +pub const PSA_WANT_DH_RFC7919_8192: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_ALG_FFDH: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_GCM: u32 = 1; pub const PSA_WANT_ALG_GCM: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_HMAC: u32 = 1; @@ -176,17 +255,16 @@ pub const MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT: u32 = 1; pub const PSA_WANT_ALG_HKDF_EXTRACT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND: u32 = 1; pub const PSA_WANT_ALG_HKDF_EXPAND: u32 = 1; +pub const PSA_WANT_KEY_TYPE_HMAC: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF: u32 = 1; pub const PSA_WANT_ALG_TLS12_PRF: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS: u32 = 1; pub const PSA_WANT_ALG_TLS12_PSK_TO_MS: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_MD5: u32 = 1; -pub const PSA_WANT_ALG_MD5: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_PAKE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_JPAKE: u32 = 1; pub const PSA_WANT_ALG_JPAKE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160: u32 = 1; -pub const PSA_WANT_ALG_RIPEMD160: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT: u32 = 1; pub const PSA_WANT_ALG_RSA_PKCS1V15_CRYPT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN: u32 = 1; @@ -196,20 +274,19 @@ pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP: u32 = 1; pub const PSA_WANT_ALG_RSA_OAEP: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS: u32 = 1; pub const PSA_WANT_ALG_RSA_PSS: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR: u32 = 1; -pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY: u32 = 1; pub const PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_1: u32 = 1; -pub const PSA_WANT_ALG_SHA_1: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_224: u32 = 1; -pub const PSA_WANT_ALG_SHA_224: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_256: u32 = 1; -pub const PSA_WANT_ALG_SHA_256: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_384: u32 = 1; -pub const PSA_WANT_ALG_SHA_384: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_512: u32 = 1; -pub const PSA_WANT_ALG_SHA_512: u32 = 1; pub const PSA_WANT_KEY_TYPE_AES: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES: u32 = 1; pub const PSA_WANT_KEY_TYPE_ARIA: u32 = 1; @@ -221,8 +298,8 @@ pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS: u32 = 1; pub const PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS: u32 = 1; pub const PSA_WANT_KEY_TYPE_CHACHA20: u32 = 1; -pub const PSA_WANT_ALG_STREAM_CIPHER: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20: u32 = 1; +pub const PSA_WANT_ALG_STREAM_CIPHER: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER: u32 = 1; pub const PSA_WANT_ALG_CHACHA20_POLY1305: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305: u32 = 1; @@ -250,8 +327,7 @@ pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256: u32 = 1; -pub const PSA_HAVE_FULL_ECDSA: u32 = 1; -pub const PSA_HAVE_FULL_JPAKE: u32 = 1; +pub const PSA_WANT_ALG_SOME_PAKE: u32 = 1; pub const PSA_WANT_KEY_TYPE_DERIVE: u32 = 1; pub const PSA_WANT_KEY_TYPE_PASSWORD: u32 = 1; pub const PSA_WANT_KEY_TYPE_PASSWORD_HASH: u32 = 1; @@ -272,7 +348,7 @@ pub const MBEDTLS_ERR_MPI_DIVISION_BY_ZERO: i32 = -12; pub const MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: i32 = -14; pub const MBEDTLS_ERR_MPI_ALLOC_FAILED: i32 = -16; pub const MBEDTLS_MPI_MAX_LIMBS: u32 = 10000; -pub const MBEDTLS_MPI_WINDOW_SIZE: u32 = 2; +pub const MBEDTLS_MPI_WINDOW_SIZE: u32 = 3; pub const MBEDTLS_MPI_MAX_SIZE: u32 = 1024; pub const MBEDTLS_MPI_MAX_BITS: u32 = 8192; pub const MBEDTLS_MPI_MAX_BITS_SCALE100: u32 = 819200; @@ -320,6 +396,8 @@ pub const MBEDTLS_CIPHER_VARIABLE_KEY_LEN: u32 = 2; pub const MBEDTLS_MAX_IV_LENGTH: u32 = 16; pub const MBEDTLS_MAX_BLOCK_LENGTH: u32 = 16; pub const MBEDTLS_MAX_KEY_LENGTH: u32 = 64; +pub const MBEDTLS_KEY_BITLEN_SHIFT: u32 = 6; +pub const MBEDTLS_IV_SIZE_SHIFT: u32 = 2; pub const MBEDTLS_CCM_DECRYPT: u32 = 0; pub const MBEDTLS_CCM_ENCRYPT: u32 = 1; pub const MBEDTLS_CCM_STAR_DECRYPT: u32 = 2; @@ -332,7 +410,26 @@ pub const MBEDTLS_ERR_CHACHAPOLY_BAD_STATE: i32 = -84; pub const MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED: i32 = -86; pub const MBEDTLS_AES_BLOCK_SIZE: u32 = 16; pub const MBEDTLS_DES3_BLOCK_SIZE: u32 = 8; +pub const MBEDTLS_CMAC_MAX_BLOCK_SIZE: u32 = 16; pub const MBEDTLS_CIPHER_BLKSIZE_MAX: u32 = 16; +pub const MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: i32 = -20608; +pub const MBEDTLS_ERR_MD_BAD_INPUT_DATA: i32 = -20736; +pub const MBEDTLS_ERR_MD_ALLOC_FAILED: i32 = -20864; +pub const MBEDTLS_ERR_MD_FILE_IO_ERROR: i32 = -20992; +pub const MBEDTLS_MD_MAX_SIZE: u32 = 64; +pub const MBEDTLS_MD_MAX_BLOCK_SIZE: u32 = 128; +pub const MBEDTLS_ENTROPY_BLOCK_SIZE: u32 = 64; +pub const MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: i32 = -60; +pub const MBEDTLS_ERR_ENTROPY_MAX_SOURCES: i32 = -62; +pub const MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: i32 = -64; +pub const MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: i32 = -61; +pub const MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR: i32 = -63; +pub const MBEDTLS_ENTROPY_MAX_SOURCES: u32 = 20; +pub const MBEDTLS_ENTROPY_MAX_GATHER: u32 = 128; +pub const MBEDTLS_ENTROPY_MAX_SEED_SIZE: u32 = 1024; +pub const MBEDTLS_ENTROPY_SOURCE_MANUAL: u32 = 20; +pub const MBEDTLS_ENTROPY_SOURCE_STRONG: u32 = 1; +pub const MBEDTLS_ENTROPY_SOURCE_WEAK: u32 = 0; pub const MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED: i32 = -52; pub const MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG: i32 = -54; pub const MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG: i32 = -56; @@ -367,12 +464,6 @@ pub const MBEDTLS_ECP_MAX_PT_LEN: u32 = 133; pub const MBEDTLS_ECP_PF_UNCOMPRESSED: u32 = 0; pub const MBEDTLS_ECP_PF_COMPRESSED: u32 = 1; pub const MBEDTLS_ECP_TLS_NAMED_CURVE: u32 = 3; -pub const MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: i32 = -20608; -pub const MBEDTLS_ERR_MD_BAD_INPUT_DATA: i32 = -20736; -pub const MBEDTLS_ERR_MD_ALLOC_FAILED: i32 = -20864; -pub const MBEDTLS_ERR_MD_FILE_IO_ERROR: i32 = -20992; -pub const MBEDTLS_MD_MAX_SIZE: u32 = 64; -pub const MBEDTLS_MD_MAX_BLOCK_SIZE: u32 = 128; pub const MBEDTLS_ERR_RSA_BAD_INPUT_DATA: i32 = -16512; pub const MBEDTLS_ERR_RSA_INVALID_PADDING: i32 = -16640; pub const MBEDTLS_ERR_RSA_KEY_GEN_FAILED: i32 = -16768; @@ -387,6 +478,55 @@ pub const MBEDTLS_RSA_PKCS_V21: u32 = 1; pub const MBEDTLS_RSA_SIGN: u32 = 1; pub const MBEDTLS_RSA_CRYPT: u32 = 2; pub const MBEDTLS_RSA_SALT_LEN_ANY: i32 = -1; +pub const MBEDTLS_RSA_GEN_KEY_MIN_BITS: u32 = 1024; +pub const PSA_CRYPTO_API_VERSION_MAJOR: u32 = 1; +pub const PSA_CRYPTO_API_VERSION_MINOR: u32 = 0; +pub const PSA_MAC_TRUNCATION_OFFSET: u32 = 16; +pub const PSA_AEAD_TAG_LENGTH_OFFSET: u32 = 16; +pub const PSA_HMAC_MAX_HASH_BLOCK_SIZE: u32 = 128; +pub const PSA_HASH_MAX_SIZE: u32 = 64; +pub const PSA_MAC_MAX_SIZE: u32 = 64; +pub const PSA_AEAD_TAG_MAX_SIZE: u32 = 16; +pub const PSA_VENDOR_RSA_MAX_KEY_BITS: u32 = 4096; +pub const PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS: u32 = 1024; +pub const PSA_VENDOR_FFDH_MAX_KEY_BITS: u32 = 8192; +pub const PSA_VENDOR_ECC_MAX_CURVE_BITS: u32 = 521; +pub const PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE: u32 = 128; +pub const PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE: u32 = 65; +pub const PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE: u32 = 32; +pub const PSA_VENDOR_PBKDF2_MAX_ITERATIONS: u32 = 4294967295; +pub const PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE: u32 = 16; +pub const PSA_AEAD_NONCE_MAX_SIZE: u32 = 13; +pub const PSA_AEAD_FINISH_OUTPUT_MAX_SIZE: u32 = 16; +pub const PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE: u32 = 16; +pub const PSA_SIGNATURE_MAX_SIZE: u32 = 1; +pub const PSA_EXPORT_KEY_PAIR_MAX_SIZE: u32 = 1; +pub const PSA_EXPORT_PUBLIC_KEY_MAX_SIZE: u32 = 1; +pub const PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE: u32 = 1; +pub const PSA_CIPHER_MAX_KEY_LENGTH: u32 = 32; +pub const PSA_CIPHER_IV_MAX_SIZE: u32 = 16; +pub const PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE: u32 = 16; +pub const MBEDTLS_ERR_SHA1_BAD_INPUT_DATA: i32 = -115; +pub const MBEDTLS_ERR_SHA256_BAD_INPUT_DATA: i32 = -116; +pub const MBEDTLS_ERR_SHA512_BAD_INPUT_DATA: i32 = -117; +pub const MBEDTLS_ERR_SHA3_BAD_INPUT_DATA: i32 = -118; +pub const MBEDTLS_PSA_BUILTIN_CIPHER: u32 = 1; +pub const MBEDTLS_GCM_ENCRYPT: u32 = 1; +pub const MBEDTLS_GCM_DECRYPT: u32 = 0; +pub const MBEDTLS_ERR_GCM_AUTH_FAILED: i32 = -18; +pub const MBEDTLS_ERR_GCM_BAD_INPUT: i32 = -20; +pub const MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: i32 = -22; +pub const MBEDTLS_GCM_HTABLE_SIZE: u32 = 16; +pub const MBEDTLS_PSA_BUILTIN_AEAD: u32 = 1; +pub const MBEDTLS_PSA_JPAKE_BUFFER_SIZE: u32 = 336; +pub const PSA_MAX_KEY_BITS: u32 = 65528; +pub const PSA_CRYPTO_ITS_RANDOM_SEED_UID: u32 = 4294967122; +pub const MBEDTLS_PSA_KEY_SLOT_COUNT: u32 = 32; +pub const PSA_PAKE_OPERATION_STAGE_SETUP: u32 = 0; +pub const PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS: u32 = 1; +pub const PSA_PAKE_OPERATION_STAGE_COMPUTATION: u32 = 2; +pub const PSA_PAKE_OUTPUT_MAX_SIZE: u32 = 65; +pub const PSA_PAKE_INPUT_MAX_SIZE: u32 = 65; pub const MBEDTLS_ERR_PK_ALLOC_FAILED: i32 = -16256; pub const MBEDTLS_ERR_PK_TYPE_MISMATCH: i32 = -16128; pub const MBEDTLS_ERR_PK_BAD_INPUT_DATA: i32 = -16000; @@ -597,45 +737,6 @@ pub const MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256: u32 = 4869; pub const MBEDTLS_CIPHERSUITE_WEAK: u32 = 1; pub const MBEDTLS_CIPHERSUITE_SHORT_TAG: u32 = 2; pub const MBEDTLS_CIPHERSUITE_NODTLS: u32 = 4; -pub const PSA_CRYPTO_API_VERSION_MAJOR: u32 = 1; -pub const PSA_CRYPTO_API_VERSION_MINOR: u32 = 0; -pub const PSA_MAC_TRUNCATION_OFFSET: u32 = 16; -pub const PSA_AEAD_TAG_LENGTH_OFFSET: u32 = 16; -pub const PSA_HASH_MAX_SIZE: u32 = 64; -pub const PSA_HMAC_MAX_HASH_BLOCK_SIZE: u32 = 128; -pub const PSA_MAC_MAX_SIZE: u32 = 64; -pub const PSA_AEAD_TAG_MAX_SIZE: u32 = 16; -pub const PSA_VENDOR_RSA_MAX_KEY_BITS: u32 = 4096; -pub const PSA_VENDOR_ECC_MAX_CURVE_BITS: u32 = 521; -pub const PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE: u32 = 128; -pub const PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE: u32 = 65; -pub const PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE: u32 = 32; -pub const PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE: u32 = 16; -pub const PSA_AEAD_NONCE_MAX_SIZE: u32 = 13; -pub const PSA_AEAD_FINISH_OUTPUT_MAX_SIZE: u32 = 16; -pub const PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE: u32 = 16; -pub const PSA_CIPHER_IV_MAX_SIZE: u32 = 16; -pub const PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE: u32 = 16; -pub const MBEDTLS_GCM_ENCRYPT: u32 = 1; -pub const MBEDTLS_GCM_DECRYPT: u32 = 0; -pub const MBEDTLS_ERR_GCM_AUTH_FAILED: i32 = -18; -pub const MBEDTLS_ERR_GCM_BAD_INPUT: i32 = -20; -pub const MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: i32 = -22; -pub const MBEDTLS_ERR_SHA1_BAD_INPUT_DATA: i32 = -115; -pub const MBEDTLS_ERR_SHA256_BAD_INPUT_DATA: i32 = -116; -pub const MBEDTLS_ERR_SHA512_BAD_INPUT_DATA: i32 = -117; -pub const MBEDTLS_PSA_BUILTIN_CIPHER: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_AEAD: u32 = 1; -pub const MBEDTLS_PSA_JPAKE_BUFFER_SIZE: u32 = 336; -pub const PSA_MAX_KEY_BITS: u32 = 65528; -pub const MBEDTLS_PSA_KA_MASK_DUAL_USE: u32 = 0; -pub const PSA_CRYPTO_ITS_RANDOM_SEED_UID: u32 = 4294967122; -pub const MBEDTLS_PSA_KEY_SLOT_COUNT: u32 = 32; -pub const PSA_PAKE_OPERATION_STAGE_SETUP: u32 = 0; -pub const PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS: u32 = 1; -pub const PSA_PAKE_OPERATION_STAGE_COMPUTATION: u32 = 2; -pub const PSA_PAKE_OUTPUT_MAX_SIZE: u32 = 65; -pub const PSA_PAKE_INPUT_MAX_SIZE: u32 = 65; pub const MBEDTLS_X509_MAX_INTERMEDIATE_CA: u32 = 8; pub const MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE: i32 = -8320; pub const MBEDTLS_ERR_X509_UNKNOWN_OID: i32 = -8448; @@ -743,7 +844,9 @@ pub const MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY: i32 = -30848; pub const MBEDTLS_ERR_SSL_BAD_CERTIFICATE: i32 = -31232; pub const MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET: i32 = -31488; pub const MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA: i32 = -31616; -pub const MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA: i32 = -31744; +pub const MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA: i32 = -31744; +pub const MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA: i32 = -31872; +pub const MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND: i32 = -32384; pub const MBEDTLS_ERR_SSL_ALLOC_FAILED: i32 = -32512; pub const MBEDTLS_ERR_SSL_HW_ACCEL_FAILED: i32 = -32640; pub const MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: i32 = -28544; @@ -770,6 +873,7 @@ pub const MBEDTLS_ERR_SSL_EARLY_MESSAGE: i32 = -25728; pub const MBEDTLS_ERR_SSL_UNEXPECTED_CID: i32 = -24576; pub const MBEDTLS_ERR_SSL_VERSION_MISMATCH: i32 = -24320; pub const MBEDTLS_ERR_SSL_BAD_CONFIG: i32 = -24192; +pub const MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME: i32 = -23936; pub const MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE: u32 = 0; pub const MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE: u32 = 1; pub const MBEDTLS_SSL_IANA_TLS_GROUP_NONE: u32 = 0; @@ -841,6 +945,8 @@ pub const MBEDTLS_SSL_TRUNC_HMAC_ENABLED: u32 = 1; pub const MBEDTLS_SSL_TRUNCATED_HMAC_LEN: u32 = 10; pub const MBEDTLS_SSL_SESSION_TICKETS_DISABLED: u32 = 0; pub const MBEDTLS_SSL_SESSION_TICKETS_ENABLED: u32 = 1; +pub const MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED: u32 = 0; +pub const MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED: u32 = 1; pub const MBEDTLS_SSL_PRESET_DEFAULT: u32 = 0; pub const MBEDTLS_SSL_PRESET_SUITEB: u32 = 2; pub const MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED: u32 = 1; @@ -854,6 +960,9 @@ pub const MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER: u32 = 0; pub const MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN: u32 = 48; pub const MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN: u32 = 1000; pub const MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX: u32 = 60000; +pub const MBEDTLS_SSL_EARLY_DATA_NO_DISCARD: u32 = 0; +pub const MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD: u32 = 1; +pub const MBEDTLS_SSL_EARLY_DATA_DISCARD: u32 = 2; pub const MBEDTLS_SSL_IN_CONTENT_LEN: u32 = 16384; pub const MBEDTLS_SSL_OUT_CONTENT_LEN: u32 = 16384; pub const MBEDTLS_SSL_DTLS_MAX_BUFFERING: u32 = 32768; @@ -988,18 +1097,6 @@ pub const MBEDTLS_SSL_UNEXPECTED_CID_IGNORE: u32 = 0; pub const MBEDTLS_SSL_UNEXPECTED_CID_FAIL: u32 = 1; pub const MBEDTLS_PRINTF_SIZET: &[u8; 3] = b"zu\0"; pub const MBEDTLS_PRINTF_LONGLONG: &[u8; 4] = b"lld\0"; -pub const MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: i32 = -60; -pub const MBEDTLS_ERR_ENTROPY_MAX_SOURCES: i32 = -62; -pub const MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: i32 = -64; -pub const MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: i32 = -61; -pub const MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR: i32 = -63; -pub const MBEDTLS_ENTROPY_MAX_SOURCES: u32 = 20; -pub const MBEDTLS_ENTROPY_MAX_GATHER: u32 = 128; -pub const MBEDTLS_ENTROPY_BLOCK_SIZE: u32 = 64; -pub const MBEDTLS_ENTROPY_MAX_SEED_SIZE: u32 = 1024; -pub const MBEDTLS_ENTROPY_SOURCE_MANUAL: u32 = 20; -pub const MBEDTLS_ENTROPY_SOURCE_STRONG: u32 = 1; -pub const MBEDTLS_ENTROPY_SOURCE_WEAK: u32 = 0; pub const MBEDTLS_ERR_HKDF_BAD_INPUT_DATA: i32 = -24448; pub const MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG: i32 = -3; pub const MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG: i32 = -5; @@ -1041,6 +1138,7 @@ pub const MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS: u32 = 4096; pub const MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY: u32 = 8192; pub const MBEDTLS_OID_X509_EXT_FRESHEST_CRL: u32 = 16384; pub const MBEDTLS_OID_X509_EXT_NS_CERT_TYPE: u32 = 65536; +pub const MBEDTLS_OID_MAX_COMPONENTS: u32 = 128; pub const MBEDTLS_OID_ISO_MEMBER_BODIES: &[u8; 2] = b"*\0"; pub const MBEDTLS_OID_ISO_IDENTIFIED_ORG: &[u8; 2] = b"+\0"; pub const MBEDTLS_OID_ISO_CCITT_DS: &[u8; 2] = b"U\0"; @@ -1055,6 +1153,8 @@ pub const MBEDTLS_OID_ORG_OIW: &[u8; 2] = b"\x0E\0"; pub const MBEDTLS_OID_OIW_SECSIG: &[u8; 3] = b"\x0E\x03\0"; pub const MBEDTLS_OID_OIW_SECSIG_ALG: &[u8; 4] = b"\x0E\x03\x02\0"; pub const MBEDTLS_OID_OIW_SECSIG_SHA1: &[u8; 5] = b"\x0E\x03\x02\x1A\0"; +pub const MBEDTLS_OID_ORG_THAWTE: &[u8; 2] = b"e\0"; +pub const MBEDTLS_OID_THAWTE: &[u8; 3] = b"+e\0"; pub const MBEDTLS_OID_ORG_CERTICOM: &[u8; 3] = b"\x81\x04\0"; pub const MBEDTLS_OID_CERTICOM: &[u8; 4] = b"+\x81\x04\0"; pub const MBEDTLS_OID_ORG_TELETRUST: &[u8; 2] = b"$\0"; @@ -1153,14 +1253,26 @@ pub const MBEDTLS_OID_DIGEST_ALG_SHA256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x pub const MBEDTLS_OID_DIGEST_ALG_SHA384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x02\0"; pub const MBEDTLS_OID_DIGEST_ALG_SHA512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x03\0"; pub const MBEDTLS_OID_DIGEST_ALG_RIPEMD160: &[u8; 6] = b"+$\x03\x02\x01\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_224: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x07\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x08\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\t\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\n\0"; pub const MBEDTLS_OID_HMAC_SHA1: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x07\0"; pub const MBEDTLS_OID_HMAC_SHA224: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x08\0"; pub const MBEDTLS_OID_HMAC_SHA256: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\t\0"; pub const MBEDTLS_OID_HMAC_SHA384: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\n\0"; pub const MBEDTLS_OID_HMAC_SHA512: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x0B\0"; +pub const MBEDTLS_OID_HMAC_SHA3_224: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\r\0"; +pub const MBEDTLS_OID_HMAC_SHA3_256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x0E\0"; +pub const MBEDTLS_OID_HMAC_SHA3_384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x0F\0"; +pub const MBEDTLS_OID_HMAC_SHA3_512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x10\0"; +pub const MBEDTLS_OID_HMAC_RIPEMD160: &[u8; 9] = b"+\x06\x01\x05\x05\x08\x01\x04\0"; pub const MBEDTLS_OID_DES_CBC: &[u8; 6] = b"+\x0E\x03\x02\x07\0"; pub const MBEDTLS_OID_DES_EDE3_CBC: &[u8; 9] = b"*\x86H\x86\xF7\r\x03\x07\0"; pub const MBEDTLS_OID_AES: &[u8; 9] = b"`\x86H\x01e\x03\x04\x01\0"; +pub const MBEDTLS_OID_AES_128_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x02\0"; +pub const MBEDTLS_OID_AES_192_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x16\0"; +pub const MBEDTLS_OID_AES_256_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01*\0"; pub const MBEDTLS_OID_AES128_KW: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x05\0"; pub const MBEDTLS_OID_AES128_KWP: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x08\0"; pub const MBEDTLS_OID_AES192_KW: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x19\0"; @@ -1213,6 +1325,10 @@ pub const MBEDTLS_OID_ECDSA_SHA224: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x01\0"; pub const MBEDTLS_OID_ECDSA_SHA256: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x02\0"; pub const MBEDTLS_OID_ECDSA_SHA384: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x03\0"; pub const MBEDTLS_OID_ECDSA_SHA512: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x04\0"; +pub const MBEDTLS_OID_X25519: &[u8; 4] = b"+en\0"; +pub const MBEDTLS_OID_X448: &[u8; 4] = b"+eo\0"; +pub const MBEDTLS_OID_ED25519: &[u8; 4] = b"+ep\0"; +pub const MBEDTLS_OID_ED448: &[u8; 4] = b"+eq\0"; pub const MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT: i32 = -4224; pub const MBEDTLS_ERR_PEM_INVALID_DATA: i32 = -4352; pub const MBEDTLS_ERR_PEM_ALLOC_FAILED: i32 = -4480; @@ -1226,8 +1342,6 @@ pub const MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA: i32 = -12160; pub const MBEDTLS_ERR_PKCS5_INVALID_FORMAT: i32 = -12032; pub const MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE: i32 = -11904; pub const MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH: i32 = -11776; -pub const MBEDTLS_PKCS5_DECRYPT: u32 = 0; -pub const MBEDTLS_PKCS5_ENCRYPT: u32 = 1; pub const MBEDTLS_ERR_PKCS7_INVALID_FORMAT: i32 = -21248; pub const MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE: i32 = -21376; pub const MBEDTLS_ERR_PKCS7_INVALID_VERSION: i32 = -21504; @@ -1248,8 +1362,6 @@ pub const MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH: i32 = -7680; pub const MBEDTLS_PKCS12_DERIVE_KEY: u32 = 1; pub const MBEDTLS_PKCS12_DERIVE_IV: u32 = 2; pub const MBEDTLS_PKCS12_DERIVE_MAC_KEY: u32 = 3; -pub const MBEDTLS_PKCS12_PBE_DECRYPT: u32 = 0; -pub const MBEDTLS_PKCS12_PBE_ENCRYPT: u32 = 1; pub const MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT: u32 = 86400; pub const MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES: u32 = 50; pub const MBEDTLS_SSL_COOKIE_TIMEOUT: u32 = 60; @@ -1375,6 +1487,59 @@ unsafe extern "C" { /// \param len Length of the buffer in bytes pub fn mbedtls_platform_zeroize(buf: *mut ::core::ffi::c_void, len: usize); } +/// \brief The type of custom random generator (RNG) callbacks. +/// +/// Many Mbed TLS functions take two parameters +/// `mbedtls_f_rng_t *f_rng, void *p_rng`. The +/// library will call \c f_rng to generate +/// random values. +/// +/// \note This is typically one of the following: +/// - mbedtls_ctr_drbg_random() with \c p_rng +/// pointing to a #mbedtls_ctr_drbg_context; +/// - mbedtls_hmac_drbg_random() with \c p_rng +/// pointing to a #mbedtls_hmac_drbg_context; +/// - mbedtls_psa_get_random() with +/// `prng = MBEDTLS_PSA_RANDOM_STATE`. +/// +/// \note Generally, given a call +/// `mbedtls_foo(f_rng, p_rng, ....)`, the RNG callback +/// and the context only need to remain valid until +/// the call to `mbedtls_foo` returns. However, there +/// are a few exceptions where the callback is stored +/// in for future use. Check the documentation of +/// the calling function. +/// +/// \warning In a multithreaded environment, calling the +/// function should be thread-safe. The standard +/// functions provided by the library are thread-safe +/// when #MBEDTLS_THREADING_C is enabled. +/// +/// \warning This function must either provide as many +/// bytes as requested of **cryptographic quality** +/// random data, or return a negative error code. +/// +/// \param p_rng The \c p_rng argument that was passed along \c f_rng. +/// The library always passes \c p_rng unchanged. +/// This is typically a pointer to the random generator +/// state, or \c NULL if the custom random generator +/// doesn't need a context-specific state. +/// \param[out] output On success, this must be filled with \p output_size +/// bytes of cryptographic-quality random data. +/// \param output_size The number of bytes to output. +/// +/// \return \c 0 on success, or a negative error code on failure. +/// Library functions will generally propagate this +/// error code, so \c MBEDTLS_ERR_xxx values are +/// recommended. #MBEDTLS_ERR_ENTROPY_SOURCE_FAILED is +/// typically sensible for RNG failures. +pub type mbedtls_f_rng_t = ::core::option::Option< + unsafe extern "C" fn( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + ) -> ::core::ffi::c_int, +>; /// \brief The AES context-type definition. #[repr(C)] #[derive(Copy, Clone)] @@ -1933,6 +2098,10 @@ pub type mbedtls_t_udbl = u64; #[repr(C)] #[derive(Copy, Clone)] pub struct mbedtls_mpi { + /// Pointer to limbs. + /// + /// This may be \c NULL if \c n is 0. + pub private_p: *mut mbedtls_mpi_uint, /// Sign: -1 if the mpi is negative, 1 otherwise. /// /// The number 0 must be represented with `s = +1`. Although many library @@ -1943,13 +2112,9 @@ pub struct mbedtls_mpi { /// /// Note that this implies that calloc() or `... = {0}` does not create /// a valid MPI representation. You must call mbedtls_mpi_init(). - pub private_s: ::core::ffi::c_int, + pub private_s: ::core::ffi::c_short, /// Total number of limbs in \c p. - pub private_n: usize, - /// Pointer to limbs. - /// - /// This may be \c NULL if \c n is 0. - pub private_p: *mut mbedtls_mpi_uint, + pub private_n: ::core::ffi::c_ushort, } impl Default for mbedtls_mpi { fn default() -> Self { @@ -2224,7 +2389,7 @@ unsafe extern "C" { /// \param X The destination MPI. This must point to an initialized MPI. /// \param buf The input buffer. This must be a readable buffer of length /// \p buflen Bytes. - /// \param buflen The length of the input buffer \p p in Bytes. + /// \param buflen The length of the input buffer \p buf in Bytes. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. @@ -2241,7 +2406,7 @@ unsafe extern "C" { /// \param X The destination MPI. This must point to an initialized MPI. /// \param buf The input buffer. This must be a readable buffer of length /// \p buflen Bytes. - /// \param buflen The length of the input buffer \p p in Bytes. + /// \param buflen The length of the input buffer \p buf in Bytes. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. @@ -2296,6 +2461,8 @@ unsafe extern "C" { /// \brief Perform a left-shift on an MPI: X <<= count /// /// \param X The MPI to shift. This must point to an initialized MPI. + /// The MPI pointed by \p X may be resized to fit + /// the resulting number. /// \param count The number of bits to shift by. /// /// \return \c 0 if successful. @@ -2588,7 +2755,7 @@ unsafe extern "C" { ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Perform a sliding-window exponentiation: X = A^E mod N + /// \brief Perform a modular exponentiation: X = A^E mod N /// /// \param X The destination MPI. This must point to an initialized MPI. /// This must not alias E or N. @@ -2639,13 +2806,7 @@ unsafe extern "C" { pub fn mbedtls_mpi_fill_random( X: *mut mbedtls_mpi, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2685,13 +2846,7 @@ unsafe extern "C" { X: *mut mbedtls_mpi, min: mbedtls_mpi_sint, N: *const mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2699,6 +2854,7 @@ unsafe extern "C" { /// \brief Compute the greatest common divisor: G = gcd(A, B) /// /// \param G The destination MPI. This must point to an initialized MPI. + /// This will always be positive or 0. /// \param A The first operand. This must point to an initialized MPI. /// \param B The second operand. This must point to an initialized MPI. /// @@ -2715,17 +2871,19 @@ unsafe extern "C" { /// \brief Compute the modular inverse: X = A^-1 mod N /// /// \param X The destination MPI. This must point to an initialized MPI. + /// The value returned on success will be between [1, N-1]. /// \param A The MPI to calculate the modular inverse of. This must point - /// to an initialized MPI. + /// to an initialized MPI. This value can be negative, in which + /// case a positive answer will still be returned in \p X. /// \param N The base of the modular inversion. This must point to an - /// initialized MPI. + /// initialized MPI and be greater than one. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. /// \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than /// or equal to one. - /// \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p has no modular inverse - /// with respect to \p N. + /// \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p A has no modular + /// inverse with respect to \p N. pub fn mbedtls_mpi_inv_mod( X: *mut mbedtls_mpi, A: *const mbedtls_mpi, @@ -2748,7 +2906,7 @@ unsafe extern "C" { /// This must point to an initialized MPI. /// \param rounds The number of bases to perform the Miller-Rabin primality /// test for. The probability of returning 0 on a composite is - /// at most 2-2*\p rounds. + /// at most 2-2*\p rounds . /// \param f_rng The RNG function to use. This must not be \c NULL. /// \param p_rng The RNG parameter to be passed to \p f_rng. /// This may be \c NULL if \p f_rng doesn't use @@ -2761,13 +2919,7 @@ unsafe extern "C" { pub fn mbedtls_mpi_is_prime_ext( X: *const mbedtls_mpi, rounds: ::core::ffi::c_int, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2804,13 +2956,7 @@ unsafe extern "C" { X: *mut mbedtls_mpi, nbits: usize, flags: ::core::ffi::c_int, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -3187,7 +3333,7 @@ unsafe extern "C" { /// on a successful invocation. /// \param end The end of the ASN.1 SEQUENCE container. /// \param tag_must_mask A mask to be applied to the ASN.1 tags found within - /// the SEQUENCE before comparing to \p tag_must_value. + /// the SEQUENCE before comparing to \p tag_must_val. /// \param tag_must_val The required value of each ASN.1 tag found in the /// SEQUENCE, after masking with \p tag_must_mask. /// Mismatching tags lead to an error. @@ -3196,7 +3342,7 @@ unsafe extern "C" { /// while a value of \c 0xFF for \p tag_must_mask means /// that \p tag_must_val is the only allowed tag. /// \param tag_may_mask A mask to be applied to the ASN.1 tags found within - /// the SEQUENCE before comparing to \p tag_may_value. + /// the SEQUENCE before comparing to \p tag_may_val. /// \param tag_may_val The desired value of each ASN.1 tag found in the /// SEQUENCE, after masking with \p tag_may_mask. /// Mismatching tags will be silently ignored. @@ -3489,6 +3635,30 @@ unsafe extern "C" { par_len: usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Write an AlgorithmIdentifier sequence in ASN.1 format. + /// + /// \note This function works backwards in data buffer. + /// + /// \param p The reference to the current position pointer. + /// \param start The start of the buffer, for bounds-checking. + /// \param oid The OID of the algorithm to write. + /// \param oid_len The length of the algorithm's OID. + /// \param par_len The length of the parameters, which must be already written. + /// \param has_par If there are any parameters. If 0, par_len must be 0. If 1 + /// and \p par_len is 0, NULL parameters are added. + /// + /// \return The number of bytes written to \p p on success. + /// \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_asn1_write_algorithm_identifier_ext( + p: *mut *mut ::core::ffi::c_uchar, + start: *const ::core::ffi::c_uchar, + oid: *const ::core::ffi::c_char, + oid_len: usize, + par_len: usize, + has_par: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value /// in ASN.1 format. @@ -3991,32 +4161,17 @@ pub struct mbedtls_cipher_base_t { /// mbedtls_cipher_info_from_type(), /// mbedtls_cipher_info_from_values(), /// mbedtls_cipher_info_from_psa(). +/// +/// \note Some fields store a value that has been right-shifted to save +/// code-size, so should not be used directly. The accessor +/// functions adjust for this and return the "natural" value. #[repr(C)] #[derive(Copy, Clone)] pub struct mbedtls_cipher_info_t { - /// Full cipher identifier. For example, - /// MBEDTLS_CIPHER_AES_256_CBC. - pub private_type: mbedtls_cipher_type_t, - /// The cipher mode. For example, MBEDTLS_MODE_CBC. - pub private_mode: mbedtls_cipher_mode_t, - /// The cipher key length, in bits. This is the - /// default length for variable sized ciphers. - /// Includes parity bits for ciphers like DES. - pub private_key_bitlen: ::core::ffi::c_uint, /// Name of the cipher. pub private_name: *const ::core::ffi::c_char, - /// IV or nonce size, in Bytes. - /// For ciphers that accept variable IV sizes, - /// this is the recommended size. - pub private_iv_size: ::core::ffi::c_uint, - /// Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and - /// MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the - /// cipher supports variable IV or variable key sizes, respectively. - pub private_flags: ::core::ffi::c_int, - /// The block size, in Bytes. - pub private_block_size: ::core::ffi::c_uint, - /// Struct for base cipher information and functions. - pub private_base: *const mbedtls_cipher_base_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 4usize]>, } impl Default for mbedtls_cipher_info_t { fn default() -> Self { @@ -4027,46 +4182,321 @@ impl Default for mbedtls_cipher_info_t { } } } -/// Generic cipher context. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_cipher_context_t { - /// Information about the associated cipher. - pub private_cipher_info: *const mbedtls_cipher_info_t, - /// Key length to use. - pub private_key_bitlen: ::core::ffi::c_int, - /// Operation that the key of the context has been - /// initialized for. - pub private_operation: mbedtls_operation_t, - /// Padding functions to use, if relevant for - /// the specific cipher mode. - pub private_add_padding: ::core::option::Option< - unsafe extern "C" fn(output: *mut ::core::ffi::c_uchar, olen: usize, data_len: usize), - >, - pub private_get_padding: ::core::option::Option< - unsafe extern "C" fn( - input: *mut ::core::ffi::c_uchar, - ilen: usize, - data_len: *mut usize, - ) -> ::core::ffi::c_int, - >, - /// Buffer for input that has not been processed yet. - pub private_unprocessed_data: [::core::ffi::c_uchar; 16usize], - /// Number of Bytes that have not been processed yet. - pub private_unprocessed_len: usize, - /// Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number - /// for XTS-mode. - pub private_iv: [::core::ffi::c_uchar; 16usize], - /// IV size in Bytes, for ciphers with variable-length IVs. - pub private_iv_size: usize, - /// The cipher-specific context. - pub private_cipher_ctx: *mut ::core::ffi::c_void, - /// CMAC-specific context. - pub private_cmac_ctx: *mut mbedtls_cmac_context_t, -} -impl Default for mbedtls_cipher_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); +impl mbedtls_cipher_info_t { + #[inline] + pub fn private_block_size(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 5u8) as u32) } + } + #[inline] + pub fn set_private_block_size(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 5u8, val as u64) + } + } + #[inline] + pub unsafe fn private_block_size_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 5u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_block_size_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 5u8, + val as u64, + ) + } + } + #[inline] + pub fn private_iv_size(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(5usize, 3u8) as u32) } + } + #[inline] + pub fn set_private_iv_size(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(5usize, 3u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_size_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 5usize, + 3u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_size_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 5usize, + 3u8, + val as u64, + ) + } + } + #[inline] + pub fn private_key_bitlen(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(8usize, 4u8) as u32) } + } + #[inline] + pub fn set_private_key_bitlen(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(8usize, 4u8, val as u64) + } + } + #[inline] + pub unsafe fn private_key_bitlen_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 8usize, + 4u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_key_bitlen_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 8usize, + 4u8, + val as u64, + ) + } + } + #[inline] + pub fn private_mode(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(12usize, 4u8) as u32) } + } + #[inline] + pub fn set_private_mode(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(12usize, 4u8, val as u64) + } + } + #[inline] + pub unsafe fn private_mode_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 12usize, + 4u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_mode_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 12usize, + 4u8, + val as u64, + ) + } + } + #[inline] + pub fn private_type(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(16usize, 8u8) as u32) } + } + #[inline] + pub fn set_private_type(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(16usize, 8u8, val as u64) + } + } + #[inline] + pub unsafe fn private_type_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 16usize, + 8u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_type_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 16usize, + 8u8, + val as u64, + ) + } + } + #[inline] + pub fn private_flags(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(24usize, 2u8) as u32) } + } + #[inline] + pub fn set_private_flags(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(24usize, 2u8, val as u64) + } + } + #[inline] + pub unsafe fn private_flags_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 24usize, + 2u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_flags_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 24usize, + 2u8, + val as u64, + ) + } + } + #[inline] + pub fn private_base_idx(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(26usize, 5u8) as u32) } + } + #[inline] + pub fn set_private_base_idx(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(26usize, 5u8, val as u64) + } + } + #[inline] + pub unsafe fn private_base_idx_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 26usize, + 5u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_base_idx_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 26usize, + 5u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_block_size: ::core::ffi::c_uint, + private_iv_size: ::core::ffi::c_uint, + private_key_bitlen: ::core::ffi::c_uint, + private_mode: ::core::ffi::c_uint, + private_type: ::core::ffi::c_uint, + private_flags: ::core::ffi::c_uint, + private_base_idx: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 4usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 4usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 5u8, { + let private_block_size: u32 = unsafe { ::core::mem::transmute(private_block_size) }; + private_block_size as u64 + }); + __bindgen_bitfield_unit.set(5usize, 3u8, { + let private_iv_size: u32 = unsafe { ::core::mem::transmute(private_iv_size) }; + private_iv_size as u64 + }); + __bindgen_bitfield_unit.set(8usize, 4u8, { + let private_key_bitlen: u32 = unsafe { ::core::mem::transmute(private_key_bitlen) }; + private_key_bitlen as u64 + }); + __bindgen_bitfield_unit.set(12usize, 4u8, { + let private_mode: u32 = unsafe { ::core::mem::transmute(private_mode) }; + private_mode as u64 + }); + __bindgen_bitfield_unit.set(16usize, 8u8, { + let private_type: u32 = unsafe { ::core::mem::transmute(private_type) }; + private_type as u64 + }); + __bindgen_bitfield_unit.set(24usize, 2u8, { + let private_flags: u32 = unsafe { ::core::mem::transmute(private_flags) }; + private_flags as u64 + }); + __bindgen_bitfield_unit.set(26usize, 5u8, { + let private_base_idx: u32 = unsafe { ::core::mem::transmute(private_base_idx) }; + private_base_idx as u64 + }); + __bindgen_bitfield_unit + } +} +/// Generic cipher context. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_cipher_context_t { + /// Information about the associated cipher. + pub private_cipher_info: *const mbedtls_cipher_info_t, + /// Key length to use. + pub private_key_bitlen: ::core::ffi::c_int, + /// Operation that the key of the context has been + /// initialized for. + pub private_operation: mbedtls_operation_t, + /// Padding functions to use, if relevant for + /// the specific cipher mode. + pub private_add_padding: ::core::option::Option< + unsafe extern "C" fn(output: *mut ::core::ffi::c_uchar, olen: usize, data_len: usize), + >, + pub private_get_padding: ::core::option::Option< + unsafe extern "C" fn( + input: *mut ::core::ffi::c_uchar, + ilen: usize, + data_len: *mut usize, + invalid_padding: *mut usize, + ) -> ::core::ffi::c_int, + >, + /// Buffer for input that has not been processed yet. + pub private_unprocessed_data: [::core::ffi::c_uchar; 16usize], + /// Number of Bytes that have not been processed yet. + pub private_unprocessed_len: usize, + /// Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number + /// for XTS-mode. + pub private_iv: [::core::ffi::c_uchar; 16usize], + /// IV size in Bytes, for ciphers with variable-length IVs. + pub private_iv_size: usize, + /// The cipher-specific context. + pub private_cipher_ctx: *mut ::core::ffi::c_void, + /// CMAC-specific context. + pub private_cmac_ctx: *mut mbedtls_cmac_context_t, +} +impl Default for mbedtls_cipher_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); s.assume_init() @@ -4134,7 +4564,7 @@ unsafe extern "C" { ) -> *const mbedtls_cipher_info_t; } unsafe extern "C" { - /// \brief This function initializes a \p cipher_context as NONE. + /// \brief This function initializes a \p ctx as NONE. /// /// \param ctx The context to be initialized. This must not be \c NULL. pub fn mbedtls_cipher_init(ctx: *mut mbedtls_cipher_context_t); @@ -4205,7 +4635,6 @@ unsafe extern "C" { /// \brief This function sets the padding mode, for cipher modes /// that use padding. /// - /// The default passing mode is PKCS7 padding. /// /// \param ctx The generic cipher context. This must be initialized and /// bound to a cipher information structure. @@ -4255,23 +4684,24 @@ unsafe extern "C" { /// /// \note With non-AEAD ciphers, the order of calls for each message /// is as follows: - /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce. - /// 2. mbedtls_cipher_reset() - /// 3. mbedtls_cipher_update() one or more times - /// 4. mbedtls_cipher_finish() + /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce; + /// 2. mbedtls_cipher_reset(); + /// 3. mbedtls_cipher_update() zero, one or more times; + /// 4. mbedtls_cipher_finish_padded() (recommended for decryption + /// if the mode uses padding) or mbedtls_cipher_finish(). /// . /// This sequence can be repeated to encrypt or decrypt multiple /// messages with the same key. /// /// \note With AEAD ciphers, the order of calls for each message /// is as follows: - /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce. - /// 2. mbedtls_cipher_reset() - /// 3. mbedtls_cipher_update_ad() - /// 4. mbedtls_cipher_update() one or more times - /// 5. mbedtls_cipher_finish() + /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce; + /// 2. mbedtls_cipher_reset(); + /// 3. mbedtls_cipher_update_ad(); + /// 4. mbedtls_cipher_update() zero, one or more times; + /// 5. mbedtls_cipher_finish() (or mbedtls_cipher_finish_padded()); /// 6. mbedtls_cipher_check_tag() (for decryption) or - /// mbedtls_cipher_write_tag() (for encryption). + /// mbedtls_cipher_write_tag() (for encryption). /// . /// This sequence can be repeated to encrypt or decrypt multiple /// messages with the same key. @@ -4306,7 +4736,8 @@ unsafe extern "C" { /// many block-sized blocks of data as possible to output. /// Any data that cannot be written immediately is either /// added to the next block, or flushed when - /// mbedtls_cipher_finish() is called. + /// mbedtls_cipher_finish() or mbedtls_cipher_finish_padded() + /// is called. /// Exception: For MBEDTLS_MODE_ECB, expects a single block /// in size. For example, 16 Bytes for AES. /// @@ -4342,12 +4773,30 @@ unsafe extern "C" { /// contained in it is padded to the size of /// the last block, and written to the \p output buffer. /// + /// \warning This function reports invalid padding through an error + /// code. Adversaries may be able to decrypt encrypted + /// data if they can submit chosen ciphertexts and + /// detect whether it has valid padding or not, + /// either through direct observation or through a side + /// channel such as timing. This is known as a + /// padding oracle attack. + /// Therefore applications that call this function for + /// decryption with a cipher that involves padding + /// should take care around error handling. Preferably, + /// such applications should use + /// mbedtls_cipher_finish_padded() instead of this function. + /// /// \param ctx The generic cipher context. This must be initialized and /// bound to a key. /// \param output The buffer to write data to. This needs to be a writable - /// buffer of at least \p block_size Bytes. + /// buffer of at least block_size Bytes. /// \param olen The length of the data written to the \p output buffer. /// This may not be \c NULL. + /// Note that when decrypting in a mode with padding, + /// the actual output length is sensitive and may be + /// used to mount a padding oracle attack (see warning + /// above), although less efficiently than through + /// the invalid-padding condition. /// /// \return \c 0 on success. /// \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on @@ -4355,7 +4804,8 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption /// expecting a full block but not receiving one. /// \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding - /// while decrypting. + /// while decrypting. Note that invalid-padding errors + /// should be handled carefully; see the warning above. /// \return A cipher-specific error code on failure. pub fn mbedtls_cipher_finish( ctx: *mut mbedtls_cipher_context_t, @@ -4363,10 +4813,60 @@ unsafe extern "C" { olen: *mut usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief The generic cipher finalization function. If data still + /// needs to be flushed from an incomplete block, the data + /// contained in it is padded to the size of + /// the last block, and written to the \p output buffer. + /// + /// \note This function is similar to mbedtls_cipher_finish(). + /// The only difference is that it reports invalid padding + /// decryption differently, through the \p invalid_padding + /// parameter rather than an error code. + /// For encryption, and in modes without padding (including + /// all authenticated modes), this function is identical + /// to mbedtls_cipher_finish(). + /// + /// \param[in,out] ctx The generic cipher context. This must be initialized and + /// bound to a key. + /// \param[out] output The buffer to write data to. This needs to be a writable + /// buffer of at least block_size Bytes. + /// \param[out] olen The length of the data written to the \p output buffer. + /// This may not be \c NULL. + /// Note that when decrypting in a mode with padding, + /// the actual output length is sensitive and may be + /// used to mount a padding oracle attack (see warning + /// on mbedtls_cipher_finish()). + /// \param[out] invalid_padding + /// If this function returns \c 0 on decryption, + /// \p *invalid_padding is \c 0 if the ciphertext was + /// valid, and all-bits-one if the ciphertext had invalid + /// padding. + /// On encryption, or in a mode without padding (including + /// all authenticated modes), \p *invalid_padding is \c 0 + /// on success. + /// The value in \p *invalid_padding is unspecified if + /// this function returns a nonzero status. + /// + /// \return \c 0 on success. + /// Also \c 0 for decryption with invalid padding. + /// \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on + /// parameter-verification failure. + /// \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption + /// expecting a full block but not receiving one. + /// \return A cipher-specific error code on failure. + pub fn mbedtls_cipher_finish_padded( + ctx: *mut mbedtls_cipher_context_t, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + invalid_padding: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief This function writes a tag for AEAD ciphers. /// Currently supported with GCM and ChaCha20+Poly1305. - /// This must be called after mbedtls_cipher_finish(). + /// This must be called after mbedtls_cipher_finish() + /// or mbedtls_cipher_finish_padded(). /// /// \param ctx The generic cipher context. This must be initialized, /// bound to a key, and have just completed a cipher @@ -4387,7 +4887,8 @@ unsafe extern "C" { unsafe extern "C" { /// \brief This function checks the tag for AEAD ciphers. /// Currently supported with GCM and ChaCha20+Poly1305. - /// This must be called after mbedtls_cipher_finish(). + /// This must be called after mbedtls_cipher_finish() + /// or mbedtls_cipher_finish_padded(). /// /// \param ctx The generic cipher context. This must be initialized. /// \param tag The buffer holding the tag. This must be a readable @@ -4572,8 +5073,6 @@ pub struct mbedtls_ccm_context { pub private_y: [::core::ffi::c_uchar; 16usize], ///< The counter buffer pub private_ctr: [::core::ffi::c_uchar; 16usize], - ///< The cipher context used. - pub private_cipher_ctx: mbedtls_cipher_context_t, ///< Total plaintext length pub private_plaintext_len: usize, ///< Total authentication data length @@ -4588,16 +5087,17 @@ pub struct mbedtls_ccm_context { ///auth data input is finished. pub private_processed: usize, ///< The Q working value - pub private_q: ::core::ffi::c_uchar, + pub private_q: ::core::ffi::c_uint, ///< The operation to perform: ///#MBEDTLS_CCM_ENCRYPT or ///#MBEDTLS_CCM_DECRYPT or ///#MBEDTLS_CCM_STAR_ENCRYPT or ///#MBEDTLS_CCM_STAR_DECRYPT. - pub private_mode: ::core::ffi::c_uchar, + pub private_mode: ::core::ffi::c_uint, + ///< The cipher context used. + pub private_cipher_ctx: mbedtls_cipher_context_t, ///< Working value holding context's - ///state. Used for chunked data - ///input + ///state. Used for chunked data input pub private_state: ::core::ffi::c_int, } impl Default for mbedtls_ccm_context { @@ -5840,47 +6340,59 @@ unsafe extern "C" { /// \return \c 1 on failure. pub fn mbedtls_cmac_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -/// \brief The CTR_DRBG context structure. +///< None. +pub const mbedtls_md_type_t_MBEDTLS_MD_NONE: mbedtls_md_type_t = 0; +///< The MD5 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_MD5: mbedtls_md_type_t = 3; +///< The RIPEMD-160 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_RIPEMD160: mbedtls_md_type_t = 4; +///< The SHA-1 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA1: mbedtls_md_type_t = 5; +///< The SHA-224 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA224: mbedtls_md_type_t = 8; +///< The SHA-256 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA256: mbedtls_md_type_t = 9; +///< The SHA-384 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA384: mbedtls_md_type_t = 10; +///< The SHA-512 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA512: mbedtls_md_type_t = 11; +///< The SHA3-224 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_224: mbedtls_md_type_t = 16; +///< The SHA3-256 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_256: mbedtls_md_type_t = 17; +///< The SHA3-384 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_384: mbedtls_md_type_t = 18; +///< The SHA3-512 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_512: mbedtls_md_type_t = 19; +/// \brief Supported message digests. +/// +/// \warning MD5 and SHA-1 are considered weak message digests and +/// their use constitutes a security risk. We recommend considering +/// stronger message digests instead. +pub type mbedtls_md_type_t = ::core::ffi::c_uint; #[repr(C)] #[derive(Copy, Clone)] -pub struct mbedtls_ctr_drbg_context { - ///< The counter (V). - pub private_counter: [::core::ffi::c_uchar; 16usize], - ///< The reseed counter. - /// This is the number of requests that have - /// been made since the last (re)seeding, - /// minus one. - /// Before the initial seeding, this field - /// contains the amount of entropy in bytes - /// to use as a nonce for the initial seeding, - /// or -1 if no nonce length has been explicitly - /// set (see mbedtls_ctr_drbg_set_nonce_len()). - pub private_reseed_counter: ::core::ffi::c_int, - ///< This determines whether prediction - ///resistance is enabled, that is - ///whether to systematically reseed before - ///each random generation. - pub private_prediction_resistance: ::core::ffi::c_int, - ///< The amount of entropy grabbed on each - ///seed or reseed operation, in bytes. - pub private_entropy_len: usize, - ///< The reseed interval. - /// This is the maximum number of requests - /// that can be made between reseedings. - pub private_reseed_interval: ::core::ffi::c_int, - ///< The AES context. - pub private_aes_ctx: mbedtls_aes_context, - pub private_f_entropy: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - ///< The context for the entropy function. - pub private_p_entropy: *mut ::core::ffi::c_void, +pub struct mbedtls_md_info_t { + _unused: [u8; 0], } -impl Default for mbedtls_ctr_drbg_context { +pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_LEGACY: mbedtls_md_engine_t = 0; +pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_PSA: mbedtls_md_engine_t = 1; +/// Used internally to indicate whether a context uses legacy or PSA. +/// +/// Internal use only. +pub type mbedtls_md_engine_t = ::core::ffi::c_uint; +/// The generic message-digest context. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_md_context_t { + /// Information about the associated message digest. + pub private_md_info: *const mbedtls_md_info_t, + /// The digest-specific context (legacy) or the PSA operation. + pub private_md_ctx: *mut ::core::ffi::c_void, + /// The HMAC part of the context. + pub private_hmac_ctx: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_md_context_t { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -5890,4389 +6402,3745 @@ impl Default for mbedtls_ctr_drbg_context { } } unsafe extern "C" { - /// \brief This function initializes the CTR_DRBG context, - /// and prepares it for mbedtls_ctr_drbg_seed() - /// or mbedtls_ctr_drbg_free(). + /// \brief This function returns the message-digest information + /// associated with the given digest type. /// - /// \note The reseed interval is - /// #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default. - /// You can override it by calling - /// mbedtls_ctr_drbg_set_reseed_interval(). + /// \param md_type The type of digest to search for. /// - /// \param ctx The CTR_DRBG context to initialize. - pub fn mbedtls_ctr_drbg_init(ctx: *mut mbedtls_ctr_drbg_context); + /// \return The message-digest information associated with \p md_type. + /// \return NULL if the associated message-digest information is not found. + pub fn mbedtls_md_info_from_type(md_type: mbedtls_md_type_t) -> *const mbedtls_md_info_t; } unsafe extern "C" { - /// - The \p custom string. - /// - /// \note To achieve the nominal security strength permitted - /// by CTR_DRBG, the entropy length must be: - /// - at least 16 bytes for a 128-bit strength - /// (maximum achievable strength when using AES-128); - /// - at least 32 bytes for a 256-bit strength - /// (maximum achievable strength when using AES-256). - /// - /// In addition, if you do not pass a nonce in \p custom, - /// the sum of the entropy length - /// and the entropy nonce length must be: - /// - at least 24 bytes for a 128-bit strength - /// (maximum achievable strength when using AES-128); - /// - at least 48 bytes for a 256-bit strength - /// (maximum achievable strength when using AES-256). - /// - /// \param ctx The CTR_DRBG context to seed. - /// It must have been initialized with - /// mbedtls_ctr_drbg_init(). - /// After a successful call to mbedtls_ctr_drbg_seed(), - /// you may not call mbedtls_ctr_drbg_seed() again on - /// the same context unless you call - /// mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init() - /// again first. - /// After a failed call to mbedtls_ctr_drbg_seed(), - /// you must call mbedtls_ctr_drbg_free(). - /// \param f_entropy The entropy callback, taking as arguments the - /// \p p_entropy context, the buffer to fill, and the - /// length of the buffer. - /// \p f_entropy is always called with a buffer size - /// less than or equal to the entropy length. - /// \param p_entropy The entropy context to pass to \p f_entropy. - /// \param custom The personalization string. - /// This can be \c NULL, in which case the personalization - /// string is empty regardless of the value of \p len. - /// \param len The length of the personalization string. - /// This must be at most - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// - #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// \brief This function initializes a message-digest context without + /// binding it to a particular message-digest algorithm. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. - pub fn mbedtls_ctr_drbg_seed( - ctx: *mut mbedtls_ctr_drbg_context, - f_entropy: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_entropy: *mut ::core::ffi::c_void, - custom: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// This function should always be called first. It prepares the + /// context for mbedtls_md_setup() for binding it to a + /// message-digest algorithm. + pub fn mbedtls_md_init(ctx: *mut mbedtls_md_context_t); } unsafe extern "C" { - /// \brief This function resets CTR_DRBG context to the state immediately - /// after initial call of mbedtls_ctr_drbg_init(). + /// \brief This function clears the internal structure of \p ctx and + /// frees any embedded internal structure, but does not free + /// \p ctx itself. /// - /// \param ctx The CTR_DRBG context to clear. - pub fn mbedtls_ctr_drbg_free(ctx: *mut mbedtls_ctr_drbg_context); + /// If you have called mbedtls_md_setup() on \p ctx, you must + /// call mbedtls_md_free() when you are no longer using the + /// context. + /// Calling this function if you have previously + /// called mbedtls_md_init() and nothing else is optional. + /// You must not call this function if you have not called + /// mbedtls_md_init(). + pub fn mbedtls_md_free(ctx: *mut mbedtls_md_context_t); } unsafe extern "C" { - /// \brief This function turns prediction resistance on or off. - /// The default value is off. + /// \brief This function selects the message digest algorithm to use, + /// and allocates internal structures. /// - /// \note If enabled, entropy is gathered at the beginning of - /// every call to mbedtls_ctr_drbg_random_with_add() - /// or mbedtls_ctr_drbg_random(). - /// Only use this if your entropy source has sufficient - /// throughput. + /// It should be called after mbedtls_md_init() or + /// mbedtls_md_free(). Makes it necessary to call + /// mbedtls_md_free() later. /// - /// \param ctx The CTR_DRBG context. - /// \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF. - pub fn mbedtls_ctr_drbg_set_prediction_resistance( - ctx: *mut mbedtls_ctr_drbg_context, - resistance: ::core::ffi::c_int, - ); + /// \param ctx The context to set up. + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory), + /// or non-zero: HMAC is used with this context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + /// \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure. + pub fn mbedtls_md_setup( + ctx: *mut mbedtls_md_context_t, + md_info: *const mbedtls_md_info_t, + hmac: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the amount of entropy grabbed on each - /// seed or reseed. - /// - /// The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// \brief This function clones the state of a message-digest + /// context. /// - /// \note The security strength of CTR_DRBG is bounded by the - /// entropy length. Thus: - /// - When using AES-256 - /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled, - /// which is the default), - /// \p len must be at least 32 (in bytes) - /// to achieve a 256-bit strength. - /// - When using AES-128 - /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) - /// \p len must be at least 16 (in bytes) - /// to achieve a 128-bit strength. + /// \note You must call mbedtls_md_setup() on \c dst before calling + /// this function. /// - /// \param ctx The CTR_DRBG context. - /// \param len The amount of entropy to grab, in bytes. - /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// and at most the maximum length accepted by the - /// entropy function that is set in the context. - pub fn mbedtls_ctr_drbg_set_entropy_len(ctx: *mut mbedtls_ctr_drbg_context, len: usize); -} -unsafe extern "C" { - /// \brief This function sets the amount of entropy grabbed - /// as a nonce for the initial seeding. + /// \note The two contexts must have the same type, + /// for example, both are SHA-256. /// - /// Call this function before calling mbedtls_ctr_drbg_seed() to read - /// a nonce from the entropy source during the initial seeding. + /// \warning This function clones the message-digest state, not the + /// HMAC state. /// - /// \param ctx The CTR_DRBG context. - /// \param len The amount of entropy to grab for the nonce, in bytes. - /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// and at most the maximum length accepted by the - /// entropy function that is set in the context. + /// \param dst The destination context. + /// \param src The context to be cloned. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is - /// more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED - /// if the initial seeding has already taken place. - pub fn mbedtls_ctr_drbg_set_nonce_len( - ctx: *mut mbedtls_ctr_drbg_context, - len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure. + /// \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are + /// not using the same engine. This can be avoided by moving + /// the call to psa_crypto_init() before the first call to + /// mbedtls_md_setup(). + pub fn mbedtls_md_clone( + dst: *mut mbedtls_md_context_t, + src: *const mbedtls_md_context_t, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the reseed interval. - /// - /// The reseed interval is the number of calls to mbedtls_ctr_drbg_random() - /// or mbedtls_ctr_drbg_random_with_add() after which the entropy function - /// is called again. + /// \brief This function extracts the message-digest size from the + /// message-digest information structure. /// - /// The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL. + /// \param md_info The information structure of the message-digest algorithm + /// to use. /// - /// \param ctx The CTR_DRBG context. - /// \param interval The reseed interval. - pub fn mbedtls_ctr_drbg_set_reseed_interval( - ctx: *mut mbedtls_ctr_drbg_context, - interval: ::core::ffi::c_int, - ); + /// \return The size of the message-digest output in Bytes. + pub fn mbedtls_md_get_size(md_info: *const mbedtls_md_info_t) -> ::core::ffi::c_uchar; } unsafe extern "C" { - /// \brief This function reseeds the CTR_DRBG context, that is - /// extracts data from the entropy source. + /// \brief This function extracts the message-digest type from the + /// message-digest information structure. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// \param md_info The information structure of the message-digest algorithm + /// to use. /// - /// \param ctx The CTR_DRBG context. - /// \param additional Additional data to add to the state. Can be \c NULL. - /// \param len The length of the additional data. - /// This must be less than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len - /// where \c entropy_len is the entropy length - /// configured for the context. + /// \return The type of the message digest. + pub fn mbedtls_md_get_type(md_info: *const mbedtls_md_info_t) -> mbedtls_md_type_t; +} +unsafe extern "C" { + /// \brief This function starts a message-digest computation. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. - pub fn mbedtls_ctr_drbg_reseed( - ctx: *mut mbedtls_ctr_drbg_context, - additional: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// You must call this function after setting up the context + /// with mbedtls_md_setup(), and before passing data with + /// mbedtls_md_update(). + /// + /// \param ctx The generic message-digest context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_starts(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function updates the state of the CTR_DRBG context. + /// \brief This function feeds an input buffer into an ongoing + /// message-digest computation. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// You must call mbedtls_md_starts() before calling this + /// function. You may call this function multiple times. + /// Afterwards, call mbedtls_md_finish(). /// - /// \param ctx The CTR_DRBG context. - /// \param additional The data to update the state with. This must not be - /// \c NULL unless \p add_len is \c 0. - /// \param add_len Length of \p additional in bytes. This must be at - /// most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \param ctx The generic message-digest context. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if - /// \p add_len is more than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. - /// \return An error from the underlying AES cipher on failure. - pub fn mbedtls_ctr_drbg_update( - ctx: *mut mbedtls_ctr_drbg_context, - additional: *const ::core::ffi::c_uchar, - add_len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_update( + ctx: *mut mbedtls_md_context_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function updates a CTR_DRBG instance with additional - /// data and uses it to generate random data. - /// - /// This function automatically reseeds if the reseed counter is exceeded - /// or prediction resistance is enabled. + /// \brief This function finishes the digest operation, + /// and writes the result to the output buffer. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// Call this function after a call to mbedtls_md_starts(), + /// followed by any number of calls to mbedtls_md_update(). + /// Afterwards, you may either clear the context with + /// mbedtls_md_free(), or call mbedtls_md_starts() to reuse + /// the context for another digest operation with the same + /// algorithm. /// - /// \param p_rng The CTR_DRBG context. This must be a pointer to a - /// #mbedtls_ctr_drbg_context structure. - /// \param output The buffer to fill. - /// \param output_len The length of the buffer in bytes. - /// \param additional Additional data to update. Can be \c NULL, in which - /// case the additional data is empty regardless of - /// the value of \p add_len. - /// \param add_len The length of the additional data - /// if \p additional is not \c NULL. - /// This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT - /// and less than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len - /// where \c entropy_len is the entropy length - /// configured for the context. + /// \param ctx The generic message-digest context. + /// \param output The buffer for the generic message-digest checksum result. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or - /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. - pub fn mbedtls_ctr_drbg_random_with_add( - p_rng: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_finish( + ctx: *mut mbedtls_md_context_t, output: *mut ::core::ffi::c_uchar, - output_len: usize, - additional: *const ::core::ffi::c_uchar, - add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \param p_rng The CTR_DRBG context. This must be a pointer to a - /// #mbedtls_ctr_drbg_context structure. - /// \param output The buffer to fill. - /// \param output_len The length of the buffer in bytes. + /// \brief This function calculates the message-digest of a buffer, + /// with respect to a configurable message-digest algorithm + /// in a single call. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or - /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. - pub fn mbedtls_ctr_drbg_random( - p_rng: *mut ::core::ffi::c_void, + /// The result is calculated as + /// Output = message_digest(input buffer). + /// + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param input The buffer holding the data. + /// \param ilen The length of the input data. + /// \param output The generic message-digest checksum result. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md( + md_info: *const mbedtls_md_info_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, output: *mut ::core::ffi::c_uchar, - output_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief The CTR_DRBG checkup routine. + /// \brief This function returns the list of digests supported by the + /// generic digest module. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_ctr_drbg_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -///< Curve not defined. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_NONE: mbedtls_ecp_group_id = 0; -///< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192R1: mbedtls_ecp_group_id = 1; -///< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224R1: mbedtls_ecp_group_id = 2; -///< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256R1: mbedtls_ecp_group_id = 3; -///< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP384R1: mbedtls_ecp_group_id = 4; -///< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP521R1: mbedtls_ecp_group_id = 5; -///< Domain parameters for 256-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP256R1: mbedtls_ecp_group_id = 6; -///< Domain parameters for 384-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP384R1: mbedtls_ecp_group_id = 7; -///< Domain parameters for 512-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP512R1: mbedtls_ecp_group_id = 8; -///< Domain parameters for Curve25519. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE25519: mbedtls_ecp_group_id = 9; -///< Domain parameters for 192-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192K1: mbedtls_ecp_group_id = 10; -///< Domain parameters for 224-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224K1: mbedtls_ecp_group_id = 11; -///< Domain parameters for 256-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256K1: mbedtls_ecp_group_id = 12; -///< Domain parameters for Curve448. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE448: mbedtls_ecp_group_id = 13; -/// Domain-parameter identifiers: curve, subgroup, and generator. -/// -/// \note Only curves over prime fields are supported. -/// -/// \warning This library does not support validation of arbitrary domain -/// parameters. Therefore, only standardized domain parameters from trusted -/// sources should be used. See mbedtls_ecp_group_load(). -pub type mbedtls_ecp_group_id = ::core::ffi::c_uint; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_NONE: mbedtls_ecp_curve_type = 0; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: mbedtls_ecp_curve_type = 1; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_MONTGOMERY: mbedtls_ecp_curve_type = 2; -pub type mbedtls_ecp_curve_type = ::core::ffi::c_uint; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_NONE: mbedtls_ecp_modulus_type = 0; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_COORDINATE: mbedtls_ecp_modulus_type = 1; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_SCALAR: mbedtls_ecp_modulus_type = 2; -pub type mbedtls_ecp_modulus_type = ::core::ffi::c_uint; -/// Curve information, for use by other modules. -/// -/// The fields of this structure are part of the public API and can be -/// accessed directly by applications. Future versions of the library may -/// add extra fields or reorder existing fields. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_curve_info { - ///< An internal identifier. - pub grp_id: mbedtls_ecp_group_id, - ///< The TLS NamedCurve identifier. - pub tls_id: u16, - ///< The curve size in bits. - pub bit_size: u16, - ///< A human-friendly name. - pub name: *const ::core::ffi::c_char, + /// \note The list starts with the strongest available hashes. + /// + /// \return A statically allocated array of digests. Each element + /// in the returned list is an integer belonging to the + /// message-digest enumeration #mbedtls_md_type_t. + /// The last entry is 0. + pub fn mbedtls_md_list() -> *const ::core::ffi::c_int; } -impl Default for mbedtls_ecp_curve_info { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief This function returns the message-digest information + /// associated with the given digest name. + /// + /// \param md_name The name of the digest to search for. + /// + /// \return The message-digest information associated with \p md_name. + /// \return NULL if the associated message-digest information is not found. + pub fn mbedtls_md_info_from_string( + md_name: *const ::core::ffi::c_char, + ) -> *const mbedtls_md_info_t; } -/// \brief The ECP point structure, in Jacobian coordinates. -/// -/// \note All functions expect and return points satisfying -/// the following condition: Z == 0 or -/// Z == 1. Other values of \p Z are -/// used only by internal functions. -/// The point is zero, or "at infinity", if Z == 0. -/// Otherwise, \p X and \p Y are its standard (affine) -/// coordinates. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_point { - ///< The X coordinate of the ECP point. - pub private_X: mbedtls_mpi, - ///< The Y coordinate of the ECP point. - pub private_Y: mbedtls_mpi, - ///< The Z coordinate of the ECP point. - pub private_Z: mbedtls_mpi, -} -impl Default for mbedtls_ecp_point { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -/// \brief The ECP group structure. -/// -/// We consider two types of curve equations: -///
  • Short Weierstrass: y^2 = x^3 + A x + B mod P -/// (SEC1 + RFC-4492)
    • -///
  • Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, -/// Curve448)
-/// In both cases, the generator (\p G) for a prime-order subgroup is fixed. -/// -/// For Short Weierstrass, this subgroup is the whole curve, and its -/// cardinality is denoted by \p N. Our code requires that \p N is an -/// odd prime as mbedtls_ecp_mul() requires an odd number, and -/// mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. -/// -/// For Montgomery curves, we do not store \p A, but (A + 2) / 4, -/// which is the quantity used in the formulas. Additionally, \p nbits is -/// not the size of \p N but the required size for private keys. -/// -/// If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. -/// Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the -/// range of 0..2^(2*pbits)-1, and transforms it in-place to an integer -/// which is congruent mod \p P to the given MPI, and is close enough to \p pbits -/// in size, so that it may be efficiently brought in the 0..P-1 range by a few -/// additions or subtractions. Therefore, it is only an approximative modular -/// reduction. It must return 0 on success and non-zero on failure. -/// -/// \note Alternative implementations of the ECP module must obey the -/// following constraints. -/// * Group IDs must be distinct: if two group structures have -/// the same ID, then they must be identical. -/// * The fields \c id, \c P, \c A, \c B, \c G, \c N, -/// \c pbits and \c nbits must have the same type and semantics -/// as in the built-in implementation. -/// They must be available for reading, but direct modification -/// of these fields does not need to be supported. -/// They do not need to be at the same offset in the structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_group { - ///< An internal group identifier. - pub id: mbedtls_ecp_group_id, - ///< The prime modulus of the base field. - pub P: mbedtls_mpi, - ///< For Short Weierstrass: \p A in the equation. For - ///Montgomery curves: (A + 2) / 4. - pub A: mbedtls_mpi, - ///< For Short Weierstrass: \p B in the equation. - ///For Montgomery curves: unused. - pub B: mbedtls_mpi, - ///< The generator of the subgroup used. - pub G: mbedtls_ecp_point, - ///< The order of \p G. - pub N: mbedtls_mpi, - ///< The number of bits in \p P. - pub pbits: usize, - ///< For Short Weierstrass: The number of bits in \p P. - ///For Montgomery curves: the number of bits in the - ///private keys. - pub nbits: usize, - ///< \internal 1 if the constants are static. - pub private_h: ::core::ffi::c_uint, - ///< The function for fast pseudo-reduction - ///mod \p P (see above). - pub private_modp: - ::core::option::Option ::core::ffi::c_int>, - ///< Unused. - pub private_t_pre: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut mbedtls_ecp_point, - arg2: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int, - >, - ///< Unused. - pub private_t_post: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut mbedtls_ecp_point, - arg2: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int, - >, - ///< Unused. - pub private_t_data: *mut ::core::ffi::c_void, - ///< Pre-computed points for ecp_mul_comb(). - pub private_T: *mut mbedtls_ecp_point, - ///< The number of dynamic allocated pre-computed points. - pub private_T_size: usize, -} -impl Default for mbedtls_ecp_group { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -pub type mbedtls_ecp_restart_ctx = ::core::ffi::c_void; -/// \brief The ECP key-pair structure. -/// -/// A generic key-pair that may be used for ECDSA and fixed ECDH, for example. -/// -/// \note Members are deliberately in the same order as in the -/// ::mbedtls_ecdsa_context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_keypair { - ///< Elliptic curve and base point - pub private_grp: mbedtls_ecp_group, - ///< our secret value - pub private_d: mbedtls_mpi, - ///< our public value - pub private_Q: mbedtls_ecp_point, -} -impl Default for mbedtls_ecp_keypair { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - pub fn mbedtls_ecp_get_type(grp: *const mbedtls_ecp_group) -> mbedtls_ecp_curve_type; +unsafe extern "C" { + /// \brief This function returns the name of the message digest for + /// the message-digest information structure given. + /// + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// + /// \return The name of the message digest. + pub fn mbedtls_md_get_name(md_info: *const mbedtls_md_info_t) -> *const ::core::ffi::c_char; } unsafe extern "C" { - /// \brief This function retrieves the information defined in - /// mbedtls_ecp_curve_info() for all supported curves. + /// \brief This function returns the message-digest information + /// from the given context. /// - /// \note This function returns information about all curves - /// supported by the library. Some curves may not be - /// supported for all algorithms. Call mbedtls_ecdh_can_do() - /// or mbedtls_ecdsa_can_do() to check if a curve is - /// supported for ECDH or ECDSA. + /// \param ctx The context from which to extract the information. + /// This must be initialized (or \c NULL). /// - /// \return A statically allocated array. The last entry is 0. - pub fn mbedtls_ecp_curve_list() -> *const mbedtls_ecp_curve_info; + /// \return The message-digest information associated with \p ctx. + /// \return \c NULL if \p ctx is \c NULL. + pub fn mbedtls_md_info_from_ctx(ctx: *const mbedtls_md_context_t) -> *const mbedtls_md_info_t; } unsafe extern "C" { - /// \brief This function retrieves the list of internal group - /// identifiers of all supported curves in the order of - /// preference. + /// \brief This function sets the HMAC key and prepares to + /// authenticate a new message. /// - /// \note This function returns information about all curves - /// supported by the library. Some curves may not be - /// supported for all algorithms. Call mbedtls_ecdh_can_do() - /// or mbedtls_ecdsa_can_do() to check if a curve is - /// supported for ECDH or ECDSA. + /// Call this function after mbedtls_md_setup(), to use + /// the MD context for an HMAC calculation, then call + /// mbedtls_md_hmac_update() to provide the input data, and + /// mbedtls_md_hmac_finish() to get the HMAC value. /// - /// \return A statically allocated array, - /// terminated with MBEDTLS_ECP_DP_NONE. - pub fn mbedtls_ecp_grp_id_list() -> *const mbedtls_ecp_group_id; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param key The HMAC secret key. + /// \param keylen The length of the HMAC key in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_starts( + ctx: *mut mbedtls_md_context_t, + key: *const ::core::ffi::c_uchar, + keylen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from an internal - /// group identifier. + /// \brief This function feeds an input buffer into an ongoing HMAC + /// computation. /// - /// \param grp_id An \c MBEDTLS_ECP_DP_XXX value. + /// Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() + /// before calling this function. + /// You may call this function multiple times to pass the + /// input piecewise. + /// Afterwards, call mbedtls_md_hmac_finish(). /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_grp_id( - grp_id: mbedtls_ecp_group_id, - ) -> *const mbedtls_ecp_curve_info; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_update( + ctx: *mut mbedtls_md_context_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from a TLS - /// NamedCurve value. + /// \brief This function finishes the HMAC operation, and writes + /// the result to the output buffer. /// - /// \param tls_id An \c MBEDTLS_ECP_DP_XXX value. + /// Call this function after mbedtls_md_hmac_starts() and + /// mbedtls_md_hmac_update() to get the HMAC value. Afterwards + /// you may either call mbedtls_md_free() to clear the context, + /// or call mbedtls_md_hmac_reset() to reuse the context with + /// the same HMAC key. /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_tls_id(tls_id: u16) -> *const mbedtls_ecp_curve_info; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param output The generic HMAC checksum result. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_finish( + ctx: *mut mbedtls_md_context_t, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from a - /// human-readable name. + /// \brief This function prepares to authenticate a new message with + /// the same key as the previous HMAC operation. /// - /// \param name The human-readable name. + /// You may call this function after mbedtls_md_hmac_finish(). + /// Afterwards call mbedtls_md_hmac_update() to pass the new + /// input. /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_name( - name: *const ::core::ffi::c_char, - ) -> *const mbedtls_ecp_curve_info; -} -unsafe extern "C" { - /// \brief This function initializes a point as zero. + /// \param ctx The message digest context containing an embedded HMAC + /// context. /// - /// \param pt The point to initialize. - pub fn mbedtls_ecp_point_init(pt: *mut mbedtls_ecp_point); + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_reset(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function initializes an ECP group context - /// without loading any domain parameters. + /// \brief This function calculates the full generic HMAC + /// on the input buffer with the provided key. /// - /// \note After this function is called, domain parameters - /// for various ECP groups can be loaded through the - /// mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() - /// functions. - pub fn mbedtls_ecp_group_init(grp: *mut mbedtls_ecp_group); -} -unsafe extern "C" { - /// \brief This function initializes a key pair as an invalid one. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// \param key The key pair to initialize. - pub fn mbedtls_ecp_keypair_init(key: *mut mbedtls_ecp_keypair); -} -unsafe extern "C" { - /// \brief This function frees the components of a point. + /// The HMAC result is calculated as + /// output = generic HMAC(hmac key, input buffer). /// - /// \param pt The point to free. - pub fn mbedtls_ecp_point_free(pt: *mut mbedtls_ecp_point); -} -unsafe extern "C" { - /// \brief This function frees the components of an ECP group. + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param key The HMAC secret key. + /// \param keylen The length of the HMAC secret key in Bytes. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. + /// \param output The generic HMAC result. /// - /// \param grp The group to free. This may be \c NULL, in which - /// case this function returns immediately. If it is not - /// \c NULL, it must point to an initialized ECP group. - pub fn mbedtls_ecp_group_free(grp: *mut mbedtls_ecp_group); + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac( + md_info: *const mbedtls_md_info_t, + key: *const ::core::ffi::c_uchar, + keylen: usize, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief This function frees the components of a key pair. - /// - /// \param key The key pair to free. This may be \c NULL, in which - /// case this function returns immediately. If it is not - /// \c NULL, it must point to an initialized ECP key pair. - pub fn mbedtls_ecp_keypair_free(key: *mut mbedtls_ecp_keypair); +/// \brief Entropy poll callback pointer +/// +/// \param data Callback-specific data pointer +/// \param output Data to fill +/// \param len Maximum size to provide +/// \param olen The actual amount of bytes put into the buffer (Can be 0) +/// +/// \return 0 if no critical failures occurred, +/// MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise +pub type mbedtls_entropy_f_source_ptr = ::core::option::Option< + unsafe extern "C" fn( + data: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + ) -> ::core::ffi::c_int, +>; +/// \brief Entropy source state +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_entropy_source_state { + ///< The entropy source callback + pub private_f_source: mbedtls_entropy_f_source_ptr, + ///< The callback data pointer + pub private_p_source: *mut ::core::ffi::c_void, + ///< Amount received in bytes + pub private_size: usize, + ///< Minimum bytes required before release + pub private_threshold: usize, + ///< Is the source strong? + pub private_strong: ::core::ffi::c_int, } -unsafe extern "C" { - /// \brief This function copies the contents of point \p Q into - /// point \p P. - /// - /// \param P The destination point. This must be initialized. - /// \param Q The source point. This must be initialized. - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code for other kinds of failure. - pub fn mbedtls_ecp_copy( - P: *mut mbedtls_ecp_point, - Q: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_entropy_source_state { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +/// \brief Entropy context structure +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_entropy_context { + pub private_accumulator: mbedtls_md_context_t, + pub private_accumulator_started: ::core::ffi::c_int, + pub private_source_count: ::core::ffi::c_int, + pub private_source: [mbedtls_entropy_source_state; 20usize], +} +impl Default for mbedtls_entropy_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief This function copies the contents of group \p src into - /// group \p dst. - /// - /// \param dst The destination group. This must be initialized. - /// \param src The source group. This must be initialized. + /// \brief Initialize the context /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_group_copy( - dst: *mut mbedtls_ecp_group, - src: *const mbedtls_ecp_group, - ) -> ::core::ffi::c_int; + /// \param ctx Entropy context to initialize + pub fn mbedtls_entropy_init(ctx: *mut mbedtls_entropy_context); } unsafe extern "C" { - /// \brief This function sets a point to the point at infinity. - /// - /// \param pt The point to set. This must be initialized. + /// \brief Free the data in the context /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_set_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; + /// \param ctx Entropy context to free + pub fn mbedtls_entropy_free(ctx: *mut mbedtls_entropy_context); } unsafe extern "C" { - /// \brief This function checks if a point is the point at infinity. + /// \brief Adds an entropy source to poll + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param pt The point to test. This must be initialized. + /// \param ctx Entropy context + /// \param f_source Entropy function + /// \param p_source Function data + /// \param threshold Minimum required from source before entropy is released + /// ( with mbedtls_entropy_func() ) (in bytes) + /// \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or + /// MBEDTLS_ENTROPY_SOURCE_WEAK. + /// At least one strong source needs to be added. + /// Weaker sources (such as the cycle counter) can be used as + /// a complement. /// - /// \return \c 1 if the point is zero. - /// \return \c 0 if the point is non-zero. - /// \return A negative error code on failure. - pub fn mbedtls_ecp_is_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; + /// \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES + pub fn mbedtls_entropy_add_source( + ctx: *mut mbedtls_entropy_context, + f_source: mbedtls_entropy_f_source_ptr, + p_source: *mut ::core::ffi::c_void, + threshold: usize, + strong: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function compares two points. - /// - /// \note This assumes that the points are normalized. Otherwise, - /// they may compare as "not equal" even if they are. + /// \brief Trigger an extra gather poll for the accumulator + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param P The first point to compare. This must be initialized. - /// \param Q The second point to compare. This must be initialized. + /// \param ctx Entropy context /// - /// \return \c 0 if the points are equal. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal. - pub fn mbedtls_ecp_point_cmp( - P: *const mbedtls_ecp_point, - Q: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; + /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + pub fn mbedtls_entropy_gather(ctx: *mut mbedtls_entropy_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports a non-zero point from two ASCII - /// strings. + /// \brief Retrieve entropy from the accumulator + /// (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE) + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param P The destination point. This must be initialized. - /// \param radix The numeric base of the input. - /// \param x The first affine coordinate, as a null-terminated string. - /// \param y The second affine coordinate, as a null-terminated string. + /// \param data Entropy context + /// \param output Buffer to fill + /// \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_MPI_XXX error code on failure. - pub fn mbedtls_ecp_point_read_string( - P: *mut mbedtls_ecp_point, - radix: ::core::ffi::c_int, - x: *const ::core::ffi::c_char, - y: *const ::core::ffi::c_char, + /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + pub fn mbedtls_entropy_func( + data: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports a point into unsigned binary data. + /// \brief Add data to the accumulator manually + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param grp The group to which the point should belong. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param P The point to export. This must be initialized. - /// \param format The point format. This must be either - /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. - /// (For groups without these formats, this parameter is - /// ignored. But it still has to be either of the above - /// values.) - /// \param olen The address at which to store the length of - /// the output in Bytes. This must not be \c NULL. - /// \param buf The output buffer. This must be a writable buffer - /// of length \p buflen Bytes. - /// \param buflen The length of the output buffer \p buf in Bytes. + /// \param ctx Entropy context + /// \param data Data to add + /// \param len Length of data /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer - /// is too small to hold the point. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format - /// or the export for the given group is not implemented. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_point_write_binary( - grp: *const mbedtls_ecp_group, - P: *const mbedtls_ecp_point, - format: ::core::ffi::c_int, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - buflen: usize, + /// \return 0 if successful + pub fn mbedtls_entropy_update_manual( + ctx: *mut mbedtls_entropy_context, + data: *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports a point from unsigned binary data. + /// \brief Checkup routine /// - /// \note This function does not check that the point actually - /// belongs to the given group, see mbedtls_ecp_check_pubkey() - /// for that. + /// This module self-test also calls the entropy self-test, + /// mbedtls_entropy_source_self_test(); /// - /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for - /// limitations. + /// \return 0 if successful, or 1 if a test failed + pub fn mbedtls_entropy_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief The CTR_DRBG context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ctr_drbg_context { + ///< The counter (V). + pub private_counter: [::core::ffi::c_uchar; 16usize], + ///< The reseed counter. + /// This is the number of requests that have + /// been made since the last (re)seeding, + /// minus one. + /// Before the initial seeding, this field + /// contains the amount of entropy in bytes + /// to use as a nonce for the initial seeding, + /// or -1 if no nonce length has been explicitly + /// set (see mbedtls_ctr_drbg_set_nonce_len()). + pub private_reseed_counter: ::core::ffi::c_int, + ///< This determines whether prediction + ///resistance is enabled, that is + ///whether to systematically reseed before + ///each random generation. + pub private_prediction_resistance: ::core::ffi::c_int, + ///< The amount of entropy grabbed on each + ///seed or reseed operation, in bytes. + pub private_entropy_len: usize, + ///< The reseed interval. + /// This is the maximum number of requests + /// that can be made between reseedings. + pub private_reseed_interval: ::core::ffi::c_int, + ///< The AES context. + pub private_aes_ctx: mbedtls_aes_context, + pub private_f_entropy: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut ::core::ffi::c_void, + arg2: *mut ::core::ffi::c_uchar, + arg3: usize, + ) -> ::core::ffi::c_int, + >, + ///< The context for the entropy function. + pub private_p_entropy: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_ctr_drbg_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes the CTR_DRBG context, + /// and prepares it for mbedtls_ctr_drbg_seed() + /// or mbedtls_ctr_drbg_free(). /// - /// \param grp The group to which the point should belong. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param P The destination context to import the point to. - /// This must be initialized. - /// \param buf The input buffer. This must be a readable buffer - /// of length \p ilen Bytes. - /// \param ilen The length of the input buffer \p buf in Bytes. + /// \note The reseed interval is + /// #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default. + /// You can override it by calling + /// mbedtls_ctr_drbg_set_reseed_interval(). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the - /// given group is not implemented. - pub fn mbedtls_ecp_point_read_binary( - grp: *const mbedtls_ecp_group, - P: *mut mbedtls_ecp_point, - buf: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context to initialize. + pub fn mbedtls_ctr_drbg_init(ctx: *mut mbedtls_ctr_drbg_context); } unsafe extern "C" { - /// \brief This function imports a point from a TLS ECPoint record. + /// - The \p custom string. /// - /// \note On function return, \p *buf is updated to point immediately - /// after the ECPoint record. + /// \note To achieve the nominal security strength permitted + /// by CTR_DRBG, the entropy length must be: + /// - at least 16 bytes for a 128-bit strength + /// (maximum achievable strength when using AES-128); + /// - at least 32 bytes for a 256-bit strength + /// (maximum achievable strength when using AES-256). /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The destination point. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the buffer. + /// In addition, if you do not pass a nonce in \p custom, + /// the sum of the entropy length + /// and the entropy nonce length must be: + /// - at least 24 bytes for a 128-bit strength + /// (maximum achievable strength when using AES-128); + /// - at least 48 bytes for a 256-bit strength + /// (maximum achievable strength when using AES-256). /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization - /// failure. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - pub fn mbedtls_ecp_tls_read_point( - grp: *const mbedtls_ecp_group, - pt: *mut mbedtls_ecp_point, - buf: *mut *const ::core::ffi::c_uchar, + /// \param ctx The CTR_DRBG context to seed. + /// It must have been initialized with + /// mbedtls_ctr_drbg_init(). + /// After a successful call to mbedtls_ctr_drbg_seed(), + /// you may not call mbedtls_ctr_drbg_seed() again on + /// the same context unless you call + /// mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init() + /// again first. + /// After a failed call to mbedtls_ctr_drbg_seed(), + /// you must call mbedtls_ctr_drbg_free(). + /// \param f_entropy The entropy callback, taking as arguments the + /// \p p_entropy context, the buffer to fill, and the + /// length of the buffer. + /// \p f_entropy is always called with a buffer size + /// less than or equal to the entropy length. + /// \param p_entropy The entropy context to pass to \p f_entropy. + /// \param custom The personalization string. + /// This can be \c NULL, in which case the personalization + /// string is empty regardless of the value of \p len. + /// \param len The length of the personalization string. + /// This must be at most + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// - #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. + pub fn mbedtls_ctr_drbg_seed( + ctx: *mut mbedtls_ctr_drbg_context, + f_entropy: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut ::core::ffi::c_void, + arg2: *mut ::core::ffi::c_uchar, + arg3: usize, + ) -> ::core::ffi::c_int, + >, + p_entropy: *mut ::core::ffi::c_void, + custom: *const ::core::ffi::c_uchar, len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports a point as a TLS ECPoint record - /// defined in RFC 4492, Section 5.4. - /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The point to be exported. This must be initialized. - /// \param format The point format to use. This must be either - /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. - /// \param olen The address at which to store the length in Bytes - /// of the data written. - /// \param buf The target buffer. This must be a writable buffer of - /// length \p blen Bytes. - /// \param blen The length of the target buffer \p buf in Bytes. + /// \brief This function resets CTR_DRBG context to the state immediately + /// after initial call of mbedtls_ctr_drbg_init(). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer - /// is too small to hold the exported point. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_write_point( - grp: *const mbedtls_ecp_group, - pt: *const mbedtls_ecp_point, - format: ::core::ffi::c_int, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - blen: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context to clear. + pub fn mbedtls_ctr_drbg_free(ctx: *mut mbedtls_ctr_drbg_context); } unsafe extern "C" { - /// \brief This function sets up an ECP group context - /// from a standardized set of domain parameters. - /// - /// \note The index should be a value of the NamedCurve enum, - /// as defined in RFC-4492: Elliptic Curve Cryptography - /// (ECC) Cipher Suites for Transport Layer Security (TLS), - /// usually in the form of an \c MBEDTLS_ECP_DP_XXX macro. + /// \brief This function turns prediction resistance on or off. + /// The default value is off. /// - /// \param grp The group context to setup. This must be initialized. - /// \param id The identifier of the domain parameter set to load. + /// \note If enabled, entropy is gathered at the beginning of + /// every call to mbedtls_ctr_drbg_random_with_add() + /// or mbedtls_ctr_drbg_random(). + /// Only use this if your entropy source has sufficient + /// throughput. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't - /// correspond to a known group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_group_load( - grp: *mut mbedtls_ecp_group, - id: mbedtls_ecp_group_id, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context. + /// \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF. + pub fn mbedtls_ctr_drbg_set_prediction_resistance( + ctx: *mut mbedtls_ctr_drbg_context, + resistance: ::core::ffi::c_int, + ); } unsafe extern "C" { - /// \brief This function sets up an ECP group context from a TLS - /// ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the amount of entropy grabbed on each + /// seed or reseed. /// - /// \note The read pointer \p buf is updated to point right after - /// the ECParameters record on exit. + /// The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN. /// - /// \param grp The group context to setup. This must be initialized. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the input buffer \c *buf in Bytes. + /// \note The security strength of CTR_DRBG is bounded by the + /// entropy length. Thus: + /// - When using AES-256 + /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled, + /// which is the default), + /// \p len must be at least 32 (in bytes) + /// to achieve a 256-bit strength. + /// - When using AES-128 + /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) + /// \p len must be at least 16 (in bytes) + /// to achieve a 128-bit strength. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not - /// recognized. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_read_group( - grp: *mut mbedtls_ecp_group, - buf: *mut *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context. + /// \param len The amount of entropy to grab, in bytes. + /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// and at most the maximum length accepted by the + /// entropy function that is set in the context. + pub fn mbedtls_ctr_drbg_set_entropy_len(ctx: *mut mbedtls_ctr_drbg_context, len: usize); } unsafe extern "C" { - /// \brief This function extracts an elliptic curve group ID from a - /// TLS ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the amount of entropy grabbed + /// as a nonce for the initial seeding. /// - /// \note The read pointer \p buf is updated to point right after - /// the ECParameters record on exit. + /// Call this function before calling mbedtls_ctr_drbg_seed() to read + /// a nonce from the entropy source during the initial seeding. /// - /// \param grp The address at which to store the group id. - /// This must not be \c NULL. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the input buffer \c *buf in Bytes. + /// \param ctx The CTR_DRBG context. + /// \param len The amount of entropy to grab for the nonce, in bytes. + /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// and at most the maximum length accepted by the + /// entropy function that is set in the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not - /// recognized. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_read_group_id( - grp: *mut mbedtls_ecp_group_id, - buf: *mut *const ::core::ffi::c_uchar, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is + /// more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED + /// if the initial seeding has already taken place. + pub fn mbedtls_ctr_drbg_set_nonce_len( + ctx: *mut mbedtls_ctr_drbg_context, len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports an elliptic curve as a TLS - /// ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the reseed interval. /// - /// \param grp The ECP group to be exported. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param olen The address at which to store the number of Bytes written. - /// This must not be \c NULL. - /// \param buf The buffer to write to. This must be a writable buffer - /// of length \p blen Bytes. - /// \param blen The length of the output buffer \p buf in Bytes. + /// The reseed interval is the number of calls to mbedtls_ctr_drbg_random() + /// or mbedtls_ctr_drbg_random_with_add() after which the entropy function + /// is called again. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output - /// buffer is too small to hold the exported group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_write_group( - grp: *const mbedtls_ecp_group, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - blen: usize, - ) -> ::core::ffi::c_int; + /// The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL. + /// + /// \param ctx The CTR_DRBG context. + /// \param interval The reseed interval. + pub fn mbedtls_ctr_drbg_set_reseed_interval( + ctx: *mut mbedtls_ctr_drbg_context, + interval: ::core::ffi::c_int, + ); } unsafe extern "C" { - /// \brief This function performs a scalar multiplication of a point - /// by an integer: \p R = \p m * \p P. - /// - /// It is not thread-safe to use same group in multiple threads. + /// \brief This function reseeds the CTR_DRBG context, that is + /// extracts data from the entropy source. /// - /// \note To prevent timing attacks, this function - /// executes the exact same sequence of base-field - /// operations for any valid \p m. It avoids any if-branch or - /// array index depending on the value of \p m. It also uses - /// \p f_rng to randomize some intermediate results. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply. This must be initialized. - /// \param P The point to multiply. This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. + /// \param ctx The CTR_DRBG context. + /// \param additional Additional data to add to the state. Can be \c NULL. + /// \param len The length of the additional data. + /// This must be less than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length + /// configured for the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private - /// key, or \p P is not a valid public key. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_mul( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. + pub fn mbedtls_ctr_drbg_reseed( + ctx: *mut mbedtls_ctr_drbg_context, + additional: *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication of a point by - /// an integer: \p R = \p m * \p P in a restartable way. - /// - /// \see mbedtls_ecp_mul() + /// \brief This function updates the state of the CTR_DRBG context. /// - /// \note This function does the same as \c mbedtls_ecp_mul(), but - /// it can return early and restart according to the limit set - /// with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply. This must be initialized. - /// \param P The point to multiply. This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. - /// \param rs_ctx The restart context (NULL disables restart). + /// \param ctx The CTR_DRBG context. + /// \param additional The data to update the state with. This must not be + /// \c NULL unless \p add_len is \c 0. + /// \param add_len Length of \p additional in bytes. This must be at + /// most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private - /// key, or \p P is not a valid public key. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_mul_restartable( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecp_restart_ctx, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if + /// \p add_len is more than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \return An error from the underlying AES cipher on failure. + pub fn mbedtls_ctr_drbg_update( + ctx: *mut mbedtls_ctr_drbg_context, + additional: *const ::core::ffi::c_uchar, + add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication and addition of two - /// points by integers: \p R = \p m * \p P + \p n * \p Q - /// - /// It is not thread-safe to use same group in multiple threads. + /// \brief This function updates a CTR_DRBG instance with additional + /// data and uses it to generate random data. /// - /// \note In contrast to mbedtls_ecp_mul(), this function does not - /// guarantee a constant execution flow and timing. + /// This function automatically reseeds if the reseed counter is exceeded + /// or prediction resistance is enabled. /// - /// \note This function is only defined for short Weierstrass curves. - /// It may not be included in builds without any short - /// Weierstrass curve. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply \p P. - /// This must be initialized. - /// \param P The point to multiply by \p m. This must be initialized. - /// \param n The integer by which to multiply \p Q. - /// This must be initialized. - /// \param Q The point to be multiplied by \p n. - /// This must be initialized. + /// \param p_rng The CTR_DRBG context. This must be a pointer to a + /// #mbedtls_ctr_drbg_context structure. + /// \param output The buffer to fill. + /// \param output_len The length of the buffer in bytes. + /// \param additional Additional data to update. Can be \c NULL, in which + /// case the additional data is empty regardless of + /// the value of \p add_len. + /// \param add_len The length of the additional data + /// if \p additional is not \c NULL. + /// This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT + /// and less than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length + /// configured for the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not - /// valid private keys, or \p P or \p Q are not valid public - /// keys. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not - /// designate a short Weierstrass curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_muladd( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - n: *const mbedtls_mpi, - Q: *const mbedtls_ecp_point, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. + pub fn mbedtls_ctr_drbg_random_with_add( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_len: usize, + additional: *const ::core::ffi::c_uchar, + add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication and addition of two - /// points by integers: \p R = \p m * \p P + \p n * \p Q in a - /// restartable way. + /// \param p_rng The CTR_DRBG context. This must be a pointer to a + /// #mbedtls_ctr_drbg_context structure. + /// \param output The buffer to fill. + /// \param output_len The length of the buffer in bytes. /// - /// \see \c mbedtls_ecp_muladd() + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. + pub fn mbedtls_ctr_drbg_random( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_len: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The CTR_DRBG checkup routine. /// - /// \note This function works the same as \c mbedtls_ecp_muladd(), - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. - /// - /// \note This function is only defined for short Weierstrass curves. - /// It may not be included in builds without any short - /// Weierstrass curve. - /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply \p P. - /// This must be initialized. - /// \param P The point to multiply by \p m. This must be initialized. - /// \param n The integer by which to multiply \p Q. - /// This must be initialized. - /// \param Q The point to be multiplied by \p n. - /// This must be initialized. - /// \param rs_ctx The restart context (NULL disables restart). - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not - /// valid private keys, or \p P or \p Q are not valid public - /// keys. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not - /// designate a short Weierstrass curve. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_muladd_restartable( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - n: *const mbedtls_mpi, - Q: *const mbedtls_ecp_point, - rs_ctx: *mut mbedtls_ecp_restart_ctx, - ) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_ctr_drbg_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief This function checks that a point is a valid public key - /// on this curve. - /// - /// It only checks that the point is non-zero, has - /// valid coordinates and lies on the curve. It does not verify - /// that it is indeed a multiple of \p G. This additional - /// check is computationally more expensive, is not required - /// by standards, and should not be necessary if the group - /// used has a small cofactor. In particular, it is useless for - /// the NIST groups which all have a cofactor of 1. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure, to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group the point should belong to. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The point to check. This must be initialized. - /// - /// \return \c 0 if the point is a valid public key. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not - /// a valid public key for the given curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_check_pubkey( - grp: *const mbedtls_ecp_group, - pt: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; +///< Curve not defined. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_NONE: mbedtls_ecp_group_id = 0; +///< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192R1: mbedtls_ecp_group_id = 1; +///< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224R1: mbedtls_ecp_group_id = 2; +///< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256R1: mbedtls_ecp_group_id = 3; +///< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP384R1: mbedtls_ecp_group_id = 4; +///< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP521R1: mbedtls_ecp_group_id = 5; +///< Domain parameters for 256-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP256R1: mbedtls_ecp_group_id = 6; +///< Domain parameters for 384-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP384R1: mbedtls_ecp_group_id = 7; +///< Domain parameters for 512-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP512R1: mbedtls_ecp_group_id = 8; +///< Domain parameters for Curve25519. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE25519: mbedtls_ecp_group_id = 9; +///< Domain parameters for 192-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192K1: mbedtls_ecp_group_id = 10; +///< Domain parameters for 224-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224K1: mbedtls_ecp_group_id = 11; +///< Domain parameters for 256-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256K1: mbedtls_ecp_group_id = 12; +///< Domain parameters for Curve448. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE448: mbedtls_ecp_group_id = 13; +/// Domain-parameter identifiers: curve, subgroup, and generator. +/// +/// \note Only curves over prime fields are supported. +/// +/// \warning This library does not support validation of arbitrary domain +/// parameters. Therefore, only standardized domain parameters from trusted +/// sources should be used. See mbedtls_ecp_group_load(). +pub type mbedtls_ecp_group_id = ::core::ffi::c_uint; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_NONE: mbedtls_ecp_curve_type = 0; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: mbedtls_ecp_curve_type = 1; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_MONTGOMERY: mbedtls_ecp_curve_type = 2; +pub type mbedtls_ecp_curve_type = ::core::ffi::c_uint; +/// Curve information, for use by other modules. +/// +/// The fields of this structure are part of the public API and can be +/// accessed directly by applications. Future versions of the library may +/// add extra fields or reorder existing fields. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_curve_info { + ///< An internal identifier. + pub grp_id: mbedtls_ecp_group_id, + ///< The TLS NamedCurve identifier. + pub tls_id: u16, + ///< The curve size in bits. + pub bit_size: u16, + ///< A human-friendly name. + pub name: *const ::core::ffi::c_char, } -unsafe extern "C" { - /// \brief This function checks that an \p mbedtls_mpi is a - /// valid private key for this curve. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group the private key should belong to. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The integer to check. This must be initialized. - /// - /// \return \c 0 if the point is a valid private key. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid - /// private key for the given curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_check_privkey( - grp: *const mbedtls_ecp_group, - d: *const mbedtls_mpi, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_ecp_curve_info { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief This function generates a private key. - /// - /// \param grp The ECP group to generate a private key for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The destination MPI (secret part). This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context argument. - /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_privkey( - grp: *const mbedtls_ecp_group, - d: *mut mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; +/// \brief The ECP point structure, in Jacobian coordinates. +/// +/// \note All functions expect and return points satisfying +/// the following condition: Z == 0 or +/// Z == 1. Other values of \p Z are +/// used only by internal functions. +/// The point is zero, or "at infinity", if Z == 0. +/// Otherwise, \p X and \p Y are its standard (affine) +/// coordinates. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_point { + ///< The X coordinate of the ECP point. + pub private_X: mbedtls_mpi, + ///< The Y coordinate of the ECP point. + pub private_Y: mbedtls_mpi, + ///< The Z coordinate of the ECP point. + pub private_Z: mbedtls_mpi, } -unsafe extern "C" { - /// \brief This function generates a keypair with a configurable base - /// point. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group to generate a key pair for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param G The base point to use. This must be initialized - /// and belong to \p grp. It replaces the default base - /// point \c grp->G used by mbedtls_ecp_gen_keypair(). - /// \param d The destination MPI (secret part). - /// This must be initialized. - /// \param Q The destination point (public part). - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_keypair_base( - grp: *mut mbedtls_ecp_group, - G: *const mbedtls_ecp_point, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_ecp_point { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief This function generates an ECP keypair. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group to generate a key pair for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The destination MPI (secret part). - /// This must be initialized. - /// \param Q The destination point (public part). - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. +/// \brief The ECP group structure. +/// +/// We consider two types of curve equations: +///
  • Short Weierstrass: y^2 = x^3 + A x + B mod P +/// (SEC1 + RFC-4492)
    • +///
  • Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, +/// Curve448)
+/// In both cases, the generator (\p G) for a prime-order subgroup is fixed. +/// +/// For Short Weierstrass, this subgroup is the whole curve, and its +/// cardinality is denoted by \p N. Our code requires that \p N is an +/// odd prime as mbedtls_ecp_mul() requires an odd number, and +/// mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. +/// +/// The default implementation only initializes \p A without setting it to the +/// authentic value for curves with A = -3(SECP256R1, etc), in which +/// case you need to load \p A by yourself when using domain parameters directly, +/// for example: +/// \code +/// mbedtls_mpi_init(&A); +/// mbedtls_ecp_group_init(&grp); +/// CHECK_RETURN(mbedtls_ecp_group_load(&grp, grp_id)); +/// if (mbedtls_ecp_group_a_is_minus_3(&grp)) { +/// CHECK_RETURN(mbedtls_mpi_sub_int(&A, &grp.P, 3)); +/// } else { +/// CHECK_RETURN(mbedtls_mpi_copy(&A, &grp.A)); +/// } +/// +/// do_something_with_a(&A); +/// +/// cleanup: +/// mbedtls_mpi_free(&A); +/// mbedtls_ecp_group_free(&grp); +/// \endcode +/// +/// For Montgomery curves, we do not store \p A, but (A + 2) / 4, +/// which is the quantity used in the formulas. Additionally, \p nbits is +/// not the size of \p N but the required size for private keys. +/// +/// If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. +/// Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the +/// range of 0..2^(2*pbits)-1, and transforms it in-place to an integer +/// which is congruent mod \p P to the given MPI, and is close enough to \p pbits +/// in size, so that it may be efficiently brought in the 0..P-1 range by a few +/// additions or subtractions. Therefore, it is only an approximate modular +/// reduction. It must return 0 on success and non-zero on failure. +/// +/// \note Alternative implementations of the ECP module must obey the +/// following constraints. +/// * Group IDs must be distinct: if two group structures have +/// the same ID, then they must be identical. +/// * The fields \c id, \c P, \c A, \c B, \c G, \c N, +/// \c pbits and \c nbits must have the same type and semantics +/// as in the built-in implementation. +/// They must be available for reading, but direct modification +/// of these fields does not need to be supported. +/// They do not need to be at the same offset in the structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_group { + ///< An internal group identifier. + pub id: mbedtls_ecp_group_id, + ///< The prime modulus of the base field. + pub P: mbedtls_mpi, + ///< For Short Weierstrass: \p A in the equation. Note that + ///\p A is not set to the authentic value in some cases. + ///Refer to detailed description of ::mbedtls_ecp_group if + ///using domain parameters in the structure. + ///For Montgomery curves: (A + 2) / 4. + pub A: mbedtls_mpi, + ///< For Short Weierstrass: \p B in the equation. + ///For Montgomery curves: unused. + pub B: mbedtls_mpi, + ///< The generator of the subgroup used. + pub G: mbedtls_ecp_point, + ///< The order of \p G. + pub N: mbedtls_mpi, + ///< The number of bits in \p P. + pub pbits: usize, + ///< For Short Weierstrass: The number of bits in \p P. + ///For Montgomery curves: the number of bits in the + ///private keys. + pub nbits: usize, + ///< \internal 1 if the constants are static. + pub private_h: ::core::ffi::c_uint, + ///< The function for fast pseudo-reduction + ///mod \p P (see above). + pub private_modp: + ::core::option::Option ::core::ffi::c_int>, + ///< Unused. + pub private_t_pre: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut mbedtls_ecp_point, + arg2: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int, + >, + ///< Unused. + pub private_t_post: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut mbedtls_ecp_point, + arg2: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int, + >, + ///< Unused. + pub private_t_data: *mut ::core::ffi::c_void, + ///< Pre-computed points for ecp_mul_comb(). + pub private_T: *mut mbedtls_ecp_point, + ///< The number of dynamic allocated pre-computed points. + pub private_T_size: usize, +} +impl Default for mbedtls_ecp_group { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub type mbedtls_ecp_restart_ctx = ::core::ffi::c_void; +/// \brief The ECP key-pair structure. +/// +/// A generic key-pair that may be used for ECDSA and fixed ECDH, for example. +/// +/// \note Members are deliberately in the same order as in the +/// ::mbedtls_ecdsa_context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_keypair { + ///< Elliptic curve and base point + pub private_grp: mbedtls_ecp_group, + ///< our secret value + pub private_d: mbedtls_mpi, + ///< our public value + pub private_Q: mbedtls_ecp_point, +} +impl Default for mbedtls_ecp_keypair { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + pub fn mbedtls_ecp_get_type(grp: *const mbedtls_ecp_group) -> mbedtls_ecp_curve_type; +} +unsafe extern "C" { + /// \brief This function retrieves the information defined in + /// mbedtls_ecp_curve_info() for all supported curves. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_keypair( - grp: *mut mbedtls_ecp_group, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \note This function returns information about all curves + /// supported by the library. Some curves may not be + /// supported for all algorithms. Call mbedtls_ecdh_can_do() + /// or mbedtls_ecdsa_can_do() to check if a curve is + /// supported for ECDH or ECDSA. + /// + /// \return A statically allocated array. The last entry is 0. + pub fn mbedtls_ecp_curve_list() -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function generates an ECP key. + /// \brief This function retrieves the list of internal group + /// identifiers of all supported curves in the order of + /// preference. /// - /// \param grp_id The ECP group identifier. - /// \param key The destination key. This must be initialized. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. + /// \note This function returns information about all curves + /// supported by the library. Some curves may not be + /// supported for all algorithms. Call mbedtls_ecdh_can_do() + /// or mbedtls_ecdsa_can_do() to check if a curve is + /// supported for ECDH or ECDSA. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_key( - grp_id: mbedtls_ecp_group_id, - key: *mut mbedtls_ecp_keypair, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \return A statically allocated array, + /// terminated with MBEDTLS_ECP_DP_NONE. + pub fn mbedtls_ecp_grp_id_list() -> *const mbedtls_ecp_group_id; } unsafe extern "C" { - /// \brief This function reads an elliptic curve private key. + /// \brief This function retrieves curve information from an internal + /// group identifier. /// - /// \param grp_id The ECP group identifier. - /// \param key The destination key. - /// \param buf The buffer containing the binary representation of the - /// key. (Big endian integer for Weierstrass curves, byte - /// string for Montgomery curves.) - /// \param buflen The length of the buffer in bytes. + /// \param grp_id An \c MBEDTLS_ECP_DP_XXX value. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is - /// invalid. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for - /// the group is not implemented. - /// \return Another negative error code on different kinds of failure. - pub fn mbedtls_ecp_read_key( + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_grp_id( grp_id: mbedtls_ecp_group_id, - key: *mut mbedtls_ecp_keypair, - buf: *const ::core::ffi::c_uchar, - buflen: usize, - ) -> ::core::ffi::c_int; + ) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function exports an elliptic curve private key. + /// \brief This function retrieves curve information from a TLS + /// NamedCurve value. /// - /// \param key The private key. - /// \param buf The output buffer for containing the binary representation - /// of the key. (Big endian integer for Weierstrass curves, byte - /// string for Montgomery curves.) - /// \param buflen The total length of the buffer in bytes. + /// \param tls_id An \c MBEDTLS_ECP_DP_XXX value. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key - ///representation is larger than the available space in \p buf. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for - /// the group is not implemented. - /// \return Another negative error code on different kinds of failure. - pub fn mbedtls_ecp_write_key( - key: *mut mbedtls_ecp_keypair, - buf: *mut ::core::ffi::c_uchar, - buflen: usize, - ) -> ::core::ffi::c_int; + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_tls_id(tls_id: u16) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function checks that the keypair objects - /// \p pub and \p prv have the same group and the - /// same public point, and that the private key in - /// \p prv is consistent with the public key. + /// \brief This function retrieves curve information from a + /// human-readable name. /// - /// \param pub The keypair structure holding the public key. This - /// must be initialized. If it contains a private key, that - /// part is ignored. - /// \param prv The keypair structure holding the full keypair. - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. + /// \param name The human-readable name. /// - /// \return \c 0 on success, meaning that the keys are valid and match. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match. - /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX - /// error code on calculation failure. - pub fn mbedtls_ecp_check_pub_priv( - pub_: *const mbedtls_ecp_keypair, - prv: *const mbedtls_ecp_keypair, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_name( + name: *const ::core::ffi::c_char, + ) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function exports generic key-pair parameters. - /// - /// \param key The key pair to export from. - /// \param grp Slot for exported ECP group. - /// It must point to an initialized ECP group. - /// \param d Slot for the exported secret value. - /// It must point to an initialized mpi. - /// \param Q Slot for the exported public value. - /// It must point to an initialized ECP point. + /// \brief This function initializes a point as zero. /// - /// \return \c 0 on success, - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't - /// correspond to a known group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_export( - key: *const mbedtls_ecp_keypair, - grp: *mut mbedtls_ecp_group, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - ) -> ::core::ffi::c_int; + /// \param pt The point to initialize. + pub fn mbedtls_ecp_point_init(pt: *mut mbedtls_ecp_point); } unsafe extern "C" { - /// \brief The ECP checkup routine. + /// \brief This function initializes an ECP group context + /// without loading any domain parameters. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_ecp_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -///< None. -pub const mbedtls_md_type_t_MBEDTLS_MD_NONE: mbedtls_md_type_t = 0; -///< The MD5 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_MD5: mbedtls_md_type_t = 1; -///< The SHA-1 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA1: mbedtls_md_type_t = 2; -///< The SHA-224 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA224: mbedtls_md_type_t = 3; -///< The SHA-256 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA256: mbedtls_md_type_t = 4; -///< The SHA-384 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA384: mbedtls_md_type_t = 5; -///< The SHA-512 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA512: mbedtls_md_type_t = 6; -///< The RIPEMD-160 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_RIPEMD160: mbedtls_md_type_t = 7; -/// \brief Supported message digests. -/// -/// \warning MD5 and SHA-1 are considered weak message digests and -/// their use constitutes a security risk. We recommend considering -/// stronger message digests instead. -pub type mbedtls_md_type_t = ::core::ffi::c_uint; -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md_info_t { - _unused: [u8; 0], -} -pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_LEGACY: mbedtls_md_engine_t = 0; -pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_PSA: mbedtls_md_engine_t = 1; -/// Used internally to indicate whether a context uses legacy or PSA. -/// -/// Internal use only. -pub type mbedtls_md_engine_t = ::core::ffi::c_uint; -/// The generic message-digest context. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md_context_t { - /// Information about the associated message digest. - pub private_md_info: *const mbedtls_md_info_t, - /// The digest-specific context (legacy) or the PSA operation. - pub private_md_ctx: *mut ::core::ffi::c_void, - /// The HMAC part of the context. - pub private_hmac_ctx: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_md_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \note After this function is called, domain parameters + /// for various ECP groups can be loaded through the + /// mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() + /// functions. + pub fn mbedtls_ecp_group_init(grp: *mut mbedtls_ecp_group); } unsafe extern "C" { - /// \brief This function returns the message-digest information - /// associated with the given digest type. - /// - /// \param md_type The type of digest to search for. + /// \brief This function initializes a key pair as an invalid one. /// - /// \return The message-digest information associated with \p md_type. - /// \return NULL if the associated message-digest information is not found. - pub fn mbedtls_md_info_from_type(md_type: mbedtls_md_type_t) -> *const mbedtls_md_info_t; + /// \param key The key pair to initialize. + pub fn mbedtls_ecp_keypair_init(key: *mut mbedtls_ecp_keypair); } unsafe extern "C" { - /// \brief This function initializes a message-digest context without - /// binding it to a particular message-digest algorithm. + /// \brief This function frees the components of a point. /// - /// This function should always be called first. It prepares the - /// context for mbedtls_md_setup() for binding it to a - /// message-digest algorithm. - pub fn mbedtls_md_init(ctx: *mut mbedtls_md_context_t); + /// \param pt The point to free. + pub fn mbedtls_ecp_point_free(pt: *mut mbedtls_ecp_point); } unsafe extern "C" { - /// \brief This function clears the internal structure of \p ctx and - /// frees any embedded internal structure, but does not free - /// \p ctx itself. + /// \brief This function frees the components of an ECP group. /// - /// If you have called mbedtls_md_setup() on \p ctx, you must - /// call mbedtls_md_free() when you are no longer using the - /// context. - /// Calling this function if you have previously - /// called mbedtls_md_init() and nothing else is optional. - /// You must not call this function if you have not called - /// mbedtls_md_init(). - pub fn mbedtls_md_free(ctx: *mut mbedtls_md_context_t); + /// \param grp The group to free. This may be \c NULL, in which + /// case this function returns immediately. If it is not + /// \c NULL, it must point to an initialized ECP group. + pub fn mbedtls_ecp_group_free(grp: *mut mbedtls_ecp_group); } unsafe extern "C" { - /// \brief This function selects the message digest algorithm to use, - /// and allocates internal structures. + /// \brief This function frees the components of a key pair. /// - /// It should be called after mbedtls_md_init() or - /// mbedtls_md_free(). Makes it necessary to call - /// mbedtls_md_free() later. + /// \param key The key pair to free. This may be \c NULL, in which + /// case this function returns immediately. If it is not + /// \c NULL, it must point to an initialized ECP key pair. + pub fn mbedtls_ecp_keypair_free(key: *mut mbedtls_ecp_keypair); +} +unsafe extern "C" { + /// \brief This function copies the contents of point \p Q into + /// point \p P. /// - /// \param ctx The context to set up. - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory), - /// or non-zero: HMAC is used with this context. + /// \param P The destination point. This must be initialized. + /// \param Q The source point. This must be initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - /// \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure. - pub fn mbedtls_md_setup( - ctx: *mut mbedtls_md_context_t, - md_info: *const mbedtls_md_info_t, - hmac: ::core::ffi::c_int, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code for other kinds of failure. + pub fn mbedtls_ecp_copy( + P: *mut mbedtls_ecp_point, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function clones the state of a message-digest - /// context. - /// - /// \note You must call mbedtls_md_setup() on \c dst before calling - /// this function. - /// - /// \note The two contexts must have the same type, - /// for example, both are SHA-256. - /// - /// \warning This function clones the message-digest state, not the - /// HMAC state. + /// \brief This function copies the contents of group \p src into + /// group \p dst. /// - /// \param dst The destination context. - /// \param src The context to be cloned. + /// \param dst The destination group. This must be initialized. + /// \param src The source group. This must be initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure. - /// \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are - /// not using the same engine. This can be avoided by moving - /// the call to psa_crypto_init() before the first call to - /// mbedtls_md_setup(). - pub fn mbedtls_md_clone( - dst: *mut mbedtls_md_context_t, - src: *const mbedtls_md_context_t, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_group_copy( + dst: *mut mbedtls_ecp_group, + src: *const mbedtls_ecp_group, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest size from the - /// message-digest information structure. + /// \brief This function sets a point to the point at infinity. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param pt The point to set. This must be initialized. /// - /// \return The size of the message-digest output in Bytes. - pub fn mbedtls_md_get_size(md_info: *const mbedtls_md_info_t) -> ::core::ffi::c_uchar; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_set_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest type from the - /// message-digest information structure. + /// \brief This function checks if a point is the point at infinity. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param pt The point to test. This must be initialized. /// - /// \return The type of the message digest. - pub fn mbedtls_md_get_type(md_info: *const mbedtls_md_info_t) -> mbedtls_md_type_t; + /// \return \c 1 if the point is zero. + /// \return \c 0 if the point is non-zero. + /// \return A negative error code on failure. + pub fn mbedtls_ecp_is_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function starts a message-digest computation. + /// \brief This function compares two points. /// - /// You must call this function after setting up the context - /// with mbedtls_md_setup(), and before passing data with - /// mbedtls_md_update(). + /// \note This assumes that the points are normalized. Otherwise, + /// they may compare as "not equal" even if they are. /// - /// \param ctx The generic message-digest context. + /// \param P The first point to compare. This must be initialized. + /// \param Q The second point to compare. This must be initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_starts(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; + /// \return \c 0 if the points are equal. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal. + pub fn mbedtls_ecp_point_cmp( + P: *const mbedtls_ecp_point, + Q: *const mbedtls_ecp_point, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// message-digest computation. - /// - /// You must call mbedtls_md_starts() before calling this - /// function. You may call this function multiple times. - /// Afterwards, call mbedtls_md_finish(). + /// \brief This function imports a non-zero point from two ASCII + /// strings. /// - /// \param ctx The generic message-digest context. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. + /// \param P The destination point. This must be initialized. + /// \param radix The numeric base of the input. + /// \param x The first affine coordinate, as a null-terminated string. + /// \param y The second affine coordinate, as a null-terminated string. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_update( - ctx: *mut mbedtls_md_context_t, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \return An \c MBEDTLS_ERR_MPI_XXX error code on failure. + pub fn mbedtls_ecp_point_read_string( + P: *mut mbedtls_ecp_point, + radix: ::core::ffi::c_int, + x: *const ::core::ffi::c_char, + y: *const ::core::ffi::c_char, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function finishes the digest operation, - /// and writes the result to the output buffer. - /// - /// Call this function after a call to mbedtls_md_starts(), - /// followed by any number of calls to mbedtls_md_update(). - /// Afterwards, you may either clear the context with - /// mbedtls_md_free(), or call mbedtls_md_starts() to reuse - /// the context for another digest operation with the same - /// algorithm. + /// \brief This function exports a point into unsigned binary data. /// - /// \param ctx The generic message-digest context. - /// \param output The buffer for the generic message-digest checksum result. + /// \param grp The group to which the point should belong. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param P The point to export. This must be initialized. + /// \param format The point format. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// (For groups without these formats, this parameter is + /// ignored. But it still has to be either of the above + /// values.) + /// \param olen The address at which to store the length of + /// the output in Bytes. This must not be \c NULL. + /// \param buf The output buffer. This must be a writable buffer + /// of length \p buflen Bytes. + /// \param buflen The length of the output buffer \p buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_finish( - ctx: *mut mbedtls_md_context_t, - output: *mut ::core::ffi::c_uchar, + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer + /// is too small to hold the point. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format + /// or the export for the given group is not implemented. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_point_write_binary( + grp: *const mbedtls_ecp_group, + P: *const mbedtls_ecp_point, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function calculates the message-digest of a buffer, - /// with respect to a configurable message-digest algorithm - /// in a single call. + /// \brief This function imports a point from unsigned binary data. /// - /// The result is calculated as - /// Output = message_digest(input buffer). + /// \note This function does not check that the point actually + /// belongs to the given group, see mbedtls_ecp_check_pubkey() + /// for that. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param input The buffer holding the data. - /// \param ilen The length of the input data. - /// \param output The generic message-digest checksum result. + /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for + /// limitations. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md( - md_info: *const mbedtls_md_info_t, - input: *const ::core::ffi::c_uchar, + /// \param grp The group to which the point should belong. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param P The destination context to import the point to. + /// This must be initialized. + /// \param buf The input buffer. This must be a readable buffer + /// of length \p ilen Bytes. + /// \param ilen The length of the input buffer \p buf in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the + /// given group is not implemented. + pub fn mbedtls_ecp_point_read_binary( + grp: *const mbedtls_ecp_group, + P: *mut mbedtls_ecp_point, + buf: *const ::core::ffi::c_uchar, ilen: usize, - output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function returns the list of digests supported by the - /// generic digest module. - /// - /// \note The list starts with the strongest available hashes. + /// \brief This function imports a point from a TLS ECPoint record. /// - /// \return A statically allocated array of digests. Each element - /// in the returned list is an integer belonging to the - /// message-digest enumeration #mbedtls_md_type_t. - /// The last entry is 0. - pub fn mbedtls_md_list() -> *const ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function returns the message-digest information - /// associated with the given digest name. + /// \note On function return, \p *buf is updated to point immediately + /// after the ECPoint record. /// - /// \param md_name The name of the digest to search for. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The destination point. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the buffer. /// - /// \return The message-digest information associated with \p md_name. - /// \return NULL if the associated message-digest information is not found. - pub fn mbedtls_md_info_from_string( - md_name: *const ::core::ffi::c_char, - ) -> *const mbedtls_md_info_t; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization + /// failure. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + pub fn mbedtls_ecp_tls_read_point( + grp: *const mbedtls_ecp_group, + pt: *mut mbedtls_ecp_point, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest name from the - /// message-digest information structure. + /// \brief This function exports a point as a TLS ECPoint record + /// defined in RFC 4492, Section 5.4. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The point to be exported. This must be initialized. + /// \param format The point format to use. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// \param olen The address at which to store the length in Bytes + /// of the data written. + /// \param buf The target buffer. This must be a writable buffer of + /// length \p blen Bytes. + /// \param blen The length of the target buffer \p buf in Bytes. /// - /// \return The name of the message digest. - pub fn mbedtls_md_get_name(md_info: *const mbedtls_md_info_t) -> *const ::core::ffi::c_char; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer + /// is too small to hold the exported point. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_write_point( + grp: *const mbedtls_ecp_group, + pt: *const mbedtls_ecp_point, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + blen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function returns the message-digest information - /// from the given context. + /// \brief This function sets up an ECP group context + /// from a standardized set of domain parameters. /// - /// \param ctx The context from which to extract the information. - /// This must be initialized (or \c NULL). + /// \note The index should be a value of the NamedCurve enum, + /// as defined in RFC-4492: Elliptic Curve Cryptography + /// (ECC) Cipher Suites for Transport Layer Security (TLS), + /// usually in the form of an \c MBEDTLS_ECP_DP_XXX macro. /// - /// \return The message-digest information associated with \p ctx. - /// \return \c NULL if \p ctx is \c NULL. - pub fn mbedtls_md_info_from_ctx(ctx: *const mbedtls_md_context_t) -> *const mbedtls_md_info_t; + /// \param grp The group context to setup. This must be initialized. + /// \param id The identifier of the domain parameter set to load. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't + /// correspond to a known group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_group_load( + grp: *mut mbedtls_ecp_group, + id: mbedtls_ecp_group_id, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the HMAC key and prepares to - /// authenticate a new message. + /// \brief This function sets up an ECP group context from a TLS + /// ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call this function after mbedtls_md_setup(), to use - /// the MD context for an HMAC calculation, then call - /// mbedtls_md_hmac_update() to provide the input data, and - /// mbedtls_md_hmac_finish() to get the HMAC value. + /// \note The read pointer \p buf is updated to point right after + /// the ECParameters record on exit. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param key The HMAC secret key. - /// \param keylen The length of the HMAC key in Bytes. + /// \param grp The group context to setup. This must be initialized. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the input buffer \c *buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_starts( - ctx: *mut mbedtls_md_context_t, - key: *const ::core::ffi::c_uchar, - keylen: usize, + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not + /// recognized. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_read_group( + grp: *mut mbedtls_ecp_group, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing HMAC - /// computation. + /// \brief This function extracts an elliptic curve group ID from a + /// TLS ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() - /// before calling this function. - /// You may call this function multiple times to pass the - /// input piecewise. - /// Afterwards, call mbedtls_md_hmac_finish(). + /// \note The read pointer \p buf is updated to point right after + /// the ECParameters record on exit. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. + /// \param grp The address at which to store the group id. + /// This must not be \c NULL. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the input buffer \c *buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_update( - ctx: *mut mbedtls_md_context_t, - input: *const ::core::ffi::c_uchar, - ilen: usize, + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not + /// recognized. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_read_group_id( + grp: *mut mbedtls_ecp_group_id, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function finishes the HMAC operation, and writes - /// the result to the output buffer. + /// \brief This function exports an elliptic curve as a TLS + /// ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call this function after mbedtls_md_hmac_starts() and - /// mbedtls_md_hmac_update() to get the HMAC value. Afterwards - /// you may either call mbedtls_md_free() to clear the context, - /// or call mbedtls_md_hmac_reset() to reuse the context with - /// the same HMAC key. - /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param output The generic HMAC checksum result. + /// \param grp The ECP group to be exported. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param olen The address at which to store the number of Bytes written. + /// This must not be \c NULL. + /// \param buf The buffer to write to. This must be a writable buffer + /// of length \p blen Bytes. + /// \param blen The length of the output buffer \p buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_finish( - ctx: *mut mbedtls_md_context_t, - output: *mut ::core::ffi::c_uchar, + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output + /// buffer is too small to hold the exported group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_write_group( + grp: *const mbedtls_ecp_group, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + blen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function prepares to authenticate a new message with - /// the same key as the previous HMAC operation. + /// \brief This function performs a scalar multiplication of a point + /// by an integer: \p R = \p m * \p P. /// - /// You may call this function after mbedtls_md_hmac_finish(). - /// Afterwards call mbedtls_md_hmac_update() to pass the new - /// input. + /// It is not thread-safe to use same group in multiple threads. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. + /// \note To prevent timing attacks, this function + /// executes the exact same sequence of base-field + /// operations for any valid \p m. It avoids any if-branch or + /// array index depending on the value of \p m. It also uses + /// \p f_rng to randomize some intermediate results. + /// + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply. This must be initialized. + /// \param P The point to multiply. This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_reset(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private + /// key, or \p P is not a valid public key. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_mul( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function calculates the full generic HMAC - /// on the input buffer with the provided key. + /// \brief This function performs multiplication of a point by + /// an integer: \p R = \p m * \p P in a restartable way. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// \see mbedtls_ecp_mul() /// - /// The HMAC result is calculated as - /// output = generic HMAC(hmac key, input buffer). + /// \note This function does the same as \c mbedtls_ecp_mul(), but + /// it can return early and restart according to the limit set + /// with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param key The HMAC secret key. - /// \param keylen The length of the HMAC secret key in Bytes. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. - /// \param output The generic HMAC result. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply. This must be initialized. + /// \param P The point to multiply. This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. + /// \param rs_ctx The restart context (NULL disables restart). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac( - md_info: *const mbedtls_md_info_t, - key: *const ::core::ffi::c_uchar, - keylen: usize, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private + /// key, or \p P is not a valid public key. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_mul_restartable( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecp_restart_ctx, ) -> ::core::ffi::c_int; } -/// \brief The RSA context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_rsa_context { - ///< Reserved for internal purposes. - /// Do not set this field in application - /// code. Its meaning might change without - /// notice. - pub private_ver: ::core::ffi::c_int, - ///< The size of \p N in Bytes. - pub private_len: usize, - ///< The public modulus. - pub private_N: mbedtls_mpi, - ///< The public exponent. - pub private_E: mbedtls_mpi, - ///< The private exponent. - pub private_D: mbedtls_mpi, - ///< The first prime factor. - pub private_P: mbedtls_mpi, - ///< The second prime factor. - pub private_Q: mbedtls_mpi, - ///< D % (P - 1). - pub private_DP: mbedtls_mpi, - ///< D % (Q - 1). - pub private_DQ: mbedtls_mpi, - ///< 1 / (Q % P). - pub private_QP: mbedtls_mpi, - ///< cached R^2 mod N. - pub private_RN: mbedtls_mpi, - ///< cached R^2 mod P. - pub private_RP: mbedtls_mpi, - ///< cached R^2 mod Q. - pub private_RQ: mbedtls_mpi, - ///< The cached blinding value. - pub private_Vi: mbedtls_mpi, - ///< The cached un-blinding value. - pub private_Vf: mbedtls_mpi, - ///< Selects padding mode: - ///#MBEDTLS_RSA_PKCS_V15 for 1.5 padding and - ///#MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. - pub private_padding: ::core::ffi::c_int, - ///< Hash identifier of mbedtls_md_type_t type, - ///as specified in md.h for use in the MGF - ///mask generating function used in the - ///EME-OAEP and EMSA-PSS encodings. - pub private_hash_id: ::core::ffi::c_int, -} -impl Default for mbedtls_rsa_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { - /// \brief This function initializes an RSA context. - /// - /// \note This function initializes the padding and the hash - /// identifier to respectively #MBEDTLS_RSA_PKCS_V15 and - /// #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more - /// information about those parameters. - /// - /// \param ctx The RSA context to initialize. This must not be \c NULL. - pub fn mbedtls_rsa_init(ctx: *mut mbedtls_rsa_context); -} -unsafe extern "C" { - /// \brief This function sets padding for an already initialized RSA - /// context. - /// - /// \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP - /// encryption scheme and the RSASSA-PSS signature scheme. + /// \brief This function performs multiplication and addition of two + /// points by integers: \p R = \p m * \p P + \p n * \p Q /// - /// \note The \p hash_id parameter is ignored when using - /// #MBEDTLS_RSA_PKCS_V15 padding. + /// It is not thread-safe to use same group in multiple threads. /// - /// \note The choice of padding mode is strictly enforced for private - /// key operations, since there might be security concerns in - /// mixing padding modes. For public key operations it is - /// a default value, which can be overridden by calling specific - /// \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx - /// functions. + /// \note In contrast to mbedtls_ecp_mul(), this function does not + /// guarantee a constant execution flow and timing. /// - /// \note The hash selected in \p hash_id is always used for OEAP - /// encryption. For PSS signatures, it is always used for - /// making signatures, but can be overridden for verifying them. - /// If set to #MBEDTLS_MD_NONE, it is always overridden. + /// \note This function is only defined for short Weierstrass curves. + /// It may not be included in builds without any short + /// Weierstrass curve. /// - /// \param ctx The initialized RSA context to be configured. - /// \param padding The padding mode to use. This must be either - /// #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. - /// \param hash_id The hash identifier for PSS or OAEP, if \p padding is - /// #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this - /// function but may be not suitable for some operations. - /// Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply \p P. + /// This must be initialized. + /// \param P The point to multiply by \p m. This must be initialized. + /// \param n The integer by which to multiply \p Q. + /// This must be initialized. + /// \param Q The point to be multiplied by \p n. + /// This must be initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: - /// \p padding or \p hash_id is invalid. - pub fn mbedtls_rsa_set_padding( - ctx: *mut mbedtls_rsa_context, - padding: ::core::ffi::c_int, - hash_id: mbedtls_md_type_t, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not + /// valid private keys, or \p P or \p Q are not valid public + /// keys. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not + /// designate a short Weierstrass curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_muladd( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + n: *const mbedtls_mpi, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves padding mode of initialized - /// RSA context. - /// - /// \param ctx The initialized RSA context. + /// \brief This function performs multiplication and addition of two + /// points by integers: \p R = \p m * \p P + \p n * \p Q in a + /// restartable way. /// - /// \return RSA padding mode. - pub fn mbedtls_rsa_get_padding_mode(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function retrieves hash identifier of mbedtls_md_type_t - /// type. + /// \see \c mbedtls_ecp_muladd() /// - /// \param ctx The initialized RSA context. + /// \note This function works the same as \c mbedtls_ecp_muladd(), + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \return Hash identifier of mbedtls_md_type_t type. - pub fn mbedtls_rsa_get_md_alg(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function imports a set of core parameters into an - /// RSA context. + /// \note This function is only defined for short Weierstrass curves. + /// It may not be included in builds without any short + /// Weierstrass curve. /// - /// \note This function can be called multiple times for successive - /// imports, if the parameters are not simultaneously present. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply \p P. + /// This must be initialized. + /// \param P The point to multiply by \p m. This must be initialized. + /// \param n The integer by which to multiply \p Q. + /// This must be initialized. + /// \param Q The point to be multiplied by \p n. + /// This must be initialized. + /// \param rs_ctx The restart context (NULL disables restart). /// - /// Any sequence of calls to this function should be followed - /// by a call to mbedtls_rsa_complete(), which checks and - /// completes the provided information to a ready-for-use - /// public or private RSA key. + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not + /// valid private keys, or \p P or \p Q are not valid public + /// keys. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not + /// designate a short Weierstrass curve. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_muladd_restartable( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + n: *const mbedtls_mpi, + Q: *const mbedtls_ecp_point, + rs_ctx: *mut mbedtls_ecp_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function checks that a point is a valid public key + /// on this curve. /// - /// \note See mbedtls_rsa_complete() for more information on which - /// parameters are necessary to set up a private or public - /// RSA key. + /// It only checks that the point is non-zero, has + /// valid coordinates and lies on the curve. It does not verify + /// that it is indeed a multiple of \c G. This additional + /// check is computationally more expensive, is not required + /// by standards, and should not be necessary if the group + /// used has a small cofactor. In particular, it is useless for + /// the NIST groups which all have a cofactor of 1. /// - /// \note The imported parameters are copied and need not be preserved - /// for the lifetime of the RSA context being set up. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure, to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \param ctx The initialized RSA context to store the parameters in. - /// \param N The RSA modulus. This may be \c NULL. - /// \param P The first prime factor of \p N. This may be \c NULL. - /// \param Q The second prime factor of \p N. This may be \c NULL. - /// \param D The private exponent. This may be \c NULL. - /// \param E The public exponent. This may be \c NULL. + /// \param grp The ECP group the point should belong to. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The point to check. This must be initialized. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_import( - ctx: *mut mbedtls_rsa_context, - N: *const mbedtls_mpi, - P: *const mbedtls_mpi, - Q: *const mbedtls_mpi, - D: *const mbedtls_mpi, - E: *const mbedtls_mpi, + /// \return \c 0 if the point is a valid public key. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not + /// a valid public key for the given curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_check_pubkey( + grp: *const mbedtls_ecp_group, + pt: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports core RSA parameters, in raw big-endian - /// binary format, into an RSA context. - /// - /// \note This function can be called multiple times for successive - /// imports, if the parameters are not simultaneously present. + /// \brief This function checks that an \c mbedtls_mpi is a + /// valid private key for this curve. /// - /// Any sequence of calls to this function should be followed - /// by a call to mbedtls_rsa_complete(), which checks and - /// completes the provided information to a ready-for-use - /// public or private RSA key. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \note See mbedtls_rsa_complete() for more information on which - /// parameters are necessary to set up a private or public - /// RSA key. + /// \param grp The ECP group the private key should belong to. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The integer to check. This must be initialized. /// - /// \note The imported parameters are copied and need not be preserved - /// for the lifetime of the RSA context being set up. + /// \return \c 0 if the point is a valid private key. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid + /// private key for the given curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_check_privkey( + grp: *const mbedtls_ecp_group, + d: *const mbedtls_mpi, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function generates a private key. /// - /// \param ctx The initialized RSA context to store the parameters in. - /// \param N The RSA modulus. This may be \c NULL. - /// \param N_len The Byte length of \p N; it is ignored if \p N == NULL. - /// \param P The first prime factor of \p N. This may be \c NULL. - /// \param P_len The Byte length of \p P; it is ignored if \p P == NULL. - /// \param Q The second prime factor of \p N. This may be \c NULL. - /// \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. - /// \param D The private exponent. This may be \c NULL. - /// \param D_len The Byte length of \p D; it is ignored if \p D == NULL. - /// \param E The public exponent. This may be \c NULL. - /// \param E_len The Byte length of \p E; it is ignored if \p E == NULL. + /// \param grp The ECP group to generate a private key for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The destination MPI (secret part). This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_import_raw( - ctx: *mut mbedtls_rsa_context, - N: *const ::core::ffi::c_uchar, - N_len: usize, - P: *const ::core::ffi::c_uchar, - P_len: usize, - Q: *const ::core::ffi::c_uchar, - Q_len: usize, - D: *const ::core::ffi::c_uchar, - D_len: usize, - E: *const ::core::ffi::c_uchar, - E_len: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_privkey( + grp: *const mbedtls_ecp_group, + d: *mut mbedtls_mpi, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function completes an RSA context from - /// a set of imported core parameters. - /// - /// To setup an RSA public key, precisely \p N and \p E - /// must have been imported. + /// \brief This function generates a keypair with a configurable base + /// point. /// - /// To setup an RSA private key, sufficient information must - /// be present for the other parameters to be derivable. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// The default implementation supports the following: - ///
  • Derive \p P, \p Q from \p N, \p D, \p E.
    • - ///
  • Derive \p N, \p D from \p P, \p Q, \p E.
- /// Alternative implementations need not support these. + /// \param grp The ECP group to generate a key pair for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param G The base point to use. This must be initialized + /// and belong to \p grp. It replaces the default base + /// point \c grp->G used by mbedtls_ecp_gen_keypair(). + /// \param d The destination MPI (secret part). + /// This must be initialized. + /// \param Q The destination point (public part). + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// If this function runs successfully, it guarantees that - /// the RSA context can be used for RSA operations without - /// the risk of failure or crash. + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_keypair_base( + grp: *mut mbedtls_ecp_group, + G: *const mbedtls_ecp_point, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function generates an ECP keypair. /// - /// \warning This function need not perform consistency checks - /// for the imported parameters. In particular, parameters that - /// are not needed by the implementation might be silently - /// discarded and left unchecked. To check the consistency - /// of the key material, see mbedtls_rsa_check_privkey(). + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \param ctx The initialized RSA context holding imported parameters. + /// \param grp The ECP group to generate a key pair for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The destination MPI (secret part). + /// This must be initialized. + /// \param Q The destination point (public part). + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations - /// failed. - pub fn mbedtls_rsa_complete(ctx: *mut mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_keypair( + grp: *mut mbedtls_ecp_group, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports the core parameters of an RSA key. - /// - /// If this function runs successfully, the non-NULL buffers - /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully - /// written, with additional unused space filled leading by - /// zero Bytes. - /// - /// Possible reasons for returning - /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    - ///
  • An alternative RSA implementation is in use, which - /// stores the key externally, and either cannot or should - /// not export it into RAM.
    • - ///
  • A SW or HW implementation might not support a certain - /// deduction. For example, \p P, \p Q from \p N, \p D, - /// and \p E if the former are not part of the - /// implementation.
- /// - /// If the function fails due to an unsupported operation, - /// the RSA context stays intact and remains usable. + /// \brief This function generates an ECP key. /// - /// \param ctx The initialized RSA context. - /// \param N The MPI to hold the RSA modulus. - /// This may be \c NULL if this field need not be exported. - /// \param P The MPI to hold the first prime factor of \p N. - /// This may be \c NULL if this field need not be exported. - /// \param Q The MPI to hold the second prime factor of \p N. - /// This may be \c NULL if this field need not be exported. - /// \param D The MPI to hold the private exponent. - /// This may be \c NULL if this field need not be exported. - /// \param E The MPI to hold the public exponent. - /// This may be \c NULL if this field need not be exported. + /// \param grp_id The ECP group identifier. + /// \param key The destination key. This must be initialized. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the - /// requested parameters cannot be done due to missing - /// functionality or because of security policies. - /// \return A non-zero return code on any other failure. - pub fn mbedtls_rsa_export( - ctx: *const mbedtls_rsa_context, - N: *mut mbedtls_mpi, - P: *mut mbedtls_mpi, - Q: *mut mbedtls_mpi, - D: *mut mbedtls_mpi, - E: *mut mbedtls_mpi, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports core parameters of an RSA key - /// in raw big-endian binary format. - /// - /// If this function runs successfully, the non-NULL buffers - /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully - /// written, with additional unused space filled leading by - /// zero Bytes. + /// \brief Set the public key in a key pair object. /// - /// Possible reasons for returning - /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    - ///
  • An alternative RSA implementation is in use, which - /// stores the key externally, and either cannot or should - /// not export it into RAM.
    • - ///
  • A SW or HW implementation might not support a certain - /// deduction. For example, \p P, \p Q from \p N, \p D, - /// and \p E if the former are not part of the - /// implementation.
- /// If the function fails due to an unsupported operation, - /// the RSA context stays intact and remains usable. + /// \note This function does not check that the point actually + /// belongs to the given group. Call mbedtls_ecp_check_pubkey() + /// on \p Q before calling this function to check that. /// - /// \note The length parameters are ignored if the corresponding - /// buffer pointers are NULL. + /// \note This function does not check that the public key matches + /// the private key that is already in \p key, if any. + /// To check the consistency of the resulting key pair object, + /// call mbedtls_ecp_check_pub_priv() after setting both + /// the public key and the private key. /// - /// \param ctx The initialized RSA context. - /// \param N The Byte array to store the RSA modulus, - /// or \c NULL if this field need not be exported. - /// \param N_len The size of the buffer for the modulus. - /// \param P The Byte array to hold the first prime factor of \p N, - /// or \c NULL if this field need not be exported. - /// \param P_len The size of the buffer for the first prime factor. - /// \param Q The Byte array to hold the second prime factor of \p N, - /// or \c NULL if this field need not be exported. - /// \param Q_len The size of the buffer for the second prime factor. - /// \param D The Byte array to hold the private exponent, - /// or \c NULL if this field need not be exported. - /// \param D_len The size of the buffer for the private exponent. - /// \param E The Byte array to hold the public exponent, - /// or \c NULL if this field need not be exported. - /// \param E_len The size of the buffer for the public exponent. + /// \param grp_id The ECP group identifier. + /// \param key The key pair object. It must be initialized. + /// If its group has already been set, it must match \p grp_id. + /// If its group has not been set, it will be set to \p grp_id. + /// If the public key has already been set, it is overwritten. + /// \param Q The public key to copy. This must be a point on the + /// curve indicated by \p grp_id. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the - /// requested parameters cannot be done due to missing - /// functionality or because of security policies. - /// \return A non-zero return code on any other failure. - pub fn mbedtls_rsa_export_raw( - ctx: *const mbedtls_rsa_context, - N: *mut ::core::ffi::c_uchar, - N_len: usize, - P: *mut ::core::ffi::c_uchar, - P_len: usize, - Q: *mut ::core::ffi::c_uchar, - Q_len: usize, - D: *mut ::core::ffi::c_uchar, - D_len: usize, - E: *mut ::core::ffi::c_uchar, - E_len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p key does not + /// match \p grp_id. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for + /// the group is not implemented. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_set_public_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports CRT parameters of a private RSA key. + /// \brief This function reads an elliptic curve private key. /// - /// \note Alternative RSA implementations not using CRT-parameters - /// internally can implement this function based on - /// mbedtls_rsa_deduce_opt(). + /// \note This function does not set the public key in the + /// key pair object. Without a public key, the key pair object + /// cannot be used with operations that require the public key. + /// Call mbedtls_ecp_keypair_calc_public() to set the public + /// key from the private key. Alternatively, you can call + /// mbedtls_ecp_set_public_key() to set the public key part, + /// and then optionally mbedtls_ecp_check_pub_priv() to check + /// that the private and public parts are consistent. + /// + /// \note If a public key has already been set in the key pair + /// object, this function does not check that it is consistent + /// with the private key. Call mbedtls_ecp_check_pub_priv() + /// after setting both the public key and the private key + /// to make that check. /// - /// \param ctx The initialized RSA context. - /// \param DP The MPI to hold \c D modulo `P-1`, - /// or \c NULL if it need not be exported. - /// \param DQ The MPI to hold \c D modulo `Q-1`, - /// or \c NULL if it need not be exported. - /// \param QP The MPI to hold modular inverse of \c Q modulo \c P, - /// or \c NULL if it need not be exported. + /// \param grp_id The ECP group identifier. + /// \param key The destination key. + /// \param buf The buffer containing the binary representation of the + /// key. (Big endian integer for Weierstrass curves, byte + /// string for Montgomery curves.) + /// \param buflen The length of the buffer in bytes. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_export_crt( - ctx: *const mbedtls_rsa_context, - DP: *mut mbedtls_mpi, - DQ: *mut mbedtls_mpi, - QP: *mut mbedtls_mpi, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is + /// invalid. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for + /// the group is not implemented. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_read_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + buf: *const ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves the length of RSA modulus in Bytes. + /// \brief This function exports an elliptic curve private key. /// - /// \param ctx The initialized RSA context. + /// \deprecated Note that although this function accepts an output + /// buffer that is smaller or larger than the key, most key + /// import interfaces require the output to have exactly + /// key's nominal length. It is generally simplest to + /// pass the key's nominal length as \c buflen, after + /// checking that the output buffer is large enough. + /// See the description of the \p buflen parameter for + /// how to calculate the nominal length. + /// To avoid this difficulty, use mbedtls_ecp_write_key_ext() + /// instead. + /// mbedtls_ecp_write_key() is deprecated and will be + /// removed in a future version of the library. + /// + /// \note If the private key was not set in \p key, + /// the output is unspecified. Future versions + /// may return an error in that case. /// - /// \return The length of the RSA modulus in Bytes. - pub fn mbedtls_rsa_get_len(ctx: *const mbedtls_rsa_context) -> usize; + /// \param key The private key. + /// \param buf The output buffer for containing the binary representation + /// of the key. + /// For Weierstrass curves, this is the big-endian + /// representation, padded with null bytes at the beginning + /// to reach \p buflen bytes. + /// For Montgomery curves, this is the standard byte string + /// representation (which is little-endian), padded with + /// null bytes at the end to reach \p buflen bytes. + /// \param buflen The total length of the buffer in bytes. + /// The length of the output is + /// (`grp->nbits` + 7) / 8 bytes + /// where `grp->nbits` is the private key size in bits. + /// For Weierstrass keys, if the output buffer is smaller, + /// leading zeros are trimmed to fit if possible. For + /// Montgomery keys, the output buffer must always be large + /// enough for the nominal length. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL or + /// #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the \p key + /// representation is larger than the available space in \p buf. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_write_key( + key: *mut mbedtls_ecp_keypair, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function generates an RSA keypair. - /// - /// \note mbedtls_rsa_init() must be called before this function, - /// to set up the RSA context. + /// \brief This function exports an elliptic curve private key. /// - /// \param ctx The initialized RSA context used to hold the key. - /// \param f_rng The RNG function to be used for key generation. - /// This is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. - /// This may be \c NULL if \p f_rng doesn't need a context. - /// \param nbits The size of the public key in bits. - /// \param exponent The public exponent to use. For example, \c 65537. - /// This must be odd and greater than \c 1. + /// \param key The private key. + /// \param olen On success, the length of the private key. + /// This is always (`grp->nbits` + 7) / 8 bytes + /// where `grp->nbits` is the private key size in bits. + /// \param buf The output buffer for containing the binary representation + /// of the key. + /// \param buflen The total length of the buffer in bytes. + /// #MBEDTLS_ECP_MAX_BYTES is always sufficient. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_gen_key( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - nbits: ::core::ffi::c_uint, - exponent: ::core::ffi::c_int, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key + /// representation is larger than the available space in \p buf. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if no private key is + /// set in \p key. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_write_key_ext( + key: *const mbedtls_ecp_keypair, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks if a context contains at least an RSA - /// public key. + /// \brief This function exports an elliptic curve public key. /// - /// If the function runs successfully, it is guaranteed that - /// enough information is present to perform an RSA public key - /// operation using mbedtls_rsa_public(). + /// \note If the public key was not set in \p key, + /// the output is unspecified. Future versions + /// may return an error in that case. /// - /// \param ctx The initialized RSA context to check. + /// \param key The public key. + /// \param format The point format. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// (For groups without these formats, this parameter is + /// ignored. But it still has to be either of the above + /// values.) + /// \param olen The address at which to store the length of + /// the output in Bytes. This must not be \c NULL. + /// \param buf The output buffer. This must be a writable buffer + /// of length \p buflen Bytes. + /// \param buflen The length of the output buffer \p buf in Bytes. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_pubkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer + /// is too small to hold the point. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format + /// or the export for the given group is not implemented. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_write_public_key( + key: *const mbedtls_ecp_keypair, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks if a context contains an RSA private key - /// and perform basic consistency checks. - /// - /// \note The consistency checks performed by this function not only - /// ensure that mbedtls_rsa_private() can be called successfully - /// on the given context, but that the various parameters are - /// mutually consistent with high probability, in the sense that - /// mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. + /// \brief This function checks that the keypair objects + /// \p pub and \p prv have the same group and the + /// same public point, and that the private key in + /// \p prv is consistent with the public key. /// - /// \warning This function should catch accidental misconfigurations - /// like swapping of parameters, but it cannot establish full - /// trust in neither the quality nor the consistency of the key - /// material that was used to setup the given RSA context: - ///
  • Consistency: Imported parameters that are irrelevant - /// for the implementation might be silently dropped. If dropped, - /// the current function does not have access to them, - /// and therefore cannot check them. See mbedtls_rsa_complete(). - /// If you want to check the consistency of the entire - /// content of a PKCS1-encoded RSA private key, for example, you - /// should use mbedtls_rsa_validate_params() before setting - /// up the RSA context. - /// Additionally, if the implementation performs empirical checks, - /// these checks substantiate but do not guarantee consistency.
    • - ///
  • Quality: This function is not expected to perform - /// extended quality assessments like checking that the prime - /// factors are safe. Additionally, it is the responsibility of the - /// user to ensure the trustworthiness of the source of his RSA - /// parameters, which goes beyond what is effectively checkable - /// by the library.
- /// - /// \param ctx The initialized RSA context to check. + /// \param pub The keypair structure holding the public key. This + /// must be initialized. If it contains a private key, that + /// part is ignored. + /// \param prv The keypair structure holding the full keypair. + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_privkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success, meaning that the keys are valid and match. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match. + /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX + /// error code on calculation failure. + pub fn mbedtls_ecp_check_pub_priv( + pub_: *const mbedtls_ecp_keypair, + prv: *const mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks a public-private RSA key pair. - /// - /// It checks each of the contexts, and makes sure they match. + /// \brief Calculate the public key from a private key in a key pair. /// - /// \param pub The initialized RSA context holding the public key. - /// \param prv The initialized RSA context holding the private key. + /// \param key A keypair structure. It must have a private key set. + /// If the public key is set, it will be overwritten. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_pub_priv( - pub_: *const mbedtls_rsa_context, - prv: *const mbedtls_rsa_context, + /// \return \c 0 on success. The key pair object can be used for + /// operations that require the public key. + /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX + /// error code on calculation failure. + pub fn mbedtls_ecp_keypair_calc_public( + key: *mut mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs an RSA public key operation. - /// - /// \param ctx The initialized RSA context to use. - /// \param input The input buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// - /// \note This function does not handle message padding. + /// \brief Query the group that a key pair belongs to. /// - /// \note Make sure to set \p input[0] = 0 or ensure that - /// input is smaller than \p N. + /// \param key The key pair to query. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_public( - ctx: *mut mbedtls_rsa_context, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return The group ID for the group registered in the key pair + /// object. + /// This is \c MBEDTLS_ECP_DP_NONE if no group has been set + /// in the key pair object. + pub fn mbedtls_ecp_keypair_get_group_id( + key: *const mbedtls_ecp_keypair, + ) -> mbedtls_ecp_group_id; } unsafe extern "C" { - /// \brief This function performs an RSA private key operation. - /// - /// \note Blinding is used if and only if a PRNG is provided. + /// \brief This function exports generic key-pair parameters. /// - /// \note If blinding is used, both the base of exponentiation - /// and the exponent are blinded, providing protection - /// against some side-channel attacks. + /// Each of the output parameters can be a null pointer + /// if you do not need that parameter. /// - /// \warning It is deprecated and a security risk to not provide - /// a PRNG here and thereby prevent the use of blinding. - /// Future versions of the library may enforce the presence - /// of a PRNG. + /// \note If the private key or the public key was not set in \p key, + /// the corresponding output is unspecified. Future versions + /// may return an error in that case. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function, used for blinding. It is mandatory. - /// \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context. - /// \param input The input buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \param key The key pair to export from. + /// \param grp Slot for exported ECP group. + /// It must either be null or point to an initialized ECP group. + /// \param d Slot for the exported secret value. + /// It must either be null or point to an initialized mpi. + /// \param Q Slot for the exported public value. + /// It must either be null or point to an initialized ECP point. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_private( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, + /// \return \c 0 on success, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't + /// correspond to a known group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_export( + key: *const mbedtls_ecp_keypair, + grp: *mut mbedtls_ecp_group, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function adds the message padding, then performs an RSA - /// operation. - /// - /// It is the generic wrapper for performing a PKCS#1 encryption - /// operation. - /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG to use. It is used for padding generation - /// and it is mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. May be - /// \c NULL if \p f_rng doesn't need a context argument. - /// \param ilen The length of the plaintext in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \brief The ECP checkup routine. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return \c 1 on failure. + pub fn mbedtls_ecp_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief The RSA context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_rsa_context { + ///< Reserved for internal purposes. + /// Do not set this field in application + /// code. Its meaning might change without + /// notice. + pub private_ver: ::core::ffi::c_int, + ///< The size of \p N in Bytes. + pub private_len: usize, + ///< The public modulus. + pub private_N: mbedtls_mpi, + ///< The public exponent. + pub private_E: mbedtls_mpi, + ///< The private exponent. + pub private_D: mbedtls_mpi, + ///< The first prime factor. + pub private_P: mbedtls_mpi, + ///< The second prime factor. + pub private_Q: mbedtls_mpi, + ///< D % (P - 1). + pub private_DP: mbedtls_mpi, + ///< D % (Q - 1). + pub private_DQ: mbedtls_mpi, + ///< 1 / (Q % P). + pub private_QP: mbedtls_mpi, + ///< cached R^2 mod N. + pub private_RN: mbedtls_mpi, + ///< cached R^2 mod P. + pub private_RP: mbedtls_mpi, + ///< cached R^2 mod Q. + pub private_RQ: mbedtls_mpi, + ///< The cached blinding value. + pub private_Vi: mbedtls_mpi, + ///< The cached un-blinding value. + pub private_Vf: mbedtls_mpi, + ///< Selects padding mode: + ///#MBEDTLS_RSA_PKCS_V15 for 1.5 padding and + ///#MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. + pub private_padding: ::core::ffi::c_int, + ///< Hash identifier of mbedtls_md_type_t type, + ///as specified in md.h for use in the MGF + ///mask generating function used in the + ///EME-OAEP and EMSA-PSS encodings. + pub private_hash_id: ::core::ffi::c_int, +} +impl Default for mbedtls_rsa_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 encryption operation - /// (RSAES-PKCS1-v1_5-ENCRYPT). + /// \brief This function initializes an RSA context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. It is mandatory and used for - /// padding generation. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// \param ilen The length of the plaintext in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note This function initializes the padding and the hash + /// identifier to respectively #MBEDTLS_RSA_PKCS_V15 and + /// #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more + /// information about those parameters. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_pkcs1_v15_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param ctx The RSA context to initialize. This must not be \c NULL. + pub fn mbedtls_rsa_init(ctx: *mut mbedtls_rsa_context); } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 OAEP encryption - /// operation (RSAES-OAEP-ENCRYPT). - /// - /// \note The output buffer must be as large as the size - /// of ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// \brief This function sets padding for an already initialized RSA + /// context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. This is needed for padding - /// generation and is mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// \param label The buffer holding the custom label to use. - /// This must be a readable buffer of length \p label_len - /// Bytes. It may be \c NULL if \p label_len is \c 0. - /// \param label_len The length of the label in Bytes. - /// \param ilen The length of the plaintext buffer \p input in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP + /// encryption scheme and the RSASSA-PSS signature scheme. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_oaep_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - label: *const ::core::ffi::c_uchar, - label_len: usize, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function performs an RSA operation, then removes the - /// message padding. + /// \note The \p hash_id parameter is ignored when using + /// #MBEDTLS_RSA_PKCS_V15 padding. /// - /// It is the generic wrapper for performing a PKCS#1 decryption - /// operation. + /// \note The choice of padding mode is strictly enforced for private + /// key operations, since there might be security concerns in + /// mixing padding modes. For public key operations it is + /// a default value, which can be overridden by calling specific + /// \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx + /// functions. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N (for example, - /// 128 Bytes if RSA-1024 is used) to be able to hold an - /// arbitrary decrypted message. If it is not large enough to - /// hold the decryption of the particular ciphertext provided, - /// the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \note The hash selected in \p hash_id is always used for OEAP + /// encryption. For PSS signatures, it is always used for + /// making signatures, but can be overridden for verifying them. + /// If set to #MBEDTLS_MD_NONE, it is always overridden. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// \param ctx The initialized RSA context to be configured. + /// \param padding The padding mode to use. This must be either + /// #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. + /// \param hash_id The hash identifier for PSS or OAEP, if \p padding is + /// #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this + /// function but may be not suitable for some operations. + /// Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_decrypt( + /// \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: + /// \p padding or \p hash_id is invalid. + pub fn mbedtls_rsa_set_padding( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, + padding: ::core::ffi::c_int, + hash_id: mbedtls_md_type_t, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 decryption - /// operation (RSAES-PKCS1-v1_5-DECRYPT). + /// \brief This function retrieves padding mode of initialized + /// RSA context. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N, for example, - /// 128 Bytes if RSA-1024 is used, to be able to hold an - /// arbitrary decrypted message. If it is not large enough to - /// hold the decryption of the particular ciphertext provided, - /// the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \param ctx The initialized RSA context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// \return RSA padding mode. + pub fn mbedtls_rsa_get_padding_mode(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function retrieves hash identifier of mbedtls_md_type_t + /// type. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_pkcs1_v15_decrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The initialized RSA context. + /// + /// \return Hash identifier of mbedtls_md_type_t type. + pub fn mbedtls_rsa_get_md_alg(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 OAEP decryption - /// operation (RSAES-OAEP-DECRYPT). + /// \brief This function imports a set of core parameters into an + /// RSA context. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N, for - /// example, 128 Bytes if RSA-1024 is used, to be able to - /// hold an arbitrary decrypted message. If it is not - /// large enough to hold the decryption of the particular - /// ciphertext provided, the function returns - /// #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \note This function can be called multiple times for successive + /// imports, if the parameters are not simultaneously present. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param label The buffer holding the custom label to use. - /// This must be a readable buffer of length \p label_len - /// Bytes. It may be \c NULL if \p label_len is \c 0. - /// \param label_len The length of the label in Bytes. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// Any sequence of calls to this function should be followed + /// by a call to mbedtls_rsa_complete(), which checks and + /// completes the provided information to a ready-for-use + /// public or private RSA key. + /// + /// \note See mbedtls_rsa_complete() for more information on which + /// parameters are necessary to set up a private or public + /// RSA key. + /// + /// \note The imported parameters are copied and need not be preserved + /// for the lifetime of the RSA context being set up. + /// + /// \param ctx The initialized RSA context to store the parameters in. + /// \param N The RSA modulus. This may be \c NULL. + /// \param P The first prime factor of \p N. This may be \c NULL. + /// \param Q The second prime factor of \p N. This may be \c NULL. + /// \param D The private exponent. This may be \c NULL. + /// \param E The public exponent. This may be \c NULL. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_oaep_decrypt( + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_import( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - label: *const ::core::ffi::c_uchar, - label_len: usize, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, + N: *const mbedtls_mpi, + P: *const mbedtls_mpi, + Q: *const mbedtls_mpi, + D: *const mbedtls_mpi, + E: *const mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a private RSA operation to sign - /// a message digest using PKCS#1. + /// \brief This function imports core RSA parameters, in raw big-endian + /// binary format, into an RSA context. /// - /// It is the generic wrapper for performing a PKCS#1 - /// signature. + /// \note This function can be called multiple times for successive + /// imports, if the parameters are not simultaneously present. /// - /// \note The \p sig buffer must be as large as the size - /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// Any sequence of calls to this function should be followed + /// by a call to mbedtls_rsa_complete(), which checks and + /// completes the provided information to a ready-for-use + /// public or private RSA key. /// - /// \note For PKCS#1 v2.1 encoding, see comments on - /// mbedtls_rsa_rsassa_pss_sign() for details on - /// \p md_alg and \p hash_id. + /// \note See mbedtls_rsa_complete() for more information on which + /// parameters are necessary to set up a private or public + /// RSA key. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. This is mandatory and - /// must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// \note The imported parameters are copied and need not be preserved + /// for the lifetime of the RSA context being set up. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_sign( + /// \param ctx The initialized RSA context to store the parameters in. + /// \param N The RSA modulus. This may be \c NULL. + /// \param N_len The Byte length of \p N; it is ignored if \p N == NULL. + /// \param P The first prime factor of \p N. This may be \c NULL. + /// \param P_len The Byte length of \p P; it is ignored if \p P == NULL. + /// \param Q The second prime factor of \p N. This may be \c NULL. + /// \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. + /// \param D The private exponent. This may be \c NULL. + /// \param D_len The Byte length of \p D; it is ignored if \p D == NULL. + /// \param E The public exponent. This may be \c NULL. + /// \param E_len The Byte length of \p E; it is ignored if \p E == NULL. + /// + /// \return \c 0 on success. + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_import_raw( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, + N: *const ::core::ffi::c_uchar, + N_len: usize, + P: *const ::core::ffi::c_uchar, + P_len: usize, + Q: *const ::core::ffi::c_uchar, + Q_len: usize, + D: *const ::core::ffi::c_uchar, + D_len: usize, + E: *const ::core::ffi::c_uchar, + E_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 signature - /// operation (RSASSA-PKCS1-v1_5-SIGN). + /// \brief This function completes an RSA context from + /// a set of imported core parameters. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// To setup an RSA public key, precisely \c N and \c E + /// must have been imported. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pkcs1_v15_sign( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS signature - /// operation (RSASSA-PSS-SIGN). + /// To setup an RSA private key, sufficient information must + /// be present for the other parameters to be derivable. /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. + /// The default implementation supports the following: + ///
  • Derive \c P, \c Q from \c N, \c D, \c E.
    • + ///
  • Derive \c N, \c D from \c P, \c Q, \c E.
+ /// Alternative implementations need not support these. /// - /// \note This function enforces that the provided salt length complies - /// with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 - /// step 3. The constraint is that the hash length plus the salt - /// length plus 2 bytes must be at most the key length. If this - /// constraint is not met, this function returns - /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. + /// If this function runs successfully, it guarantees that + /// the RSA context can be used for RSA operations without + /// the risk of failure or crash. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param saltlen The length of the salt that should be used. - /// If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use - /// the largest possible salt length up to the hash length, - /// which is the largest permitted by some standards including - /// FIPS 186-4 §5.5. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// \warning This function need not perform consistency checks + /// for the imported parameters. In particular, parameters that + /// are not needed by the implementation might be silently + /// discarded and left unchecked. To check the consistency + /// of the key material, see mbedtls_rsa_check_privkey(). /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_sign_ext( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - saltlen: ::core::ffi::c_int, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param ctx The initialized RSA context holding imported parameters. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations + /// failed. + pub fn mbedtls_rsa_complete(ctx: *mut mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS signature - /// operation (RSASSA-PSS-SIGN). + /// \brief This function exports the core parameters of an RSA key. /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. + /// If this function runs successfully, the non-NULL buffers + /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + /// written, with additional unused space filled leading by + /// zero Bytes. /// - /// \note This function always uses the maximum possible salt size, - /// up to the length of the payload hash. This choice of salt - /// size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 - /// v2.2) §9.1.1 step 3. Furthermore this function enforces a - /// minimum salt size which is the hash size minus 2 bytes. If - /// this minimum size is too large given the key size (the salt - /// size, plus the hash size, plus 2 bytes must be no more than - /// the key size in bytes), this function returns - /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. + /// Possible reasons for returning + /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    + ///
  • An alternative RSA implementation is in use, which + /// stores the key externally, and either cannot or should + /// not export it into RAM.
    • + ///
  • A SW or HW implementation might not support a certain + /// deduction. For example, \p P, \p Q from \p N, \p D, + /// and \p E if the former are not part of the + /// implementation.
/// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// If the function fails due to an unsupported operation, + /// the RSA context stays intact and remains usable. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_sign( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, + /// \param ctx The initialized RSA context. + /// \param N The MPI to hold the RSA modulus. + /// This may be \c NULL if this field need not be exported. + /// \param P The MPI to hold the first prime factor of \p N. + /// This may be \c NULL if this field need not be exported. + /// \param Q The MPI to hold the second prime factor of \p N. + /// This may be \c NULL if this field need not be exported. + /// \param D The MPI to hold the private exponent. + /// This may be \c NULL if this field need not be exported. + /// \param E The MPI to hold the public exponent. + /// This may be \c NULL if this field need not be exported. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the + /// requested parameters cannot be done due to missing + /// functionality or because of security policies. + /// \return A non-zero return code on any other failure. + pub fn mbedtls_rsa_export( + ctx: *const mbedtls_rsa_context, + N: *mut mbedtls_mpi, + P: *mut mbedtls_mpi, + Q: *mut mbedtls_mpi, + D: *mut mbedtls_mpi, + E: *mut mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a public RSA operation and checks - /// the message digest. - /// - /// This is the generic wrapper for performing a PKCS#1 - /// verification. + /// \brief This function exports core parameters of an RSA key + /// in raw big-endian binary format. /// - /// \note For PKCS#1 v2.1 encoding, see comments on - /// mbedtls_rsa_rsassa_pss_verify() about \p md_alg and - /// \p hash_id. + /// If this function runs successfully, the non-NULL buffers + /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + /// written, with additional unused space filled leading by + /// zero Bytes. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// Possible reasons for returning + /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    + ///
  • An alternative RSA implementation is in use, which + /// stores the key externally, and either cannot or should + /// not export it into RAM.
    • + ///
  • A SW or HW implementation might not support a certain + /// deduction. For example, \p P, \p Q from \p N, \p D, + /// and \p E if the former are not part of the + /// implementation.
+ /// If the function fails due to an unsupported operation, + /// the RSA context stays intact and remains usable. /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, + /// \note The length parameters are ignored if the corresponding + /// buffer pointers are NULL. + /// + /// \param ctx The initialized RSA context. + /// \param N The Byte array to store the RSA modulus, + /// or \c NULL if this field need not be exported. + /// \param N_len The size of the buffer for the modulus. + /// \param P The Byte array to hold the first prime factor of \p N, + /// or \c NULL if this field need not be exported. + /// \param P_len The size of the buffer for the first prime factor. + /// \param Q The Byte array to hold the second prime factor of \p N, + /// or \c NULL if this field need not be exported. + /// \param Q_len The size of the buffer for the second prime factor. + /// \param D The Byte array to hold the private exponent, + /// or \c NULL if this field need not be exported. + /// \param D_len The size of the buffer for the private exponent. + /// \param E The Byte array to hold the public exponent, + /// or \c NULL if this field need not be exported. + /// \param E_len The size of the buffer for the public exponent. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the + /// requested parameters cannot be done due to missing + /// functionality or because of security policies. + /// \return A non-zero return code on any other failure. + pub fn mbedtls_rsa_export_raw( + ctx: *const mbedtls_rsa_context, + N: *mut ::core::ffi::c_uchar, + N_len: usize, + P: *mut ::core::ffi::c_uchar, + P_len: usize, + Q: *mut ::core::ffi::c_uchar, + Q_len: usize, + D: *mut ::core::ffi::c_uchar, + D_len: usize, + E: *mut ::core::ffi::c_uchar, + E_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 verification - /// operation (RSASSA-PKCS1-v1_5-VERIFY). + /// \brief This function exports CRT parameters of a private RSA key. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note Alternative RSA implementations not using CRT-parameters + /// internally can implement this function based on + /// mbedtls_rsa_deduce_opt(). /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pkcs1_v15_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, + /// \param ctx The initialized RSA context. + /// \param DP The MPI to hold \c D modulo `P-1`, + /// or \c NULL if it need not be exported. + /// \param DQ The MPI to hold \c D modulo `Q-1`, + /// or \c NULL if it need not be exported. + /// \param QP The MPI to hold modular inverse of \c Q modulo \c P, + /// or \c NULL if it need not be exported. + /// + /// \return \c 0 on success. + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_export_crt( + ctx: *const mbedtls_rsa_context, + DP: *mut mbedtls_mpi, + DQ: *mut mbedtls_mpi, + QP: *mut mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS verification - /// operation (RSASSA-PSS-VERIFY). - /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. If the \c hash_id set in \p ctx by - /// mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg - /// parameter is used. + /// \brief This function retrieves the length of the RSA modulus in bits. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \param ctx The initialized RSA context. /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return The length of the RSA modulus in bits. + pub fn mbedtls_rsa_get_bitlen(ctx: *const mbedtls_rsa_context) -> usize; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS verification - /// operation (RSASSA-PSS-VERIFY). + /// \brief This function retrieves the length of RSA modulus in Bytes. /// - /// \note The \p sig buffer must be as large as the size - /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// \param ctx The initialized RSA context. /// - /// \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is - /// ignored. + /// \return The length of the RSA modulus in Bytes. + pub fn mbedtls_rsa_get_len(ctx: *const mbedtls_rsa_context) -> usize; +} +unsafe extern "C" { + /// \brief This function generates an RSA keypair. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param mgf1_hash_id The message digest algorithm used for the - /// verification operation and the mask generation - /// function (MGF1). For more details on the encoding - /// operation and the mask generation function, consult - /// RFC-3447: Public-Key Cryptography Standards - /// (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. - /// \param expected_salt_len The length of the salt used in padding. Use - /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note mbedtls_rsa_init() must be called before this function, + /// to set up the RSA context. /// - /// \return \c 0 if the verify operation was successful. + /// \param ctx The initialized RSA context used to hold the key. + /// \param f_rng The RNG function to be used for key generation. + /// This is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. + /// This may be \c NULL if \p f_rng doesn't need a context. + /// \param nbits The size of the public key in bits. + /// \param exponent The public exponent to use. For example, \c 65537. + /// This must be odd and greater than \c 1. + /// + /// \return \c 0 on success. /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_verify_ext( + pub fn mbedtls_rsa_gen_key( ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - mgf1_hash_id: mbedtls_md_type_t, - expected_salt_len: ::core::ffi::c_int, - sig: *const ::core::ffi::c_uchar, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + nbits: ::core::ffi::c_uint, + exponent: ::core::ffi::c_int, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function copies the components of an RSA context. + /// \brief This function checks if a context contains at least an RSA + /// public key. /// - /// \param dst The destination context. This must be initialized. - /// \param src The source context. This must be initialized. + /// If the function runs successfully, it is guaranteed that + /// enough information is present to perform an RSA public key + /// operation using mbedtls_rsa_public(). + /// + /// \param ctx The initialized RSA context to check. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. - pub fn mbedtls_rsa_copy( - dst: *mut mbedtls_rsa_context, - src: *const mbedtls_rsa_context, - ) -> ::core::ffi::c_int; + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_pubkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function frees the components of an RSA key. + /// \brief This function checks if a context contains an RSA private key + /// and perform basic consistency checks. /// - /// \param ctx The RSA context to free. May be \c NULL, in which case - /// this function is a no-op. If it is not \c NULL, it must - /// point to an initialized RSA context. - pub fn mbedtls_rsa_free(ctx: *mut mbedtls_rsa_context); + /// \note The consistency checks performed by this function not only + /// ensure that mbedtls_rsa_private() can be called successfully + /// on the given context, but that the various parameters are + /// mutually consistent with high probability, in the sense that + /// mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. + /// + /// \warning This function should catch accidental misconfigurations + /// like swapping of parameters, but it cannot establish full + /// trust in neither the quality nor the consistency of the key + /// material that was used to setup the given RSA context: + ///
  • Consistency: Imported parameters that are irrelevant + /// for the implementation might be silently dropped. If dropped, + /// the current function does not have access to them, + /// and therefore cannot check them. See mbedtls_rsa_complete(). + /// If you want to check the consistency of the entire + /// content of a PKCS1-encoded RSA private key, for example, you + /// should use mbedtls_rsa_validate_params() before setting + /// up the RSA context. + /// Additionally, if the implementation performs empirical checks, + /// these checks substantiate but do not guarantee consistency.
    • + ///
  • Quality: This function is not expected to perform + /// extended quality assessments like checking that the prime + /// factors are safe. Additionally, it is the responsibility of the + /// user to ensure the trustworthiness of the source of his RSA + /// parameters, which goes beyond what is effectively checkable + /// by the library.
+ /// + /// \param ctx The initialized RSA context to check. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_privkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief The RSA checkup routine. + /// \brief This function checks a public-private RSA key pair. + /// + /// It checks each of the contexts, and makes sure they match. + /// + /// \param pub The initialized RSA context holding the public key. + /// \param prv The initialized RSA context holding the private key. /// /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_rsa_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -/// \brief The ECDSA context structure. -/// -/// \warning Performing multiple operations concurrently on the same -/// ECDSA context is not supported; objects of this type -/// should not be shared between multiple threads. -/// -/// \note pk_wrap module assumes that "ecdsa_context" is identical -/// to "ecp_keypair" (see for example structure -/// "mbedtls_eckey_info" where ECDSA sign/verify functions -/// are used also for EC key) -pub type mbedtls_ecdsa_context = mbedtls_ecp_keypair; -pub type mbedtls_ecdsa_restart_ctx = ::core::ffi::c_void; + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_pub_priv( + pub_: *const mbedtls_rsa_context, + prv: *const mbedtls_rsa_context, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { - /// \brief This function checks whether a given group can be used - /// for ECDSA. + /// \brief This function performs an RSA public key operation. /// - /// \param gid The ECP group ID to check. + /// \param ctx The initialized RSA context to use. + /// \param input The input buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 1 if the group can be used, \c 0 otherwise - pub fn mbedtls_ecdsa_can_do(gid: mbedtls_ecp_group_id) -> ::core::ffi::c_int; + /// \note This function does not handle message padding. + /// + /// \note Make sure to set \p input[0] = 0 or ensure that + /// input is smaller than \c N. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_public( + ctx: *mut mbedtls_rsa_context, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message. + /// \brief This function performs an RSA private key operation. /// - /// \note The deterministic version implemented in - /// mbedtls_ecdsa_sign_det_ext() is usually preferred. + /// \note Blinding is used if and only if a PRNG is provided. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated - /// as defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. + /// \note If blinding is used, both the base of exponentiation + /// and the exponent are blinded, providing protection + /// against some side-channel attacks. /// - /// \see ecp.h + /// \warning It is deprecated and a security risk to not provide + /// a PRNG here and thereby prevent the use of blinding. + /// Future versions of the library may enforce the presence + /// of a PRNG. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized. - /// \param buf The content to be signed. This is usually the hash of - /// the original data to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function, used for blinding. It is mandatory. + /// \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context. + /// \param input The input buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX - /// or \c MBEDTLS_MPI_XXX error code on failure. - pub fn mbedtls_ecdsa_sign( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_private( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, deterministic version. + /// \brief This function adds the message padding, then performs an RSA + /// operation. /// - /// For more information, see RFC-6979: Deterministic - /// Usage of the Digital Signature Algorithm (DSA) and Elliptic - /// Curve Digital Signature Algorithm (ECDSA). + /// It is the generic wrapper for performing a PKCS#1 encryption + /// operation. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG to use. It is used for padding generation + /// and it is mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. May be + /// \c NULL if \p f_rng doesn't need a context argument. + /// \param ilen The length of the plaintext in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \see ecp.h + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a PKCS#1 v1.5 encryption operation + /// (RSAES-PKCS1-v1_5-ENCRYPT). /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param md_alg The hash algorithm used to hash the original data. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. It is mandatory and used for + /// padding generation. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. + /// \param ilen The length of the plaintext in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_det_ext( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - md_alg: mbedtls_md_type_t, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_pkcs1_v15_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, in a restartable way. + /// \brief This function performs a PKCS#1 v2.1 OAEP encryption + /// operation (RSAES-OAEP-ENCRYPT). /// - /// \note The deterministic version implemented in - /// mbedtls_ecdsa_sign_det_restartable() is usually - /// preferred. + /// \note The output buffer must be as large as the size + /// of ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \note This function is like \c mbedtls_ecdsa_sign() but - /// it can return early and restart according to the - /// limit set with \c mbedtls_ecp_set_max_ops() to - /// reduce blocking. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. This is needed for padding + /// generation and is mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. + /// \param label The buffer holding the custom label to use. + /// This must be a readable buffer of length \p label_len + /// Bytes. It may be \c NULL if \p label_len is \c 0. + /// \param label_len The length of the label in Bytes. + /// \param ilen The length of the plaintext buffer \p input in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \note If the bitlength of the message hash is larger - /// than the bitlength of the group order, then the - /// hash is truncated as defined in Standards for - /// Efficient Cryptography Group (SECG): SEC1 Elliptic - /// Curve Cryptography, section 4.1.3, step 5. + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_oaep_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + label: *const ::core::ffi::c_uchar, + label_len: usize, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs an RSA operation, then removes the + /// message padding. /// - /// \see ecp.h + /// It is the generic wrapper for performing a PKCS#1 decryption + /// operation. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through - /// mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param rs_ctx The restart context to use. This may be \c NULL - /// to disable restarting. If it is not \c NULL, it - /// must point to an initialized restart context. + /// \warning When \p ctx->padding is set to #MBEDTLS_RSA_PKCS_V15, + /// mbedtls_rsa_rsaes_pkcs1_v15_decrypt() is called, which is an + /// inherently dangerous function (CWE-242). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c - /// mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c - /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_restartable( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N (for example, + /// 128 Bytes if RSA-1024 is used) to be able to hold an + /// arbitrary decrypted message. If it is not large enough to + /// hold the decryption of the particular ciphertext provided, + /// the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, in a restartable way. - /// - /// \note This function is like \c - /// mbedtls_ecdsa_sign_det_ext() but it can return - /// early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \brief This function performs a PKCS#1 v1.5 decryption + /// operation (RSAES-PKCS1-v1_5-DECRYPT). /// - /// \note If the bitlength of the message hash is larger - /// than the bitlength of the group order, then the - /// hash is truncated as defined in Standards for - /// Efficient Cryptography Group (SECG): SEC1 Elliptic - /// Curve Cryptography, section 4.1.3, step 5. + /// \warning This is an inherently dangerous function (CWE-242). Unless + /// it is used in a side channel free and safe way (eg. + /// implementing the TLS protocol as per 7.4.7.1 of RFC 5246), + /// the calling code is vulnerable. /// - /// \see ecp.h + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N, for example, + /// 128 Bytes if RSA-1024 is used, to be able to hold an + /// arbitrary decrypted message. If it is not large enough to + /// hold the decryption of the particular ciphertext provided, + /// the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through - /// mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param md_alg The hash algorithm used to hash the original data. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param rs_ctx The restart context to use. This may be \c NULL - /// to disable restarting. If it is not \c NULL, it - /// must point to an initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c - /// mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c - /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_det_restartable( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - md_alg: mbedtls_md_type_t, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_pkcs1_v15_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function verifies the ECDSA signature of a - /// previously-hashed message. - /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// \brief This function performs a PKCS#1 v2.1 OAEP decryption + /// operation (RSAES-OAEP-DECRYPT). /// - /// \see ecp.h + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N, for + /// example, 128 Bytes if RSA-1024 is used, to be able to + /// hold an arbitrary decrypted message. If it is not + /// large enough to hold the decryption of the particular + /// ciphertext provided, the function returns + /// #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param buf The hashed content that was signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param Q The public key to use for verification. This must be - /// initialized and setup. - /// \param r The first integer of the signature. - /// This must be initialized. - /// \param s The second integer of the signature. - /// This must be initialized. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param label The buffer holding the custom label to use. + /// This must be a readable buffer of length \p label_len + /// Bytes. It may be \c NULL if \p label_len is \c 0. + /// \param label_len The length of the label in Bytes. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_verify( - grp: *mut mbedtls_ecp_group, - buf: *const ::core::ffi::c_uchar, - blen: usize, - Q: *const mbedtls_ecp_point, - r: *const mbedtls_mpi, - s: *const mbedtls_mpi, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_oaep_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + label: *const ::core::ffi::c_uchar, + label_len: usize, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function verifies the ECDSA signature of a - /// previously-hashed message, in a restartable manner + /// \brief This function performs a private RSA operation to sign + /// a message digest using PKCS#1. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// It is the generic wrapper for performing a PKCS#1 + /// signature. /// - /// \see ecp.h + /// \note The \p sig buffer must be as large as the size + /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param buf The hashed content that was signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param Q The public key to use for verification. This must be - /// initialized and setup. - /// \param r The first integer of the signature. - /// This must be initialized. - /// \param s The second integer of the signature. - /// This must be initialized. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_verify_restartable( - grp: *mut mbedtls_ecp_group, - buf: *const ::core::ffi::c_uchar, - blen: usize, - Q: *const mbedtls_ecp_point, - r: *const mbedtls_mpi, - s: *const mbedtls_mpi, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function computes the ECDSA signature and writes it - /// to a buffer, serialized as defined in RFC-4492: - /// Elliptic Curve Cryptography (ECC) Cipher Suites for - /// Transport Layer Security (TLS). - /// - /// \warning It is not thread-safe to use the same context in - /// multiple threads. - /// - /// \note The deterministic version is used if - /// #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more - /// information, see RFC-6979: Deterministic Usage - /// of the Digital Signature Algorithm (DSA) and Elliptic - /// Curve Digital Signature Algorithm (ECDSA). - /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. - /// - /// \see ecp.h + /// \note For PKCS#1 v2.1 encoding, see comments on + /// mbedtls_rsa_rsassa_pss_sign() for details on + /// \p md_alg and \p hash_id. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and private key bound to it, for example - /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). - /// \param md_alg The message digest that was used to hash the message. - /// \param hash The message hash to be signed. This must be a readable - /// buffer of length \p blen Bytes. - /// \param hlen The length of the hash \p hash in Bytes. - /// \param sig The buffer to which to write the signature. This must be a - /// writable buffer of length at least twice as large as the - /// size of the curve used, plus 9. For example, 73 Bytes if - /// a 256-bit curve is used. A buffer length of - /// #MBEDTLS_ECDSA_MAX_LEN is always safe. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param slen The address at which to store the actual length of - /// the signature written. Must not be \c NULL. - /// \param f_rng The RNG function. This must not be \c NULL if - /// #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, - /// it is used only for blinding and may be set to \c NULL, but - /// doing so is DEPRECATED. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. This is mandatory and + /// must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or - /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. - pub fn mbedtls_ecdsa_write_signature( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - slen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature and writes it - /// to a buffer, in a restartable way. - /// - /// \see \c mbedtls_ecdsa_write_signature() - /// - /// \note This function is like \c mbedtls_ecdsa_write_signature() - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \brief This function performs a PKCS#1 v1.5 signature + /// operation (RSASSA-PKCS1-v1_5-SIGN). /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and private key bound to it, for example - /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). - /// \param md_alg The message digest that was used to hash the message. - /// \param hash The message hash to be signed. This must be a readable - /// buffer of length \p blen Bytes. - /// \param hlen The length of the hash \p hash in Bytes. - /// \param sig The buffer to which to write the signature. This must be a - /// writable buffer of length at least twice as large as the - /// size of the curve used, plus 9. For example, 73 Bytes if - /// a 256-bit curve is used. A buffer length of - /// #MBEDTLS_ECDSA_MAX_LEN is always safe. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param slen The address at which to store the actual length of - /// the signature written. Must not be \c NULL. - /// \param f_rng The RNG function. This must not be \c NULL if - /// #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, - /// it is unused and may be set to \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng is \c NULL or doesn't use a context. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or - /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. - pub fn mbedtls_ecdsa_write_signature_restartable( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pkcs1_v15_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - slen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function reads and verifies an ECDSA signature. + /// \brief This function performs a PKCS#1 v2.1 PSS signature + /// operation (RSASSA-PSS-SIGN). /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. /// - /// \see ecp.h + /// \note This function enforces that the provided salt length complies + /// with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 + /// step 3. The constraint is that the hash length plus the salt + /// length plus 2 bytes must be at most the key length. If this + /// constraint is not met, this function returns + /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and public key bound to it. - /// \param hash The message hash that was signed. This must be a readable - /// buffer of length \p size Bytes. - /// \param hlen The size of the hash \p hash. - /// \param sig The signature to read and verify. This must be a readable - /// buffer of length \p slen Bytes. - /// \param slen The size of \p sig in Bytes. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param saltlen The length of the salt that should be used. + /// If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use + /// the largest possible salt length up to the hash length, + /// which is the largest permitted by some standards including + /// FIPS 186-4 §5.5. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. - /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid - /// signature in \p sig, but its length is less than \p siglen. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX - /// error code on failure for any other reason. - pub fn mbedtls_ecdsa_read_signature( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_sign_ext( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, - sig: *const ::core::ffi::c_uchar, - slen: usize, + saltlen: ::core::ffi::c_int, + sig: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function reads and verifies an ECDSA signature, - /// in a restartable way. + /// \brief This function performs a PKCS#1 v2.1 PSS signature + /// operation (RSASSA-PSS-SIGN). /// - /// \see \c mbedtls_ecdsa_read_signature() + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. /// - /// \note This function is like \c mbedtls_ecdsa_read_signature() - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \note This function always uses the maximum possible salt size, + /// up to the length of the payload hash. This choice of salt + /// size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 + /// v2.2) §9.1.1 step 3. Furthermore this function enforces a + /// minimum salt size which is the hash size minus 2 bytes. If + /// this minimum size is too large given the key size (the salt + /// size, plus the hash size, plus 2 bytes must be no more than + /// the key size in bytes), this function returns + /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and public key bound to it. - /// \param hash The message hash that was signed. This must be a readable - /// buffer of length \p size Bytes. - /// \param hlen The size of the hash \p hash. - /// \param sig The signature to read and verify. This must be a readable - /// buffer of length \p slen Bytes. - /// \param slen The size of \p sig in Bytes. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. - /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid - /// signature in \p sig, but its length is less than \p siglen. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX - /// error code on failure for any other reason. - pub fn mbedtls_ecdsa_read_signature_restartable( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a public RSA operation and checks + /// the message digest. + /// + /// This is the generic wrapper for performing a PKCS#1 + /// verification. + /// + /// \note For PKCS#1 v2.1 encoding, see comments on + /// mbedtls_rsa_rsassa_pss_verify() about \c md_alg and + /// \c hash_id. + /// + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *const ::core::ffi::c_uchar, - slen: usize, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function generates an ECDSA keypair on the given curve. + /// \brief This function performs a PKCS#1 v1.5 verification + /// operation (RSASSA-PKCS1-v1_5-VERIFY). /// - /// \see ecp.h + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \param ctx The ECDSA context to store the keypair in. - /// This must be initialized. - /// \param gid The elliptic curve to use. One of the various - /// \c MBEDTLS_ECP_DP_XXX macros depending on configuration. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context argument. + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pkcs1_v15_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a PKCS#1 v2.1 PSS verification + /// operation (RSASSA-PSS-VERIFY). /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. - pub fn mbedtls_ecdsa_genkey( - ctx: *mut mbedtls_ecdsa_context, - gid: mbedtls_ecp_group_id, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. If the \c hash_id set in \p ctx by + /// mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg + /// parameter is used. + /// + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *const ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets up an ECDSA context from an EC key pair. + /// \brief This function performs a PKCS#1 v2.1 PSS verification + /// operation (RSASSA-PSS-VERIFY). /// - /// \see ecp.h + /// \note The \p sig buffer must be as large as the size + /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \param ctx The ECDSA context to setup. This must be initialized. - /// \param key The EC key to use. This must be initialized and hold - /// a private-public key pair or a public key. In the former - /// case, the ECDSA context may be used for signature creation - /// and verification after this call. In the latter case, it - /// may be used for signature verification. + /// \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is + /// ignored. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. - pub fn mbedtls_ecdsa_from_keypair( - ctx: *mut mbedtls_ecdsa_context, - key: *const mbedtls_ecp_keypair, + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param mgf1_hash_id The message digest algorithm used for the + /// verification operation and the mask generation + /// function (MGF1). For more details on the encoding + /// operation and the mask generation function, consult + /// RFC-3447: Public-Key Cryptography Standards + /// (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. + /// \param expected_salt_len The length of the salt used in padding. Use + /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_verify_ext( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + mgf1_hash_id: mbedtls_md_type_t, + expected_salt_len: ::core::ffi::c_int, + sig: *const ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function initializes an ECDSA context. + /// \brief This function copies the components of an RSA context. /// - /// \param ctx The ECDSA context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_ecdsa_init(ctx: *mut mbedtls_ecdsa_context); + /// \param dst The destination context. This must be initialized. + /// \param src The source context. This must be initialized. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. + pub fn mbedtls_rsa_copy( + dst: *mut mbedtls_rsa_context, + src: *const mbedtls_rsa_context, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function frees an ECDSA context. + /// \brief This function frees the components of an RSA key. /// - /// \param ctx The ECDSA context to free. This may be \c NULL, - /// in which case this function does nothing. If it - /// is not \c NULL, it must be initialized. - pub fn mbedtls_ecdsa_free(ctx: *mut mbedtls_ecdsa_context); + /// \param ctx The RSA context to free. May be \c NULL, in which case + /// this function is a no-op. If it is not \c NULL, it must + /// point to an initialized RSA context. + pub fn mbedtls_rsa_free(ctx: *mut mbedtls_rsa_context); } -pub const mbedtls_pk_type_t_MBEDTLS_PK_NONE: mbedtls_pk_type_t = 0; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA: mbedtls_pk_type_t = 1; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY: mbedtls_pk_type_t = 2; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY_DH: mbedtls_pk_type_t = 3; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECDSA: mbedtls_pk_type_t = 4; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA_ALT: mbedtls_pk_type_t = 5; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSASSA_PSS: mbedtls_pk_type_t = 6; -pub const mbedtls_pk_type_t_MBEDTLS_PK_OPAQUE: mbedtls_pk_type_t = 7; -/// \brief Public key types -pub type mbedtls_pk_type_t = ::core::ffi::c_uint; -/// \brief Options for RSASSA-PSS signature verification. -/// See \c mbedtls_rsa_rsassa_pss_verify_ext() -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_rsassa_pss_options { - /// The digest to use for MGF1 in PSS. +unsafe extern "C" { + /// \brief The RSA checkup routine. /// - /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is - /// disabled, this must be equal to the \c md_alg argument passed - /// to mbedtls_pk_verify_ext(). In a future version of the library, - /// this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is - /// enabled regardless of the status of #MBEDTLS_RSA_C. - pub mgf1_hash_id: mbedtls_md_type_t, - /// The expected length of the salt, in bytes. This may be - /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. - /// - /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only - /// #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be - /// ignored (allowing any salt length). - pub expected_salt_len: ::core::ffi::c_int, -} -impl Default for mbedtls_pk_rsassa_pss_options { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_NONE: mbedtls_pk_debug_type = 0; -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_MPI: mbedtls_pk_debug_type = 1; -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_ECP: mbedtls_pk_debug_type = 2; -/// \brief Types for interfacing with the debug module -pub type mbedtls_pk_debug_type = ::core::ffi::c_uint; -/// \brief Item to send to the debug module -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_debug_item { - pub private_type: mbedtls_pk_debug_type, - pub private_name: *const ::core::ffi::c_char, - pub private_value: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_pk_debug_item { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_info_t { - _unused: [u8; 0], -} -/// \brief Public key container -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_context { - ///< Public key information - pub private_pk_info: *const mbedtls_pk_info_t, - ///< Underlying public key context - pub private_pk_ctx: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_pk_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_rsa_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -pub type mbedtls_pk_restart_ctx = ::core::ffi::c_void; -/// \brief Types for RSA-alt abstraction -pub type mbedtls_pk_rsa_alt_decrypt_func = ::core::option::Option< - unsafe extern "C" fn( - ctx: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, - ) -> ::core::ffi::c_int, ->; -pub type mbedtls_pk_rsa_alt_sign_func = ::core::option::Option< - unsafe extern "C" fn( - ctx: *mut ::core::ffi::c_void, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int, ->; -pub type mbedtls_pk_rsa_alt_key_len_func = - ::core::option::Option usize>; +/// \brief The ECDSA context structure. +/// +/// \warning Performing multiple operations concurrently on the same +/// ECDSA context is not supported; objects of this type +/// should not be shared between multiple threads. +/// +/// \note pk_wrap module assumes that "ecdsa_context" is identical +/// to "ecp_keypair" (see for example structure +/// "mbedtls_eckey_info" where ECDSA sign/verify functions +/// are used also for EC key) +pub type mbedtls_ecdsa_context = mbedtls_ecp_keypair; +pub type mbedtls_ecdsa_restart_ctx = ::core::ffi::c_void; unsafe extern "C" { - /// \brief Return information associated with the given PK type - /// - /// \param pk_type PK type to search for. + /// \brief This function checks whether a given group can be used + /// for ECDSA. /// - /// \return The PK info associated with the type or NULL if not found. - pub fn mbedtls_pk_info_from_type(pk_type: mbedtls_pk_type_t) -> *const mbedtls_pk_info_t; -} -unsafe extern "C" { - /// \brief Initialize a #mbedtls_pk_context (as NONE). + /// \param gid The ECP group ID to check. /// - /// \param ctx The context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_pk_init(ctx: *mut mbedtls_pk_context); + /// \return \c 1 if the group can be used, \c 0 otherwise + pub fn mbedtls_ecdsa_can_do(gid: mbedtls_ecp_group_id) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Free the components of a #mbedtls_pk_context. + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message. /// - /// \param ctx The context to clear. It must have been initialized. - /// If this is \c NULL, this function does nothing. + /// \note The deterministic version implemented in + /// mbedtls_ecdsa_sign_det_ext() is usually preferred. /// - /// \note For contexts that have been set up with - /// mbedtls_pk_setup_opaque(), this does not free the underlying - /// PSA key and you still need to call psa_destroy_key() - /// independently if you want to destroy that key. - pub fn mbedtls_pk_free(ctx: *mut mbedtls_pk_context); -} -unsafe extern "C" { - /// \brief Initialize a PK context with the information given - /// and allocates the type-specific PK subcontext. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated + /// as defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \param ctx Context to initialize. It must not have been set - /// up yet (type #MBEDTLS_PK_NONE). - /// \param info Information to use + /// \see ecp.h /// - /// \return 0 on success, - /// MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input, - /// MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized. + /// \param buf The content to be signed. This is usually the hash of + /// the original data to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param f_rng The RNG function, used both to generate the ECDSA nonce + /// and for blinding. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. /// - /// \note For contexts holding an RSA-alt key, use - /// \c mbedtls_pk_setup_rsa_alt() instead. - pub fn mbedtls_pk_setup( - ctx: *mut mbedtls_pk_context, - info: *const mbedtls_pk_info_t, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX + /// or \c MBEDTLS_MPI_XXX error code on failure. + pub fn mbedtls_ecdsa_sign( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Initialize an RSA-alt context + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, deterministic version. /// - /// \param ctx Context to initialize. It must not have been set - /// up yet (type #MBEDTLS_PK_NONE). - /// \param key RSA key pointer - /// \param decrypt_func Decryption function - /// \param sign_func Signing function - /// \param key_len_func Function returning key length in bytes + /// For more information, see RFC-6979: Deterministic + /// Usage of the Digital Signature Algorithm (DSA) and Elliptic + /// Curve Digital Signature Algorithm (ECDSA). /// - /// \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the - /// context wasn't already initialized as RSA_ALT. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \note This function replaces \c mbedtls_pk_setup() for RSA-alt. - pub fn mbedtls_pk_setup_rsa_alt( - ctx: *mut mbedtls_pk_context, - key: *mut ::core::ffi::c_void, - decrypt_func: mbedtls_pk_rsa_alt_decrypt_func, - sign_func: mbedtls_pk_rsa_alt_sign_func, - key_len_func: mbedtls_pk_rsa_alt_key_len_func, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Get the size in bits of the underlying key + /// \see ecp.h /// - /// \param ctx The context to query. It must have been initialized. + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param md_alg The hash algorithm used to hash the original data. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This + /// may be \c NULL if \p f_rng_blind doesn't need a context + /// parameter. /// - /// \return Key size in bits, or 0 on error - pub fn mbedtls_pk_get_bitlen(ctx: *const mbedtls_pk_context) -> usize; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_det_ext( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + md_alg: mbedtls_md_type_t, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Tell if a context can do the operation given by type + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, in a restartable way. /// - /// \param ctx The context to query. It must have been initialized. - /// \param type The desired type. + /// \note The deterministic version implemented in + /// mbedtls_ecdsa_sign_det_restartable() is usually + /// preferred. /// - /// \return 1 if the context can do operations on the given type. - /// \return 0 if the context cannot do the operations on the given - /// type. This is always the case for a context that has - /// been initialized but not set up, or that has been - /// cleared with mbedtls_pk_free(). - pub fn mbedtls_pk_can_do( - ctx: *const mbedtls_pk_context, - type_: mbedtls_pk_type_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Verify signature (including padding if relevant). + /// \note This function is like \c mbedtls_ecdsa_sign() but + /// it can return early and restart according to the + /// limit set with \c mbedtls_ecp_set_max_ops() to + /// reduce blocking. /// - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used. - /// This can be #MBEDTLS_MD_NONE if the signature algorithm - /// does not rely on a hash algorithm (non-deterministic - /// ECDSA, RSA PKCS#1 v1.5). - /// For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then - /// \p hash is the DigestInfo structure used by RFC 8017 - /// §9.2 steps 3–6. If \p md_alg is a valid hash - /// algorithm then \p hash is the digest itself, and this - /// function calculates the DigestInfo encoding internally. - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Signature to verify - /// \param sig_len Signature length + /// \note If the bitlength of the message hash is larger + /// than the bitlength of the group order, then the + /// hash is truncated as defined in Standards for + /// Efficient Cryptography Group (SECG): SEC1 Elliptic + /// Curve Cryptography, section 4.1.3, step 5. /// - /// \return 0 on success (signature is valid), - /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid - /// signature in sig but its length is less than \p siglen, - /// or a specific error code. + /// \see ecp.h /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. - /// Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... ) - /// to verify RSASSA_PSS signatures. - pub fn mbedtls_pk_verify( - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through + /// mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param f_rng The RNG function used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param rs_ctx The restart context to use. This may be \c NULL + /// to disable restarting. If it is not \c NULL, it + /// must point to an initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c + /// mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c + /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_restartable( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Restartable version of \c mbedtls_pk_verify() + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, in a restartable way. /// - /// \note Performs the same job as \c mbedtls_pk_verify(), but can - /// return early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC - /// operations. For RSA, same as \c mbedtls_pk_verify(). + /// \note This function is like \c + /// mbedtls_ecdsa_sign_det_ext() but it can return + /// early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length or 0 (see notes) - /// \param sig Signature to verify - /// \param sig_len Signature length - /// \param rs_ctx Restart context (NULL to disable restart) + /// \note If the bitlength of the message hash is larger + /// than the bitlength of the group order, then the + /// hash is truncated as defined in Standards for + /// Efficient Cryptography Group (SECG): SEC1 Elliptic + /// Curve Cryptography, section 4.1.3, step 5. /// - /// \return See \c mbedtls_pk_verify(), or - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - pub fn mbedtls_pk_verify_restartable( - ctx: *mut mbedtls_pk_context, + /// \see ecp.h + /// + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through + /// mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param md_alg The hash algorithm used to hash the original data. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This may be + /// \c NULL if \p f_rng_blind doesn't need a context parameter. + /// \param rs_ctx The restart context to use. This may be \c NULL + /// to disable restarting. If it is not \c NULL, it + /// must point to an initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c + /// mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c + /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_det_restartable( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, - rs_ctx: *mut mbedtls_pk_restart_ctx, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify signature, with options. - /// (Includes verification of the padding depending on type.) - /// - /// \param type Signature type (inc. possible padding type) to verify - /// \param options Pointer to type-specific options, or NULL - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length or 0 (see notes) - /// \param sig Signature to verify - /// \param sig_len Signature length + /// \brief This function verifies the ECDSA signature of a + /// previously-hashed message. /// - /// \return 0 on success (signature is valid), - /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be - /// used for this type of signatures, - /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid - /// signature in sig but its length is less than \p siglen, - /// or a specific error code. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note If hash_len is 0, then the length associated with md_alg - /// is used instead, or an error returned if it is invalid. + /// \see ecp.h /// - /// \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0 + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param buf The hashed content that was signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param Q The public key to use for verification. This must be + /// initialized and setup. + /// \param r The first integer of the signature. + /// This must be initialized. + /// \param s The second integer of the signature. + /// This must be initialized. /// - /// \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point - /// to a mbedtls_pk_rsassa_pss_options structure, - /// otherwise it must be NULL. Note that if - /// #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not - /// verified as PSA_ALG_RSA_PSS_ANY_SALT is used. - pub fn mbedtls_pk_verify_ext( - type_: mbedtls_pk_type_t, - options: *const ::core::ffi::c_void, - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_verify( + grp: *mut mbedtls_ecp_group, + buf: *const ::core::ffi::c_uchar, + blen: usize, + Q: *const mbedtls_ecp_point, + r: *const mbedtls_mpi, + s: *const mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Make signature, including padding if relevant. - /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \brief This function verifies the ECDSA signature of a + /// previously-hashed message, in a restartable manner /// - /// \return 0 on success, or a specific error code. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. - /// There is no interface in the PK module to make RSASSA-PSS - /// signatures yet. + /// \see ecp.h /// - /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. - /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. - pub fn mbedtls_pk_sign( - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param buf The hashed content that was signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param Q The public key to use for verification. This must be + /// initialized and setup. + /// \param r The first integer of the signature. + /// This must be initialized. + /// \param s The second integer of the signature. + /// This must be initialized. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_verify_restartable( + grp: *mut mbedtls_ecp_group, + buf: *const ::core::ffi::c_uchar, + blen: usize, + Q: *const mbedtls_ecp_point, + r: *const mbedtls_mpi, + s: *const mbedtls_mpi, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Make signature given a signature type. + /// \brief This function computes the ECDSA signature and writes it + /// to a buffer, serialized as defined in RFC-4492: + /// Elliptic Curve Cryptography (ECC) Cipher Suites for + /// Transport Layer Security (TLS). /// - /// \param pk_type Signature type. - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \warning It is not thread-safe to use the same context in + /// multiple threads. /// - /// \return 0 on success, or a specific error code. + /// \note The deterministic version is used if + /// #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more + /// information, see RFC-6979: Deterministic Usage + /// of the Digital Signature Algorithm (DSA) and Elliptic + /// Curve Digital Signature Algorithm (ECDSA). /// - /// \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS, - /// see #PSA_ALG_RSA_PSS for a description of PSS options used. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. - /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. - pub fn mbedtls_pk_sign_ext( - pk_type: mbedtls_pk_type_t, - ctx: *mut mbedtls_pk_context, + /// \see ecp.h + /// + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and private key bound to it, for example + /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). + /// \param md_alg The message digest that was used to hash the message. + /// \param hash The message hash to be signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The length of the hash \p hash in Bytes. + /// \param sig The buffer to which to write the signature. This must be a + /// writable buffer of length at least twice as large as the + /// size of the curve used, plus 9. For example, 73 Bytes if + /// a 256-bit curve is used. A buffer length of + /// #MBEDTLS_ECDSA_MAX_LEN is always safe. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param slen The address at which to store the actual length of + /// the signature written. Must not be \c NULL. + /// \param f_rng The RNG function. This is used for blinding. + /// If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also + /// used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_ecdsa_write_signature( + ctx: *mut mbedtls_ecdsa_context, md_alg: mbedtls_md_type_t, hash: *const ::core::ffi::c_uchar, - hash_len: usize, + hlen: usize, sig: *mut ::core::ffi::c_uchar, sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + slen: *mut usize, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Restartable version of \c mbedtls_pk_sign() + /// \brief This function computes the ECDSA signature and writes it + /// to a buffer, in a restartable way. /// - /// \note Performs the same job as \c mbedtls_pk_sign(), but can - /// return early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC - /// operations. For RSA, same as \c mbedtls_pk_sign(). + /// \see \c mbedtls_ecdsa_write_signature() /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign()) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. + /// \note This function is like \c mbedtls_ecdsa_write_signature() + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and private key bound to it, for example + /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). + /// \param md_alg The message digest that was used to hash the message. + /// \param hash The message hash to be signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The length of the hash \p hash in Bytes. + /// \param sig The buffer to which to write the signature. This must be a + /// writable buffer of length at least twice as large as the + /// size of the curve used, plus 9. For example, 73 Bytes if + /// a 256-bit curve is used. A buffer length of + /// #MBEDTLS_ECDSA_MAX_LEN is always safe. /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter - /// \param rs_ctx Restart context (NULL to disable restart) + /// \param slen The address at which to store the actual length of + /// the signature written. Must not be \c NULL. + /// \param f_rng The RNG function. This is used for blinding. + /// If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also + /// used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. /// - /// \return See \c mbedtls_pk_sign(). + /// \return \c 0 on success. /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - pub fn mbedtls_pk_sign_restartable( - ctx: *mut mbedtls_pk_context, + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_ecdsa_write_signature_restartable( + ctx: *mut mbedtls_ecdsa_context, md_alg: mbedtls_md_type_t, hash: *const ::core::ffi::c_uchar, - hash_len: usize, + hlen: usize, sig: *mut ::core::ffi::c_uchar, sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + slen: *mut usize, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_pk_restart_ctx, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Decrypt message (including padding if relevant). + /// \brief This function reads and verifies an ECDSA signature. /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param input Input to decrypt - /// \param ilen Input size - /// \param output Decrypted output - /// \param olen Decrypted message length - /// \param osize Size of the output buffer - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. + /// \see ecp.h /// - /// \return 0 on success, or a specific error code. - pub fn mbedtls_pk_decrypt( - ctx: *mut mbedtls_pk_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - olen: *mut usize, - osize: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and public key bound to it. + /// \param hash The message hash that was signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The size of the hash \p hash. + /// \param sig The signature to read and verify. This must be a readable + /// buffer of length \p slen Bytes. + /// \param slen The size of \p sig in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. + /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig, but its length is less than \p siglen. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX + /// error code on failure for any other reason. + pub fn mbedtls_ecdsa_read_signature( + ctx: *mut mbedtls_ecdsa_context, + hash: *const ::core::ffi::c_uchar, + hlen: usize, + sig: *const ::core::ffi::c_uchar, + slen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Encrypt message (including padding if relevant). - /// - /// \param ctx The PK context to use. It must have been set up. - /// \param input Message to encrypt - /// \param ilen Message size - /// \param output Encrypted output - /// \param olen Encrypted output length - /// \param osize Size of the output buffer - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \brief This function reads and verifies an ECDSA signature, + /// in a restartable way. /// - /// \note \p f_rng is used for padding generation. + /// \see \c mbedtls_ecdsa_read_signature() /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. + /// \note This function is like \c mbedtls_ecdsa_read_signature() + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \return 0 on success, or a specific error code. - pub fn mbedtls_pk_encrypt( - ctx: *mut mbedtls_pk_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - olen: *mut usize, - osize: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Check if a public-private pair of keys matches. - /// - /// \param pub Context holding a public key. - /// \param prv Context holding a private (and public) key. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter - /// - /// \return \c 0 on success (keys were checked and match each other). - /// \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not - /// be checked - in that case they may or may not match. - /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid. - /// \return Another non-zero value if the keys do not match. - pub fn mbedtls_pk_check_pair( - pub_: *const mbedtls_pk_context, - prv: *const mbedtls_pk_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Export debug information - /// - /// \param ctx The PK context to use. It must have been initialized. - /// \param items Place to write debug items + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and public key bound to it. + /// \param hash The message hash that was signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The size of the hash \p hash. + /// \param sig The signature to read and verify. This must be a readable + /// buffer of length \p slen Bytes. + /// \param slen The size of \p sig in Bytes. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. /// - /// \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA - pub fn mbedtls_pk_debug( - ctx: *const mbedtls_pk_context, - items: *mut mbedtls_pk_debug_item, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. + /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig, but its length is less than \p siglen. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX + /// error code on failure for any other reason. + pub fn mbedtls_ecdsa_read_signature_restartable( + ctx: *mut mbedtls_ecdsa_context, + hash: *const ::core::ffi::c_uchar, + hlen: usize, + sig: *const ::core::ffi::c_uchar, + slen: usize, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Access the type name - /// - /// \param ctx The PK context to use. It must have been initialized. - /// - /// \return Type name on success, or "invalid PK" - pub fn mbedtls_pk_get_name(ctx: *const mbedtls_pk_context) -> *const ::core::ffi::c_char; -} -unsafe extern "C" { - /// \brief Get the key type - /// - /// \param ctx The PK context to use. It must have been initialized. - /// - /// \return Type on success. - /// \return #MBEDTLS_PK_NONE for a context that has not been set up. - pub fn mbedtls_pk_get_type(ctx: *const mbedtls_pk_context) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - /// \ingroup pk_module */ - ////** - /// \brief Parse a private key in PEM or DER format - /// - /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto - /// subsystem must have been initialized by calling - /// psa_crypto_init() before calling this function. - /// - /// \param ctx The PK context to fill. It must have been initialized - /// but not set up. - /// \param key Input buffer to parse. - /// The buffer must contain the input exactly, with no - /// extra trailing material. For PEM, the buffer must - /// contain a null-terminated string. - /// \param keylen Size of \b key in bytes. - /// For PEM data, this includes the terminating null byte, - /// so \p keylen must be equal to `strlen(key) + 1`. - /// \param pwd Optional password for decryption. - /// Pass \c NULL if expecting a non-encrypted key. - /// Pass a string of \p pwdlen bytes if expecting an encrypted - /// key; a non-encrypted key will also be accepted. - /// The empty password is not supported. - /// \param pwdlen Size of the password in bytes. - /// Ignored if \p pwd is \c NULL. - /// \param f_rng RNG function, must not be \c NULL. Used for blinding. - /// \param p_rng RNG parameter + /// \brief This function generates an ECDSA keypair on the given curve. /// - /// \note On entry, ctx must be empty, either freshly initialised - /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a - /// specific key type, check the result with mbedtls_pk_can_do(). + /// \see ecp.h /// - /// \note The key is also checked for correctness. + /// \param ctx The ECDSA context to store the keypair in. + /// This must be initialized. + /// \param gid The elliptic curve to use. One of the various + /// \c MBEDTLS_ECP_DP_XXX macros depending on configuration. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context argument. /// - /// \return 0 if successful, or a specific PK or PEM error code - pub fn mbedtls_pk_parse_key( - ctx: *mut mbedtls_pk_context, - key: *const ::core::ffi::c_uchar, - keylen: usize, - pwd: *const ::core::ffi::c_uchar, - pwdlen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. + pub fn mbedtls_ecdsa_genkey( + ctx: *mut mbedtls_ecdsa_context, + gid: mbedtls_ecp_group_id, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \ingroup pk_module */ - ////** - /// \brief Parse a public key in PEM or DER format - /// - /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto - /// subsystem must have been initialized by calling - /// psa_crypto_init() before calling this function. - /// - /// \param ctx The PK context to fill. It must have been initialized - /// but not set up. - /// \param key Input buffer to parse. - /// The buffer must contain the input exactly, with no - /// extra trailing material. For PEM, the buffer must - /// contain a null-terminated string. - /// \param keylen Size of \b key in bytes. - /// For PEM data, this includes the terminating null byte, - /// so \p keylen must be equal to `strlen(key) + 1`. - /// - /// \note On entry, ctx must be empty, either freshly initialised - /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a - /// specific key type, check the result with mbedtls_pk_can_do(). + /// \brief This function sets up an ECDSA context from an EC key pair. /// - /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for - /// limitations. + /// \see ecp.h /// - /// \note The key is also checked for correctness. + /// \param ctx The ECDSA context to setup. This must be initialized. + /// \param key The EC key to use. This must be initialized and hold + /// a private-public key pair or a public key. In the former + /// case, the ECDSA context may be used for signature creation + /// and verification after this call. In the latter case, it + /// may be used for signature verification. /// - /// \return 0 if successful, or a specific PK or PEM error code - pub fn mbedtls_pk_parse_public_key( - ctx: *mut mbedtls_pk_context, - key: *const ::core::ffi::c_uchar, - keylen: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. + pub fn mbedtls_ecdsa_from_keypair( + ctx: *mut mbedtls_ecdsa_context, + key: *const mbedtls_ecp_keypair, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Write a private key to a PKCS#1 or SEC1 DER structure - /// Note: data is written at the end of the buffer! Use the - /// return value to determine where you should start - /// using the buffer - /// - /// \param ctx PK context which must contain a valid private key. - /// \param buf buffer to write to - /// \param size size of the buffer + /// \brief This function initializes an ECDSA context. /// - /// \return length of data written if successful, or a specific - /// error code - pub fn mbedtls_pk_write_key_der( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The ECDSA context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_ecdsa_init(ctx: *mut mbedtls_ecdsa_context); } unsafe extern "C" { - /// \brief Write a public key to a SubjectPublicKeyInfo DER structure - /// Note: data is written at the end of the buffer! Use the - /// return value to determine where you should start - /// using the buffer - /// - /// \param ctx PK context which must contain a valid public or private key. - /// \param buf buffer to write to - /// \param size size of the buffer + /// \brief This function frees an ECDSA context. /// - /// \return length of data written if successful, or a specific - /// error code - pub fn mbedtls_pk_write_pubkey_der( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The ECDSA context to free. This may be \c NULL, + /// in which case this function does nothing. If it + /// is not \c NULL, it must be initialized. + pub fn mbedtls_ecdsa_free(ctx: *mut mbedtls_ecdsa_context); } -unsafe extern "C" { - /// \brief Write a public key to a PEM string - /// - /// \param ctx PK context which must contain a valid public or private key. - /// \param buf Buffer to write to. The output includes a - /// terminating null byte. - /// \param size Size of the buffer in bytes. - /// - /// \return 0 if successful, or a specific error code - pub fn mbedtls_pk_write_pubkey_pem( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write a private key to a PKCS#1 or SEC1 PEM string - /// - /// \param ctx PK context which must contain a valid private key. - /// \param buf Buffer to write to. The output includes a - /// terminating null byte. - /// \param size Size of the buffer in bytes. - /// - /// \return 0 if successful, or a specific error code - pub fn mbedtls_pk_write_key_pem( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Parse a SubjectPublicKeyInfo DER structure - /// - /// \param p the position in the ASN.1 data - /// \param end end of the buffer - /// \param pk The PK context to fill. It must have been initialized - /// but not set up. - /// - /// \return 0 if successful, or a specific PK error code - pub fn mbedtls_pk_parse_subpubkey( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - pk: *mut mbedtls_pk_context, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write a subjectPublicKey to ASN.1 data - /// Note: function works backwards in data buffer - /// - /// \param p reference to current position pointer - /// \param start start of the buffer (for bounds-checking) - /// \param key PK context which must contain a valid public or private key. - /// - /// \return the length written or a negative error code - pub fn mbedtls_pk_write_pubkey( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - key: *const mbedtls_pk_context, - ) -> ::core::ffi::c_int; -} -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_NONE: mbedtls_key_exchange_type_t = 0; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA: mbedtls_key_exchange_type_t = 1; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_RSA: mbedtls_key_exchange_type_t = 2; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: mbedtls_key_exchange_type_t = - 3; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - mbedtls_key_exchange_type_t = 4; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_PSK: mbedtls_key_exchange_type_t = 5; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_PSK: mbedtls_key_exchange_type_t = 6; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA_PSK: mbedtls_key_exchange_type_t = 7; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: mbedtls_key_exchange_type_t = - 8; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_RSA: mbedtls_key_exchange_type_t = - 9; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: mbedtls_key_exchange_type_t = - 10; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECJPAKE: mbedtls_key_exchange_type_t = - 11; -pub type mbedtls_key_exchange_type_t = ::core::ffi::c_uint; -/// \brief This structure is used for storing ciphersuite information -/// -/// \note members are defined using integral types instead of enums -/// in order to pack structure and reduce memory usage by internal -/// \c ciphersuite_definitions[] -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ssl_ciphersuite_t { - pub private_id: ::core::ffi::c_int, - pub private_name: *const ::core::ffi::c_char, - pub private_cipher: u8, - pub private_mac: u8, - pub private_key_exchange: u8, - pub private_flags: u8, - pub private_min_tls_version: u16, - pub private_max_tls_version: u16, -} -impl Default for mbedtls_ssl_ciphersuite_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - pub fn mbedtls_ssl_list_ciphersuites() -> *const ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_from_string( - ciphersuite_name: *const ::core::ffi::c_char, - ) -> *const mbedtls_ssl_ciphersuite_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_from_id( - ciphersuite_id: ::core::ffi::c_int, - ) -> *const mbedtls_ssl_ciphersuite_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_get_ciphersuite_sig_pk_alg( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_get_ciphersuite_sig_alg( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_uses_ec( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_uses_psk( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> usize; -} -/// The type of the context passed to mbedtls_psa_external_get_random(). -/// -/// Mbed TLS initializes the context to all-bits-zero before calling -/// mbedtls_psa_external_get_random() for the first time. -/// -/// The definition of this type in the Mbed TLS source code is for -/// demonstration purposes. Implementers of mbedtls_psa_external_get_random() -/// are expected to replace it with a custom definition. -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_external_random_context_t { - pub private_opaque: [usize; 2usize], +/// The type of the context passed to mbedtls_psa_external_get_random(). +/// +/// Mbed TLS initializes the context to all-bits-zero before calling +/// mbedtls_psa_external_get_random() for the first time. +/// +/// The definition of this type in the Mbed TLS source code is for +/// demonstration purposes. Implementers of mbedtls_psa_external_get_random() +/// are expected to replace it with a custom definition. +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_external_random_context_t { + pub private_opaque: [usize; 2usize], } pub type psa_status_t = i32; /// \brief Encoding of a key type. @@ -10579,6478 +10447,7672 @@ pub type psa_key_attributes_t = psa_key_attributes_s; /// Values of this type are generally constructed by macros called /// `PSA_KEY_DERIVATION_INPUT_xxx`. pub type psa_key_derivation_step_t = u16; +/// \brief Custom parameters for key generation or key derivation. +/// +/// This is a structure type with at least the following field: +/// +/// - \c flags: an unsigned integer type. 0 for the default production parameters. +/// +/// Functions that take such a structure as input also take an associated +/// input buffer \c custom_data of length \c custom_data_length. +/// +/// The interpretation of this structure and the associated \c custom_data +/// parameter depend on the type of the created key. +/// +/// - #PSA_KEY_TYPE_RSA_KEY_PAIR: +/// - \c flags: must be 0. +/// - \c custom_data: the public exponent, in little-endian order. +/// This must be an odd integer and must not be 1. +/// Implementations must support 65537, should support 3 and may +/// support other values. +/// When not using a driver, Mbed TLS supports values up to \c INT_MAX. +/// If this is empty, the default value 65537 is used. +/// - Other key types: reserved for future use. \c flags must be 0. +pub type psa_custom_key_parameters_t = psa_custom_key_parameters_s; +/// \brief Custom parameters for key generation or key derivation. +/// +/// This is a structure type with at least the following fields: +/// +/// - \c flags: an unsigned integer type. 0 for the default production parameters. +/// - \c data: a flexible array of bytes. +/// +/// The interpretation of this structure depend on the type of the +/// created key. +/// +/// - #PSA_KEY_TYPE_RSA_KEY_PAIR: +/// - \c flags: must be 0. +/// - \c data: the public exponent, in little-endian order. +/// This must be an odd integer and must not be 1. +/// Implementations must support 65537, should support 3 and may +/// support other values. +/// When not using a driver, Mbed TLS supports values up to \c INT_MAX. +/// If this is empty or if the custom production parameters are omitted +/// altogether, the default value 65537 is used. +/// - Other key types: reserved for future use. \c flags must be 0. +pub type psa_key_production_parameters_t = psa_key_production_parameters_s; +pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_DECRYPT: psa_encrypt_or_decrypt_t = 0; +pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_ENCRYPT: psa_encrypt_or_decrypt_t = 1; +/// For encrypt-decrypt functions, whether the operation is an encryption +/// or a decryption. +pub type psa_encrypt_or_decrypt_t = ::core::ffi::c_uint; +/// \brief MD5 context structure +/// +/// \warning MD5 is considered a weak message digest and its use +/// constitutes a security risk. We recommend considering +/// stronger message digests instead. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_md5_context { + ///< number of bytes processed + pub private_total: [u32; 2usize], + ///< intermediate digest state + pub private_state: [u32; 4usize], + ///< data block being processed + pub private_buffer: [::core::ffi::c_uchar; 64usize], +} +impl Default for mbedtls_md5_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} unsafe extern "C" { - /// \brief Library initialization. - /// - /// Applications must call this function before calling any other - /// function in this module. - /// - /// Applications may call this function more than once. Once a call - /// succeeds, subsequent calls are guaranteed to succeed. + /// \brief Initialize MD5 context /// - /// If the application calls other functions before calling psa_crypto_init(), - /// the behavior is undefined. Implementations are encouraged to either perform - /// the operation as if the library had been initialized or to return - /// #PSA_ERROR_BAD_STATE or some other applicable error. In particular, - /// implementations should not return a success status if the lack of - /// initialization may have security implications, for example due to improper - /// seeding of the random number generator. + /// \param ctx MD5 context to be initialized /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - pub fn psa_crypto_init() -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_init(ctx: *mut mbedtls_md5_context); } unsafe extern "C" { - /// Retrieve the attributes of a key. - /// - /// This function first resets the attribute structure as with - /// psa_reset_key_attributes(). It then copies the attributes of - /// the given key into the given attribute structure. - /// - /// \note This function may allocate memory or other resources. - /// Once you have called this function on an attribute structure, - /// you must call psa_reset_key_attributes() to free these resources. + /// \brief Clear MD5 context /// - /// \param[in] key Identifier of the key to query. - /// \param[in,out] attributes On success, the attributes of the key. - /// On failure, equivalent to a - /// freshly-initialized structure. + /// \param ctx MD5 context to be cleared /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_get_key_attributes( - key: mbedtls_svc_key_id_t, - attributes: *mut psa_key_attributes_t, - ) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_free(ctx: *mut mbedtls_md5_context); } unsafe extern "C" { - /// Reset a key attribute structure to a freshly initialized state. - /// - /// You must initialize the attribute structure as described in the - /// documentation of the type #psa_key_attributes_t before calling this - /// function. Once the structure has been initialized, you may call this - /// function at any time. + /// \brief Clone (the state of) an MD5 context /// - /// This function frees any auxiliary resources that the structure - /// may contain. + /// \param dst The destination context + /// \param src The context to be cloned /// - /// \param[in,out] attributes The attribute structure to reset. - pub fn psa_reset_key_attributes(attributes: *mut psa_key_attributes_t); + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_clone(dst: *mut mbedtls_md5_context, src: *const mbedtls_md5_context); } unsafe extern "C" { - /// Remove non-essential copies of key material from memory. + /// \brief MD5 context setup /// - /// If the key identifier designates a volatile key, this functions does not do - /// anything and returns successfully. - /// - /// If the key identifier designates a persistent key, then this function will - /// free all resources associated with the key in volatile memory. The key - /// data in persistent storage is not affected and the key can still be used. + /// \param ctx context to be initialized /// - /// \param key Identifier of the key to purge. + /// \return 0 if successful /// - /// \retval #PSA_SUCCESS - /// The key material will have been removed from memory if it is not - /// currently required. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not a valid key identifier. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_purge_key(key: mbedtls_svc_key_id_t) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_starts(ctx: *mut mbedtls_md5_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Make a copy of a key. + /// \brief MD5 process buffer /// - /// Copy key material from one location to another. + /// \param ctx MD5 context + /// \param input buffer holding the data + /// \param ilen length of the input data /// - /// This function is primarily useful to copy a key from one location - /// to another, since it populates a key using the material from - /// another key which may have a different lifetime. + /// \return 0 if successful /// - /// This function may be used to share a key with a different party, - /// subject to implementation-defined restrictions on key sharing. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_update( + ctx: *mut mbedtls_md5_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief MD5 final digest /// - /// The policy on the source key must have the usage flag - /// #PSA_KEY_USAGE_COPY set. - /// This flag is sufficient to permit the copy if the key has the lifetime - /// #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT. - /// Some secure elements do not provide a way to copy a key without - /// making it extractable from the secure element. If a key is located - /// in such a secure element, then the key must have both usage flags - /// #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make - /// a copy of the key outside the secure element. + /// \param ctx MD5 context + /// \param output MD5 checksum result /// - /// The resulting key may only be used in a way that conforms to - /// both the policy of the original key and the policy specified in - /// the \p attributes parameter: - /// - The usage flags on the resulting key are the bitwise-and of the - /// usage flags on the source policy and the usage flags in \p attributes. - /// - If both allow the same algorithm or wildcard-based - /// algorithm policy, the resulting key has the same algorithm policy. - /// - If either of the policies allows an algorithm and the other policy - /// allows a wildcard-based algorithm policy that includes this algorithm, - /// the resulting key allows the same algorithm. - /// - If the policies do not allow any algorithm in common, this function - /// fails with the status #PSA_ERROR_INVALID_ARGUMENT. + /// \return 0 if successful /// - /// The effect of this function on implementation-defined attributes is - /// implementation-defined. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_finish( + ctx: *mut mbedtls_md5_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief MD5 process data block (internal use only) /// - /// \param source_key The key to copy. It must allow the usage - /// #PSA_KEY_USAGE_COPY. If a private or secret key is - /// being copied outside of a secure element it must - /// also allow #PSA_KEY_USAGE_EXPORT. - /// \param[in] attributes The attributes for the new key. - /// They are used as follows: - /// - The key type and size may be 0. If either is - /// nonzero, it must match the corresponding - /// attribute of the source key. - /// - The key location (the lifetime and, for - /// persistent keys, the key identifier) is - /// used directly. - /// - The policy constraints (usage flags and - /// algorithm policy) are combined from - /// the source key and \p attributes so that - /// both sets of restrictions apply, as - /// described in the documentation of this function. - /// \param[out] target_key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param ctx MD5 context + /// \param data buffer holding one block of data /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p source_key is invalid. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The lifetime or identifier in \p attributes are invalid, or - /// the policy constraints on the source and specified in - /// \p attributes are incompatible, or - /// \p attributes specifies a key type or key size - /// which does not match the attributes of the source key. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or - /// the source key is not exportable and its lifetime does not - /// allow copying it to the target's lifetime. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_copy_key( - source_key: mbedtls_svc_key_id_t, - attributes: *const psa_key_attributes_t, - target_key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return 0 if successful + /// + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_internal_md5_process( + ctx: *mut mbedtls_md5_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Destroy a key. + /// \brief Output = MD5( input buffer ) /// - /// This function destroys a key from both volatile - /// memory and, if applicable, non-volatile storage. Implementations shall - /// make a best effort to ensure that the key material cannot be recovered. + /// \param input buffer holding the data + /// \param ilen length of the input data + /// \param output MD5 checksum result /// - /// This function also erases any metadata such as policies and frees - /// resources associated with the key. + /// \return 0 if successful /// - /// If a key is currently in use in a multipart operation, then destroying the - /// key will cause the multipart operation to fail. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// \param key Identifier of the key to erase. If this is \c 0, do nothing and - /// return #PSA_SUCCESS. + /// \return 0 if successful, or 1 if the test failed /// - /// \retval #PSA_SUCCESS - /// \p key was a valid identifier and the key material that it - /// referred to has been erased. Alternatively, \p key is \c 0. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key cannot be erased because it is - /// read-only, either due to a policy or due to physical restrictions. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p key is not a valid identifier nor \c 0. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE - /// There was a failure in communication with the cryptoprocessor. - /// The key material may still be present in the cryptoprocessor. - /// \retval #PSA_ERROR_DATA_INVALID - /// This error is typically a result of either storage corruption on a - /// cleartext storage backend, or an attempt to read data that was - /// written by an incompatible version of the library. - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The storage is corrupted. Implementations shall make a best effort - /// to erase key material even in this stage, however applications - /// should be aware that it may be impossible to guarantee that the - /// key material is not recoverable in such cases. - /// \retval #PSA_ERROR_CORRUPTION_DETECTED - /// An unexpected condition which is not a storage corruption or - /// a communication failure occurred. The cryptoprocessor may have - /// been compromised. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_destroy_key(key: mbedtls_svc_key_id_t) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief RIPEMD-160 context structure +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ripemd160_context { + ///< number of bytes processed + pub private_total: [u32; 2usize], + ///< intermediate digest state + pub private_state: [u32; 5usize], + ///< data block being processed + pub private_buffer: [::core::ffi::c_uchar; 64usize], +} +impl Default for mbedtls_ripemd160_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief Import a key in binary format. + /// \brief Initialize RIPEMD-160 context /// - /// This function supports any output from psa_export_key(). Refer to the - /// documentation of psa_export_public_key() for the format of public keys - /// and to the documentation of psa_export_key() for the format for - /// other key types. + /// \param ctx RIPEMD-160 context to be initialized + pub fn mbedtls_ripemd160_init(ctx: *mut mbedtls_ripemd160_context); +} +unsafe extern "C" { + /// \brief Clear RIPEMD-160 context /// - /// The key data determines the key size. The attributes may optionally - /// specify a key size; in this case it must match the size determined - /// from the key data. A key size of 0 in \p attributes indicates that - /// the key size is solely determined by the key data. + /// \param ctx RIPEMD-160 context to be cleared + pub fn mbedtls_ripemd160_free(ctx: *mut mbedtls_ripemd160_context); +} +unsafe extern "C" { + /// \brief Clone (the state of) a RIPEMD-160 context /// - /// Implementations must reject an attempt to import a key of size 0. + /// \param dst The destination context + /// \param src The context to be cloned + pub fn mbedtls_ripemd160_clone( + dst: *mut mbedtls_ripemd160_context, + src: *const mbedtls_ripemd160_context, + ); +} +unsafe extern "C" { + /// \brief RIPEMD-160 context setup /// - /// This specification supports a single format for each key type. - /// Implementations may support other formats as long as the standard - /// format is supported. Implementations that support other formats - /// should ensure that the formats are clearly unambiguous so as to - /// minimize the risk that an invalid input is accidentally interpreted - /// according to a different format. - /// - /// \param[in] attributes The attributes for the new key. - /// The key size is always determined from the - /// \p data buffer. - /// If the key size in \p attributes is nonzero, - /// it must be equal to the size from \p data. - /// \param[out] key On success, an identifier to the newly created key. - /// For persistent keys, this is the key identifier - /// defined in \p attributes. - /// \c 0 on failure. - /// \param[in] data Buffer containing the key data. The content of this - /// buffer is interpreted according to the type declared - /// in \p attributes. - /// All implementations must support at least the format - /// described in the documentation - /// of psa_export_key() or psa_export_public_key() for - /// the chosen type. Implementations may allow other - /// formats, but should be conservative: implementations - /// should err on the side of rejecting content if it - /// may be erroneous (e.g. wrong type or truncated data). - /// \param data_length Size of the \p data buffer in bytes. + /// \param ctx context to be initialized /// - /// \retval #PSA_SUCCESS - /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size is not supported, either by the - /// implementation in general or in this particular persistent location. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key attributes, as a whole, are invalid, or - /// the key data is not correctly formatted, or - /// the size in \p attributes is nonzero and does not match the size - /// of the key data. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_import_key( - attributes: *const psa_key_attributes_t, - data: *const u8, - data_length: usize, - key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return 0 if successful + pub fn mbedtls_ripemd160_starts(ctx: *mut mbedtls_ripemd160_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Export a key in binary format. - /// - /// The output of this function can be passed to psa_import_key() to - /// create an equivalent object. + /// \brief RIPEMD-160 process buffer /// - /// If the implementation of psa_import_key() supports other formats - /// beyond the format specified here, the output from psa_export_key() - /// must use the representation specified here, not the original - /// representation. + /// \param ctx RIPEMD-160 context + /// \param input buffer holding the data + /// \param ilen length of the input data /// - /// For standard key types, the output format is as follows: + /// \return 0 if successful + pub fn mbedtls_ripemd160_update( + ctx: *mut mbedtls_ripemd160_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief RIPEMD-160 final digest /// - /// - For symmetric keys (including MAC keys), the format is the - /// raw bytes of the key. - /// - For DES, the key data consists of 8 bytes. The parity bits must be - /// correct. - /// - For Triple-DES, the format is the concatenation of the - /// two or three DES keys. - /// - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format - /// is the non-encrypted DER encoding of the representation defined by - /// PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0. - /// ``` - /// RSAPrivateKey ::= SEQUENCE { - /// version INTEGER, -- must be 0 - /// modulus INTEGER, -- n - /// publicExponent INTEGER, -- e - /// privateExponent INTEGER, -- d - /// prime1 INTEGER, -- p - /// prime2 INTEGER, -- q - /// exponent1 INTEGER, -- d mod (p-1) - /// exponent2 INTEGER, -- d mod (q-1) - /// coefficient INTEGER, -- (inverse of q) mod p - /// } - /// ``` - /// - For elliptic curve key pairs (key types for which - /// #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is - /// a representation of the private value as a `ceiling(m/8)`-byte string - /// where `m` is the bit size associated with the curve, i.e. the bit size - /// of the order of the curve's coordinate field. This byte string is - /// in little-endian order for Montgomery curves (curve types - /// `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass - /// curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX` - /// and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`). - /// For Weierstrass curves, this is the content of the `privateKey` field of - /// the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves, - /// the format is defined by RFC 7748, and output is masked according to §5. - /// For twisted Edwards curves, the private key is as defined by RFC 8032 - /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). - /// - For Diffie-Hellman key exchange key pairs (key types for which - /// #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the - /// format is the representation of the private key `x` as a big-endian byte - /// string. The length of the byte string is the private key size in bytes - /// (leading zeroes are not stripped). - /// - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is - /// true), the format is the same as for psa_export_public_key(). + /// \param ctx RIPEMD-160 context + /// \param output RIPEMD-160 checksum result /// - /// The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set. + /// \return 0 if successful + pub fn mbedtls_ripemd160_finish( + ctx: *mut mbedtls_ripemd160_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief RIPEMD-160 process data block (internal use only) /// - /// \param key Identifier of the key to export. It must allow the - /// usage #PSA_KEY_USAGE_EXPORT, unless it is a public - /// key. - /// \param[out] data Buffer where the key data is to be written. - /// \param data_size Size of the \p data buffer in bytes. - /// \param[out] data_length On success, the number of bytes - /// that make up the key data. + /// \param ctx RIPEMD-160 context + /// \param data buffer holding one block of data /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_EXPORT flag. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p data buffer is too small. You can determine a - /// sufficient buffer size by calling - /// #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits) - /// where \c type is the key type - /// and \c bits is the key size in bits. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_export_key( - key: mbedtls_svc_key_id_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; + /// \return 0 if successful + pub fn mbedtls_internal_ripemd160_process( + ctx: *mut mbedtls_ripemd160_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Export a public key or the public part of a key pair in binary format. + /// \brief Output = RIPEMD-160( input buffer ) /// - /// The output of this function can be passed to psa_import_key() to - /// create an object that is equivalent to the public key. + /// \param input buffer holding the data + /// \param ilen length of the input data + /// \param output RIPEMD-160 checksum result /// - /// This specification supports a single format for each key type. - /// Implementations may support other formats as long as the standard - /// format is supported. Implementations that support other formats - /// should ensure that the formats are clearly unambiguous so as to - /// minimize the risk that an invalid input is accidentally interpreted - /// according to a different format. + /// \return 0 if successful + pub fn mbedtls_ripemd160( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// For standard key types, the output format is as follows: - /// - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of - /// the representation defined by RFC 3279 §2.3.1 as `RSAPublicKey`. - /// ``` - /// RSAPublicKey ::= SEQUENCE { - /// modulus INTEGER, -- n - /// publicExponent INTEGER } -- e - /// ``` - /// - For elliptic curve keys on a twisted Edwards curve (key types for which - /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY - /// returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined - /// by RFC 8032 - /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). - /// - For other elliptic curve public keys (key types for which - /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed - /// representation defined by SEC1 §2.3.3 as the content of an ECPoint. - /// Let `m` be the bit size associated with the curve, i.e. the bit size of - /// `q` for a curve over `F_q`. The representation consists of: - /// - The byte 0x04; - /// - `x_P` as a `ceiling(m/8)`-byte string, big-endian; - /// - `y_P` as a `ceiling(m/8)`-byte string, big-endian. - /// - For Diffie-Hellman key exchange public keys (key types for which - /// #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true), - /// the format is the representation of the public key `y = g^x mod p` as a - /// big-endian byte string. The length of the byte string is the length of the - /// base prime `p` in bytes. + /// \return 0 if successful, or 1 if the test failed + pub fn mbedtls_ripemd160_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha1_context { + pub work_area: [::core::ffi::c_uchar; 208usize], +} +impl Default for mbedtls_sha1_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes a SHA-1 context. /// - /// Exporting a public key object or the public part of a key pair is - /// always permitted, regardless of the key's usage flags. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param key Identifier of the key to export. - /// \param[out] data Buffer where the key data is to be written. - /// \param data_size Size of the \p data buffer in bytes. - /// \param[out] data_length On success, the number of bytes - /// that make up the key data. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key is neither a public key nor a key pair. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p data buffer is too small. You can determine a - /// sufficient buffer size by calling - /// #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits) - /// where \c type is the key type - /// and \c bits is the key size in bits. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_export_public_key( - key: mbedtls_svc_key_id_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_sha1_init(ctx: *mut mbedtls_sha1_context); } unsafe extern "C" { - /// Calculate the hash (digest) of a message. - /// - /// \note To verify the hash of a message against an - /// expected value, use psa_hash_compare() instead. + /// \brief This function clears a SHA-1 context. /// - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). - /// \param[in] input Buffer containing the message to hash. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] hash Buffer where the hash is to be written. - /// \param hash_size Size of the \p hash buffer in bytes. - /// \param[out] hash_length On success, the number of bytes - /// that make up the hash value. This is always - /// #PSA_HASH_LENGTH(\p alg). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p hash_size is too small - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_compute( - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - hash: *mut u8, - hash_size: usize, - hash_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to clear. This may be \c NULL, + /// in which case this function does nothing. If it is + /// not \c NULL, it must point to an initialized + /// SHA-1 context. + pub fn mbedtls_sha1_free(ctx: *mut mbedtls_sha1_context); } unsafe extern "C" { - /// Calculate the hash (digest) of a message and compare it with a - /// reference value. + /// \brief This function clones the state of a SHA-1 context. /// - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). - /// \param[in] input Buffer containing the message to hash. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] hash Buffer containing the expected hash value. - /// \param hash_length Size of the \p hash buffer in bytes. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// The expected hash is identical to the actual hash of the input. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The hash of the message was calculated successfully, but it - /// differs from the expected hash. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p input_length or \p hash_length do not match the hash size for \p alg - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_compare( - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - hash: *const u8, - hash_length: usize, - ) -> psa_status_t; + /// \param dst The SHA-1 context to clone to. This must be initialized. + /// \param src The SHA-1 context to clone from. This must be initialized. + pub fn mbedtls_sha1_clone(dst: *mut mbedtls_sha1_context, src: *const mbedtls_sha1_context); } -/// The type of the state data structure for multipart hash operations. -/// -/// Before calling any function on a hash operation object, the application must -/// initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_hash_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_hash_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT, -/// for example: -/// \code -/// psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_hash_operation_init() -/// to the structure, for example: -/// \code -/// psa_hash_operation_t operation; -/// operation = psa_hash_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_hash_operation_t = psa_hash_operation_s; unsafe extern "C" { - /// Set up a multipart hash operation. - /// - /// The sequence of operations to calculate a hash (message digest) - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT. - /// -# Call psa_hash_setup() to specify the algorithm. - /// -# Call psa_hash_update() zero, one or more times, passing a fragment - /// of the message each time. The hash that is calculated is the hash - /// of the concatenation of these messages in order. - /// -# To calculate the hash, call psa_hash_finish(). - /// To compare the hash with an expected value, call psa_hash_verify(). - /// - /// If an error occurs at any step after a call to psa_hash_setup(), the - /// operation will need to be reset by a call to psa_hash_abort(). The - /// application may call psa_hash_abort() at any time after the operation - /// has been initialized. + /// \brief This function starts a SHA-1 checksum calculation. /// - /// After a successful call to psa_hash_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_hash_finish() or psa_hash_verify(). - /// - A call to psa_hash_abort(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_hash_operation_t and not yet in use. - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param ctx The SHA-1 context to initialize. This must be initialized. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not a supported hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p alg is not a hash algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_setup( - operation: *mut psa_hash_operation_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_starts(ctx: *mut mbedtls_sha1_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Add a message fragment to a multipart hash operation. - /// - /// The application must call psa_hash_setup() before calling this function. + /// \brief This function feeds an input buffer into an ongoing SHA-1 + /// checksum calculation. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation Active hash operation. - /// \param[in] input Buffer containing the message fragment to hash. - /// \param input_length Size of the \p input buffer in bytes. + /// \param ctx The SHA-1 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the input data. + /// This must be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data \p input in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_update( - operation: *mut psa_hash_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_update( + ctx: *mut mbedtls_sha1_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the hash of a message. + /// \brief This function finishes the SHA-1 operation, and writes + /// the result to the output buffer. /// - /// The application must call psa_hash_setup() before calling this function. - /// This function calculates the hash of the message formed by concatenating - /// the inputs passed to preceding calls to psa_hash_update(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// \param ctx The SHA-1 context to use. This must be initialized and + /// have a hash operation started. + /// \param output The SHA-1 checksum result. This must be a writable + /// buffer of length \c 20 Bytes. /// - /// \warning Applications should not call this function if they expect - /// a specific value for the hash. Call psa_hash_verify() instead. - /// Beware that comparing integrity or authenticity data such as - /// hash values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the hashed data which could allow an attacker to guess - /// a valid hash and thereby bypass security controls. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_finish( + ctx: *mut mbedtls_sha1_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief SHA-1 process data block (internal use only). /// - /// \param[in,out] operation Active hash operation. - /// \param[out] hash Buffer where the hash is to be written. - /// \param hash_size Size of the \p hash buffer in bytes. - /// \param[out] hash_length On success, the number of bytes - /// that make up the hash value. This is always - /// #PSA_HASH_LENGTH(\c alg) where \c alg is the - /// hash algorithm that is calculated. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p hash buffer is too small. You can determine a - /// sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) - /// where \c alg is the hash algorithm that is calculated. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_finish( - operation: *mut psa_hash_operation_t, - hash: *mut u8, - hash_size: usize, - hash_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to use. This must be initialized. + /// \param data The data block being processed. This must be a + /// readable buffer of length \c 64 Bytes. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha1_process( + ctx: *mut mbedtls_sha1_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the hash of a message and compare it with - /// an expected value. + /// \brief This function calculates the SHA-1 checksum of a buffer. /// - /// The application must call psa_hash_setup() before calling this function. - /// This function calculates the hash of the message formed by concatenating - /// the inputs passed to preceding calls to psa_hash_update(). It then - /// compares the calculated hash with the expected hash passed as a - /// parameter to this function. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// The SHA-1 result is calculated as + /// output = SHA-1(input buffer). /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual hash and the expected hash is performed - /// in constant time. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation Active hash operation. - /// \param[in] hash Buffer containing the expected hash value. - /// \param hash_length Size of the \p hash buffer in bytes. + /// \param input The buffer holding the input data. + /// This must be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data \p input in Bytes. + /// \param output The SHA-1 checksum result. + /// This must be a writable buffer of length \c 20 Bytes. /// - /// \retval #PSA_SUCCESS - /// The expected hash is identical to the actual hash of the message. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The hash of the message was calculated successfully, but it - /// differs from the expected hash. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_verify( - operation: *mut psa_hash_operation_t, - hash: *const u8, - hash_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a hash operation. + /// \brief The SHA-1 checkup routine. /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_hash_setup() again. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// You may call this function any time after the operation object has - /// been initialized by one of the methods described in #psa_hash_operation_t. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha1_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha256_context { + pub work_area: [::core::ffi::c_uchar; 208usize], + pub is224: ::core::ffi::c_uchar, +} +impl Default for mbedtls_sha256_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes a SHA-256 context. /// - /// In particular, calling psa_hash_abort() after the operation has been - /// terminated by a call to psa_hash_abort(), psa_hash_finish() or - /// psa_hash_verify() is safe and has no effect. + /// \param ctx The SHA-256 context to initialize. This must not be \c NULL. + pub fn mbedtls_sha256_init(ctx: *mut mbedtls_sha256_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-256 context. /// - /// \param[in,out] operation Initialized hash operation. + /// \param ctx The SHA-256 context to clear. This may be \c NULL, in which + /// case this function returns immediately. If it is not \c NULL, + /// it must point to an initialized SHA-256 context. + pub fn mbedtls_sha256_free(ctx: *mut mbedtls_sha256_context); +} +unsafe extern "C" { + /// \brief This function clones the state of a SHA-256 context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_abort(operation: *mut psa_hash_operation_t) -> psa_status_t; + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha256_clone( + dst: *mut mbedtls_sha256_context, + src: *const mbedtls_sha256_context, + ); } unsafe extern "C" { - /// Clone a hash operation. + /// \brief This function starts a SHA-224 or SHA-256 checksum + /// calculation. /// - /// This function copies the state of an ongoing hash operation to - /// a new operation object. In other words, this function is equivalent - /// to calling psa_hash_setup() on \p target_operation with the same - /// algorithm that \p source_operation was set up for, then - /// psa_hash_update() on \p target_operation with the same input that - /// that was passed to \p source_operation. After this function returns, the - /// two objects are independent, i.e. subsequent calls involving one of - /// the objects do not affect the other object. + /// \param ctx The context to use. This must be initialized. + /// \param is224 This determines which function to use. This must be + /// either \c 0 for SHA-256, or \c 1 for SHA-224. /// - /// \param[in] source_operation The active hash operation to clone. - /// \param[in,out] target_operation The operation object to set up. - /// It must be initialized but not active. + /// \note is224 must be defined accordingly to the enabled + /// MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the + /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The \p source_operation state is not valid (it must be active), or - /// the \p target_operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_clone( - source_operation: *const psa_hash_operation_t, - target_operation: *mut psa_hash_operation_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_starts( + ctx: *mut mbedtls_sha256_context, + is224: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Calculate the MAC (message authentication code) of a message. + /// \brief This function feeds an input buffer into an ongoing + /// SHA-256 checksum calculation. /// - /// \note To verify the MAC of a message against an - /// expected value, use psa_mac_verify() instead. - /// Beware that comparing integrity or authenticity data such as - /// MAC values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the MAC value which could allow an attacker to guess - /// a valid MAC and thereby bypass security controls. + /// \param ctx The SHA-256 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \param key Identifier of the key to use for the operation. It - /// must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). - /// \param[in] input Buffer containing the input message. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] mac Buffer where the MAC value is to be written. - /// \param mac_size Size of the \p mac buffer in bytes. - /// \param[out] mac_length On success, the number of bytes - /// that make up the MAC value. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_update( + ctx: *mut mbedtls_sha256_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function finishes the SHA-256 operation, and writes + /// the result to the output buffer. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p mac_size is too small - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_compute( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - mac: *mut u8, - mac_size: usize, - mac_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-256 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-224 or SHA-256 checksum result. + /// This must be a writable buffer of length \c 32 bytes + /// for SHA-256, \c 28 bytes for SHA-224. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_finish( + ctx: *mut mbedtls_sha256_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Calculate the MAC of a message and compare it with a reference value. + /// \brief This function processes a single data block within + /// the ongoing SHA-256 computation. This function is for + /// internal use only. /// - /// \param key Identifier of the key to use for the operation. It - /// must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). - /// \param[in] input Buffer containing the input message. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] mac Buffer containing the expected MAC value. - /// \param mac_length Size of the \p mac buffer in bytes. + /// \param ctx The SHA-256 context. This must be initialized. + /// \param data The buffer holding one block of data. This must + /// be a readable buffer of length \c 64 Bytes. /// - /// \retval #PSA_SUCCESS - /// The expected MAC is identical to the actual MAC of the input. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The MAC of the message was calculated successfully, but it - /// differs from the expected value. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - mac: *const u8, - mac_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha256_process( + ctx: *mut mbedtls_sha256_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart MAC operations. -/// -/// Before calling any function on a MAC operation object, the application must -/// initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_mac_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_mac_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT, -/// for example: -/// \code -/// psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_mac_operation_init() -/// to the structure, for example: -/// \code -/// psa_mac_operation_t operation; -/// operation = psa_mac_operation_init(); -/// \endcode -/// -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_mac_operation_t = psa_mac_operation_s; unsafe extern "C" { - /// Set up a multipart MAC calculation operation. + /// \brief This function calculates the SHA-224 or SHA-256 + /// checksum of a buffer. /// - /// This function sets up the calculation of the MAC - /// (message authentication code) of a byte string. - /// To verify the MAC of a message against an - /// expected value, use psa_mac_verify_setup() instead. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// The sequence of operations to calculate a MAC is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. - /// -# Call psa_mac_sign_setup() to specify the algorithm and key. - /// -# Call psa_mac_update() zero, one or more times, passing a fragment - /// of the message each time. The MAC that is calculated is the MAC - /// of the concatenation of these messages in order. - /// -# At the end of the message, call psa_mac_sign_finish() to finish - /// calculating the MAC value and retrieve it. + /// The SHA-256 result is calculated as + /// output = SHA-256(input buffer). /// - /// If an error occurs at any step after a call to psa_mac_sign_setup(), the - /// operation will need to be reset by a call to psa_mac_abort(). The - /// application may call psa_mac_abort() at any time after the operation - /// has been initialized. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-224 or SHA-256 checksum result. + /// This must be a writable buffer of length \c 32 bytes + /// for SHA-256, \c 28 bytes for SHA-224. + /// \param is224 Determines which function to use. This must be + /// either \c 0 for SHA-256, or \c 1 for SHA-224. /// - /// After a successful call to psa_mac_sign_setup(), the application must - /// eventually terminate the operation through one of the following methods: - /// - A successful call to psa_mac_sign_finish(). - /// - A call to psa_mac_abort(). + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + is224: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-224 checkup routine. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_mac_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. It - /// must remain valid until the operation terminates. - /// It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha224_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-256 checkup routine. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_sign_setup( - operation: *mut psa_mac_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha256_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha512_context { + pub work_area: [::core::ffi::c_uchar; 304usize], + pub is384: ::core::ffi::c_uchar, +} +impl Default for mbedtls_sha512_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Set up a multipart MAC verification operation. + /// \brief This function initializes a SHA-512 context. /// - /// This function sets up the verification of the MAC - /// (message authentication code) of a byte string against an expected value. + /// \param ctx The SHA-512 context to initialize. This must + /// not be \c NULL. + pub fn mbedtls_sha512_init(ctx: *mut mbedtls_sha512_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-512 context. /// - /// The sequence of operations to verify a MAC is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. - /// -# Call psa_mac_verify_setup() to specify the algorithm and key. - /// -# Call psa_mac_update() zero, one or more times, passing a fragment - /// of the message each time. The MAC that is calculated is the MAC - /// of the concatenation of these messages in order. - /// -# At the end of the message, call psa_mac_verify_finish() to finish - /// calculating the actual MAC of the message and verify it against - /// the expected value. + /// \param ctx The SHA-512 context to clear. This may be \c NULL, + /// in which case this function does nothing. If it + /// is not \c NULL, it must point to an initialized + /// SHA-512 context. + pub fn mbedtls_sha512_free(ctx: *mut mbedtls_sha512_context); +} +unsafe extern "C" { + /// \brief This function clones the state of a SHA-512 context. /// - /// If an error occurs at any step after a call to psa_mac_verify_setup(), the - /// operation will need to be reset by a call to psa_mac_abort(). The - /// application may call psa_mac_abort() at any time after the operation - /// has been initialized. + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha512_clone( + dst: *mut mbedtls_sha512_context, + src: *const mbedtls_sha512_context, + ); +} +unsafe extern "C" { + /// \brief This function starts a SHA-384 or SHA-512 checksum + /// calculation. /// - /// After a successful call to psa_mac_verify_setup(), the application must - /// eventually terminate the operation through one of the following methods: - /// - A successful call to psa_mac_verify_finish(). - /// - A call to psa_mac_abort(). + /// \param ctx The SHA-512 context to use. This must be initialized. + /// \param is384 Determines which function to use. This must be + /// either \c 0 for SHA-512, or \c 1 for SHA-384. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_mac_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. It - /// must remain valid until the operation terminates. - /// It must allow the usage - /// PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \note is384 must be defined accordingly to the enabled + /// MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the + /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c key is not compatible with \c alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify_setup( - operation: *mut psa_mac_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_starts( + ctx: *mut mbedtls_sha512_context, + is384: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Add a message fragment to a multipart MAC operation. - /// - /// The application must call psa_mac_sign_setup() or psa_mac_verify_setup() - /// before calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// \brief This function feeds an input buffer into an ongoing + /// SHA-512 checksum calculation. /// - /// \param[in,out] operation Active MAC operation. - /// \param[in] input Buffer containing the message fragment to add to - /// the MAC calculation. - /// \param input_length Size of the \p input buffer in bytes. + /// \param ctx The SHA-512 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the input data. This must + /// be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_update( - operation: *mut psa_mac_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_update( + ctx: *mut mbedtls_sha512_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the MAC of a message. - /// - /// The application must call psa_mac_sign_setup() before calling this function. - /// This function calculates the MAC of the message formed by concatenating - /// the inputs passed to preceding calls to psa_mac_update(). + /// \brief This function finishes the SHA-512 operation, and writes + /// the result to the output buffer. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// \param ctx The SHA-512 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-384 or SHA-512 checksum result. + /// This must be a writable buffer of length \c 64 bytes + /// for SHA-512, \c 48 bytes for SHA-384. /// - /// \warning Applications should not call this function if they expect - /// a specific value for the MAC. Call psa_mac_verify_finish() instead. - /// Beware that comparing integrity or authenticity data such as - /// MAC values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the MAC value which could allow an attacker to guess - /// a valid MAC and thereby bypass security controls. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_finish( + ctx: *mut mbedtls_sha512_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function processes a single data block within + /// the ongoing SHA-512 computation. + /// This function is for internal use only. /// - /// \param[in,out] operation Active MAC operation. - /// \param[out] mac Buffer where the MAC value is to be written. - /// \param mac_size Size of the \p mac buffer in bytes. - /// \param[out] mac_length On success, the number of bytes - /// that make up the MAC value. This is always - /// #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg) - /// where \c key_type and \c key_bits are the type and - /// bit-size respectively of the key and \c alg is the - /// MAC algorithm that is calculated. + /// \param ctx The SHA-512 context. This must be initialized. + /// \param data The buffer holding one block of data. This + /// must be a readable buffer of length \c 128 Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p mac buffer is too small. You can determine a - /// sufficient buffer size by calling PSA_MAC_LENGTH(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active mac sign - /// operation), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_sign_finish( - operation: *mut psa_mac_operation_t, - mac: *mut u8, - mac_size: usize, - mac_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha512_process( + ctx: *mut mbedtls_sha512_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the MAC of a message and compare it with - /// an expected value. + /// \brief This function calculates the SHA-512 or SHA-384 + /// checksum of a buffer. /// - /// The application must call psa_mac_verify_setup() before calling this function. - /// This function calculates the MAC of the message formed by concatenating - /// the inputs passed to preceding calls to psa_mac_update(). It then - /// compares the calculated MAC with the expected MAC passed as a - /// parameter to this function. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// The SHA-512 result is calculated as + /// output = SHA-512(input buffer). /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual MAC and the expected MAC is performed - /// in constant time. + /// \param input The buffer holding the input data. This must be + /// a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-384 or SHA-512 checksum result. + /// This must be a writable buffer of length \c 64 bytes + /// for SHA-512, \c 48 bytes for SHA-384. + /// \param is384 Determines which function to use. This must be either + /// \c 0 for SHA-512, or \c 1 for SHA-384. /// - /// \param[in,out] operation Active MAC operation. - /// \param[in] mac Buffer containing the expected MAC value. - /// \param mac_length Size of the \p mac buffer in bytes. + /// \note is384 must be defined accordingly with the supported + /// symbols in the config file. If: + /// - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or + /// - is384 is 1, but \c MBEDTLS_SHA512_C is not defined + /// then the function will return + /// #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS - /// The expected MAC is identical to the actual MAC of the message. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The MAC of the message was calculated successfully, but it - /// differs from the expected MAC. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active mac verify - /// operation), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify_finish( - operation: *mut psa_mac_operation_t, - mac: *const u8, - mac_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + is384: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a MAC operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_mac_sign_setup() or psa_mac_verify_setup() again. + /// \brief The SHA-384 checkup routine. /// - /// You may call this function any time after the operation object has - /// been initialized by one of the methods described in #psa_mac_operation_t. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha384_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-512 checkup routine. /// - /// In particular, calling psa_mac_abort() after the operation has been - /// terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or - /// psa_mac_verify_finish() is safe and has no effect. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha512_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +///< Operation not defined. +pub const mbedtls_sha3_id_MBEDTLS_SHA3_NONE: mbedtls_sha3_id = 0; +///< SHA3-224 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_224: mbedtls_sha3_id = 1; +///< SHA3-256 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_256: mbedtls_sha3_id = 2; +///< SHA3-384 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_384: mbedtls_sha3_id = 3; +///< SHA3-512 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_512: mbedtls_sha3_id = 4; +/// SHA-3 family id. +/// +/// It identifies the family (SHA3-256, SHA3-512, etc.) +pub type mbedtls_sha3_id = ::core::ffi::c_uint; +/// \brief The SHA-3 context structure. +/// +/// The structure is used SHA-3 checksum calculations. +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_sha3_context { + pub private_state: [u64; 25usize], + pub private_index: u32, + pub private_olen: u16, + pub private_max_block_size: u16, +} +unsafe extern "C" { + /// \brief This function initializes a SHA-3 context. /// - /// \param[in,out] operation Initialized MAC operation. + /// \param ctx The SHA-3 context to initialize. This must not be \c NULL. + pub fn mbedtls_sha3_init(ctx: *mut mbedtls_sha3_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-3 context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_abort(operation: *mut psa_mac_operation_t) -> psa_status_t; + /// \param ctx The SHA-3 context to clear. This may be \c NULL, in which + /// case this function returns immediately. If it is not \c NULL, + /// it must point to an initialized SHA-3 context. + pub fn mbedtls_sha3_free(ctx: *mut mbedtls_sha3_context); } unsafe extern "C" { - /// Encrypt a message using a symmetric cipher. + /// \brief This function clones the state of a SHA-3 context. /// - /// This function encrypts a message with a random IV (initialization - /// vector). Use the multipart operation interface with a - /// #psa_cipher_operation_t object to provide other forms of IV. + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha3_clone(dst: *mut mbedtls_sha3_context, src: *const mbedtls_sha3_context); +} +unsafe extern "C" { + /// \brief This function starts a SHA-3 checksum + /// calculation. /// - /// \param key Identifier of the key to use for the operation. - /// It must allow the usage #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// \param[in] input Buffer containing the message to encrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// The output contains the IV followed by - /// the ciphertext proper. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the output. + /// \param ctx The context to use. This must be initialized. + /// \param id The id of the SHA-3 family. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_starts( + ctx: *mut mbedtls_sha3_context, + id: mbedtls_sha3_id, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Decrypt a message using a symmetric cipher. - /// - /// This function decrypts a message encrypted with a symmetric cipher. + /// \brief This function feeds an input buffer into an ongoing + /// SHA-3 checksum calculation. /// - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// \param[in] input Buffer containing the message to decrypt. - /// This consists of the IV followed by the - /// ciphertext proper. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the plaintext is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the output. + /// \param ctx The SHA-3 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_update( + ctx: *mut mbedtls_sha3_context, input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + ilen: usize, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart cipher operations. -/// -/// Before calling any function on a cipher operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_cipher_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_cipher_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT, -/// for example: -/// \code -/// psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_cipher_operation_init() -/// to the structure, for example: -/// \code -/// psa_cipher_operation_t operation; -/// operation = psa_cipher_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_cipher_operation_t = psa_cipher_operation_s; unsafe extern "C" { - /// Set the key for a multipart symmetric encryption operation. + /// \brief This function finishes the SHA-3 operation, and writes + /// the result to the output buffer. /// - /// The sequence of operations to encrypt a message with a symmetric cipher - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_cipher_operation_t, e.g. - /// #PSA_CIPHER_OPERATION_INIT. - /// -# Call psa_cipher_encrypt_setup() to specify the algorithm and key. - /// -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to - /// generate or set the IV (initialization vector). You should use - /// psa_cipher_generate_iv() unless the protocol you are implementing - /// requires a specific IV value. - /// -# Call psa_cipher_update() zero, one or more times, passing a fragment - /// of the message each time. - /// -# Call psa_cipher_finish(). + /// \param ctx The SHA-3 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-3 checksum result. + /// This must be a writable buffer of length \c olen bytes. + /// \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256, + /// SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64, + /// respectively. /// - /// If an error occurs at any step after a call to psa_cipher_encrypt_setup(), - /// the operation will need to be reset by a call to psa_cipher_abort(). The - /// application may call psa_cipher_abort() at any time after the operation - /// has been initialized. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_finish( + ctx: *mut mbedtls_sha3_context, + output: *mut u8, + olen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function calculates the SHA-3 + /// checksum of a buffer. /// - /// After a successful call to psa_cipher_encrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_cipher_finish(). - /// - A call to psa_cipher_abort(). + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_cipher_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// The SHA-3 result is calculated as + /// output = SHA-3(id, input buffer, d). /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_encrypt_setup( - operation: *mut psa_cipher_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \param id The id of the SHA-3 family. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-3 checksum result. + /// This must be a writable buffer of length \c olen bytes. + /// \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256, + /// SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64, + /// respectively. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3( + id: mbedtls_sha3_id, + input: *const u8, + ilen: usize, + output: *mut u8, + olen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the key for a multipart symmetric decryption operation. + /// \brief Checkup routine for the algorithms implemented + /// by this module: SHA3-224, SHA3-256, SHA3-384, SHA3-512. /// - /// The sequence of operations to decrypt a message with a symmetric cipher - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_cipher_operation_t, e.g. - /// #PSA_CIPHER_OPERATION_INIT. - /// -# Call psa_cipher_decrypt_setup() to specify the algorithm and key. - /// -# Call psa_cipher_set_iv() with the IV (initialization vector) for the - /// decryption. If the IV is prepended to the ciphertext, you can call - /// psa_cipher_update() on a buffer containing the IV followed by the - /// beginning of the message. - /// -# Call psa_cipher_update() zero, one or more times, passing a fragment - /// of the message each time. - /// -# Call psa_cipher_finish(). - /// - /// If an error occurs at any step after a call to psa_cipher_decrypt_setup(), - /// the operation will need to be reset by a call to psa_cipher_abort(). The - /// application may call psa_cipher_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_cipher_decrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_cipher_finish(). - /// - A call to psa_cipher_abort(). - /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_cipher_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_decrypt_setup( - operation: *mut psa_cipher_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return 0 if successful, or 1 if the test failed. + pub fn mbedtls_sha3_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// Generate an IV for a symmetric encryption operation. - /// - /// This function generates a random IV (initialization vector), nonce - /// or initial counter value for the encryption operation as appropriate - /// for the chosen algorithm, key type and key size. - /// - /// The application must call psa_cipher_encrypt_setup() before - /// calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[out] iv Buffer where the generated IV is to be written. - /// \param iv_size Size of the \p iv buffer in bytes. - /// \param[out] iv_length On success, the number of bytes of the - /// generated IV. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p iv buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with no IV set), - /// or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_generate_iv( - operation: *mut psa_cipher_operation_t, - iv: *mut u8, - iv_size: usize, - iv_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_hash_operation_t { + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + pub private_ctx: mbedtls_psa_hash_operation_t__bindgen_ty_1, } -unsafe extern "C" { - /// Set the IV for a symmetric encryption or decryption operation. - /// - /// This function sets the IV (initialization vector), nonce - /// or initial counter value for the encryption or decryption operation. - /// - /// The application must call psa_cipher_encrypt_setup() before - /// calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \note When encrypting, applications should use psa_cipher_generate_iv() - /// instead of this function, unless implementing a protocol that requires - /// a non-random IV. - /// - /// \param[in,out] operation Active cipher operation. - /// \param[in] iv Buffer containing the IV to use. - /// \param iv_length Size of the IV in bytes. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The size of \p iv is not acceptable for the chosen algorithm, - /// or the chosen algorithm does not use an IV. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active cipher - /// encrypt operation, with no IV set), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_set_iv( - operation: *mut psa_cipher_operation_t, - iv: *const u8, - iv_length: usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union mbedtls_psa_hash_operation_t__bindgen_ty_1 { + pub dummy: ::core::ffi::c_uint, + pub md5: mbedtls_md5_context, + pub ripemd160: mbedtls_ripemd160_context, + pub sha1: mbedtls_sha1_context, + pub sha256: mbedtls_sha256_context, + pub sha512: mbedtls_sha512_context, } -unsafe extern "C" { - /// Encrypt or decrypt a message fragment in an active cipher operation. - /// - /// Before calling this function, you must: - /// 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(). - /// The choice of setup function determines whether this function - /// encrypts or decrypts its input. - /// 2. If the algorithm requires an IV, call psa_cipher_generate_iv() - /// (recommended when encrypting) or psa_cipher_set_iv(). - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[in] input Buffer containing the message fragment to - /// encrypt or decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with an IV set - /// if required for the algorithm), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_update( - operation: *mut psa_cipher_operation_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_hash_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Finish encrypting or decrypting a message in a cipher operation. - /// - /// The application must call psa_cipher_encrypt_setup() or - /// psa_cipher_decrypt_setup() before calling this function. The choice - /// of setup function determines whether this function encrypts or - /// decrypts its input. - /// - /// This function finishes the encryption or decryption of the message - /// formed by concatenating the inputs passed to preceding calls to - /// psa_cipher_update(). - /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total input size passed to this operation is not valid for - /// this particular algorithm. For example, the algorithm is a based - /// on block cipher and requires a whole number of blocks, but the - /// total input size is not a multiple of the block size. - /// \retval #PSA_ERROR_INVALID_PADDING - /// This is a decryption operation for an algorithm that includes - /// padding, and the ciphertext does not contain valid padding. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with an IV set - /// if required for the algorithm), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_finish( - operation: *mut psa_cipher_operation_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_hash_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_cipher_operation_t { + pub private_alg: psa_algorithm_t, + pub private_iv_length: u8, + pub private_block_length: u8, + pub private_ctx: mbedtls_psa_cipher_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_cipher_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_cipher: mbedtls_cipher_context_t, +} +impl Default for mbedtls_psa_cipher_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_cipher_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_hash_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_hash_operation_t, +} +impl Default for psa_driver_hash_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_cipher_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_cipher_operation_t, +} +impl Default for psa_driver_cipher_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_hash_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_driver_wrappers.h. + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. the driver context is not active, in use). + pub private_id: ::core::ffi::c_uint, + pub __bindgen_padding_0: u64, + pub private_ctx: psa_driver_hash_context_t, +} +impl Default for psa_hash_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_cipher_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_default_iv_length: u8, + pub private_ctx: psa_driver_cipher_context_t, +} +impl Default for psa_cipher_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_cipher_operation_s { + #[inline] + pub fn private_iv_required(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_iv_required(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_required_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_required_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_iv_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_iv_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(1usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 1usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 1usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_iv_required: ::core::ffi::c_uint, + private_iv_set: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_iv_required: u32 = unsafe { ::core::mem::transmute(private_iv_required) }; + private_iv_required as u64 + }); + __bindgen_bitfield_unit.set(1usize, 1u8, { + let private_iv_set: u32 = unsafe { ::core::mem::transmute(private_iv_set) }; + private_iv_set as u64 + }); + __bindgen_bitfield_unit + } +} +/// \brief The GCM context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_gcm_context { + ///< The cipher context used. + pub private_cipher_ctx: mbedtls_cipher_context_t, + ///< Precalculated HTable. + pub private_H: [[u64; 2usize]; 16usize], + ///< The total length of the encrypted data. + pub private_len: u64, + ///< The total length of the additional data. + pub private_add_len: u64, + ///< The first ECTR for tag. + pub private_base_ectr: [::core::ffi::c_uchar; 16usize], + ///< The Y working value. + pub private_y: [::core::ffi::c_uchar; 16usize], + ///< The buf working value. + pub private_buf: [::core::ffi::c_uchar; 16usize], + ///< The operation to perform: + ///#MBEDTLS_GCM_ENCRYPT or + ///#MBEDTLS_GCM_DECRYPT. + pub private_mode: ::core::ffi::c_uchar, + ///< The acceleration to use. + pub private_acceleration: ::core::ffi::c_uchar, +} +impl Default for mbedtls_gcm_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Abort a cipher operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again. - /// - /// You may call this function any time after the operation object has - /// been initialized as described in #psa_cipher_operation_t. - /// - /// In particular, calling psa_cipher_abort() after the operation has been - /// terminated by a call to psa_cipher_abort() or psa_cipher_finish() - /// is safe and has no effect. + /// \brief This function initializes the specified GCM context, + /// to make references valid, and prepares the context + /// for mbedtls_gcm_setkey() or mbedtls_gcm_free(). /// - /// \param[in,out] operation Initialized cipher operation. + /// The function does not bind the GCM context to a particular + /// cipher, nor set the key. For this purpose, use + /// mbedtls_gcm_setkey(). /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_abort(operation: *mut psa_cipher_operation_t) -> psa_status_t; + /// \param ctx The GCM context to initialize. This must not be \c NULL. + pub fn mbedtls_gcm_init(ctx: *mut mbedtls_gcm_context); } unsafe extern "C" { - /// Process an authenticated encryption operation. + /// \brief This function associates a GCM context with a + /// cipher algorithm and a key. /// - /// \param key Identifier of the key to use for the - /// operation. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). - /// \param[in] nonce Nonce or IV to use. - /// \param nonce_length Size of the \p nonce buffer in bytes. - /// \param[in] additional_data Additional data that will be authenticated - /// but not encrypted. - /// \param additional_data_length Size of \p additional_data in bytes. - /// \param[in] plaintext Data that will be authenticated and - /// encrypted. - /// \param plaintext_length Size of \p plaintext in bytes. - /// \param[out] ciphertext Output buffer for the authenticated and - /// encrypted data. The additional data is not - /// part of this output. For algorithms where the - /// encrypted data and the authentication tag - /// are defined as separate outputs, the - /// authentication tag is appended to the - /// encrypted data. - /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, - /// \p alg, \p plaintext_length) where - /// \c key_type is the type of \p key. - /// - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p - /// plaintext_length) evaluates to the maximum - /// ciphertext size of any supported AEAD - /// encryption. - /// \param[out] ciphertext_length On success, the size of the output - /// in the \p ciphertext buffer. + /// \param ctx The GCM context. This must be initialized. + /// \param cipher The 128-bit block cipher to use. + /// \param key The encryption key. This must be a readable buffer of at + /// least \p keybits bits. + /// \param keybits The key size in bits. Valid options are: + ///
  • 128 bits
    • + ///
  • 192 bits
    • + ///
  • 256 bits
/// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p ciphertext_size is too small. - /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg, - /// \p plaintext_length) or - /// #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to - /// determine the required buffer size. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - nonce: *const u8, - nonce_length: usize, - additional_data: *const u8, - additional_data_length: usize, - plaintext: *const u8, - plaintext_length: usize, - ciphertext: *mut u8, - ciphertext_size: usize, - ciphertext_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A cipher-specific error code on failure. + pub fn mbedtls_gcm_setkey( + ctx: *mut mbedtls_gcm_context, + cipher: mbedtls_cipher_id_t, + key: *const ::core::ffi::c_uchar, + keybits: ::core::ffi::c_uint, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Process an authenticated decryption operation. + /// \brief This function performs GCM encryption or decryption of a buffer. /// - /// \param key Identifier of the key to use for the - /// operation. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). - /// \param[in] nonce Nonce or IV to use. - /// \param nonce_length Size of the \p nonce buffer in bytes. - /// \param[in] additional_data Additional data that has been authenticated - /// but not encrypted. - /// \param additional_data_length Size of \p additional_data in bytes. - /// \param[in] ciphertext Data that has been authenticated and - /// encrypted. For algorithms where the - /// encrypted data and the authentication tag - /// are defined as separate inputs, the buffer - /// must contain the encrypted data followed - /// by the authentication tag. - /// \param ciphertext_length Size of \p ciphertext in bytes. - /// \param[out] plaintext Output buffer for the decrypted data. - /// \param plaintext_size Size of the \p plaintext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, - /// \p alg, \p ciphertext_length) where - /// \c key_type is the type of \p key. - /// - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p - /// ciphertext_length) evaluates to the maximum - /// plaintext size of any supported AEAD - /// decryption. - /// \param[out] plaintext_length On success, the size of the output - /// in the \p plaintext buffer. + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The ciphertext is not authentic. - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p plaintext_size is too small. - /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg, - /// \p ciphertext_length) or - /// #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used - /// to determine the required buffer size. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - nonce: *const u8, - nonce_length: usize, - additional_data: *const u8, - additional_data_length: usize, - ciphertext: *const u8, - ciphertext_length: usize, - plaintext: *mut u8, - plaintext_size: usize, - plaintext_length: *mut usize, - ) -> psa_status_t; + /// \warning When this function performs a decryption, it outputs the + /// authentication tag and does not verify that the data is + /// authentic. You should use this function to perform encryption + /// only. For decryption, use mbedtls_gcm_auth_decrypt() instead. + /// + /// \param ctx The GCM context to use for encryption or decryption. This + /// must be initialized. + /// \param mode The operation to perform: + /// - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption. + /// The ciphertext is written to \p output and the + /// authentication tag is written to \p tag. + /// - #MBEDTLS_GCM_DECRYPT to perform decryption. + /// The plaintext is written to \p output and the + /// authentication tag is written to \p tag. + /// Note that this mode is not recommended, because it does + /// not verify the authenticity of the data. For this reason, + /// you should use mbedtls_gcm_auth_decrypt() instead of + /// calling this function in decryption mode. + /// \param length The length of the input data, which is equal to the length + /// of the output data. + /// \param iv The initialization vector. This must be a readable buffer of + /// at least \p iv_len Bytes. + /// \param iv_len The length of the IV. + /// \param add The buffer holding the additional data. This must be of at + /// least that size in Bytes. + /// \param add_len The length of the additional data. + /// \param input The buffer holding the input data. If \p length is greater + /// than zero, this must be a readable buffer of at least that + /// size in Bytes. + /// \param output The buffer for holding the output data. If \p length is greater + /// than zero, this must be a writable buffer of at least that + /// size in Bytes. + /// \param tag_len The length of the tag to generate. + /// \param tag The buffer for holding the tag. This must be a writable + /// buffer of at least \p tag_len Bytes. + /// + /// \return \c 0 if the encryption or decryption was performed + /// successfully. Note that in #MBEDTLS_GCM_DECRYPT mode, + /// this does not indicate that the data is authentic. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are + /// not valid or a cipher-specific error code if the encryption + /// or decryption failed. + pub fn mbedtls_gcm_crypt_and_tag( + ctx: *mut mbedtls_gcm_context, + mode: ::core::ffi::c_int, + length: usize, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + add: *const ::core::ffi::c_uchar, + add_len: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + tag_len: usize, + tag: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart AEAD operations. -/// -/// Before calling any function on an AEAD operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_aead_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_aead_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT, -/// for example: -/// \code -/// psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_aead_operation_init() -/// to the structure, for example: -/// \code -/// psa_aead_operation_t operation; -/// operation = psa_aead_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_aead_operation_t = psa_aead_operation_s; unsafe extern "C" { - /// Set the key for a multipart authenticated encryption operation. + /// \brief This function performs a GCM authenticated decryption of a + /// buffer. /// - /// The sequence of operations to encrypt a message with authentication - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_aead_operation_t, e.g. - /// #PSA_AEAD_OPERATION_INIT. - /// -# Call psa_aead_encrypt_setup() to specify the algorithm and key. - /// -# If needed, call psa_aead_set_lengths() to specify the length of the - /// inputs to the subsequent calls to psa_aead_update_ad() and - /// psa_aead_update(). See the documentation of psa_aead_set_lengths() - /// for details. - /// -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to - /// generate or set the nonce. You should use - /// psa_aead_generate_nonce() unless the protocol you are implementing - /// requires a specific nonce value. - /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment - /// of the non-encrypted additional authenticated data each time. - /// -# Call psa_aead_update() zero, one or more times, passing a fragment - /// of the message to encrypt each time. - /// -# Call psa_aead_finish(). - /// - /// If an error occurs at any step after a call to psa_aead_encrypt_setup(), - /// the operation will need to be reset by a call to psa_aead_abort(). The - /// application may call psa_aead_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_aead_encrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_aead_finish(). - /// - A call to psa_aead_abort(). + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. Implementations which require + /// MBEDTLS_GCM_ALT to be enabled may not provide support for + /// overlapping buffers. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_aead_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param ctx The GCM context. This must be initialized. + /// \param length The length of the ciphertext to decrypt, which is also + /// the length of the decrypted plaintext. + /// \param iv The initialization vector. This must be a readable buffer + /// of at least \p iv_len Bytes. + /// \param iv_len The length of the IV. + /// \param add The buffer holding the additional data. This must be of at + /// least that size in Bytes. + /// \param add_len The length of the additional data. + /// \param tag The buffer holding the tag to verify. This must be a + /// readable buffer of at least \p tag_len Bytes. + /// \param tag_len The length of the tag to verify. + /// \param input The buffer holding the ciphertext. If \p length is greater + /// than zero, this must be a readable buffer of at least that + /// size. + /// \param output The buffer for holding the decrypted plaintext. If \p length + /// is greater than zero, this must be a writable buffer of at + /// least that size. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_encrypt_setup( - operation: *mut psa_aead_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 if successful and authenticated. + /// \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are + /// not valid or a cipher-specific error code if the decryption + /// failed. + pub fn mbedtls_gcm_auth_decrypt( + ctx: *mut mbedtls_gcm_context, + length: usize, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + add: *const ::core::ffi::c_uchar, + add_len: usize, + tag: *const ::core::ffi::c_uchar, + tag_len: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the key for a multipart authenticated decryption operation. - /// - /// The sequence of operations to decrypt a message with authentication - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_aead_operation_t, e.g. - /// #PSA_AEAD_OPERATION_INIT. - /// -# Call psa_aead_decrypt_setup() to specify the algorithm and key. - /// -# If needed, call psa_aead_set_lengths() to specify the length of the - /// inputs to the subsequent calls to psa_aead_update_ad() and - /// psa_aead_update(). See the documentation of psa_aead_set_lengths() - /// for details. - /// -# Call psa_aead_set_nonce() with the nonce for the decryption. - /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment - /// of the non-encrypted additional authenticated data each time. - /// -# Call psa_aead_update() zero, one or more times, passing a fragment - /// of the ciphertext to decrypt each time. - /// -# Call psa_aead_verify(). - /// - /// If an error occurs at any step after a call to psa_aead_decrypt_setup(), - /// the operation will need to be reset by a call to psa_aead_abort(). The - /// application may call psa_aead_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_aead_decrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_aead_verify(). - /// - A call to psa_aead_abort(). + /// \brief This function starts a GCM encryption or decryption + /// operation. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_aead_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param ctx The GCM context. This must be initialized. + /// \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or + /// #MBEDTLS_GCM_DECRYPT. + /// \param iv The initialization vector. This must be a readable buffer of + /// at least \p iv_len Bytes. + /// \param iv_len The length of the IV. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_decrypt_setup( - operation: *mut psa_aead_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + pub fn mbedtls_gcm_starts( + ctx: *mut mbedtls_gcm_context, + mode: ::core::ffi::c_int, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Generate a random nonce for an authenticated encryption operation. - /// - /// This function generates a random nonce for the authenticated encryption - /// operation with an appropriate size for the chosen algorithm, key type - /// and key size. - /// - /// The application must call psa_aead_encrypt_setup() before - /// calling this function. + /// \brief This function feeds an input buffer as associated data + /// (authenticated but not encrypted data) in a GCM + /// encryption or decryption operation. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// Call this function after mbedtls_gcm_starts() to pass + /// the associated data. If the associated data is empty, + /// you do not need to call this function. You may not + /// call this function after calling mbedtls_cipher_update(). /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] nonce Buffer where the generated nonce is to be - /// written. - /// \param nonce_size Size of the \p nonce buffer in bytes. - /// \param[out] nonce_length On success, the number of bytes of the - /// generated nonce. + /// \param ctx The GCM context. This must have been started with + /// mbedtls_gcm_starts() and must not have yet received + /// any input with mbedtls_gcm_update(). + /// \param add The buffer holding the additional data, or \c NULL + /// if \p add_len is \c 0. + /// \param add_len The length of the additional data. If \c 0, + /// \p add may be \c NULL. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p nonce buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active aead encrypt - /// operation, with no nonce set), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_generate_nonce( - operation: *mut psa_aead_operation_t, - nonce: *mut u8, - nonce_size: usize, - nonce_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + pub fn mbedtls_gcm_update_ad( + ctx: *mut mbedtls_gcm_context, + add: *const ::core::ffi::c_uchar, + add_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the nonce for an authenticated encryption or decryption operation. + /// \brief This function feeds an input buffer into an ongoing GCM + /// encryption or decryption operation. /// - /// This function sets the nonce for the authenticated - /// encryption or decryption operation. + /// You may call this function zero, one or more times + /// to pass successive parts of the input: the plaintext to + /// encrypt, or the ciphertext (not including the tag) to + /// decrypt. After the last part of the input, call + /// mbedtls_gcm_finish(). /// - /// The application must call psa_aead_encrypt_setup() or - /// psa_aead_decrypt_setup() before calling this function. + /// This function may produce output in one of the following + /// ways: + /// - Immediate output: the output length is always equal + /// to the input length. + /// - Buffered output: the output consists of a whole number + /// of 16-byte blocks. If the total input length so far + /// (not including associated data) is 16 \* *B* + *A* + /// with *A* < 16 then the total output length is 16 \* *B*. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// In particular: + /// - It is always correct to call this function with + /// \p output_size >= \p input_length + 15. + /// - If \p input_length is a multiple of 16 for all the calls + /// to this function during an operation, then it is + /// correct to use \p output_size = \p input_length. /// - /// \note When encrypting, applications should use psa_aead_generate_nonce() - /// instead of this function, unless implementing a protocol that requires - /// a non-random IV. + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. Implementations which require + /// MBEDTLS_GCM_ALT to be enabled may not provide support for + /// overlapping buffers. /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] nonce Buffer containing the nonce to use. - /// \param nonce_length Size of the nonce in bytes. + /// \param ctx The GCM context. This must be initialized. + /// \param input The buffer holding the input data. If \p input_length + /// is greater than zero, this must be a readable buffer + /// of at least \p input_length bytes. + /// \param input_length The length of the input data in bytes. + /// \param output The buffer for the output data. If \p output_size + /// is greater than zero, this must be a writable buffer of + /// of at least \p output_size bytes. + /// \param output_size The size of the output buffer in bytes. + /// See the function description regarding the output size. + /// \param output_length On success, \p *output_length contains the actual + /// length of the output written in \p output. + /// On failure, the content of \p *output_length is + /// unspecified. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The size of \p nonce is not acceptable for the chosen algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with no nonce - /// set), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_set_nonce( - operation: *mut psa_aead_operation_t, - nonce: *const u8, - nonce_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: + /// total input length too long, + /// unsupported input/output buffer overlap detected, + /// or \p output_size too small. + pub fn mbedtls_gcm_update( + ctx: *mut mbedtls_gcm_context, + input: *const ::core::ffi::c_uchar, + input_length: usize, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_length: *mut usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Declare the lengths of the message and additional data for AEAD. - /// - /// The application must call this function before calling - /// psa_aead_update_ad() or psa_aead_update() if the algorithm for - /// the operation requires it. If the algorithm does not require it, - /// calling this function is optional, but if this function is called - /// then the implementation must enforce the lengths. - /// - /// You may call this function before or after setting the nonce with - /// psa_aead_set_nonce() or psa_aead_generate_nonce(). - /// - /// - For #PSA_ALG_CCM, calling this function is required. - /// - For the other AEAD algorithms defined in this specification, calling - /// this function is not required. - /// - For vendor-defined algorithm, refer to the vendor documentation. + /// \brief This function finishes the GCM operation and generates + /// the authentication tag. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// It wraps up the GCM stream, and generates the + /// tag. The tag can have a maximum length of 16 Bytes. /// - /// \param[in,out] operation Active AEAD operation. - /// \param ad_length Size of the non-encrypted additional - /// authenticated data in bytes. - /// \param plaintext_length Size of the plaintext to encrypt in bytes. + /// \param ctx The GCM context. This must be initialized. + /// \param tag The buffer for holding the tag. This must be a writable + /// buffer of at least \p tag_len Bytes. + /// \param tag_len The length of the tag to generate. This must be at least + /// four. + /// \param output The buffer for the final output. + /// If \p output_size is nonzero, this must be a writable + /// buffer of at least \p output_size bytes. + /// \param output_size The size of the \p output buffer in bytes. + /// This must be large enough for the output that + /// mbedtls_gcm_update() has not produced. In particular: + /// - If mbedtls_gcm_update() produces immediate output, + /// or if the total input size is a multiple of \c 16, + /// then mbedtls_gcm_finish() never produces any output, + /// so \p output_size can be \c 0. + /// - \p output_size never needs to be more than \c 15. + /// \param output_length On success, \p *output_length contains the actual + /// length of the output written in \p output. + /// On failure, the content of \p *output_length is + /// unspecified. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// At least one of the lengths is not acceptable for the chosen - /// algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and - /// psa_aead_update_ad() and psa_aead_update() must not have been - /// called yet), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_set_lengths( - operation: *mut psa_aead_operation_t, - ad_length: usize, - plaintext_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: + /// invalid value of \p tag_len, + /// or \p output_size too small. + pub fn mbedtls_gcm_finish( + ctx: *mut mbedtls_gcm_context, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_length: *mut usize, + tag: *mut ::core::ffi::c_uchar, + tag_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Pass additional data to an active AEAD operation. - /// - /// Additional data is authenticated, but not encrypted. - /// - /// You may call this function multiple times to pass successive fragments - /// of the additional data. You may not call this function after passing - /// data to encrypt or decrypt with psa_aead_update(). - /// - /// Before calling this function, you must: - /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). - /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). - /// - /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, - /// there is no guarantee that the input is valid. Therefore, until - /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS, - /// treat the input as untrusted and prepare to undo any action that - /// depends on the input if psa_aead_verify() returns an error status. - /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] input Buffer containing the fragment of - /// additional data. - /// \param input_length Size of the \p input buffer in bytes. + /// \brief This function clears a GCM context and the underlying + /// cipher sub-context. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total input length overflows the additional data length that - /// was previously specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, have a nonce - /// set, have lengths set if required by the algorithm, and - /// psa_aead_update() must not have been called yet), or the library - /// has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_update_ad( - operation: *mut psa_aead_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \param ctx The GCM context to clear. If this is \c NULL, the call has + /// no effect. Otherwise, this must be initialized. + pub fn mbedtls_gcm_free(ctx: *mut mbedtls_gcm_context); } unsafe extern "C" { - /// Encrypt or decrypt a message fragment in an active AEAD operation. - /// - /// Before calling this function, you must: - /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). - /// The choice of setup function determines whether this function - /// encrypts or decrypts its input. - /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). - /// 3. Call psa_aead_update_ad() to pass all the additional data. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). - /// - /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, - /// there is no guarantee that the input is valid. Therefore, until - /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS: - /// - Do not use the output in any way other than storing it in a - /// confidential location. If you take any action that depends - /// on the tentative decrypted data, this action will need to be - /// undone if the input turns out not to be valid. Furthermore, - /// if an adversary can observe that this action took place - /// (for example through timing), they may be able to use this - /// fact as an oracle to decrypt any message encrypted with the - /// same key. - /// - In particular, do not copy the output anywhere but to a - /// memory or storage space that you have exclusive access to. - /// - /// This function does not require the input to be aligned to any - /// particular block boundary. If the implementation can only process - /// a whole block at a time, it must consume all the input provided, but - /// it may delay the end of the corresponding output until a subsequent - /// call to psa_aead_update(), psa_aead_finish() or psa_aead_verify() - /// provides sufficient input. The amount of data that can be delayed - /// in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE. - /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] input Buffer containing the message fragment to - /// encrypt or decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, - /// \c alg, \p input_length) where - /// \c key_type is the type of key and \c alg is - /// the algorithm that were used to set up the - /// operation. - /// - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p - /// input_length) evaluates to the maximum - /// output size of any supported AEAD - /// algorithm. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. + /// \brief The GCM checkup routine. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or - /// #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to - /// determine the required buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total input length overflows the plaintext length that - /// was previously specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, have a nonce - /// set, and have lengths set if required by the algorithm), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_update( - operation: *mut psa_aead_operation_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_gcm_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_hmac_operation_t { + /// The HMAC algorithm in use + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + /// The hash context. + pub hash_ctx: psa_hash_operation_s, + /// The HMAC part of the context. + pub private_opad: [u8; 128usize], +} +impl Default for mbedtls_psa_hmac_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_mac_operation_t { + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + pub private_ctx: mbedtls_psa_mac_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union mbedtls_psa_mac_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_hmac: mbedtls_psa_hmac_operation_t, + pub private_cmac: mbedtls_cipher_context_t, +} +impl Default for mbedtls_psa_mac_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_mac_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_aead_operation_t { + pub private_alg: psa_algorithm_t, + pub private_key_type: psa_key_type_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_tag_length: u8, + pub ctx: mbedtls_psa_aead_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_aead_operation_t__bindgen_ty_1 { + pub dummy: ::core::ffi::c_uint, + pub private_ccm: mbedtls_ccm_context, + pub private_gcm: mbedtls_gcm_context, + pub private_chachapoly: mbedtls_chachapoly_context, +} +impl Default for mbedtls_psa_aead_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_aead_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl mbedtls_psa_aead_operation_t { + #[inline] + pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_is_encrypt: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; + private_is_encrypt as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_sign_hash_interruptible_operation_t { + pub private_dummy: ::core::ffi::c_uint, +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_verify_hash_interruptible_operation_t { + pub private_dummy: ::core::ffi::c_uint, +} +///< Client +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_CLIENT: mbedtls_ecjpake_role = 0; +///< Server +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_SERVER: mbedtls_ecjpake_role = 1; +///< Undefined +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_NONE: mbedtls_ecjpake_role = 2; +/// Roles in the EC J-PAKE exchange +pub type mbedtls_ecjpake_role = ::core::ffi::c_uint; +/// EC J-PAKE context structure. +/// +/// J-PAKE is a symmetric protocol, except for the identifiers used in +/// Zero-Knowledge Proofs, and the serialization of the second message +/// (KeyExchange) as defined by the Thread spec. +/// +/// In order to benefit from this symmetry, we choose a different naming +/// convention from the Thread v1.0 spec. Correspondence is indicated in the +/// description as a pair C: client name, S: server name +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecjpake_context { + ///< Hash to use + pub private_md_type: mbedtls_md_type_t, + ///< Elliptic curve + pub private_grp: mbedtls_ecp_group, + ///< Are we client or server? + pub private_role: mbedtls_ecjpake_role, + ///< Format for point export + pub private_point_format: ::core::ffi::c_int, + ///< My public key 1 C: X1, S: X3 + pub private_Xm1: mbedtls_ecp_point, + ///< My public key 2 C: X2, S: X4 + pub private_Xm2: mbedtls_ecp_point, + ///< Peer public key 1 C: X3, S: X1 + pub private_Xp1: mbedtls_ecp_point, + ///< Peer public key 2 C: X4, S: X2 + pub private_Xp2: mbedtls_ecp_point, + ///< Peer public key C: Xs, S: Xc + pub private_Xp: mbedtls_ecp_point, + ///< My private key 1 C: x1, S: x3 + pub private_xm1: mbedtls_mpi, + ///< My private key 2 C: x2, S: x4 + pub private_xm2: mbedtls_mpi, + ///< Pre-shared secret (passphrase) + pub private_s: mbedtls_mpi, +} +impl Default for mbedtls_ecjpake_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Finish encrypting a message in an AEAD operation. - /// - /// The operation must have been set up with psa_aead_encrypt_setup(). + /// \brief Initialize an ECJPAKE context. /// - /// This function finishes the authentication of the additional data - /// formed by concatenating the inputs passed to preceding calls to - /// psa_aead_update_ad() with the plaintext formed by concatenating the - /// inputs passed to preceding calls to psa_aead_update(). + /// \param ctx The ECJPAKE context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_ecjpake_init(ctx: *mut mbedtls_ecjpake_context); +} +unsafe extern "C" { + /// \brief Set up an ECJPAKE context for use. /// - /// This function has two output buffers: - /// - \p ciphertext contains trailing ciphertext that was buffered from - /// preceding calls to psa_aead_update(). - /// - \p tag contains the authentication tag. + /// \note Currently the only values for hash/curve allowed by the + /// standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// \param ctx The ECJPAKE context to set up. This must be initialized. + /// \param role The role of the caller. This must be either + /// #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. + /// \param hash The identifier of the hash function to use, + /// for example #MBEDTLS_MD_SHA256. + /// \param curve The identifier of the elliptic curve to use, + /// for example #MBEDTLS_ECP_DP_SECP256R1. + /// \param secret The pre-shared secret (passphrase). This must be + /// a readable not empty buffer of length \p len Bytes. It need + /// only be valid for the duration of this call. + /// \param len The length of the pre-shared secret \p secret. /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] ciphertext Buffer where the last part of the ciphertext - /// is to be written. - /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, - /// \c alg) where \c key_type is the type of key - /// and \c alg is the algorithm that were used to - /// set up the operation. - /// - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to - /// the maximum output size of any supported AEAD - /// algorithm. - /// \param[out] ciphertext_length On success, the number of bytes of - /// returned ciphertext. - /// \param[out] tag Buffer where the authentication tag is - /// to be written. - /// \param tag_size Size of the \p tag buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c - /// key_type, \c key_bits, \c alg) where - /// \c key_type and \c key_bits are the type and - /// bit-size of the key, and \c alg is the - /// algorithm that were used in the call to - /// psa_aead_encrypt_setup(). - /// - #PSA_AEAD_TAG_MAX_SIZE evaluates to the - /// maximum tag size of any supported AEAD - /// algorithm. - /// \param[out] tag_length On success, the number of bytes - /// that make up the returned tag. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p ciphertext or \p tag buffer is too small. - /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or - /// #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the - /// required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type, - /// \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to - /// determine the required \p tag buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total length of input to psa_aead_update() so far is - /// less than the plaintext length that was previously - /// specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active encryption - /// operation with a nonce set), or the library has not been previously - /// initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_finish( - operation: *mut psa_aead_operation_t, - ciphertext: *mut u8, - ciphertext_size: usize, - ciphertext_length: *mut usize, - tag: *mut u8, - tag_size: usize, - tag_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_setup( + ctx: *mut mbedtls_ecjpake_context, + role: mbedtls_ecjpake_role, + hash: mbedtls_md_type_t, + curve: mbedtls_ecp_group_id, + secret: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish authenticating and decrypting a message in an AEAD operation. - /// - /// The operation must have been set up with psa_aead_decrypt_setup(). - /// - /// This function finishes the authenticated decryption of the message - /// components: + /// \brief Set the point format for future reads and writes. /// - /// - The additional data consisting of the concatenation of the inputs - /// passed to preceding calls to psa_aead_update_ad(). - /// - The ciphertext consisting of the concatenation of the inputs passed to - /// preceding calls to psa_aead_update(). - /// - The tag passed to this function call. + /// \param ctx The ECJPAKE context to configure. + /// \param point_format The point format to use: + /// #MBEDTLS_ECP_PF_UNCOMPRESSED (default) + /// or #MBEDTLS_ECP_PF_COMPRESSED. /// - /// If the authentication tag is correct, this function outputs any remaining - /// plaintext and reports success. If the authentication tag is not correct, - /// this function returns #PSA_ERROR_INVALID_SIGNATURE. + /// \return \c 0 if successful. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format + /// is invalid. + pub fn mbedtls_ecjpake_set_point_format( + ctx: *mut mbedtls_ecjpake_context, + point_format: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Check if an ECJPAKE context is ready for use. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// \param ctx The ECJPAKE context to check. This must be + /// initialized. /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual tag and the expected tag is performed - /// in constant time. + /// \return \c 0 if the context is ready for use. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. + pub fn mbedtls_ecjpake_check(ctx: *const mbedtls_ecjpake_context) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Generate and write the first round message + /// (TLS: contents of the Client/ServerHello extension, + /// excluding extension type and length bytes). /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] plaintext Buffer where the last part of the plaintext - /// is to be written. This is the remaining data - /// from previous calls to psa_aead_update() - /// that could not be processed until the end - /// of the input. - /// \param plaintext_size Size of the \p plaintext buffer in bytes. - /// This must be appropriate for the selected algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, - /// \c alg) where \c key_type is the type of key - /// and \c alg is the algorithm that were used to - /// set up the operation. - /// - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to - /// the maximum output size of any supported AEAD - /// algorithm. - /// \param[out] plaintext_length On success, the number of bytes of - /// returned plaintext. - /// \param[in] tag Buffer containing the authentication tag. - /// \param tag_length Size of the \p tag buffer in bytes. + /// \param ctx The ECJPAKE context to use. This must be + /// initialized and set up. + /// \param buf The buffer to write the contents to. This must be a + /// writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number + /// of Bytes written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculations were successful, but the authentication tag is - /// not correct. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p plaintext buffer is too small. - /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or - /// #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the - /// required buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total length of input to psa_aead_update() so far is - /// less than the plaintext length that was previously - /// specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active decryption - /// operation with a nonce set), or the library has not been previously - /// initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_verify( - operation: *mut psa_aead_operation_t, - plaintext: *mut u8, - plaintext_size: usize, - plaintext_length: *mut usize, - tag: *const u8, - tag_length: usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_round_one( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort an AEAD operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again. + /// \brief Read and process the first round message + /// (TLS: contents of the Client/ServerHello extension, + /// excluding extension type and length bytes). /// - /// You may call this function any time after the operation object has - /// been initialized as described in #psa_aead_operation_t. + /// \param ctx The ECJPAKE context to use. This must be initialized + /// and set up. + /// \param buf The buffer holding the first round message. This must + /// be a readable buffer of length \p len Bytes. + /// \param len The length in Bytes of \p buf. /// - /// In particular, calling psa_aead_abort() after the operation has been - /// terminated by a call to psa_aead_abort(), psa_aead_finish() or - /// psa_aead_verify() is safe and has no effect. + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_read_round_one( + ctx: *mut mbedtls_ecjpake_context, + buf: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Generate and write the second round message + /// (TLS: contents of the Client/ServerKeyExchange). /// - /// \param[in,out] operation Initialized AEAD operation. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up, and already have performed round one. + /// \param buf The buffer to write the round two contents to. + /// This must be a writable buffer of length \p len Bytes. + /// \param len The size of \p buf in Bytes. + /// \param olen The address at which to store the total number of Bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_abort(operation: *mut psa_aead_operation_t) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_round_two( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Sign a message with a private key. For hash-and-sign algorithms, - /// this includes the hashing step. + /// \brief Read and process the second round message + /// (TLS: contents of the Client/ServerKeyExchange). /// - /// \note To perform a multi-part hash-and-sign signature algorithm, first use - /// a multi-part hash operation and then pass the resulting hash to - /// psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the - /// hash algorithm to use. - /// - /// \param[in] key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) - /// is true), that is compatible with the type of - /// \p key. - /// \param[in] input The input message to sign. - /// \param[in] input_length Size of the \p input buffer in bytes. - /// \param[out] signature Buffer where the signature is to be written. - /// \param[in] signature_size Size of the \p signature buffer in bytes. This - /// must be appropriate for the selected - /// algorithm and key: - /// - The required signature size is - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and - /// bit-size respectively of key. - /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the - /// maximum signature size of any supported - /// signature algorithm. - /// \param[out] signature_length On success, the number of bytes that make up - /// the returned signature value. + /// \param ctx The ECJPAKE context to use. This must be initialized + /// and set up and already have performed round one. + /// \param buf The buffer holding the second round message. This must + /// be a readable buffer of length \p len Bytes. + /// \param len The length in Bytes of \p buf. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, - /// or it does not permit the requested algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_sign_message( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_read_round_two( + ctx: *mut mbedtls_ecjpake_context, + buf: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify the signature of a message with a public key, using - /// a hash-and-sign verification algorithm. - /// - /// \note To perform a multi-part hash-and-sign signature verification - /// algorithm, first use a multi-part hash operation to hash the message - /// and then pass the resulting hash to psa_verify_hash(). - /// PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm - /// to use. + /// \brief Derive the shared secret + /// (TLS: Pre-Master Secret). /// - /// \param[in] key Identifier of the key to use for the operation. - /// It must be a public key or an asymmetric key - /// pair. The key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) - /// is true), that is compatible with the type of - /// \p key. - /// \param[in] input The message whose signature is to be verified. - /// \param[in] input_length Size of the \p input buffer in bytes. - /// \param[out] signature Buffer containing the signature to verify. - /// \param[in] signature_length Size of the \p signature buffer in bytes. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up and have performed both round one and two. + /// \param buf The buffer to write the derived secret to. This must + /// be a writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number of Bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, - /// or it does not permit the requested algorithm. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed signature - /// is not a valid signature. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_verify_message( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - signature: *const u8, - signature_length: usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_derive_secret( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Sign a hash or short message with a private key. - /// - /// Note that to perform a hash-and-sign signature algorithm, you must - /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() - /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). - /// Then pass the resulting hash as the \p hash - /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) - /// to determine the hash algorithm to use. + /// \brief Write the shared key material to be passed to a Key + /// Derivation Function as described in RFC8236. /// - /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. - /// \param alg A signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message to sign. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[out] signature Buffer where the signature is to be written. - /// \param signature_size Size of the \p signature buffer in bytes. - /// \param[out] signature_length On success, the number of bytes - /// that make up the returned signature value. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up and have performed both round one and two. + /// \param buf The buffer to write the derived secret to. This must + /// be a writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number of bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_sign_hash( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_shared_key( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify the signature of a hash or short message using a public key. - /// - /// Note that to perform a hash-and-sign signature algorithm, you must - /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() - /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). - /// Then pass the resulting hash as the \p hash - /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) - /// to determine the hash algorithm to use. + /// \brief This clears an ECJPAKE context and frees any + /// embedded data structure. /// - /// \param key Identifier of the key to use for the operation. It - /// must be a public key or an asymmetric key pair. The - /// key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_HASH. - /// \param alg A signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message whose signature is to be - /// verified. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[in] signature Buffer containing the signature to verify. - /// \param signature_length Size of the \p signature buffer in bytes. + /// \param ctx The ECJPAKE context to free. This may be \c NULL, + /// in which case this function does nothing. If it is not + /// \c NULL, it must point to an initialized ECJPAKE context. + pub fn mbedtls_ecjpake_free(ctx: *mut mbedtls_ecjpake_context); +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// \retval #PSA_SUCCESS - /// The signature is valid. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed - /// signature is not a valid signature. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_verify_hash( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *const u8, - signature_length: usize, - ) -> psa_status_t; + /// \return 0 if successful, or 1 if a test failed + pub fn mbedtls_ecjpake_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief Encrypt a short message with a public key. - /// - /// \param key Identifier of the key to use for the operation. - /// It must be a public key or an asymmetric key - /// pair. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg An asymmetric encryption algorithm that is - /// compatible with the type of \p key. - /// \param[in] input The message to encrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[in] salt A salt or label, if supported by the - /// encryption algorithm. - /// If the algorithm does not support a - /// salt, pass \c NULL. - /// If the algorithm supports an optional - /// salt and you do not want to pass a salt, - /// pass \c NULL. - /// - /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is - /// supported. - /// \param salt_length Size of the \p salt buffer in bytes. - /// If \p salt is \c NULL, pass 0. - /// \param[out] output Buffer where the encrypted message is to - /// be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_asymmetric_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - salt: *const u8, - salt_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_pake_operation_t { + pub private_alg: psa_algorithm_t, + pub private_password: *mut u8, + pub private_password_len: usize, + pub private_role: mbedtls_ecjpake_role, + pub private_buffer: [u8; 336usize], + pub private_buffer_length: usize, + pub private_buffer_offset: usize, + pub private_ctx: mbedtls_psa_pake_operation_t__bindgen_ty_1, } -unsafe extern "C" { - /// \brief Decrypt a short message with a private key. - /// - /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. It must - /// allow the usage #PSA_KEY_USAGE_DECRYPT. - /// \param alg An asymmetric encryption algorithm that is - /// compatible with the type of \p key. - /// \param[in] input The message to decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[in] salt A salt or label, if supported by the - /// encryption algorithm. - /// If the algorithm does not support a - /// salt, pass \c NULL. - /// If the algorithm supports an optional - /// salt and you do not want to pass a salt, - /// pass \c NULL. - /// - /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is - /// supported. - /// \param salt_length Size of the \p salt buffer in bytes. - /// If \p salt is \c NULL, pass 0. - /// \param[out] output Buffer where the decrypted message is to - /// be written. - /// \param output_size Size of the \c output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INVALID_PADDING \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_asymmetric_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - salt: *const u8, - salt_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_pake_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_jpake: mbedtls_ecjpake_context, } -/// The type of the state data structure for key derivation operations. -/// -/// Before calling any function on a key derivation operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_key_derivation_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_key_derivation_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT, -/// for example: -/// \code -/// psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_key_derivation_operation_init() -/// to the structure, for example: -/// \code -/// psa_key_derivation_operation_t operation; -/// operation = psa_key_derivation_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_key_derivation_operation_t = psa_key_derivation_s; -unsafe extern "C" { - /// Set up a key derivation operation. - /// - /// A key derivation algorithm takes some inputs and uses them to generate - /// a byte stream in a deterministic way. - /// This byte stream can be used to produce keys and other - /// cryptographic material. - /// - /// To derive a key: - /// -# Start with an initialized object of type #psa_key_derivation_operation_t. - /// -# Call psa_key_derivation_setup() to select the algorithm. - /// -# Provide the inputs for the key derivation by calling - /// psa_key_derivation_input_bytes() or psa_key_derivation_input_key() - /// as appropriate. Which inputs are needed, in what order, and whether - /// they may be keys and if so of what type depends on the algorithm. - /// -# Optionally set the operation's maximum capacity with - /// psa_key_derivation_set_capacity(). You may do this before, in the middle - /// of or after providing inputs. For some algorithms, this step is mandatory - /// because the output depends on the maximum capacity. - /// -# To derive a key, call psa_key_derivation_output_key(). - /// To derive a byte string for a different purpose, call - /// psa_key_derivation_output_bytes(). - /// Successive calls to these functions use successive output bytes - /// calculated by the key derivation algorithm. - /// -# Clean up the key derivation operation object with - /// psa_key_derivation_abort(). - /// - /// If this function returns an error, the key derivation operation object is - /// not changed. - /// - /// If an error occurs at any step after a call to psa_key_derivation_setup(), - /// the operation will need to be reset by a call to psa_key_derivation_abort(). - /// - /// Implementations must reject an attempt to derive a key of size 0. - /// - /// \param[in,out] operation The key derivation operation object - /// to set up. It must - /// have been initialized but not set up yet. - /// \param alg The key derivation algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c alg is not a key derivation algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a key derivation algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_setup( - operation: *mut psa_key_derivation_operation_t, - alg: psa_algorithm_t, - ) -> psa_status_t; +impl Default for mbedtls_psa_pake_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Retrieve the current capacity of a key derivation operation. - /// - /// The capacity of a key derivation is the maximum number of bytes that it can - /// return. When you get *N* bytes of output from a key derivation operation, - /// this reduces its capacity by *N*. - /// - /// \param[in] operation The operation to query. - /// \param[out] capacity On success, the capacity of the operation. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_get_capacity( - operation: *const psa_key_derivation_operation_t, - capacity: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_pake_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Set the maximum capacity of a key derivation operation. - /// - /// The capacity of a key derivation operation is the maximum number of bytes - /// that the key derivation operation can return from this point onwards. - /// - /// \param[in,out] operation The key derivation operation object to modify. - /// \param capacity The new capacity of the operation. - /// It must be less or equal to the operation's - /// current capacity. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p capacity is larger than the operation's current capacity. - /// In this case, the operation object remains valid and its capacity - /// remains unchanged. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_set_capacity( - operation: *mut psa_key_derivation_operation_t, - capacity: usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_mac_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_mac_operation_t, } -unsafe extern "C" { - /// Provide an input for key derivation or key agreement. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function passes direct inputs, which is usually correct for - /// non-secret inputs. To pass a secret input, which should be in a key - /// object, call psa_key_derivation_input_key() instead of this function. - /// Refer to the documentation of individual step types - /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) - /// for more information. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param[in] data Input data to use. - /// \param data_length Size of the \p data buffer in bytes. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow direct inputs. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_bytes( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - data: *const u8, - data_length: usize, - ) -> psa_status_t; +impl Default for psa_driver_mac_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Provide a numeric input for key derivation or key agreement. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// However, when an algorithm requires a particular order, numeric inputs - /// usually come first as they tend to be configuration parameters. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function is used for inputs which are fixed-size non-negative - /// integers. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param[in] value The value of the numeric input. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow numeric inputs. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_integer( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - value: u64, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_aead_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_aead_operation_t, } -unsafe extern "C" { - /// Provide an input for key derivation in the form of a key. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function obtains input from a key object, which is usually correct for - /// secret inputs or for non-secret personalization strings kept in the key - /// store. To pass a non-secret parameter which is not in the key store, - /// call psa_key_derivation_input_bytes() instead of this function. - /// Refer to the documentation of individual step types - /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) - /// for more information. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param key Identifier of the key. It must have an - /// appropriate type for step and must allow the - /// usage #PSA_KEY_USAGE_DERIVE or - /// #PSA_KEY_USAGE_VERIFY_DERIVATION (see note) - /// and the algorithm used by the operation. - /// - /// \note Once all inputs steps are completed, the operations will allow: - /// - psa_key_derivation_output_bytes() if each input was either a direct input - /// or a key with #PSA_KEY_USAGE_DERIVE set; - /// - psa_key_derivation_output_key() if the input for step - /// #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD - /// was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was - /// either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; - /// - psa_key_derivation_verify_bytes() if each input was either a direct input - /// or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; - /// - psa_key_derivation_verify_key() under the same conditions as - /// psa_key_derivation_verify_bytes(). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key allows neither #PSA_KEY_USAGE_DERIVE nor - /// #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this - /// algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow key inputs of the given type - /// or does not allow key inputs at all. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_key( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - key: mbedtls_svc_key_id_t, - ) -> psa_status_t; +impl Default for psa_driver_aead_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Perform a key agreement and use the shared secret as input to a key - /// derivation. - /// - /// A key agreement algorithm takes two inputs: a private key \p private_key - /// a public key \p peer_key. - /// The result of this function is passed as input to a key derivation. - /// The output of this key derivation can be extracted by reading from the - /// resulting operation to produce keys and other cryptographic material. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() with a - /// key agreement and derivation algorithm - /// \c alg (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true - /// and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg) - /// is false). - /// The operation must be ready for an - /// input of the type given by \p step. - /// \param step Which step the input data is for. - /// \param private_key Identifier of the private key to use. It must - /// allow the usage #PSA_KEY_USAGE_DERIVE. - /// \param[in] peer_key Public key of the peer. The peer key must be in the - /// same format that psa_import_key() accepts for the - /// public key type corresponding to the type of - /// private_key. That is, this function performs the - /// equivalent of - /// #psa_import_key(..., - /// `peer_key`, `peer_key_length`) where - /// with key attributes indicating the public key - /// type corresponding to the type of `private_key`. - /// For example, for EC keys, this means that peer_key - /// is interpreted as a point on the curve that the - /// private key is on. The standard formats for public - /// keys are documented in the documentation of - /// psa_export_public_key(). - /// \param peer_key_length Size of \p peer_key in bytes. +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_sign_hash_interruptible_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_sign_hash_interruptible_operation_t, +} +impl Default for psa_driver_sign_hash_interruptible_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_verify_hash_interruptible_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_verify_hash_interruptible_operation_t, +} +impl Default for psa_driver_verify_hash_interruptible_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_pake_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_pake_operation_t, +} +impl Default for psa_driver_pake_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_mac_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_mac_size: u8, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub __bindgen_padding_0: u64, + pub private_ctx: psa_driver_mac_context_t, +} +impl Default for psa_mac_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_mac_operation_s { + #[inline] + pub fn private_is_sign(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_sign(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_sign_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_sign_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_is_sign: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_is_sign: u32 = unsafe { ::core::mem::transmute(private_is_sign) }; + private_is_sign as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_aead_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_alg: psa_algorithm_t, + pub private_key_type: psa_key_type_t, + pub private_ad_remaining: usize, + pub private_body_remaining: usize, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_ctx: psa_driver_aead_context_t, +} +impl Default for psa_aead_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_aead_operation_s { + #[inline] + pub fn private_nonce_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_nonce_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_nonce_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_nonce_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_lengths_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_lengths_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(1usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_lengths_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 1usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_lengths_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 1usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_ad_started(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_ad_started(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(2usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_ad_started_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 2usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_ad_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 2usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_body_started(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(3usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_body_started(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(3usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_body_started_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 3usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_body_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 3usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(4usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(4usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 4usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 4usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_nonce_set: ::core::ffi::c_uint, + private_lengths_set: ::core::ffi::c_uint, + private_ad_started: ::core::ffi::c_uint, + private_body_started: ::core::ffi::c_uint, + private_is_encrypt: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_nonce_set: u32 = unsafe { ::core::mem::transmute(private_nonce_set) }; + private_nonce_set as u64 + }); + __bindgen_bitfield_unit.set(1usize, 1u8, { + let private_lengths_set: u32 = unsafe { ::core::mem::transmute(private_lengths_set) }; + private_lengths_set as u64 + }); + __bindgen_bitfield_unit.set(2usize, 1u8, { + let private_ad_started: u32 = unsafe { ::core::mem::transmute(private_ad_started) }; + private_ad_started as u64 + }); + __bindgen_bitfield_unit.set(3usize, 1u8, { + let private_body_started: u32 = unsafe { ::core::mem::transmute(private_body_started) }; + private_body_started as u64 + }); + __bindgen_bitfield_unit.set(4usize, 1u8, { + let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; + private_is_encrypt as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_hkdf_key_derivation_t { + pub private_info: *mut u8, + pub private_info_length: usize, + pub private_offset_in_block: u8, + pub private_block_number: u8, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_output_block: [u8; 64usize], + pub private_prk: [u8; 64usize], + pub __bindgen_padding_0: [u64; 0usize], + pub private_hmac: psa_mac_operation_s, +} +impl Default for psa_hkdf_key_derivation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_hkdf_key_derivation_t { + #[inline] + pub fn private_state(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 2u8) as u32) } + } + #[inline] + pub fn set_private_state(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 2u8, val as u64) + } + } + #[inline] + pub unsafe fn private_state_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 2u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_state_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 2u8, + val as u64, + ) + } + } + #[inline] + pub fn private_info_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_info_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(2usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_info_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 2usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_info_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 2usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_state: ::core::ffi::c_uint, + private_info_set: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 2u8, { + let private_state: u32 = unsafe { ::core::mem::transmute(private_state) }; + private_state as u64 + }); + __bindgen_bitfield_unit.set(2usize, 1u8, { + let private_info_set: u32 = unsafe { ::core::mem::transmute(private_info_set) }; + private_info_set as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_tls12_ecjpake_to_pms_t { + pub private_data: [u8; 32usize], +} +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_INIT: + psa_tls12_prf_key_derivation_state_t = 0; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_SEED_SET: + psa_tls12_prf_key_derivation_state_t = 1; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OTHER_KEY_SET: + psa_tls12_prf_key_derivation_state_t = 2; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_KEY_SET: + psa_tls12_prf_key_derivation_state_t = 3; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_LABEL_SET: + psa_tls12_prf_key_derivation_state_t = 4; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OUTPUT: + psa_tls12_prf_key_derivation_state_t = 5; +pub type psa_tls12_prf_key_derivation_state_t = ::core::ffi::c_uint; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_tls12_prf_key_derivation_s { + pub private_left_in_block: u8, + pub private_block_number: u8, + pub private_state: psa_tls12_prf_key_derivation_state_t, + pub private_secret: *mut u8, + pub private_secret_length: usize, + pub private_seed: *mut u8, + pub private_seed_length: usize, + pub private_label: *mut u8, + pub private_label_length: usize, + pub private_other_secret: *mut u8, + pub private_other_secret_length: usize, + pub private_Ai: [u8; 64usize], + pub private_output_block: [u8; 64usize], +} +impl Default for psa_tls12_prf_key_derivation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub type psa_tls12_prf_key_derivation_t = psa_tls12_prf_key_derivation_s; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_key_derivation_context_t { + pub dummy: ::core::ffi::c_uint, + pub private_hkdf: psa_hkdf_key_derivation_t, + pub private_tls12_prf: psa_tls12_prf_key_derivation_t, + pub private_tls12_ecjpake_to_pms: psa_tls12_ecjpake_to_pms_t, +} +impl Default for psa_driver_key_derivation_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_key_derivation_s { + pub private_alg: psa_algorithm_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_capacity: usize, + pub __bindgen_padding_0: [u64; 0usize], + pub private_ctx: psa_driver_key_derivation_context_t, +} +impl Default for psa_key_derivation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_key_derivation_s { + #[inline] + pub fn private_can_output_key(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_can_output_key(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_can_output_key_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_can_output_key_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_can_output_key: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_can_output_key: u32 = + unsafe { ::core::mem::transmute(private_can_output_key) }; + private_can_output_key as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_custom_key_parameters_s { + pub flags: u32, +} +#[repr(C)] +#[derive(Default)] +pub struct psa_key_production_parameters_s { + pub flags: u32, + pub data: __IncompleteArrayField, +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_key_policy_s { + pub private_usage: psa_key_usage_t, + pub private_alg: psa_algorithm_t, + pub private_alg2: psa_algorithm_t, +} +pub type psa_key_policy_t = psa_key_policy_s; +pub type psa_key_bits_t = u16; +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_key_attributes_s { + pub private_type: psa_key_type_t, + pub private_bits: psa_key_bits_t, + pub private_lifetime: psa_key_lifetime_t, + pub private_policy: psa_key_policy_t, + pub private_id: mbedtls_svc_key_id_t, +} +/// \brief The context for PSA interruptible hash signing. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_sign_hash_interruptible_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_ctx: psa_driver_sign_hash_interruptible_context_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_num_ops: u32, +} +impl Default for psa_sign_hash_interruptible_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_sign_hash_interruptible_operation_s { + #[inline] + pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_error_occurred: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_error_occurred: u32 = + unsafe { ::core::mem::transmute(private_error_occurred) }; + private_error_occurred as u64 + }); + __bindgen_bitfield_unit + } +} +/// \brief The context for PSA interruptible hash verification. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_verify_hash_interruptible_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_ctx: psa_driver_verify_hash_interruptible_context_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_num_ops: u32, +} +impl Default for psa_verify_hash_interruptible_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_verify_hash_interruptible_operation_s { + #[inline] + pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_error_occurred: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_error_occurred: u32 = + unsafe { ::core::mem::transmute(private_error_occurred) }; + private_error_occurred as u64 + }); + __bindgen_bitfield_unit + } +} +unsafe extern "C" { + /// \brief Library initialization. + /// + /// Applications must call this function before calling any other + /// function in this module. + /// + /// Applications may call this function more than once. Once a call + /// succeeds, subsequent calls are guaranteed to succeed. + /// + /// If the application calls other functions before calling psa_crypto_init(), + /// the behavior is undefined. Implementations are encouraged to either perform + /// the operation as if the library had been initialized or to return + /// #PSA_ERROR_BAD_STATE or some other applicable error. In particular, + /// implementations should not return a success status if the lack of + /// initialization may have security implications, for example due to improper + /// seeding of the random number generator. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + pub fn psa_crypto_init() -> psa_status_t; +} +unsafe extern "C" { + /// Retrieve the attributes of a key. + /// + /// This function first resets the attribute structure as with + /// psa_reset_key_attributes(). It then copies the attributes of + /// the given key into the given attribute structure. + /// + /// \note This function may allocate memory or other resources. + /// Once you have called this function on an attribute structure, + /// you must call psa_reset_key_attributes() to free these resources. + /// + /// \param[in] key Identifier of the key to query. + /// \param[in,out] attributes On success, the attributes of the key. + /// On failure, equivalent to a + /// freshly-initialized structure. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_get_key_attributes( + key: mbedtls_svc_key_id_t, + attributes: *mut psa_key_attributes_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Reset a key attribute structure to a freshly initialized state. + /// + /// You must initialize the attribute structure as described in the + /// documentation of the type #psa_key_attributes_t before calling this + /// function. Once the structure has been initialized, you may call this + /// function at any time. + /// + /// This function frees any auxiliary resources that the structure + /// may contain. + /// + /// \param[in,out] attributes The attribute structure to reset. + pub fn psa_reset_key_attributes(attributes: *mut psa_key_attributes_t); +} +unsafe extern "C" { + /// Remove non-essential copies of key material from memory. + /// + /// If the key identifier designates a volatile key, this functions does not do + /// anything and returns successfully. + /// + /// If the key identifier designates a persistent key, then this function will + /// free all resources associated with the key in volatile memory. The key + /// data in persistent storage is not affected and the key can still be used. + /// + /// \param key Identifier of the key to purge. + /// + /// \retval #PSA_SUCCESS + /// The key material will have been removed from memory if it is not + /// currently required. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not a valid key identifier. + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_purge_key(key: mbedtls_svc_key_id_t) -> psa_status_t; +} +unsafe extern "C" { + /// Make a copy of a key. + /// + /// Copy key material from one location to another. + /// + /// This function is primarily useful to copy a key from one location + /// to another, since it populates a key using the material from + /// another key which may have a different lifetime. + /// + /// This function may be used to share a key with a different party, + /// subject to implementation-defined restrictions on key sharing. + /// + /// The policy on the source key must have the usage flag + /// #PSA_KEY_USAGE_COPY set. + /// This flag is sufficient to permit the copy if the key has the lifetime + /// #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT. + /// Some secure elements do not provide a way to copy a key without + /// making it extractable from the secure element. If a key is located + /// in such a secure element, then the key must have both usage flags + /// #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make + /// a copy of the key outside the secure element. + /// + /// The resulting key may only be used in a way that conforms to + /// both the policy of the original key and the policy specified in + /// the \p attributes parameter: + /// - The usage flags on the resulting key are the bitwise-and of the + /// usage flags on the source policy and the usage flags in \p attributes. + /// - If both allow the same algorithm or wildcard-based + /// algorithm policy, the resulting key has the same algorithm policy. + /// - If either of the policies allows an algorithm and the other policy + /// allows a wildcard-based algorithm policy that includes this algorithm, + /// the resulting key allows the same algorithm. + /// - If the policies do not allow any algorithm in common, this function + /// fails with the status #PSA_ERROR_INVALID_ARGUMENT. + /// + /// The effect of this function on implementation-defined attributes is + /// implementation-defined. + /// + /// \param source_key The key to copy. It must allow the usage + /// #PSA_KEY_USAGE_COPY. If a private or secret key is + /// being copied outside of a secure element it must + /// also allow #PSA_KEY_USAGE_EXPORT. + /// \param[in] attributes The attributes for the new key. + /// They are used as follows: + /// - The key type and size may be 0. If either is + /// nonzero, it must match the corresponding + /// attribute of the source key. + /// - The key location (the lifetime and, for + /// persistent keys, the key identifier) is + /// used directly. + /// - The policy constraints (usage flags and + /// algorithm policy) are combined from + /// the source key and \p attributes so that + /// both sets of restrictions apply, as + /// described in the documentation of this function. + /// \param[out] target_key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p source_key is invalid. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The lifetime or identifier in \p attributes are invalid, or + /// the policy constraints on the source and specified in + /// \p attributes are incompatible, or + /// \p attributes specifies a key type or key size + /// which does not match the attributes of the source key. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or + /// the source key is not exportable and its lifetime does not + /// allow copying it to the target's lifetime. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_copy_key( + source_key: mbedtls_svc_key_id_t, + attributes: *const psa_key_attributes_t, + target_key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Destroy a key. + /// + /// This function destroys a key from both volatile + /// memory and, if applicable, non-volatile storage. Implementations shall + /// make a best effort to ensure that the key material cannot be recovered. + /// + /// This function also erases any metadata such as policies and frees + /// resources associated with the key. + /// + /// If a key is currently in use in a multipart operation, then destroying the + /// key will cause the multipart operation to fail. + /// + /// \warning We can only guarantee that the the key material will + /// eventually be wiped from memory. With threading enabled + /// and during concurrent execution, copies of the key material may + /// still exist until all threads have finished using the key. + /// + /// \param key Identifier of the key to erase. If this is \c 0, do nothing and + /// return #PSA_SUCCESS. + /// + /// \retval #PSA_SUCCESS + /// \p key was a valid identifier and the key material that it + /// referred to has been erased. Alternatively, \p key is \c 0. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key cannot be erased because it is + /// read-only, either due to a policy or due to physical restrictions. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p key is not a valid identifier nor \c 0. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE + /// There was a failure in communication with the cryptoprocessor. + /// The key material may still be present in the cryptoprocessor. + /// \retval #PSA_ERROR_DATA_INVALID + /// This error is typically a result of either storage corruption on a + /// cleartext storage backend, or an attempt to read data that was + /// written by an incompatible version of the library. + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The storage is corrupted. Implementations shall make a best effort + /// to erase key material even in this stage, however applications + /// should be aware that it may be impossible to guarantee that the + /// key material is not recoverable in such cases. + /// \retval #PSA_ERROR_CORRUPTION_DETECTED + /// An unexpected condition which is not a storage corruption or + /// a communication failure occurred. The cryptoprocessor may have + /// been compromised. + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_destroy_key(key: mbedtls_svc_key_id_t) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Import a key in binary format. + /// + /// This function supports any output from psa_export_key(). Refer to the + /// documentation of psa_export_public_key() for the format of public keys + /// and to the documentation of psa_export_key() for the format for + /// other key types. + /// + /// The key data determines the key size. The attributes may optionally + /// specify a key size; in this case it must match the size determined + /// from the key data. A key size of 0 in \p attributes indicates that + /// the key size is solely determined by the key data. + /// + /// Implementations must reject an attempt to import a key of size 0. + /// + /// This specification supports a single format for each key type. + /// Implementations may support other formats as long as the standard + /// format is supported. Implementations that support other formats + /// should ensure that the formats are clearly unambiguous so as to + /// minimize the risk that an invalid input is accidentally interpreted + /// according to a different format. + /// + /// \param[in] attributes The attributes for the new key. + /// The key size is always determined from the + /// \p data buffer. + /// If the key size in \p attributes is nonzero, + /// it must be equal to the size from \p data. + /// \param[out] key On success, an identifier to the newly created key. + /// For persistent keys, this is the key identifier + /// defined in \p attributes. + /// \c 0 on failure. + /// \param[in] data Buffer containing the key data. The content of this + /// buffer is interpreted according to the type declared + /// in \p attributes. + /// All implementations must support at least the format + /// described in the documentation + /// of psa_export_key() or psa_export_public_key() for + /// the chosen type. Implementations may allow other + /// formats, but should be conservative: implementations + /// should err on the side of rejecting content if it + /// may be erroneous (e.g. wrong type or truncated data). + /// \param data_length Size of the \p data buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular persistent location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key attributes, as a whole, are invalid, or + /// the key data is not correctly formatted, or + /// the size in \p attributes is nonzero and does not match the size + /// of the key data. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_import_key( + attributes: *const psa_key_attributes_t, + data: *const u8, + data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Export a key in binary format. + /// + /// The output of this function can be passed to psa_import_key() to + /// create an equivalent object. + /// + /// If the implementation of psa_import_key() supports other formats + /// beyond the format specified here, the output from psa_export_key() + /// must use the representation specified here, not the original + /// representation. + /// + /// For standard key types, the output format is as follows: + /// + /// - For symmetric keys (including MAC keys), the format is the + /// raw bytes of the key. + /// - For DES, the key data consists of 8 bytes. The parity bits must be + /// correct. + /// - For Triple-DES, the format is the concatenation of the + /// two or three DES keys. + /// - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format + /// is the non-encrypted DER encoding of the representation defined by + /// PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0. + /// ``` + /// RSAPrivateKey ::= SEQUENCE { + /// version INTEGER, -- must be 0 + /// modulus INTEGER, -- n + /// publicExponent INTEGER, -- e + /// privateExponent INTEGER, -- d + /// prime1 INTEGER, -- p + /// prime2 INTEGER, -- q + /// exponent1 INTEGER, -- d mod (p-1) + /// exponent2 INTEGER, -- d mod (q-1) + /// coefficient INTEGER, -- (inverse of q) mod p + /// } + /// ``` + /// - For elliptic curve key pairs (key types for which + /// #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is + /// a representation of the private value as a `ceiling(m/8)`-byte string + /// where `m` is the bit size associated with the curve, i.e. the bit size + /// of the order of the curve's coordinate field. This byte string is + /// in little-endian order for Montgomery curves (curve types + /// `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass + /// curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX` + /// and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`). + /// For Weierstrass curves, this is the content of the `privateKey` field of + /// the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves, + /// the format is defined by RFC 7748, and output is masked according to §5. + /// For twisted Edwards curves, the private key is as defined by RFC 8032 + /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). + /// - For Diffie-Hellman key exchange key pairs (key types for which + /// #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the + /// format is the representation of the private key `x` as a big-endian byte + /// string. The length of the byte string is the private key size in bytes + /// (leading zeroes are not stripped). + /// - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is + /// true), the format is the same as for psa_export_public_key(). + /// + /// The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set. + /// + /// \param key Identifier of the key to export. It must allow the + /// usage #PSA_KEY_USAGE_EXPORT, unless it is a public + /// key. + /// \param[out] data Buffer where the key data is to be written. + /// \param data_size Size of the \p data buffer in bytes. + /// \param[out] data_length On success, the number of bytes + /// that make up the key data. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_EXPORT flag. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p data buffer is too small. You can determine a + /// sufficient buffer size by calling + /// #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits) + /// where \c type is the key type + /// and \c bits is the key size in bits. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_export_key( + key: mbedtls_svc_key_id_t, + data: *mut u8, + data_size: usize, + data_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Export a public key or the public part of a key pair in binary format. + /// + /// The output of this function can be passed to psa_import_key() to + /// create an object that is equivalent to the public key. + /// + /// This specification supports a single format for each key type. + /// Implementations may support other formats as long as the standard + /// format is supported. Implementations that support other formats + /// should ensure that the formats are clearly unambiguous so as to + /// minimize the risk that an invalid input is accidentally interpreted + /// according to a different format. + /// + /// For standard key types, the output format is as follows: + /// - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of + /// the representation defined by RFC 3279 §2.3.1 as `RSAPublicKey`. + /// ``` + /// RSAPublicKey ::= SEQUENCE { + /// modulus INTEGER, -- n + /// publicExponent INTEGER } -- e + /// ``` + /// - For elliptic curve keys on a twisted Edwards curve (key types for which + /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY + /// returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined + /// by RFC 8032 + /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). + /// - For other elliptic curve public keys (key types for which + /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed + /// representation defined by SEC1 §2.3.3 as the content of an ECPoint. + /// Let `m` be the bit size associated with the curve, i.e. the bit size of + /// `q` for a curve over `F_q`. The representation consists of: + /// - The byte 0x04; + /// - `x_P` as a `ceiling(m/8)`-byte string, big-endian; + /// - `y_P` as a `ceiling(m/8)`-byte string, big-endian. + /// - For Diffie-Hellman key exchange public keys (key types for which + /// #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true), + /// the format is the representation of the public key `y = g^x mod p` as a + /// big-endian byte string. The length of the byte string is the length of the + /// base prime `p` in bytes. + /// + /// Exporting a public key object or the public part of a key pair is + /// always permitted, regardless of the key's usage flags. + /// + /// \param key Identifier of the key to export. + /// \param[out] data Buffer where the key data is to be written. + /// \param data_size Size of the \p data buffer in bytes. + /// \param[out] data_length On success, the number of bytes + /// that make up the key data. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key is neither a public key nor a key pair. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p data buffer is too small. You can determine a + /// sufficient buffer size by calling + /// #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits) + /// where \c type is the key type + /// and \c bits is the key size in bits. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_export_public_key( + key: mbedtls_svc_key_id_t, + data: *mut u8, + data_size: usize, + data_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Calculate the hash (digest) of a message. + /// + /// \note To verify the hash of a message against an + /// expected value, use psa_hash_compare() instead. + /// + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param[in] input Buffer containing the message to hash. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] hash Buffer where the hash is to be written. + /// \param hash_size Size of the \p hash buffer in bytes. + /// \param[out] hash_length On success, the number of bytes + /// that make up the hash value. This is always + /// #PSA_HASH_LENGTH(\p alg). /// /// \retval #PSA_SUCCESS /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a hash algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p hash_size is too small + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_compute( + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + hash: *mut u8, + hash_size: usize, + hash_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Calculate the hash (digest) of a message and compare it with a + /// reference value. + /// + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param[in] input Buffer containing the message to hash. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] hash Buffer containing the expected hash value. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected hash is identical to the actual hash of the input. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The hash of the message was calculated successfully, but it + /// differs from the expected hash. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a hash algorithm. /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c private_key is not compatible with \c alg, - /// or \p peer_key is not valid for \c alg or not compatible with - /// \c private_key, or \c step does not allow an input resulting - /// from a key agreement. + /// \p input_length or \p hash_length do not match the hash size for \p alg + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_compare( + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + hash: *const u8, + hash_length: usize, + ) -> psa_status_t; +} +/// The type of the state data structure for multipart hash operations. +/// +/// Before calling any function on a hash operation object, the application must +/// initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_hash_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_hash_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT, +/// for example: +/// \code +/// psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_hash_operation_init() +/// to the structure, for example: +/// \code +/// psa_hash_operation_t operation; +/// operation = psa_hash_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_hash_operation_t = psa_hash_operation_s; +unsafe extern "C" { + /// Set up a multipart hash operation. + /// + /// The sequence of operations to calculate a hash (message digest) + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT. + /// -# Call psa_hash_setup() to specify the algorithm. + /// -# Call psa_hash_update() zero, one or more times, passing a fragment + /// of the message each time. The hash that is calculated is the hash + /// of the concatenation of these messages in order. + /// -# To calculate the hash, call psa_hash_finish(). + /// To compare the hash with an expected value, call psa_hash_verify(). + /// + /// If an error occurs at any step after a call to psa_hash_setup(), the + /// operation will need to be reset by a call to psa_hash_abort(). The + /// application may call psa_hash_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_hash_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_hash_finish() or psa_hash_verify(). + /// - A call to psa_hash_abort(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_hash_operation_t and not yet in use. + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// + /// \retval #PSA_SUCCESS + /// Success. /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a key derivation algorithm. + /// \p alg is not a supported hash algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p alg is not a hash algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this key agreement \p step, - /// or the library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_key_agreement( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - private_key: mbedtls_svc_key_id_t, - peer_key: *const u8, - peer_key_length: usize, + pub fn psa_hash_setup( + operation: *mut psa_hash_operation_t, + alg: psa_algorithm_t, ) -> psa_status_t; } unsafe extern "C" { - /// Read some data from a key derivation operation. + /// Add a message fragment to a multipart hash operation. /// - /// This function calculates output bytes from a key derivation algorithm and - /// return those bytes. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the requested number of bytes from the - /// stream. - /// The operation's capacity decreases by the number of bytes read. + /// The application must call psa_hash_setup() before calling this function. /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[out] output Buffer where the output will be written. - /// \param output_length Number of bytes to output. + /// \param[in,out] operation Active hash operation. + /// \param[in] input Buffer containing the message fragment to hash. + /// \param input_length Size of the \p input buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// One of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_DERIVE. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// \p output_length bytes. Note that in this case, - /// no output is written to the output buffer. - /// The operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller output buffer. + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_update( + operation: *mut psa_hash_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Finish the calculation of the hash of a message. + /// + /// The application must call psa_hash_setup() before calling this function. + /// This function calculates the hash of the message formed by concatenating + /// the inputs passed to preceding calls to psa_hash_update(). + /// + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). + /// + /// \warning Applications should not call this function if they expect + /// a specific value for the hash. Call psa_hash_verify() instead. + /// Beware that comparing integrity or authenticity data such as + /// hash values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the hashed data which could allow an attacker to guess + /// a valid hash and thereby bypass security controls. + /// + /// \param[in,out] operation Active hash operation. + /// \param[out] hash Buffer where the hash is to be written. + /// \param hash_size Size of the \p hash buffer in bytes. + /// \param[out] hash_length On success, the number of bytes + /// that make up the hash value. This is always + /// #PSA_HASH_LENGTH(\c alg) where \c alg is the + /// hash algorithm that is calculated. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p hash buffer is too small. You can determine a + /// sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) + /// where \c alg is the hash algorithm that is calculated. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_finish( + operation: *mut psa_hash_operation_t, + hash: *mut u8, + hash_size: usize, + hash_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Finish the calculation of the hash of a message and compare it with + /// an expected value. + /// + /// The application must call psa_hash_setup() before calling this function. + /// This function calculates the hash of the message formed by concatenating + /// the inputs passed to preceding calls to psa_hash_update(). It then + /// compares the calculated hash with the expected hash passed as a + /// parameter to this function. + /// + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). + /// + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual hash and the expected hash is performed + /// in constant time. + /// + /// \param[in,out] operation Active hash operation. + /// \param[in] hash Buffer containing the expected hash value. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected hash is identical to the actual hash of the message. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The hash of the message was calculated successfully, but it + /// differs from the expected hash. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_output_bytes( - operation: *mut psa_key_derivation_operation_t, - output: *mut u8, - output_length: usize, + pub fn psa_hash_verify( + operation: *mut psa_hash_operation_t, + hash: *const u8, + hash_length: usize, ) -> psa_status_t; } unsafe extern "C" { - /// Derive a key from an ongoing key derivation operation. - /// - /// This function calculates output bytes from a key derivation algorithm - /// and uses those bytes to generate a key deterministically. - /// The key's location, usage policy, type and size are taken from - /// \p attributes. - /// - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads as many bytes as required from the - /// stream. - /// The operation's capacity decreases by the number of bytes read. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// How much output is produced and consumed from the operation, and how - /// the key is derived, depends on the key type and on the key size - /// (denoted \c bits below): - /// - /// - For key types for which the key is an arbitrary sequence of bytes - /// of a given size, this function is functionally equivalent to - /// calling #psa_key_derivation_output_bytes - /// and passing the resulting output to #psa_import_key. - /// However, this function has a security benefit: - /// if the implementation provides an isolation boundary then - /// the key material is not exposed outside the isolation boundary. - /// As a consequence, for these key types, this function always consumes - /// exactly (\c bits / 8) bytes from the operation. - /// The following key types defined in this specification follow this scheme: - /// - /// - #PSA_KEY_TYPE_AES; - /// - #PSA_KEY_TYPE_ARIA; - /// - #PSA_KEY_TYPE_CAMELLIA; - /// - #PSA_KEY_TYPE_DERIVE; - /// - #PSA_KEY_TYPE_HMAC; - /// - #PSA_KEY_TYPE_PASSWORD_HASH. - /// - /// - For ECC keys on a Montgomery elliptic curve - /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a - /// Montgomery curve), this function always draws a byte string whose - /// length is determined by the curve, and sets the mandatory bits - /// accordingly. That is: + /// Abort a hash operation. /// - /// - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte - /// string and process it as specified in RFC 7748 §5. - /// - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte - /// string and process it as specified in RFC 7748 §5. + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_hash_setup() again. /// - /// - For key types for which the key is represented by a single sequence of - /// \c bits bits with constraints as to which bit sequences are acceptable, - /// this function draws a byte string of length (\c bits / 8) bytes rounded - /// up to the nearest whole number of bytes. If the resulting byte string - /// is acceptable, it becomes the key, otherwise the drawn bytes are discarded. - /// This process is repeated until an acceptable byte string is drawn. - /// The byte string drawn from the operation is interpreted as specified - /// for the output produced by psa_export_key(). - /// The following key types defined in this specification follow this scheme: + /// You may call this function any time after the operation object has + /// been initialized by one of the methods described in #psa_hash_operation_t. /// - /// - #PSA_KEY_TYPE_DES. - /// Force-set the parity bits, but discard forbidden weak keys. - /// For 2-key and 3-key triple-DES, the three keys are generated - /// successively (for example, for 3-key triple-DES, - /// if the first 8 bytes specify a weak key and the next 8 bytes do not, - /// discard the first 8 bytes, use the next 8 bytes as the first key, - /// and continue reading output from the operation to derive the other - /// two keys). - /// - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group) - /// where \c group designates any Diffie-Hellman group) and - /// ECC keys on a Weierstrass elliptic curve - /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a - /// Weierstrass curve). - /// For these key types, interpret the byte string as integer - /// in big-endian order. Discard it if it is not in the range - /// [0, *N* - 2] where *N* is the boundary of the private key domain - /// (the prime *p* for Diffie-Hellman, the subprime *q* for DSA, - /// or the order of the curve's base point for ECC). - /// Add 1 to the resulting integer and use this as the private key *x*. - /// This method allows compliance to NIST standards, specifically - /// the methods titled "key-pair generation by testing candidates" - /// in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman, - /// in FIPS 186-4 §B.1.2 for DSA, and - /// in NIST SP 800-56A §5.6.1.2.2 or - /// FIPS 186-4 §B.4.2 for elliptic curve keys. + /// In particular, calling psa_hash_abort() after the operation has been + /// terminated by a call to psa_hash_abort(), psa_hash_finish() or + /// psa_hash_verify() is safe and has no effect. /// - /// - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR, - /// the way in which the operation output is consumed is - /// implementation-defined. + /// \param[in,out] operation Initialized hash operation. /// - /// In all cases, the data that is read is discarded from the operation. - /// The operation's capacity is decreased by the number of bytes read. + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_abort(operation: *mut psa_hash_operation_t) -> psa_status_t; +} +unsafe extern "C" { + /// Clone a hash operation. /// - /// For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET, - /// the input to that step must be provided with psa_key_derivation_input_key(). - /// Future versions of this specification may include additional restrictions - /// on the derived key based on the attributes and strength of the secret key. + /// This function copies the state of an ongoing hash operation to + /// a new operation object. In other words, this function is equivalent + /// to calling psa_hash_setup() on \p target_operation with the same + /// algorithm that \p source_operation was set up for, then + /// psa_hash_update() on \p target_operation with the same input that + /// that was passed to \p source_operation. After this function returns, the + /// two objects are independent, i.e. subsequent calls involving one of + /// the objects do not affect the other object. /// - /// \param[in] attributes The attributes for the new key. - /// If the key type to be created is - /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in - /// the policy must be the same as in the current - /// operation. - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[out] key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param[in] source_operation The active hash operation to clone. + /// \param[in,out] target_operation The operation object to set up. + /// It must be initialized but not active. /// - /// \retval #PSA_SUCCESS - /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// There was not enough data to create the desired key. - /// Note that in this case, no output is written to the output buffer. - /// The operation's capacity is set to 0, thus subsequent calls to - /// this function will not succeed, even with a smaller output buffer. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size is not supported, either by the - /// implementation in general or in this particular location. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The provided key attributes are not valid for the operation. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The #PSA_KEY_DERIVATION_INPUT_SECRET or - /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a - /// key; or one of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_DERIVE. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_SUCCESS \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The \p source_operation state is not valid (it must be active), or + /// the \p target_operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_output_key( - attributes: *const psa_key_attributes_t, - operation: *mut psa_key_derivation_operation_t, - key: *mut mbedtls_svc_key_id_t, + pub fn psa_hash_clone( + source_operation: *const psa_hash_operation_t, + target_operation: *mut psa_hash_operation_t, ) -> psa_status_t; } unsafe extern "C" { - /// Compare output data from a key derivation operation to an expected value. - /// - /// This function calculates output bytes from a key derivation algorithm and - /// compares those bytes to an expected value in constant time. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the expected number of bytes from the - /// stream before comparing them. - /// The operation's capacity decreases by the number of bytes read. - /// - /// This is functionally equivalent to the following code: - /// \code - /// psa_key_derivation_output_bytes(operation, tmp, output_length); - /// if (memcmp(output, tmp, output_length) != 0) - /// return PSA_ERROR_INVALID_SIGNATURE; - /// \endcode - /// except (1) it works even if the key's policy does not allow outputting the - /// bytes, and (2) the comparison will be done in constant time. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, - /// the operation enters an error state and must be aborted by calling - /// psa_key_derivation_abort(). + /// Calculate the MAC (message authentication code) of a message. /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[in] expected_output Buffer containing the expected derivation output. - /// \param output_length Length of the expected output; this is also the - /// number of bytes that will be read. + /// \note To verify the MAC of a message against an + /// expected value, use psa_mac_verify() instead. + /// Beware that comparing integrity or authenticity data such as + /// MAC values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the MAC value which could allow an attacker to guess + /// a valid MAC and thereby bypass security controls. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The output was read successfully, but it differs from the expected - /// output. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// One of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_VERIFY_DERIVATION. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// \p output_length bytes. Note that in this case, - /// the operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller expected output. + /// \param key Identifier of the key to use for the operation. It + /// must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \param[in] input Buffer containing the input message. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] mac Buffer where the MAC value is to be written. + /// \param mac_size Size of the \p mac buffer in bytes. + /// \param[out] mac_length On success, the number of bytes + /// that make up the MAC value. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p mac_size is too small /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_verify_bytes( - operation: *mut psa_key_derivation_operation_t, - expected_output: *const u8, - output_length: usize, + pub fn psa_mac_compute( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + mac: *mut u8, + mac_size: usize, + mac_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// Compare output data from a key derivation operation to an expected value - /// stored in a key object. - /// - /// This function calculates output bytes from a key derivation algorithm and - /// compares those bytes to an expected value, provided as key of type - /// #PSA_KEY_TYPE_PASSWORD_HASH. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the number of bytes corresponding to the - /// length of the expected value from the stream before comparing them. - /// The operation's capacity decreases by the number of bytes read. - /// - /// This is functionally equivalent to exporting the key and calling - /// psa_key_derivation_verify_bytes() on the result, except that it - /// works even if the key cannot be exported. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, - /// the operation enters an error state and must be aborted by calling - /// psa_key_derivation_abort(). + /// Calculate the MAC of a message and compare it with a reference value. /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH - /// containing the expected output. Its policy must - /// include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag - /// and the permitted algorithm must match the - /// operation. The value of this key was likely - /// computed by a previous call to - /// psa_key_derivation_output_key(). + /// \param key Identifier of the key to use for the operation. It + /// must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \param[in] input Buffer containing the input message. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] mac Buffer containing the expected MAC value. + /// \param mac_length Size of the \p mac buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_SUCCESS + /// The expected MAC is identical to the actual MAC of the input. /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The output was read successfully, but if differs from the expected - /// output. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// The key passed as the expected value does not exist. + /// The MAC of the message was calculated successfully, but it + /// differs from the expected value. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key passed as the expected value has an invalid type. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key passed as the expected value does not allow this usage or - /// this algorithm; or one of the inputs was a key whose policy didn't - /// allow #PSA_KEY_USAGE_VERIFY_DERIVATION. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// the length of the expected value. In this case, - /// the operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller expected output. + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_verify_key( - operation: *mut psa_key_derivation_operation_t, - expected: psa_key_id_t, + pub fn psa_mac_verify( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + mac: *const u8, + mac_length: usize, ) -> psa_status_t; } +/// The type of the state data structure for multipart MAC operations. +/// +/// Before calling any function on a MAC operation object, the application must +/// initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_mac_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_mac_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT, +/// for example: +/// \code +/// psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_mac_operation_init() +/// to the structure, for example: +/// \code +/// psa_mac_operation_t operation; +/// operation = psa_mac_operation_init(); +/// \endcode +/// +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_mac_operation_t = psa_mac_operation_s; unsafe extern "C" { - /// Abort a key derivation operation. + /// Set up a multipart MAC calculation operation. /// - /// Aborting an operation frees all associated resources except for the \c - /// operation structure itself. Once aborted, the operation object can be reused - /// for another operation by calling psa_key_derivation_setup() again. + /// This function sets up the calculation of the MAC + /// (message authentication code) of a byte string. + /// To verify the MAC of a message against an + /// expected value, use psa_mac_verify_setup() instead. /// - /// This function may be called at any time after the operation - /// object has been initialized as described in #psa_key_derivation_operation_t. + /// The sequence of operations to calculate a MAC is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. + /// -# Call psa_mac_sign_setup() to specify the algorithm and key. + /// -# Call psa_mac_update() zero, one or more times, passing a fragment + /// of the message each time. The MAC that is calculated is the MAC + /// of the concatenation of these messages in order. + /// -# At the end of the message, call psa_mac_sign_finish() to finish + /// calculating the MAC value and retrieve it. /// - /// In particular, it is valid to call psa_key_derivation_abort() twice, or to - /// call psa_key_derivation_abort() on an operation that has not been set up. + /// If an error occurs at any step after a call to psa_mac_sign_setup(), the + /// operation will need to be reset by a call to psa_mac_abort(). The + /// application may call psa_mac_abort() at any time after the operation + /// has been initialized. /// - /// \param[in,out] operation The operation to abort. + /// After a successful call to psa_mac_sign_setup(), the application must + /// eventually terminate the operation through one of the following methods: + /// - A successful call to psa_mac_sign_finish(). + /// - A call to psa_mac_abort(). /// - /// \retval #PSA_SUCCESS \emptydescription + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_mac_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. It + /// must remain valid until the operation terminates. + /// It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_abort(operation: *mut psa_key_derivation_operation_t) - -> psa_status_t; + pub fn psa_mac_sign_setup( + operation: *mut psa_mac_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// Perform a key agreement and return the raw shared secret. + /// Set up a multipart MAC verification operation. /// - /// \warning The raw result of a key agreement algorithm such as finite-field - /// Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should - /// not be used directly as key material. It should instead be passed as - /// input to a key derivation algorithm. To chain a key agreement with - /// a key derivation, use psa_key_derivation_key_agreement() and other - /// functions from the key derivation interface. + /// This function sets up the verification of the MAC + /// (message authentication code) of a byte string against an expected value. /// - /// \param alg The key agreement algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg) - /// is true). - /// \param private_key Identifier of the private key to use. It must - /// allow the usage #PSA_KEY_USAGE_DERIVE. - /// \param[in] peer_key Public key of the peer. It must be - /// in the same format that psa_import_key() - /// accepts. The standard formats for public - /// keys are documented in the documentation - /// of psa_export_public_key(). - /// \param peer_key_length Size of \p peer_key in bytes. - /// \param[out] output Buffer where the decrypted message is to - /// be written. - /// \param output_size Size of the \c output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. + /// The sequence of operations to verify a MAC is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. + /// -# Call psa_mac_verify_setup() to specify the algorithm and key. + /// -# Call psa_mac_update() zero, one or more times, passing a fragment + /// of the message each time. The MAC that is calculated is the MAC + /// of the concatenation of these messages in order. + /// -# At the end of the message, call psa_mac_verify_finish() to finish + /// calculating the actual MAC of the message and verify it against + /// the expected value. + /// + /// If an error occurs at any step after a call to psa_mac_verify_setup(), the + /// operation will need to be reset by a call to psa_mac_abort(). The + /// application may call psa_mac_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_mac_verify_setup(), the application must + /// eventually terminate the operation through one of the following methods: + /// - A successful call to psa_mac_verify_finish(). + /// - A call to psa_mac_abort(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_mac_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. It + /// must remain valid until the operation terminates. + /// It must allow the usage + /// PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). /// /// \retval #PSA_SUCCESS /// Success. /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p alg is not a key agreement algorithm, or - /// \p private_key is not compatible with \p alg, - /// or \p peer_key is not valid for \p alg or not compatible with - /// \p private_key. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p output_size is too small + /// \c key is not compatible with \c alg. /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not a supported key agreement algorithm. + /// \c alg is not supported or is not a MAC algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_raw_key_agreement( + pub fn psa_mac_verify_setup( + operation: *mut psa_mac_operation_t, + key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - private_key: mbedtls_svc_key_id_t, - peer_key: *const u8, - peer_key_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Generate random bytes. - /// - /// \warning This function **can** fail! Callers MUST check the return status - /// and MUST NOT use the content of the output buffer if the return - /// status is not #PSA_SUCCESS. - /// - /// \note To generate a key, use psa_generate_key() instead. - /// - /// \param[out] output Output buffer for the generated data. - /// \param output_size Number of bytes to generate and output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_generate_random(output: *mut u8, output_size: usize) -> psa_status_t; -} -unsafe extern "C" { - /// \brief Generate a key or key pair. - /// - /// The key is generated randomly. - /// Its location, usage policy, type and size are taken from \p attributes. + /// Add a message fragment to a multipart MAC operation. /// - /// Implementations must reject an attempt to generate a key of size 0. + /// The application must call psa_mac_sign_setup() or psa_mac_verify_setup() + /// before calling this function. /// - /// The following type-specific considerations apply: - /// - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), - /// the public exponent is 65537. - /// The modulus is a product of two probabilistic primes - /// between 2^{n-1} and 2^n where n is the bit size specified in the - /// attributes. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// \param[in] attributes The attributes for the new key. - /// \param[out] key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param[in,out] operation Active MAC operation. + /// \param[in] input Buffer containing the message fragment to add to + /// the MAC calculation. + /// \param input_length Size of the \p input buffer in bytes. /// /// \retval #PSA_SUCCESS /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_generate_key( - attributes: *const psa_key_attributes_t, - key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; -} -/// The type of the state data structure for interruptible hash -/// signing operations. -/// -/// Before calling any function on a sign hash operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer -/// #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation = -/// PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function -/// psa_sign_hash_interruptible_operation_init() to the structure, for -/// example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation; -/// operation = psa_sign_hash_interruptible_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_sign_hash_interruptible_operation_t = psa_sign_hash_interruptible_operation_s; -/// The type of the state data structure for interruptible hash -/// verification operations. -/// -/// Before calling any function on a sign hash operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer -/// #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation = -/// PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function -/// psa_verify_hash_interruptible_operation_init() to the structure, for -/// example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation; -/// operation = psa_verify_hash_interruptible_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_verify_hash_interruptible_operation_t = psa_verify_hash_interruptible_operation_s; -unsafe extern "C" { - /// \brief Set the maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note The time taken to execute a single op is - /// implementation specific and depends on - /// software, hardware, the algorithm, key type and - /// curve chosen. Even within a single operation, - /// successive ops can take differing amounts of - /// time. The only guarantee is that lower values - /// for \p max_ops means functions will block for a - /// lesser maximum amount of time. The functions - /// \c psa_sign_interruptible_get_num_ops() and - /// \c psa_verify_interruptible_get_num_ops() are - /// provided to help with tuning this value. - /// - /// \note This value defaults to - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which - /// means the whole operation will be done in one - /// go, regardless of the number of ops required. - /// - /// \note If more ops are needed to complete a - /// computation, #PSA_OPERATION_INCOMPLETE will be - /// returned by the function performing the - /// computation. It is then the caller's - /// responsibility to either call again with the - /// same operation context until it returns 0 or an - /// error code; or to call the relevant abort - /// function if the answer is no longer required. - /// - /// \note The interpretation of \p max_ops is also - /// implementation defined. On a hard real time - /// system, this can indicate a hard deadline, as a - /// real-time system needs a guarantee of not - /// spending more than X time, however care must be - /// taken in such an implementation to avoid the - /// situation whereby calls just return, not being - /// able to do any actual work within the allotted - /// time. On a non-real-time system, the - /// implementation can be more relaxed, but again - /// whether this number should be interpreted as as - /// hard or soft limit or even whether a less than - /// or equals as regards to ops executed in a - /// single call is implementation defined. - /// - /// \note For keys in local storage when no accelerator - /// driver applies, please see also the - /// documentation for \c mbedtls_ecp_set_max_ops(), - /// which is the internal implementation in these - /// cases. - /// - /// \warning With implementations that interpret this number - /// as a hard limit, setting this number too small - /// may result in an infinite loop, whereby each - /// call results in immediate return with no ops - /// done (as there is not enough time to execute - /// any), and thus no result will ever be achieved. - /// - /// \note This only applies to functions whose - /// documentation mentions they may return - /// #PSA_OPERATION_INCOMPLETE. - /// - /// \param max_ops The maximum number of ops to be executed in a - /// single call. This can be a number from 0 to - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 - /// is the least amount of work done per call. - pub fn psa_interruptible_set_max_ops(max_ops: u32); -} -unsafe extern "C" { - /// \brief Get the maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. This will return the last - /// value set by - /// \c psa_interruptible_set_max_ops() or - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if - /// that function has never been called. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \return Maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. - pub fn psa_interruptible_get_max_ops() -> u32; + pub fn psa_mac_update( + operation: *mut psa_mac_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Get the number of ops that a hash signing - /// operation has taken so far. If the operation - /// has completed, then this will represent the - /// number of ops required for the entire - /// operation. After initialization or calling - /// \c psa_sign_hash_interruptible_abort() on - /// the operation, a value of 0 will be returned. + /// Finish the calculation of the MAC of a message. /// - /// \note This interface is guaranteed re-entrant and - /// thus may be called from driver code. + /// The application must call psa_mac_sign_setup() before calling this function. + /// This function calculates the MAC of the message formed by concatenating + /// the inputs passed to preceding calls to psa_mac_update(). /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// This is a helper provided to help you tune the - /// value passed to \c - /// psa_interruptible_set_max_ops(). + /// \warning Applications should not call this function if they expect + /// a specific value for the MAC. Call psa_mac_verify_finish() instead. + /// Beware that comparing integrity or authenticity data such as + /// MAC values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the MAC value which could allow an attacker to guess + /// a valid MAC and thereby bypass security controls. /// - /// \param operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// \param[in,out] operation Active MAC operation. + /// \param[out] mac Buffer where the MAC value is to be written. + /// \param mac_size Size of the \p mac buffer in bytes. + /// \param[out] mac_length On success, the number of bytes + /// that make up the MAC value. This is always + /// #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg) + /// where \c key_type and \c key_bits are the type and + /// bit-size respectively of the key and \c alg is the + /// MAC algorithm that is calculated. /// - /// \return Number of ops that the operation has taken so - /// far. - pub fn psa_sign_hash_get_num_ops( - operation: *const psa_sign_hash_interruptible_operation_t, - ) -> u32; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p mac buffer is too small. You can determine a + /// sufficient buffer size by calling PSA_MAC_LENGTH(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active mac sign + /// operation), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_sign_finish( + operation: *mut psa_mac_operation_t, + mac: *mut u8, + mac_size: usize, + mac_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Get the number of ops that a hash verification - /// operation has taken so far. If the operation - /// has completed, then this will represent the - /// number of ops required for the entire - /// operation. After initialization or calling \c - /// psa_verify_hash_interruptible_abort() on the - /// operation, a value of 0 will be returned. + /// Finish the calculation of the MAC of a message and compare it with + /// an expected value. /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// The application must call psa_mac_verify_setup() before calling this function. + /// This function calculates the MAC of the message formed by concatenating + /// the inputs passed to preceding calls to psa_mac_update(). It then + /// compares the calculated MAC with the expected MAC passed as a + /// parameter to this function. /// - /// This is a helper provided to help you tune the - /// value passed to \c - /// psa_interruptible_set_max_ops(). + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// \param operation The \c - /// psa_verify_hash_interruptible_operation_t to - /// use. This must be initialized first. + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual MAC and the expected MAC is performed + /// in constant time. /// - /// \return Number of ops that the operation has taken so - /// far. - pub fn psa_verify_hash_get_num_ops( - operation: *const psa_verify_hash_interruptible_operation_t, - ) -> u32; + /// \param[in,out] operation Active MAC operation. + /// \param[in] mac Buffer containing the expected MAC value. + /// \param mac_length Size of the \p mac buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected MAC is identical to the actual MAC of the message. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The MAC of the message was calculated successfully, but it + /// differs from the expected MAC. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active mac verify + /// operation), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_verify_finish( + operation: *mut psa_mac_operation_t, + mac: *const u8, + mac_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Start signing a hash or short message with a - /// private key, in an interruptible manner. + /// Abort a MAC operation. /// - /// \see \c psa_sign_hash_complete() + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_mac_sign_setup() or psa_mac_verify_setup() again. /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// You may call this function any time after the operation object has + /// been initialized by one of the methods described in #psa_mac_operation_t. /// - /// \note This function combined with \c - /// psa_sign_hash_complete() is equivalent to - /// \c psa_sign_hash() but - /// \c psa_sign_hash_complete() can return early and - /// resume according to the limit set with \c - /// psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function call. + /// In particular, calling psa_mac_abort() after the operation has been + /// terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or + /// psa_mac_verify_finish() is safe and has no effect. /// - /// \note Users should call \c psa_sign_hash_complete() - /// repeatedly on the same context after a - /// successful call to this function until \c - /// psa_sign_hash_complete() either returns 0 or an - /// error. \c psa_sign_hash_complete() will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_sign_hash_abort() at any point if they no - /// longer want the result. + /// \param[in,out] operation Initialized MAC operation. /// - /// \note If this function returns an error status, the - /// operation enters an error state and must be - /// aborted by calling \c psa_sign_hash_abort(). + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_abort(operation: *mut psa_mac_operation_t) -> psa_status_t; +} +unsafe extern "C" { + /// Encrypt a message using a symmetric cipher. /// - /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// This function encrypts a message with a random IV (initialization + /// vector). Use the multipart operation interface with a + /// #psa_cipher_operation_t object to provide other forms of IV. /// /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. - /// \param alg A signature algorithm (\c PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message to sign. - /// \param hash_length Size of the \p hash buffer in bytes. + /// It must allow the usage #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// \param[in] input Buffer containing the message to encrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// The output contains the IV followed by + /// the ciphertext proper. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the output. /// /// \retval #PSA_SUCCESS - /// The operation started successfully - call \c psa_sign_hash_complete() - /// with the same context to complete the operation - /// + /// Success. /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does - /// not permit the requested algorithm. + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// An operation has previously been started on this context, and is - /// still in progress. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Decrypt a message using a symmetric cipher. + /// + /// This function decrypts a message encrypted with a symmetric cipher. + /// + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// \param[in] input Buffer containing the message to decrypt. + /// This consists of the IV followed by the + /// ciphertext proper. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the plaintext is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_sign_hash_start( - operation: *mut psa_sign_hash_interruptible_operation_t, + pub fn psa_cipher_decrypt( key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, ) -> psa_status_t; } +/// The type of the state data structure for multipart cipher operations. +/// +/// Before calling any function on a cipher operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_cipher_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_cipher_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT, +/// for example: +/// \code +/// psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_cipher_operation_init() +/// to the structure, for example: +/// \code +/// psa_cipher_operation_t operation; +/// operation = psa_cipher_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_cipher_operation_t = psa_cipher_operation_s; unsafe extern "C" { - /// \brief Continue and eventually complete the action of - /// signing a hash or short message with a private - /// key, in an interruptible manner. - /// - /// \see \c psa_sign_hash_start() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function combined with \c - /// psa_sign_hash_start() is equivalent to - /// \c psa_sign_hash() but this function can return - /// early and resume according to the limit set with - /// \c psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function call. + /// Set the key for a multipart symmetric encryption operation. /// - /// \note Users should call this function on the same - /// operation object repeatedly until it either - /// returns 0 or an error. This function will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_sign_hash_abort() at any point if they no - /// longer want the result. + /// The sequence of operations to encrypt a message with a symmetric cipher + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_cipher_operation_t, e.g. + /// #PSA_CIPHER_OPERATION_INIT. + /// -# Call psa_cipher_encrypt_setup() to specify the algorithm and key. + /// -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to + /// generate or set the IV (initialization vector). You should use + /// psa_cipher_generate_iv() unless the protocol you are implementing + /// requires a specific IV value. + /// -# Call psa_cipher_update() zero, one or more times, passing a fragment + /// of the message each time. + /// -# Call psa_cipher_finish(). /// - /// \note When this function returns successfully, the - /// operation becomes inactive. If this function - /// returns an error status, the operation enters an - /// error state and must be aborted by calling - /// \c psa_sign_hash_abort(). + /// If an error occurs at any step after a call to psa_cipher_encrypt_setup(), + /// the operation will need to be reset by a call to psa_cipher_abort(). The + /// application may call psa_cipher_abort() at any time after the operation + /// has been initialized. /// - /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first, and have - /// had \c psa_sign_hash_start() called with it - /// first. + /// After a successful call to psa_cipher_encrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_cipher_finish(). + /// - A call to psa_cipher_abort(). /// - /// \param[out] signature Buffer where the signature is to be written. - /// \param signature_size Size of the \p signature buffer in bytes. This - /// must be appropriate for the selected - /// algorithm and key: - /// - The required signature size is - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c - /// key_bits, \c alg) where \c key_type and \c - /// key_bits are the type and bit-size - /// respectively of key. - /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the - /// maximum signature size of any supported - /// signature algorithm. - /// \param[out] signature_length On success, the number of bytes that make up - /// the returned signature value. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_cipher_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). /// /// \retval #PSA_SUCCESS - /// Operation completed successfully - /// - /// \retval #PSA_OPERATION_INCOMPLETE - /// Operation was interrupted due to the setting of \c - /// psa_interruptible_set_max_ops(). There is still work to be done. - /// Call this function again with the same operation object. - /// - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// - /// \retval #PSA_ERROR_BAD_STATE - /// An operation was not previously started on this context via - /// \c psa_sign_hash_start(). - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has either not been previously initialized by - /// psa_crypto_init() or you did not previously call - /// psa_sign_hash_start() with this operation object. It is - /// implementation-dependent whether a failure to initialize results in - /// this error code. - pub fn psa_sign_hash_complete( - operation: *mut psa_sign_hash_interruptible_operation_t, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; -} -unsafe extern "C" { - /// \brief Abort a sign hash operation. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function is the only function that clears - /// the number of ops completed as part of the - /// operation. Please ensure you copy this value via - /// \c psa_sign_hash_get_num_ops() if required - /// before calling. - /// - /// \note Aborting an operation frees all associated - /// resources except for the \p operation structure - /// itself. Once aborted, the operation object can - /// be reused for another operation by calling \c - /// psa_sign_hash_start() again. - /// - /// \note You may call this function any time after the - /// operation object has been initialized. In - /// particular, calling \c psa_sign_hash_abort() - /// after the operation has already been terminated - /// by a call to \c psa_sign_hash_abort() or - /// psa_sign_hash_complete() is safe. - /// - /// \param[in,out] operation Initialized sign hash operation. - /// - /// \retval #PSA_SUCCESS - /// The operation was aborted successfully. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_sign_hash_abort( - operation: *mut psa_sign_hash_interruptible_operation_t, + pub fn psa_cipher_encrypt_setup( + operation: *mut psa_cipher_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Start reading and verifying a hash or short - /// message, in an interruptible manner. - /// - /// \see \c psa_verify_hash_complete() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function combined with \c - /// psa_verify_hash_complete() is equivalent to - /// \c psa_verify_hash() but \c - /// psa_verify_hash_complete() can return early and - /// resume according to the limit set with \c - /// psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function. + /// Set the key for a multipart symmetric decryption operation. /// - /// \note Users should call \c psa_verify_hash_complete() - /// repeatedly on the same operation object after a - /// successful call to this function until \c - /// psa_verify_hash_complete() either returns 0 or - /// an error. \c psa_verify_hash_complete() will - /// return #PSA_OPERATION_INCOMPLETE if there is - /// more work to do. Alternatively users can call - /// \c psa_verify_hash_abort() at any point if they - /// no longer want the result. + /// The sequence of operations to decrypt a message with a symmetric cipher + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_cipher_operation_t, e.g. + /// #PSA_CIPHER_OPERATION_INIT. + /// -# Call psa_cipher_decrypt_setup() to specify the algorithm and key. + /// -# Call psa_cipher_set_iv() with the IV (initialization vector) for the + /// decryption. If the IV is prepended to the ciphertext, you can call + /// psa_cipher_update() on a buffer containing the IV followed by the + /// beginning of the message. + /// -# Call psa_cipher_update() zero, one or more times, passing a fragment + /// of the message each time. + /// -# Call psa_cipher_finish(). /// - /// \note If this function returns an error status, the - /// operation enters an error state and must be - /// aborted by calling \c psa_verify_hash_abort(). + /// If an error occurs at any step after a call to psa_cipher_decrypt_setup(), + /// the operation will need to be reset by a call to psa_cipher_abort(). The + /// application may call psa_cipher_abort() at any time after the operation + /// has been initialized. /// - /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// After a successful call to psa_cipher_decrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_cipher_finish(). + /// - A call to psa_cipher_abort(). /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_cipher_operation_t and not yet in use. /// \param key Identifier of the key to use for the operation. - /// The key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_HASH. - /// \param alg A signature algorithm (\c PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash whose signature is to be verified. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[in] signature Buffer containing the signature to verify. - /// \param signature_length Size of the \p signature buffer in bytes. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). /// /// \retval #PSA_SUCCESS - /// The operation started successfully - please call \c - /// psa_verify_hash_complete() with the same context to complete the - /// operation. - /// - /// \retval #PSA_ERROR_BAD_STATE - /// Another operation has already been started on this context, and is - /// still in progress. - /// - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does - /// not permit the requested algorithm. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_verify_hash_start( - operation: *mut psa_verify_hash_interruptible_operation_t, + pub fn psa_cipher_decrypt_setup( + operation: *mut psa_cipher_operation_t, key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *const u8, - signature_length: usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Continue and eventually complete the action of - /// reading and verifying a hash or short message - /// signed with a private key, in an interruptible - /// manner. - /// - /// \see \c psa_verify_hash_start() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// Generate an IV for a symmetric encryption operation. /// - /// \note This function combined with \c - /// psa_verify_hash_start() is equivalent to - /// \c psa_verify_hash() but this function can - /// return early and resume according to the limit - /// set with \c psa_interruptible_set_max_ops() to - /// reduce the maximum time spent in a function - /// call. + /// This function generates a random IV (initialization vector), nonce + /// or initial counter value for the encryption operation as appropriate + /// for the chosen algorithm, key type and key size. /// - /// \note Users should call this function on the same - /// operation object repeatedly until it either - /// returns 0 or an error. This function will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_verify_hash_abort() at any point if they - /// no longer want the result. + /// The application must call psa_cipher_encrypt_setup() before + /// calling this function. /// - /// \note When this function returns successfully, the - /// operation becomes inactive. If this function - /// returns an error status, the operation enters an - /// error state and must be aborted by calling - /// \c psa_verify_hash_abort(). + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t - /// to use. This must be initialized first, and have - /// had \c psa_verify_hash_start() called with it - /// first. + /// \param[in,out] operation Active cipher operation. + /// \param[out] iv Buffer where the generated IV is to be written. + /// \param iv_size Size of the \p iv buffer in bytes. + /// \param[out] iv_length On success, the number of bytes of the + /// generated IV. /// /// \retval #PSA_SUCCESS - /// Operation completed successfully, and the passed signature is valid. - /// - /// \retval #PSA_OPERATION_INCOMPLETE - /// Operation was interrupted due to the setting of \c - /// psa_interruptible_set_max_ops(). There is still work to be done. - /// Call this function again with the same operation object. - /// - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed - /// signature is not a valid signature. - /// \retval #PSA_ERROR_BAD_STATE - /// An operation was not previously started on this context via - /// \c psa_verify_hash_start(). - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p iv buffer is too small. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has either not been previously initialized by - /// psa_crypto_init() or you did not previously call - /// psa_verify_hash_start() on this object. It is - /// implementation-dependent whether a failure to initialize results in - /// this error code. - pub fn psa_verify_hash_complete( - operation: *mut psa_verify_hash_interruptible_operation_t, + /// The operation state is not valid (it must be active, with no IV set), + /// or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_generate_iv( + operation: *mut psa_cipher_operation_t, + iv: *mut u8, + iv_size: usize, + iv_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Abort a verify hash operation. + /// Set the IV for a symmetric encryption or decryption operation. /// - /// \warning This is a beta API, and thus subject to change at - /// any point. It is not bound by the usual interface - /// stability promises. + /// This function sets the IV (initialization vector), nonce + /// or initial counter value for the encryption or decryption operation. /// - /// \note This function is the only function that clears the - /// number of ops completed as part of the operation. - /// Please ensure you copy this value via - /// \c psa_verify_hash_get_num_ops() if required - /// before calling. + /// The application must call psa_cipher_encrypt_setup() before + /// calling this function. /// - /// \note Aborting an operation frees all associated - /// resources except for the operation structure - /// itself. Once aborted, the operation object can be - /// reused for another operation by calling \c - /// psa_verify_hash_start() again. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \note You may call this function any time after the - /// operation object has been initialized. - /// In particular, calling \c psa_verify_hash_abort() - /// after the operation has already been terminated by - /// a call to \c psa_verify_hash_abort() or - /// psa_verify_hash_complete() is safe. + /// \note When encrypting, applications should use psa_cipher_generate_iv() + /// instead of this function, unless implementing a protocol that requires + /// a non-random IV. /// - /// \param[in,out] operation Initialized verify hash operation. + /// \param[in,out] operation Active cipher operation. + /// \param[in] iv Buffer containing the IV to use. + /// \param iv_length Size of the IV in bytes. /// /// \retval #PSA_SUCCESS - /// The operation was aborted successfully. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The size of \p iv is not acceptable for the chosen algorithm, + /// or the chosen algorithm does not use an IV. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be an active cipher + /// encrypt operation, with no IV set), or the library has not been + /// previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_verify_hash_abort( - operation: *mut psa_verify_hash_interruptible_operation_t, + pub fn psa_cipher_set_iv( + operation: *mut psa_cipher_operation_t, + iv: *const u8, + iv_length: usize, ) -> psa_status_t; } -/// \brief The GCM context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_gcm_context { - ///< The cipher context used. - pub private_cipher_ctx: mbedtls_cipher_context_t, - ///< Precalculated HTable low. - pub private_HL: [u64; 16usize], - ///< Precalculated HTable high. - pub private_HH: [u64; 16usize], - ///< The total length of the encrypted data. - pub private_len: u64, - ///< The total length of the additional data. - pub private_add_len: u64, - ///< The first ECTR for tag. - pub private_base_ectr: [::core::ffi::c_uchar; 16usize], - ///< The Y working value. - pub private_y: [::core::ffi::c_uchar; 16usize], - ///< The buf working value. - pub private_buf: [::core::ffi::c_uchar; 16usize], - ///< The operation to perform: - ///#MBEDTLS_GCM_ENCRYPT or - ///#MBEDTLS_GCM_DECRYPT. - pub private_mode: ::core::ffi::c_int, -} -impl Default for mbedtls_gcm_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { - /// \brief This function initializes the specified GCM context, - /// to make references valid, and prepares the context - /// for mbedtls_gcm_setkey() or mbedtls_gcm_free(). + /// Encrypt or decrypt a message fragment in an active cipher operation. /// - /// The function does not bind the GCM context to a particular - /// cipher, nor set the key. For this purpose, use - /// mbedtls_gcm_setkey(). + /// Before calling this function, you must: + /// 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(). + /// The choice of setup function determines whether this function + /// encrypts or decrypts its input. + /// 2. If the algorithm requires an IV, call psa_cipher_generate_iv() + /// (recommended when encrypting) or psa_cipher_set_iv(). /// - /// \param ctx The GCM context to initialize. This must not be \c NULL. - pub fn mbedtls_gcm_init(ctx: *mut mbedtls_gcm_context); -} -unsafe extern "C" { - /// \brief This function associates a GCM context with a - /// cipher algorithm and a key. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param cipher The 128-bit block cipher to use. - /// \param key The encryption key. This must be a readable buffer of at - /// least \p keybits bits. - /// \param keybits The key size in bits. Valid options are: - ///
  • 128 bits
    • - ///
  • 192 bits
    • - ///
  • 256 bits
+ /// \param[in,out] operation Active cipher operation. + /// \param[in] input Buffer containing the message fragment to + /// encrypt or decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A cipher-specific error code on failure. - pub fn mbedtls_gcm_setkey( - ctx: *mut mbedtls_gcm_context, - cipher: mbedtls_cipher_id_t, - key: *const ::core::ffi::c_uchar, - keybits: ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with an IV set + /// if required for the algorithm), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_update( + operation: *mut psa_cipher_operation_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function performs GCM encryption or decryption of a buffer. + /// Finish encrypting or decrypting a message in a cipher operation. /// - /// \note For encryption, the output buffer can be the same as the - /// input buffer. For decryption, the output buffer cannot be - /// the same as input buffer. If the buffers overlap, the output - /// buffer must trail at least 8 Bytes behind the input buffer. + /// The application must call psa_cipher_encrypt_setup() or + /// psa_cipher_decrypt_setup() before calling this function. The choice + /// of setup function determines whether this function encrypts or + /// decrypts its input. /// - /// \warning When this function performs a decryption, it outputs the - /// authentication tag and does not verify that the data is - /// authentic. You should use this function to perform encryption - /// only. For decryption, use mbedtls_gcm_auth_decrypt() instead. + /// This function finishes the encryption or decryption of the message + /// formed by concatenating the inputs passed to preceding calls to + /// psa_cipher_update(). /// - /// \param ctx The GCM context to use for encryption or decryption. This - /// must be initialized. - /// \param mode The operation to perform: - /// - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption. - /// The ciphertext is written to \p output and the - /// authentication tag is written to \p tag. - /// - #MBEDTLS_GCM_DECRYPT to perform decryption. - /// The plaintext is written to \p output and the - /// authentication tag is written to \p tag. - /// Note that this mode is not recommended, because it does - /// not verify the authenticity of the data. For this reason, - /// you should use mbedtls_gcm_auth_decrypt() instead of - /// calling this function in decryption mode. - /// \param length The length of the input data, which is equal to the length - /// of the output data. - /// \param iv The initialization vector. This must be a readable buffer of - /// at least \p iv_len Bytes. - /// \param iv_len The length of the IV. - /// \param add The buffer holding the additional data. This must be of at - /// least that size in Bytes. - /// \param add_len The length of the additional data. - /// \param input The buffer holding the input data. If \p length is greater - /// than zero, this must be a readable buffer of at least that - /// size in Bytes. - /// \param output The buffer for holding the output data. If \p length is greater - /// than zero, this must be a writable buffer of at least that - /// size in Bytes. - /// \param tag_len The length of the tag to generate. - /// \param tag The buffer for holding the tag. This must be a writable - /// buffer of at least \p tag_len Bytes. + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \return \c 0 if the encryption or decryption was performed - /// successfully. Note that in #MBEDTLS_GCM_DECRYPT mode, - /// this does not indicate that the data is authentic. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are - /// not valid or a cipher-specific error code if the encryption - /// or decryption failed. - pub fn mbedtls_gcm_crypt_and_tag( - ctx: *mut mbedtls_gcm_context, - mode: ::core::ffi::c_int, - length: usize, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - add: *const ::core::ffi::c_uchar, - add_len: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - tag_len: usize, - tag: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active cipher operation. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total input size passed to this operation is not valid for + /// this particular algorithm. For example, the algorithm is a based + /// on block cipher and requires a whole number of blocks, but the + /// total input size is not a multiple of the block size. + /// \retval #PSA_ERROR_INVALID_PADDING + /// This is a decryption operation for an algorithm that includes + /// padding, and the ciphertext does not contain valid padding. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with an IV set + /// if required for the algorithm), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_finish( + operation: *mut psa_cipher_operation_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function performs a GCM authenticated decryption of a - /// buffer. + /// Abort a cipher operation. /// - /// \note For decryption, the output buffer cannot be the same as - /// input buffer. If the buffers overlap, the output buffer - /// must trail at least 8 Bytes behind the input buffer. + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again. /// - /// \param ctx The GCM context. This must be initialized. - /// \param length The length of the ciphertext to decrypt, which is also - /// the length of the decrypted plaintext. - /// \param iv The initialization vector. This must be a readable buffer - /// of at least \p iv_len Bytes. - /// \param iv_len The length of the IV. - /// \param add The buffer holding the additional data. This must be of at - /// least that size in Bytes. - /// \param add_len The length of the additional data. - /// \param tag The buffer holding the tag to verify. This must be a - /// readable buffer of at least \p tag_len Bytes. - /// \param tag_len The length of the tag to verify. - /// \param input The buffer holding the ciphertext. If \p length is greater - /// than zero, this must be a readable buffer of at least that - /// size. - /// \param output The buffer for holding the decrypted plaintext. If \p length - /// is greater than zero, this must be a writable buffer of at - /// least that size. + /// You may call this function any time after the operation object has + /// been initialized as described in #psa_cipher_operation_t. /// - /// \return \c 0 if successful and authenticated. - /// \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are - /// not valid or a cipher-specific error code if the decryption - /// failed. - pub fn mbedtls_gcm_auth_decrypt( - ctx: *mut mbedtls_gcm_context, - length: usize, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - add: *const ::core::ffi::c_uchar, - add_len: usize, - tag: *const ::core::ffi::c_uchar, - tag_len: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// In particular, calling psa_cipher_abort() after the operation has been + /// terminated by a call to psa_cipher_abort() or psa_cipher_finish() + /// is safe and has no effect. + /// + /// \param[in,out] operation Initialized cipher operation. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_abort(operation: *mut psa_cipher_operation_t) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a GCM encryption or decryption - /// operation. + /// Process an authenticated encryption operation. /// - /// \param ctx The GCM context. This must be initialized. - /// \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or - /// #MBEDTLS_GCM_DECRYPT. - /// \param iv The initialization vector. This must be a readable buffer of - /// at least \p iv_len Bytes. - /// \param iv_len The length of the IV. + /// \param key Identifier of the key to use for the + /// operation. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param[in] nonce Nonce or IV to use. + /// \param nonce_length Size of the \p nonce buffer in bytes. + /// \param[in] additional_data Additional data that will be authenticated + /// but not encrypted. + /// \param additional_data_length Size of \p additional_data in bytes. + /// \param[in] plaintext Data that will be authenticated and + /// encrypted. + /// \param plaintext_length Size of \p plaintext in bytes. + /// \param[out] ciphertext Output buffer for the authenticated and + /// encrypted data. The additional data is not + /// part of this output. For algorithms where the + /// encrypted data and the authentication tag + /// are defined as separate outputs, the + /// authentication tag is appended to the + /// encrypted data. + /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, + /// \p alg, \p plaintext_length) where + /// \c key_type is the type of \p key. + /// - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p + /// plaintext_length) evaluates to the maximum + /// ciphertext size of any supported AEAD + /// encryption. + /// \param[out] ciphertext_length On success, the size of the output + /// in the \p ciphertext buffer. /// - /// \return \c 0 on success. - pub fn mbedtls_gcm_starts( - ctx: *mut mbedtls_gcm_context, - mode: ::core::ffi::c_int, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p ciphertext_size is too small. + /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg, + /// \p plaintext_length) or + /// #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to + /// determine the required buffer size. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + nonce: *const u8, + nonce_length: usize, + additional_data: *const u8, + additional_data_length: usize, + plaintext: *const u8, + plaintext_length: usize, + ciphertext: *mut u8, + ciphertext_size: usize, + ciphertext_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer as associated data - /// (authenticated but not encrypted data) in a GCM - /// encryption or decryption operation. - /// - /// Call this function after mbedtls_gcm_starts() to pass - /// the associated data. If the associated data is empty, - /// you do not need to call this function. You may not - /// call this function after calling mbedtls_cipher_update(). + /// Process an authenticated decryption operation. /// - /// \param ctx The GCM context. This must have been started with - /// mbedtls_gcm_starts() and must not have yet received - /// any input with mbedtls_gcm_update(). - /// \param add The buffer holding the additional data, or \c NULL - /// if \p add_len is \c 0. - /// \param add_len The length of the additional data. If \c 0, - /// \p add may be \c NULL. + /// \param key Identifier of the key to use for the + /// operation. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param[in] nonce Nonce or IV to use. + /// \param nonce_length Size of the \p nonce buffer in bytes. + /// \param[in] additional_data Additional data that has been authenticated + /// but not encrypted. + /// \param additional_data_length Size of \p additional_data in bytes. + /// \param[in] ciphertext Data that has been authenticated and + /// encrypted. For algorithms where the + /// encrypted data and the authentication tag + /// are defined as separate inputs, the buffer + /// must contain the encrypted data followed + /// by the authentication tag. + /// \param ciphertext_length Size of \p ciphertext in bytes. + /// \param[out] plaintext Output buffer for the decrypted data. + /// \param plaintext_size Size of the \p plaintext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, + /// \p alg, \p ciphertext_length) where + /// \c key_type is the type of \p key. + /// - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p + /// ciphertext_length) evaluates to the maximum + /// plaintext size of any supported AEAD + /// decryption. + /// \param[out] plaintext_length On success, the size of the output + /// in the \p plaintext buffer. /// - /// \return \c 0 on success. - pub fn mbedtls_gcm_update_ad( - ctx: *mut mbedtls_gcm_context, - add: *const ::core::ffi::c_uchar, - add_len: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The ciphertext is not authentic. + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p plaintext_size is too small. + /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg, + /// \p ciphertext_length) or + /// #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used + /// to determine the required buffer size. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_decrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + nonce: *const u8, + nonce_length: usize, + additional_data: *const u8, + additional_data_length: usize, + ciphertext: *const u8, + ciphertext_length: usize, + plaintext: *mut u8, + plaintext_size: usize, + plaintext_length: *mut usize, + ) -> psa_status_t; } +/// The type of the state data structure for multipart AEAD operations. +/// +/// Before calling any function on an AEAD operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_aead_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_aead_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT, +/// for example: +/// \code +/// psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_aead_operation_init() +/// to the structure, for example: +/// \code +/// psa_aead_operation_t operation; +/// operation = psa_aead_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_aead_operation_t = psa_aead_operation_s; unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing GCM - /// encryption or decryption operation. - /// - /// You may call this function zero, one or more times - /// to pass successive parts of the input: the plaintext to - /// encrypt, or the ciphertext (not including the tag) to - /// decrypt. After the last part of the input, call - /// mbedtls_gcm_finish(). + /// Set the key for a multipart authenticated encryption operation. /// - /// This function may produce output in one of the following - /// ways: - /// - Immediate output: the output length is always equal - /// to the input length. - /// - Buffered output: the output consists of a whole number - /// of 16-byte blocks. If the total input length so far - /// (not including associated data) is 16 \* *B* + *A* - /// with *A* < 16 then the total output length is 16 \* *B*. + /// The sequence of operations to encrypt a message with authentication + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_aead_operation_t, e.g. + /// #PSA_AEAD_OPERATION_INIT. + /// -# Call psa_aead_encrypt_setup() to specify the algorithm and key. + /// -# If needed, call psa_aead_set_lengths() to specify the length of the + /// inputs to the subsequent calls to psa_aead_update_ad() and + /// psa_aead_update(). See the documentation of psa_aead_set_lengths() + /// for details. + /// -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to + /// generate or set the nonce. You should use + /// psa_aead_generate_nonce() unless the protocol you are implementing + /// requires a specific nonce value. + /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment + /// of the non-encrypted additional authenticated data each time. + /// -# Call psa_aead_update() zero, one or more times, passing a fragment + /// of the message to encrypt each time. + /// -# Call psa_aead_finish(). /// - /// In particular: - /// - It is always correct to call this function with - /// \p output_size >= \p input_length + 15. - /// - If \p input_length is a multiple of 16 for all the calls - /// to this function during an operation, then it is - /// correct to use \p output_size = \p input_length. + /// If an error occurs at any step after a call to psa_aead_encrypt_setup(), + /// the operation will need to be reset by a call to psa_aead_abort(). The + /// application may call psa_aead_abort() at any time after the operation + /// has been initialized. /// - /// \note For decryption, the output buffer cannot be the same as - /// input buffer. If the buffers overlap, the output buffer - /// must trail at least 8 Bytes behind the input buffer. + /// After a successful call to psa_aead_encrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_aead_finish(). + /// - A call to psa_aead_abort(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param input The buffer holding the input data. If \p input_length - /// is greater than zero, this must be a readable buffer - /// of at least \p input_length bytes. - /// \param input_length The length of the input data in bytes. - /// \param output The buffer for the output data. If \p output_size - /// is greater than zero, this must be a writable buffer of - /// of at least \p output_size bytes. - /// \param output_size The size of the output buffer in bytes. - /// See the function description regarding the output size. - /// \param output_length On success, \p *output_length contains the actual - /// length of the output written in \p output. - /// On failure, the content of \p *output_length is - /// unspecified. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_aead_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: - /// total input length too long, - /// unsupported input/output buffer overlap detected, - /// or \p output_size too small. - pub fn mbedtls_gcm_update( - ctx: *mut mbedtls_gcm_context, - input: *const ::core::ffi::c_uchar, - input_length: usize, - output: *mut ::core::ffi::c_uchar, - output_size: usize, - output_length: *mut usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_encrypt_setup( + operation: *mut psa_aead_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function finishes the GCM operation and generates - /// the authentication tag. + /// Set the key for a multipart authenticated decryption operation. /// - /// It wraps up the GCM stream, and generates the - /// tag. The tag can have a maximum length of 16 Bytes. + /// The sequence of operations to decrypt a message with authentication + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_aead_operation_t, e.g. + /// #PSA_AEAD_OPERATION_INIT. + /// -# Call psa_aead_decrypt_setup() to specify the algorithm and key. + /// -# If needed, call psa_aead_set_lengths() to specify the length of the + /// inputs to the subsequent calls to psa_aead_update_ad() and + /// psa_aead_update(). See the documentation of psa_aead_set_lengths() + /// for details. + /// -# Call psa_aead_set_nonce() with the nonce for the decryption. + /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment + /// of the non-encrypted additional authenticated data each time. + /// -# Call psa_aead_update() zero, one or more times, passing a fragment + /// of the ciphertext to decrypt each time. + /// -# Call psa_aead_verify(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param tag The buffer for holding the tag. This must be a writable - /// buffer of at least \p tag_len Bytes. - /// \param tag_len The length of the tag to generate. This must be at least - /// four. - /// \param output The buffer for the final output. - /// If \p output_size is nonzero, this must be a writable - /// buffer of at least \p output_size bytes. - /// \param output_size The size of the \p output buffer in bytes. - /// This must be large enough for the output that - /// mbedtls_gcm_update() has not produced. In particular: - /// - If mbedtls_gcm_update() produces immediate output, - /// or if the total input size is a multiple of \c 16, - /// then mbedtls_gcm_finish() never produces any output, - /// so \p output_size can be \c 0. - /// - \p output_size never needs to be more than \c 15. - /// \param output_length On success, \p *output_length contains the actual - /// length of the output written in \p output. - /// On failure, the content of \p *output_length is - /// unspecified. + /// If an error occurs at any step after a call to psa_aead_decrypt_setup(), + /// the operation will need to be reset by a call to psa_aead_abort(). The + /// application may call psa_aead_abort() at any time after the operation + /// has been initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: - /// invalid value of \p tag_len, - /// or \p output_size too small. - pub fn mbedtls_gcm_finish( - ctx: *mut mbedtls_gcm_context, - output: *mut ::core::ffi::c_uchar, - output_size: usize, - output_length: *mut usize, - tag: *mut ::core::ffi::c_uchar, - tag_len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function clears a GCM context and the underlying - /// cipher sub-context. + /// After a successful call to psa_aead_decrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_aead_verify(). + /// - A call to psa_aead_abort(). /// - /// \param ctx The GCM context to clear. If this is \c NULL, the call has - /// no effect. Otherwise, this must be initialized. - pub fn mbedtls_gcm_free(ctx: *mut mbedtls_gcm_context); -} -unsafe extern "C" { - /// \brief The GCM checkup routine. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_aead_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_gcm_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_DECRYPT: psa_encrypt_or_decrypt_t = 0; -pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_ENCRYPT: psa_encrypt_or_decrypt_t = 1; -/// For encrypt-decrypt functions, whether the operation is an encryption -/// or a decryption. -pub type psa_encrypt_or_decrypt_t = ::core::ffi::c_uint; -/// \brief MD5 context structure -/// -/// \warning MD5 is considered a weak message digest and its use -/// constitutes a security risk. We recommend considering -/// stronger message digests instead. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md5_context { - ///< number of bytes processed - pub private_total: [u32; 2usize], - ///< intermediate digest state - pub private_state: [u32; 4usize], - ///< data block being processed - pub private_buffer: [::core::ffi::c_uchar; 64usize], -} -impl Default for mbedtls_md5_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_decrypt_setup( + operation: *mut psa_aead_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Initialize MD5 context + /// Generate a random nonce for an authenticated encryption operation. /// - /// \param ctx MD5 context to be initialized + /// This function generates a random nonce for the authenticated encryption + /// operation with an appropriate size for the chosen algorithm, key type + /// and key size. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_init(ctx: *mut mbedtls_md5_context); -} -unsafe extern "C" { - /// \brief Clear MD5 context + /// The application must call psa_aead_encrypt_setup() before + /// calling this function. /// - /// \param ctx MD5 context to be cleared + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_free(ctx: *mut mbedtls_md5_context); + /// \param[in,out] operation Active AEAD operation. + /// \param[out] nonce Buffer where the generated nonce is to be + /// written. + /// \param nonce_size Size of the \p nonce buffer in bytes. + /// \param[out] nonce_length On success, the number of bytes of the + /// generated nonce. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p nonce buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active aead encrypt + /// operation, with no nonce set), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_generate_nonce( + operation: *mut psa_aead_operation_t, + nonce: *mut u8, + nonce_size: usize, + nonce_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Clone (the state of) an MD5 context + /// Set the nonce for an authenticated encryption or decryption operation. /// - /// \param dst The destination context - /// \param src The context to be cloned + /// This function sets the nonce for the authenticated + /// encryption or decryption operation. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_clone(dst: *mut mbedtls_md5_context, src: *const mbedtls_md5_context); -} -unsafe extern "C" { - /// \brief MD5 context setup + /// The application must call psa_aead_encrypt_setup() or + /// psa_aead_decrypt_setup() before calling this function. /// - /// \param ctx context to be initialized + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \note When encrypting, applications should use psa_aead_generate_nonce() + /// instead of this function, unless implementing a protocol that requires + /// a non-random IV. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_starts(ctx: *mut mbedtls_md5_context) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[in] nonce Buffer containing the nonce to use. + /// \param nonce_length Size of the nonce in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The size of \p nonce is not acceptable for the chosen algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with no nonce + /// set), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_set_nonce( + operation: *mut psa_aead_operation_t, + nonce: *const u8, + nonce_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief MD5 process buffer + /// Declare the lengths of the message and additional data for AEAD. /// - /// \param ctx MD5 context - /// \param input buffer holding the data - /// \param ilen length of the input data + /// The application must call this function before calling + /// psa_aead_update_ad() or psa_aead_update() if the algorithm for + /// the operation requires it. If the algorithm does not require it, + /// calling this function is optional, but if this function is called + /// then the implementation must enforce the lengths. /// - /// \return 0 if successful + /// You may call this function before or after setting the nonce with + /// psa_aead_set_nonce() or psa_aead_generate_nonce(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_update( - ctx: *mut mbedtls_md5_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief MD5 final digest + /// - For #PSA_ALG_CCM, calling this function is required. + /// - For the other AEAD algorithms defined in this specification, calling + /// this function is not required. + /// - For vendor-defined algorithm, refer to the vendor documentation. /// - /// \param ctx MD5 context - /// \param output MD5 checksum result + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \param[in,out] operation Active AEAD operation. + /// \param ad_length Size of the non-encrypted additional + /// authenticated data in bytes. + /// \param plaintext_length Size of the plaintext to encrypt in bytes. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_finish( - ctx: *mut mbedtls_md5_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// At least one of the lengths is not acceptable for the chosen + /// algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and + /// psa_aead_update_ad() and psa_aead_update() must not have been + /// called yet), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_set_lengths( + operation: *mut psa_aead_operation_t, + ad_length: usize, + plaintext_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief MD5 process data block (internal use only) + /// Pass additional data to an active AEAD operation. /// - /// \param ctx MD5 context - /// \param data buffer holding one block of data + /// Additional data is authenticated, but not encrypted. /// - /// \return 0 if successful + /// You may call this function multiple times to pass successive fragments + /// of the additional data. You may not call this function after passing + /// data to encrypt or decrypt with psa_aead_update(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_internal_md5_process( - ctx: *mut mbedtls_md5_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Output = MD5( input buffer ) + /// Before calling this function, you must: + /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). + /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). /// - /// \param input buffer holding the data - /// \param ilen length of the input data - /// \param output MD5 checksum result + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, + /// there is no guarantee that the input is valid. Therefore, until + /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS, + /// treat the input as untrusted and prepare to undo any action that + /// depends on the input if psa_aead_verify() returns an error status. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[in] input Buffer containing the fragment of + /// additional data. + /// \param input_length Size of the \p input buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total input length overflows the additional data length that + /// was previously specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, have a nonce + /// set, have lengths set if required by the algorithm, and + /// psa_aead_update() must not have been called yet), or the library + /// has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_update_ad( + operation: *mut psa_aead_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// Encrypt or decrypt a message fragment in an active AEAD operation. /// - /// \return 0 if successful, or 1 if the test failed + /// Before calling this function, you must: + /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). + /// The choice of setup function determines whether this function + /// encrypts or decrypts its input. + /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). + /// 3. Call psa_aead_update_ad() to pass all the additional data. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -/// \brief RIPEMD-160 context structure -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ripemd160_context { - ///< number of bytes processed - pub private_total: [u32; 2usize], - ///< intermediate digest state - pub private_state: [u32; 5usize], - ///< data block being processed - pub private_buffer: [::core::ffi::c_uchar; 64usize], -} -impl Default for mbedtls_ripemd160_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief Initialize RIPEMD-160 context + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \param ctx RIPEMD-160 context to be initialized - pub fn mbedtls_ripemd160_init(ctx: *mut mbedtls_ripemd160_context); -} -unsafe extern "C" { - /// \brief Clear RIPEMD-160 context + /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, + /// there is no guarantee that the input is valid. Therefore, until + /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS: + /// - Do not use the output in any way other than storing it in a + /// confidential location. If you take any action that depends + /// on the tentative decrypted data, this action will need to be + /// undone if the input turns out not to be valid. Furthermore, + /// if an adversary can observe that this action took place + /// (for example through timing), they may be able to use this + /// fact as an oracle to decrypt any message encrypted with the + /// same key. + /// - In particular, do not copy the output anywhere but to a + /// memory or storage space that you have exclusive access to. /// - /// \param ctx RIPEMD-160 context to be cleared - pub fn mbedtls_ripemd160_free(ctx: *mut mbedtls_ripemd160_context); + /// This function does not require the input to be aligned to any + /// particular block boundary. If the implementation can only process + /// a whole block at a time, it must consume all the input provided, but + /// it may delay the end of the corresponding output until a subsequent + /// call to psa_aead_update(), psa_aead_finish() or psa_aead_verify() + /// provides sufficient input. The amount of data that can be delayed + /// in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE. + /// + /// \param[in,out] operation Active AEAD operation. + /// \param[in] input Buffer containing the message fragment to + /// encrypt or decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, + /// \c alg, \p input_length) where + /// \c key_type is the type of key and \c alg is + /// the algorithm that were used to set up the + /// operation. + /// - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p + /// input_length) evaluates to the maximum + /// output size of any supported AEAD + /// algorithm. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or + /// #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to + /// determine the required buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total input length overflows the plaintext length that + /// was previously specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, have a nonce + /// set, and have lengths set if required by the algorithm), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_update( + operation: *mut psa_aead_operation_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Clone (the state of) a RIPEMD-160 context + /// Finish encrypting a message in an AEAD operation. /// - /// \param dst The destination context - /// \param src The context to be cloned - pub fn mbedtls_ripemd160_clone( - dst: *mut mbedtls_ripemd160_context, - src: *const mbedtls_ripemd160_context, - ); -} -unsafe extern "C" { - /// \brief RIPEMD-160 context setup + /// The operation must have been set up with psa_aead_encrypt_setup(). /// - /// \param ctx context to be initialized + /// This function finishes the authentication of the additional data + /// formed by concatenating the inputs passed to preceding calls to + /// psa_aead_update_ad() with the plaintext formed by concatenating the + /// inputs passed to preceding calls to psa_aead_update(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_starts(ctx: *mut mbedtls_ripemd160_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief RIPEMD-160 process buffer + /// This function has two output buffers: + /// - \p ciphertext contains trailing ciphertext that was buffered from + /// preceding calls to psa_aead_update(). + /// - \p tag contains the authentication tag. /// - /// \param ctx RIPEMD-160 context - /// \param input buffer holding the data - /// \param ilen length of the input data + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_update( - ctx: *mut mbedtls_ripemd160_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[out] ciphertext Buffer where the last part of the ciphertext + /// is to be written. + /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, + /// \c alg) where \c key_type is the type of key + /// and \c alg is the algorithm that were used to + /// set up the operation. + /// - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to + /// the maximum output size of any supported AEAD + /// algorithm. + /// \param[out] ciphertext_length On success, the number of bytes of + /// returned ciphertext. + /// \param[out] tag Buffer where the authentication tag is + /// to be written. + /// \param tag_size Size of the \p tag buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c + /// key_type, \c key_bits, \c alg) where + /// \c key_type and \c key_bits are the type and + /// bit-size of the key, and \c alg is the + /// algorithm that were used in the call to + /// psa_aead_encrypt_setup(). + /// - #PSA_AEAD_TAG_MAX_SIZE evaluates to the + /// maximum tag size of any supported AEAD + /// algorithm. + /// \param[out] tag_length On success, the number of bytes + /// that make up the returned tag. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p ciphertext or \p tag buffer is too small. + /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or + /// #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the + /// required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type, + /// \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to + /// determine the required \p tag buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total length of input to psa_aead_update() so far is + /// less than the plaintext length that was previously + /// specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active encryption + /// operation with a nonce set), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_finish( + operation: *mut psa_aead_operation_t, + ciphertext: *mut u8, + ciphertext_size: usize, + ciphertext_length: *mut usize, + tag: *mut u8, + tag_size: usize, + tag_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief RIPEMD-160 final digest + /// Finish authenticating and decrypting a message in an AEAD operation. /// - /// \param ctx RIPEMD-160 context - /// \param output RIPEMD-160 checksum result + /// The operation must have been set up with psa_aead_decrypt_setup(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_finish( - ctx: *mut mbedtls_ripemd160_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief RIPEMD-160 process data block (internal use only) + /// This function finishes the authenticated decryption of the message + /// components: /// - /// \param ctx RIPEMD-160 context - /// \param data buffer holding one block of data + /// - The additional data consisting of the concatenation of the inputs + /// passed to preceding calls to psa_aead_update_ad(). + /// - The ciphertext consisting of the concatenation of the inputs passed to + /// preceding calls to psa_aead_update(). + /// - The tag passed to this function call. /// - /// \return 0 if successful - pub fn mbedtls_internal_ripemd160_process( - ctx: *mut mbedtls_ripemd160_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Output = RIPEMD-160( input buffer ) + /// If the authentication tag is correct, this function outputs any remaining + /// plaintext and reports success. If the authentication tag is not correct, + /// this function returns #PSA_ERROR_INVALID_SIGNATURE. /// - /// \param input buffer holding the data - /// \param ilen length of the input data - /// \param output RIPEMD-160 checksum result + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual tag and the expected tag is performed + /// in constant time. + /// + /// \param[in,out] operation Active AEAD operation. + /// \param[out] plaintext Buffer where the last part of the plaintext + /// is to be written. This is the remaining data + /// from previous calls to psa_aead_update() + /// that could not be processed until the end + /// of the input. + /// \param plaintext_size Size of the \p plaintext buffer in bytes. + /// This must be appropriate for the selected algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, + /// \c alg) where \c key_type is the type of key + /// and \c alg is the algorithm that were used to + /// set up the operation. + /// - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to + /// the maximum output size of any supported AEAD + /// algorithm. + /// \param[out] plaintext_length On success, the number of bytes of + /// returned plaintext. + /// \param[in] tag Buffer containing the authentication tag. + /// \param tag_length Size of the \p tag buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculations were successful, but the authentication tag is + /// not correct. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p plaintext buffer is too small. + /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or + /// #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the + /// required buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total length of input to psa_aead_update() so far is + /// less than the plaintext length that was previously + /// specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active decryption + /// operation with a nonce set), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_verify( + operation: *mut psa_aead_operation_t, + plaintext: *mut u8, + plaintext_size: usize, + plaintext_length: *mut usize, + tag: *const u8, + tag_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// Abort an AEAD operation. /// - /// \return 0 if successful, or 1 if the test failed - pub fn mbedtls_ripemd160_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha1_context { - pub work_area: [::core::ffi::c_uchar; 208usize], -} -impl Default for mbedtls_sha1_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again. + /// + /// You may call this function any time after the operation object has + /// been initialized as described in #psa_aead_operation_t. + /// + /// In particular, calling psa_aead_abort() after the operation has been + /// terminated by a call to psa_aead_abort(), psa_aead_finish() or + /// psa_aead_verify() is safe and has no effect. + /// + /// \param[in,out] operation Initialized AEAD operation. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_abort(operation: *mut psa_aead_operation_t) -> psa_status_t; } unsafe extern "C" { - /// \brief This function initializes a SHA-1 context. - /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \brief Sign a message with a private key. For hash-and-sign algorithms, + /// this includes the hashing step. /// - /// \param ctx The SHA-1 context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_sha1_init(ctx: *mut mbedtls_sha1_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-1 context. + /// \note To perform a multi-part hash-and-sign signature algorithm, first use + /// a multi-part hash operation and then pass the resulting hash to + /// psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the + /// hash algorithm to use. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param[in] key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) + /// is true), that is compatible with the type of + /// \p key. + /// \param[in] input The input message to sign. + /// \param[in] input_length Size of the \p input buffer in bytes. + /// \param[out] signature Buffer where the signature is to be written. + /// \param[in] signature_size Size of the \p signature buffer in bytes. This + /// must be appropriate for the selected + /// algorithm and key: + /// - The required signature size is + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and + /// bit-size respectively of key. + /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the + /// maximum signature size of any supported + /// signature algorithm. + /// \param[out] signature_length On success, the number of bytes that make up + /// the returned signature value. /// - /// \param ctx The SHA-1 context to clear. This may be \c NULL, - /// in which case this function does nothing. If it is - /// not \c NULL, it must point to an initialized - /// SHA-1 context. - pub fn mbedtls_sha1_free(ctx: *mut mbedtls_sha1_context); + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, + /// or it does not permit the requested algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_message( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function clones the state of a SHA-1 context. + /// \brief Verify the signature of a message with a public key, using + /// a hash-and-sign verification algorithm. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \note To perform a multi-part hash-and-sign signature verification + /// algorithm, first use a multi-part hash operation to hash the message + /// and then pass the resulting hash to psa_verify_hash(). + /// PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm + /// to use. /// - /// \param dst The SHA-1 context to clone to. This must be initialized. - /// \param src The SHA-1 context to clone from. This must be initialized. - pub fn mbedtls_sha1_clone(dst: *mut mbedtls_sha1_context, src: *const mbedtls_sha1_context); + /// \param[in] key Identifier of the key to use for the operation. + /// It must be a public key or an asymmetric key + /// pair. The key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) + /// is true), that is compatible with the type of + /// \p key. + /// \param[in] input The message whose signature is to be verified. + /// \param[in] input_length Size of the \p input buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param[in] signature_length Size of the \p signature buffer in bytes. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, + /// or it does not permit the requested algorithm. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed signature + /// is not a valid signature. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_message( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a SHA-1 checksum calculation. + /// \brief Sign a hash or short message with a private key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// Note that to perform a hash-and-sign signature algorithm, you must + /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() + /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). + /// Then pass the resulting hash as the \p hash + /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) + /// to determine the hash algorithm to use. /// - /// \param ctx The SHA-1 context to initialize. This must be initialized. + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. + /// \param alg A signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message to sign. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[out] signature Buffer where the signature is to be written. + /// \param signature_size Size of the \p signature buffer in bytes. + /// \param[out] signature_length On success, the number of bytes + /// that make up the returned signature value. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_starts(ctx: *mut mbedtls_sha1_context) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing SHA-1 - /// checksum calculation. + /// \brief Verify the signature of a hash or short message using a public key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// Note that to perform a hash-and-sign signature algorithm, you must + /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() + /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). + /// Then pass the resulting hash as the \p hash + /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) + /// to determine the hash algorithm to use. /// - /// \param ctx The SHA-1 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the input data. - /// This must be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data \p input in Bytes. + /// \param key Identifier of the key to use for the operation. It + /// must be a public key or an asymmetric key pair. The + /// key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_HASH. + /// \param alg A signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message whose signature is to be + /// verified. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param signature_length Size of the \p signature buffer in bytes. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_update( - ctx: *mut mbedtls_sha1_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// The signature is valid. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed + /// signature is not a valid signature. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function finishes the SHA-1 operation, and writes - /// the result to the output buffer. + /// \brief Encrypt a short message with a public key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param key Identifier of the key to use for the operation. + /// It must be a public key or an asymmetric key + /// pair. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg An asymmetric encryption algorithm that is + /// compatible with the type of \p key. + /// \param[in] input The message to encrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] salt A salt or label, if supported by the + /// encryption algorithm. + /// If the algorithm does not support a + /// salt, pass \c NULL. + /// If the algorithm supports an optional + /// salt and you do not want to pass a salt, + /// pass \c NULL. /// - /// \param ctx The SHA-1 context to use. This must be initialized and - /// have a hash operation started. - /// \param output The SHA-1 checksum result. This must be a writable - /// buffer of length \c 20 Bytes. + /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is + /// supported. + /// \param salt_length Size of the \p salt buffer in bytes. + /// If \p salt is \c NULL, pass 0. + /// \param[out] output Buffer where the encrypted message is to + /// be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_finish( - ctx: *mut mbedtls_sha1_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_asymmetric_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + salt: *const u8, + salt_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief SHA-1 process data block (internal use only). + /// \brief Decrypt a short message with a private key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. It must + /// allow the usage #PSA_KEY_USAGE_DECRYPT. + /// \param alg An asymmetric encryption algorithm that is + /// compatible with the type of \p key. + /// \param[in] input The message to decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] salt A salt or label, if supported by the + /// encryption algorithm. + /// If the algorithm does not support a + /// salt, pass \c NULL. + /// If the algorithm supports an optional + /// salt and you do not want to pass a salt, + /// pass \c NULL. /// - /// \param ctx The SHA-1 context to use. This must be initialized. - /// \param data The data block being processed. This must be a - /// readable buffer of length \c 64 Bytes. + /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is + /// supported. + /// \param salt_length Size of the \p salt buffer in bytes. + /// If \p salt is \c NULL, pass 0. + /// \param[out] output Buffer where the decrypted message is to + /// be written. + /// \param output_size Size of the \c output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha1_process( - ctx: *mut mbedtls_sha1_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INVALID_PADDING \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_asymmetric_decrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + salt: *const u8, + salt_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } +/// The type of the state data structure for key derivation operations. +/// +/// Before calling any function on a key derivation operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_key_derivation_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_key_derivation_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT, +/// for example: +/// \code +/// psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_key_derivation_operation_init() +/// to the structure, for example: +/// \code +/// psa_key_derivation_operation_t operation; +/// operation = psa_key_derivation_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_key_derivation_operation_t = psa_key_derivation_s; unsafe extern "C" { - /// \brief This function calculates the SHA-1 checksum of a buffer. + /// Set up a key derivation operation. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// A key derivation algorithm takes some inputs and uses them to generate + /// a byte stream in a deterministic way. + /// This byte stream can be used to produce keys and other + /// cryptographic material. /// - /// The SHA-1 result is calculated as - /// output = SHA-1(input buffer). + /// To derive a key: + /// -# Start with an initialized object of type #psa_key_derivation_operation_t. + /// -# Call psa_key_derivation_setup() to select the algorithm. + /// -# Provide the inputs for the key derivation by calling + /// psa_key_derivation_input_bytes() or psa_key_derivation_input_key() + /// as appropriate. Which inputs are needed, in what order, and whether + /// they may be keys and if so of what type depends on the algorithm. + /// -# Optionally set the operation's maximum capacity with + /// psa_key_derivation_set_capacity(). You may do this before, in the middle + /// of or after providing inputs. For some algorithms, this step is mandatory + /// because the output depends on the maximum capacity. + /// -# To derive a key, call psa_key_derivation_output_key() or + /// psa_key_derivation_output_key_custom(). + /// To derive a byte string for a different purpose, call + /// psa_key_derivation_output_bytes(). + /// Successive calls to these functions use successive output bytes + /// calculated by the key derivation algorithm. + /// -# Clean up the key derivation operation object with + /// psa_key_derivation_abort(). /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// If this function returns an error, the key derivation operation object is + /// not changed. /// - /// \param input The buffer holding the input data. - /// This must be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data \p input in Bytes. - /// \param output The SHA-1 checksum result. - /// This must be a writable buffer of length \c 20 Bytes. + /// If an error occurs at any step after a call to psa_key_derivation_setup(), + /// the operation will need to be reset by a call to psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-1 checkup routine. + /// Implementations must reject an attempt to derive a key of size 0. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param[in,out] operation The key derivation operation object + /// to set up. It must + /// have been initialized but not set up yet. + /// \param alg The key derivation algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true). /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha1_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha256_context { - pub work_area: [::core::ffi::c_uchar; 208usize], - pub is224: ::core::ffi::c_uchar, -} -impl Default for mbedtls_sha256_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c alg is not a key derivation algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \c alg is not supported or is not a key derivation algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_setup( + operation: *mut psa_key_derivation_operation_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function initializes a SHA-256 context. + /// Retrieve the current capacity of a key derivation operation. /// - /// \param ctx The SHA-256 context to initialize. This must not be \c NULL. - pub fn mbedtls_sha256_init(ctx: *mut mbedtls_sha256_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-256 context. + /// The capacity of a key derivation is the maximum number of bytes that it can + /// return. When you get *N* bytes of output from a key derivation operation, + /// this reduces its capacity by *N*. /// - /// \param ctx The SHA-256 context to clear. This may be \c NULL, in which - /// case this function returns immediately. If it is not \c NULL, - /// it must point to an initialized SHA-256 context. - pub fn mbedtls_sha256_free(ctx: *mut mbedtls_sha256_context); -} -unsafe extern "C" { - /// \brief This function clones the state of a SHA-256 context. + /// \param[in] operation The operation to query. + /// \param[out] capacity On success, the capacity of the operation. /// - /// \param dst The destination context. This must be initialized. - /// \param src The context to clone. This must be initialized. - pub fn mbedtls_sha256_clone( - dst: *mut mbedtls_sha256_context, - src: *const mbedtls_sha256_context, - ); + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_get_capacity( + operation: *const psa_key_derivation_operation_t, + capacity: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a SHA-224 or SHA-256 checksum - /// calculation. + /// Set the maximum capacity of a key derivation operation. /// - /// \param ctx The context to use. This must be initialized. - /// \param is224 This determines which function to use. This must be - /// either \c 0 for SHA-256, or \c 1 for SHA-224. + /// The capacity of a key derivation operation is the maximum number of bytes + /// that the key derivation operation can return from this point onwards. /// - /// \note is224 must be defined accordingly to the enabled - /// MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the - /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// \param[in,out] operation The key derivation operation object to modify. + /// \param capacity The new capacity of the operation. + /// It must be less or equal to the operation's + /// current capacity. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_starts( - ctx: *mut mbedtls_sha256_context, - is224: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p capacity is larger than the operation's current capacity. + /// In this case, the operation object remains valid and its capacity + /// remains unchanged. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_set_capacity( + operation: *mut psa_key_derivation_operation_t, + capacity: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// SHA-256 checksum calculation. + /// Provide an input for key derivation or key agreement. /// - /// \param ctx The SHA-256 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the data. This must be a readable - /// buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. + /// Which inputs are required and in what order depends on the algorithm. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_update( - ctx: *mut mbedtls_sha256_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function finishes the SHA-256 operation, and writes - /// the result to the output buffer. + /// This function passes direct inputs, which is usually correct for + /// non-secret inputs. To pass a secret input, which should be in a key + /// object, call psa_key_derivation_input_key() instead of this function. + /// Refer to the documentation of individual step types + /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) + /// for more information. /// - /// \param ctx The SHA-256 context. This must be initialized - /// and have a hash operation started. - /// \param output The SHA-224 or SHA-256 checksum result. - /// This must be a writable buffer of length \c 32 bytes - /// for SHA-256, \c 28 bytes for SHA-224. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_finish( - ctx: *mut mbedtls_sha256_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param[in] data Input data to use. + /// \param data_length Size of the \p data buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow direct inputs. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_bytes( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + data: *const u8, + data_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function processes a single data block within - /// the ongoing SHA-256 computation. This function is for - /// internal use only. + /// Provide a numeric input for key derivation or key agreement. /// - /// \param ctx The SHA-256 context. This must be initialized. - /// \param data The buffer holding one block of data. This must - /// be a readable buffer of length \c 64 Bytes. + /// Which inputs are required and in what order depends on the algorithm. + /// However, when an algorithm requires a particular order, numeric inputs + /// usually come first as they tend to be configuration parameters. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha256_process( - ctx: *mut mbedtls_sha256_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// This function is used for inputs which are fixed-size non-negative + /// integers. + /// + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param[in] value The value of the numeric input. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow numeric inputs. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_integer( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + value: u64, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function calculates the SHA-224 or SHA-256 - /// checksum of a buffer. + /// Provide an input for key derivation in the form of a key. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// Which inputs are required and in what order depends on the algorithm. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// The SHA-256 result is calculated as - /// output = SHA-256(input buffer). + /// This function obtains input from a key object, which is usually correct for + /// secret inputs or for non-secret personalization strings kept in the key + /// store. To pass a non-secret parameter which is not in the key store, + /// call psa_key_derivation_input_bytes() instead of this function. + /// Refer to the documentation of individual step types + /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) + /// for more information. /// - /// \param input The buffer holding the data. This must be a readable - /// buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. - /// \param output The SHA-224 or SHA-256 checksum result. - /// This must be a writable buffer of length \c 32 bytes - /// for SHA-256, \c 28 bytes for SHA-224. - /// \param is224 Determines which function to use. This must be - /// either \c 0 for SHA-256, or \c 1 for SHA-224. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param key Identifier of the key. It must have an + /// appropriate type for step and must allow the + /// usage #PSA_KEY_USAGE_DERIVE or + /// #PSA_KEY_USAGE_VERIFY_DERIVATION (see note) + /// and the algorithm used by the operation. + /// + /// \note Once all inputs steps are completed, the operations will allow: + /// - psa_key_derivation_output_bytes() if each input was either a direct input + /// or a key with #PSA_KEY_USAGE_DERIVE set; + /// - psa_key_derivation_output_key() or psa_key_derivation_output_key_custom() + /// if the input for step + /// #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD + /// was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was + /// either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; + /// - psa_key_derivation_verify_bytes() if each input was either a direct input + /// or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; + /// - psa_key_derivation_verify_key() under the same conditions as + /// psa_key_derivation_verify_bytes(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - is224: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key allows neither #PSA_KEY_USAGE_DERIVE nor + /// #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this + /// algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow key inputs of the given type + /// or does not allow key inputs at all. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_key( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + key: mbedtls_svc_key_id_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief The SHA-224 checkup routine. + /// Perform a key agreement and use the shared secret as input to a key + /// derivation. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha224_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-256 checkup routine. + /// A key agreement algorithm takes two inputs: a private key \p private_key + /// a public key \p peer_key. + /// The result of this function is passed as input to a key derivation. + /// The output of this key derivation can be extracted by reading from the + /// resulting operation to produce keys and other cryptographic material. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha256_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha512_context { - pub work_area: [::core::ffi::c_uchar; 304usize], - pub is384: ::core::ffi::c_uchar, -} -impl Default for mbedtls_sha512_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief This function initializes a SHA-512 context. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \param ctx The SHA-512 context to initialize. This must - /// not be \c NULL. - pub fn mbedtls_sha512_init(ctx: *mut mbedtls_sha512_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-512 context. + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() with a + /// key agreement and derivation algorithm + /// \c alg (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true + /// and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg) + /// is false). + /// The operation must be ready for an + /// input of the type given by \p step. + /// \param step Which step the input data is for. + /// \param private_key Identifier of the private key to use. It must + /// allow the usage #PSA_KEY_USAGE_DERIVE. + /// \param[in] peer_key Public key of the peer. The peer key must be in the + /// same format that psa_import_key() accepts for the + /// public key type corresponding to the type of + /// private_key. That is, this function performs the + /// equivalent of + /// #psa_import_key(..., + /// `peer_key`, `peer_key_length`) where + /// with key attributes indicating the public key + /// type corresponding to the type of `private_key`. + /// For example, for EC keys, this means that peer_key + /// is interpreted as a point on the curve that the + /// private key is on. The standard formats for public + /// keys are documented in the documentation of + /// psa_export_public_key(). + /// \param peer_key_length Size of \p peer_key in bytes. /// - /// \param ctx The SHA-512 context to clear. This may be \c NULL, - /// in which case this function does nothing. If it - /// is not \c NULL, it must point to an initialized - /// SHA-512 context. - pub fn mbedtls_sha512_free(ctx: *mut mbedtls_sha512_context); + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c private_key is not compatible with \c alg, + /// or \p peer_key is not valid for \c alg or not compatible with + /// \c private_key, or \c step does not allow an input resulting + /// from a key agreement. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \c alg is not supported or is not a key derivation algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this key agreement \p step, + /// or the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_key_agreement( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + private_key: mbedtls_svc_key_id_t, + peer_key: *const u8, + peer_key_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function clones the state of a SHA-512 context. + /// Read some data from a key derivation operation. /// - /// \param dst The destination context. This must be initialized. - /// \param src The context to clone. This must be initialized. - pub fn mbedtls_sha512_clone( - dst: *mut mbedtls_sha512_context, - src: *const mbedtls_sha512_context, - ); -} -unsafe extern "C" { - /// \brief This function starts a SHA-384 or SHA-512 checksum - /// calculation. + /// This function calculates output bytes from a key derivation algorithm and + /// return those bytes. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the requested number of bytes from the + /// stream. + /// The operation's capacity decreases by the number of bytes read. /// - /// \param ctx The SHA-512 context to use. This must be initialized. - /// \param is384 Determines which function to use. This must be - /// either \c 0 for SHA-512, or \c 1 for SHA-384. + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \note is384 must be defined accordingly to the enabled - /// MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the - /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[out] output Buffer where the output will be written. + /// \param output_length Number of bytes to output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_starts( - ctx: *mut mbedtls_sha512_context, - is384: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// One of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// \p output_length bytes. Note that in this case, + /// no output is written to the output buffer. + /// The operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_bytes( + operation: *mut psa_key_derivation_operation_t, + output: *mut u8, + output_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// SHA-512 checksum calculation. + /// Derive a key from an ongoing key derivation operation. /// - /// \param ctx The SHA-512 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the input data. This must - /// be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. + /// This function calculates output bytes from a key derivation algorithm + /// and uses those bytes to generate a key deterministically. + /// The key's location, usage policy, type and size are taken from + /// \p attributes. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_update( - ctx: *mut mbedtls_sha512_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function finishes the SHA-512 operation, and writes - /// the result to the output buffer. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads as many bytes as required from the + /// stream. + /// The operation's capacity decreases by the number of bytes read. /// - /// \param ctx The SHA-512 context. This must be initialized - /// and have a hash operation started. - /// \param output The SHA-384 or SHA-512 checksum result. - /// This must be a writable buffer of length \c 64 bytes - /// for SHA-512, \c 48 bytes for SHA-384. + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_finish( - ctx: *mut mbedtls_sha512_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function processes a single data block within - /// the ongoing SHA-512 computation. - /// This function is for internal use only. + /// How much output is produced and consumed from the operation, and how + /// the key is derived, depends on the key type and on the key size + /// (denoted \c bits below): /// - /// \param ctx The SHA-512 context. This must be initialized. - /// \param data The buffer holding one block of data. This - /// must be a readable buffer of length \c 128 Bytes. + /// - For key types for which the key is an arbitrary sequence of bytes + /// of a given size, this function is functionally equivalent to + /// calling #psa_key_derivation_output_bytes + /// and passing the resulting output to #psa_import_key. + /// However, this function has a security benefit: + /// if the implementation provides an isolation boundary then + /// the key material is not exposed outside the isolation boundary. + /// As a consequence, for these key types, this function always consumes + /// exactly (\c bits / 8) bytes from the operation. + /// The following key types defined in this specification follow this scheme: /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha512_process( - ctx: *mut mbedtls_sha512_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function calculates the SHA-512 or SHA-384 - /// checksum of a buffer. + /// - #PSA_KEY_TYPE_AES; + /// - #PSA_KEY_TYPE_ARIA; + /// - #PSA_KEY_TYPE_CAMELLIA; + /// - #PSA_KEY_TYPE_DERIVE; + /// - #PSA_KEY_TYPE_HMAC; + /// - #PSA_KEY_TYPE_PASSWORD_HASH. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// - For ECC keys on a Montgomery elliptic curve + /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a + /// Montgomery curve), this function always draws a byte string whose + /// length is determined by the curve, and sets the mandatory bits + /// accordingly. That is: /// - /// The SHA-512 result is calculated as - /// output = SHA-512(input buffer). + /// - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte + /// string and process it as specified in RFC 7748 §5. + /// - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte + /// string and process it as specified in RFC 7748 §5. /// - /// \param input The buffer holding the input data. This must be - /// a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. - /// \param output The SHA-384 or SHA-512 checksum result. - /// This must be a writable buffer of length \c 64 bytes - /// for SHA-512, \c 48 bytes for SHA-384. - /// \param is384 Determines which function to use. This must be either - /// \c 0 for SHA-512, or \c 1 for SHA-384. + /// - For key types for which the key is represented by a single sequence of + /// \c bits bits with constraints as to which bit sequences are acceptable, + /// this function draws a byte string of length (\c bits / 8) bytes rounded + /// up to the nearest whole number of bytes. If the resulting byte string + /// is acceptable, it becomes the key, otherwise the drawn bytes are discarded. + /// This process is repeated until an acceptable byte string is drawn. + /// The byte string drawn from the operation is interpreted as specified + /// for the output produced by psa_export_key(). + /// The following key types defined in this specification follow this scheme: /// - /// \note is384 must be defined accordingly with the supported - /// symbols in the config file. If: - /// - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or - /// - is384 is 1, but \c MBEDTLS_SHA512_C is not defined - /// then the function will return - /// #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// - #PSA_KEY_TYPE_DES. + /// Force-set the parity bits, but discard forbidden weak keys. + /// For 2-key and 3-key triple-DES, the three keys are generated + /// successively (for example, for 3-key triple-DES, + /// if the first 8 bytes specify a weak key and the next 8 bytes do not, + /// discard the first 8 bytes, use the next 8 bytes as the first key, + /// and continue reading output from the operation to derive the other + /// two keys). + /// - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group) + /// where \c group designates any Diffie-Hellman group) and + /// ECC keys on a Weierstrass elliptic curve + /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a + /// Weierstrass curve). + /// For these key types, interpret the byte string as integer + /// in big-endian order. Discard it if it is not in the range + /// [0, *N* - 2] where *N* is the boundary of the private key domain + /// (the prime *p* for Diffie-Hellman, the subprime *q* for DSA, + /// or the order of the curve's base point for ECC). + /// Add 1 to the resulting integer and use this as the private key *x*. + /// This method allows compliance to NIST standards, specifically + /// the methods titled "key-pair generation by testing candidates" + /// in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman, + /// in FIPS 186-4 §B.1.2 for DSA, and + /// in NIST SP 800-56A §5.6.1.2.2 or + /// FIPS 186-4 §B.4.2 for elliptic curve keys. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - is384: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-384 checkup routine. + /// - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR, + /// the way in which the operation output is consumed is + /// implementation-defined. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha384_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-512 checkup routine. + /// In all cases, the data that is read is discarded from the operation. + /// The operation's capacity is decreased by the number of bytes read. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha512_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_hash_operation_t { - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - pub private_ctx: mbedtls_psa_hash_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union mbedtls_psa_hash_operation_t__bindgen_ty_1 { - pub dummy: ::core::ffi::c_uint, - pub md5: mbedtls_md5_context, - pub ripemd160: mbedtls_ripemd160_context, - pub sha1: mbedtls_sha1_context, - pub sha256: mbedtls_sha256_context, - pub sha512: mbedtls_sha512_context, -} -impl Default for mbedtls_psa_hash_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_hash_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_cipher_operation_t { - pub private_alg: psa_algorithm_t, - pub private_iv_length: u8, - pub private_block_length: u8, - pub private_ctx: mbedtls_psa_cipher_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_cipher_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_cipher: mbedtls_cipher_context_t, -} -impl Default for mbedtls_psa_cipher_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_cipher_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_driver_hash_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_hash_operation_t, -} -impl Default for psa_driver_hash_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_cipher_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_cipher_operation_t, -} -impl Default for psa_driver_cipher_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_hash_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_driver_wrappers.h. - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. the driver context is not active, in use). - pub private_id: ::core::ffi::c_uint, - pub __bindgen_padding_0: u64, - pub private_ctx: psa_driver_hash_context_t, -} -impl Default for psa_hash_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_cipher_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_default_iv_length: u8, - pub private_ctx: psa_driver_cipher_context_t, + /// For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET, + /// the input to that step must be provided with psa_key_derivation_input_key(). + /// Future versions of this specification may include additional restrictions + /// on the derived key based on the attributes and strength of the secret key. + /// + /// \note This function is equivalent to calling + /// psa_key_derivation_output_key_custom() + /// with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// and `custom_data_length == 0` (i.e. `custom_data` is empty). + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl Default for psa_cipher_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Derive a key from an ongoing key derivation operation with custom + /// production parameters. + /// + /// See the description of psa_key_derivation_out_key() for the operation of + /// this function with the default production parameters. + /// Mbed TLS currently does not currently support any non-default production + /// parameters. + /// + /// \note This function is experimental and may change in future minor + /// versions of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] custom Customization parameters for the key generation. + /// When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// with \p custom_data_length = 0, + /// this function is equivalent to + /// psa_key_derivation_output_key(). + /// \param[in] custom_data Variable-length data associated with \c custom. + /// \param custom_data_length + /// Length of `custom_data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key_custom( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + custom: *const psa_custom_key_parameters_t, + custom_data: *const u8, + custom_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl psa_cipher_operation_s { - #[inline] - pub fn private_iv_required(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_iv_required(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_iv_required_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_iv_required_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_iv_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_iv_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(1usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_iv_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 1usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_iv_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 1usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_iv_required: ::core::ffi::c_uint, - private_iv_set: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_iv_required: u32 = unsafe { ::core::mem::transmute(private_iv_required) }; - private_iv_required as u64 - }); - __bindgen_bitfield_unit.set(1usize, 1u8, { - let private_iv_set: u32 = unsafe { ::core::mem::transmute(private_iv_set) }; - private_iv_set as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Derive a key from an ongoing key derivation operation with custom + /// production parameters. + /// + /// \note + /// This is a deprecated variant of psa_key_derivation_output_key_custom(). + /// It is equivalent except that the associated variable-length data + /// is passed in `params->data` instead of a separate parameter. + /// This function will be removed in a future version of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] params Customization parameters for the key derivation. + /// When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + /// with \p params_data_length = 0, + /// this function is equivalent to + /// psa_key_derivation_output_key(). + /// Mbed TLS currently only supports the default + /// production parameters, i.e. + /// #PSA_KEY_PRODUCTION_PARAMETERS_INIT, + /// for all key types. + /// \param params_data_length + /// Length of `params->data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key_ext( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + params: *const psa_key_production_parameters_t, + params_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_hmac_operation_t { - /// The HMAC algorithm in use - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - /// The hash context. - pub hash_ctx: psa_hash_operation_s, - /// The HMAC part of the context. - pub private_opad: [u8; 128usize], +unsafe extern "C" { + /// Compare output data from a key derivation operation to an expected value. + /// + /// This function calculates output bytes from a key derivation algorithm and + /// compares those bytes to an expected value in constant time. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the expected number of bytes from the + /// stream before comparing them. + /// The operation's capacity decreases by the number of bytes read. + /// + /// This is functionally equivalent to the following code: + /// \code + /// psa_key_derivation_output_bytes(operation, tmp, output_length); + /// if (memcmp(output, tmp, output_length) != 0) + /// return PSA_ERROR_INVALID_SIGNATURE; + /// \endcode + /// except (1) it works even if the key's policy does not allow outputting the + /// bytes, and (2) the comparison will be done in constant time. + /// + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + /// the operation enters an error state and must be aborted by calling + /// psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] expected Buffer containing the expected derivation output. + /// \param expected_length Length of the expected output; this is also the + /// number of bytes that will be read. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The output was read successfully, but it differs from the expected + /// output. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// One of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_VERIFY_DERIVATION. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// \p output_length bytes. Note that in this case, + /// the operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller expected output. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_verify_bytes( + operation: *mut psa_key_derivation_operation_t, + expected: *const u8, + expected_length: usize, + ) -> psa_status_t; } -impl Default for mbedtls_psa_hmac_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Compare output data from a key derivation operation to an expected value + /// stored in a key object. + /// + /// This function calculates output bytes from a key derivation algorithm and + /// compares those bytes to an expected value, provided as key of type + /// #PSA_KEY_TYPE_PASSWORD_HASH. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the number of bytes corresponding to the + /// length of the expected value from the stream before comparing them. + /// The operation's capacity decreases by the number of bytes read. + /// + /// This is functionally equivalent to exporting the key and calling + /// psa_key_derivation_verify_bytes() on the result, except that it + /// works even if the key cannot be exported. + /// + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + /// the operation enters an error state and must be aborted by calling + /// psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH + /// containing the expected output. Its policy must + /// include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag + /// and the permitted algorithm must match the + /// operation. The value of this key was likely + /// computed by a previous call to + /// psa_key_derivation_output_key() or + /// psa_key_derivation_output_key_custom(). + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The output was read successfully, but if differs from the expected + /// output. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// The key passed as the expected value does not exist. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key passed as the expected value has an invalid type. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key passed as the expected value does not allow this usage or + /// this algorithm; or one of the inputs was a key whose policy didn't + /// allow #PSA_KEY_USAGE_VERIFY_DERIVATION. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// the length of the expected value. In this case, + /// the operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller expected output. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_verify_key( + operation: *mut psa_key_derivation_operation_t, + expected: psa_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_mac_operation_t { - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - pub private_ctx: mbedtls_psa_mac_operation_t__bindgen_ty_1, +unsafe extern "C" { + /// Abort a key derivation operation. + /// + /// Aborting an operation frees all associated resources except for the \c + /// operation structure itself. Once aborted, the operation object can be reused + /// for another operation by calling psa_key_derivation_setup() again. + /// + /// This function may be called at any time after the operation + /// object has been initialized as described in #psa_key_derivation_operation_t. + /// + /// In particular, it is valid to call psa_key_derivation_abort() twice, or to + /// call psa_key_derivation_abort() on an operation that has not been set up. + /// + /// \param[in,out] operation The operation to abort. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_abort(operation: *mut psa_key_derivation_operation_t) + -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union mbedtls_psa_mac_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_hmac: mbedtls_psa_hmac_operation_t, - pub private_cmac: mbedtls_cipher_context_t, +unsafe extern "C" { + /// Perform a key agreement and return the raw shared secret. + /// + /// \warning The raw result of a key agreement algorithm such as finite-field + /// Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should + /// not be used directly as key material. It should instead be passed as + /// input to a key derivation algorithm. To chain a key agreement with + /// a key derivation, use psa_key_derivation_key_agreement() and other + /// functions from the key derivation interface. + /// + /// \param alg The key agreement algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg) + /// is true). + /// \param private_key Identifier of the private key to use. It must + /// allow the usage #PSA_KEY_USAGE_DERIVE. + /// \param[in] peer_key Public key of the peer. It must be + /// in the same format that psa_import_key() + /// accepts. The standard formats for public + /// keys are documented in the documentation + /// of psa_export_public_key(). + /// \param peer_key_length Size of \p peer_key in bytes. + /// \param[out] output Buffer where the decrypted message is to + /// be written. + /// \param output_size Size of the \c output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p alg is not a key agreement algorithm, or + /// \p private_key is not compatible with \p alg, + /// or \p peer_key is not valid for \p alg or not compatible with + /// \p private_key. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p output_size is too small + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not a supported key agreement algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_raw_key_agreement( + alg: psa_algorithm_t, + private_key: mbedtls_svc_key_id_t, + peer_key: *const u8, + peer_key_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Generate random bytes. + /// + /// \warning This function **can** fail! Callers MUST check the return status + /// and MUST NOT use the content of the output buffer if the return + /// status is not #PSA_SUCCESS. + /// + /// \note To generate a key, use psa_generate_key() instead. + /// + /// \param[out] output Output buffer for the generated data. + /// \param output_size Number of bytes to generate and output. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_random(output: *mut u8, output_size: usize) -> psa_status_t; } -impl Default for mbedtls_psa_mac_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Generate a key or key pair. + /// + /// The key is generated randomly. + /// Its location, usage policy, type and size are taken from \p attributes. + /// + /// Implementations must reject an attempt to generate a key of size 0. + /// + /// The following type-specific considerations apply: + /// - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), + /// the public exponent is 65537. + /// The modulus is a product of two probabilistic primes + /// between 2^{n-1} and 2^n where n is the bit size specified in the + /// attributes. + /// + /// \note This function is equivalent to calling psa_generate_key_custom() + /// with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// and `custom_data_length == 0` (i.e. `custom_data` is empty). + /// + /// \param[in] attributes The attributes for the new key. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key( + attributes: *const psa_key_attributes_t, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl Default for mbedtls_psa_mac_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Generate a key or key pair using custom production parameters. + /// + /// See the description of psa_generate_key() for the operation of this + /// function with the default production parameters. In addition, this function + /// supports the following production customizations, described in more detail + /// in the documentation of ::psa_custom_key_parameters_t: + /// + /// - RSA keys: generation with a custom public exponent. + /// + /// \note This function is experimental and may change in future minor + /// versions of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// \param[in] custom Customization parameters for the key generation. + /// When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// with \p custom_data_length = 0, + /// this function is equivalent to + /// psa_generate_key(). + /// \param[in] custom_data Variable-length data associated with \c custom. + /// \param custom_data_length + /// Length of `custom_data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key_custom( + attributes: *const psa_key_attributes_t, + custom: *const psa_custom_key_parameters_t, + custom_data: *const u8, + custom_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_aead_operation_t { - pub private_alg: psa_algorithm_t, - pub private_key_type: psa_key_type_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_tag_length: u8, - pub ctx: mbedtls_psa_aead_operation_t__bindgen_ty_1, +unsafe extern "C" { + /// \brief Generate a key or key pair using custom production parameters. + /// + /// \note + /// This is a deprecated variant of psa_key_derivation_output_key_custom(). + /// It is equivalent except that the associated variable-length data + /// is passed in `params->data` instead of a separate parameter. + /// This function will be removed in a future version of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// \param[in] params Customization parameters for the key generation. + /// When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + /// with \p params_data_length = 0, + /// this function is equivalent to + /// psa_generate_key(). + /// \param params_data_length + /// Length of `params->data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key_ext( + attributes: *const psa_key_attributes_t, + params: *const psa_key_production_parameters_t, + params_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_aead_operation_t__bindgen_ty_1 { - pub dummy: ::core::ffi::c_uint, - pub private_ccm: mbedtls_ccm_context, - pub private_gcm: mbedtls_gcm_context, - pub private_chachapoly: mbedtls_chachapoly_context, +/// The type of the state data structure for interruptible hash +/// signing operations. +/// +/// Before calling any function on a sign hash operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer +/// #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation = +/// PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function +/// psa_sign_hash_interruptible_operation_init() to the structure, for +/// example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation; +/// operation = psa_sign_hash_interruptible_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_sign_hash_interruptible_operation_t = psa_sign_hash_interruptible_operation_s; +/// The type of the state data structure for interruptible hash +/// verification operations. +/// +/// Before calling any function on a sign hash operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer +/// #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation = +/// PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function +/// psa_verify_hash_interruptible_operation_init() to the structure, for +/// example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation; +/// operation = psa_verify_hash_interruptible_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_verify_hash_interruptible_operation_t = psa_verify_hash_interruptible_operation_s; +unsafe extern "C" { + /// \brief Set the maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note The time taken to execute a single op is + /// implementation specific and depends on + /// software, hardware, the algorithm, key type and + /// curve chosen. Even within a single operation, + /// successive ops can take differing amounts of + /// time. The only guarantee is that lower values + /// for \p max_ops means functions will block for a + /// lesser maximum amount of time. The functions + /// \c psa_sign_interruptible_get_num_ops() and + /// \c psa_verify_interruptible_get_num_ops() are + /// provided to help with tuning this value. + /// + /// \note This value defaults to + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which + /// means the whole operation will be done in one + /// go, regardless of the number of ops required. + /// + /// \note If more ops are needed to complete a + /// computation, #PSA_OPERATION_INCOMPLETE will be + /// returned by the function performing the + /// computation. It is then the caller's + /// responsibility to either call again with the + /// same operation context until it returns 0 or an + /// error code; or to call the relevant abort + /// function if the answer is no longer required. + /// + /// \note The interpretation of \p max_ops is also + /// implementation defined. On a hard real time + /// system, this can indicate a hard deadline, as a + /// real-time system needs a guarantee of not + /// spending more than X time, however care must be + /// taken in such an implementation to avoid the + /// situation whereby calls just return, not being + /// able to do any actual work within the allotted + /// time. On a non-real-time system, the + /// implementation can be more relaxed, but again + /// whether this number should be interpreted as as + /// hard or soft limit or even whether a less than + /// or equals as regards to ops executed in a + /// single call is implementation defined. + /// + /// \note For keys in local storage when no accelerator + /// driver applies, please see also the + /// documentation for \c mbedtls_ecp_set_max_ops(), + /// which is the internal implementation in these + /// cases. + /// + /// \warning With implementations that interpret this number + /// as a hard limit, setting this number too small + /// may result in an infinite loop, whereby each + /// call results in immediate return with no ops + /// done (as there is not enough time to execute + /// any), and thus no result will ever be achieved. + /// + /// \note This only applies to functions whose + /// documentation mentions they may return + /// #PSA_OPERATION_INCOMPLETE. + /// + /// \param max_ops The maximum number of ops to be executed in a + /// single call. This can be a number from 0 to + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 + /// is the least amount of work done per call. + pub fn psa_interruptible_set_max_ops(max_ops: u32); } -impl Default for mbedtls_psa_aead_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Get the maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. This will return the last + /// value set by + /// \c psa_interruptible_set_max_ops() or + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if + /// that function has never been called. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \return Maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. + pub fn psa_interruptible_get_max_ops() -> u32; } -impl Default for mbedtls_psa_aead_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Get the number of ops that a hash signing + /// operation has taken so far. If the operation + /// has completed, then this will represent the + /// number of ops required for the entire + /// operation. After initialization or calling + /// \c psa_sign_hash_interruptible_abort() on + /// the operation, a value of 0 will be returned. + /// + /// \note This interface is guaranteed re-entrant and + /// thus may be called from driver code. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// This is a helper provided to help you tune the + /// value passed to \c + /// psa_interruptible_set_max_ops(). + /// + /// \param operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \return Number of ops that the operation has taken so + /// far. + pub fn psa_sign_hash_get_num_ops( + operation: *const psa_sign_hash_interruptible_operation_t, + ) -> u32; } -impl mbedtls_psa_aead_operation_t { - #[inline] - pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_is_encrypt: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; - private_is_encrypt as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// \brief Get the number of ops that a hash verification + /// operation has taken so far. If the operation + /// has completed, then this will represent the + /// number of ops required for the entire + /// operation. After initialization or calling \c + /// psa_verify_hash_interruptible_abort() on the + /// operation, a value of 0 will be returned. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// This is a helper provided to help you tune the + /// value passed to \c + /// psa_interruptible_set_max_ops(). + /// + /// \param operation The \c + /// psa_verify_hash_interruptible_operation_t to + /// use. This must be initialized first. + /// + /// \return Number of ops that the operation has taken so + /// far. + pub fn psa_verify_hash_get_num_ops( + operation: *const psa_verify_hash_interruptible_operation_t, + ) -> u32; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_sign_hash_interruptible_operation_t { - pub private_dummy: ::core::ffi::c_uint, +unsafe extern "C" { + /// \brief Start signing a hash or short message with a + /// private key, in an interruptible manner. + /// + /// \see \c psa_sign_hash_complete() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_sign_hash_complete() is equivalent to + /// \c psa_sign_hash() but + /// \c psa_sign_hash_complete() can return early and + /// resume according to the limit set with \c + /// psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function call. + /// + /// \note Users should call \c psa_sign_hash_complete() + /// repeatedly on the same context after a + /// successful call to this function until \c + /// psa_sign_hash_complete() either returns 0 or an + /// error. \c psa_sign_hash_complete() will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_sign_hash_abort() at any point if they no + /// longer want the result. + /// + /// \note If this function returns an error status, the + /// operation enters an error state and must be + /// aborted by calling \c psa_sign_hash_abort(). + /// + /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. + /// \param alg A signature algorithm (\c PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message to sign. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The operation started successfully - call \c psa_sign_hash_complete() + /// with the same context to complete the operation + /// + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does + /// not permit the requested algorithm. + /// \retval #PSA_ERROR_BAD_STATE + /// An operation has previously been started on this context, and is + /// still in progress. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash_start( + operation: *mut psa_sign_hash_interruptible_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_verify_hash_interruptible_operation_t { - pub private_dummy: ::core::ffi::c_uint, +unsafe extern "C" { + /// \brief Continue and eventually complete the action of + /// signing a hash or short message with a private + /// key, in an interruptible manner. + /// + /// \see \c psa_sign_hash_start() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_sign_hash_start() is equivalent to + /// \c psa_sign_hash() but this function can return + /// early and resume according to the limit set with + /// \c psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function call. + /// + /// \note Users should call this function on the same + /// operation object repeatedly until it either + /// returns 0 or an error. This function will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_sign_hash_abort() at any point if they no + /// longer want the result. + /// + /// \note When this function returns successfully, the + /// operation becomes inactive. If this function + /// returns an error status, the operation enters an + /// error state and must be aborted by calling + /// \c psa_sign_hash_abort(). + /// + /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first, and have + /// had \c psa_sign_hash_start() called with it + /// first. + /// + /// \param[out] signature Buffer where the signature is to be written. + /// \param signature_size Size of the \p signature buffer in bytes. This + /// must be appropriate for the selected + /// algorithm and key: + /// - The required signature size is + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c + /// key_bits, \c alg) where \c key_type and \c + /// key_bits are the type and bit-size + /// respectively of key. + /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the + /// maximum signature size of any supported + /// signature algorithm. + /// \param[out] signature_length On success, the number of bytes that make up + /// the returned signature value. + /// + /// \retval #PSA_SUCCESS + /// Operation completed successfully + /// + /// \retval #PSA_OPERATION_INCOMPLETE + /// Operation was interrupted due to the setting of \c + /// psa_interruptible_set_max_ops(). There is still work to be done. + /// Call this function again with the same operation object. + /// + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \c alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \c key. + /// + /// \retval #PSA_ERROR_BAD_STATE + /// An operation was not previously started on this context via + /// \c psa_sign_hash_start(). + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has either not been previously initialized by + /// psa_crypto_init() or you did not previously call + /// psa_sign_hash_start() with this operation object. It is + /// implementation-dependent whether a failure to initialize results in + /// this error code. + pub fn psa_sign_hash_complete( + operation: *mut psa_sign_hash_interruptible_operation_t, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } -///< Client -pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_CLIENT: mbedtls_ecjpake_role = 0; -///< Server -pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_SERVER: mbedtls_ecjpake_role = 1; -/// Roles in the EC J-PAKE exchange -pub type mbedtls_ecjpake_role = ::core::ffi::c_uint; -/// EC J-PAKE context structure. -/// -/// J-PAKE is a symmetric protocol, except for the identifiers used in -/// Zero-Knowledge Proofs, and the serialization of the second message -/// (KeyExchange) as defined by the Thread spec. -/// -/// In order to benefit from this symmetry, we choose a different naming -/// convention from the Thread v1.0 spec. Correspondence is indicated in the -/// description as a pair C: client name, S: server name -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecjpake_context { - ///< Hash to use - pub private_md_type: mbedtls_md_type_t, - ///< Elliptic curve - pub private_grp: mbedtls_ecp_group, - ///< Are we client or server? - pub private_role: mbedtls_ecjpake_role, - ///< Format for point export - pub private_point_format: ::core::ffi::c_int, - ///< My public key 1 C: X1, S: X3 - pub private_Xm1: mbedtls_ecp_point, - ///< My public key 2 C: X2, S: X4 - pub private_Xm2: mbedtls_ecp_point, - ///< Peer public key 1 C: X3, S: X1 - pub private_Xp1: mbedtls_ecp_point, - ///< Peer public key 2 C: X4, S: X2 - pub private_Xp2: mbedtls_ecp_point, - ///< Peer public key C: Xs, S: Xc - pub private_Xp: mbedtls_ecp_point, - ///< My private key 1 C: x1, S: x3 - pub private_xm1: mbedtls_mpi, - ///< My private key 2 C: x2, S: x4 - pub private_xm2: mbedtls_mpi, - ///< Pre-shared secret (passphrase) - pub private_s: mbedtls_mpi, +unsafe extern "C" { + /// \brief Abort a sign hash operation. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function is the only function that clears + /// the number of ops completed as part of the + /// operation. Please ensure you copy this value via + /// \c psa_sign_hash_get_num_ops() if required + /// before calling. + /// + /// \note Aborting an operation frees all associated + /// resources except for the \p operation structure + /// itself. Once aborted, the operation object can + /// be reused for another operation by calling \c + /// psa_sign_hash_start() again. + /// + /// \note You may call this function any time after the + /// operation object has been initialized. In + /// particular, calling \c psa_sign_hash_abort() + /// after the operation has already been terminated + /// by a call to \c psa_sign_hash_abort() or + /// psa_sign_hash_complete() is safe. + /// + /// \param[in,out] operation Initialized sign hash operation. + /// + /// \retval #PSA_SUCCESS + /// The operation was aborted successfully. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash_abort( + operation: *mut psa_sign_hash_interruptible_operation_t, + ) -> psa_status_t; } -impl Default for mbedtls_ecjpake_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Start reading and verifying a hash or short + /// message, in an interruptible manner. + /// + /// \see \c psa_verify_hash_complete() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_verify_hash_complete() is equivalent to + /// \c psa_verify_hash() but \c + /// psa_verify_hash_complete() can return early and + /// resume according to the limit set with \c + /// psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function. + /// + /// \note Users should call \c psa_verify_hash_complete() + /// repeatedly on the same operation object after a + /// successful call to this function until \c + /// psa_verify_hash_complete() either returns 0 or + /// an error. \c psa_verify_hash_complete() will + /// return #PSA_OPERATION_INCOMPLETE if there is + /// more work to do. Alternatively users can call + /// \c psa_verify_hash_abort() at any point if they + /// no longer want the result. + /// + /// \note If this function returns an error status, the + /// operation enters an error state and must be + /// aborted by calling \c psa_verify_hash_abort(). + /// + /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \param key Identifier of the key to use for the operation. + /// The key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_HASH. + /// \param alg A signature algorithm (\c PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash whose signature is to be verified. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param signature_length Size of the \p signature buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The operation started successfully - please call \c + /// psa_verify_hash_complete() with the same context to complete the + /// operation. + /// + /// \retval #PSA_ERROR_BAD_STATE + /// Another operation has already been started on this context, and is + /// still in progress. + /// + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does + /// not permit the requested algorithm. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash_start( + operation: *mut psa_verify_hash_interruptible_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Initialize an ECJPAKE context. + /// \brief Continue and eventually complete the action of + /// reading and verifying a hash or short message + /// signed with a private key, in an interruptible + /// manner. /// - /// \param ctx The ECJPAKE context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_ecjpake_init(ctx: *mut mbedtls_ecjpake_context); -} -unsafe extern "C" { - /// \brief Set up an ECJPAKE context for use. + /// \see \c psa_verify_hash_start() /// - /// \note Currently the only values for hash/curve allowed by the - /// standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. /// - /// \param ctx The ECJPAKE context to set up. This must be initialized. - /// \param role The role of the caller. This must be either - /// #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. - /// \param hash The identifier of the hash function to use, - /// for example #MBEDTLS_MD_SHA256. - /// \param curve The identifier of the elliptic curve to use, - /// for example #MBEDTLS_ECP_DP_SECP256R1. - /// \param secret The pre-shared secret (passphrase). This must be - /// a readable not empty buffer of length \p len Bytes. It need - /// only be valid for the duration of this call. - /// \param len The length of the pre-shared secret \p secret. + /// \note This function combined with \c + /// psa_verify_hash_start() is equivalent to + /// \c psa_verify_hash() but this function can + /// return early and resume according to the limit + /// set with \c psa_interruptible_set_max_ops() to + /// reduce the maximum time spent in a function + /// call. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_setup( - ctx: *mut mbedtls_ecjpake_context, - role: mbedtls_ecjpake_role, - hash: mbedtls_md_type_t, - curve: mbedtls_ecp_group_id, - secret: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Set the point format for future reads and writes. + /// \note Users should call this function on the same + /// operation object repeatedly until it either + /// returns 0 or an error. This function will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_verify_hash_abort() at any point if they + /// no longer want the result. /// - /// \param ctx The ECJPAKE context to configure. - /// \param point_format The point format to use: - /// #MBEDTLS_ECP_PF_UNCOMPRESSED (default) - /// or #MBEDTLS_ECP_PF_COMPRESSED. + /// \note When this function returns successfully, the + /// operation becomes inactive. If this function + /// returns an error status, the operation enters an + /// error state and must be aborted by calling + /// \c psa_verify_hash_abort(). /// - /// \return \c 0 if successful. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format - /// is invalid. - pub fn mbedtls_ecjpake_set_point_format( - ctx: *mut mbedtls_ecjpake_context, - point_format: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Check if an ECJPAKE context is ready for use. + /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + /// to use. This must be initialized first, and have + /// had \c psa_verify_hash_start() called with it + /// first. /// - /// \param ctx The ECJPAKE context to check. This must be - /// initialized. + /// \retval #PSA_SUCCESS + /// Operation completed successfully, and the passed signature is valid. /// - /// \return \c 0 if the context is ready for use. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. - pub fn mbedtls_ecjpake_check(ctx: *const mbedtls_ecjpake_context) -> ::core::ffi::c_int; + /// \retval #PSA_OPERATION_INCOMPLETE + /// Operation was interrupted due to the setting of \c + /// psa_interruptible_set_max_ops(). There is still work to be done. + /// Call this function again with the same operation object. + /// + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed + /// signature is not a valid signature. + /// \retval #PSA_ERROR_BAD_STATE + /// An operation was not previously started on this context via + /// \c psa_verify_hash_start(). + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has either not been previously initialized by + /// psa_crypto_init() or you did not previously call + /// psa_verify_hash_start() on this object. It is + /// implementation-dependent whether a failure to initialize results in + /// this error code. + pub fn psa_verify_hash_complete( + operation: *mut psa_verify_hash_interruptible_operation_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Generate and write the first round message - /// (TLS: contents of the Client/ServerHello extension, - /// excluding extension type and length bytes). + /// \brief Abort a verify hash operation. /// - /// \param ctx The ECJPAKE context to use. This must be - /// initialized and set up. - /// \param buf The buffer to write the contents to. This must be a - /// writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number - /// of Bytes written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// \warning This is a beta API, and thus subject to change at + /// any point. It is not bound by the usual interface + /// stability promises. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_round_one( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Read and process the first round message - /// (TLS: contents of the Client/ServerHello extension, - /// excluding extension type and length bytes). + /// \note This function is the only function that clears the + /// number of ops completed as part of the operation. + /// Please ensure you copy this value via + /// \c psa_verify_hash_get_num_ops() if required + /// before calling. /// - /// \param ctx The ECJPAKE context to use. This must be initialized - /// and set up. - /// \param buf The buffer holding the first round message. This must - /// be a readable buffer of length \p len Bytes. - /// \param len The length in Bytes of \p buf. + /// \note Aborting an operation frees all associated + /// resources except for the operation structure + /// itself. Once aborted, the operation object can be + /// reused for another operation by calling \c + /// psa_verify_hash_start() again. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_read_round_one( - ctx: *mut mbedtls_ecjpake_context, - buf: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \note You may call this function any time after the + /// operation object has been initialized. + /// In particular, calling \c psa_verify_hash_abort() + /// after the operation has already been terminated by + /// a call to \c psa_verify_hash_abort() or + /// psa_verify_hash_complete() is safe. + /// + /// \param[in,out] operation Initialized verify hash operation. + /// + /// \retval #PSA_SUCCESS + /// The operation was aborted successfully. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash_abort( + operation: *mut psa_verify_hash_interruptible_operation_t, + ) -> psa_status_t; } +pub type psa_key_handle_t = mbedtls_svc_key_id_t; unsafe extern "C" { - /// \brief Generate and write the second round message - /// (TLS: contents of the Client/ServerKeyExchange). + /// Open a handle to an existing persistent key. /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up, and already have performed round one. - /// \param buf The buffer to write the round two contents to. - /// This must be a writable buffer of length \p len Bytes. - /// \param len The size of \p buf in Bytes. - /// \param olen The address at which to store the total number of Bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// Open a handle to a persistent key. A key is persistent if it was created + /// with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key + /// always has a nonzero key identifier, set with psa_set_key_id() when + /// creating the key. Implementations may provide additional pre-provisioned + /// keys that can be opened with psa_open_key(). Such keys have an application + /// key identifier in the vendor range, as documented in the description of + /// #psa_key_id_t. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_round_two( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// The application must eventually close the handle with psa_close_key() or + /// psa_destroy_key() to release associated resources. If the application dies + /// without calling one of these functions, the implementation should perform + /// the equivalent of a call to psa_close_key(). + /// + /// Some implementations permit an application to open the same key multiple + /// times. If this is successful, each call to psa_open_key() will return a + /// different key handle. + /// + /// \note This API is not part of the PSA Cryptography API Release 1.0.0 + /// specification. It was defined in the 1.0 Beta 3 version of the + /// specification but was removed in the 1.0.0 released version. This API is + /// kept for the time being to not break applications relying on it. It is not + /// deprecated yet but will be in the near future. + /// + /// \note Applications that rely on opening a key multiple times will not be + /// portable to implementations that only permit a single key handle to be + /// opened. See also :ref:\`key-handles\`. + /// + /// + /// \param key The persistent identifier of the key. + /// \param[out] handle On success, a handle to the key. + /// + /// \retval #PSA_SUCCESS + /// Success. The application can now use the value of `*handle` + /// to access the key. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY + /// The implementation does not have sufficient resources to open the + /// key. This can be due to reaching an implementation limit on the + /// number of open keys, the number of open key handles, or available + /// memory. + /// \retval #PSA_ERROR_DOES_NOT_EXIST + /// There is no persistent key with key identifier \p key. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not a valid persistent key identifier. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The specified key exists, but the application does not have the + /// permission to access it. Note that this specification does not + /// define any way to create such a key, but it may be possible + /// through implementation-specific means. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_open_key(key: mbedtls_svc_key_id_t, handle: *mut psa_key_handle_t) -> psa_status_t; } unsafe extern "C" { - /// \brief Read and process the second round message - /// (TLS: contents of the Client/ServerKeyExchange). + /// Close a key handle. /// - /// \param ctx The ECJPAKE context to use. This must be initialized - /// and set up and already have performed round one. - /// \param buf The buffer holding the second round message. This must - /// be a readable buffer of length \p len Bytes. - /// \param len The length in Bytes of \p buf. + /// If the handle designates a volatile key, this will destroy the key material + /// and free all associated resources, just like psa_destroy_key(). /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_read_round_two( - ctx: *mut mbedtls_ecjpake_context, - buf: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Derive the shared secret - /// (TLS: Pre-Master Secret). + /// If this is the last open handle to a persistent key, then closing the handle + /// will free all resources associated with the key in volatile memory. The key + /// data in persistent storage is not affected and can be opened again later + /// with a call to psa_open_key(). /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up and have performed both round one and two. - /// \param buf The buffer to write the derived secret to. This must - /// be a writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number of Bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// Closing the key handle makes the handle invalid, and the key handle + /// must not be used again by the application. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_derive_secret( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write the shared key material to be passed to a Key - /// Derivation Function as described in RFC8236. + /// \note This API is not part of the PSA Cryptography API Release 1.0.0 + /// specification. It was defined in the 1.0 Beta 3 version of the + /// specification but was removed in the 1.0.0 released version. This API is + /// kept for the time being to not break applications relying on it. It is not + /// deprecated yet but will be in the near future. /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up and have performed both round one and two. - /// \param buf The buffer to write the derived secret to. This must - /// be a writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number of bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// \note If the key handle was used to set up an active + /// :ref:\`multipart operation \`, then closing the + /// key handle can cause the multipart operation to fail. Applications should + /// maintain the key handle until after the multipart operation has finished. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_shared_key( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This clears an ECJPAKE context and frees any - /// embedded data structure. + /// \param handle The key handle to close. + /// If this is \c 0, do nothing and return \c PSA_SUCCESS. /// - /// \param ctx The ECJPAKE context to free. This may be \c NULL, - /// in which case this function does nothing. If it is not - /// \c NULL, it must point to an initialized ECJPAKE context. - pub fn mbedtls_ecjpake_free(ctx: *mut mbedtls_ecjpake_context); + /// \retval #PSA_SUCCESS + /// \p handle was a valid handle or \c 0. It is now closed. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p handle is not a valid handle nor \c 0. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_close_key(handle: psa_key_handle_t) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// \brief Library deinitialization. /// - /// \return 0 if successful, or 1 if a test failed - pub fn mbedtls_ecjpake_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_pake_operation_t { - pub private_alg: psa_algorithm_t, - pub private_password: *mut u8, - pub private_password_len: usize, - pub private_role: u8, - pub private_buffer: [u8; 336usize], - pub private_buffer_length: usize, - pub private_buffer_offset: usize, - pub private_ctx: mbedtls_psa_pake_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_pake_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_jpake: mbedtls_ecjpake_context, -} -impl Default for mbedtls_psa_pake_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_pake_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_driver_mac_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_mac_operation_t, -} -impl Default for psa_driver_mac_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_aead_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_aead_operation_t, -} -impl Default for psa_driver_aead_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_sign_hash_interruptible_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_sign_hash_interruptible_operation_t, -} -impl Default for psa_driver_sign_hash_interruptible_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_verify_hash_interruptible_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_verify_hash_interruptible_operation_t, -} -impl Default for psa_driver_verify_hash_interruptible_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_pake_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_pake_operation_t, -} -impl Default for psa_driver_pake_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// This function clears all data associated with the PSA layer, + /// including the whole key store. + /// This function is not thread safe, it wipes every key slot regardless of + /// state and reader count. It should only be called when no slot is in use. + /// + /// This is an Mbed TLS extension. + pub fn mbedtls_psa_crypto_free(); } +/// \brief Statistics about +/// resource consumption related to the PSA keystore. +/// +/// \note The content of this structure is not part of the stable API and ABI +/// of Mbed TLS and may change arbitrarily from version to version. #[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_mac_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_mac_size: u8, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub __bindgen_padding_0: u64, - pub private_ctx: psa_driver_mac_context_t, +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_stats_s { + /// Number of slots containing key material for a volatile key. + pub private_volatile_slots: usize, + /// Number of slots containing key material for a key which is in + /// internal persistent storage. + pub private_persistent_slots: usize, + /// Number of slots containing a reference to a key in a + /// secure element. + pub private_external_slots: usize, + /// Number of slots which are occupied, but do not contain + /// key material yet. + pub private_half_filled_slots: usize, + /// Number of slots that contain cache data. + pub private_cache_slots: usize, + /// Number of slots that are not used for anything. + pub private_empty_slots: usize, + /// Number of slots that are locked. + pub private_locked_slots: usize, + /// Largest key id value among open keys in internal persistent storage. + pub private_max_open_internal_key_id: psa_key_id_t, + /// Largest key id value among open keys in secure elements. + pub private_max_open_external_key_id: psa_key_id_t, } -impl Default for psa_mac_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +/// \brief Statistics about +/// resource consumption related to the PSA keystore. +/// +/// \note The content of this structure is not part of the stable API and ABI +/// of Mbed TLS and may change arbitrarily from version to version. +pub type mbedtls_psa_stats_t = mbedtls_psa_stats_s; +unsafe extern "C" { + /// \brief Get statistics about + /// resource consumption related to the PSA keystore. + /// + /// \note When Mbed TLS is built as part of a service, with isolation + /// between the application and the keystore, the service may or + /// may not expose this function. + pub fn mbedtls_psa_get_stats(stats: *mut mbedtls_psa_stats_t); } -impl psa_mac_operation_s { - #[inline] - pub fn private_is_sign(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_sign(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_sign_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_sign_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_is_sign: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_is_sign: u32 = unsafe { ::core::mem::transmute(private_is_sign) }; - private_is_sign as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// \brief Inject an initial entropy seed for the random generator into + /// secure storage. + /// + /// This function injects data to be used as a seed for the random generator + /// used by the PSA Crypto implementation. On devices that lack a trusted + /// entropy source (preferably a hardware random number generator), + /// the Mbed PSA Crypto implementation uses this value to seed its + /// random generator. + /// + /// On devices without a trusted entropy source, this function must be + /// called exactly once in the lifetime of the device. On devices with + /// a trusted entropy source, calling this function is optional. + /// In all cases, this function may only be called before calling any + /// other function in the PSA Crypto API, including psa_crypto_init(). + /// + /// When this function returns successfully, it populates a file in + /// persistent storage. Once the file has been created, this function + /// can no longer succeed. + /// + /// If any error occurs, this function does not change the system state. + /// You can call this function again after correcting the reason for the + /// error if possible. + /// + /// \warning This function **can** fail! Callers MUST check the return status. + /// + /// \warning If you use this function, you should use it as part of a + /// factory provisioning process. The value of the injected seed + /// is critical to the security of the device. It must be + /// *secret*, *unpredictable* and (statistically) *unique per device*. + /// You should be generate it randomly using a cryptographically + /// secure random generator seeded from trusted entropy sources. + /// You should transmit it securely to the device and ensure + /// that its value is not leaked or stored anywhere beyond the + /// needs of transmitting it from the point of generation to + /// the call of this function, and erase all copies of the value + /// once this function returns. + /// + /// This is an Mbed TLS extension. + /// + /// \note This function is only available on the following platforms: + /// * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled. + /// Note that you must provide compatible implementations of + /// mbedtls_nv_seed_read and mbedtls_nv_seed_write. + /// * In a client-server integration of PSA Cryptography, on the client side, + /// if the server supports this feature. + /// \param[in] seed Buffer containing the seed value to inject. + /// \param[in] seed_size Size of the \p seed buffer. + /// The size of the seed in bytes must be greater + /// or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE + /// and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM + /// in `library/entropy_poll.h` in the Mbed TLS source + /// code. + /// It must be less or equal to + /// #MBEDTLS_ENTROPY_MAX_SEED_SIZE. + /// + /// \retval #PSA_SUCCESS + /// The seed value was injected successfully. The random generator + /// of the PSA Crypto implementation is now ready for use. + /// You may now call psa_crypto_init() and use the PSA Crypto + /// implementation. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p seed_size is out of range. + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// There was a failure reading or writing from storage. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The library has already been initialized. It is no longer + /// possible to call this function. + pub fn mbedtls_psa_inject_entropy(seed: *const u8, seed_size: usize) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_aead_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_alg: psa_algorithm_t, - pub private_key_type: psa_key_type_t, - pub private_ad_remaining: usize, - pub private_body_remaining: usize, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_ctx: psa_driver_aead_context_t, +unsafe extern "C" { + /// External random generator function, implemented by the platform. + /// + /// When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, + /// this function replaces Mbed TLS's entropy and DRBG modules for all + /// random generation triggered via PSA crypto interfaces. + /// + /// \note This random generator must deliver random numbers with cryptographic + /// quality and high performance. It must supply unpredictable numbers + /// with a uniform distribution. The implementation of this function + /// is responsible for ensuring that the random generator is seeded + /// with sufficient entropy. If you have a hardware TRNG which is slow + /// or delivers non-uniform output, declare it as an entropy source + /// with mbedtls_entropy_add_source() instead of enabling this option. + /// + /// \param[in,out] context Pointer to the random generator context. + /// This is all-bits-zero on the first call + /// and preserved between successive calls. + /// \param[out] output Output buffer. On success, this buffer + /// contains random data with a uniform + /// distribution. + /// \param output_size The size of the \p output buffer in bytes. + /// \param[out] output_length On success, set this value to \p output_size. + /// + /// \retval #PSA_SUCCESS + /// Success. The output buffer contains \p output_size bytes of + /// cryptographic-quality random data, and \c *output_length is + /// set to \p output_size. + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + /// The random generator requires extra entropy and there is no + /// way to obtain entropy under current environment conditions. + /// This error should not happen under normal circumstances since + /// this function is responsible for obtaining as much entropy as + /// it needs. However implementations of this function may return + /// #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain + /// entropy without blocking indefinitely. + /// \retval #PSA_ERROR_HARDWARE_FAILURE + /// A failure of the random generator hardware that isn't covered + /// by #PSA_ERROR_INSUFFICIENT_ENTROPY. + pub fn mbedtls_psa_external_get_random( + context: *mut mbedtls_psa_external_random_context_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } -impl Default for psa_aead_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +/// A slot number identifying a key in a driver. +/// +/// Values of this type are used to identify built-in keys. +pub type psa_drv_slot_number_t = u64; +unsafe extern "C" { + /// Check if PSA is capable of handling the specified hash algorithm. + /// + /// This means that PSA core was built with the corresponding PSA_WANT_ALG_xxx + /// set and that psa_crypto_init has already been called. + /// + /// \note When using the built-in version of the PSA core (i.e. + /// #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + /// the state of the driver subsystem, not the algorithm. + /// This might be improved in the future. + /// + /// \param hash_alg The hash algorithm. + /// + /// \return 1 if the PSA can handle \p hash_alg, 0 otherwise. + pub fn psa_can_do_hash(hash_alg: psa_algorithm_t) -> ::core::ffi::c_int; } -impl psa_aead_operation_s { - #[inline] - pub fn private_nonce_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_nonce_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_nonce_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_nonce_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_lengths_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_lengths_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(1usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_lengths_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 1usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_lengths_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 1usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_ad_started(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_ad_started(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(2usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_ad_started_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 2usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_ad_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 2usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_body_started(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(3usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_body_started(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(3usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_body_started_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 3usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_body_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 3usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(4usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(4usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 4usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 4usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_nonce_set: ::core::ffi::c_uint, - private_lengths_set: ::core::ffi::c_uint, - private_ad_started: ::core::ffi::c_uint, - private_body_started: ::core::ffi::c_uint, - private_is_encrypt: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_nonce_set: u32 = unsafe { ::core::mem::transmute(private_nonce_set) }; - private_nonce_set as u64 - }); - __bindgen_bitfield_unit.set(1usize, 1u8, { - let private_lengths_set: u32 = unsafe { ::core::mem::transmute(private_lengths_set) }; - private_lengths_set as u64 - }); - __bindgen_bitfield_unit.set(2usize, 1u8, { - let private_ad_started: u32 = unsafe { ::core::mem::transmute(private_ad_started) }; - private_ad_started as u64 - }); - __bindgen_bitfield_unit.set(3usize, 1u8, { - let private_body_started: u32 = unsafe { ::core::mem::transmute(private_body_started) }; - private_body_started as u64 - }); - __bindgen_bitfield_unit.set(4usize, 1u8, { - let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; - private_is_encrypt as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Tell if PSA is ready for this cipher. + /// + /// \note When using the built-in version of the PSA core (i.e. + /// #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + /// the state of the driver subsystem, not the key type and algorithm. + /// This might be improved in the future. + /// + /// \param key_type The key type. + /// \param cipher_alg The cipher algorithm. + /// + /// \return 1 if the PSA can handle \p cipher_alg, 0 otherwise. + pub fn psa_can_do_cipher( + key_type: psa_key_type_t, + cipher_alg: psa_algorithm_t, + ) -> ::core::ffi::c_int; +} +/// \brief Encoding of the application role of PAKE +/// +/// Encodes the application's role in the algorithm is being executed. For more +/// information see the documentation of individual \c PSA_PAKE_ROLE_XXX +/// constants. +pub type psa_pake_role_t = u8; +/// Encoding of input and output indicators for PAKE. +/// +/// Some PAKE algorithms need to exchange more data than just a single key share. +/// This type is for encoding additional input and output data for such +/// algorithms. +pub type psa_pake_step_t = u8; +/// Encoding of the type of the PAKE's primitive. +/// +/// Values defined by this standard will never be in the range 0x80-0xff. +/// Vendors who define additional types must use an encoding in this range. +/// +/// For more information see the documentation of individual +/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. +pub type psa_pake_primitive_type_t = u8; +/// \brief Encoding of the family of the primitive associated with the PAKE. +/// +/// For more information see the documentation of individual +/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. +pub type psa_pake_family_t = u8; +/// \brief Encoding of the primitive associated with the PAKE. +/// +/// For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. +pub type psa_pake_primitive_t = u32; +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_pake_cipher_suite_s { + pub algorithm: psa_algorithm_t, + pub type_: psa_pake_primitive_type_t, + pub family: psa_pake_family_t, + pub bits: u16, + pub hash: psa_algorithm_t, } #[repr(C)] -#[repr(align(16))] #[derive(Copy, Clone)] -pub struct psa_hkdf_key_derivation_t { - pub private_info: *mut u8, - pub private_info_length: usize, - pub private_offset_in_block: u8, - pub private_block_number: u8, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_output_block: [u8; 64usize], - pub private_prk: [u8; 64usize], - pub __bindgen_padding_0: [u64; 0usize], - pub private_hmac: psa_mac_operation_s, +pub struct psa_crypto_driver_pake_inputs_s { + pub private_password: *mut u8, + pub private_password_len: usize, + pub private_user: *mut u8, + pub private_user_len: usize, + pub private_peer: *mut u8, + pub private_peer_len: usize, + pub private_attributes: psa_key_attributes_t, + pub private_cipher_suite: psa_pake_cipher_suite_s, } -impl Default for psa_hkdf_key_derivation_t { +impl Default for psa_crypto_driver_pake_inputs_s { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -17059,126 +18121,97 @@ impl Default for psa_hkdf_key_derivation_t { } } } -impl psa_hkdf_key_derivation_t { - #[inline] - pub fn private_state(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 2u8) as u32) } - } - #[inline] - pub fn set_private_state(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 2u8, val as u64) - } - } - #[inline] - pub unsafe fn private_state_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 2u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_state_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 2u8, - val as u64, - ) - } - } - #[inline] - pub fn private_info_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_info_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(2usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_info_set_raw(this: *const Self) -> ::core::ffi::c_uint { +pub const psa_crypto_driver_pake_step_PSA_JPAKE_STEP_INVALID: psa_crypto_driver_pake_step = 0; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 1; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 2; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 3; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 4; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 5; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 6; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 7; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 8; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 9; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = + 10; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = + 11; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 12; +pub type psa_crypto_driver_pake_step = ::core::ffi::c_uint; +pub use self::psa_crypto_driver_pake_step as psa_crypto_driver_pake_step_t; +pub const psa_jpake_round_PSA_JPAKE_FIRST: psa_jpake_round = 0; +pub const psa_jpake_round_PSA_JPAKE_SECOND: psa_jpake_round = 1; +pub const psa_jpake_round_PSA_JPAKE_FINISHED: psa_jpake_round = 2; +pub type psa_jpake_round = ::core::ffi::c_uint; +pub use self::psa_jpake_round as psa_jpake_round_t; +pub const psa_jpake_io_mode_PSA_JPAKE_INPUT: psa_jpake_io_mode = 0; +pub const psa_jpake_io_mode_PSA_JPAKE_OUTPUT: psa_jpake_io_mode = 1; +pub type psa_jpake_io_mode = ::core::ffi::c_uint; +pub use self::psa_jpake_io_mode as psa_jpake_io_mode_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_jpake_computation_stage_s { + pub private_round: psa_jpake_round_t, + pub private_io_mode: psa_jpake_io_mode_t, + pub private_inputs: u8, + pub private_outputs: u8, + pub private_step: psa_pake_step_t, +} +impl Default for psa_jpake_computation_stage_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 2usize, - 1u8, - ) as u32) + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() } } - #[inline] - pub unsafe fn set_private_info_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_pake_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_alg: psa_algorithm_t, + pub private_primitive: psa_pake_primitive_t, + pub private_stage: u8, + pub private_computation_stage: psa_pake_operation_s__bindgen_ty_1, + pub private_data: psa_pake_operation_s__bindgen_ty_2, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_pake_operation_s__bindgen_ty_1 { + pub private_dummy: u8, + pub private_jpake: psa_jpake_computation_stage_s, +} +impl Default for psa_pake_operation_s__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 2usize, - 1u8, - val as u64, - ) + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() } } - #[inline] - pub fn new_bitfield_1( - private_state: ::core::ffi::c_uint, - private_info_set: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 2u8, { - let private_state: u32 = unsafe { ::core::mem::transmute(private_state) }; - private_state as u64 - }); - __bindgen_bitfield_unit.set(2usize, 1u8, { - let private_info_set: u32 = unsafe { ::core::mem::transmute(private_info_set) }; - private_info_set as u64 - }); - __bindgen_bitfield_unit - } -} -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_tls12_ecjpake_to_pms_t { - pub private_data: [u8; 32usize], } -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_INIT: - psa_tls12_prf_key_derivation_state_t = 0; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_SEED_SET: - psa_tls12_prf_key_derivation_state_t = 1; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OTHER_KEY_SET: - psa_tls12_prf_key_derivation_state_t = 2; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_KEY_SET: - psa_tls12_prf_key_derivation_state_t = 3; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_LABEL_SET: - psa_tls12_prf_key_derivation_state_t = 4; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OUTPUT: - psa_tls12_prf_key_derivation_state_t = 5; -pub type psa_tls12_prf_key_derivation_state_t = ::core::ffi::c_uint; #[repr(C)] #[derive(Copy, Clone)] -pub struct psa_tls12_prf_key_derivation_s { - pub private_left_in_block: u8, - pub private_block_number: u8, - pub private_state: psa_tls12_prf_key_derivation_state_t, - pub private_secret: *mut u8, - pub private_secret_length: usize, - pub private_seed: *mut u8, - pub private_seed_length: usize, - pub private_label: *mut u8, - pub private_label_length: usize, - pub private_other_secret: *mut u8, - pub private_other_secret_length: usize, - pub private_Ai: [u8; 64usize], - pub private_output_block: [u8; 64usize], +pub union psa_pake_operation_s__bindgen_ty_2 { + pub private_ctx: psa_driver_pake_context_t, + pub private_inputs: psa_crypto_driver_pake_inputs_s, } -impl Default for psa_tls12_prf_key_derivation_s { +impl Default for psa_pake_operation_s__bindgen_ty_2 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for psa_pake_operation_s { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -17187,1462 +18220,1629 @@ impl Default for psa_tls12_prf_key_derivation_s { } } } -pub type psa_tls12_prf_key_derivation_t = psa_tls12_prf_key_derivation_s; -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_key_derivation_s { - pub private_alg: psa_algorithm_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_capacity: usize, - pub __bindgen_padding_0: [u64; 0usize], - pub private_ctx: psa_key_derivation_s__bindgen_ty_1, +/// The type of the data structure for PAKE cipher suites. +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_pake_cipher_suite_t = psa_pake_cipher_suite_s; +/// The type of the state data structure for PAKE operations. +/// +/// Before calling any function on a PAKE operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_pake_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_pake_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, +/// for example: +/// \code +/// psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_pake_operation_init() +/// to the structure, for example: +/// \code +/// psa_pake_operation_t operation; +/// operation = psa_pake_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_pake_operation_t = psa_pake_operation_s; +/// The type of input values for PAKE operations. +pub type psa_crypto_driver_pake_inputs_t = psa_crypto_driver_pake_inputs_s; +/// The type of computation stage for J-PAKE operations. +pub type psa_jpake_computation_stage_t = psa_jpake_computation_stage_s; +unsafe extern "C" { + /// Get the length of the password in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] password_len Password length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Password hasn't been set yet. + pub fn psa_crypto_driver_pake_get_password_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + password_len: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the password from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] buffer Return buffer for password. + /// \param buffer_size Size of the return buffer in bytes. + /// \param[out] buffer_length Actual size of the password in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Password hasn't been set yet. + pub fn psa_crypto_driver_pake_get_password( + inputs: *const psa_crypto_driver_pake_inputs_t, + buffer: *mut u8, + buffer_size: usize, + buffer_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the length of the user id in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] user_len User id length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// User id hasn't been set yet. + pub fn psa_crypto_driver_pake_get_user_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + user_len: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the length of the peer id in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] peer_len Peer id length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Peer id hasn't been set yet. + pub fn psa_crypto_driver_pake_get_peer_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + peer_len: *mut usize, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_key_derivation_s__bindgen_ty_1 { - pub private_dummy: u8, - pub private_hkdf: psa_hkdf_key_derivation_t, - pub private_tls12_prf: psa_tls12_prf_key_derivation_t, - pub private_tls12_ecjpake_to_pms: psa_tls12_ecjpake_to_pms_t, +unsafe extern "C" { + /// Get the user id from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] user_id User id. + /// \param user_id_size Size of \p user_id in bytes. + /// \param[out] user_id_len Size of the user id in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// User id hasn't been set yet. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p user_id is too small. + pub fn psa_crypto_driver_pake_get_user( + inputs: *const psa_crypto_driver_pake_inputs_t, + user_id: *mut u8, + user_id_size: usize, + user_id_len: *mut usize, + ) -> psa_status_t; } -impl Default for psa_key_derivation_s__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Get the peer id from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] peer_id Peer id. + /// \param peer_id_size Size of \p peer_id in bytes. + /// \param[out] peer_id_length Size of the peer id in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Peer id hasn't been set yet. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p peer_id is too small. + pub fn psa_crypto_driver_pake_get_peer( + inputs: *const psa_crypto_driver_pake_inputs_t, + peer_id: *mut u8, + peer_id_size: usize, + peer_id_length: *mut usize, + ) -> psa_status_t; } -impl Default for psa_key_derivation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Get the cipher suite from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] cipher_suite Return buffer for role. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Cipher_suite hasn't been set yet. + pub fn psa_crypto_driver_pake_get_cipher_suite( + inputs: *const psa_crypto_driver_pake_inputs_t, + cipher_suite: *mut psa_pake_cipher_suite_t, + ) -> psa_status_t; } -impl psa_key_derivation_s { - #[inline] - pub fn private_can_output_key(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_can_output_key(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_can_output_key_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_can_output_key_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_can_output_key: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_can_output_key: u32 = - unsafe { ::core::mem::transmute(private_can_output_key) }; - private_can_output_key as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Set the session information for a password-authenticated key exchange. + /// + /// The sequence of operations to set up a password-authenticated key exchange + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_pake_operation_t, e.g. + /// #PSA_PAKE_OPERATION_INIT. + /// -# Call psa_pake_setup() to specify the cipher suite. + /// -# Call \c psa_pake_set_xxx() functions on the operation to complete the + /// setup. The exact sequence of \c psa_pake_set_xxx() functions that needs + /// to be called depends on the algorithm in use. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// A typical sequence of calls to perform a password-authenticated key + /// exchange: + /// -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the + /// key share that needs to be sent to the peer. + /// -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide + /// the key share that was received from the peer. + /// -# Depending on the algorithm additional calls to psa_pake_output() and + /// psa_pake_input() might be necessary. + /// -# Call psa_pake_get_implicit_key() for accessing the shared secret. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// If an error occurs at any step after a call to psa_pake_setup(), + /// the operation will need to be reset by a call to psa_pake_abort(). The + /// application may call psa_pake_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_pake_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A call to psa_pake_abort(). + /// - A successful call to psa_pake_get_implicit_key(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized but not set up yet. + /// \param[in] cipher_suite The cipher suite to use. (A cipher suite fully + /// characterizes a PAKE algorithm and determines + /// the algorithm as well.) + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The algorithm in \p cipher_suite is not a PAKE algorithm, or the + /// PAKE primitive in \p cipher_suite is not compatible with the + /// PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid + /// or not compatible with the PAKE algorithm and primitive. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The algorithm in \p cipher_suite is not a supported PAKE algorithm, + /// or the PAKE primitive in \p cipher_suite is not supported or not + /// compatible with the PAKE algorithm, or the hash algorithm in + /// \p cipher_suite is not supported or not compatible with the PAKE + /// algorithm and primitive. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_setup( + operation: *mut psa_pake_operation_t, + cipher_suite: *const psa_pake_cipher_suite_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_key_policy_s { - pub private_usage: psa_key_usage_t, - pub private_alg: psa_algorithm_t, - pub private_alg2: psa_algorithm_t, +unsafe extern "C" { + /// Set the password for a password-authenticated key exchange from key ID. + /// + /// Call this function when the password, or a value derived from the password, + /// is already present in the key store. + /// + /// \param[in,out] operation The operation object to set the password for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the password hasn't + /// been set yet (psa_pake_set_password_key() + /// hasn't been called yet). + /// \param password Identifier of the key holding the password or a + /// value derived from the password (eg. by a + /// memory-hard function). It must remain valid + /// until the operation terminates. It must be of + /// type #PSA_KEY_TYPE_PASSWORD or + /// #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow + /// the usage #PSA_KEY_USAGE_DERIVE. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p password is not a valid key identifier. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not + /// permit the \p operation's algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or + /// #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with + /// the \p operation's cipher suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size of \p password is not supported with the + /// \p operation's cipher suite. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must have been set up.), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_password_key( + operation: *mut psa_pake_operation_t, + password: mbedtls_svc_key_id_t, + ) -> psa_status_t; } -pub type psa_key_policy_t = psa_key_policy_s; -pub type psa_key_bits_t = u16; -/// A mask of flags that can be stored in key attributes. -/// -/// This type is also used internally to store flags in slots. Internal -/// flags are defined in library/psa_crypto_core.h. Internal flags may have -/// the same value as external flags if they are properly handled during -/// key creation and in psa_get_key_attributes. -pub type psa_key_attributes_flag_t = u16; -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_core_key_attributes_t { - pub private_type: psa_key_type_t, - pub private_bits: psa_key_bits_t, - pub private_lifetime: psa_key_lifetime_t, - pub private_id: mbedtls_svc_key_id_t, - pub private_policy: psa_key_policy_t, - pub private_flags: psa_key_attributes_flag_t, +unsafe extern "C" { + /// Set the user ID for a password-authenticated key exchange. + /// + /// Call this function to set the user ID. For PAKE algorithms that associate a + /// user identifier with each side of the session you need to call + /// psa_pake_set_peer() as well. For PAKE algorithms that associate a single + /// user identifier with the session, call psa_pake_set_user() only. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \note When using the built-in implementation of #PSA_ALG_JPAKE, the user ID + /// must be `"client"` (6-byte string) or `"server"` (6-byte string). + /// Third-party drivers may or may not have this limitation. + /// + /// \param[in,out] operation The operation object to set the user ID for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the user ID hasn't + /// been set (psa_pake_set_user() hasn't been + /// called yet). + /// \param[in] user_id The user ID to authenticate with. + /// \param user_id_len Size of the \p user_id buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p user_id is not valid for the \p operation's algorithm and cipher + /// suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The value of \p user_id is not supported by the implementation. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_user( + operation: *mut psa_pake_operation_t, + user_id: *const u8, + user_id_len: usize, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_key_attributes_s { - pub private_core: psa_core_key_attributes_t, - pub private_domain_parameters: *mut ::core::ffi::c_void, - pub private_domain_parameters_size: usize, +unsafe extern "C" { + /// Set the peer ID for a password-authenticated key exchange. + /// + /// Call this function in addition to psa_pake_set_user() for PAKE algorithms + /// that associate a user identifier with each side of the session. For PAKE + /// algorithms that associate a single user identifier with the session, call + /// psa_pake_set_user() only. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \note When using the built-in implementation of #PSA_ALG_JPAKE, the peer ID + /// must be `"client"` (6-byte string) or `"server"` (6-byte string). + /// Third-party drivers may or may not have this limitation. + /// + /// \param[in,out] operation The operation object to set the peer ID for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the peer ID hasn't + /// been set (psa_pake_set_peer() hasn't been + /// called yet). + /// \param[in] peer_id The peer's ID to authenticate. + /// \param peer_id_len Size of the \p peer_id buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p peer_id is not valid for the \p operation's algorithm and cipher + /// suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The algorithm doesn't associate a second identity with the session. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// Calling psa_pake_set_peer() is invalid with the \p operation's + /// algorithm, the operation state is not valid, or the library has not + /// been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_peer( + operation: *mut psa_pake_operation_t, + peer_id: *const u8, + peer_id_len: usize, + ) -> psa_status_t; } -impl Default for psa_key_attributes_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Set the application role for a password-authenticated key exchange. + /// + /// Not all PAKE algorithms need to differentiate the communicating entities. + /// It is optional to call this function for PAKEs that don't require a role + /// to be specified. For such PAKEs the application role parameter is ignored, + /// or #PSA_PAKE_ROLE_NONE can be passed as \c role. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \param[in,out] operation The operation object to specify the + /// application's role for. It must have been set up + /// by psa_pake_setup() and not yet in use (neither + /// psa_pake_output() nor psa_pake_input() has been + /// called yet). It must be on operation for which + /// the application's role hasn't been specified + /// (psa_pake_set_role() hasn't been called yet). + /// \param role A value of type ::psa_pake_role_t indicating the + /// application's role in the PAKE the algorithm + /// that is being set up. For more information see + /// the documentation of \c PSA_PAKE_ROLE_XXX + /// constants. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The \p role is not a valid PAKE role in the \p operation’s algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The \p role for this algorithm is not supported or is not valid. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_role( + operation: *mut psa_pake_operation_t, + role: psa_pake_role_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Set domain parameters for a key. + /// Get output for a step of a password-authenticated key exchange. /// - /// Some key types require additional domain parameters in addition to - /// the key type identifier and the key size. Use this function instead - /// of psa_set_key_type() when you need to specify domain parameters. + /// Depending on the algorithm being executed, you might need to call this + /// function several times or you might not need to call this at all. /// - /// The format for the required domain parameters varies based on the key type. + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// - /// - For RSA keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY or #PSA_KEY_TYPE_RSA_KEY_PAIR), - /// the domain parameter data consists of the public exponent, - /// represented as a big-endian integer with no leading zeros. - /// This information is used when generating an RSA key pair. - /// When importing a key, the public exponent is read from the imported - /// key data and the exponent recorded in the attribute structure is ignored. - /// As an exception, the public exponent 65537 is represented by an empty - /// byte string. - /// - For DSA keys (#PSA_KEY_TYPE_DSA_PUBLIC_KEY or #PSA_KEY_TYPE_DSA_KEY_PAIR), - /// the `Dss-Params` format as defined by RFC 3279 §2.3.2. - /// ``` - /// Dss-Params ::= SEQUENCE { - /// p INTEGER, - /// q INTEGER, - /// g INTEGER - /// } - /// ``` - /// - For Diffie-Hellman key exchange keys - /// (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or - /// #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM)), the - /// `DomainParameters` format as defined by RFC 3279 §2.3.3. - /// ``` - /// DomainParameters ::= SEQUENCE { - /// p INTEGER, -- odd prime, p=jq +1 - /// g INTEGER, -- generator, g - /// q INTEGER, -- factor of p-1 - /// j INTEGER OPTIONAL, -- subgroup factor - /// validationParams ValidationParams OPTIONAL - /// } - /// ValidationParams ::= SEQUENCE { - /// seed BIT STRING, - /// pgenCounter INTEGER - /// } - /// ``` + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_pake_abort(). /// - /// \note This function may allocate memory or other resources. - /// Once you have called this function on an attribute structure, - /// you must call psa_reset_key_attributes() to free these resources. + /// \param[in,out] operation Active PAKE operation. + /// \param step The step of the algorithm for which the output is + /// requested. + /// \param[out] output Buffer where the output is to be written in the + /// format appropriate for this \p step. Refer to + /// the documentation of the individual + /// \c PSA_PAKE_STEP_XXX constants for more + /// information. + /// \param output_size Size of the \p output buffer in bytes. This must + /// be at least #PSA_PAKE_OUTPUT_SIZE(\c alg, \c + /// primitive, \p output_step) where \c alg and + /// \p primitive are the PAKE algorithm and primitive + /// in the operation's cipher suite, and \p step is + /// the output step. + /// + /// \param[out] output_length On success, the number of bytes of the returned + /// output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p step is not compatible with the operation's algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p step is not supported with the operation's algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and fully set + /// up, and this call must conform to the algorithm's requirements + /// for ordering of input and output steps), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_output( + operation: *mut psa_pake_operation_t, + step: psa_pake_step_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Provide input for a step of a password-authenticated key exchange. + /// + /// Depending on the algorithm being executed, you might need to call this + /// function several times or you might not need to call this at all. + /// + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// - /// \note This is an experimental extension to the interface. It may change - /// in future versions of the library. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_pake_abort(). /// - /// \param[in,out] attributes Attribute structure where the specified domain - /// parameters will be stored. - /// If this function fails, the content of - /// \p attributes is not modified. - /// \param type Key type (a \c PSA_KEY_TYPE_XXX value). - /// \param[in] data Buffer containing the key domain parameters. - /// The content of this buffer is interpreted - /// according to \p type as described above. - /// \param data_length Size of the \p data buffer in bytes. + /// \param[in,out] operation Active PAKE operation. + /// \param step The step for which the input is provided. + /// \param[in] input Buffer containing the input in the format + /// appropriate for this \p step. Refer to the + /// documentation of the individual + /// \c PSA_PAKE_STEP_XXX constants for more + /// information. + /// \param input_length Size of the \p input buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p input_length is not compatible with the \p operation’s algorithm, + /// or the \p input is not valid for the \p operation's algorithm, + /// cipher suite or \p step. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p step p is not supported with the \p operation's algorithm, or the + /// \p input is not supported for the \p operation's algorithm, cipher + /// suite or \p step. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - pub fn psa_set_key_domain_parameters( - attributes: *mut psa_key_attributes_t, - type_: psa_key_type_t, - data: *const u8, - data_length: usize, + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and fully set + /// up, and this call must conform to the algorithm's requirements + /// for ordering of input and output steps), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_input( + operation: *mut psa_pake_operation_t, + step: psa_pake_step_t, + input: *const u8, + input_length: usize, ) -> psa_status_t; } -/// \brief The context for PSA interruptible hash signing. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_sign_hash_interruptible_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_ctx: psa_driver_sign_hash_interruptible_context_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_num_ops: u32, -} -impl Default for psa_sign_hash_interruptible_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl psa_sign_hash_interruptible_operation_s { - #[inline] - pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_error_occurred: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_error_occurred: u32 = - unsafe { ::core::mem::transmute(private_error_occurred) }; - private_error_occurred as u64 - }); - __bindgen_bitfield_unit - } -} -/// \brief The context for PSA interruptible hash verification. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_verify_hash_interruptible_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_ctx: psa_driver_verify_hash_interruptible_context_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_num_ops: u32, -} -impl Default for psa_verify_hash_interruptible_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl psa_verify_hash_interruptible_operation_s { - #[inline] - pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_error_occurred: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_error_occurred: u32 = - unsafe { ::core::mem::transmute(private_error_occurred) }; - private_error_occurred as u64 - }); - __bindgen_bitfield_unit - } -} -pub type psa_key_handle_t = mbedtls_svc_key_id_t; unsafe extern "C" { - /// Open a handle to an existing persistent key. - /// - /// Open a handle to a persistent key. A key is persistent if it was created - /// with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key - /// always has a nonzero key identifier, set with psa_set_key_id() when - /// creating the key. Implementations may provide additional pre-provisioned - /// keys that can be opened with psa_open_key(). Such keys have an application - /// key identifier in the vendor range, as documented in the description of - /// #psa_key_id_t. + /// Get implicitly confirmed shared secret from a PAKE. /// - /// The application must eventually close the handle with psa_close_key() or - /// psa_destroy_key() to release associated resources. If the application dies - /// without calling one of these functions, the implementation should perform - /// the equivalent of a call to psa_close_key(). + /// At this point there is a cryptographic guarantee that only the authenticated + /// party who used the same password is able to compute the key. But there is no + /// guarantee that the peer is the party it claims to be and was able to do so. /// - /// Some implementations permit an application to open the same key multiple - /// times. If this is successful, each call to psa_open_key() will return a - /// different key handle. + /// That is, the authentication is only implicit. Since the peer is not + /// authenticated yet, no action should be taken yet that assumes that the peer + /// is who it claims to be. For example, do not access restricted files on the + /// peer's behalf until an explicit authentication has succeeded. /// - /// \note This API is not part of the PSA Cryptography API Release 1.0.0 - /// specification. It was defined in the 1.0 Beta 3 version of the - /// specification but was removed in the 1.0.0 released version. This API is - /// kept for the time being to not break applications relying on it. It is not - /// deprecated yet but will be in the near future. + /// This function can be called after the key exchange phase of the operation + /// has completed. It imports the shared secret output of the PAKE into the + /// provided derivation operation. The input step + /// #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key + /// material in the key derivation operation. /// - /// \note Applications that rely on opening a key multiple times will not be - /// portable to implementations that only permit a single key handle to be - /// opened. See also :ref:\`key-handles\`. + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// + /// When this function returns successfully, \p operation becomes inactive. + /// If this function returns an error status, both \p operation + /// and \c key_derivation operations enter an error state and must be aborted by + /// calling psa_pake_abort() and psa_key_derivation_abort() respectively. /// - /// \param key The persistent identifier of the key. - /// \param[out] handle On success, a handle to the key. + /// \param[in,out] operation Active PAKE operation. + /// \param[out] output A key derivation operation that is ready + /// for an input step of type + /// #PSA_KEY_DERIVATION_INPUT_SECRET. /// /// \retval #PSA_SUCCESS - /// Success. The application can now use the value of `*handle` - /// to access the key. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY - /// The implementation does not have sufficient resources to open the - /// key. This can be due to reaching an implementation limit on the - /// number of open keys, the number of open key handles, or available - /// memory. - /// \retval #PSA_ERROR_DOES_NOT_EXIST - /// There is no persistent key with key identifier \p key. + /// Success. /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not a valid persistent key identifier. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The specified key exists, but the application does not have the - /// permission to access it. Note that this specification does not - /// define any way to create such a key, but it may be possible - /// through implementation-specific means. + /// #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the + /// algorithm in the \p output key derivation operation. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// Input from a PAKE is not supported by the algorithm in the \p output + /// key derivation operation. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The PAKE operation state is not valid (it must be active, but beyond + /// that validity is specific to the algorithm), or + /// the library has not been previously initialized by psa_crypto_init(), + /// or the state of \p output is not valid for + /// the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the + /// step is out of order or the application has done this step already + /// and it may not be repeated. /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_open_key(key: mbedtls_svc_key_id_t, handle: *mut psa_key_handle_t) -> psa_status_t; + pub fn psa_pake_get_implicit_key( + operation: *mut psa_pake_operation_t, + output: *mut psa_key_derivation_operation_t, + ) -> psa_status_t; } unsafe extern "C" { - /// Close a key handle. - /// - /// If the handle designates a volatile key, this will destroy the key material - /// and free all associated resources, just like psa_destroy_key(). - /// - /// If this is the last open handle to a persistent key, then closing the handle - /// will free all resources associated with the key in volatile memory. The key - /// data in persistent storage is not affected and can be opened again later - /// with a call to psa_open_key(). + /// Abort a PAKE operation. /// - /// Closing the key handle makes the handle invalid, and the key handle - /// must not be used again by the application. + /// Aborting an operation frees all associated resources except for the \c + /// operation structure itself. Once aborted, the operation object can be reused + /// for another operation by calling psa_pake_setup() again. /// - /// \note This API is not part of the PSA Cryptography API Release 1.0.0 - /// specification. It was defined in the 1.0 Beta 3 version of the - /// specification but was removed in the 1.0.0 released version. This API is - /// kept for the time being to not break applications relying on it. It is not - /// deprecated yet but will be in the near future. + /// This function may be called at any time after the operation + /// object has been initialized as described in #psa_pake_operation_t. /// - /// \note If the key handle was used to set up an active - /// :ref:\`multipart operation \`, then closing the - /// key handle can cause the multipart operation to fail. Applications should - /// maintain the key handle until after the multipart operation has finished. + /// In particular, calling psa_pake_abort() after the operation has been + /// terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() + /// is safe and has no effect. /// - /// \param handle The key handle to close. - /// If this is \c 0, do nothing and return \c PSA_SUCCESS. + /// \param[in,out] operation The operation to abort. /// /// \retval #PSA_SUCCESS - /// \p handle was a valid handle or \c 0. It is now closed. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p handle is not a valid handle nor \c 0. + /// Success. /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_close_key(handle: psa_key_handle_t) -> psa_status_t; + pub fn psa_pake_abort(operation: *mut psa_pake_operation_t) -> psa_status_t; } -unsafe extern "C" { - /// \brief Library deinitialization. +pub const mbedtls_pk_type_t_MBEDTLS_PK_NONE: mbedtls_pk_type_t = 0; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA: mbedtls_pk_type_t = 1; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY: mbedtls_pk_type_t = 2; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY_DH: mbedtls_pk_type_t = 3; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECDSA: mbedtls_pk_type_t = 4; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA_ALT: mbedtls_pk_type_t = 5; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSASSA_PSS: mbedtls_pk_type_t = 6; +pub const mbedtls_pk_type_t_MBEDTLS_PK_OPAQUE: mbedtls_pk_type_t = 7; +/// \brief Public key types +pub type mbedtls_pk_type_t = ::core::ffi::c_uint; +/// \brief Options for RSASSA-PSS signature verification. +/// See \c mbedtls_rsa_rsassa_pss_verify_ext() +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_rsassa_pss_options { + /// The digest to use for MGF1 in PSS. /// - /// This function clears all data associated with the PSA layer, - /// including the whole key store. + /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is + /// disabled, this must be equal to the \c md_alg argument passed + /// to mbedtls_pk_verify_ext(). In a future version of the library, + /// this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is + /// enabled regardless of the status of #MBEDTLS_RSA_C. + pub mgf1_hash_id: mbedtls_md_type_t, + /// The expected length of the salt, in bytes. This may be + /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. /// - /// This is an Mbed TLS extension. - pub fn mbedtls_psa_crypto_free(); + /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only + /// #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be + /// ignored (allowing any salt length). + pub expected_salt_len: ::core::ffi::c_int, } -/// \brief Statistics about -/// resource consumption related to the PSA keystore. -/// -/// \note The content of this structure is not part of the stable API and ABI -/// of Mbed Crypto and may change arbitrarily from version to version. +impl Default for mbedtls_pk_rsassa_pss_options { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_NONE: mbedtls_pk_debug_type = 0; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_MPI: mbedtls_pk_debug_type = 1; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_ECP: mbedtls_pk_debug_type = 2; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_PSA_EC: mbedtls_pk_debug_type = 3; +/// \brief Types for interfacing with the debug module +pub type mbedtls_pk_debug_type = ::core::ffi::c_uint; +/// \brief Item to send to the debug module #[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_stats_s { - /// Number of slots containing key material for a volatile key. - pub private_volatile_slots: usize, - /// Number of slots containing key material for a key which is in - /// internal persistent storage. - pub private_persistent_slots: usize, - /// Number of slots containing a reference to a key in a - /// secure element. - pub private_external_slots: usize, - /// Number of slots which are occupied, but do not contain - /// key material yet. - pub private_half_filled_slots: usize, - /// Number of slots that contain cache data. - pub private_cache_slots: usize, - /// Number of slots that are not used for anything. - pub private_empty_slots: usize, - /// Number of slots that are locked. - pub private_locked_slots: usize, - /// Largest key id value among open keys in internal persistent storage. - pub private_max_open_internal_key_id: psa_key_id_t, - /// Largest key id value among open keys in secure elements. - pub private_max_open_external_key_id: psa_key_id_t, +#[derive(Copy, Clone)] +pub struct mbedtls_pk_debug_item { + pub private_type: mbedtls_pk_debug_type, + pub private_name: *const ::core::ffi::c_char, + pub private_value: *mut ::core::ffi::c_void, } -/// \brief Statistics about -/// resource consumption related to the PSA keystore. -/// -/// \note The content of this structure is not part of the stable API and ABI -/// of Mbed Crypto and may change arbitrarily from version to version. -pub type mbedtls_psa_stats_t = mbedtls_psa_stats_s; -unsafe extern "C" { - /// \brief Get statistics about - /// resource consumption related to the PSA keystore. - /// - /// \note When Mbed Crypto is built as part of a service, with isolation - /// between the application and the keystore, the service may or - /// may not expose this function. - pub fn mbedtls_psa_get_stats(stats: *mut mbedtls_psa_stats_t); +impl Default for mbedtls_pk_debug_item { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief Inject an initial entropy seed for the random generator into - /// secure storage. - /// - /// This function injects data to be used as a seed for the random generator - /// used by the PSA Crypto implementation. On devices that lack a trusted - /// entropy source (preferably a hardware random number generator), - /// the Mbed PSA Crypto implementation uses this value to seed its - /// random generator. - /// - /// On devices without a trusted entropy source, this function must be - /// called exactly once in the lifetime of the device. On devices with - /// a trusted entropy source, calling this function is optional. - /// In all cases, this function may only be called before calling any - /// other function in the PSA Crypto API, including psa_crypto_init(). - /// - /// When this function returns successfully, it populates a file in - /// persistent storage. Once the file has been created, this function - /// can no longer succeed. - /// - /// If any error occurs, this function does not change the system state. - /// You can call this function again after correcting the reason for the - /// error if possible. - /// - /// \warning This function **can** fail! Callers MUST check the return status. - /// - /// \warning If you use this function, you should use it as part of a - /// factory provisioning process. The value of the injected seed - /// is critical to the security of the device. It must be - /// *secret*, *unpredictable* and (statistically) *unique per device*. - /// You should be generate it randomly using a cryptographically - /// secure random generator seeded from trusted entropy sources. - /// You should transmit it securely to the device and ensure - /// that its value is not leaked or stored anywhere beyond the - /// needs of transmitting it from the point of generation to - /// the call of this function, and erase all copies of the value - /// once this function returns. - /// - /// This is an Mbed TLS extension. - /// - /// \note This function is only available on the following platforms: - /// * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled. - /// Note that you must provide compatible implementations of - /// mbedtls_nv_seed_read and mbedtls_nv_seed_write. - /// * In a client-server integration of PSA Cryptography, on the client side, - /// if the server supports this feature. - /// \param[in] seed Buffer containing the seed value to inject. - /// \param[in] seed_size Size of the \p seed buffer. - /// The size of the seed in bytes must be greater - /// or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE - /// and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM - /// in `library/entropy_poll.h` in the Mbed TLS source - /// code. - /// It must be less or equal to - /// #MBEDTLS_ENTROPY_MAX_SEED_SIZE. - /// - /// \retval #PSA_SUCCESS - /// The seed value was injected successfully. The random generator - /// of the PSA Crypto implementation is now ready for use. - /// You may now call psa_crypto_init() and use the PSA Crypto - /// implementation. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p seed_size is out of range. - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// There was a failure reading or writing from storage. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The library has already been initialized. It is no longer - /// possible to call this function. - pub fn mbedtls_psa_inject_entropy(seed: *const u8, seed_size: usize) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_info_t { + _unused: [u8; 0], } -unsafe extern "C" { - /// \brief Get domain parameters for a key. - /// - /// Get the domain parameters for a key with this function, if any. The format - /// of the domain parameters written to \p data is specified in the - /// documentation for psa_set_key_domain_parameters(). - /// - /// \note This is an experimental extension to the interface. It may change - /// in future versions of the library. - /// - /// \param[in] attributes The key attribute structure to query. - /// \param[out] data On success, the key domain parameters. - /// \param data_size Size of the \p data buffer in bytes. - /// The buffer is guaranteed to be large - /// enough if its size in bytes is at least - /// the value given by - /// PSA_KEY_DOMAIN_PARAMETERS_SIZE(). - /// \param[out] data_length On success, the number of bytes - /// that make up the key domain parameters data. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - pub fn psa_get_key_domain_parameters( - attributes: *const psa_key_attributes_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; +/// \brief Public key container +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_context { + ///< Public key information + pub private_pk_info: *const mbedtls_pk_info_t, + ///< Underlying public key context + pub private_pk_ctx: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_pk_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } +pub type mbedtls_pk_restart_ctx = ::core::ffi::c_void; +/// \brief Types for RSA-alt abstraction +pub type mbedtls_pk_rsa_alt_decrypt_func = ::core::option::Option< + unsafe extern "C" fn( + ctx: *mut ::core::ffi::c_void, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, + ) -> ::core::ffi::c_int, +>; +pub type mbedtls_pk_rsa_alt_sign_func = ::core::option::Option< + unsafe extern "C" fn( + ctx: *mut ::core::ffi::c_void, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int, +>; +pub type mbedtls_pk_rsa_alt_key_len_func = + ::core::option::Option usize>; unsafe extern "C" { - /// Convert an ECC curve identifier from the PSA encoding to Mbed TLS. - /// - /// \note This function is provided solely for the convenience of - /// Mbed TLS and may be removed at any time without notice. + /// \brief Return information associated with the given PK type /// - /// \param curve A PSA elliptic curve identifier - /// (`PSA_ECC_FAMILY_xxx`). - /// \param bits The bit-length of a private key on \p curve. - /// \param bits_is_sloppy If true, \p bits may be the bit-length rounded up - /// to the nearest multiple of 8. This allows the caller - /// to infer the exact curve from the length of a key - /// which is supplied as a byte string. + /// \param pk_type PK type to search for. /// - /// \return The corresponding Mbed TLS elliptic curve identifier - /// (`MBEDTLS_ECP_DP_xxx`). - /// \return #MBEDTLS_ECP_DP_NONE if \c curve is not recognized. - /// \return #MBEDTLS_ECP_DP_NONE if \p bits is not - /// correct for \p curve. - pub fn mbedtls_ecc_group_of_psa( - curve: psa_ecc_family_t, - bits: usize, - bits_is_sloppy: ::core::ffi::c_int, - ) -> mbedtls_ecp_group_id; + /// \return The PK info associated with the type or NULL if not found. + pub fn mbedtls_pk_info_from_type(pk_type: mbedtls_pk_type_t) -> *const mbedtls_pk_info_t; } unsafe extern "C" { - /// External random generator function, implemented by the platform. - /// - /// When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, - /// this function replaces Mbed TLS's entropy and DRBG modules for all - /// random generation triggered via PSA crypto interfaces. - /// - /// \note This random generator must deliver random numbers with cryptographic - /// quality and high performance. It must supply unpredictable numbers - /// with a uniform distribution. The implementation of this function - /// is responsible for ensuring that the random generator is seeded - /// with sufficient entropy. If you have a hardware TRNG which is slow - /// or delivers non-uniform output, declare it as an entropy source - /// with mbedtls_entropy_add_source() instead of enabling this option. - /// - /// \param[in,out] context Pointer to the random generator context. - /// This is all-bits-zero on the first call - /// and preserved between successive calls. - /// \param[out] output Output buffer. On success, this buffer - /// contains random data with a uniform - /// distribution. - /// \param output_size The size of the \p output buffer in bytes. - /// \param[out] output_length On success, set this value to \p output_size. + /// \brief Initialize a #mbedtls_pk_context (as NONE). /// - /// \retval #PSA_SUCCESS - /// Success. The output buffer contains \p output_size bytes of - /// cryptographic-quality random data, and \c *output_length is - /// set to \p output_size. - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - /// The random generator requires extra entropy and there is no - /// way to obtain entropy under current environment conditions. - /// This error should not happen under normal circumstances since - /// this function is responsible for obtaining as much entropy as - /// it needs. However implementations of this function may return - /// #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain - /// entropy without blocking indefinitely. - /// \retval #PSA_ERROR_HARDWARE_FAILURE - /// A failure of the random generator hardware that isn't covered - /// by #PSA_ERROR_INSUFFICIENT_ENTROPY. - pub fn mbedtls_psa_external_get_random( - context: *mut mbedtls_psa_external_random_context_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_pk_init(ctx: *mut mbedtls_pk_context); } -/// A slot number identifying a key in a driver. -/// -/// Values of this type are used to identify built-in keys. -pub type psa_drv_slot_number_t = u64; -/// \brief Encoding of the application role of PAKE -/// -/// Encodes the application's role in the algorithm is being executed. For more -/// information see the documentation of individual \c PSA_PAKE_ROLE_XXX -/// constants. -pub type psa_pake_role_t = u8; -/// Encoding of input and output indicators for PAKE. -/// -/// Some PAKE algorithms need to exchange more data than just a single key share. -/// This type is for encoding additional input and output data for such -/// algorithms. -pub type psa_pake_step_t = u8; -/// Encoding of the type of the PAKE's primitive. -/// -/// Values defined by this standard will never be in the range 0x80-0xff. -/// Vendors who define additional types must use an encoding in this range. -/// -/// For more information see the documentation of individual -/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. -pub type psa_pake_primitive_type_t = u8; -/// \brief Encoding of the family of the primitive associated with the PAKE. -/// -/// For more information see the documentation of individual -/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. -pub type psa_pake_family_t = u8; -/// \brief Encoding of the primitive associated with the PAKE. -/// -/// For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. -pub type psa_pake_primitive_t = u32; -/// The type of the data structure for PAKE cipher suites. -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_pake_cipher_suite_t = psa_pake_cipher_suite_s; -/// The type of the state data structure for PAKE operations. -/// -/// Before calling any function on a PAKE operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_pake_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_pake_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, -/// for example: -/// \code -/// psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_pake_operation_init() -/// to the structure, for example: -/// \code -/// psa_pake_operation_t operation; -/// operation = psa_pake_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_pake_operation_t = psa_pake_operation_s; -/// The type of input values for PAKE operations. -pub type psa_crypto_driver_pake_inputs_t = psa_crypto_driver_pake_inputs_s; -/// The type of computation stage for J-PAKE operations. -pub type psa_jpake_computation_stage_t = psa_jpake_computation_stage_s; unsafe extern "C" { - /// Get the length of the password in bytes from given inputs. + /// \brief Free the components of a #mbedtls_pk_context. /// - /// \param[in] inputs Operation inputs. - /// \param[out] password_len Password length. + /// \param ctx The context to clear. It must have been initialized. + /// If this is \c NULL, this function does nothing. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Password hasn't been set yet. - pub fn psa_crypto_driver_pake_get_password_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - password_len: *mut usize, - ) -> psa_status_t; + /// \note For contexts that have been set up with + /// mbedtls_pk_setup_opaque(), this does not free the underlying + /// PSA key and you still need to call psa_destroy_key() + /// independently if you want to destroy that key. + pub fn mbedtls_pk_free(ctx: *mut mbedtls_pk_context); } unsafe extern "C" { - /// Get the password from given inputs. - /// - /// \param[in] inputs Operation inputs. - /// \param[out] buffer Return buffer for password. - /// \param buffer_size Size of the return buffer in bytes. - /// \param[out] buffer_length Actual size of the password in bytes. + /// \brief Initialize a PK context with the information given + /// and allocates the type-specific PK subcontext. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Password hasn't been set yet. - pub fn psa_crypto_driver_pake_get_password( - inputs: *const psa_crypto_driver_pake_inputs_t, - buffer: *mut u8, - buffer_size: usize, - buffer_length: *mut usize, - ) -> psa_status_t; -} -unsafe extern "C" { - /// Get the role from given inputs. + /// \param ctx Context to initialize. It must not have been set + /// up yet (type #MBEDTLS_PK_NONE). + /// \param info Information to use /// - /// \param[in] inputs Operation inputs. - /// \param[out] role Return buffer for role. + /// \return 0 on success, + /// MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input, + /// MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Role hasn't been set yet. - pub fn psa_crypto_driver_pake_get_role( - inputs: *const psa_crypto_driver_pake_inputs_t, - role: *mut psa_pake_role_t, - ) -> psa_status_t; + /// \note For contexts holding an RSA-alt key, use + /// \c mbedtls_pk_setup_rsa_alt() instead. + pub fn mbedtls_pk_setup( + ctx: *mut mbedtls_pk_context, + info: *const mbedtls_pk_info_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the length of the user id in bytes from given inputs. + /// \brief Initialize an RSA-alt context /// - /// \param[in] inputs Operation inputs. - /// \param[out] user_len User id length. + /// \param ctx Context to initialize. It must not have been set + /// up yet (type #MBEDTLS_PK_NONE). + /// \param key RSA key pointer + /// \param decrypt_func Decryption function + /// \param sign_func Signing function + /// \param key_len_func Function returning key length in bytes /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// User id hasn't been set yet. - pub fn psa_crypto_driver_pake_get_user_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - user_len: *mut usize, - ) -> psa_status_t; + /// \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the + /// context wasn't already initialized as RSA_ALT. + /// + /// \note This function replaces \c mbedtls_pk_setup() for RSA-alt. + pub fn mbedtls_pk_setup_rsa_alt( + ctx: *mut mbedtls_pk_context, + key: *mut ::core::ffi::c_void, + decrypt_func: mbedtls_pk_rsa_alt_decrypt_func, + sign_func: mbedtls_pk_rsa_alt_sign_func, + key_len_func: mbedtls_pk_rsa_alt_key_len_func, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the length of the peer id in bytes from given inputs. + /// \brief Get the size in bits of the underlying key /// - /// \param[in] inputs Operation inputs. - /// \param[out] peer_len Peer id length. + /// \param ctx The context to query. It must have been initialized. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Peer id hasn't been set yet. - pub fn psa_crypto_driver_pake_get_peer_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - peer_len: *mut usize, - ) -> psa_status_t; + /// \return Key size in bits, or 0 on error + pub fn mbedtls_pk_get_bitlen(ctx: *const mbedtls_pk_context) -> usize; } unsafe extern "C" { - /// Get the user id from given inputs. + /// \brief Tell if a context can do the operation given by type /// - /// \param[in] inputs Operation inputs. - /// \param[out] user_id User id. - /// \param user_id_size Size of \p user_id in bytes. - /// \param[out] user_id_len Size of the user id in bytes. + /// \param ctx The context to query. It must have been initialized. + /// \param type The desired type. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// User id hasn't been set yet. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p user_id is too small. - pub fn psa_crypto_driver_pake_get_user( - inputs: *const psa_crypto_driver_pake_inputs_t, - user_id: *mut u8, - user_id_size: usize, - user_id_len: *mut usize, - ) -> psa_status_t; + /// \return 1 if the context can do operations on the given type. + /// \return 0 if the context cannot do the operations on the given + /// type. This is always the case for a context that has + /// been initialized but not set up, or that has been + /// cleared with mbedtls_pk_free(). + pub fn mbedtls_pk_can_do( + ctx: *const mbedtls_pk_context, + type_: mbedtls_pk_type_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the peer id from given inputs. + /// \brief Determine valid PSA attributes that can be used to + /// import a key into PSA. /// - /// \param[in] inputs Operation inputs. - /// \param[out] peer_id Peer id. - /// \param peer_id_size Size of \p peer_id in bytes. - /// \param[out] peer_id_length Size of the peer id in bytes. + /// The attributes determined by this function are suitable + /// for calling mbedtls_pk_import_into_psa() to create + /// a PSA key with the same key material. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Peer id hasn't been set yet. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p peer_id is too small. - pub fn psa_crypto_driver_pake_get_peer( - inputs: *const psa_crypto_driver_pake_inputs_t, - peer_id: *mut u8, - peer_id_size: usize, - peer_id_length: *mut usize, - ) -> psa_status_t; + /// The typical flow of operations involving this function is + /// ``` + /// psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + /// int ret = mbedtls_pk_get_psa_attributes(pk, &attributes); + /// if (ret != 0) ...; // error handling omitted + /// // Tweak attributes if desired + /// psa_key_id_t key_id = 0; + /// ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id); + /// if (ret != 0) ...; // error handling omitted + /// ``` + /// + /// \note This function does not support RSA-alt contexts + /// (set up with mbedtls_pk_setup_rsa_alt()). + /// + /// \param[in] pk The PK context to use. It must have been set up. + /// It can either contain a key pair or just a public key. + /// \param usage A single `PSA_KEY_USAGE_xxx` flag among the following: + /// - #PSA_KEY_USAGE_DECRYPT: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_ENCRYPT as well as + /// #PSA_KEY_USAGE_DECRYPT. + /// - #PSA_KEY_USAGE_DERIVE: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type. + /// - #PSA_KEY_USAGE_ENCRYPT: The output + /// \p attributes will contain a public key type. + /// - #PSA_KEY_USAGE_SIGN_HASH: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_VERIFY_HASH as well as + /// #PSA_KEY_USAGE_SIGN_HASH. + /// - #PSA_KEY_USAGE_SIGN_MESSAGE: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_VERIFY_MESSAGE as well as + /// #PSA_KEY_USAGE_SIGN_MESSAGE. + /// - #PSA_KEY_USAGE_VERIFY_HASH: The output + /// \p attributes will contain a public key type. + /// - #PSA_KEY_USAGE_VERIFY_MESSAGE: The output + /// \p attributes will contain a public key type. + /// \param[out] attributes + /// On success, valid attributes to import the key into PSA. + /// - The lifetime and key identifier are unchanged. If the + /// attribute structure was initialized or reset before + /// calling this function, this will result in a volatile + /// key. Call psa_set_key_identifier() before or after this + /// function if you wish to create a persistent key. Call + /// psa_set_key_lifetime() before or after this function if + /// you wish to import the key in a secure element. + /// - The key type and bit-size are determined by the contents + /// of the PK context. If the PK context contains a key + /// pair, the key type can be either a key pair type or + /// the corresponding public key type, depending on + /// \p usage. If the PK context contains a public key, + /// the key type is a public key type. + /// - The key's policy is determined by the key type and + /// the \p usage parameter. The usage always allows + /// \p usage, exporting and copying the key, and + /// possibly other permissions as documented for the + /// \p usage parameter. + /// The permitted algorithm policy is determined as follows + /// based on the #mbedtls_pk_type_t type of \p pk, + /// the chosen \p usage and other factors: + /// - #MBEDTLS_PK_RSA whose underlying + /// #mbedtls_rsa_context has the padding mode + /// #MBEDTLS_RSA_PKCS_V15: + /// #PSA_ALG_RSA_PKCS1V15_SIGN(#PSA_ALG_ANY_HASH) + /// if \p usage is SIGN/VERIFY, and + /// #PSA_ALG_RSA_PKCS1V15_CRYPT + /// if \p usage is ENCRYPT/DECRYPT. + /// - #MBEDTLS_PK_RSA whose underlying + /// #mbedtls_rsa_context has the padding mode + /// #MBEDTLS_RSA_PKCS_V21 and the digest type + /// corresponding to the PSA algorithm \c hash: + /// #PSA_ALG_RSA_PSS_ANY_SALT(#PSA_ALG_ANY_HASH) + /// if \p usage is SIGN/VERIFY, and + /// #PSA_ALG_RSA_OAEP(\c hash) + /// if \p usage is ENCRYPT/DECRYPT. + /// - #MBEDTLS_PK_RSA_ALT: not supported. + /// - #MBEDTLS_PK_ECDSA or #MBEDTLS_PK_ECKEY + /// if \p usage is SIGN/VERIFY: + /// #PSA_ALG_DETERMINISTIC_ECDSA(#PSA_ALG_ANY_HASH) + /// if #MBEDTLS_ECDSA_DETERMINISTIC is enabled, + /// otherwise #PSA_ALG_ECDSA(#PSA_ALG_ANY_HASH). + /// - #MBEDTLS_PK_ECKEY_DH or #MBEDTLS_PK_ECKEY + /// if \p usage is DERIVE: + /// #PSA_ALG_ECDH. + /// - #MBEDTLS_PK_OPAQUE: same as the primary algorithm + /// set for the underlying PSA key, except that + /// sign/decrypt flags are removed if the type is + /// set to a public key type. + /// The underlying key must allow \p usage. + /// Note that the enrollment algorithm set with + /// psa_set_key_enrollment_algorithm() is not copied. + /// + /// \return 0 on success. + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + /// a key of the type identified in \p attributes. + /// Another error code on other failures. + pub fn mbedtls_pk_get_psa_attributes( + pk: *const mbedtls_pk_context, + usage: psa_key_usage_t, + attributes: *mut psa_key_attributes_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the cipher suite from given inputs. - /// - /// \param[in] inputs Operation inputs. - /// \param[out] cipher_suite Return buffer for role. + /// \brief Import a key into the PSA key store. + /// + /// This function is equivalent to calling psa_import_key() + /// with the key material from \p pk. + /// + /// The typical way to use this function is: + /// -# Call mbedtls_pk_get_psa_attributes() to obtain + /// attributes for the given key. + /// -# If desired, modify the attributes, for example: + /// - To create a persistent key, call + /// psa_set_key_identifier() and optionally + /// psa_set_key_lifetime(). + /// - To import only the public part of a key pair: + /// + /// psa_set_key_type(&attributes, + /// PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( + /// psa_get_key_type(&attributes))); + /// - Restrict the key usage if desired. + /// -# Call mbedtls_pk_import_into_psa(). + /// + /// \note This function does not support RSA-alt contexts + /// (set up with mbedtls_pk_setup_rsa_alt()). + /// + /// \param[in] pk The PK context to use. It must have been set up. + /// It can either contain a key pair or just a public key. + /// \param[in] attributes + /// The attributes to use for the new key. They must be + /// compatible with \p pk. In particular, the key type + /// must match the content of \p pk. + /// If \p pk contains a key pair, the key type in + /// attributes can be either the key pair type or the + /// corresponding public key type (to import only the + /// public part). + /// \param[out] key_id + /// On success, the identifier of the newly created key. + /// On error, this is #MBEDTLS_SVC_KEY_ID_INIT. + /// + /// \return 0 on success. + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + /// a key of the type identified in \p attributes. + /// Another error code on other failures. + pub fn mbedtls_pk_import_into_psa( + pk: *const mbedtls_pk_context, + attributes: *const psa_key_attributes_t, + key_id: *mut mbedtls_svc_key_id_t, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Create a PK context starting from a key stored in PSA. + /// This key: + /// - must be exportable and + /// - must be an RSA or EC key pair or public key (FFDH is not supported in PK). + /// + /// The resulting PK object will be a transparent type: + /// - #MBEDTLS_PK_RSA for RSA keys or + /// - #MBEDTLS_PK_ECKEY for EC keys. + /// + /// Once this functions returns the PK object will be completely + /// independent from the original PSA key that it was generated + /// from. + /// Calling mbedtls_pk_sign(), mbedtls_pk_verify(), + /// mbedtls_pk_encrypt(), mbedtls_pk_decrypt() on the resulting + /// PK context will perform the corresponding algorithm for that + /// PK context type. + /// * For ECDSA, the choice of deterministic vs randomized will + /// be based on the compile-time setting #MBEDTLS_ECDSA_DETERMINISTIC. + /// * For an RSA key, the output PK context will allow both + /// encrypt/decrypt and sign/verify regardless of the original + /// key's policy. + /// The original key's policy determines the output key's padding + /// mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS, + /// otherwise PKCS1 v1.5 is set. + /// + /// \param key_id The key identifier of the key stored in PSA. + /// \param pk The PK context that will be filled. It must be initialized, + /// but not set up. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Cipher_suite hasn't been set yet. - pub fn psa_crypto_driver_pake_get_cipher_suite( - inputs: *const psa_crypto_driver_pake_inputs_t, - cipher_suite: *mut psa_pake_cipher_suite_t, - ) -> psa_status_t; + /// \return 0 on success. + /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input + /// parameters are not correct. + pub fn mbedtls_pk_copy_from_psa( + key_id: mbedtls_svc_key_id_t, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the session information for a password-authenticated key exchange. + /// \brief Create a PK context for the public key of a PSA key. /// - /// The sequence of operations to set up a password-authenticated key exchange - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_pake_operation_t, e.g. - /// #PSA_PAKE_OPERATION_INIT. - /// -# Call psa_pake_setup() to specify the cipher suite. - /// -# Call \c psa_pake_set_xxx() functions on the operation to complete the - /// setup. The exact sequence of \c psa_pake_set_xxx() functions that needs - /// to be called depends on the algorithm in use. + /// The key must be an RSA or ECC key. It can be either a + /// public key or a key pair, and only the public key is copied. + /// The resulting PK object will be a transparent type: + /// - #MBEDTLS_PK_RSA for RSA keys or + /// - #MBEDTLS_PK_ECKEY for EC keys. /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// Once this functions returns the PK object will be completely + /// independent from the original PSA key that it was generated + /// from. + /// Calling mbedtls_pk_verify() or + /// mbedtls_pk_encrypt() on the resulting + /// PK context will perform the corresponding algorithm for that + /// PK context type. /// - /// A typical sequence of calls to perform a password-authenticated key - /// exchange: - /// -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the - /// key share that needs to be sent to the peer. - /// -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide - /// the key share that was received from the peer. - /// -# Depending on the algorithm additional calls to psa_pake_output() and - /// psa_pake_input() might be necessary. - /// -# Call psa_pake_get_implicit_key() for accessing the shared secret. + /// For an RSA key, the output PK context will allow both + /// encrypt and verify regardless of the original key's policy. + /// The original key's policy determines the output key's padding + /// mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS, + /// otherwise PKCS1 v1.5 is set. /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \param key_id The key identifier of the key stored in PSA. + /// \param pk The PK context that will be filled. It must be initialized, + /// but not set up. /// - /// If an error occurs at any step after a call to psa_pake_setup(), - /// the operation will need to be reset by a call to psa_pake_abort(). The - /// application may call psa_pake_abort() at any time after the operation - /// has been initialized. + /// \return 0 on success. + /// \return MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input + /// parameters are not correct. + pub fn mbedtls_pk_copy_public_from_psa( + key_id: mbedtls_svc_key_id_t, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Verify signature (including padding if relevant). /// - /// After a successful call to psa_pake_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A call to psa_pake_abort(). - /// - A successful call to psa_pake_get_implicit_key(). + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used. + /// This can be #MBEDTLS_MD_NONE if the signature algorithm + /// does not rely on a hash algorithm (non-deterministic + /// ECDSA, RSA PKCS#1 v1.5). + /// For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then + /// \p hash is the DigestInfo structure used by RFC 8017 + /// §9.2 steps 3–6. If \p md_alg is a valid hash + /// algorithm then \p hash is the digest itself, and this + /// function calculates the DigestInfo encoding internally. + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Signature to verify + /// \param sig_len Signature length /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized but not set up yet. - /// \param[in] cipher_suite The cipher suite to use. (A cipher suite fully - /// characterizes a PAKE algorithm and determines - /// the algorithm as well.) + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or PSS (accepting any salt length), + /// depending on the padding mode in the underlying RSA context. + /// For a pk object constructed by parsing, this is PKCS#1 v1.5 + /// by default. Use mbedtls_pk_verify_ext() to explicitly select + /// a different algorithm. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The algorithm in \p cipher_suite is not a PAKE algorithm, or the - /// PAKE primitive in \p cipher_suite is not compatible with the - /// PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid - /// or not compatible with the PAKE algorithm and primitive. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The algorithm in \p cipher_suite is not a supported PAKE algorithm, - /// or the PAKE primitive in \p cipher_suite is not supported or not - /// compatible with the PAKE algorithm, or the hash algorithm in - /// \p cipher_suite is not supported or not compatible with the PAKE - /// algorithm and primitive. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_setup( - operation: *mut psa_pake_operation_t, - cipher_suite: *const psa_pake_cipher_suite_t, - ) -> psa_status_t; + /// \return 0 on success (signature is valid), + /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig but its length is less than \p sig_len, + /// or a specific error code. + pub fn mbedtls_pk_verify( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the password for a password-authenticated key exchange from key ID. + /// \brief Restartable version of \c mbedtls_pk_verify() /// - /// Call this function when the password, or a value derived from the password, - /// is already present in the key store. + /// \note Performs the same job as \c mbedtls_pk_verify(), but can + /// return early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC + /// operations. For RSA, same as \c mbedtls_pk_verify(). /// - /// \param[in,out] operation The operation object to set the password for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the password hasn't - /// been set yet (psa_pake_set_password_key() - /// hasn't been called yet). - /// \param password Identifier of the key holding the password or a - /// value derived from the password (eg. by a - /// memory-hard function). It must remain valid - /// until the operation terminates. It must be of - /// type #PSA_KEY_TYPE_PASSWORD or - /// #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow - /// the usage #PSA_KEY_USAGE_DERIVE. + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length or 0 (see notes) + /// \param sig Signature to verify + /// \param sig_len Signature length + /// \param rs_ctx Restart context (NULL to disable restart) /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p password is not a valid key identifier. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not - /// permit the \p operation's algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or - /// #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with - /// the \p operation's cipher suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size of \p password is not supported with the - /// \p operation's cipher suite. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must have been set up.), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_password_key( - operation: *mut psa_pake_operation_t, - password: mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return See \c mbedtls_pk_verify(), or + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + pub fn mbedtls_pk_verify_restartable( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + rs_ctx: *mut mbedtls_pk_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Verify signature, with options. + /// (Includes verification of the padding depending on type.) + /// + /// \param type Signature type (inc. possible padding type) to verify + /// \param options Pointer to type-specific options, or NULL + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length or 0 (see notes) + /// \param sig Signature to verify + /// \param sig_len Signature length + /// + /// \return 0 on success (signature is valid), + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be + /// used for this type of signatures, + /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig but its length is less than \p sig_len, + /// or a specific error code. + /// + /// \note If hash_len is 0, then the length associated with md_alg + /// is used instead, or an error returned if it is invalid. + /// + /// \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0 + /// + /// \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point + /// to a mbedtls_pk_rsassa_pss_options structure, + /// otherwise it must be NULL. Note that if + /// #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not + /// verified as PSA_ALG_RSA_PSS_ANY_SALT is used. + pub fn mbedtls_pk_verify_ext( + type_: mbedtls_pk_type_t, + options: *const ::core::ffi::c_void, + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the user ID for a password-authenticated key exchange. + /// \brief Make signature, including padding if relevant. /// - /// Call this function to set the user ID. For PAKE algorithms that associate a - /// user identifier with each side of the session you need to call - /// psa_pake_set_peer() as well. For PAKE algorithms that associate a single - /// user identifier with the session, call psa_pake_set_user() only. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or PSS (using the largest possible salt + /// length up to the hash length), depending on the padding mode + /// in the underlying RSA context. For a pk object constructed + /// by parsing, this is PKCS#1 v1.5 by default. Use + /// mbedtls_pk_verify_ext() to explicitly select a different + /// algorithm. /// - /// \param[in,out] operation The operation object to set the user ID for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the user ID hasn't - /// been set (psa_pake_set_user() hasn't been - /// called yet). - /// \param[in] user_id The user ID to authenticate with. - /// (temporary limitation: "client" or "server" only) - /// \param user_id_len Size of the \p user_id buffer in bytes. + /// \return 0 on success, or a specific error code. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p user_id is not valid for the \p operation's algorithm and cipher - /// suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The value of \p user_id is not supported by the implementation. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_user( - operation: *mut psa_pake_operation_t, - user_id: *const u8, - user_id_len: usize, - ) -> psa_status_t; + /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. + /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. + pub fn mbedtls_pk_sign( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the peer ID for a password-authenticated key exchange. + /// \brief Make signature given a signature type. /// - /// Call this function in addition to psa_pake_set_user() for PAKE algorithms - /// that associate a user identifier with each side of the session. For PAKE - /// algorithms that associate a single user identifier with the session, call - /// psa_pake_set_user() only. + /// \param pk_type Signature type. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \return 0 on success, or a specific error code. /// - /// \param[in,out] operation The operation object to set the peer ID for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the peer ID hasn't - /// been set (psa_pake_set_peer() hasn't been - /// called yet). - /// \param[in] peer_id The peer's ID to authenticate. - /// (temporary limitation: "client" or "server" only) - /// \param peer_id_len Size of the \p peer_id buffer in bytes. + /// \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS, + /// see #PSA_ALG_RSA_PSS for a description of PSS options used. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p user_id is not valid for the \p operation's algorithm and cipher - /// suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The algorithm doesn't associate a second identity with the session. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// Calling psa_pake_set_peer() is invalid with the \p operation's - /// algorithm, the operation state is not valid, or the library has not - /// been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_peer( - operation: *mut psa_pake_operation_t, - peer_id: *const u8, - peer_id_len: usize, - ) -> psa_status_t; + /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. + /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. + pub fn mbedtls_pk_sign_ext( + pk_type: mbedtls_pk_type_t, + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the application role for a password-authenticated key exchange. + /// \brief Restartable version of \c mbedtls_pk_sign() /// - /// Not all PAKE algorithms need to differentiate the communicating entities. - /// It is optional to call this function for PAKEs that don't require a role - /// to be specified. For such PAKEs the application role parameter is ignored, - /// or #PSA_PAKE_ROLE_NONE can be passed as \c role. + /// \note Performs the same job as \c mbedtls_pk_sign(), but can + /// return early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC + /// operations. For RSA, same as \c mbedtls_pk_sign(). /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign()) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter + /// \param rs_ctx Restart context (NULL to disable restart) /// - /// \param[in,out] operation The operation object to specify the - /// application's role for. It must have been set up - /// by psa_pake_setup() and not yet in use (neither - /// psa_pake_output() nor psa_pake_input() has been - /// called yet). It must be on operation for which - /// the application's role hasn't been specified - /// (psa_pake_set_role() hasn't been called yet). - /// \param role A value of type ::psa_pake_role_t indicating the - /// application's role in the PAKE the algorithm - /// that is being set up. For more information see - /// the documentation of \c PSA_PAKE_ROLE_XXX - /// constants. + /// \return See \c mbedtls_pk_sign(). + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + pub fn mbedtls_pk_sign_restartable( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_pk_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Decrypt message (including padding if relevant). /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The \p role is not a valid PAKE role in the \p operation’s algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The \p role for this algorithm is not supported or is not valid. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_role( - operation: *mut psa_pake_operation_t, - role: psa_pake_role_t, - ) -> psa_status_t; + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param input Input to decrypt + /// \param ilen Input size + /// \param output Decrypted output + /// \param olen Decrypted message length + /// \param osize Size of the output buffer + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter + /// + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or OAEP, depending on the padding mode in + /// the underlying RSA context. For a pk object constructed by + /// parsing, this is PKCS#1 v1.5 by default. + /// + /// \return 0 on success, or a specific error code. + pub fn mbedtls_pk_decrypt( + ctx: *mut mbedtls_pk_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + osize: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get output for a step of a password-authenticated key exchange. + /// \brief Encrypt message (including padding if relevant). /// - /// Depending on the algorithm being executed, you might need to call this - /// function several times or you might not need to call this at all. + /// \param ctx The PK context to use. It must have been set up. + /// \param input Message to encrypt + /// \param ilen Message size + /// \param output Encrypted output + /// \param olen Encrypted output length + /// \param osize Size of the output buffer + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or OAEP, depending on the padding mode in + /// the underlying RSA context. For a pk object constructed by + /// parsing, this is PKCS#1 v1.5 by default. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_pake_abort(). + /// \note \p f_rng is used for padding generation. /// - /// \param[in,out] operation Active PAKE operation. - /// \param step The step of the algorithm for which the output is - /// requested. - /// \param[out] output Buffer where the output is to be written in the - /// format appropriate for this \p step. Refer to - /// the documentation of the individual - /// \c PSA_PAKE_STEP_XXX constants for more - /// information. - /// \param output_size Size of the \p output buffer in bytes. This must - /// be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \p - /// primitive, \p step) where \p alg and - /// \p primitive are the PAKE algorithm and primitive - /// in the operation's cipher suite, and \p step is - /// the output step. + /// \return 0 on success, or a specific error code. + pub fn mbedtls_pk_encrypt( + ctx: *mut mbedtls_pk_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + osize: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Check if a public-private pair of keys matches. /// - /// \param[out] output_length On success, the number of bytes of the returned - /// output. + /// \param pub Context holding a public key. + /// \param prv Context holding a private (and public) key. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p step is not compatible with the operation's algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p step is not supported with the operation's algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and fully set - /// up, and this call must conform to the algorithm's requirements - /// for ordering of input and output steps), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_output( - operation: *mut psa_pake_operation_t, - step: psa_pake_step_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success (keys were checked and match each other). + /// \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not + /// be checked - in that case they may or may not match. + /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid. + /// \return Another non-zero value if the keys do not match. + pub fn mbedtls_pk_check_pair( + pub_: *const mbedtls_pk_context, + prv: *const mbedtls_pk_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Provide input for a step of a password-authenticated key exchange. + /// \brief Export debug information /// - /// Depending on the algorithm being executed, you might need to call this - /// function several times or you might not need to call this at all. + /// \param ctx The PK context to use. It must have been initialized. + /// \param items Place to write debug items /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA + pub fn mbedtls_pk_debug( + ctx: *const mbedtls_pk_context, + items: *mut mbedtls_pk_debug_item, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Access the type name /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_pake_abort(). + /// \param ctx The PK context to use. It must have been initialized. /// - /// \param[in,out] operation Active PAKE operation. - /// \param step The step for which the input is provided. - /// \param[in] input Buffer containing the input in the format - /// appropriate for this \p step. Refer to the - /// documentation of the individual - /// \c PSA_PAKE_STEP_XXX constants for more - /// information. - /// \param input_length Size of the \p input buffer in bytes. + /// \return Type name on success, or "invalid PK" + pub fn mbedtls_pk_get_name(ctx: *const mbedtls_pk_context) -> *const ::core::ffi::c_char; +} +unsafe extern "C" { + /// \brief Get the key type /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p is not compatible with the \p operation’s algorithm, or the - /// \p input is not valid for the \p operation's algorithm, cipher suite - /// or \p step. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p step p is not supported with the \p operation's algorithm, or the - /// \p input is not supported for the \p operation's algorithm, cipher - /// suite or \p step. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and fully set - /// up, and this call must conform to the algorithm's requirements - /// for ordering of input and output steps), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_input( - operation: *mut psa_pake_operation_t, - step: psa_pake_step_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \param ctx The PK context to use. It must have been initialized. + /// + /// \return Type on success. + /// \return #MBEDTLS_PK_NONE for a context that has not been set up. + pub fn mbedtls_pk_get_type(ctx: *const mbedtls_pk_context) -> mbedtls_pk_type_t; } unsafe extern "C" { - /// Get implicitly confirmed shared secret from a PAKE. + /// \ingroup pk_module */ + ////** + /// \brief Parse a private key in PEM or DER format /// - /// At this point there is a cryptographic guarantee that only the authenticated - /// party who used the same password is able to compute the key. But there is no - /// guarantee that the peer is the party it claims to be and was able to do so. + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. /// - /// That is, the authentication is only implicit. Since the peer is not - /// authenticated yet, no action should be taken yet that assumes that the peer - /// is who it claims to be. For example, do not access restricted files on the - /// peer's behalf until an explicit authentication has succeeded. + /// \param ctx The PK context to fill. It must have been initialized + /// but not set up. + /// \param key Input buffer to parse. + /// The buffer must contain the input exactly, with no + /// extra trailing material. For PEM, the buffer must + /// contain a null-terminated string. + /// \param keylen Size of \b key in bytes. + /// For PEM data, this includes the terminating null byte, + /// so \p keylen must be equal to `strlen(key) + 1`. + /// \param pwd Optional password for decryption. + /// Pass \c NULL if expecting a non-encrypted key. + /// Pass a string of \p pwdlen bytes if expecting an encrypted + /// key; a non-encrypted key will also be accepted. + /// The empty password is not supported. + /// \param pwdlen Size of the password in bytes. + /// Ignored if \p pwd is \c NULL. + /// \param f_rng RNG function, must not be \c NULL. Used for blinding. + /// \param p_rng RNG parameter /// - /// This function can be called after the key exchange phase of the operation - /// has completed. It imports the shared secret output of the PAKE into the - /// provided derivation operation. The input step - /// #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key - /// material in the key derivation operation. + /// \note On entry, ctx must be empty, either freshly initialised + /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a + /// specific key type, check the result with mbedtls_pk_can_do(). /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \note The key is also checked for correctness. /// - /// When this function returns successfully, \p operation becomes inactive. - /// If this function returns an error status, both \p operation - /// and \p key_derivation operations enter an error state and must be aborted by - /// calling psa_pake_abort() and psa_key_derivation_abort() respectively. + /// \return 0 if successful, or a specific PK or PEM error code + pub fn mbedtls_pk_parse_key( + ctx: *mut mbedtls_pk_context, + key: *const ::core::ffi::c_uchar, + keylen: usize, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \ingroup pk_module */ + ////** + /// \brief Parse a public key in PEM or DER format /// - /// \param[in,out] operation Active PAKE operation. - /// \param[out] output A key derivation operation that is ready - /// for an input step of type - /// #PSA_KEY_DERIVATION_INPUT_SECRET. + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the - /// algorithm in the \p output key derivation operation. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// Input from a PAKE is not supported by the algorithm in the \p output - /// key derivation operation. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The PAKE operation state is not valid (it must be active, but beyond - /// that validity is specific to the algorithm), or - /// the library has not been previously initialized by psa_crypto_init(), - /// or the state of \p output is not valid for - /// the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the - /// step is out of order or the application has done this step already - /// and it may not be repeated. - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_get_implicit_key( - operation: *mut psa_pake_operation_t, - output: *mut psa_key_derivation_operation_t, - ) -> psa_status_t; + /// \param ctx The PK context to fill. It must have been initialized + /// but not set up. + /// \param key Input buffer to parse. + /// The buffer must contain the input exactly, with no + /// extra trailing material. For PEM, the buffer must + /// contain a null-terminated string. + /// \param keylen Size of \b key in bytes. + /// For PEM data, this includes the terminating null byte, + /// so \p keylen must be equal to `strlen(key) + 1`. + /// + /// \note On entry, ctx must be empty, either freshly initialised + /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a + /// specific key type, check the result with mbedtls_pk_can_do(). + /// + /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for + /// limitations. + /// + /// \note The key is also checked for correctness. + /// + /// \return 0 if successful, or a specific PK or PEM error code + pub fn mbedtls_pk_parse_public_key( + ctx: *mut mbedtls_pk_context, + key: *const ::core::ffi::c_uchar, + keylen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a PAKE operation. + /// \brief Write a private key to a PKCS#1 or SEC1 DER structure + /// Note: data is written at the end of the buffer! Use the + /// return value to determine where you should start + /// using the buffer /// - /// Aborting an operation frees all associated resources except for the \c - /// operation structure itself. Once aborted, the operation object can be reused - /// for another operation by calling psa_pake_setup() again. + /// \param ctx PK context which must contain a valid private key. + /// \param buf buffer to write to + /// \param size size of the buffer /// - /// This function may be called at any time after the operation - /// object has been initialized as described in #psa_pake_operation_t. + /// \return length of data written if successful, or a specific + /// error code + pub fn mbedtls_pk_write_key_der( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Write a public key to a SubjectPublicKeyInfo DER structure + /// Note: data is written at the end of the buffer! Use the + /// return value to determine where you should start + /// using the buffer /// - /// In particular, calling psa_pake_abort() after the operation has been - /// terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() - /// is safe and has no effect. + /// \param ctx PK context which must contain a valid public or private key. + /// \param buf buffer to write to + /// \param size size of the buffer /// - /// \param[in,out] operation The operation to abort. + /// \return length of data written if successful, or a specific + /// error code + pub fn mbedtls_pk_write_pubkey_der( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Write a public key to a PEM string /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_abort(operation: *mut psa_pake_operation_t) -> psa_status_t; + /// \param ctx PK context which must contain a valid public or private key. + /// \param buf Buffer to write to. The output includes a + /// terminating null byte. + /// \param size Size of the buffer in bytes. + /// + /// \return 0 if successful, or a specific error code + pub fn mbedtls_pk_write_pubkey_pem( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_pake_cipher_suite_s { - pub algorithm: psa_algorithm_t, - pub type_: psa_pake_primitive_type_t, - pub family: psa_pake_family_t, - pub bits: u16, - pub hash: psa_algorithm_t, +unsafe extern "C" { + /// \brief Write a private key to a PKCS#1 or SEC1 PEM string + /// + /// \param ctx PK context which must contain a valid private key. + /// \param buf Buffer to write to. The output includes a + /// terminating null byte. + /// \param size Size of the buffer in bytes. + /// + /// \return 0 if successful, or a specific error code + pub fn mbedtls_pk_write_key_pem( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_crypto_driver_pake_inputs_s { - pub private_password: *mut u8, - pub private_password_len: usize, - pub private_role: psa_pake_role_t, - pub private_user: *mut u8, - pub private_user_len: usize, - pub private_peer: *mut u8, - pub private_peer_len: usize, - pub private_attributes: psa_key_attributes_t, - pub private_cipher_suite: psa_pake_cipher_suite_t, +unsafe extern "C" { + /// \brief Parse a SubjectPublicKeyInfo DER structure + /// + /// \param p the position in the ASN.1 data + /// \param end end of the buffer + /// \param pk The PK context to fill. It must have been initialized + /// but not set up. + /// + /// \return 0 if successful, or a specific PK error code + pub fn mbedtls_pk_parse_subpubkey( + p: *mut *mut ::core::ffi::c_uchar, + end: *const ::core::ffi::c_uchar, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; } -impl Default for psa_crypto_driver_pake_inputs_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Write a subjectPublicKey to ASN.1 data + /// Note: function works backwards in data buffer + /// + /// \param p reference to current position pointer + /// \param start start of the buffer (for bounds-checking) + /// \param key PK context which must contain a valid public or private key. + /// + /// \return the length written or a negative error code + pub fn mbedtls_pk_write_pubkey( + p: *mut *mut ::core::ffi::c_uchar, + start: *mut ::core::ffi::c_uchar, + key: *const mbedtls_pk_context, + ) -> ::core::ffi::c_int; } -pub const psa_jpake_step_PSA_PAKE_STEP_INVALID: psa_jpake_step = 0; -pub const psa_jpake_step_PSA_PAKE_STEP_X1_X2: psa_jpake_step = 1; -pub const psa_jpake_step_PSA_PAKE_STEP_X2S: psa_jpake_step = 2; -pub const psa_jpake_step_PSA_PAKE_STEP_DERIVE: psa_jpake_step = 3; -pub type psa_jpake_step = ::core::ffi::c_uint; -pub use self::psa_jpake_step as psa_jpake_step_t; -pub const psa_jpake_state_PSA_PAKE_STATE_INVALID: psa_jpake_state = 0; -pub const psa_jpake_state_PSA_PAKE_STATE_SETUP: psa_jpake_state = 1; -pub const psa_jpake_state_PSA_PAKE_STATE_READY: psa_jpake_state = 2; -pub const psa_jpake_state_PSA_PAKE_OUTPUT_X1_X2: psa_jpake_state = 3; -pub const psa_jpake_state_PSA_PAKE_OUTPUT_X2S: psa_jpake_state = 4; -pub const psa_jpake_state_PSA_PAKE_INPUT_X1_X2: psa_jpake_state = 5; -pub const psa_jpake_state_PSA_PAKE_INPUT_X4S: psa_jpake_state = 6; -pub type psa_jpake_state = ::core::ffi::c_uint; -pub use self::psa_jpake_state as psa_jpake_state_t; -pub const psa_jpake_sequence_PSA_PAKE_SEQ_INVALID: psa_jpake_sequence = 0; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_KEY_SHARE: psa_jpake_sequence = 1; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_ZK_PUBLIC: psa_jpake_sequence = 2; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_ZK_PROOF: psa_jpake_sequence = 3; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_KEY_SHARE: psa_jpake_sequence = 4; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_ZK_PUBLIC: psa_jpake_sequence = 5; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_ZK_PROOF: psa_jpake_sequence = 6; -pub const psa_jpake_sequence_PSA_PAKE_SEQ_END: psa_jpake_sequence = 7; -pub type psa_jpake_sequence = ::core::ffi::c_uint; -pub use self::psa_jpake_sequence as psa_jpake_sequence_t; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_STEP_INVALID: psa_crypto_driver_pake_step = 0; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 1; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 2; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 3; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 4; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 5; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 6; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 7; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 8; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 9; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_NONE: mbedtls_key_exchange_type_t = 0; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA: mbedtls_key_exchange_type_t = 1; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_RSA: mbedtls_key_exchange_type_t = 2; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: mbedtls_key_exchange_type_t = + 3; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + mbedtls_key_exchange_type_t = 4; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_PSK: mbedtls_key_exchange_type_t = 5; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_PSK: mbedtls_key_exchange_type_t = 6; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA_PSK: mbedtls_key_exchange_type_t = 7; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: mbedtls_key_exchange_type_t = + 8; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_RSA: mbedtls_key_exchange_type_t = + 9; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: mbedtls_key_exchange_type_t = 10; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECJPAKE: mbedtls_key_exchange_type_t = 11; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 12; -pub type psa_crypto_driver_pake_step = ::core::ffi::c_uint; -pub use self::psa_crypto_driver_pake_step as psa_crypto_driver_pake_step_t; -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_jpake_computation_stage_s { - pub private_state: psa_jpake_state_t, - pub private_sequence: psa_jpake_sequence_t, - pub private_input_step: psa_jpake_step_t, - pub private_output_step: psa_jpake_step_t, -} -impl Default for psa_jpake_computation_stage_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_pake_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_alg: psa_algorithm_t, - pub private_stage: u8, - pub private_computation_stage: psa_pake_operation_s__bindgen_ty_1, - pub private_data: psa_pake_operation_s__bindgen_ty_2, -} +pub type mbedtls_key_exchange_type_t = ::core::ffi::c_uint; +/// \brief This structure is used for storing ciphersuite information +/// +/// \note members are defined using integral types instead of enums +/// in order to pack structure and reduce memory usage by internal +/// \c ciphersuite_definitions[] #[repr(C)] #[derive(Copy, Clone)] -pub union psa_pake_operation_s__bindgen_ty_1 { - pub private_dummy: u8, - pub private_jpake: psa_jpake_computation_stage_t, +pub struct mbedtls_ssl_ciphersuite_t { + pub private_id: ::core::ffi::c_int, + pub private_name: *const ::core::ffi::c_char, + pub private_cipher: u8, + pub private_mac: u8, + pub private_key_exchange: u8, + pub private_flags: u8, + pub private_min_tls_version: u16, + pub private_max_tls_version: u16, } -impl Default for psa_pake_operation_s__bindgen_ty_1 { +impl Default for mbedtls_ssl_ciphersuite_t { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -18651,29 +19851,23 @@ impl Default for psa_pake_operation_s__bindgen_ty_1 { } } } -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_pake_operation_s__bindgen_ty_2 { - pub private_ctx: psa_driver_pake_context_t, - pub private_inputs: psa_crypto_driver_pake_inputs_t, +unsafe extern "C" { + pub fn mbedtls_ssl_list_ciphersuites() -> *const ::core::ffi::c_int; } -impl Default for psa_pake_operation_s__bindgen_ty_2 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_from_string( + ciphersuite_name: *const ::core::ffi::c_char, + ) -> *const mbedtls_ssl_ciphersuite_t; } -impl Default for psa_pake_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_from_id( + ciphersuite_id: ::core::ffi::c_int, + ) -> *const mbedtls_ssl_ciphersuite_t; +} +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( + info: *const mbedtls_ssl_ciphersuite_t, + ) -> usize; } /// Type-length-value structure that allows for ASN1 using DER. pub type mbedtls_x509_buf = mbedtls_asn1_buf; @@ -18684,6 +19878,23 @@ pub type mbedtls_x509_bitstring = mbedtls_asn1_bitstring; pub type mbedtls_x509_name = mbedtls_asn1_named_data; /// Container for a sequence of ASN.1 items pub type mbedtls_x509_sequence = mbedtls_asn1_sequence; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_x509_authority { + pub keyIdentifier: mbedtls_x509_buf, + pub authorityCertIssuer: mbedtls_x509_sequence, + pub authorityCertSerialNumber: mbedtls_x509_buf, + pub raw: mbedtls_x509_buf, +} +impl Default for mbedtls_x509_authority { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} /// Container for date and time (precision in seconds). #[repr(C)] #[derive(Default, Copy, Clone)] @@ -18775,9 +19986,9 @@ pub struct mbedtls_x509_subject_alternative_name { #[repr(C)] #[derive(Copy, Clone)] pub union mbedtls_x509_subject_alternative_name__bindgen_ty_1 { - ///< The otherName supported type. pub other_name: mbedtls_x509_san_other_name, - ///< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported + pub directory_name: mbedtls_x509_name, + ///< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. pub unstructured_name: mbedtls_x509_buf, } impl Default for mbedtls_x509_subject_alternative_name__bindgen_ty_1 { @@ -18798,6 +20009,21 @@ impl Default for mbedtls_x509_subject_alternative_name { } } } +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_x509_san_list { + pub node: mbedtls_x509_subject_alternative_name, + pub next: *mut mbedtls_x509_san_list, +} +impl Default for mbedtls_x509_san_list { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} unsafe extern "C" { /// \brief Store the certificate DN in printable form into buf; /// no more than size characters will be written. @@ -18814,6 +20040,26 @@ unsafe extern "C" { dn: *const mbedtls_x509_name, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Convert the certificate DN string \p name into + /// a linked list of mbedtls_x509_name (equivalent to + /// mbedtls_asn1_named_data). + /// + /// \note This function allocates a linked list, and places the head + /// pointer in \p head. This list must later be freed by a + /// call to mbedtls_asn1_free_named_data_list(). + /// + /// \param[out] head Address in which to store the pointer to the head of the + /// allocated list of mbedtls_x509_name. Must point to NULL on + /// entry. + /// \param[in] name The string representation of a DN to convert + /// + /// \return 0 on success, or a negative error code. + pub fn mbedtls_x509_string_to_names( + head: *mut *mut mbedtls_asn1_named_data, + name: *const ::core::ffi::c_char, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Store the certificate serial in printable form into buf; /// no more than size characters will be written. @@ -18830,6 +20076,20 @@ unsafe extern "C" { serial: *const mbedtls_x509_buf, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Compare pair of mbedtls_x509_time. + /// + /// \param t1 mbedtls_x509_time to compare + /// \param t2 mbedtls_x509_time to compare + /// + /// \return < 0 if t1 is before t2 + /// 0 if t1 equals t2 + /// > 0 if t1 is after t2 + pub fn mbedtls_x509_time_cmp( + t1: *const mbedtls_x509_time, + t2: *const mbedtls_x509_time, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Check a given mbedtls_x509_time against the system time /// and tell if it's in the past. @@ -18858,21 +20118,25 @@ unsafe extern "C" { } unsafe extern "C" { /// \brief This function parses an item in the SubjectAlternativeNames - /// extension. + /// extension. Please note that this function might allocate + /// additional memory for a subject alternative name, thus + /// mbedtls_x509_free_subject_alt_name has to be called + /// to dispose of this additional memory afterwards. /// /// \param san_buf The buffer holding the raw data item of the subject /// alternative name. /// \param san The target structure to populate with the parsed presentation - /// of the subject alternative name encoded in \p san_raw. + /// of the subject alternative name encoded in \p san_buf. /// /// \note Supported GeneralName types, as defined in RFC 5280: - /// "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name" + /// "rfc822Name", "dnsName", "directoryName", + /// "uniformResourceIdentifier" and "hardware_module_name" /// of type "otherName", as defined in RFC 4108. /// /// \note This function should be called on a single raw data of /// subject alternative name. For example, after successful /// certificate parsing, one must iterate on every item in the - /// \p crt->subject_alt_names sequence, and pass it to + /// \c crt->subject_alt_names sequence, and pass it to /// this function. /// /// \warning The target structure contains pointers to the raw data of the @@ -18889,173 +20153,29 @@ unsafe extern "C" { ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \} addtogroup x509_module - pub fn mbedtls_x509_get_name( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - cur: *mut mbedtls_x509_name, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_alg_null( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - alg: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_alg( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - alg: *mut mbedtls_x509_buf, - params: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_rsassa_pss_params( - params: *const mbedtls_x509_buf, - md_alg: *mut mbedtls_md_type_t, - mgf_md: *mut mbedtls_md_type_t, - salt_len: *mut ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_sig( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - sig: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_sig_alg( - sig_oid: *const mbedtls_x509_buf, - sig_params: *const mbedtls_x509_buf, - md_alg: *mut mbedtls_md_type_t, - pk_alg: *mut mbedtls_pk_type_t, - sig_opts: *mut *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_time( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - t: *mut mbedtls_x509_time, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_serial( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - serial: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_ext( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - ext: *mut mbedtls_x509_buf, - tag: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_sig_alg_gets( - buf: *mut ::core::ffi::c_char, - size: usize, - sig_oid: *const mbedtls_x509_buf, - pk_alg: mbedtls_pk_type_t, - md_alg: mbedtls_md_type_t, - sig_opts: *const ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_key_size_helper( - buf: *mut ::core::ffi::c_char, - buf_size: usize, - name: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_string_to_names( - head: *mut *mut mbedtls_asn1_named_data, - name: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_set_extension( - head: *mut *mut mbedtls_asn1_named_data, - oid: *const ::core::ffi::c_char, - oid_len: usize, - critical: ::core::ffi::c_int, - val: *const ::core::ffi::c_uchar, - val_len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_extensions( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - first: *mut mbedtls_asn1_named_data, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_names( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - first: *mut mbedtls_asn1_named_data, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_sig( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - oid: *const ::core::ffi::c_char, - oid_len: usize, - sig: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_ns_cert_type( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - ns_cert_type: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_key_usage( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - key_usage: *mut ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_subject_alt_name( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - subject_alt_name: *mut mbedtls_x509_sequence, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_info_subject_alt_name( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - subject_alt_name: *const mbedtls_x509_sequence, - prefix: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_info_cert_type( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - ns_cert_type: ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \brief Unallocate all data related to subject alternative name + /// + /// \param san SAN structure - extra memory owned by this structure will be freed + pub fn mbedtls_x509_free_subject_alt_name(san: *mut mbedtls_x509_subject_alternative_name); } unsafe extern "C" { - pub fn mbedtls_x509_info_key_usage( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - key_usage: ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; + /// \brief This function parses a CN string as an IP address. + /// + /// \param cn The CN string to parse. CN string MUST be null-terminated. + /// \param dst The target buffer to populate with the binary IP address. + /// The buffer MUST be 16 bytes to save IPv6, and should be + /// 4-byte aligned if the result will be used as struct in_addr. + /// e.g. uint32_t dst[4] + /// + /// \note \p cn is parsed as an IPv6 address if string contains ':', + /// else \p cn is parsed as an IPv4 address. + /// + /// \return Length of binary IP address; num bytes written to target. + /// \return \c 0 on failure to parse CN string as an IP address. + pub fn mbedtls_x509_crt_parse_cn_inet_pton( + cn: *const ::core::ffi::c_char, + dst: *mut ::core::ffi::c_void, + ) -> usize; } /// Certificate revocation list entry. /// Contains the CA-specific serial numbers and revocation dates. @@ -19247,8 +20367,12 @@ pub struct mbedtls_x509_crt { pub subject_id: mbedtls_x509_buf, ///< Optional X.509 v3 extensions. pub v3_ext: mbedtls_x509_buf, - ///< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier and OtherName are listed). + ///< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. pub subject_alt_names: mbedtls_x509_sequence, + ///< Optional X.509 v3 extension subject key identifier. + pub subject_key_id: mbedtls_x509_buf, + ///< Optional X.509 v3 extension authority key identifier. + pub authority_key_id: mbedtls_x509_authority, ///< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). pub certificate_policies: mbedtls_x509_sequence, ///< Bit string containing detected and parsed extensions @@ -19347,6 +20471,22 @@ impl Default for mbedtls_x509write_cert { } } } +unsafe extern "C" { + /// \brief Set Subject Alternative Name + /// + /// \param ctx Certificate context to use + /// \param san_list List of SAN values + /// + /// \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + /// + /// \note "dnsName", "uniformResourceIdentifier", "IP address", + /// "otherName", and "DirectoryName", as defined in RFC 5280, + /// are supported. + pub fn mbedtls_x509write_crt_set_subject_alternative_name( + ctx: *mut mbedtls_x509write_cert, + san_list: *const mbedtls_x509_san_list, + ) -> ::core::ffi::c_int; +} /// Item in a verification chain: cert and flags for it #[repr(C)] #[derive(Copy, Clone)] @@ -19685,8 +20825,12 @@ unsafe extern "C" { /// \param cn The expected Common Name. This will be checked to be /// present in the certificate's subjectAltNames extension or, /// if this extension is absent, as a CN component in its - /// Subject name. Currently only DNS names are supported. This - /// may be \c NULL if the CN need not be verified. + /// Subject name. DNS names and IP addresses are fully + /// supported, while the URI subtype is partially supported: + /// only exact matching, without any normalization procedures + /// described in 7.4 of RFC5280, will result in a positive + /// URI verification. + /// This may be \c NULL if the CN need not be verified. /// \param flags The address at which to store the result of the verification. /// If the verification couldn't be completed, the flag value is /// set to (uint32_t) -1. @@ -19917,6 +21061,16 @@ unsafe extern "C" { /// \param crt Certificate chain to free pub fn mbedtls_x509_crt_free(crt: *mut mbedtls_x509_crt); } +unsafe extern "C" { + /// \brief Access the ca_istrue field + /// + /// \param[in] crt Certificate to be queried, must not be \c NULL + /// + /// \return \c 1 if this a CA certificate \c 0 otherwise. + /// \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not contain + /// the Optional Basic Constraint extension. + pub fn mbedtls_x509_crt_get_ca_istrue(crt: *const mbedtls_x509_crt) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Initialize a CRT writing context /// @@ -19997,7 +21151,7 @@ unsafe extern "C" { /// \brief Set the issuer name for a Certificate /// Issuer names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS CA" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS CA" /// /// \param ctx CRT context to use /// \param issuer_name issuer name to set @@ -20013,7 +21167,7 @@ unsafe extern "C" { /// \brief Set the subject name for a Certificate /// Subject names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1" /// /// \param ctx CRT context to use /// \param subject_name subject name to set @@ -20183,13 +21337,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_cert, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20209,13 +21357,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_cert, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20336,13 +21478,7 @@ unsafe extern "C" { x_size: ::core::ffi::c_int, output: *mut ::core::ffi::c_uchar, olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20415,13 +21551,7 @@ unsafe extern "C" { x_size: ::core::ffi::c_int, output: *mut ::core::ffi::c_uchar, olen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20455,13 +21585,7 @@ unsafe extern "C" { output: *mut ::core::ffi::c_uchar, output_size: usize, olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20492,7 +21616,7 @@ unsafe extern "C" { /// initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p field is invalid. + /// \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p param is invalid. /// \return An \c MBEDTLS_ERR_MPI_XXX error code if the copy fails. pub fn mbedtls_dhm_get_value( ctx: *const mbedtls_dhm_context, @@ -20620,6 +21744,18 @@ impl Default for mbedtls_ecdh_context { } } } +unsafe extern "C" { + /// \brief Return the ECP group for provided context. + /// + /// \note To access group specific fields, users should use + /// `mbedtls_ecp_curve_info_from_grp_id` or + /// `mbedtls_ecp_group_load` on the extracted `group_id`. + /// + /// \param ctx The ECDH context to parse. This must not be \c NULL. + /// + /// \return The \c mbedtls_ecp_group_id of the context. + pub fn mbedtls_ecdh_get_grp_id(ctx: *mut mbedtls_ecdh_context) -> mbedtls_ecp_group_id; +} unsafe extern "C" { /// \brief Check whether a given group can be used for ECDH. /// @@ -20656,13 +21792,7 @@ unsafe extern "C" { grp: *mut mbedtls_ecp_group, d: *mut mbedtls_mpi, Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20701,13 +21831,7 @@ unsafe extern "C" { z: *mut mbedtls_mpi, Q: *const mbedtls_ecp_point, d: *const mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20774,13 +21898,7 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20816,7 +21934,7 @@ unsafe extern "C" { /// \brief This function sets up an ECDH context from an EC key. /// /// It is used by clients and servers in place of the - /// ServerKeyEchange for static ECDH, and imports ECDH + /// ServerKeyExchange for static ECDH, and imports ECDH /// parameters from the EC key information of a certificate. /// /// \see ecp.h @@ -20865,13 +21983,7 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20932,19 +22044,14 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } #[repr(C)] #[derive(Copy, Clone)] pub union mbedtls_ssl_premaster_secret { + pub dummy: ::core::ffi::c_uchar, pub _pms_rsa: [::core::ffi::c_uchar; 48usize], pub _pms_dhm: [::core::ffi::c_uchar; 1024usize], pub _pms_ecdh: [::core::ffi::c_uchar; 66usize], @@ -21216,6 +22323,8 @@ pub struct mbedtls_ssl_session { ///< MaxFragmentLength negotiated by peer pub private_mfl_code: ::core::ffi::c_uchar, pub private_exported: ::core::ffi::c_uchar, + ///< 0: client, 1: server + pub private_endpoint: u8, /// TLS version negotiated in the session. Used if and when renegotiating /// or resuming a session instead of the configured minor TLS version. pub private_tls_version: mbedtls_ssl_protocol_version, @@ -21234,15 +22343,13 @@ pub struct mbedtls_ssl_session { ///< RFC 5077 session ticket pub private_ticket: *mut ::core::ffi::c_uchar, ///< session ticket length - pub private_ticket_len: usize, - ///< ticket lifetime hint - pub private_ticket_lifetime: u32, - ///< 0: client, 1: server - pub private_endpoint: u8, - ///< Ticket flags - pub private_ticket_flags: u8, + pub private_ticket_len: usize, + ///< ticket lifetime hint + pub private_ticket_lifetime: u32, ///< Randomly generated value used to obscure the age of the ticket pub private_ticket_age_add: u32, + ///< Ticket flags + pub private_ticket_flags: u8, ///< resumption_key length pub private_resumption_key_len: u8, pub private_resumption_key: [::core::ffi::c_uchar; 48usize], @@ -21581,22 +22688,30 @@ pub struct mbedtls_ssl_context { ///number of retransmissions of request if ///renego_max_records is < 0 pub private_renego_records_seen: ::core::ffi::c_int, - /// Server: Negotiated TLS protocol version. - /// Client: Maximum TLS version to be negotiated, then negotiated TLS - /// version. - /// - /// It is initialized as the maximum TLS version to be negotiated in the - /// ClientHello writing preparation stage and used throughout the - /// ClientHello writing. For a fresh handshake not linked to any previous - /// handshake, it is initialized to the configured maximum TLS version - /// to be negotiated. When renegotiating or resuming a session, it is - /// initialized to the previously negotiated TLS version. - /// - /// Updated to the negotiated TLS version as soon as the ServerHello is - /// received. + /// Maximum TLS version to be negotiated, then negotiated TLS version. + /// + /// It is initialized as the configured maximum TLS version to be + /// negotiated by mbedtls_ssl_setup(). + /// + /// When renegotiating or resuming a session, it is overwritten in the + /// ClientHello writing preparation stage with the previously negotiated + /// TLS version. + /// + /// On client side, it is updated to the TLS version selected by the server + /// for the handshake when the ServerHello is received. + /// + /// On server side, it is updated to the TLS version the server selects for + /// the handshake when the ClientHello is received. pub private_tls_version: mbedtls_ssl_protocol_version, - ///< records with a bad MAC received - pub private_badmac_seen: ::core::ffi::c_uint, + /// Multipurpose field. + /// + /// - DTLS: records with a bad MAC received. + /// - TLS: accumulated length of handshake fragments (up to \c in_hslen). + /// + /// This field is multipurpose in order to preserve the ABI in the + /// Mbed TLS 3.6 LTS branch. Until 3.6.2, it was only used in DTLS + /// and called `badmac_seen`. + pub private_badmac_seen_or_in_hsfraglen: ::core::ffi::c_uint, /// Callback to customize X.509 certificate chain verification pub private_f_vrfy: ::core::option::Option< unsafe extern "C" fn( @@ -21733,8 +22848,33 @@ pub struct mbedtls_ssl_context { pub private_cur_out_ctr: [::core::ffi::c_uchar; 8usize], ///< path mtu, used to fragment outgoing messages pub private_mtu: u16, - ///< expected peer CN for verification - ///(and SNI if available) + /// Expected peer CN for verification. + /// + /// Also used on clients for SNI, + /// and for TLS 1.3 session resumption using tickets. + /// + /// The value of this field can be: + /// - \p NULL in a newly initialized or reset context. + /// - A heap-allocated copy of the last value passed to + /// mbedtls_ssl_set_hostname(), if the last call had a non-null + /// \p hostname argument. + /// - A special value to indicate that mbedtls_ssl_set_hostname() + /// was called with \p NULL (as opposed to never having been called). + /// See `mbedtls_ssl_get_hostname_pointer()` in `ssl_tls.c`. + /// + /// If this field contains the value \p NULL and the configuration option + /// #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// is unset, on a TLS client, attempting to verify a server certificate + /// results in the error + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME. + /// + /// If this field contains the special value described above, or if + /// the value is \p NULL and the configuration option + /// #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// is set, then the peer name verification is skipped, which may be + /// insecure, especially on a client. Furthermore, on a client, the + /// server_name extension is not sent, and the server name is ignored + /// in TLS 1.3 session resumption using tickets. pub private_hostname: *mut ::core::ffi::c_char, ///< negotiated protocol pub private_alpn_chosen: *const ::core::ffi::c_char, @@ -21830,6 +22970,14 @@ unsafe extern "C" { /// Calling mbedtls_ssl_setup again is not supported, even /// if no session is active. /// + /// \warning After setting up a client context, if certificate-based + /// authentication is enabled, you should call + /// mbedtls_ssl_set_hostname() to specifiy the expected + /// name of the server. Without this, in most scenarios, + /// the TLS connection is insecure. See + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// for more information. + /// /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling /// psa_crypto_init() before calling this function. @@ -21933,18 +23081,16 @@ unsafe extern "C" { unsafe extern "C" { /// \brief Set the random number generator callback /// + /// \note The callback with its parameter must remain valid as + /// long as there is an SSL context that uses the + /// SSL configuration. + /// /// \param conf SSL configuration /// \param f_rng RNG function (mandatory) /// \param p_rng RNG parameter pub fn mbedtls_ssl_conf_rng( conf: *mut mbedtls_ssl_config, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ); } @@ -22047,10 +23193,10 @@ unsafe extern "C" { /// \param own_cid The address of the readable buffer holding the CID we want /// the peer to use when sending encrypted messages to us. /// This may be \c NULL if \p own_cid_len is \c 0. - /// This parameter is unused if \p enabled is set to + /// This parameter is unused if \p enable is set to /// MBEDTLS_SSL_CID_DISABLED. /// \param own_cid_len The length of \p own_cid. - /// This parameter is unused if \p enabled is set to + /// This parameter is unused if \p enable is set to /// MBEDTLS_SSL_CID_DISABLED. /// /// \note The value of \p own_cid_len must match the value of the @@ -22705,16 +23851,16 @@ unsafe extern "C" { /// a full handshake. /// /// \note This function can handle a variety of mechanisms for session - /// resumption: For TLS 1.2, both session ID-based resumption and - /// ticket-based resumption will be considered. For TLS 1.3, - /// once implemented, sessions equate to tickets, and loading - /// one or more sessions via this call will lead to their - /// corresponding tickets being advertised as resumption PSKs - /// by the client. - /// - /// \note Calling this function multiple times will only be useful - /// once TLS 1.3 is supported. For TLS 1.2 connections, this - /// function should be called at most once. + /// resumption: For TLS 1.2, both session ID-based resumption + /// and ticket-based resumption will be considered. For TLS 1.3, + /// sessions equate to tickets, and loading one session by + /// calling this function will lead to its corresponding ticket + /// being advertised as resumption PSK by the client. This + /// depends on session tickets being enabled (see + /// #MBEDTLS_SSL_SESSION_TICKETS configuration option) though. + /// If session tickets are disabled, a call to this function + /// with a TLS 1.3 session, will not have any effect on the next + /// handshake for the SSL context \p ssl. /// /// \param ssl The SSL context representing the connection which should /// be attempted to be setup using session resumption. This @@ -22729,9 +23875,10 @@ unsafe extern "C" { /// /// \return \c 0 if successful. /// \return \c MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the session - /// could not be loaded because of an implementation limitation. - /// This error is non-fatal, and has no observable effect on - /// the SSL context or the session that was attempted to be loaded. + /// could not be loaded because one session has already been + /// loaded. This error is non-fatal, and has no observable + /// effect on the SSL context or the session that was attempted + /// to be loaded. /// \return Another negative error code on other kinds of failure. /// /// \sa mbedtls_ssl_get_session() @@ -22789,8 +23936,8 @@ unsafe extern "C" { /// /// \param session The session structure to be saved. /// \param buf The buffer to write the serialized data to. It must be a - /// writeable buffer of at least \p len bytes, or may be \c - /// NULL if \p len is \c 0. + /// writeable buffer of at least \p buf_len bytes, or may be \c + /// NULL if \p buf_len is \c 0. /// \param buf_len The number of bytes available for writing in \p buf. /// \param olen The size in bytes of the data that has been or would have /// been written. It must point to a valid \c size_t. @@ -22800,8 +23947,16 @@ unsafe extern "C" { /// to determine the necessary size by calling this function /// with \p buf set to \c NULL and \p buf_len to \c 0. /// + /// \note For TLS 1.3 sessions, this feature is supported only if the + /// MBEDTLS_SSL_SESSION_TICKETS configuration option is enabled, + /// as in TLS 1.3 session resumption is possible only with + /// tickets. + /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. + /// \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the + /// MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled + /// and the session is a TLS 1.3 session. pub fn mbedtls_ssl_session_save( session: *const mbedtls_ssl_session, buf: *mut ::core::ffi::c_uchar, @@ -22927,7 +24082,7 @@ unsafe extern "C" { /// record headers. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len + /// \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p len /// is too large. pub fn mbedtls_ssl_conf_cid( conf: *mut mbedtls_ssl_config, @@ -23254,6 +24409,8 @@ unsafe extern "C" { /// used for certificate signature are controlled by the /// verification profile, see \c mbedtls_ssl_conf_cert_profile(). /// + /// \deprecated Superseded by mbedtls_ssl_conf_sig_algs(). + /// /// \note This list should be ordered by decreasing preference /// (preferred hash first). /// @@ -23278,27 +24435,43 @@ unsafe extern "C" { ); } unsafe extern "C" { - /// \brief Configure allowed signature algorithms for use in TLS 1.3 + /// \brief Configure allowed signature algorithms for use in TLS /// /// \param conf The SSL configuration to use. /// \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms, - /// terminated by \c MBEDTLS_TLS1_3_SIG_NONE. The list must remain - /// available throughout the lifetime of the conf object. Supported - /// values are available as \c MBEDTLS_TLS1_3_SIG_XXXX + /// terminated by #MBEDTLS_TLS1_3_SIG_NONE. The list must remain + /// available throughout the lifetime of the conf object. + /// - For TLS 1.3, values of \c MBEDTLS_TLS1_3_SIG_XXXX should be + /// used. + /// - For TLS 1.2, values should be given as + /// "(HashAlgorithm << 8) | SignatureAlgorithm". pub fn mbedtls_ssl_conf_sig_algs(conf: *mut mbedtls_ssl_config, sig_algs: *const u16); } unsafe extern "C" { /// \brief Set or reset the hostname to check against the received - /// server certificate. It sets the ServerName TLS extension, - /// too, if that extension is enabled. (client-side only) + /// peer certificate. On a client, this also sets the + /// ServerName TLS extension, if that extension is enabled. + /// On a TLS 1.3 client, this also sets the server name in + /// the session resumption ticket, if that feature is enabled. /// /// \param ssl SSL context - /// \param hostname the server hostname, may be NULL to clear hostname - /// - /// \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN. - /// - /// \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on - /// allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on + /// \param hostname The server hostname. This may be \c NULL to clear + /// the hostname. + /// + /// \note Maximum hostname length #MBEDTLS_SSL_MAX_HOST_NAME_LEN. + /// + /// \note If the hostname is \c NULL on a client, then the server + /// is not authenticated: it only needs to have a valid + /// certificate, not a certificate matching its name. + /// Therefore you should always call this function on a client, + /// unless the connection is set up to only allow + /// pre-shared keys, or in scenarios where server + /// impersonation is not a concern. See the documentation of + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// for more details. + /// + /// \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on + /// allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on /// too long input hostname. /// /// Hostname set to the one provided on success (cleared @@ -23311,8 +24484,8 @@ unsafe extern "C" { } unsafe extern "C" { /// \brief Retrieve SNI extension value for the current handshake. - /// Available in \p f_cert_cb of \c mbedtls_ssl_conf_cert_cb(), - /// this is the same value passed to \p f_sni callback of + /// Available in \c f_cert_cb of \c mbedtls_ssl_conf_cert_cb(), + /// this is the same value passed to \c f_sni callback of /// \c mbedtls_ssl_conf_sni() and may be used instead of /// \c mbedtls_ssl_conf_sni(). /// @@ -23321,10 +24494,10 @@ unsafe extern "C" { /// 0 if SNI extension is not present or not yet processed. /// /// \return const pointer to SNI extension value. - /// - value is valid only when called in \p f_cert_cb + /// - value is valid only when called in \c f_cert_cb /// registered with \c mbedtls_ssl_conf_cert_cb(). /// - value is NULL if SNI extension is not present. - /// - value is not '\0'-terminated. Use \c name_len for len. + /// - value is not '\0'-terminated. Use \c name_len for len. /// - value must not be freed. pub fn mbedtls_ssl_get_hs_sni( ssl: *mut mbedtls_ssl_context, @@ -23574,6 +24747,10 @@ unsafe extern "C" { /// with \c mbedtls_ssl_read()), not handshake messages. /// With DTLS, this affects both ApplicationData and handshake. /// + /// \note Defragmentation of TLS handshake messages is supported + /// with some limitations. See the documentation of + /// mbedtls_ssl_handshake() for details. + /// /// \note This sets the maximum length for a record's payload, /// excluding record overhead that will be added to it, see /// \c mbedtls_ssl_get_record_expansion(). @@ -23607,19 +24784,48 @@ unsafe extern "C" { ); } unsafe extern "C" { - /// \brief Enable / Disable session tickets (client only). - /// (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.) + /// \brief Enable / Disable TLS 1.2 session tickets (client only, + /// TLS 1.2 only). Enabled by default. /// /// \note On server, use \c mbedtls_ssl_conf_session_tickets_cb(). /// /// \param conf SSL configuration - /// \param use_tickets Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or - /// MBEDTLS_SSL_SESSION_TICKETS_DISABLED) + /// \param use_tickets Enable or disable (#MBEDTLS_SSL_SESSION_TICKETS_ENABLED or + /// #MBEDTLS_SSL_SESSION_TICKETS_DISABLED) pub fn mbedtls_ssl_conf_session_tickets( conf: *mut mbedtls_ssl_config, use_tickets: ::core::ffi::c_int, ); } +unsafe extern "C" { + /// \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages + /// (client only, TLS 1.3 only). + /// + /// The handling of TLS 1.3 NewSessionTicket messages is disabled by + /// default. + /// + /// In TLS 1.3, servers may send a NewSessionTicket message at any time, + /// and may send multiple NewSessionTicket messages. By default, TLS 1.3 + /// clients ignore NewSessionTicket messages. + /// + /// To support session tickets in TLS 1.3 clients, call this function + /// with #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED. When + /// this is enabled, when a client receives a NewSessionTicket message, + /// the next call to a message processing functions (notably + /// mbedtls_ssl_handshake() and mbedtls_ssl_read()) will return + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET. The client should then + /// call mbedtls_ssl_get_session() to retrieve the session ticket before + /// calling the same message processing function again. + /// + /// \param conf SSL configuration + /// \param signal_new_session_tickets Enable or disable + /// (#MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED or + /// #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED) + pub fn mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( + conf: *mut mbedtls_ssl_config, + signal_new_session_tickets: ::core::ffi::c_int, + ); +} unsafe extern "C" { /// \brief Number of NewSessionTicket messages for the server to send /// after handshake completion. @@ -23948,29 +25154,22 @@ unsafe extern "C" { /// \param ssl The SSL context representing the connection for which to /// to export a session structure for later resumption. /// \param session The target structure in which to store the exported session. - /// This must have been initialized with mbedtls_ssl_init_session() + /// This must have been initialized with mbedtls_ssl_session_init() /// but otherwise be unused. /// /// \note This function can handle a variety of mechanisms for session /// resumption: For TLS 1.2, both session ID-based resumption and /// ticket-based resumption will be considered. For TLS 1.3, - /// once implemented, sessions equate to tickets, and calling - /// this function multiple times will export the available - /// tickets one a time until no further tickets are available, - /// in which case MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE will - /// be returned. - /// - /// \note Calling this function multiple times will only be useful - /// once TLS 1.3 is supported. For TLS 1.2 connections, this - /// function should be called at most once. + /// sessions equate to tickets, and if session tickets are + /// enabled (see #MBEDTLS_SSL_SESSION_TICKETS configuration + /// option), this function exports the last received ticket and + /// the exported session may be used to resume the TLS 1.3 + /// session. If session tickets are disabled, exported sessions + /// cannot be used to resume a TLS 1.3 session. /// /// \return \c 0 if successful. In this case, \p session can be used for /// session resumption by passing it to mbedtls_ssl_set_session(), /// and serialized for storage via mbedtls_ssl_session_save(). - /// \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no further session - /// is available for export. - /// This error is a non-fatal, and has no observable effect on - /// the SSL context or the destination session. /// \return Another negative error code on other kinds of failure. /// /// \sa mbedtls_ssl_set_session() @@ -24002,6 +25201,17 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use /// and the client did not demonstrate reachability yet - in /// this case you must stop using the context (see below). + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. See the + /// documentation of mbedtls_ssl_read() for more information + /// about this error code. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24010,7 +25220,9 @@ unsafe extern "C" { /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24030,10 +25242,31 @@ unsafe extern "C" { /// currently being processed might or might not contain further /// DTLS records. /// - /// \note If the context is configured to allow TLS 1.3, or if - /// #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling /// psa_crypto_init() before calling this function. + /// Otherwise, the handshake may call psa_crypto_init() + /// if a negotiation involving TLS 1.3 takes place (this may + /// be the case even if TLS 1.3 is offered but eventually + /// not selected). + /// + /// \note In TLS, reception of fragmented handshake messages is + /// supported with some limitations (those limitations do + /// not apply to DTLS, where defragmentation is fully + /// supported): + /// - On an Mbed TLS server that only accepts TLS 1.2, + /// the initial ClientHello message must not be fragmented. + /// A TLS 1.2 ClientHello may be fragmented if the server + /// also accepts TLS 1.3 connections (meaning + /// that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the + /// accepted versions have not been restricted with + /// mbedtls_ssl_conf_max_tls_version() or the like). + /// - The first fragment of a handshake message must be + /// at least 4 bytes long. + /// - Non-handshake records must not be interleaved between + /// the fragments of a handshake message. (This is permitted + /// in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it + /// even in TLS 1.2.) pub fn mbedtls_ssl_handshake(ssl: *mut mbedtls_ssl_context) -> ::core::ffi::c_int; } unsafe extern "C" { @@ -24062,8 +25295,10 @@ unsafe extern "C" { /// /// \warning If this function returns something other than \c 0, /// #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, - /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using + /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using /// the SSL context for reading or writing, and either free it /// or call \c mbedtls_ssl_session_reset() on it before /// re-using it for a new connection; the current connection @@ -24126,6 +25361,24 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server /// side of a DTLS connection and the client is initiating a /// new connection using the same source port. See below. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. + /// This error code is only returned on the client side. It is + /// only returned if handling of TLS 1.3 NewSessionTicket + /// messages has been enabled through + /// mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(). + /// This error code indicates that a TLS 1.3 NewSessionTicket + /// message has been received and parsed successfully by the + /// client. The ticket data can be retrieved from the SSL + /// context by calling mbedtls_ssl_get_session(). It remains + /// available until the next call to mbedtls_ssl_read(). + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24134,8 +25387,10 @@ unsafe extern "C" { /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CLIENT_RECONNECT, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24202,6 +25457,17 @@ unsafe extern "C" { /// operation is in progress (see mbedtls_ecp_set_max_ops()) - /// in this case you must call this function again to complete /// the handshake when you're done attending other tasks. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. See the + /// documentation of mbedtls_ssl_read() for more information + /// about this error code. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24209,8 +25475,10 @@ unsafe extern "C" { /// a non-negative value, /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, - /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24451,381 +25719,64 @@ unsafe extern "C" { /// \brief Free an SSL configuration context /// /// \param conf SSL configuration context - pub fn mbedtls_ssl_config_free(conf: *mut mbedtls_ssl_config); -} -unsafe extern "C" { - /// \brief Initialize SSL session structure - /// - /// \param session SSL session - pub fn mbedtls_ssl_session_init(session: *mut mbedtls_ssl_session); -} -unsafe extern "C" { - /// \brief Free referenced items in an SSL session including the - /// peer certificate and clear memory - /// - /// \note A session object can be freed even if the SSL context - /// that was used to retrieve the session is still in use. - /// - /// \param session SSL session - pub fn mbedtls_ssl_session_free(session: *mut mbedtls_ssl_session); -} -unsafe extern "C" { - /// \brief TLS-PRF function for key derivation. - /// - /// \param prf The tls_prf type function type to be used. - /// \param secret Secret for the key derivation function. - /// \param slen Length of the secret. - /// \param label String label for the key derivation function, - /// terminated with null character. - /// \param random Random bytes. - /// \param rlen Length of the random bytes buffer. - /// \param dstbuf The buffer holding the derived key. - /// \param dlen Length of the output buffer. - /// - /// \return 0 on success. An SSL specific error on failure. - pub fn mbedtls_ssl_tls_prf( - prf: mbedtls_tls_prf_types, - secret: *const ::core::ffi::c_uchar, - slen: usize, - label: *const ::core::ffi::c_char, - random: *const ::core::ffi::c_uchar, - rlen: usize, - dstbuf: *mut ::core::ffi::c_uchar, - dlen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Set the threshold error level to handle globally all debug output. - /// Debug messages that have a level over the threshold value are - /// discarded. - /// (Default value: 0 = No debug ) - /// - /// \param threshold threshold level of messages to filter on. Messages at a - /// higher level will be discarded. - /// - Debug levels - /// - 0 No debug - /// - 1 Error - /// - 2 State change - /// - 3 Informational - /// - 4 Verbose - pub fn mbedtls_debug_set_threshold(threshold: ::core::ffi::c_int); -} -unsafe extern "C" { - /// \brief Print a message to the debug output. This function is always used - /// through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl - /// context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the message has occurred in - /// \param line line number the message has occurred at - /// \param format format specifier, in printf format - /// \param ... variables used by the format specifier - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_msg( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - format: *const ::core::ffi::c_char, - ... - ); -} -unsafe extern "C" { - /// \brief Print the return value of a function to the debug output. This - /// function is always used through the MBEDTLS_SSL_DEBUG_RET() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text the name of the function that returned the error - /// \param ret the return code value - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_ret( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - ret: ::core::ffi::c_int, - ); -} -unsafe extern "C" { - /// \brief Output a buffer of size len bytes to the debug output. This function - /// is always used through the MBEDTLS_SSL_DEBUG_BUF() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the buffer being dumped. Normally the - /// variable or buffer name - /// \param buf the buffer to be outputted - /// \param len length of the buffer - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_buf( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - buf: *const ::core::ffi::c_uchar, - len: usize, - ); -} -unsafe extern "C" { - /// \brief Print a MPI variable to the debug output. This function is always - /// used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the - /// ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the MPI being output. Normally the - /// variable name - /// \param X the MPI variable - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_mpi( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - X: *const mbedtls_mpi, - ); -} -unsafe extern "C" { - /// \brief Print an ECP point to the debug output. This function is always - /// used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the - /// ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the ECP point being output. Normally the - /// variable name - /// \param X the ECP point - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_ecp( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - X: *const mbedtls_ecp_point, - ); -} -unsafe extern "C" { - /// \brief Print a X.509 certificate structure to the debug output. This - /// function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the certificate being output - /// \param crt X.509 certificate structure - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_crt( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - crt: *const mbedtls_x509_crt, - ); -} -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_Q: mbedtls_debug_ecdh_attr = 0; -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_QP: mbedtls_debug_ecdh_attr = 1; -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_Z: mbedtls_debug_ecdh_attr = 2; -pub type mbedtls_debug_ecdh_attr = ::core::ffi::c_uint; -unsafe extern "C" { - /// \brief Print a field of the ECDH structure in the SSL context to the debug - /// output. This function is always used through the - /// MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file - /// and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param ecdh the ECDH context - /// \param attr the identifier of the attribute being output - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_printf_ecdh( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - ecdh: *const mbedtls_ecdh_context, - attr: mbedtls_debug_ecdh_attr, - ); -} -/// \brief Entropy poll callback pointer -/// -/// \param data Callback-specific data pointer -/// \param output Data to fill -/// \param len Maximum size to provide -/// \param olen The actual amount of bytes put into the buffer (Can be 0) -/// -/// \return 0 if no critical failures occurred, -/// MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise -pub type mbedtls_entropy_f_source_ptr = ::core::option::Option< - unsafe extern "C" fn( - data: *mut ::core::ffi::c_void, - output: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - ) -> ::core::ffi::c_int, ->; -/// \brief Entropy source state -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_entropy_source_state { - ///< The entropy source callback - pub private_f_source: mbedtls_entropy_f_source_ptr, - ///< The callback data pointer - pub private_p_source: *mut ::core::ffi::c_void, - ///< Amount received in bytes - pub private_size: usize, - ///< Minimum bytes required before release - pub private_threshold: usize, - ///< Is the source strong? - pub private_strong: ::core::ffi::c_int, -} -impl Default for mbedtls_entropy_source_state { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -/// \brief Entropy context structure -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_entropy_context { - pub private_accumulator_started: ::core::ffi::c_int, - pub __bindgen_padding_0: u64, - pub private_accumulator: mbedtls_sha512_context, - pub private_source_count: ::core::ffi::c_int, - pub private_source: [mbedtls_entropy_source_state; 20usize], -} -impl Default for mbedtls_entropy_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief Initialize the context - /// - /// \param ctx Entropy context to initialize - pub fn mbedtls_entropy_init(ctx: *mut mbedtls_entropy_context); -} -unsafe extern "C" { - /// \brief Free the data in the context - /// - /// \param ctx Entropy context to free - pub fn mbedtls_entropy_free(ctx: *mut mbedtls_entropy_context); -} -unsafe extern "C" { - /// \brief Adds an entropy source to poll - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) - /// - /// \param ctx Entropy context - /// \param f_source Entropy function - /// \param p_source Function data - /// \param threshold Minimum required from source before entropy is released - /// ( with mbedtls_entropy_func() ) (in bytes) - /// \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or - /// MBEDTLS_ENTROPY_SOURCE_WEAK. - /// At least one strong source needs to be added. - /// Weaker sources (such as the cycle counter) can be used as - /// a complement. - /// - /// \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES - pub fn mbedtls_entropy_add_source( - ctx: *mut mbedtls_entropy_context, - f_source: mbedtls_entropy_f_source_ptr, - p_source: *mut ::core::ffi::c_void, - threshold: usize, - strong: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + pub fn mbedtls_ssl_config_free(conf: *mut mbedtls_ssl_config); } unsafe extern "C" { - /// \brief Trigger an extra gather poll for the accumulator - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) - /// - /// \param ctx Entropy context + /// \brief Initialize SSL session structure /// - /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED - pub fn mbedtls_entropy_gather(ctx: *mut mbedtls_entropy_context) -> ::core::ffi::c_int; + /// \param session SSL session + pub fn mbedtls_ssl_session_init(session: *mut mbedtls_ssl_session); } unsafe extern "C" { - /// \brief Retrieve entropy from the accumulator - /// (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE) - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) + /// \brief Free referenced items in an SSL session including the + /// peer certificate and clear memory /// - /// \param data Entropy context - /// \param output Buffer to fill - /// \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE + /// \note A session object can be freed even if the SSL context + /// that was used to retrieve the session is still in use. /// - /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED - pub fn mbedtls_entropy_func( - data: *mut ::core::ffi::c_void, - output: *mut ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \param session SSL session + pub fn mbedtls_ssl_session_free(session: *mut mbedtls_ssl_session); } unsafe extern "C" { - /// \brief Add data to the accumulator manually - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) + /// \brief TLS-PRF function for key derivation. /// - /// \param ctx Entropy context - /// \param data Data to add - /// \param len Length of data + /// \param prf The tls_prf type function type to be used. + /// \param secret Secret for the key derivation function. + /// \param slen Length of the secret. + /// \param label String label for the key derivation function, + /// terminated with null character. + /// \param random Random bytes. + /// \param rlen Length of the random bytes buffer. + /// \param dstbuf The buffer holding the derived key. + /// \param dlen Length of the output buffer. /// - /// \return 0 if successful - pub fn mbedtls_entropy_update_manual( - ctx: *mut mbedtls_entropy_context, - data: *const ::core::ffi::c_uchar, - len: usize, + /// \return 0 on success. An SSL specific error on failure. + pub fn mbedtls_ssl_tls_prf( + prf: mbedtls_tls_prf_types, + secret: *const ::core::ffi::c_uchar, + slen: usize, + label: *const ::core::ffi::c_char, + random: *const ::core::ffi::c_uchar, + rlen: usize, + dstbuf: *mut ::core::ffi::c_uchar, + dlen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Checkup routine - /// - /// This module self-test also calls the entropy self-test, - /// mbedtls_entropy_source_self_test(); + /// \brief Set the threshold error level to handle globally all debug output. + /// Debug messages that have a level over the threshold value are + /// discarded. + /// (Default value: 0 = No debug ) /// - /// \return 0 if successful, or 1 if a test failed - pub fn mbedtls_entropy_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; + /// \param threshold threshold level of messages to filter on. Messages at a + /// higher level will be discarded. + /// - Debug levels + /// - 0 No debug + /// - 1 Error + /// - 2 State change + /// - 3 Informational + /// - 4 Verbose + pub fn mbedtls_debug_set_threshold(threshold: ::core::ffi::c_int); } unsafe extern "C" { /// \brief This is the HMAC-based Extract-and-Expand Key Derivation Function @@ -24994,8 +25945,8 @@ unsafe extern "C" { /// \param len The length of the personalization string. /// This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT /// and also at most - /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2 - /// where \p entropy_len is the entropy length + /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len * 3 / 2 + /// where \c entropy_len is the entropy length /// described above. /// /// \return \c 0 if successful. @@ -25120,8 +26071,8 @@ unsafe extern "C" { /// \param len The length of the additional data. /// This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT /// and also at most - /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len - /// where \p entropy_len is the entropy length + /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length /// (see mbedtls_hmac_drbg_set_entropy_len()). /// /// \return \c 0 if successful. @@ -25604,6 +26555,28 @@ unsafe extern "C" { oid: *const mbedtls_asn1_buf, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Translate a string containing a dotted-decimal + /// representation of an ASN.1 OID into its encoded form + /// (e.g. "1.2.840.113549" into "\x2A\x86\x48\x86\xF7\x0D"). + /// On success, this function allocates oid->buf from the + /// heap. It must be freed by the caller using mbedtls_free(). + /// + /// \param oid #mbedtls_asn1_buf to populate with the DER-encoded OID + /// \param oid_str string representation of the OID to parse + /// \param size length of the OID string, not including any null terminator + /// + /// \return 0 if successful + /// \return #MBEDTLS_ERR_ASN1_INVALID_DATA if \p oid_str does not + /// represent a valid OID + /// \return #MBEDTLS_ERR_ASN1_ALLOC_FAILED if the function fails to + /// allocate oid->buf + pub fn mbedtls_oid_from_numeric_string( + oid: *mut mbedtls_asn1_buf, + oid_str: *const ::core::ffi::c_char, + size: usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Translate an X.509 extension OID into local values /// @@ -25681,6 +26654,34 @@ unsafe extern "C" { olen: *mut usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Translate AlgorithmIdentifier OID into an EC group identifier, + /// for curves that are directly encoded at this level + /// + /// \param oid OID to use + /// \param grp_id place to store group id + /// + /// \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + pub fn mbedtls_oid_get_ec_grp_algid( + oid: *const mbedtls_asn1_buf, + grp_id: *mut mbedtls_ecp_group_id, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Translate EC group identifier into AlgorithmIdentifier OID, + /// for curves that are directly encoded at this level + /// + /// \param grp_id EC group identifier + /// \param oid place to store ASN.1 OID string pointer + /// \param olen length of the OID + /// + /// \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + pub fn mbedtls_oid_get_oid_by_ec_grp_algid( + grp_id: mbedtls_ecp_group_id, + oid: *mut *const ::core::ffi::c_char, + olen: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Translate SignatureAlgorithm OID into md_type and pk_type /// @@ -25848,11 +26849,11 @@ unsafe extern "C" { /// \param data source data to look in (must be nul-terminated) /// \param pwd password for decryption (can be NULL) /// \param pwdlen length of password - /// \param use_len destination for total length used (set after header is - /// correctly read, so unless you get + /// \param use_len destination for total length used from data buffer. It is + /// set after header is correctly read, so unless you get /// MBEDTLS_ERR_PEM_BAD_INPUT_DATA or /// MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is - /// the length to skip) + /// the length to skip. /// /// \note Attempts to check password correctness by verifying if /// the decrypted text starts with an ASN.1 sequence of @@ -25917,13 +26918,40 @@ unsafe extern "C" { unsafe extern "C" { /// \brief PKCS#5 PBES2 function /// + /// \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must + /// be enabled at compile time. + /// + /// \deprecated This function is deprecated and will be removed in a + /// future version of the library. + /// Please use mbedtls_pkcs5_pbes2_ext() instead. + /// + /// \warning When decrypting: + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile + /// time, this function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile + /// time, this function does not validate the CBC padding. + /// /// \param pbe_params the ASN.1 algorithm parameters - /// \param mode either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT + /// \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT /// \param pwd password to use when generating key /// \param pwdlen length of password /// \param data data to process /// \param datalen length of data - /// \param output output buffer + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p datalen + /// bytes. + /// For encryption, there must be enough room for + /// \p datalen + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. /// /// \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails. pub fn mbedtls_pkcs5_pbes2( @@ -25936,6 +26964,50 @@ unsafe extern "C" { output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief PKCS#5 PBES2 function + /// + /// \warning When decrypting: + /// - This function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// + /// \param pbe_params the ASN.1 algorithm parameters + /// \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT + /// \param pwd password to use when generating key + /// \param pwdlen length of password + /// \param data data to process + /// \param datalen length of data + /// \param output Output buffer. + /// On success, it contains the decrypted data. + /// On failure, the content is indetermidate. + /// For decryption, there must be enough room for \p datalen + /// bytes. + /// For encryption, there must be enough room for + /// \p datalen + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. + /// \param output_size size of output buffer. + /// This must be big enough to accommodate for output plus + /// padding data. + /// \param output_len On success, length of actual data written to the output buffer. + /// + /// \returns 0 on success, or a MBEDTLS_ERR_XXX code if parsing or decryption fails. + pub fn mbedtls_pkcs5_pbes2_ext( + pbe_params: *const mbedtls_asn1_buf, + mode: ::core::ffi::c_int, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + data: *const ::core::ffi::c_uchar, + datalen: usize, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_len: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief PKCS#5 PBKDF2 using HMAC without using the HMAC context /// @@ -26167,6 +27239,25 @@ unsafe extern "C" { /// \brief PKCS12 Password Based function (encryption / decryption) /// for cipher-based and mbedtls_md-based PBE's /// + /// \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must + /// be enabled at compile time. + /// + /// \deprecated This function is deprecated and will be removed in a + /// future version of the library. + /// Please use mbedtls_pkcs12_pbe_ext() instead. + /// + /// \warning When decrypting: + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile + /// time, this function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile + /// time, this function does not validate the CBC padding. + /// /// \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure /// \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or /// #MBEDTLS_PKCS12_PBE_DECRYPT @@ -26175,9 +27266,17 @@ unsafe extern "C" { /// \param pwd Latin1-encoded password used. This may only be \c NULL when /// \p pwdlen is 0. No null terminator should be used. /// \param pwdlen length of the password (may be 0) - /// \param input the input data + /// \param data the input data /// \param len data length - /// \param output the output buffer + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p len + /// bytes. + /// For encryption, there must be enough room for + /// \p len + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. /// /// \return 0 if successful, or a MBEDTLS_ERR_XXX code pub fn mbedtls_pkcs12_pbe( @@ -26187,9 +27286,62 @@ unsafe extern "C" { md_type: mbedtls_md_type_t, pwd: *const ::core::ffi::c_uchar, pwdlen: usize, - input: *const ::core::ffi::c_uchar, + data: *const ::core::ffi::c_uchar, + len: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief PKCS12 Password Based function (encryption / decryption) + /// for cipher-based and mbedtls_md-based PBE's + /// + /// + /// \warning When decrypting: + /// - This function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// + /// \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure + /// \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or + /// #MBEDTLS_PKCS12_PBE_DECRYPT + /// \param cipher_type the cipher used + /// \param md_type the mbedtls_md used + /// \param pwd Latin1-encoded password used. This may only be \c NULL when + /// \p pwdlen is 0. No null terminator should be used. + /// \param pwdlen length of the password (may be 0) + /// \param data the input data + /// \param len data length + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p len + /// bytes. + /// For encryption, there must be enough room for + /// \p len + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. + /// \param output_size size of output buffer. + /// This must be big enough to accommodate for output plus + /// padding data. + /// \param output_len On success, length of actual data written to the output buffer. + /// + /// \return 0 if successful, or a MBEDTLS_ERR_XXX code + pub fn mbedtls_pkcs12_pbe_ext( + pbe_params: *mut mbedtls_asn1_buf, + mode: ::core::ffi::c_int, + cipher_type: mbedtls_cipher_type_t, + md_type: mbedtls_md_type_t, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + data: *const ::core::ffi::c_uchar, len: usize, output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_len: *mut usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { @@ -26288,6 +27440,11 @@ unsafe extern "C" { /// \param session_id_len The length of \p session_id in bytes. /// \param session The address at which to store the session /// associated with \p session_id, if present. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND if there is + /// no cache entry with specified session ID found, or + /// any other negative error code for other failures. pub fn mbedtls_ssl_cache_get( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26304,6 +27461,9 @@ unsafe extern "C" { /// associated to \p session. /// \param session_id_len The length of \p session_id in bytes. /// \param session The session to store. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. pub fn mbedtls_ssl_cache_set( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26317,12 +27477,13 @@ unsafe extern "C" { /// /// \param data The SSL cache context to use. /// \param session_id The pointer to the buffer holding the session ID - /// associated to \p session. + /// associated to session. /// \param session_id_len The length of \p session_id in bytes. /// - /// \return 0: The cache entry for session with provided ID - /// is removed or does not exist. - /// Otherwise: fail. + /// \return \c 0 on success. This indicates the cache entry for + /// the session with provided ID is removed or does not + /// exist. + /// \return A negative error code on failure. pub fn mbedtls_ssl_cache_remove( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26375,13 +27536,7 @@ unsafe extern "C" { /// \brief Setup cookie context (generate keys) pub fn mbedtls_ssl_cookie_setup( ctx: *mut mbedtls_ssl_cookie_ctx, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -26427,6 +27582,9 @@ unsafe extern "C" { #[derive(Copy, Clone)] pub struct mbedtls_ssl_ticket_key { pub private_name: [::core::ffi::c_uchar; 4usize], + /// Lifetime of the key in seconds. This is also the lifetime of the + /// tickets created under that key. + pub private_lifetime: u32, ///< context for auth enc/decryption pub private_ctx: mbedtls_cipher_context_t, } @@ -26482,7 +27640,9 @@ unsafe extern "C" { /// /// \param ctx Context to be set up /// \param f_rng RNG callback function (mandatory) - /// \param p_rng RNG callback context + /// \param p_rng RNG callback context. + /// Note that the RNG callback must remain valid + /// until the ticket context is freed. /// \param cipher AEAD cipher to use for ticket protection. /// Recommended value: MBEDTLS_CIPHER_AES_256_GCM. /// \param lifetime Tickets lifetime in seconds @@ -26492,21 +27652,21 @@ unsafe extern "C" { /// least as strong as the strongest ciphersuite /// supported. Usually that means a 256-bit key. /// - /// \note The lifetime of the keys is twice the lifetime of tickets. - /// It is recommended to pick a reasonable lifetime so as not + /// \note It is recommended to pick a reasonable lifetime so as not /// to negate the benefits of forward secrecy. /// + /// \note The TLS 1.3 specification states that ticket lifetime must + /// be smaller than seven days. If ticket lifetime has been + /// set to a value greater than seven days in this module then + /// if the TLS 1.3 is configured to send tickets after the + /// handshake it will fail the connection when trying to send + /// the first ticket. + /// /// \return 0 if successful, /// or a specific MBEDTLS_ERR_XXX error code pub fn mbedtls_ssl_ticket_setup( ctx: *mut mbedtls_ssl_ticket_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, cipher: mbedtls_cipher_type_t, lifetime: u32, @@ -26537,10 +27697,16 @@ unsafe extern "C" { /// \note \c klength must be sufficient for use by cipher specified /// to \c mbedtls_ssl_ticket_setup /// - /// \note The lifetime of the keys is twice the lifetime of tickets. - /// It is recommended to pick a reasonable lifetime so as not + /// \note It is recommended to pick a reasonable lifetime so as not /// to negate the benefits of forward secrecy. /// + /// \note The TLS 1.3 specification states that ticket lifetime must + /// be smaller than seven days. If ticket lifetime has been + /// set to a value greater than seven days in this module then + /// if the TLS 1.3 is configured to send tickets after the + /// handshake it will fail the connection when trying to send + /// the first ticket. + /// /// \return 0 if successful, /// or a specific MBEDTLS_ERR_XXX error code pub fn mbedtls_ssl_ticket_rotate( @@ -26606,7 +27772,7 @@ pub struct mbedtls_x509_csr { pub key_usage: ::core::ffi::c_uint, ///< Optional Netscape certificate type extension value: See the values in x509.h pub ns_cert_type: ::core::ffi::c_uchar, - ///< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). + ///< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. pub subject_alt_names: mbedtls_x509_sequence, ///< Bit string containing detected and parsed extensions pub private_ext_types: ::core::ffi::c_int, @@ -26646,25 +27812,12 @@ impl Default for mbedtls_x509write_csr { } } } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_x509_san_list { - pub node: mbedtls_x509_subject_alternative_name, - pub next: *mut mbedtls_x509_san_list, -} -impl Default for mbedtls_x509_san_list { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { /// \brief Load a Certificate Signing Request (CSR) in DER format /// - /// \note CSR attributes (if any) are currently silently ignored. + /// \note Any unsupported requested extensions are silently + /// ignored, unless the critical flag is set, in which case + /// the CSR is rejected. /// /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling @@ -26681,6 +27834,70 @@ unsafe extern "C" { buflen: usize, ) -> ::core::ffi::c_int; } +/// \brief The type of certificate extension callbacks. +/// +/// Callbacks of this type are passed to and used by the +/// mbedtls_x509_csr_parse_der_with_ext_cb() routine when +/// it encounters either an unsupported extension. +/// Future versions of the library may invoke the callback +/// in other cases, if and when the need arises. +/// +/// \param p_ctx An opaque context passed to the callback. +/// \param csr The CSR being parsed. +/// \param oid The OID of the extension. +/// \param critical Whether the extension is critical. +/// \param p Pointer to the start of the extension value +/// (the content of the OCTET STRING). +/// \param end End of extension value. +/// +/// \note The callback must fail and return a negative error code +/// if it can not parse or does not support the extension. +/// When the callback fails to parse a critical extension +/// mbedtls_x509_csr_parse_der_with_ext_cb() also fails. +/// When the callback fails to parse a non critical extension +/// mbedtls_x509_csr_parse_der_with_ext_cb() simply skips +/// the extension and continues parsing. +/// +/// \return \c 0 on success. +/// \return A negative error code on failure. +pub type mbedtls_x509_csr_ext_cb_t = ::core::option::Option< + unsafe extern "C" fn( + p_ctx: *mut ::core::ffi::c_void, + csr: *const mbedtls_x509_csr, + oid: *const mbedtls_x509_buf, + critical: ::core::ffi::c_int, + p: *const ::core::ffi::c_uchar, + end: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int, +>; +unsafe extern "C" { + /// \brief Load a Certificate Signing Request (CSR) in DER format + /// + /// \note Any unsupported requested extensions are silently + /// ignored, unless the critical flag is set, in which case + /// the result of the callback function decides whether + /// CSR is rejected. + /// + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. + /// + /// \param csr CSR context to fill + /// \param buf buffer holding the CRL data + /// \param buflen size of the buffer + /// \param cb A callback invoked for every unsupported certificate + /// extension. + /// \param p_ctx An opaque context passed to the callback. + /// + /// \return 0 if successful, or a specific X509 error code + pub fn mbedtls_x509_csr_parse_der_with_ext_cb( + csr: *mut mbedtls_x509_csr, + buf: *const ::core::ffi::c_uchar, + buflen: usize, + cb: mbedtls_x509_csr_ext_cb_t, + p_ctx: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Load a Certificate Signing Request (CSR), DER or PEM format /// @@ -26742,7 +27959,7 @@ unsafe extern "C" { /// \brief Set the subject name for a CSR /// Subject names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1" /// /// \param ctx CSR context to use /// \param subject_name subject name to set @@ -26873,13 +28090,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_csr, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -26900,13 +28111,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_csr, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } diff --git a/esp-mbedtls-sys/src/include/riscv32imc-unknown-none-elf.rs b/esp-mbedtls-sys/src/include/riscv32imc-unknown-none-elf.rs index 42738ece..a7588196 100644 --- a/esp-mbedtls-sys/src/include/riscv32imc-unknown-none-elf.rs +++ b/esp-mbedtls-sys/src/include/riscv32imc-unknown-none-elf.rs @@ -137,6 +137,36 @@ where } } } +#[repr(C)] +#[derive(Default)] +pub struct __IncompleteArrayField(::core::marker::PhantomData, [T; 0]); +impl __IncompleteArrayField { + #[inline] + pub const fn new() -> Self { + __IncompleteArrayField(::core::marker::PhantomData, []) + } + #[inline] + pub fn as_ptr(&self) -> *const T { + self as *const _ as *const T + } + #[inline] + pub fn as_mut_ptr(&mut self) -> *mut T { + self as *mut _ as *mut T + } + #[inline] + pub unsafe fn as_slice(&self, len: usize) -> &[T] { + ::core::slice::from_raw_parts(self.as_ptr(), len) + } + #[inline] + pub unsafe fn as_mut_slice(&mut self, len: usize) -> &mut [T] { + ::core::slice::from_raw_parts_mut(self.as_mut_ptr(), len) + } +} +impl ::core::fmt::Debug for __IncompleteArrayField { + fn fmt(&self, fmt: &mut ::core::fmt::Formatter<'_>) -> ::core::fmt::Result { + fmt.write_str("__IncompleteArrayField") + } +} pub const MBEDTLS_CONFIG_FILE: &[u8; 9] = b"config.h\0"; pub const MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT: u32 = 0; pub const MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: u32 = 1024; @@ -144,14 +174,33 @@ pub const MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE: u32 = 6000; pub const MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH: u32 = 32; pub const MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS: u32 = 1; pub const MBEDTLS_VERSION_MAJOR: u32 = 3; -pub const MBEDTLS_VERSION_MINOR: u32 = 4; -pub const MBEDTLS_VERSION_PATCH: u32 = 0; -pub const MBEDTLS_VERSION_NUMBER: u32 = 50593792; -pub const MBEDTLS_VERSION_STRING: &[u8; 6] = b"3.4.0\0"; -pub const MBEDTLS_VERSION_STRING_FULL: &[u8; 15] = b"mbed TLS 3.4.0\0"; +pub const MBEDTLS_VERSION_MINOR: u32 = 6; +pub const MBEDTLS_VERSION_PATCH: u32 = 5; +pub const MBEDTLS_VERSION_NUMBER: u32 = 50726144; +pub const MBEDTLS_VERSION_STRING: &[u8; 6] = b"3.6.5\0"; +pub const MBEDTLS_VERSION_STRING_FULL: &[u8; 15] = b"Mbed TLS 3.6.5\0"; +pub const PSA_WANT_ALG_MD5: u32 = 1; +pub const PSA_WANT_ALG_RIPEMD160: u32 = 1; +pub const PSA_WANT_ALG_SHA_1: u32 = 1; +pub const PSA_WANT_ALG_SHA_224: u32 = 1; +pub const PSA_WANT_ALG_SHA_256: u32 = 1; +pub const PSA_WANT_ALG_SHA_384: u32 = 1; +pub const PSA_WANT_ALG_SHA_512: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_256: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_384: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_512: u32 = 1; +pub const PSA_WANT_ECC_MONTGOMERY_255: u32 = 1; +pub const PSA_WANT_ECC_MONTGOMERY_448: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_192: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_224: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_256: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_384: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_521: u32 = 1; +pub const PSA_WANT_ECC_SECP_K1_192: u32 = 1; +pub const PSA_WANT_ECC_SECP_K1_256: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CCM: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const PSA_WANT_ALG_CCM: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const PSA_WANT_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CMAC: u32 = 1; pub const PSA_WANT_ALG_CMAC: u32 = 1; @@ -162,10 +211,40 @@ pub const PSA_WANT_ALG_ECDSA: u32 = 1; pub const PSA_WANT_ALG_ECDSA_ANY: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA: u32 = 1; pub const PSA_WANT_ALG_DETERMINISTIC_ECDSA: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR: u32 = 1; -pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY: u32 = 1; pub const PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY: u32 = 1; +pub const PSA_WANT_ALG_FFDH: u32 = 1; +pub const PSA_WANT_DH_RFC7919_2048: u32 = 1; +pub const PSA_WANT_DH_RFC7919_3072: u32 = 1; +pub const PSA_WANT_DH_RFC7919_4096: u32 = 1; +pub const PSA_WANT_DH_RFC7919_6144: u32 = 1; +pub const PSA_WANT_DH_RFC7919_8192: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_ALG_FFDH: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_GCM: u32 = 1; pub const PSA_WANT_ALG_GCM: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_HMAC: u32 = 1; @@ -176,17 +255,16 @@ pub const MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT: u32 = 1; pub const PSA_WANT_ALG_HKDF_EXTRACT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND: u32 = 1; pub const PSA_WANT_ALG_HKDF_EXPAND: u32 = 1; +pub const PSA_WANT_KEY_TYPE_HMAC: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF: u32 = 1; pub const PSA_WANT_ALG_TLS12_PRF: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS: u32 = 1; pub const PSA_WANT_ALG_TLS12_PSK_TO_MS: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_MD5: u32 = 1; -pub const PSA_WANT_ALG_MD5: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_PAKE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_JPAKE: u32 = 1; pub const PSA_WANT_ALG_JPAKE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160: u32 = 1; -pub const PSA_WANT_ALG_RIPEMD160: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT: u32 = 1; pub const PSA_WANT_ALG_RSA_PKCS1V15_CRYPT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN: u32 = 1; @@ -196,20 +274,19 @@ pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP: u32 = 1; pub const PSA_WANT_ALG_RSA_OAEP: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS: u32 = 1; pub const PSA_WANT_ALG_RSA_PSS: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR: u32 = 1; -pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY: u32 = 1; pub const PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_1: u32 = 1; -pub const PSA_WANT_ALG_SHA_1: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_224: u32 = 1; -pub const PSA_WANT_ALG_SHA_224: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_256: u32 = 1; -pub const PSA_WANT_ALG_SHA_256: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_384: u32 = 1; -pub const PSA_WANT_ALG_SHA_384: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_512: u32 = 1; -pub const PSA_WANT_ALG_SHA_512: u32 = 1; pub const PSA_WANT_KEY_TYPE_AES: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES: u32 = 1; pub const PSA_WANT_KEY_TYPE_ARIA: u32 = 1; @@ -221,8 +298,8 @@ pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS: u32 = 1; pub const PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS: u32 = 1; pub const PSA_WANT_KEY_TYPE_CHACHA20: u32 = 1; -pub const PSA_WANT_ALG_STREAM_CIPHER: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20: u32 = 1; +pub const PSA_WANT_ALG_STREAM_CIPHER: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER: u32 = 1; pub const PSA_WANT_ALG_CHACHA20_POLY1305: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305: u32 = 1; @@ -250,8 +327,7 @@ pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256: u32 = 1; -pub const PSA_HAVE_FULL_ECDSA: u32 = 1; -pub const PSA_HAVE_FULL_JPAKE: u32 = 1; +pub const PSA_WANT_ALG_SOME_PAKE: u32 = 1; pub const PSA_WANT_KEY_TYPE_DERIVE: u32 = 1; pub const PSA_WANT_KEY_TYPE_PASSWORD: u32 = 1; pub const PSA_WANT_KEY_TYPE_PASSWORD_HASH: u32 = 1; @@ -272,7 +348,7 @@ pub const MBEDTLS_ERR_MPI_DIVISION_BY_ZERO: i32 = -12; pub const MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: i32 = -14; pub const MBEDTLS_ERR_MPI_ALLOC_FAILED: i32 = -16; pub const MBEDTLS_MPI_MAX_LIMBS: u32 = 10000; -pub const MBEDTLS_MPI_WINDOW_SIZE: u32 = 2; +pub const MBEDTLS_MPI_WINDOW_SIZE: u32 = 3; pub const MBEDTLS_MPI_MAX_SIZE: u32 = 1024; pub const MBEDTLS_MPI_MAX_BITS: u32 = 8192; pub const MBEDTLS_MPI_MAX_BITS_SCALE100: u32 = 819200; @@ -320,6 +396,8 @@ pub const MBEDTLS_CIPHER_VARIABLE_KEY_LEN: u32 = 2; pub const MBEDTLS_MAX_IV_LENGTH: u32 = 16; pub const MBEDTLS_MAX_BLOCK_LENGTH: u32 = 16; pub const MBEDTLS_MAX_KEY_LENGTH: u32 = 64; +pub const MBEDTLS_KEY_BITLEN_SHIFT: u32 = 6; +pub const MBEDTLS_IV_SIZE_SHIFT: u32 = 2; pub const MBEDTLS_CCM_DECRYPT: u32 = 0; pub const MBEDTLS_CCM_ENCRYPT: u32 = 1; pub const MBEDTLS_CCM_STAR_DECRYPT: u32 = 2; @@ -332,7 +410,26 @@ pub const MBEDTLS_ERR_CHACHAPOLY_BAD_STATE: i32 = -84; pub const MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED: i32 = -86; pub const MBEDTLS_AES_BLOCK_SIZE: u32 = 16; pub const MBEDTLS_DES3_BLOCK_SIZE: u32 = 8; +pub const MBEDTLS_CMAC_MAX_BLOCK_SIZE: u32 = 16; pub const MBEDTLS_CIPHER_BLKSIZE_MAX: u32 = 16; +pub const MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: i32 = -20608; +pub const MBEDTLS_ERR_MD_BAD_INPUT_DATA: i32 = -20736; +pub const MBEDTLS_ERR_MD_ALLOC_FAILED: i32 = -20864; +pub const MBEDTLS_ERR_MD_FILE_IO_ERROR: i32 = -20992; +pub const MBEDTLS_MD_MAX_SIZE: u32 = 64; +pub const MBEDTLS_MD_MAX_BLOCK_SIZE: u32 = 128; +pub const MBEDTLS_ENTROPY_BLOCK_SIZE: u32 = 64; +pub const MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: i32 = -60; +pub const MBEDTLS_ERR_ENTROPY_MAX_SOURCES: i32 = -62; +pub const MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: i32 = -64; +pub const MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: i32 = -61; +pub const MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR: i32 = -63; +pub const MBEDTLS_ENTROPY_MAX_SOURCES: u32 = 20; +pub const MBEDTLS_ENTROPY_MAX_GATHER: u32 = 128; +pub const MBEDTLS_ENTROPY_MAX_SEED_SIZE: u32 = 1024; +pub const MBEDTLS_ENTROPY_SOURCE_MANUAL: u32 = 20; +pub const MBEDTLS_ENTROPY_SOURCE_STRONG: u32 = 1; +pub const MBEDTLS_ENTROPY_SOURCE_WEAK: u32 = 0; pub const MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED: i32 = -52; pub const MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG: i32 = -54; pub const MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG: i32 = -56; @@ -367,12 +464,6 @@ pub const MBEDTLS_ECP_MAX_PT_LEN: u32 = 133; pub const MBEDTLS_ECP_PF_UNCOMPRESSED: u32 = 0; pub const MBEDTLS_ECP_PF_COMPRESSED: u32 = 1; pub const MBEDTLS_ECP_TLS_NAMED_CURVE: u32 = 3; -pub const MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: i32 = -20608; -pub const MBEDTLS_ERR_MD_BAD_INPUT_DATA: i32 = -20736; -pub const MBEDTLS_ERR_MD_ALLOC_FAILED: i32 = -20864; -pub const MBEDTLS_ERR_MD_FILE_IO_ERROR: i32 = -20992; -pub const MBEDTLS_MD_MAX_SIZE: u32 = 64; -pub const MBEDTLS_MD_MAX_BLOCK_SIZE: u32 = 128; pub const MBEDTLS_ERR_RSA_BAD_INPUT_DATA: i32 = -16512; pub const MBEDTLS_ERR_RSA_INVALID_PADDING: i32 = -16640; pub const MBEDTLS_ERR_RSA_KEY_GEN_FAILED: i32 = -16768; @@ -387,6 +478,55 @@ pub const MBEDTLS_RSA_PKCS_V21: u32 = 1; pub const MBEDTLS_RSA_SIGN: u32 = 1; pub const MBEDTLS_RSA_CRYPT: u32 = 2; pub const MBEDTLS_RSA_SALT_LEN_ANY: i32 = -1; +pub const MBEDTLS_RSA_GEN_KEY_MIN_BITS: u32 = 1024; +pub const PSA_CRYPTO_API_VERSION_MAJOR: u32 = 1; +pub const PSA_CRYPTO_API_VERSION_MINOR: u32 = 0; +pub const PSA_MAC_TRUNCATION_OFFSET: u32 = 16; +pub const PSA_AEAD_TAG_LENGTH_OFFSET: u32 = 16; +pub const PSA_HMAC_MAX_HASH_BLOCK_SIZE: u32 = 128; +pub const PSA_HASH_MAX_SIZE: u32 = 64; +pub const PSA_MAC_MAX_SIZE: u32 = 64; +pub const PSA_AEAD_TAG_MAX_SIZE: u32 = 16; +pub const PSA_VENDOR_RSA_MAX_KEY_BITS: u32 = 4096; +pub const PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS: u32 = 1024; +pub const PSA_VENDOR_FFDH_MAX_KEY_BITS: u32 = 8192; +pub const PSA_VENDOR_ECC_MAX_CURVE_BITS: u32 = 521; +pub const PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE: u32 = 128; +pub const PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE: u32 = 65; +pub const PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE: u32 = 32; +pub const PSA_VENDOR_PBKDF2_MAX_ITERATIONS: u32 = 4294967295; +pub const PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE: u32 = 16; +pub const PSA_AEAD_NONCE_MAX_SIZE: u32 = 13; +pub const PSA_AEAD_FINISH_OUTPUT_MAX_SIZE: u32 = 16; +pub const PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE: u32 = 16; +pub const PSA_SIGNATURE_MAX_SIZE: u32 = 1; +pub const PSA_EXPORT_KEY_PAIR_MAX_SIZE: u32 = 1; +pub const PSA_EXPORT_PUBLIC_KEY_MAX_SIZE: u32 = 1; +pub const PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE: u32 = 1; +pub const PSA_CIPHER_MAX_KEY_LENGTH: u32 = 32; +pub const PSA_CIPHER_IV_MAX_SIZE: u32 = 16; +pub const PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE: u32 = 16; +pub const MBEDTLS_ERR_SHA1_BAD_INPUT_DATA: i32 = -115; +pub const MBEDTLS_ERR_SHA256_BAD_INPUT_DATA: i32 = -116; +pub const MBEDTLS_ERR_SHA512_BAD_INPUT_DATA: i32 = -117; +pub const MBEDTLS_ERR_SHA3_BAD_INPUT_DATA: i32 = -118; +pub const MBEDTLS_PSA_BUILTIN_CIPHER: u32 = 1; +pub const MBEDTLS_GCM_ENCRYPT: u32 = 1; +pub const MBEDTLS_GCM_DECRYPT: u32 = 0; +pub const MBEDTLS_ERR_GCM_AUTH_FAILED: i32 = -18; +pub const MBEDTLS_ERR_GCM_BAD_INPUT: i32 = -20; +pub const MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: i32 = -22; +pub const MBEDTLS_GCM_HTABLE_SIZE: u32 = 16; +pub const MBEDTLS_PSA_BUILTIN_AEAD: u32 = 1; +pub const MBEDTLS_PSA_JPAKE_BUFFER_SIZE: u32 = 336; +pub const PSA_MAX_KEY_BITS: u32 = 65528; +pub const PSA_CRYPTO_ITS_RANDOM_SEED_UID: u32 = 4294967122; +pub const MBEDTLS_PSA_KEY_SLOT_COUNT: u32 = 32; +pub const PSA_PAKE_OPERATION_STAGE_SETUP: u32 = 0; +pub const PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS: u32 = 1; +pub const PSA_PAKE_OPERATION_STAGE_COMPUTATION: u32 = 2; +pub const PSA_PAKE_OUTPUT_MAX_SIZE: u32 = 65; +pub const PSA_PAKE_INPUT_MAX_SIZE: u32 = 65; pub const MBEDTLS_ERR_PK_ALLOC_FAILED: i32 = -16256; pub const MBEDTLS_ERR_PK_TYPE_MISMATCH: i32 = -16128; pub const MBEDTLS_ERR_PK_BAD_INPUT_DATA: i32 = -16000; @@ -597,45 +737,6 @@ pub const MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256: u32 = 4869; pub const MBEDTLS_CIPHERSUITE_WEAK: u32 = 1; pub const MBEDTLS_CIPHERSUITE_SHORT_TAG: u32 = 2; pub const MBEDTLS_CIPHERSUITE_NODTLS: u32 = 4; -pub const PSA_CRYPTO_API_VERSION_MAJOR: u32 = 1; -pub const PSA_CRYPTO_API_VERSION_MINOR: u32 = 0; -pub const PSA_MAC_TRUNCATION_OFFSET: u32 = 16; -pub const PSA_AEAD_TAG_LENGTH_OFFSET: u32 = 16; -pub const PSA_HASH_MAX_SIZE: u32 = 64; -pub const PSA_HMAC_MAX_HASH_BLOCK_SIZE: u32 = 128; -pub const PSA_MAC_MAX_SIZE: u32 = 64; -pub const PSA_AEAD_TAG_MAX_SIZE: u32 = 16; -pub const PSA_VENDOR_RSA_MAX_KEY_BITS: u32 = 4096; -pub const PSA_VENDOR_ECC_MAX_CURVE_BITS: u32 = 521; -pub const PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE: u32 = 128; -pub const PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE: u32 = 65; -pub const PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE: u32 = 32; -pub const PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE: u32 = 16; -pub const PSA_AEAD_NONCE_MAX_SIZE: u32 = 13; -pub const PSA_AEAD_FINISH_OUTPUT_MAX_SIZE: u32 = 16; -pub const PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE: u32 = 16; -pub const PSA_CIPHER_IV_MAX_SIZE: u32 = 16; -pub const PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE: u32 = 16; -pub const MBEDTLS_GCM_ENCRYPT: u32 = 1; -pub const MBEDTLS_GCM_DECRYPT: u32 = 0; -pub const MBEDTLS_ERR_GCM_AUTH_FAILED: i32 = -18; -pub const MBEDTLS_ERR_GCM_BAD_INPUT: i32 = -20; -pub const MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: i32 = -22; -pub const MBEDTLS_ERR_SHA1_BAD_INPUT_DATA: i32 = -115; -pub const MBEDTLS_ERR_SHA256_BAD_INPUT_DATA: i32 = -116; -pub const MBEDTLS_ERR_SHA512_BAD_INPUT_DATA: i32 = -117; -pub const MBEDTLS_PSA_BUILTIN_CIPHER: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_AEAD: u32 = 1; -pub const MBEDTLS_PSA_JPAKE_BUFFER_SIZE: u32 = 336; -pub const PSA_MAX_KEY_BITS: u32 = 65528; -pub const MBEDTLS_PSA_KA_MASK_DUAL_USE: u32 = 0; -pub const PSA_CRYPTO_ITS_RANDOM_SEED_UID: u32 = 4294967122; -pub const MBEDTLS_PSA_KEY_SLOT_COUNT: u32 = 32; -pub const PSA_PAKE_OPERATION_STAGE_SETUP: u32 = 0; -pub const PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS: u32 = 1; -pub const PSA_PAKE_OPERATION_STAGE_COMPUTATION: u32 = 2; -pub const PSA_PAKE_OUTPUT_MAX_SIZE: u32 = 65; -pub const PSA_PAKE_INPUT_MAX_SIZE: u32 = 65; pub const MBEDTLS_X509_MAX_INTERMEDIATE_CA: u32 = 8; pub const MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE: i32 = -8320; pub const MBEDTLS_ERR_X509_UNKNOWN_OID: i32 = -8448; @@ -743,7 +844,9 @@ pub const MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY: i32 = -30848; pub const MBEDTLS_ERR_SSL_BAD_CERTIFICATE: i32 = -31232; pub const MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET: i32 = -31488; pub const MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA: i32 = -31616; -pub const MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA: i32 = -31744; +pub const MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA: i32 = -31744; +pub const MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA: i32 = -31872; +pub const MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND: i32 = -32384; pub const MBEDTLS_ERR_SSL_ALLOC_FAILED: i32 = -32512; pub const MBEDTLS_ERR_SSL_HW_ACCEL_FAILED: i32 = -32640; pub const MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: i32 = -28544; @@ -770,6 +873,7 @@ pub const MBEDTLS_ERR_SSL_EARLY_MESSAGE: i32 = -25728; pub const MBEDTLS_ERR_SSL_UNEXPECTED_CID: i32 = -24576; pub const MBEDTLS_ERR_SSL_VERSION_MISMATCH: i32 = -24320; pub const MBEDTLS_ERR_SSL_BAD_CONFIG: i32 = -24192; +pub const MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME: i32 = -23936; pub const MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE: u32 = 0; pub const MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE: u32 = 1; pub const MBEDTLS_SSL_IANA_TLS_GROUP_NONE: u32 = 0; @@ -841,6 +945,8 @@ pub const MBEDTLS_SSL_TRUNC_HMAC_ENABLED: u32 = 1; pub const MBEDTLS_SSL_TRUNCATED_HMAC_LEN: u32 = 10; pub const MBEDTLS_SSL_SESSION_TICKETS_DISABLED: u32 = 0; pub const MBEDTLS_SSL_SESSION_TICKETS_ENABLED: u32 = 1; +pub const MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED: u32 = 0; +pub const MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED: u32 = 1; pub const MBEDTLS_SSL_PRESET_DEFAULT: u32 = 0; pub const MBEDTLS_SSL_PRESET_SUITEB: u32 = 2; pub const MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED: u32 = 1; @@ -854,6 +960,9 @@ pub const MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER: u32 = 0; pub const MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN: u32 = 48; pub const MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN: u32 = 1000; pub const MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX: u32 = 60000; +pub const MBEDTLS_SSL_EARLY_DATA_NO_DISCARD: u32 = 0; +pub const MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD: u32 = 1; +pub const MBEDTLS_SSL_EARLY_DATA_DISCARD: u32 = 2; pub const MBEDTLS_SSL_IN_CONTENT_LEN: u32 = 16384; pub const MBEDTLS_SSL_OUT_CONTENT_LEN: u32 = 16384; pub const MBEDTLS_SSL_DTLS_MAX_BUFFERING: u32 = 32768; @@ -988,18 +1097,6 @@ pub const MBEDTLS_SSL_UNEXPECTED_CID_IGNORE: u32 = 0; pub const MBEDTLS_SSL_UNEXPECTED_CID_FAIL: u32 = 1; pub const MBEDTLS_PRINTF_SIZET: &[u8; 3] = b"zu\0"; pub const MBEDTLS_PRINTF_LONGLONG: &[u8; 4] = b"lld\0"; -pub const MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: i32 = -60; -pub const MBEDTLS_ERR_ENTROPY_MAX_SOURCES: i32 = -62; -pub const MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: i32 = -64; -pub const MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: i32 = -61; -pub const MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR: i32 = -63; -pub const MBEDTLS_ENTROPY_MAX_SOURCES: u32 = 20; -pub const MBEDTLS_ENTROPY_MAX_GATHER: u32 = 128; -pub const MBEDTLS_ENTROPY_BLOCK_SIZE: u32 = 64; -pub const MBEDTLS_ENTROPY_MAX_SEED_SIZE: u32 = 1024; -pub const MBEDTLS_ENTROPY_SOURCE_MANUAL: u32 = 20; -pub const MBEDTLS_ENTROPY_SOURCE_STRONG: u32 = 1; -pub const MBEDTLS_ENTROPY_SOURCE_WEAK: u32 = 0; pub const MBEDTLS_ERR_HKDF_BAD_INPUT_DATA: i32 = -24448; pub const MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG: i32 = -3; pub const MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG: i32 = -5; @@ -1041,6 +1138,7 @@ pub const MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS: u32 = 4096; pub const MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY: u32 = 8192; pub const MBEDTLS_OID_X509_EXT_FRESHEST_CRL: u32 = 16384; pub const MBEDTLS_OID_X509_EXT_NS_CERT_TYPE: u32 = 65536; +pub const MBEDTLS_OID_MAX_COMPONENTS: u32 = 128; pub const MBEDTLS_OID_ISO_MEMBER_BODIES: &[u8; 2] = b"*\0"; pub const MBEDTLS_OID_ISO_IDENTIFIED_ORG: &[u8; 2] = b"+\0"; pub const MBEDTLS_OID_ISO_CCITT_DS: &[u8; 2] = b"U\0"; @@ -1055,6 +1153,8 @@ pub const MBEDTLS_OID_ORG_OIW: &[u8; 2] = b"\x0E\0"; pub const MBEDTLS_OID_OIW_SECSIG: &[u8; 3] = b"\x0E\x03\0"; pub const MBEDTLS_OID_OIW_SECSIG_ALG: &[u8; 4] = b"\x0E\x03\x02\0"; pub const MBEDTLS_OID_OIW_SECSIG_SHA1: &[u8; 5] = b"\x0E\x03\x02\x1A\0"; +pub const MBEDTLS_OID_ORG_THAWTE: &[u8; 2] = b"e\0"; +pub const MBEDTLS_OID_THAWTE: &[u8; 3] = b"+e\0"; pub const MBEDTLS_OID_ORG_CERTICOM: &[u8; 3] = b"\x81\x04\0"; pub const MBEDTLS_OID_CERTICOM: &[u8; 4] = b"+\x81\x04\0"; pub const MBEDTLS_OID_ORG_TELETRUST: &[u8; 2] = b"$\0"; @@ -1153,14 +1253,26 @@ pub const MBEDTLS_OID_DIGEST_ALG_SHA256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x pub const MBEDTLS_OID_DIGEST_ALG_SHA384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x02\0"; pub const MBEDTLS_OID_DIGEST_ALG_SHA512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x03\0"; pub const MBEDTLS_OID_DIGEST_ALG_RIPEMD160: &[u8; 6] = b"+$\x03\x02\x01\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_224: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x07\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x08\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\t\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\n\0"; pub const MBEDTLS_OID_HMAC_SHA1: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x07\0"; pub const MBEDTLS_OID_HMAC_SHA224: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x08\0"; pub const MBEDTLS_OID_HMAC_SHA256: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\t\0"; pub const MBEDTLS_OID_HMAC_SHA384: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\n\0"; pub const MBEDTLS_OID_HMAC_SHA512: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x0B\0"; +pub const MBEDTLS_OID_HMAC_SHA3_224: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\r\0"; +pub const MBEDTLS_OID_HMAC_SHA3_256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x0E\0"; +pub const MBEDTLS_OID_HMAC_SHA3_384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x0F\0"; +pub const MBEDTLS_OID_HMAC_SHA3_512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x10\0"; +pub const MBEDTLS_OID_HMAC_RIPEMD160: &[u8; 9] = b"+\x06\x01\x05\x05\x08\x01\x04\0"; pub const MBEDTLS_OID_DES_CBC: &[u8; 6] = b"+\x0E\x03\x02\x07\0"; pub const MBEDTLS_OID_DES_EDE3_CBC: &[u8; 9] = b"*\x86H\x86\xF7\r\x03\x07\0"; pub const MBEDTLS_OID_AES: &[u8; 9] = b"`\x86H\x01e\x03\x04\x01\0"; +pub const MBEDTLS_OID_AES_128_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x02\0"; +pub const MBEDTLS_OID_AES_192_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x16\0"; +pub const MBEDTLS_OID_AES_256_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01*\0"; pub const MBEDTLS_OID_AES128_KW: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x05\0"; pub const MBEDTLS_OID_AES128_KWP: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x08\0"; pub const MBEDTLS_OID_AES192_KW: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x19\0"; @@ -1213,6 +1325,10 @@ pub const MBEDTLS_OID_ECDSA_SHA224: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x01\0"; pub const MBEDTLS_OID_ECDSA_SHA256: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x02\0"; pub const MBEDTLS_OID_ECDSA_SHA384: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x03\0"; pub const MBEDTLS_OID_ECDSA_SHA512: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x04\0"; +pub const MBEDTLS_OID_X25519: &[u8; 4] = b"+en\0"; +pub const MBEDTLS_OID_X448: &[u8; 4] = b"+eo\0"; +pub const MBEDTLS_OID_ED25519: &[u8; 4] = b"+ep\0"; +pub const MBEDTLS_OID_ED448: &[u8; 4] = b"+eq\0"; pub const MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT: i32 = -4224; pub const MBEDTLS_ERR_PEM_INVALID_DATA: i32 = -4352; pub const MBEDTLS_ERR_PEM_ALLOC_FAILED: i32 = -4480; @@ -1226,8 +1342,6 @@ pub const MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA: i32 = -12160; pub const MBEDTLS_ERR_PKCS5_INVALID_FORMAT: i32 = -12032; pub const MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE: i32 = -11904; pub const MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH: i32 = -11776; -pub const MBEDTLS_PKCS5_DECRYPT: u32 = 0; -pub const MBEDTLS_PKCS5_ENCRYPT: u32 = 1; pub const MBEDTLS_ERR_PKCS7_INVALID_FORMAT: i32 = -21248; pub const MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE: i32 = -21376; pub const MBEDTLS_ERR_PKCS7_INVALID_VERSION: i32 = -21504; @@ -1248,8 +1362,6 @@ pub const MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH: i32 = -7680; pub const MBEDTLS_PKCS12_DERIVE_KEY: u32 = 1; pub const MBEDTLS_PKCS12_DERIVE_IV: u32 = 2; pub const MBEDTLS_PKCS12_DERIVE_MAC_KEY: u32 = 3; -pub const MBEDTLS_PKCS12_PBE_DECRYPT: u32 = 0; -pub const MBEDTLS_PKCS12_PBE_ENCRYPT: u32 = 1; pub const MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT: u32 = 86400; pub const MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES: u32 = 50; pub const MBEDTLS_SSL_COOKIE_TIMEOUT: u32 = 60; @@ -1375,6 +1487,59 @@ unsafe extern "C" { /// \param len Length of the buffer in bytes pub fn mbedtls_platform_zeroize(buf: *mut ::core::ffi::c_void, len: usize); } +/// \brief The type of custom random generator (RNG) callbacks. +/// +/// Many Mbed TLS functions take two parameters +/// `mbedtls_f_rng_t *f_rng, void *p_rng`. The +/// library will call \c f_rng to generate +/// random values. +/// +/// \note This is typically one of the following: +/// - mbedtls_ctr_drbg_random() with \c p_rng +/// pointing to a #mbedtls_ctr_drbg_context; +/// - mbedtls_hmac_drbg_random() with \c p_rng +/// pointing to a #mbedtls_hmac_drbg_context; +/// - mbedtls_psa_get_random() with +/// `prng = MBEDTLS_PSA_RANDOM_STATE`. +/// +/// \note Generally, given a call +/// `mbedtls_foo(f_rng, p_rng, ....)`, the RNG callback +/// and the context only need to remain valid until +/// the call to `mbedtls_foo` returns. However, there +/// are a few exceptions where the callback is stored +/// in for future use. Check the documentation of +/// the calling function. +/// +/// \warning In a multithreaded environment, calling the +/// function should be thread-safe. The standard +/// functions provided by the library are thread-safe +/// when #MBEDTLS_THREADING_C is enabled. +/// +/// \warning This function must either provide as many +/// bytes as requested of **cryptographic quality** +/// random data, or return a negative error code. +/// +/// \param p_rng The \c p_rng argument that was passed along \c f_rng. +/// The library always passes \c p_rng unchanged. +/// This is typically a pointer to the random generator +/// state, or \c NULL if the custom random generator +/// doesn't need a context-specific state. +/// \param[out] output On success, this must be filled with \p output_size +/// bytes of cryptographic-quality random data. +/// \param output_size The number of bytes to output. +/// +/// \return \c 0 on success, or a negative error code on failure. +/// Library functions will generally propagate this +/// error code, so \c MBEDTLS_ERR_xxx values are +/// recommended. #MBEDTLS_ERR_ENTROPY_SOURCE_FAILED is +/// typically sensible for RNG failures. +pub type mbedtls_f_rng_t = ::core::option::Option< + unsafe extern "C" fn( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + ) -> ::core::ffi::c_int, +>; /// \brief The AES context-type definition. #[repr(C)] #[derive(Copy, Clone)] @@ -1933,6 +2098,10 @@ pub type mbedtls_t_udbl = u64; #[repr(C)] #[derive(Copy, Clone)] pub struct mbedtls_mpi { + /// Pointer to limbs. + /// + /// This may be \c NULL if \c n is 0. + pub private_p: *mut mbedtls_mpi_uint, /// Sign: -1 if the mpi is negative, 1 otherwise. /// /// The number 0 must be represented with `s = +1`. Although many library @@ -1943,13 +2112,9 @@ pub struct mbedtls_mpi { /// /// Note that this implies that calloc() or `... = {0}` does not create /// a valid MPI representation. You must call mbedtls_mpi_init(). - pub private_s: ::core::ffi::c_int, + pub private_s: ::core::ffi::c_short, /// Total number of limbs in \c p. - pub private_n: usize, - /// Pointer to limbs. - /// - /// This may be \c NULL if \c n is 0. - pub private_p: *mut mbedtls_mpi_uint, + pub private_n: ::core::ffi::c_ushort, } impl Default for mbedtls_mpi { fn default() -> Self { @@ -2224,7 +2389,7 @@ unsafe extern "C" { /// \param X The destination MPI. This must point to an initialized MPI. /// \param buf The input buffer. This must be a readable buffer of length /// \p buflen Bytes. - /// \param buflen The length of the input buffer \p p in Bytes. + /// \param buflen The length of the input buffer \p buf in Bytes. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. @@ -2241,7 +2406,7 @@ unsafe extern "C" { /// \param X The destination MPI. This must point to an initialized MPI. /// \param buf The input buffer. This must be a readable buffer of length /// \p buflen Bytes. - /// \param buflen The length of the input buffer \p p in Bytes. + /// \param buflen The length of the input buffer \p buf in Bytes. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. @@ -2296,6 +2461,8 @@ unsafe extern "C" { /// \brief Perform a left-shift on an MPI: X <<= count /// /// \param X The MPI to shift. This must point to an initialized MPI. + /// The MPI pointed by \p X may be resized to fit + /// the resulting number. /// \param count The number of bits to shift by. /// /// \return \c 0 if successful. @@ -2588,7 +2755,7 @@ unsafe extern "C" { ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Perform a sliding-window exponentiation: X = A^E mod N + /// \brief Perform a modular exponentiation: X = A^E mod N /// /// \param X The destination MPI. This must point to an initialized MPI. /// This must not alias E or N. @@ -2639,13 +2806,7 @@ unsafe extern "C" { pub fn mbedtls_mpi_fill_random( X: *mut mbedtls_mpi, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2685,13 +2846,7 @@ unsafe extern "C" { X: *mut mbedtls_mpi, min: mbedtls_mpi_sint, N: *const mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2699,6 +2854,7 @@ unsafe extern "C" { /// \brief Compute the greatest common divisor: G = gcd(A, B) /// /// \param G The destination MPI. This must point to an initialized MPI. + /// This will always be positive or 0. /// \param A The first operand. This must point to an initialized MPI. /// \param B The second operand. This must point to an initialized MPI. /// @@ -2715,17 +2871,19 @@ unsafe extern "C" { /// \brief Compute the modular inverse: X = A^-1 mod N /// /// \param X The destination MPI. This must point to an initialized MPI. + /// The value returned on success will be between [1, N-1]. /// \param A The MPI to calculate the modular inverse of. This must point - /// to an initialized MPI. + /// to an initialized MPI. This value can be negative, in which + /// case a positive answer will still be returned in \p X. /// \param N The base of the modular inversion. This must point to an - /// initialized MPI. + /// initialized MPI and be greater than one. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. /// \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than /// or equal to one. - /// \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p has no modular inverse - /// with respect to \p N. + /// \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p A has no modular + /// inverse with respect to \p N. pub fn mbedtls_mpi_inv_mod( X: *mut mbedtls_mpi, A: *const mbedtls_mpi, @@ -2748,7 +2906,7 @@ unsafe extern "C" { /// This must point to an initialized MPI. /// \param rounds The number of bases to perform the Miller-Rabin primality /// test for. The probability of returning 0 on a composite is - /// at most 2-2*\p rounds. + /// at most 2-2*\p rounds . /// \param f_rng The RNG function to use. This must not be \c NULL. /// \param p_rng The RNG parameter to be passed to \p f_rng. /// This may be \c NULL if \p f_rng doesn't use @@ -2761,13 +2919,7 @@ unsafe extern "C" { pub fn mbedtls_mpi_is_prime_ext( X: *const mbedtls_mpi, rounds: ::core::ffi::c_int, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2804,13 +2956,7 @@ unsafe extern "C" { X: *mut mbedtls_mpi, nbits: usize, flags: ::core::ffi::c_int, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -3187,7 +3333,7 @@ unsafe extern "C" { /// on a successful invocation. /// \param end The end of the ASN.1 SEQUENCE container. /// \param tag_must_mask A mask to be applied to the ASN.1 tags found within - /// the SEQUENCE before comparing to \p tag_must_value. + /// the SEQUENCE before comparing to \p tag_must_val. /// \param tag_must_val The required value of each ASN.1 tag found in the /// SEQUENCE, after masking with \p tag_must_mask. /// Mismatching tags lead to an error. @@ -3196,7 +3342,7 @@ unsafe extern "C" { /// while a value of \c 0xFF for \p tag_must_mask means /// that \p tag_must_val is the only allowed tag. /// \param tag_may_mask A mask to be applied to the ASN.1 tags found within - /// the SEQUENCE before comparing to \p tag_may_value. + /// the SEQUENCE before comparing to \p tag_may_val. /// \param tag_may_val The desired value of each ASN.1 tag found in the /// SEQUENCE, after masking with \p tag_may_mask. /// Mismatching tags will be silently ignored. @@ -3489,6 +3635,30 @@ unsafe extern "C" { par_len: usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Write an AlgorithmIdentifier sequence in ASN.1 format. + /// + /// \note This function works backwards in data buffer. + /// + /// \param p The reference to the current position pointer. + /// \param start The start of the buffer, for bounds-checking. + /// \param oid The OID of the algorithm to write. + /// \param oid_len The length of the algorithm's OID. + /// \param par_len The length of the parameters, which must be already written. + /// \param has_par If there are any parameters. If 0, par_len must be 0. If 1 + /// and \p par_len is 0, NULL parameters are added. + /// + /// \return The number of bytes written to \p p on success. + /// \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_asn1_write_algorithm_identifier_ext( + p: *mut *mut ::core::ffi::c_uchar, + start: *const ::core::ffi::c_uchar, + oid: *const ::core::ffi::c_char, + oid_len: usize, + par_len: usize, + has_par: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value /// in ASN.1 format. @@ -3991,32 +4161,17 @@ pub struct mbedtls_cipher_base_t { /// mbedtls_cipher_info_from_type(), /// mbedtls_cipher_info_from_values(), /// mbedtls_cipher_info_from_psa(). +/// +/// \note Some fields store a value that has been right-shifted to save +/// code-size, so should not be used directly. The accessor +/// functions adjust for this and return the "natural" value. #[repr(C)] #[derive(Copy, Clone)] pub struct mbedtls_cipher_info_t { - /// Full cipher identifier. For example, - /// MBEDTLS_CIPHER_AES_256_CBC. - pub private_type: mbedtls_cipher_type_t, - /// The cipher mode. For example, MBEDTLS_MODE_CBC. - pub private_mode: mbedtls_cipher_mode_t, - /// The cipher key length, in bits. This is the - /// default length for variable sized ciphers. - /// Includes parity bits for ciphers like DES. - pub private_key_bitlen: ::core::ffi::c_uint, /// Name of the cipher. pub private_name: *const ::core::ffi::c_char, - /// IV or nonce size, in Bytes. - /// For ciphers that accept variable IV sizes, - /// this is the recommended size. - pub private_iv_size: ::core::ffi::c_uint, - /// Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and - /// MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the - /// cipher supports variable IV or variable key sizes, respectively. - pub private_flags: ::core::ffi::c_int, - /// The block size, in Bytes. - pub private_block_size: ::core::ffi::c_uint, - /// Struct for base cipher information and functions. - pub private_base: *const mbedtls_cipher_base_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 4usize]>, } impl Default for mbedtls_cipher_info_t { fn default() -> Self { @@ -4027,46 +4182,321 @@ impl Default for mbedtls_cipher_info_t { } } } -/// Generic cipher context. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_cipher_context_t { - /// Information about the associated cipher. - pub private_cipher_info: *const mbedtls_cipher_info_t, - /// Key length to use. - pub private_key_bitlen: ::core::ffi::c_int, - /// Operation that the key of the context has been - /// initialized for. - pub private_operation: mbedtls_operation_t, - /// Padding functions to use, if relevant for - /// the specific cipher mode. - pub private_add_padding: ::core::option::Option< - unsafe extern "C" fn(output: *mut ::core::ffi::c_uchar, olen: usize, data_len: usize), - >, - pub private_get_padding: ::core::option::Option< - unsafe extern "C" fn( - input: *mut ::core::ffi::c_uchar, - ilen: usize, - data_len: *mut usize, - ) -> ::core::ffi::c_int, - >, - /// Buffer for input that has not been processed yet. - pub private_unprocessed_data: [::core::ffi::c_uchar; 16usize], - /// Number of Bytes that have not been processed yet. - pub private_unprocessed_len: usize, - /// Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number - /// for XTS-mode. - pub private_iv: [::core::ffi::c_uchar; 16usize], - /// IV size in Bytes, for ciphers with variable-length IVs. - pub private_iv_size: usize, - /// The cipher-specific context. - pub private_cipher_ctx: *mut ::core::ffi::c_void, - /// CMAC-specific context. - pub private_cmac_ctx: *mut mbedtls_cmac_context_t, -} -impl Default for mbedtls_cipher_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); +impl mbedtls_cipher_info_t { + #[inline] + pub fn private_block_size(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 5u8) as u32) } + } + #[inline] + pub fn set_private_block_size(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 5u8, val as u64) + } + } + #[inline] + pub unsafe fn private_block_size_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 5u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_block_size_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 5u8, + val as u64, + ) + } + } + #[inline] + pub fn private_iv_size(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(5usize, 3u8) as u32) } + } + #[inline] + pub fn set_private_iv_size(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(5usize, 3u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_size_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 5usize, + 3u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_size_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 5usize, + 3u8, + val as u64, + ) + } + } + #[inline] + pub fn private_key_bitlen(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(8usize, 4u8) as u32) } + } + #[inline] + pub fn set_private_key_bitlen(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(8usize, 4u8, val as u64) + } + } + #[inline] + pub unsafe fn private_key_bitlen_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 8usize, + 4u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_key_bitlen_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 8usize, + 4u8, + val as u64, + ) + } + } + #[inline] + pub fn private_mode(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(12usize, 4u8) as u32) } + } + #[inline] + pub fn set_private_mode(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(12usize, 4u8, val as u64) + } + } + #[inline] + pub unsafe fn private_mode_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 12usize, + 4u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_mode_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 12usize, + 4u8, + val as u64, + ) + } + } + #[inline] + pub fn private_type(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(16usize, 8u8) as u32) } + } + #[inline] + pub fn set_private_type(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(16usize, 8u8, val as u64) + } + } + #[inline] + pub unsafe fn private_type_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 16usize, + 8u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_type_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 16usize, + 8u8, + val as u64, + ) + } + } + #[inline] + pub fn private_flags(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(24usize, 2u8) as u32) } + } + #[inline] + pub fn set_private_flags(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(24usize, 2u8, val as u64) + } + } + #[inline] + pub unsafe fn private_flags_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 24usize, + 2u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_flags_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 24usize, + 2u8, + val as u64, + ) + } + } + #[inline] + pub fn private_base_idx(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(26usize, 5u8) as u32) } + } + #[inline] + pub fn set_private_base_idx(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(26usize, 5u8, val as u64) + } + } + #[inline] + pub unsafe fn private_base_idx_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 26usize, + 5u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_base_idx_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 26usize, + 5u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_block_size: ::core::ffi::c_uint, + private_iv_size: ::core::ffi::c_uint, + private_key_bitlen: ::core::ffi::c_uint, + private_mode: ::core::ffi::c_uint, + private_type: ::core::ffi::c_uint, + private_flags: ::core::ffi::c_uint, + private_base_idx: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 4usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 4usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 5u8, { + let private_block_size: u32 = unsafe { ::core::mem::transmute(private_block_size) }; + private_block_size as u64 + }); + __bindgen_bitfield_unit.set(5usize, 3u8, { + let private_iv_size: u32 = unsafe { ::core::mem::transmute(private_iv_size) }; + private_iv_size as u64 + }); + __bindgen_bitfield_unit.set(8usize, 4u8, { + let private_key_bitlen: u32 = unsafe { ::core::mem::transmute(private_key_bitlen) }; + private_key_bitlen as u64 + }); + __bindgen_bitfield_unit.set(12usize, 4u8, { + let private_mode: u32 = unsafe { ::core::mem::transmute(private_mode) }; + private_mode as u64 + }); + __bindgen_bitfield_unit.set(16usize, 8u8, { + let private_type: u32 = unsafe { ::core::mem::transmute(private_type) }; + private_type as u64 + }); + __bindgen_bitfield_unit.set(24usize, 2u8, { + let private_flags: u32 = unsafe { ::core::mem::transmute(private_flags) }; + private_flags as u64 + }); + __bindgen_bitfield_unit.set(26usize, 5u8, { + let private_base_idx: u32 = unsafe { ::core::mem::transmute(private_base_idx) }; + private_base_idx as u64 + }); + __bindgen_bitfield_unit + } +} +/// Generic cipher context. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_cipher_context_t { + /// Information about the associated cipher. + pub private_cipher_info: *const mbedtls_cipher_info_t, + /// Key length to use. + pub private_key_bitlen: ::core::ffi::c_int, + /// Operation that the key of the context has been + /// initialized for. + pub private_operation: mbedtls_operation_t, + /// Padding functions to use, if relevant for + /// the specific cipher mode. + pub private_add_padding: ::core::option::Option< + unsafe extern "C" fn(output: *mut ::core::ffi::c_uchar, olen: usize, data_len: usize), + >, + pub private_get_padding: ::core::option::Option< + unsafe extern "C" fn( + input: *mut ::core::ffi::c_uchar, + ilen: usize, + data_len: *mut usize, + invalid_padding: *mut usize, + ) -> ::core::ffi::c_int, + >, + /// Buffer for input that has not been processed yet. + pub private_unprocessed_data: [::core::ffi::c_uchar; 16usize], + /// Number of Bytes that have not been processed yet. + pub private_unprocessed_len: usize, + /// Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number + /// for XTS-mode. + pub private_iv: [::core::ffi::c_uchar; 16usize], + /// IV size in Bytes, for ciphers with variable-length IVs. + pub private_iv_size: usize, + /// The cipher-specific context. + pub private_cipher_ctx: *mut ::core::ffi::c_void, + /// CMAC-specific context. + pub private_cmac_ctx: *mut mbedtls_cmac_context_t, +} +impl Default for mbedtls_cipher_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); s.assume_init() @@ -4134,7 +4564,7 @@ unsafe extern "C" { ) -> *const mbedtls_cipher_info_t; } unsafe extern "C" { - /// \brief This function initializes a \p cipher_context as NONE. + /// \brief This function initializes a \p ctx as NONE. /// /// \param ctx The context to be initialized. This must not be \c NULL. pub fn mbedtls_cipher_init(ctx: *mut mbedtls_cipher_context_t); @@ -4205,7 +4635,6 @@ unsafe extern "C" { /// \brief This function sets the padding mode, for cipher modes /// that use padding. /// - /// The default passing mode is PKCS7 padding. /// /// \param ctx The generic cipher context. This must be initialized and /// bound to a cipher information structure. @@ -4255,23 +4684,24 @@ unsafe extern "C" { /// /// \note With non-AEAD ciphers, the order of calls for each message /// is as follows: - /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce. - /// 2. mbedtls_cipher_reset() - /// 3. mbedtls_cipher_update() one or more times - /// 4. mbedtls_cipher_finish() + /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce; + /// 2. mbedtls_cipher_reset(); + /// 3. mbedtls_cipher_update() zero, one or more times; + /// 4. mbedtls_cipher_finish_padded() (recommended for decryption + /// if the mode uses padding) or mbedtls_cipher_finish(). /// . /// This sequence can be repeated to encrypt or decrypt multiple /// messages with the same key. /// /// \note With AEAD ciphers, the order of calls for each message /// is as follows: - /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce. - /// 2. mbedtls_cipher_reset() - /// 3. mbedtls_cipher_update_ad() - /// 4. mbedtls_cipher_update() one or more times - /// 5. mbedtls_cipher_finish() + /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce; + /// 2. mbedtls_cipher_reset(); + /// 3. mbedtls_cipher_update_ad(); + /// 4. mbedtls_cipher_update() zero, one or more times; + /// 5. mbedtls_cipher_finish() (or mbedtls_cipher_finish_padded()); /// 6. mbedtls_cipher_check_tag() (for decryption) or - /// mbedtls_cipher_write_tag() (for encryption). + /// mbedtls_cipher_write_tag() (for encryption). /// . /// This sequence can be repeated to encrypt or decrypt multiple /// messages with the same key. @@ -4306,7 +4736,8 @@ unsafe extern "C" { /// many block-sized blocks of data as possible to output. /// Any data that cannot be written immediately is either /// added to the next block, or flushed when - /// mbedtls_cipher_finish() is called. + /// mbedtls_cipher_finish() or mbedtls_cipher_finish_padded() + /// is called. /// Exception: For MBEDTLS_MODE_ECB, expects a single block /// in size. For example, 16 Bytes for AES. /// @@ -4342,12 +4773,30 @@ unsafe extern "C" { /// contained in it is padded to the size of /// the last block, and written to the \p output buffer. /// + /// \warning This function reports invalid padding through an error + /// code. Adversaries may be able to decrypt encrypted + /// data if they can submit chosen ciphertexts and + /// detect whether it has valid padding or not, + /// either through direct observation or through a side + /// channel such as timing. This is known as a + /// padding oracle attack. + /// Therefore applications that call this function for + /// decryption with a cipher that involves padding + /// should take care around error handling. Preferably, + /// such applications should use + /// mbedtls_cipher_finish_padded() instead of this function. + /// /// \param ctx The generic cipher context. This must be initialized and /// bound to a key. /// \param output The buffer to write data to. This needs to be a writable - /// buffer of at least \p block_size Bytes. + /// buffer of at least block_size Bytes. /// \param olen The length of the data written to the \p output buffer. /// This may not be \c NULL. + /// Note that when decrypting in a mode with padding, + /// the actual output length is sensitive and may be + /// used to mount a padding oracle attack (see warning + /// above), although less efficiently than through + /// the invalid-padding condition. /// /// \return \c 0 on success. /// \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on @@ -4355,7 +4804,8 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption /// expecting a full block but not receiving one. /// \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding - /// while decrypting. + /// while decrypting. Note that invalid-padding errors + /// should be handled carefully; see the warning above. /// \return A cipher-specific error code on failure. pub fn mbedtls_cipher_finish( ctx: *mut mbedtls_cipher_context_t, @@ -4363,10 +4813,60 @@ unsafe extern "C" { olen: *mut usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief The generic cipher finalization function. If data still + /// needs to be flushed from an incomplete block, the data + /// contained in it is padded to the size of + /// the last block, and written to the \p output buffer. + /// + /// \note This function is similar to mbedtls_cipher_finish(). + /// The only difference is that it reports invalid padding + /// decryption differently, through the \p invalid_padding + /// parameter rather than an error code. + /// For encryption, and in modes without padding (including + /// all authenticated modes), this function is identical + /// to mbedtls_cipher_finish(). + /// + /// \param[in,out] ctx The generic cipher context. This must be initialized and + /// bound to a key. + /// \param[out] output The buffer to write data to. This needs to be a writable + /// buffer of at least block_size Bytes. + /// \param[out] olen The length of the data written to the \p output buffer. + /// This may not be \c NULL. + /// Note that when decrypting in a mode with padding, + /// the actual output length is sensitive and may be + /// used to mount a padding oracle attack (see warning + /// on mbedtls_cipher_finish()). + /// \param[out] invalid_padding + /// If this function returns \c 0 on decryption, + /// \p *invalid_padding is \c 0 if the ciphertext was + /// valid, and all-bits-one if the ciphertext had invalid + /// padding. + /// On encryption, or in a mode without padding (including + /// all authenticated modes), \p *invalid_padding is \c 0 + /// on success. + /// The value in \p *invalid_padding is unspecified if + /// this function returns a nonzero status. + /// + /// \return \c 0 on success. + /// Also \c 0 for decryption with invalid padding. + /// \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on + /// parameter-verification failure. + /// \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption + /// expecting a full block but not receiving one. + /// \return A cipher-specific error code on failure. + pub fn mbedtls_cipher_finish_padded( + ctx: *mut mbedtls_cipher_context_t, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + invalid_padding: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief This function writes a tag for AEAD ciphers. /// Currently supported with GCM and ChaCha20+Poly1305. - /// This must be called after mbedtls_cipher_finish(). + /// This must be called after mbedtls_cipher_finish() + /// or mbedtls_cipher_finish_padded(). /// /// \param ctx The generic cipher context. This must be initialized, /// bound to a key, and have just completed a cipher @@ -4387,7 +4887,8 @@ unsafe extern "C" { unsafe extern "C" { /// \brief This function checks the tag for AEAD ciphers. /// Currently supported with GCM and ChaCha20+Poly1305. - /// This must be called after mbedtls_cipher_finish(). + /// This must be called after mbedtls_cipher_finish() + /// or mbedtls_cipher_finish_padded(). /// /// \param ctx The generic cipher context. This must be initialized. /// \param tag The buffer holding the tag. This must be a readable @@ -4572,8 +5073,6 @@ pub struct mbedtls_ccm_context { pub private_y: [::core::ffi::c_uchar; 16usize], ///< The counter buffer pub private_ctr: [::core::ffi::c_uchar; 16usize], - ///< The cipher context used. - pub private_cipher_ctx: mbedtls_cipher_context_t, ///< Total plaintext length pub private_plaintext_len: usize, ///< Total authentication data length @@ -4588,16 +5087,17 @@ pub struct mbedtls_ccm_context { ///auth data input is finished. pub private_processed: usize, ///< The Q working value - pub private_q: ::core::ffi::c_uchar, + pub private_q: ::core::ffi::c_uint, ///< The operation to perform: ///#MBEDTLS_CCM_ENCRYPT or ///#MBEDTLS_CCM_DECRYPT or ///#MBEDTLS_CCM_STAR_ENCRYPT or ///#MBEDTLS_CCM_STAR_DECRYPT. - pub private_mode: ::core::ffi::c_uchar, + pub private_mode: ::core::ffi::c_uint, + ///< The cipher context used. + pub private_cipher_ctx: mbedtls_cipher_context_t, ///< Working value holding context's - ///state. Used for chunked data - ///input + ///state. Used for chunked data input pub private_state: ::core::ffi::c_int, } impl Default for mbedtls_ccm_context { @@ -5840,47 +6340,59 @@ unsafe extern "C" { /// \return \c 1 on failure. pub fn mbedtls_cmac_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -/// \brief The CTR_DRBG context structure. +///< None. +pub const mbedtls_md_type_t_MBEDTLS_MD_NONE: mbedtls_md_type_t = 0; +///< The MD5 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_MD5: mbedtls_md_type_t = 3; +///< The RIPEMD-160 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_RIPEMD160: mbedtls_md_type_t = 4; +///< The SHA-1 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA1: mbedtls_md_type_t = 5; +///< The SHA-224 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA224: mbedtls_md_type_t = 8; +///< The SHA-256 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA256: mbedtls_md_type_t = 9; +///< The SHA-384 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA384: mbedtls_md_type_t = 10; +///< The SHA-512 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA512: mbedtls_md_type_t = 11; +///< The SHA3-224 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_224: mbedtls_md_type_t = 16; +///< The SHA3-256 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_256: mbedtls_md_type_t = 17; +///< The SHA3-384 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_384: mbedtls_md_type_t = 18; +///< The SHA3-512 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_512: mbedtls_md_type_t = 19; +/// \brief Supported message digests. +/// +/// \warning MD5 and SHA-1 are considered weak message digests and +/// their use constitutes a security risk. We recommend considering +/// stronger message digests instead. +pub type mbedtls_md_type_t = ::core::ffi::c_uint; #[repr(C)] #[derive(Copy, Clone)] -pub struct mbedtls_ctr_drbg_context { - ///< The counter (V). - pub private_counter: [::core::ffi::c_uchar; 16usize], - ///< The reseed counter. - /// This is the number of requests that have - /// been made since the last (re)seeding, - /// minus one. - /// Before the initial seeding, this field - /// contains the amount of entropy in bytes - /// to use as a nonce for the initial seeding, - /// or -1 if no nonce length has been explicitly - /// set (see mbedtls_ctr_drbg_set_nonce_len()). - pub private_reseed_counter: ::core::ffi::c_int, - ///< This determines whether prediction - ///resistance is enabled, that is - ///whether to systematically reseed before - ///each random generation. - pub private_prediction_resistance: ::core::ffi::c_int, - ///< The amount of entropy grabbed on each - ///seed or reseed operation, in bytes. - pub private_entropy_len: usize, - ///< The reseed interval. - /// This is the maximum number of requests - /// that can be made between reseedings. - pub private_reseed_interval: ::core::ffi::c_int, - ///< The AES context. - pub private_aes_ctx: mbedtls_aes_context, - pub private_f_entropy: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - ///< The context for the entropy function. - pub private_p_entropy: *mut ::core::ffi::c_void, +pub struct mbedtls_md_info_t { + _unused: [u8; 0], } -impl Default for mbedtls_ctr_drbg_context { +pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_LEGACY: mbedtls_md_engine_t = 0; +pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_PSA: mbedtls_md_engine_t = 1; +/// Used internally to indicate whether a context uses legacy or PSA. +/// +/// Internal use only. +pub type mbedtls_md_engine_t = ::core::ffi::c_uint; +/// The generic message-digest context. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_md_context_t { + /// Information about the associated message digest. + pub private_md_info: *const mbedtls_md_info_t, + /// The digest-specific context (legacy) or the PSA operation. + pub private_md_ctx: *mut ::core::ffi::c_void, + /// The HMAC part of the context. + pub private_hmac_ctx: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_md_context_t { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -5890,4389 +6402,3745 @@ impl Default for mbedtls_ctr_drbg_context { } } unsafe extern "C" { - /// \brief This function initializes the CTR_DRBG context, - /// and prepares it for mbedtls_ctr_drbg_seed() - /// or mbedtls_ctr_drbg_free(). + /// \brief This function returns the message-digest information + /// associated with the given digest type. /// - /// \note The reseed interval is - /// #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default. - /// You can override it by calling - /// mbedtls_ctr_drbg_set_reseed_interval(). + /// \param md_type The type of digest to search for. /// - /// \param ctx The CTR_DRBG context to initialize. - pub fn mbedtls_ctr_drbg_init(ctx: *mut mbedtls_ctr_drbg_context); + /// \return The message-digest information associated with \p md_type. + /// \return NULL if the associated message-digest information is not found. + pub fn mbedtls_md_info_from_type(md_type: mbedtls_md_type_t) -> *const mbedtls_md_info_t; } unsafe extern "C" { - /// - The \p custom string. - /// - /// \note To achieve the nominal security strength permitted - /// by CTR_DRBG, the entropy length must be: - /// - at least 16 bytes for a 128-bit strength - /// (maximum achievable strength when using AES-128); - /// - at least 32 bytes for a 256-bit strength - /// (maximum achievable strength when using AES-256). - /// - /// In addition, if you do not pass a nonce in \p custom, - /// the sum of the entropy length - /// and the entropy nonce length must be: - /// - at least 24 bytes for a 128-bit strength - /// (maximum achievable strength when using AES-128); - /// - at least 48 bytes for a 256-bit strength - /// (maximum achievable strength when using AES-256). - /// - /// \param ctx The CTR_DRBG context to seed. - /// It must have been initialized with - /// mbedtls_ctr_drbg_init(). - /// After a successful call to mbedtls_ctr_drbg_seed(), - /// you may not call mbedtls_ctr_drbg_seed() again on - /// the same context unless you call - /// mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init() - /// again first. - /// After a failed call to mbedtls_ctr_drbg_seed(), - /// you must call mbedtls_ctr_drbg_free(). - /// \param f_entropy The entropy callback, taking as arguments the - /// \p p_entropy context, the buffer to fill, and the - /// length of the buffer. - /// \p f_entropy is always called with a buffer size - /// less than or equal to the entropy length. - /// \param p_entropy The entropy context to pass to \p f_entropy. - /// \param custom The personalization string. - /// This can be \c NULL, in which case the personalization - /// string is empty regardless of the value of \p len. - /// \param len The length of the personalization string. - /// This must be at most - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// - #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// \brief This function initializes a message-digest context without + /// binding it to a particular message-digest algorithm. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. - pub fn mbedtls_ctr_drbg_seed( - ctx: *mut mbedtls_ctr_drbg_context, - f_entropy: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_entropy: *mut ::core::ffi::c_void, - custom: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// This function should always be called first. It prepares the + /// context for mbedtls_md_setup() for binding it to a + /// message-digest algorithm. + pub fn mbedtls_md_init(ctx: *mut mbedtls_md_context_t); } unsafe extern "C" { - /// \brief This function resets CTR_DRBG context to the state immediately - /// after initial call of mbedtls_ctr_drbg_init(). + /// \brief This function clears the internal structure of \p ctx and + /// frees any embedded internal structure, but does not free + /// \p ctx itself. /// - /// \param ctx The CTR_DRBG context to clear. - pub fn mbedtls_ctr_drbg_free(ctx: *mut mbedtls_ctr_drbg_context); + /// If you have called mbedtls_md_setup() on \p ctx, you must + /// call mbedtls_md_free() when you are no longer using the + /// context. + /// Calling this function if you have previously + /// called mbedtls_md_init() and nothing else is optional. + /// You must not call this function if you have not called + /// mbedtls_md_init(). + pub fn mbedtls_md_free(ctx: *mut mbedtls_md_context_t); } unsafe extern "C" { - /// \brief This function turns prediction resistance on or off. - /// The default value is off. + /// \brief This function selects the message digest algorithm to use, + /// and allocates internal structures. /// - /// \note If enabled, entropy is gathered at the beginning of - /// every call to mbedtls_ctr_drbg_random_with_add() - /// or mbedtls_ctr_drbg_random(). - /// Only use this if your entropy source has sufficient - /// throughput. + /// It should be called after mbedtls_md_init() or + /// mbedtls_md_free(). Makes it necessary to call + /// mbedtls_md_free() later. /// - /// \param ctx The CTR_DRBG context. - /// \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF. - pub fn mbedtls_ctr_drbg_set_prediction_resistance( - ctx: *mut mbedtls_ctr_drbg_context, - resistance: ::core::ffi::c_int, - ); + /// \param ctx The context to set up. + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory), + /// or non-zero: HMAC is used with this context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + /// \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure. + pub fn mbedtls_md_setup( + ctx: *mut mbedtls_md_context_t, + md_info: *const mbedtls_md_info_t, + hmac: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the amount of entropy grabbed on each - /// seed or reseed. - /// - /// The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// \brief This function clones the state of a message-digest + /// context. /// - /// \note The security strength of CTR_DRBG is bounded by the - /// entropy length. Thus: - /// - When using AES-256 - /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled, - /// which is the default), - /// \p len must be at least 32 (in bytes) - /// to achieve a 256-bit strength. - /// - When using AES-128 - /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) - /// \p len must be at least 16 (in bytes) - /// to achieve a 128-bit strength. + /// \note You must call mbedtls_md_setup() on \c dst before calling + /// this function. /// - /// \param ctx The CTR_DRBG context. - /// \param len The amount of entropy to grab, in bytes. - /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// and at most the maximum length accepted by the - /// entropy function that is set in the context. - pub fn mbedtls_ctr_drbg_set_entropy_len(ctx: *mut mbedtls_ctr_drbg_context, len: usize); -} -unsafe extern "C" { - /// \brief This function sets the amount of entropy grabbed - /// as a nonce for the initial seeding. + /// \note The two contexts must have the same type, + /// for example, both are SHA-256. /// - /// Call this function before calling mbedtls_ctr_drbg_seed() to read - /// a nonce from the entropy source during the initial seeding. + /// \warning This function clones the message-digest state, not the + /// HMAC state. /// - /// \param ctx The CTR_DRBG context. - /// \param len The amount of entropy to grab for the nonce, in bytes. - /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// and at most the maximum length accepted by the - /// entropy function that is set in the context. + /// \param dst The destination context. + /// \param src The context to be cloned. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is - /// more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED - /// if the initial seeding has already taken place. - pub fn mbedtls_ctr_drbg_set_nonce_len( - ctx: *mut mbedtls_ctr_drbg_context, - len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure. + /// \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are + /// not using the same engine. This can be avoided by moving + /// the call to psa_crypto_init() before the first call to + /// mbedtls_md_setup(). + pub fn mbedtls_md_clone( + dst: *mut mbedtls_md_context_t, + src: *const mbedtls_md_context_t, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the reseed interval. - /// - /// The reseed interval is the number of calls to mbedtls_ctr_drbg_random() - /// or mbedtls_ctr_drbg_random_with_add() after which the entropy function - /// is called again. + /// \brief This function extracts the message-digest size from the + /// message-digest information structure. /// - /// The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL. + /// \param md_info The information structure of the message-digest algorithm + /// to use. /// - /// \param ctx The CTR_DRBG context. - /// \param interval The reseed interval. - pub fn mbedtls_ctr_drbg_set_reseed_interval( - ctx: *mut mbedtls_ctr_drbg_context, - interval: ::core::ffi::c_int, - ); + /// \return The size of the message-digest output in Bytes. + pub fn mbedtls_md_get_size(md_info: *const mbedtls_md_info_t) -> ::core::ffi::c_uchar; } unsafe extern "C" { - /// \brief This function reseeds the CTR_DRBG context, that is - /// extracts data from the entropy source. + /// \brief This function extracts the message-digest type from the + /// message-digest information structure. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// \param md_info The information structure of the message-digest algorithm + /// to use. /// - /// \param ctx The CTR_DRBG context. - /// \param additional Additional data to add to the state. Can be \c NULL. - /// \param len The length of the additional data. - /// This must be less than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len - /// where \c entropy_len is the entropy length - /// configured for the context. + /// \return The type of the message digest. + pub fn mbedtls_md_get_type(md_info: *const mbedtls_md_info_t) -> mbedtls_md_type_t; +} +unsafe extern "C" { + /// \brief This function starts a message-digest computation. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. - pub fn mbedtls_ctr_drbg_reseed( - ctx: *mut mbedtls_ctr_drbg_context, - additional: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// You must call this function after setting up the context + /// with mbedtls_md_setup(), and before passing data with + /// mbedtls_md_update(). + /// + /// \param ctx The generic message-digest context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_starts(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function updates the state of the CTR_DRBG context. + /// \brief This function feeds an input buffer into an ongoing + /// message-digest computation. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// You must call mbedtls_md_starts() before calling this + /// function. You may call this function multiple times. + /// Afterwards, call mbedtls_md_finish(). /// - /// \param ctx The CTR_DRBG context. - /// \param additional The data to update the state with. This must not be - /// \c NULL unless \p add_len is \c 0. - /// \param add_len Length of \p additional in bytes. This must be at - /// most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \param ctx The generic message-digest context. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if - /// \p add_len is more than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. - /// \return An error from the underlying AES cipher on failure. - pub fn mbedtls_ctr_drbg_update( - ctx: *mut mbedtls_ctr_drbg_context, - additional: *const ::core::ffi::c_uchar, - add_len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_update( + ctx: *mut mbedtls_md_context_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function updates a CTR_DRBG instance with additional - /// data and uses it to generate random data. - /// - /// This function automatically reseeds if the reseed counter is exceeded - /// or prediction resistance is enabled. + /// \brief This function finishes the digest operation, + /// and writes the result to the output buffer. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// Call this function after a call to mbedtls_md_starts(), + /// followed by any number of calls to mbedtls_md_update(). + /// Afterwards, you may either clear the context with + /// mbedtls_md_free(), or call mbedtls_md_starts() to reuse + /// the context for another digest operation with the same + /// algorithm. /// - /// \param p_rng The CTR_DRBG context. This must be a pointer to a - /// #mbedtls_ctr_drbg_context structure. - /// \param output The buffer to fill. - /// \param output_len The length of the buffer in bytes. - /// \param additional Additional data to update. Can be \c NULL, in which - /// case the additional data is empty regardless of - /// the value of \p add_len. - /// \param add_len The length of the additional data - /// if \p additional is not \c NULL. - /// This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT - /// and less than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len - /// where \c entropy_len is the entropy length - /// configured for the context. + /// \param ctx The generic message-digest context. + /// \param output The buffer for the generic message-digest checksum result. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or - /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. - pub fn mbedtls_ctr_drbg_random_with_add( - p_rng: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_finish( + ctx: *mut mbedtls_md_context_t, output: *mut ::core::ffi::c_uchar, - output_len: usize, - additional: *const ::core::ffi::c_uchar, - add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \param p_rng The CTR_DRBG context. This must be a pointer to a - /// #mbedtls_ctr_drbg_context structure. - /// \param output The buffer to fill. - /// \param output_len The length of the buffer in bytes. + /// \brief This function calculates the message-digest of a buffer, + /// with respect to a configurable message-digest algorithm + /// in a single call. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or - /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. - pub fn mbedtls_ctr_drbg_random( - p_rng: *mut ::core::ffi::c_void, + /// The result is calculated as + /// Output = message_digest(input buffer). + /// + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param input The buffer holding the data. + /// \param ilen The length of the input data. + /// \param output The generic message-digest checksum result. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md( + md_info: *const mbedtls_md_info_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, output: *mut ::core::ffi::c_uchar, - output_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief The CTR_DRBG checkup routine. + /// \brief This function returns the list of digests supported by the + /// generic digest module. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_ctr_drbg_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -///< Curve not defined. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_NONE: mbedtls_ecp_group_id = 0; -///< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192R1: mbedtls_ecp_group_id = 1; -///< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224R1: mbedtls_ecp_group_id = 2; -///< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256R1: mbedtls_ecp_group_id = 3; -///< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP384R1: mbedtls_ecp_group_id = 4; -///< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP521R1: mbedtls_ecp_group_id = 5; -///< Domain parameters for 256-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP256R1: mbedtls_ecp_group_id = 6; -///< Domain parameters for 384-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP384R1: mbedtls_ecp_group_id = 7; -///< Domain parameters for 512-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP512R1: mbedtls_ecp_group_id = 8; -///< Domain parameters for Curve25519. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE25519: mbedtls_ecp_group_id = 9; -///< Domain parameters for 192-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192K1: mbedtls_ecp_group_id = 10; -///< Domain parameters for 224-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224K1: mbedtls_ecp_group_id = 11; -///< Domain parameters for 256-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256K1: mbedtls_ecp_group_id = 12; -///< Domain parameters for Curve448. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE448: mbedtls_ecp_group_id = 13; -/// Domain-parameter identifiers: curve, subgroup, and generator. -/// -/// \note Only curves over prime fields are supported. -/// -/// \warning This library does not support validation of arbitrary domain -/// parameters. Therefore, only standardized domain parameters from trusted -/// sources should be used. See mbedtls_ecp_group_load(). -pub type mbedtls_ecp_group_id = ::core::ffi::c_uint; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_NONE: mbedtls_ecp_curve_type = 0; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: mbedtls_ecp_curve_type = 1; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_MONTGOMERY: mbedtls_ecp_curve_type = 2; -pub type mbedtls_ecp_curve_type = ::core::ffi::c_uint; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_NONE: mbedtls_ecp_modulus_type = 0; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_COORDINATE: mbedtls_ecp_modulus_type = 1; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_SCALAR: mbedtls_ecp_modulus_type = 2; -pub type mbedtls_ecp_modulus_type = ::core::ffi::c_uint; -/// Curve information, for use by other modules. -/// -/// The fields of this structure are part of the public API and can be -/// accessed directly by applications. Future versions of the library may -/// add extra fields or reorder existing fields. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_curve_info { - ///< An internal identifier. - pub grp_id: mbedtls_ecp_group_id, - ///< The TLS NamedCurve identifier. - pub tls_id: u16, - ///< The curve size in bits. - pub bit_size: u16, - ///< A human-friendly name. - pub name: *const ::core::ffi::c_char, + /// \note The list starts with the strongest available hashes. + /// + /// \return A statically allocated array of digests. Each element + /// in the returned list is an integer belonging to the + /// message-digest enumeration #mbedtls_md_type_t. + /// The last entry is 0. + pub fn mbedtls_md_list() -> *const ::core::ffi::c_int; } -impl Default for mbedtls_ecp_curve_info { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief This function returns the message-digest information + /// associated with the given digest name. + /// + /// \param md_name The name of the digest to search for. + /// + /// \return The message-digest information associated with \p md_name. + /// \return NULL if the associated message-digest information is not found. + pub fn mbedtls_md_info_from_string( + md_name: *const ::core::ffi::c_char, + ) -> *const mbedtls_md_info_t; } -/// \brief The ECP point structure, in Jacobian coordinates. -/// -/// \note All functions expect and return points satisfying -/// the following condition: Z == 0 or -/// Z == 1. Other values of \p Z are -/// used only by internal functions. -/// The point is zero, or "at infinity", if Z == 0. -/// Otherwise, \p X and \p Y are its standard (affine) -/// coordinates. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_point { - ///< The X coordinate of the ECP point. - pub private_X: mbedtls_mpi, - ///< The Y coordinate of the ECP point. - pub private_Y: mbedtls_mpi, - ///< The Z coordinate of the ECP point. - pub private_Z: mbedtls_mpi, -} -impl Default for mbedtls_ecp_point { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -/// \brief The ECP group structure. -/// -/// We consider two types of curve equations: -///
  • Short Weierstrass: y^2 = x^3 + A x + B mod P -/// (SEC1 + RFC-4492)
    • -///
  • Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, -/// Curve448)
-/// In both cases, the generator (\p G) for a prime-order subgroup is fixed. -/// -/// For Short Weierstrass, this subgroup is the whole curve, and its -/// cardinality is denoted by \p N. Our code requires that \p N is an -/// odd prime as mbedtls_ecp_mul() requires an odd number, and -/// mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. -/// -/// For Montgomery curves, we do not store \p A, but (A + 2) / 4, -/// which is the quantity used in the formulas. Additionally, \p nbits is -/// not the size of \p N but the required size for private keys. -/// -/// If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. -/// Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the -/// range of 0..2^(2*pbits)-1, and transforms it in-place to an integer -/// which is congruent mod \p P to the given MPI, and is close enough to \p pbits -/// in size, so that it may be efficiently brought in the 0..P-1 range by a few -/// additions or subtractions. Therefore, it is only an approximative modular -/// reduction. It must return 0 on success and non-zero on failure. -/// -/// \note Alternative implementations of the ECP module must obey the -/// following constraints. -/// * Group IDs must be distinct: if two group structures have -/// the same ID, then they must be identical. -/// * The fields \c id, \c P, \c A, \c B, \c G, \c N, -/// \c pbits and \c nbits must have the same type and semantics -/// as in the built-in implementation. -/// They must be available for reading, but direct modification -/// of these fields does not need to be supported. -/// They do not need to be at the same offset in the structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_group { - ///< An internal group identifier. - pub id: mbedtls_ecp_group_id, - ///< The prime modulus of the base field. - pub P: mbedtls_mpi, - ///< For Short Weierstrass: \p A in the equation. For - ///Montgomery curves: (A + 2) / 4. - pub A: mbedtls_mpi, - ///< For Short Weierstrass: \p B in the equation. - ///For Montgomery curves: unused. - pub B: mbedtls_mpi, - ///< The generator of the subgroup used. - pub G: mbedtls_ecp_point, - ///< The order of \p G. - pub N: mbedtls_mpi, - ///< The number of bits in \p P. - pub pbits: usize, - ///< For Short Weierstrass: The number of bits in \p P. - ///For Montgomery curves: the number of bits in the - ///private keys. - pub nbits: usize, - ///< \internal 1 if the constants are static. - pub private_h: ::core::ffi::c_uint, - ///< The function for fast pseudo-reduction - ///mod \p P (see above). - pub private_modp: - ::core::option::Option ::core::ffi::c_int>, - ///< Unused. - pub private_t_pre: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut mbedtls_ecp_point, - arg2: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int, - >, - ///< Unused. - pub private_t_post: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut mbedtls_ecp_point, - arg2: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int, - >, - ///< Unused. - pub private_t_data: *mut ::core::ffi::c_void, - ///< Pre-computed points for ecp_mul_comb(). - pub private_T: *mut mbedtls_ecp_point, - ///< The number of dynamic allocated pre-computed points. - pub private_T_size: usize, -} -impl Default for mbedtls_ecp_group { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -pub type mbedtls_ecp_restart_ctx = ::core::ffi::c_void; -/// \brief The ECP key-pair structure. -/// -/// A generic key-pair that may be used for ECDSA and fixed ECDH, for example. -/// -/// \note Members are deliberately in the same order as in the -/// ::mbedtls_ecdsa_context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_keypair { - ///< Elliptic curve and base point - pub private_grp: mbedtls_ecp_group, - ///< our secret value - pub private_d: mbedtls_mpi, - ///< our public value - pub private_Q: mbedtls_ecp_point, -} -impl Default for mbedtls_ecp_keypair { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - pub fn mbedtls_ecp_get_type(grp: *const mbedtls_ecp_group) -> mbedtls_ecp_curve_type; +unsafe extern "C" { + /// \brief This function returns the name of the message digest for + /// the message-digest information structure given. + /// + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// + /// \return The name of the message digest. + pub fn mbedtls_md_get_name(md_info: *const mbedtls_md_info_t) -> *const ::core::ffi::c_char; } unsafe extern "C" { - /// \brief This function retrieves the information defined in - /// mbedtls_ecp_curve_info() for all supported curves. + /// \brief This function returns the message-digest information + /// from the given context. /// - /// \note This function returns information about all curves - /// supported by the library. Some curves may not be - /// supported for all algorithms. Call mbedtls_ecdh_can_do() - /// or mbedtls_ecdsa_can_do() to check if a curve is - /// supported for ECDH or ECDSA. + /// \param ctx The context from which to extract the information. + /// This must be initialized (or \c NULL). /// - /// \return A statically allocated array. The last entry is 0. - pub fn mbedtls_ecp_curve_list() -> *const mbedtls_ecp_curve_info; + /// \return The message-digest information associated with \p ctx. + /// \return \c NULL if \p ctx is \c NULL. + pub fn mbedtls_md_info_from_ctx(ctx: *const mbedtls_md_context_t) -> *const mbedtls_md_info_t; } unsafe extern "C" { - /// \brief This function retrieves the list of internal group - /// identifiers of all supported curves in the order of - /// preference. + /// \brief This function sets the HMAC key and prepares to + /// authenticate a new message. /// - /// \note This function returns information about all curves - /// supported by the library. Some curves may not be - /// supported for all algorithms. Call mbedtls_ecdh_can_do() - /// or mbedtls_ecdsa_can_do() to check if a curve is - /// supported for ECDH or ECDSA. + /// Call this function after mbedtls_md_setup(), to use + /// the MD context for an HMAC calculation, then call + /// mbedtls_md_hmac_update() to provide the input data, and + /// mbedtls_md_hmac_finish() to get the HMAC value. /// - /// \return A statically allocated array, - /// terminated with MBEDTLS_ECP_DP_NONE. - pub fn mbedtls_ecp_grp_id_list() -> *const mbedtls_ecp_group_id; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param key The HMAC secret key. + /// \param keylen The length of the HMAC key in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_starts( + ctx: *mut mbedtls_md_context_t, + key: *const ::core::ffi::c_uchar, + keylen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from an internal - /// group identifier. + /// \brief This function feeds an input buffer into an ongoing HMAC + /// computation. /// - /// \param grp_id An \c MBEDTLS_ECP_DP_XXX value. + /// Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() + /// before calling this function. + /// You may call this function multiple times to pass the + /// input piecewise. + /// Afterwards, call mbedtls_md_hmac_finish(). /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_grp_id( - grp_id: mbedtls_ecp_group_id, - ) -> *const mbedtls_ecp_curve_info; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_update( + ctx: *mut mbedtls_md_context_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from a TLS - /// NamedCurve value. + /// \brief This function finishes the HMAC operation, and writes + /// the result to the output buffer. /// - /// \param tls_id An \c MBEDTLS_ECP_DP_XXX value. + /// Call this function after mbedtls_md_hmac_starts() and + /// mbedtls_md_hmac_update() to get the HMAC value. Afterwards + /// you may either call mbedtls_md_free() to clear the context, + /// or call mbedtls_md_hmac_reset() to reuse the context with + /// the same HMAC key. /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_tls_id(tls_id: u16) -> *const mbedtls_ecp_curve_info; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param output The generic HMAC checksum result. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_finish( + ctx: *mut mbedtls_md_context_t, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from a - /// human-readable name. + /// \brief This function prepares to authenticate a new message with + /// the same key as the previous HMAC operation. /// - /// \param name The human-readable name. + /// You may call this function after mbedtls_md_hmac_finish(). + /// Afterwards call mbedtls_md_hmac_update() to pass the new + /// input. /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_name( - name: *const ::core::ffi::c_char, - ) -> *const mbedtls_ecp_curve_info; -} -unsafe extern "C" { - /// \brief This function initializes a point as zero. + /// \param ctx The message digest context containing an embedded HMAC + /// context. /// - /// \param pt The point to initialize. - pub fn mbedtls_ecp_point_init(pt: *mut mbedtls_ecp_point); + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_reset(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function initializes an ECP group context - /// without loading any domain parameters. + /// \brief This function calculates the full generic HMAC + /// on the input buffer with the provided key. /// - /// \note After this function is called, domain parameters - /// for various ECP groups can be loaded through the - /// mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() - /// functions. - pub fn mbedtls_ecp_group_init(grp: *mut mbedtls_ecp_group); -} -unsafe extern "C" { - /// \brief This function initializes a key pair as an invalid one. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// \param key The key pair to initialize. - pub fn mbedtls_ecp_keypair_init(key: *mut mbedtls_ecp_keypair); -} -unsafe extern "C" { - /// \brief This function frees the components of a point. + /// The HMAC result is calculated as + /// output = generic HMAC(hmac key, input buffer). /// - /// \param pt The point to free. - pub fn mbedtls_ecp_point_free(pt: *mut mbedtls_ecp_point); -} -unsafe extern "C" { - /// \brief This function frees the components of an ECP group. + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param key The HMAC secret key. + /// \param keylen The length of the HMAC secret key in Bytes. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. + /// \param output The generic HMAC result. /// - /// \param grp The group to free. This may be \c NULL, in which - /// case this function returns immediately. If it is not - /// \c NULL, it must point to an initialized ECP group. - pub fn mbedtls_ecp_group_free(grp: *mut mbedtls_ecp_group); + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac( + md_info: *const mbedtls_md_info_t, + key: *const ::core::ffi::c_uchar, + keylen: usize, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief This function frees the components of a key pair. - /// - /// \param key The key pair to free. This may be \c NULL, in which - /// case this function returns immediately. If it is not - /// \c NULL, it must point to an initialized ECP key pair. - pub fn mbedtls_ecp_keypair_free(key: *mut mbedtls_ecp_keypair); +/// \brief Entropy poll callback pointer +/// +/// \param data Callback-specific data pointer +/// \param output Data to fill +/// \param len Maximum size to provide +/// \param olen The actual amount of bytes put into the buffer (Can be 0) +/// +/// \return 0 if no critical failures occurred, +/// MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise +pub type mbedtls_entropy_f_source_ptr = ::core::option::Option< + unsafe extern "C" fn( + data: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + ) -> ::core::ffi::c_int, +>; +/// \brief Entropy source state +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_entropy_source_state { + ///< The entropy source callback + pub private_f_source: mbedtls_entropy_f_source_ptr, + ///< The callback data pointer + pub private_p_source: *mut ::core::ffi::c_void, + ///< Amount received in bytes + pub private_size: usize, + ///< Minimum bytes required before release + pub private_threshold: usize, + ///< Is the source strong? + pub private_strong: ::core::ffi::c_int, } -unsafe extern "C" { - /// \brief This function copies the contents of point \p Q into - /// point \p P. - /// - /// \param P The destination point. This must be initialized. - /// \param Q The source point. This must be initialized. - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code for other kinds of failure. - pub fn mbedtls_ecp_copy( - P: *mut mbedtls_ecp_point, - Q: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_entropy_source_state { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +/// \brief Entropy context structure +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_entropy_context { + pub private_accumulator: mbedtls_md_context_t, + pub private_accumulator_started: ::core::ffi::c_int, + pub private_source_count: ::core::ffi::c_int, + pub private_source: [mbedtls_entropy_source_state; 20usize], +} +impl Default for mbedtls_entropy_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief This function copies the contents of group \p src into - /// group \p dst. - /// - /// \param dst The destination group. This must be initialized. - /// \param src The source group. This must be initialized. + /// \brief Initialize the context /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_group_copy( - dst: *mut mbedtls_ecp_group, - src: *const mbedtls_ecp_group, - ) -> ::core::ffi::c_int; + /// \param ctx Entropy context to initialize + pub fn mbedtls_entropy_init(ctx: *mut mbedtls_entropy_context); } unsafe extern "C" { - /// \brief This function sets a point to the point at infinity. - /// - /// \param pt The point to set. This must be initialized. + /// \brief Free the data in the context /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_set_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; + /// \param ctx Entropy context to free + pub fn mbedtls_entropy_free(ctx: *mut mbedtls_entropy_context); } unsafe extern "C" { - /// \brief This function checks if a point is the point at infinity. + /// \brief Adds an entropy source to poll + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param pt The point to test. This must be initialized. + /// \param ctx Entropy context + /// \param f_source Entropy function + /// \param p_source Function data + /// \param threshold Minimum required from source before entropy is released + /// ( with mbedtls_entropy_func() ) (in bytes) + /// \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or + /// MBEDTLS_ENTROPY_SOURCE_WEAK. + /// At least one strong source needs to be added. + /// Weaker sources (such as the cycle counter) can be used as + /// a complement. /// - /// \return \c 1 if the point is zero. - /// \return \c 0 if the point is non-zero. - /// \return A negative error code on failure. - pub fn mbedtls_ecp_is_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; + /// \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES + pub fn mbedtls_entropy_add_source( + ctx: *mut mbedtls_entropy_context, + f_source: mbedtls_entropy_f_source_ptr, + p_source: *mut ::core::ffi::c_void, + threshold: usize, + strong: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function compares two points. - /// - /// \note This assumes that the points are normalized. Otherwise, - /// they may compare as "not equal" even if they are. + /// \brief Trigger an extra gather poll for the accumulator + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param P The first point to compare. This must be initialized. - /// \param Q The second point to compare. This must be initialized. + /// \param ctx Entropy context /// - /// \return \c 0 if the points are equal. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal. - pub fn mbedtls_ecp_point_cmp( - P: *const mbedtls_ecp_point, - Q: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; + /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + pub fn mbedtls_entropy_gather(ctx: *mut mbedtls_entropy_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports a non-zero point from two ASCII - /// strings. + /// \brief Retrieve entropy from the accumulator + /// (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE) + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param P The destination point. This must be initialized. - /// \param radix The numeric base of the input. - /// \param x The first affine coordinate, as a null-terminated string. - /// \param y The second affine coordinate, as a null-terminated string. + /// \param data Entropy context + /// \param output Buffer to fill + /// \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_MPI_XXX error code on failure. - pub fn mbedtls_ecp_point_read_string( - P: *mut mbedtls_ecp_point, - radix: ::core::ffi::c_int, - x: *const ::core::ffi::c_char, - y: *const ::core::ffi::c_char, + /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + pub fn mbedtls_entropy_func( + data: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports a point into unsigned binary data. + /// \brief Add data to the accumulator manually + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param grp The group to which the point should belong. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param P The point to export. This must be initialized. - /// \param format The point format. This must be either - /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. - /// (For groups without these formats, this parameter is - /// ignored. But it still has to be either of the above - /// values.) - /// \param olen The address at which to store the length of - /// the output in Bytes. This must not be \c NULL. - /// \param buf The output buffer. This must be a writable buffer - /// of length \p buflen Bytes. - /// \param buflen The length of the output buffer \p buf in Bytes. + /// \param ctx Entropy context + /// \param data Data to add + /// \param len Length of data /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer - /// is too small to hold the point. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format - /// or the export for the given group is not implemented. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_point_write_binary( - grp: *const mbedtls_ecp_group, - P: *const mbedtls_ecp_point, - format: ::core::ffi::c_int, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - buflen: usize, + /// \return 0 if successful + pub fn mbedtls_entropy_update_manual( + ctx: *mut mbedtls_entropy_context, + data: *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports a point from unsigned binary data. + /// \brief Checkup routine /// - /// \note This function does not check that the point actually - /// belongs to the given group, see mbedtls_ecp_check_pubkey() - /// for that. + /// This module self-test also calls the entropy self-test, + /// mbedtls_entropy_source_self_test(); /// - /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for - /// limitations. + /// \return 0 if successful, or 1 if a test failed + pub fn mbedtls_entropy_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief The CTR_DRBG context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ctr_drbg_context { + ///< The counter (V). + pub private_counter: [::core::ffi::c_uchar; 16usize], + ///< The reseed counter. + /// This is the number of requests that have + /// been made since the last (re)seeding, + /// minus one. + /// Before the initial seeding, this field + /// contains the amount of entropy in bytes + /// to use as a nonce for the initial seeding, + /// or -1 if no nonce length has been explicitly + /// set (see mbedtls_ctr_drbg_set_nonce_len()). + pub private_reseed_counter: ::core::ffi::c_int, + ///< This determines whether prediction + ///resistance is enabled, that is + ///whether to systematically reseed before + ///each random generation. + pub private_prediction_resistance: ::core::ffi::c_int, + ///< The amount of entropy grabbed on each + ///seed or reseed operation, in bytes. + pub private_entropy_len: usize, + ///< The reseed interval. + /// This is the maximum number of requests + /// that can be made between reseedings. + pub private_reseed_interval: ::core::ffi::c_int, + ///< The AES context. + pub private_aes_ctx: mbedtls_aes_context, + pub private_f_entropy: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut ::core::ffi::c_void, + arg2: *mut ::core::ffi::c_uchar, + arg3: usize, + ) -> ::core::ffi::c_int, + >, + ///< The context for the entropy function. + pub private_p_entropy: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_ctr_drbg_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes the CTR_DRBG context, + /// and prepares it for mbedtls_ctr_drbg_seed() + /// or mbedtls_ctr_drbg_free(). /// - /// \param grp The group to which the point should belong. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param P The destination context to import the point to. - /// This must be initialized. - /// \param buf The input buffer. This must be a readable buffer - /// of length \p ilen Bytes. - /// \param ilen The length of the input buffer \p buf in Bytes. + /// \note The reseed interval is + /// #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default. + /// You can override it by calling + /// mbedtls_ctr_drbg_set_reseed_interval(). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the - /// given group is not implemented. - pub fn mbedtls_ecp_point_read_binary( - grp: *const mbedtls_ecp_group, - P: *mut mbedtls_ecp_point, - buf: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context to initialize. + pub fn mbedtls_ctr_drbg_init(ctx: *mut mbedtls_ctr_drbg_context); } unsafe extern "C" { - /// \brief This function imports a point from a TLS ECPoint record. + /// - The \p custom string. /// - /// \note On function return, \p *buf is updated to point immediately - /// after the ECPoint record. + /// \note To achieve the nominal security strength permitted + /// by CTR_DRBG, the entropy length must be: + /// - at least 16 bytes for a 128-bit strength + /// (maximum achievable strength when using AES-128); + /// - at least 32 bytes for a 256-bit strength + /// (maximum achievable strength when using AES-256). /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The destination point. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the buffer. + /// In addition, if you do not pass a nonce in \p custom, + /// the sum of the entropy length + /// and the entropy nonce length must be: + /// - at least 24 bytes for a 128-bit strength + /// (maximum achievable strength when using AES-128); + /// - at least 48 bytes for a 256-bit strength + /// (maximum achievable strength when using AES-256). /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization - /// failure. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - pub fn mbedtls_ecp_tls_read_point( - grp: *const mbedtls_ecp_group, - pt: *mut mbedtls_ecp_point, - buf: *mut *const ::core::ffi::c_uchar, + /// \param ctx The CTR_DRBG context to seed. + /// It must have been initialized with + /// mbedtls_ctr_drbg_init(). + /// After a successful call to mbedtls_ctr_drbg_seed(), + /// you may not call mbedtls_ctr_drbg_seed() again on + /// the same context unless you call + /// mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init() + /// again first. + /// After a failed call to mbedtls_ctr_drbg_seed(), + /// you must call mbedtls_ctr_drbg_free(). + /// \param f_entropy The entropy callback, taking as arguments the + /// \p p_entropy context, the buffer to fill, and the + /// length of the buffer. + /// \p f_entropy is always called with a buffer size + /// less than or equal to the entropy length. + /// \param p_entropy The entropy context to pass to \p f_entropy. + /// \param custom The personalization string. + /// This can be \c NULL, in which case the personalization + /// string is empty regardless of the value of \p len. + /// \param len The length of the personalization string. + /// This must be at most + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// - #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. + pub fn mbedtls_ctr_drbg_seed( + ctx: *mut mbedtls_ctr_drbg_context, + f_entropy: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut ::core::ffi::c_void, + arg2: *mut ::core::ffi::c_uchar, + arg3: usize, + ) -> ::core::ffi::c_int, + >, + p_entropy: *mut ::core::ffi::c_void, + custom: *const ::core::ffi::c_uchar, len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports a point as a TLS ECPoint record - /// defined in RFC 4492, Section 5.4. - /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The point to be exported. This must be initialized. - /// \param format The point format to use. This must be either - /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. - /// \param olen The address at which to store the length in Bytes - /// of the data written. - /// \param buf The target buffer. This must be a writable buffer of - /// length \p blen Bytes. - /// \param blen The length of the target buffer \p buf in Bytes. + /// \brief This function resets CTR_DRBG context to the state immediately + /// after initial call of mbedtls_ctr_drbg_init(). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer - /// is too small to hold the exported point. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_write_point( - grp: *const mbedtls_ecp_group, - pt: *const mbedtls_ecp_point, - format: ::core::ffi::c_int, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - blen: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context to clear. + pub fn mbedtls_ctr_drbg_free(ctx: *mut mbedtls_ctr_drbg_context); } unsafe extern "C" { - /// \brief This function sets up an ECP group context - /// from a standardized set of domain parameters. - /// - /// \note The index should be a value of the NamedCurve enum, - /// as defined in RFC-4492: Elliptic Curve Cryptography - /// (ECC) Cipher Suites for Transport Layer Security (TLS), - /// usually in the form of an \c MBEDTLS_ECP_DP_XXX macro. + /// \brief This function turns prediction resistance on or off. + /// The default value is off. /// - /// \param grp The group context to setup. This must be initialized. - /// \param id The identifier of the domain parameter set to load. + /// \note If enabled, entropy is gathered at the beginning of + /// every call to mbedtls_ctr_drbg_random_with_add() + /// or mbedtls_ctr_drbg_random(). + /// Only use this if your entropy source has sufficient + /// throughput. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't - /// correspond to a known group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_group_load( - grp: *mut mbedtls_ecp_group, - id: mbedtls_ecp_group_id, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context. + /// \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF. + pub fn mbedtls_ctr_drbg_set_prediction_resistance( + ctx: *mut mbedtls_ctr_drbg_context, + resistance: ::core::ffi::c_int, + ); } unsafe extern "C" { - /// \brief This function sets up an ECP group context from a TLS - /// ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the amount of entropy grabbed on each + /// seed or reseed. /// - /// \note The read pointer \p buf is updated to point right after - /// the ECParameters record on exit. + /// The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN. /// - /// \param grp The group context to setup. This must be initialized. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the input buffer \c *buf in Bytes. + /// \note The security strength of CTR_DRBG is bounded by the + /// entropy length. Thus: + /// - When using AES-256 + /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled, + /// which is the default), + /// \p len must be at least 32 (in bytes) + /// to achieve a 256-bit strength. + /// - When using AES-128 + /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) + /// \p len must be at least 16 (in bytes) + /// to achieve a 128-bit strength. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not - /// recognized. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_read_group( - grp: *mut mbedtls_ecp_group, - buf: *mut *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context. + /// \param len The amount of entropy to grab, in bytes. + /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// and at most the maximum length accepted by the + /// entropy function that is set in the context. + pub fn mbedtls_ctr_drbg_set_entropy_len(ctx: *mut mbedtls_ctr_drbg_context, len: usize); } unsafe extern "C" { - /// \brief This function extracts an elliptic curve group ID from a - /// TLS ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the amount of entropy grabbed + /// as a nonce for the initial seeding. /// - /// \note The read pointer \p buf is updated to point right after - /// the ECParameters record on exit. + /// Call this function before calling mbedtls_ctr_drbg_seed() to read + /// a nonce from the entropy source during the initial seeding. /// - /// \param grp The address at which to store the group id. - /// This must not be \c NULL. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the input buffer \c *buf in Bytes. + /// \param ctx The CTR_DRBG context. + /// \param len The amount of entropy to grab for the nonce, in bytes. + /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// and at most the maximum length accepted by the + /// entropy function that is set in the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not - /// recognized. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_read_group_id( - grp: *mut mbedtls_ecp_group_id, - buf: *mut *const ::core::ffi::c_uchar, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is + /// more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED + /// if the initial seeding has already taken place. + pub fn mbedtls_ctr_drbg_set_nonce_len( + ctx: *mut mbedtls_ctr_drbg_context, len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports an elliptic curve as a TLS - /// ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the reseed interval. /// - /// \param grp The ECP group to be exported. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param olen The address at which to store the number of Bytes written. - /// This must not be \c NULL. - /// \param buf The buffer to write to. This must be a writable buffer - /// of length \p blen Bytes. - /// \param blen The length of the output buffer \p buf in Bytes. + /// The reseed interval is the number of calls to mbedtls_ctr_drbg_random() + /// or mbedtls_ctr_drbg_random_with_add() after which the entropy function + /// is called again. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output - /// buffer is too small to hold the exported group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_write_group( - grp: *const mbedtls_ecp_group, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - blen: usize, - ) -> ::core::ffi::c_int; + /// The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL. + /// + /// \param ctx The CTR_DRBG context. + /// \param interval The reseed interval. + pub fn mbedtls_ctr_drbg_set_reseed_interval( + ctx: *mut mbedtls_ctr_drbg_context, + interval: ::core::ffi::c_int, + ); } unsafe extern "C" { - /// \brief This function performs a scalar multiplication of a point - /// by an integer: \p R = \p m * \p P. - /// - /// It is not thread-safe to use same group in multiple threads. + /// \brief This function reseeds the CTR_DRBG context, that is + /// extracts data from the entropy source. /// - /// \note To prevent timing attacks, this function - /// executes the exact same sequence of base-field - /// operations for any valid \p m. It avoids any if-branch or - /// array index depending on the value of \p m. It also uses - /// \p f_rng to randomize some intermediate results. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply. This must be initialized. - /// \param P The point to multiply. This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. + /// \param ctx The CTR_DRBG context. + /// \param additional Additional data to add to the state. Can be \c NULL. + /// \param len The length of the additional data. + /// This must be less than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length + /// configured for the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private - /// key, or \p P is not a valid public key. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_mul( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. + pub fn mbedtls_ctr_drbg_reseed( + ctx: *mut mbedtls_ctr_drbg_context, + additional: *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication of a point by - /// an integer: \p R = \p m * \p P in a restartable way. - /// - /// \see mbedtls_ecp_mul() + /// \brief This function updates the state of the CTR_DRBG context. /// - /// \note This function does the same as \c mbedtls_ecp_mul(), but - /// it can return early and restart according to the limit set - /// with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply. This must be initialized. - /// \param P The point to multiply. This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. - /// \param rs_ctx The restart context (NULL disables restart). + /// \param ctx The CTR_DRBG context. + /// \param additional The data to update the state with. This must not be + /// \c NULL unless \p add_len is \c 0. + /// \param add_len Length of \p additional in bytes. This must be at + /// most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private - /// key, or \p P is not a valid public key. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_mul_restartable( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecp_restart_ctx, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if + /// \p add_len is more than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \return An error from the underlying AES cipher on failure. + pub fn mbedtls_ctr_drbg_update( + ctx: *mut mbedtls_ctr_drbg_context, + additional: *const ::core::ffi::c_uchar, + add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication and addition of two - /// points by integers: \p R = \p m * \p P + \p n * \p Q - /// - /// It is not thread-safe to use same group in multiple threads. + /// \brief This function updates a CTR_DRBG instance with additional + /// data and uses it to generate random data. /// - /// \note In contrast to mbedtls_ecp_mul(), this function does not - /// guarantee a constant execution flow and timing. + /// This function automatically reseeds if the reseed counter is exceeded + /// or prediction resistance is enabled. /// - /// \note This function is only defined for short Weierstrass curves. - /// It may not be included in builds without any short - /// Weierstrass curve. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply \p P. - /// This must be initialized. - /// \param P The point to multiply by \p m. This must be initialized. - /// \param n The integer by which to multiply \p Q. - /// This must be initialized. - /// \param Q The point to be multiplied by \p n. - /// This must be initialized. + /// \param p_rng The CTR_DRBG context. This must be a pointer to a + /// #mbedtls_ctr_drbg_context structure. + /// \param output The buffer to fill. + /// \param output_len The length of the buffer in bytes. + /// \param additional Additional data to update. Can be \c NULL, in which + /// case the additional data is empty regardless of + /// the value of \p add_len. + /// \param add_len The length of the additional data + /// if \p additional is not \c NULL. + /// This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT + /// and less than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length + /// configured for the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not - /// valid private keys, or \p P or \p Q are not valid public - /// keys. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not - /// designate a short Weierstrass curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_muladd( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - n: *const mbedtls_mpi, - Q: *const mbedtls_ecp_point, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. + pub fn mbedtls_ctr_drbg_random_with_add( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_len: usize, + additional: *const ::core::ffi::c_uchar, + add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication and addition of two - /// points by integers: \p R = \p m * \p P + \p n * \p Q in a - /// restartable way. + /// \param p_rng The CTR_DRBG context. This must be a pointer to a + /// #mbedtls_ctr_drbg_context structure. + /// \param output The buffer to fill. + /// \param output_len The length of the buffer in bytes. /// - /// \see \c mbedtls_ecp_muladd() + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. + pub fn mbedtls_ctr_drbg_random( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_len: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The CTR_DRBG checkup routine. /// - /// \note This function works the same as \c mbedtls_ecp_muladd(), - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. - /// - /// \note This function is only defined for short Weierstrass curves. - /// It may not be included in builds without any short - /// Weierstrass curve. - /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply \p P. - /// This must be initialized. - /// \param P The point to multiply by \p m. This must be initialized. - /// \param n The integer by which to multiply \p Q. - /// This must be initialized. - /// \param Q The point to be multiplied by \p n. - /// This must be initialized. - /// \param rs_ctx The restart context (NULL disables restart). - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not - /// valid private keys, or \p P or \p Q are not valid public - /// keys. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not - /// designate a short Weierstrass curve. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_muladd_restartable( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - n: *const mbedtls_mpi, - Q: *const mbedtls_ecp_point, - rs_ctx: *mut mbedtls_ecp_restart_ctx, - ) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_ctr_drbg_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief This function checks that a point is a valid public key - /// on this curve. - /// - /// It only checks that the point is non-zero, has - /// valid coordinates and lies on the curve. It does not verify - /// that it is indeed a multiple of \p G. This additional - /// check is computationally more expensive, is not required - /// by standards, and should not be necessary if the group - /// used has a small cofactor. In particular, it is useless for - /// the NIST groups which all have a cofactor of 1. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure, to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group the point should belong to. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The point to check. This must be initialized. - /// - /// \return \c 0 if the point is a valid public key. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not - /// a valid public key for the given curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_check_pubkey( - grp: *const mbedtls_ecp_group, - pt: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; +///< Curve not defined. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_NONE: mbedtls_ecp_group_id = 0; +///< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192R1: mbedtls_ecp_group_id = 1; +///< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224R1: mbedtls_ecp_group_id = 2; +///< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256R1: mbedtls_ecp_group_id = 3; +///< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP384R1: mbedtls_ecp_group_id = 4; +///< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP521R1: mbedtls_ecp_group_id = 5; +///< Domain parameters for 256-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP256R1: mbedtls_ecp_group_id = 6; +///< Domain parameters for 384-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP384R1: mbedtls_ecp_group_id = 7; +///< Domain parameters for 512-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP512R1: mbedtls_ecp_group_id = 8; +///< Domain parameters for Curve25519. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE25519: mbedtls_ecp_group_id = 9; +///< Domain parameters for 192-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192K1: mbedtls_ecp_group_id = 10; +///< Domain parameters for 224-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224K1: mbedtls_ecp_group_id = 11; +///< Domain parameters for 256-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256K1: mbedtls_ecp_group_id = 12; +///< Domain parameters for Curve448. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE448: mbedtls_ecp_group_id = 13; +/// Domain-parameter identifiers: curve, subgroup, and generator. +/// +/// \note Only curves over prime fields are supported. +/// +/// \warning This library does not support validation of arbitrary domain +/// parameters. Therefore, only standardized domain parameters from trusted +/// sources should be used. See mbedtls_ecp_group_load(). +pub type mbedtls_ecp_group_id = ::core::ffi::c_uint; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_NONE: mbedtls_ecp_curve_type = 0; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: mbedtls_ecp_curve_type = 1; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_MONTGOMERY: mbedtls_ecp_curve_type = 2; +pub type mbedtls_ecp_curve_type = ::core::ffi::c_uint; +/// Curve information, for use by other modules. +/// +/// The fields of this structure are part of the public API and can be +/// accessed directly by applications. Future versions of the library may +/// add extra fields or reorder existing fields. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_curve_info { + ///< An internal identifier. + pub grp_id: mbedtls_ecp_group_id, + ///< The TLS NamedCurve identifier. + pub tls_id: u16, + ///< The curve size in bits. + pub bit_size: u16, + ///< A human-friendly name. + pub name: *const ::core::ffi::c_char, } -unsafe extern "C" { - /// \brief This function checks that an \p mbedtls_mpi is a - /// valid private key for this curve. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group the private key should belong to. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The integer to check. This must be initialized. - /// - /// \return \c 0 if the point is a valid private key. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid - /// private key for the given curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_check_privkey( - grp: *const mbedtls_ecp_group, - d: *const mbedtls_mpi, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_ecp_curve_info { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief This function generates a private key. - /// - /// \param grp The ECP group to generate a private key for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The destination MPI (secret part). This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context argument. - /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_privkey( - grp: *const mbedtls_ecp_group, - d: *mut mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; +/// \brief The ECP point structure, in Jacobian coordinates. +/// +/// \note All functions expect and return points satisfying +/// the following condition: Z == 0 or +/// Z == 1. Other values of \p Z are +/// used only by internal functions. +/// The point is zero, or "at infinity", if Z == 0. +/// Otherwise, \p X and \p Y are its standard (affine) +/// coordinates. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_point { + ///< The X coordinate of the ECP point. + pub private_X: mbedtls_mpi, + ///< The Y coordinate of the ECP point. + pub private_Y: mbedtls_mpi, + ///< The Z coordinate of the ECP point. + pub private_Z: mbedtls_mpi, } -unsafe extern "C" { - /// \brief This function generates a keypair with a configurable base - /// point. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group to generate a key pair for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param G The base point to use. This must be initialized - /// and belong to \p grp. It replaces the default base - /// point \c grp->G used by mbedtls_ecp_gen_keypair(). - /// \param d The destination MPI (secret part). - /// This must be initialized. - /// \param Q The destination point (public part). - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_keypair_base( - grp: *mut mbedtls_ecp_group, - G: *const mbedtls_ecp_point, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_ecp_point { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief This function generates an ECP keypair. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group to generate a key pair for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The destination MPI (secret part). - /// This must be initialized. - /// \param Q The destination point (public part). - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. +/// \brief The ECP group structure. +/// +/// We consider two types of curve equations: +///
  • Short Weierstrass: y^2 = x^3 + A x + B mod P +/// (SEC1 + RFC-4492)
    • +///
  • Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, +/// Curve448)
+/// In both cases, the generator (\p G) for a prime-order subgroup is fixed. +/// +/// For Short Weierstrass, this subgroup is the whole curve, and its +/// cardinality is denoted by \p N. Our code requires that \p N is an +/// odd prime as mbedtls_ecp_mul() requires an odd number, and +/// mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. +/// +/// The default implementation only initializes \p A without setting it to the +/// authentic value for curves with A = -3(SECP256R1, etc), in which +/// case you need to load \p A by yourself when using domain parameters directly, +/// for example: +/// \code +/// mbedtls_mpi_init(&A); +/// mbedtls_ecp_group_init(&grp); +/// CHECK_RETURN(mbedtls_ecp_group_load(&grp, grp_id)); +/// if (mbedtls_ecp_group_a_is_minus_3(&grp)) { +/// CHECK_RETURN(mbedtls_mpi_sub_int(&A, &grp.P, 3)); +/// } else { +/// CHECK_RETURN(mbedtls_mpi_copy(&A, &grp.A)); +/// } +/// +/// do_something_with_a(&A); +/// +/// cleanup: +/// mbedtls_mpi_free(&A); +/// mbedtls_ecp_group_free(&grp); +/// \endcode +/// +/// For Montgomery curves, we do not store \p A, but (A + 2) / 4, +/// which is the quantity used in the formulas. Additionally, \p nbits is +/// not the size of \p N but the required size for private keys. +/// +/// If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. +/// Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the +/// range of 0..2^(2*pbits)-1, and transforms it in-place to an integer +/// which is congruent mod \p P to the given MPI, and is close enough to \p pbits +/// in size, so that it may be efficiently brought in the 0..P-1 range by a few +/// additions or subtractions. Therefore, it is only an approximate modular +/// reduction. It must return 0 on success and non-zero on failure. +/// +/// \note Alternative implementations of the ECP module must obey the +/// following constraints. +/// * Group IDs must be distinct: if two group structures have +/// the same ID, then they must be identical. +/// * The fields \c id, \c P, \c A, \c B, \c G, \c N, +/// \c pbits and \c nbits must have the same type and semantics +/// as in the built-in implementation. +/// They must be available for reading, but direct modification +/// of these fields does not need to be supported. +/// They do not need to be at the same offset in the structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_group { + ///< An internal group identifier. + pub id: mbedtls_ecp_group_id, + ///< The prime modulus of the base field. + pub P: mbedtls_mpi, + ///< For Short Weierstrass: \p A in the equation. Note that + ///\p A is not set to the authentic value in some cases. + ///Refer to detailed description of ::mbedtls_ecp_group if + ///using domain parameters in the structure. + ///For Montgomery curves: (A + 2) / 4. + pub A: mbedtls_mpi, + ///< For Short Weierstrass: \p B in the equation. + ///For Montgomery curves: unused. + pub B: mbedtls_mpi, + ///< The generator of the subgroup used. + pub G: mbedtls_ecp_point, + ///< The order of \p G. + pub N: mbedtls_mpi, + ///< The number of bits in \p P. + pub pbits: usize, + ///< For Short Weierstrass: The number of bits in \p P. + ///For Montgomery curves: the number of bits in the + ///private keys. + pub nbits: usize, + ///< \internal 1 if the constants are static. + pub private_h: ::core::ffi::c_uint, + ///< The function for fast pseudo-reduction + ///mod \p P (see above). + pub private_modp: + ::core::option::Option ::core::ffi::c_int>, + ///< Unused. + pub private_t_pre: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut mbedtls_ecp_point, + arg2: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int, + >, + ///< Unused. + pub private_t_post: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut mbedtls_ecp_point, + arg2: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int, + >, + ///< Unused. + pub private_t_data: *mut ::core::ffi::c_void, + ///< Pre-computed points for ecp_mul_comb(). + pub private_T: *mut mbedtls_ecp_point, + ///< The number of dynamic allocated pre-computed points. + pub private_T_size: usize, +} +impl Default for mbedtls_ecp_group { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub type mbedtls_ecp_restart_ctx = ::core::ffi::c_void; +/// \brief The ECP key-pair structure. +/// +/// A generic key-pair that may be used for ECDSA and fixed ECDH, for example. +/// +/// \note Members are deliberately in the same order as in the +/// ::mbedtls_ecdsa_context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_keypair { + ///< Elliptic curve and base point + pub private_grp: mbedtls_ecp_group, + ///< our secret value + pub private_d: mbedtls_mpi, + ///< our public value + pub private_Q: mbedtls_ecp_point, +} +impl Default for mbedtls_ecp_keypair { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + pub fn mbedtls_ecp_get_type(grp: *const mbedtls_ecp_group) -> mbedtls_ecp_curve_type; +} +unsafe extern "C" { + /// \brief This function retrieves the information defined in + /// mbedtls_ecp_curve_info() for all supported curves. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_keypair( - grp: *mut mbedtls_ecp_group, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \note This function returns information about all curves + /// supported by the library. Some curves may not be + /// supported for all algorithms. Call mbedtls_ecdh_can_do() + /// or mbedtls_ecdsa_can_do() to check if a curve is + /// supported for ECDH or ECDSA. + /// + /// \return A statically allocated array. The last entry is 0. + pub fn mbedtls_ecp_curve_list() -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function generates an ECP key. + /// \brief This function retrieves the list of internal group + /// identifiers of all supported curves in the order of + /// preference. /// - /// \param grp_id The ECP group identifier. - /// \param key The destination key. This must be initialized. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. + /// \note This function returns information about all curves + /// supported by the library. Some curves may not be + /// supported for all algorithms. Call mbedtls_ecdh_can_do() + /// or mbedtls_ecdsa_can_do() to check if a curve is + /// supported for ECDH or ECDSA. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_key( - grp_id: mbedtls_ecp_group_id, - key: *mut mbedtls_ecp_keypair, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \return A statically allocated array, + /// terminated with MBEDTLS_ECP_DP_NONE. + pub fn mbedtls_ecp_grp_id_list() -> *const mbedtls_ecp_group_id; } unsafe extern "C" { - /// \brief This function reads an elliptic curve private key. + /// \brief This function retrieves curve information from an internal + /// group identifier. /// - /// \param grp_id The ECP group identifier. - /// \param key The destination key. - /// \param buf The buffer containing the binary representation of the - /// key. (Big endian integer for Weierstrass curves, byte - /// string for Montgomery curves.) - /// \param buflen The length of the buffer in bytes. + /// \param grp_id An \c MBEDTLS_ECP_DP_XXX value. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is - /// invalid. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for - /// the group is not implemented. - /// \return Another negative error code on different kinds of failure. - pub fn mbedtls_ecp_read_key( + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_grp_id( grp_id: mbedtls_ecp_group_id, - key: *mut mbedtls_ecp_keypair, - buf: *const ::core::ffi::c_uchar, - buflen: usize, - ) -> ::core::ffi::c_int; + ) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function exports an elliptic curve private key. + /// \brief This function retrieves curve information from a TLS + /// NamedCurve value. /// - /// \param key The private key. - /// \param buf The output buffer for containing the binary representation - /// of the key. (Big endian integer for Weierstrass curves, byte - /// string for Montgomery curves.) - /// \param buflen The total length of the buffer in bytes. + /// \param tls_id An \c MBEDTLS_ECP_DP_XXX value. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key - ///representation is larger than the available space in \p buf. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for - /// the group is not implemented. - /// \return Another negative error code on different kinds of failure. - pub fn mbedtls_ecp_write_key( - key: *mut mbedtls_ecp_keypair, - buf: *mut ::core::ffi::c_uchar, - buflen: usize, - ) -> ::core::ffi::c_int; + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_tls_id(tls_id: u16) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function checks that the keypair objects - /// \p pub and \p prv have the same group and the - /// same public point, and that the private key in - /// \p prv is consistent with the public key. + /// \brief This function retrieves curve information from a + /// human-readable name. /// - /// \param pub The keypair structure holding the public key. This - /// must be initialized. If it contains a private key, that - /// part is ignored. - /// \param prv The keypair structure holding the full keypair. - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. + /// \param name The human-readable name. /// - /// \return \c 0 on success, meaning that the keys are valid and match. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match. - /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX - /// error code on calculation failure. - pub fn mbedtls_ecp_check_pub_priv( - pub_: *const mbedtls_ecp_keypair, - prv: *const mbedtls_ecp_keypair, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_name( + name: *const ::core::ffi::c_char, + ) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function exports generic key-pair parameters. - /// - /// \param key The key pair to export from. - /// \param grp Slot for exported ECP group. - /// It must point to an initialized ECP group. - /// \param d Slot for the exported secret value. - /// It must point to an initialized mpi. - /// \param Q Slot for the exported public value. - /// It must point to an initialized ECP point. + /// \brief This function initializes a point as zero. /// - /// \return \c 0 on success, - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't - /// correspond to a known group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_export( - key: *const mbedtls_ecp_keypair, - grp: *mut mbedtls_ecp_group, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - ) -> ::core::ffi::c_int; + /// \param pt The point to initialize. + pub fn mbedtls_ecp_point_init(pt: *mut mbedtls_ecp_point); } unsafe extern "C" { - /// \brief The ECP checkup routine. + /// \brief This function initializes an ECP group context + /// without loading any domain parameters. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_ecp_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -///< None. -pub const mbedtls_md_type_t_MBEDTLS_MD_NONE: mbedtls_md_type_t = 0; -///< The MD5 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_MD5: mbedtls_md_type_t = 1; -///< The SHA-1 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA1: mbedtls_md_type_t = 2; -///< The SHA-224 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA224: mbedtls_md_type_t = 3; -///< The SHA-256 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA256: mbedtls_md_type_t = 4; -///< The SHA-384 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA384: mbedtls_md_type_t = 5; -///< The SHA-512 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA512: mbedtls_md_type_t = 6; -///< The RIPEMD-160 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_RIPEMD160: mbedtls_md_type_t = 7; -/// \brief Supported message digests. -/// -/// \warning MD5 and SHA-1 are considered weak message digests and -/// their use constitutes a security risk. We recommend considering -/// stronger message digests instead. -pub type mbedtls_md_type_t = ::core::ffi::c_uint; -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md_info_t { - _unused: [u8; 0], -} -pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_LEGACY: mbedtls_md_engine_t = 0; -pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_PSA: mbedtls_md_engine_t = 1; -/// Used internally to indicate whether a context uses legacy or PSA. -/// -/// Internal use only. -pub type mbedtls_md_engine_t = ::core::ffi::c_uint; -/// The generic message-digest context. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md_context_t { - /// Information about the associated message digest. - pub private_md_info: *const mbedtls_md_info_t, - /// The digest-specific context (legacy) or the PSA operation. - pub private_md_ctx: *mut ::core::ffi::c_void, - /// The HMAC part of the context. - pub private_hmac_ctx: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_md_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \note After this function is called, domain parameters + /// for various ECP groups can be loaded through the + /// mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() + /// functions. + pub fn mbedtls_ecp_group_init(grp: *mut mbedtls_ecp_group); } unsafe extern "C" { - /// \brief This function returns the message-digest information - /// associated with the given digest type. - /// - /// \param md_type The type of digest to search for. + /// \brief This function initializes a key pair as an invalid one. /// - /// \return The message-digest information associated with \p md_type. - /// \return NULL if the associated message-digest information is not found. - pub fn mbedtls_md_info_from_type(md_type: mbedtls_md_type_t) -> *const mbedtls_md_info_t; + /// \param key The key pair to initialize. + pub fn mbedtls_ecp_keypair_init(key: *mut mbedtls_ecp_keypair); } unsafe extern "C" { - /// \brief This function initializes a message-digest context without - /// binding it to a particular message-digest algorithm. + /// \brief This function frees the components of a point. /// - /// This function should always be called first. It prepares the - /// context for mbedtls_md_setup() for binding it to a - /// message-digest algorithm. - pub fn mbedtls_md_init(ctx: *mut mbedtls_md_context_t); + /// \param pt The point to free. + pub fn mbedtls_ecp_point_free(pt: *mut mbedtls_ecp_point); } unsafe extern "C" { - /// \brief This function clears the internal structure of \p ctx and - /// frees any embedded internal structure, but does not free - /// \p ctx itself. + /// \brief This function frees the components of an ECP group. /// - /// If you have called mbedtls_md_setup() on \p ctx, you must - /// call mbedtls_md_free() when you are no longer using the - /// context. - /// Calling this function if you have previously - /// called mbedtls_md_init() and nothing else is optional. - /// You must not call this function if you have not called - /// mbedtls_md_init(). - pub fn mbedtls_md_free(ctx: *mut mbedtls_md_context_t); + /// \param grp The group to free. This may be \c NULL, in which + /// case this function returns immediately. If it is not + /// \c NULL, it must point to an initialized ECP group. + pub fn mbedtls_ecp_group_free(grp: *mut mbedtls_ecp_group); } unsafe extern "C" { - /// \brief This function selects the message digest algorithm to use, - /// and allocates internal structures. + /// \brief This function frees the components of a key pair. /// - /// It should be called after mbedtls_md_init() or - /// mbedtls_md_free(). Makes it necessary to call - /// mbedtls_md_free() later. + /// \param key The key pair to free. This may be \c NULL, in which + /// case this function returns immediately. If it is not + /// \c NULL, it must point to an initialized ECP key pair. + pub fn mbedtls_ecp_keypair_free(key: *mut mbedtls_ecp_keypair); +} +unsafe extern "C" { + /// \brief This function copies the contents of point \p Q into + /// point \p P. /// - /// \param ctx The context to set up. - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory), - /// or non-zero: HMAC is used with this context. + /// \param P The destination point. This must be initialized. + /// \param Q The source point. This must be initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - /// \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure. - pub fn mbedtls_md_setup( - ctx: *mut mbedtls_md_context_t, - md_info: *const mbedtls_md_info_t, - hmac: ::core::ffi::c_int, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code for other kinds of failure. + pub fn mbedtls_ecp_copy( + P: *mut mbedtls_ecp_point, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function clones the state of a message-digest - /// context. - /// - /// \note You must call mbedtls_md_setup() on \c dst before calling - /// this function. - /// - /// \note The two contexts must have the same type, - /// for example, both are SHA-256. - /// - /// \warning This function clones the message-digest state, not the - /// HMAC state. + /// \brief This function copies the contents of group \p src into + /// group \p dst. /// - /// \param dst The destination context. - /// \param src The context to be cloned. + /// \param dst The destination group. This must be initialized. + /// \param src The source group. This must be initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure. - /// \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are - /// not using the same engine. This can be avoided by moving - /// the call to psa_crypto_init() before the first call to - /// mbedtls_md_setup(). - pub fn mbedtls_md_clone( - dst: *mut mbedtls_md_context_t, - src: *const mbedtls_md_context_t, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_group_copy( + dst: *mut mbedtls_ecp_group, + src: *const mbedtls_ecp_group, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest size from the - /// message-digest information structure. + /// \brief This function sets a point to the point at infinity. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param pt The point to set. This must be initialized. /// - /// \return The size of the message-digest output in Bytes. - pub fn mbedtls_md_get_size(md_info: *const mbedtls_md_info_t) -> ::core::ffi::c_uchar; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_set_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest type from the - /// message-digest information structure. + /// \brief This function checks if a point is the point at infinity. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param pt The point to test. This must be initialized. /// - /// \return The type of the message digest. - pub fn mbedtls_md_get_type(md_info: *const mbedtls_md_info_t) -> mbedtls_md_type_t; + /// \return \c 1 if the point is zero. + /// \return \c 0 if the point is non-zero. + /// \return A negative error code on failure. + pub fn mbedtls_ecp_is_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function starts a message-digest computation. + /// \brief This function compares two points. /// - /// You must call this function after setting up the context - /// with mbedtls_md_setup(), and before passing data with - /// mbedtls_md_update(). + /// \note This assumes that the points are normalized. Otherwise, + /// they may compare as "not equal" even if they are. /// - /// \param ctx The generic message-digest context. + /// \param P The first point to compare. This must be initialized. + /// \param Q The second point to compare. This must be initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_starts(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; + /// \return \c 0 if the points are equal. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal. + pub fn mbedtls_ecp_point_cmp( + P: *const mbedtls_ecp_point, + Q: *const mbedtls_ecp_point, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// message-digest computation. - /// - /// You must call mbedtls_md_starts() before calling this - /// function. You may call this function multiple times. - /// Afterwards, call mbedtls_md_finish(). + /// \brief This function imports a non-zero point from two ASCII + /// strings. /// - /// \param ctx The generic message-digest context. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. + /// \param P The destination point. This must be initialized. + /// \param radix The numeric base of the input. + /// \param x The first affine coordinate, as a null-terminated string. + /// \param y The second affine coordinate, as a null-terminated string. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_update( - ctx: *mut mbedtls_md_context_t, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \return An \c MBEDTLS_ERR_MPI_XXX error code on failure. + pub fn mbedtls_ecp_point_read_string( + P: *mut mbedtls_ecp_point, + radix: ::core::ffi::c_int, + x: *const ::core::ffi::c_char, + y: *const ::core::ffi::c_char, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function finishes the digest operation, - /// and writes the result to the output buffer. - /// - /// Call this function after a call to mbedtls_md_starts(), - /// followed by any number of calls to mbedtls_md_update(). - /// Afterwards, you may either clear the context with - /// mbedtls_md_free(), or call mbedtls_md_starts() to reuse - /// the context for another digest operation with the same - /// algorithm. + /// \brief This function exports a point into unsigned binary data. /// - /// \param ctx The generic message-digest context. - /// \param output The buffer for the generic message-digest checksum result. + /// \param grp The group to which the point should belong. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param P The point to export. This must be initialized. + /// \param format The point format. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// (For groups without these formats, this parameter is + /// ignored. But it still has to be either of the above + /// values.) + /// \param olen The address at which to store the length of + /// the output in Bytes. This must not be \c NULL. + /// \param buf The output buffer. This must be a writable buffer + /// of length \p buflen Bytes. + /// \param buflen The length of the output buffer \p buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_finish( - ctx: *mut mbedtls_md_context_t, - output: *mut ::core::ffi::c_uchar, + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer + /// is too small to hold the point. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format + /// or the export for the given group is not implemented. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_point_write_binary( + grp: *const mbedtls_ecp_group, + P: *const mbedtls_ecp_point, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function calculates the message-digest of a buffer, - /// with respect to a configurable message-digest algorithm - /// in a single call. + /// \brief This function imports a point from unsigned binary data. /// - /// The result is calculated as - /// Output = message_digest(input buffer). + /// \note This function does not check that the point actually + /// belongs to the given group, see mbedtls_ecp_check_pubkey() + /// for that. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param input The buffer holding the data. - /// \param ilen The length of the input data. - /// \param output The generic message-digest checksum result. + /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for + /// limitations. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md( - md_info: *const mbedtls_md_info_t, - input: *const ::core::ffi::c_uchar, + /// \param grp The group to which the point should belong. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param P The destination context to import the point to. + /// This must be initialized. + /// \param buf The input buffer. This must be a readable buffer + /// of length \p ilen Bytes. + /// \param ilen The length of the input buffer \p buf in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the + /// given group is not implemented. + pub fn mbedtls_ecp_point_read_binary( + grp: *const mbedtls_ecp_group, + P: *mut mbedtls_ecp_point, + buf: *const ::core::ffi::c_uchar, ilen: usize, - output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function returns the list of digests supported by the - /// generic digest module. - /// - /// \note The list starts with the strongest available hashes. + /// \brief This function imports a point from a TLS ECPoint record. /// - /// \return A statically allocated array of digests. Each element - /// in the returned list is an integer belonging to the - /// message-digest enumeration #mbedtls_md_type_t. - /// The last entry is 0. - pub fn mbedtls_md_list() -> *const ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function returns the message-digest information - /// associated with the given digest name. + /// \note On function return, \p *buf is updated to point immediately + /// after the ECPoint record. /// - /// \param md_name The name of the digest to search for. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The destination point. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the buffer. /// - /// \return The message-digest information associated with \p md_name. - /// \return NULL if the associated message-digest information is not found. - pub fn mbedtls_md_info_from_string( - md_name: *const ::core::ffi::c_char, - ) -> *const mbedtls_md_info_t; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization + /// failure. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + pub fn mbedtls_ecp_tls_read_point( + grp: *const mbedtls_ecp_group, + pt: *mut mbedtls_ecp_point, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest name from the - /// message-digest information structure. + /// \brief This function exports a point as a TLS ECPoint record + /// defined in RFC 4492, Section 5.4. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The point to be exported. This must be initialized. + /// \param format The point format to use. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// \param olen The address at which to store the length in Bytes + /// of the data written. + /// \param buf The target buffer. This must be a writable buffer of + /// length \p blen Bytes. + /// \param blen The length of the target buffer \p buf in Bytes. /// - /// \return The name of the message digest. - pub fn mbedtls_md_get_name(md_info: *const mbedtls_md_info_t) -> *const ::core::ffi::c_char; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer + /// is too small to hold the exported point. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_write_point( + grp: *const mbedtls_ecp_group, + pt: *const mbedtls_ecp_point, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + blen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function returns the message-digest information - /// from the given context. + /// \brief This function sets up an ECP group context + /// from a standardized set of domain parameters. /// - /// \param ctx The context from which to extract the information. - /// This must be initialized (or \c NULL). + /// \note The index should be a value of the NamedCurve enum, + /// as defined in RFC-4492: Elliptic Curve Cryptography + /// (ECC) Cipher Suites for Transport Layer Security (TLS), + /// usually in the form of an \c MBEDTLS_ECP_DP_XXX macro. /// - /// \return The message-digest information associated with \p ctx. - /// \return \c NULL if \p ctx is \c NULL. - pub fn mbedtls_md_info_from_ctx(ctx: *const mbedtls_md_context_t) -> *const mbedtls_md_info_t; + /// \param grp The group context to setup. This must be initialized. + /// \param id The identifier of the domain parameter set to load. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't + /// correspond to a known group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_group_load( + grp: *mut mbedtls_ecp_group, + id: mbedtls_ecp_group_id, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the HMAC key and prepares to - /// authenticate a new message. + /// \brief This function sets up an ECP group context from a TLS + /// ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call this function after mbedtls_md_setup(), to use - /// the MD context for an HMAC calculation, then call - /// mbedtls_md_hmac_update() to provide the input data, and - /// mbedtls_md_hmac_finish() to get the HMAC value. + /// \note The read pointer \p buf is updated to point right after + /// the ECParameters record on exit. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param key The HMAC secret key. - /// \param keylen The length of the HMAC key in Bytes. + /// \param grp The group context to setup. This must be initialized. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the input buffer \c *buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_starts( - ctx: *mut mbedtls_md_context_t, - key: *const ::core::ffi::c_uchar, - keylen: usize, + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not + /// recognized. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_read_group( + grp: *mut mbedtls_ecp_group, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing HMAC - /// computation. + /// \brief This function extracts an elliptic curve group ID from a + /// TLS ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() - /// before calling this function. - /// You may call this function multiple times to pass the - /// input piecewise. - /// Afterwards, call mbedtls_md_hmac_finish(). + /// \note The read pointer \p buf is updated to point right after + /// the ECParameters record on exit. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. + /// \param grp The address at which to store the group id. + /// This must not be \c NULL. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the input buffer \c *buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_update( - ctx: *mut mbedtls_md_context_t, - input: *const ::core::ffi::c_uchar, - ilen: usize, + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not + /// recognized. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_read_group_id( + grp: *mut mbedtls_ecp_group_id, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function finishes the HMAC operation, and writes - /// the result to the output buffer. + /// \brief This function exports an elliptic curve as a TLS + /// ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call this function after mbedtls_md_hmac_starts() and - /// mbedtls_md_hmac_update() to get the HMAC value. Afterwards - /// you may either call mbedtls_md_free() to clear the context, - /// or call mbedtls_md_hmac_reset() to reuse the context with - /// the same HMAC key. - /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param output The generic HMAC checksum result. + /// \param grp The ECP group to be exported. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param olen The address at which to store the number of Bytes written. + /// This must not be \c NULL. + /// \param buf The buffer to write to. This must be a writable buffer + /// of length \p blen Bytes. + /// \param blen The length of the output buffer \p buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_finish( - ctx: *mut mbedtls_md_context_t, - output: *mut ::core::ffi::c_uchar, + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output + /// buffer is too small to hold the exported group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_write_group( + grp: *const mbedtls_ecp_group, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + blen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function prepares to authenticate a new message with - /// the same key as the previous HMAC operation. + /// \brief This function performs a scalar multiplication of a point + /// by an integer: \p R = \p m * \p P. /// - /// You may call this function after mbedtls_md_hmac_finish(). - /// Afterwards call mbedtls_md_hmac_update() to pass the new - /// input. + /// It is not thread-safe to use same group in multiple threads. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. + /// \note To prevent timing attacks, this function + /// executes the exact same sequence of base-field + /// operations for any valid \p m. It avoids any if-branch or + /// array index depending on the value of \p m. It also uses + /// \p f_rng to randomize some intermediate results. + /// + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply. This must be initialized. + /// \param P The point to multiply. This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_reset(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private + /// key, or \p P is not a valid public key. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_mul( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function calculates the full generic HMAC - /// on the input buffer with the provided key. + /// \brief This function performs multiplication of a point by + /// an integer: \p R = \p m * \p P in a restartable way. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// \see mbedtls_ecp_mul() /// - /// The HMAC result is calculated as - /// output = generic HMAC(hmac key, input buffer). + /// \note This function does the same as \c mbedtls_ecp_mul(), but + /// it can return early and restart according to the limit set + /// with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param key The HMAC secret key. - /// \param keylen The length of the HMAC secret key in Bytes. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. - /// \param output The generic HMAC result. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply. This must be initialized. + /// \param P The point to multiply. This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. + /// \param rs_ctx The restart context (NULL disables restart). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac( - md_info: *const mbedtls_md_info_t, - key: *const ::core::ffi::c_uchar, - keylen: usize, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private + /// key, or \p P is not a valid public key. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_mul_restartable( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecp_restart_ctx, ) -> ::core::ffi::c_int; } -/// \brief The RSA context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_rsa_context { - ///< Reserved for internal purposes. - /// Do not set this field in application - /// code. Its meaning might change without - /// notice. - pub private_ver: ::core::ffi::c_int, - ///< The size of \p N in Bytes. - pub private_len: usize, - ///< The public modulus. - pub private_N: mbedtls_mpi, - ///< The public exponent. - pub private_E: mbedtls_mpi, - ///< The private exponent. - pub private_D: mbedtls_mpi, - ///< The first prime factor. - pub private_P: mbedtls_mpi, - ///< The second prime factor. - pub private_Q: mbedtls_mpi, - ///< D % (P - 1). - pub private_DP: mbedtls_mpi, - ///< D % (Q - 1). - pub private_DQ: mbedtls_mpi, - ///< 1 / (Q % P). - pub private_QP: mbedtls_mpi, - ///< cached R^2 mod N. - pub private_RN: mbedtls_mpi, - ///< cached R^2 mod P. - pub private_RP: mbedtls_mpi, - ///< cached R^2 mod Q. - pub private_RQ: mbedtls_mpi, - ///< The cached blinding value. - pub private_Vi: mbedtls_mpi, - ///< The cached un-blinding value. - pub private_Vf: mbedtls_mpi, - ///< Selects padding mode: - ///#MBEDTLS_RSA_PKCS_V15 for 1.5 padding and - ///#MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. - pub private_padding: ::core::ffi::c_int, - ///< Hash identifier of mbedtls_md_type_t type, - ///as specified in md.h for use in the MGF - ///mask generating function used in the - ///EME-OAEP and EMSA-PSS encodings. - pub private_hash_id: ::core::ffi::c_int, -} -impl Default for mbedtls_rsa_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { - /// \brief This function initializes an RSA context. - /// - /// \note This function initializes the padding and the hash - /// identifier to respectively #MBEDTLS_RSA_PKCS_V15 and - /// #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more - /// information about those parameters. - /// - /// \param ctx The RSA context to initialize. This must not be \c NULL. - pub fn mbedtls_rsa_init(ctx: *mut mbedtls_rsa_context); -} -unsafe extern "C" { - /// \brief This function sets padding for an already initialized RSA - /// context. - /// - /// \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP - /// encryption scheme and the RSASSA-PSS signature scheme. + /// \brief This function performs multiplication and addition of two + /// points by integers: \p R = \p m * \p P + \p n * \p Q /// - /// \note The \p hash_id parameter is ignored when using - /// #MBEDTLS_RSA_PKCS_V15 padding. + /// It is not thread-safe to use same group in multiple threads. /// - /// \note The choice of padding mode is strictly enforced for private - /// key operations, since there might be security concerns in - /// mixing padding modes. For public key operations it is - /// a default value, which can be overridden by calling specific - /// \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx - /// functions. + /// \note In contrast to mbedtls_ecp_mul(), this function does not + /// guarantee a constant execution flow and timing. /// - /// \note The hash selected in \p hash_id is always used for OEAP - /// encryption. For PSS signatures, it is always used for - /// making signatures, but can be overridden for verifying them. - /// If set to #MBEDTLS_MD_NONE, it is always overridden. + /// \note This function is only defined for short Weierstrass curves. + /// It may not be included in builds without any short + /// Weierstrass curve. /// - /// \param ctx The initialized RSA context to be configured. - /// \param padding The padding mode to use. This must be either - /// #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. - /// \param hash_id The hash identifier for PSS or OAEP, if \p padding is - /// #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this - /// function but may be not suitable for some operations. - /// Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply \p P. + /// This must be initialized. + /// \param P The point to multiply by \p m. This must be initialized. + /// \param n The integer by which to multiply \p Q. + /// This must be initialized. + /// \param Q The point to be multiplied by \p n. + /// This must be initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: - /// \p padding or \p hash_id is invalid. - pub fn mbedtls_rsa_set_padding( - ctx: *mut mbedtls_rsa_context, - padding: ::core::ffi::c_int, - hash_id: mbedtls_md_type_t, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not + /// valid private keys, or \p P or \p Q are not valid public + /// keys. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not + /// designate a short Weierstrass curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_muladd( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + n: *const mbedtls_mpi, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves padding mode of initialized - /// RSA context. - /// - /// \param ctx The initialized RSA context. + /// \brief This function performs multiplication and addition of two + /// points by integers: \p R = \p m * \p P + \p n * \p Q in a + /// restartable way. /// - /// \return RSA padding mode. - pub fn mbedtls_rsa_get_padding_mode(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function retrieves hash identifier of mbedtls_md_type_t - /// type. + /// \see \c mbedtls_ecp_muladd() /// - /// \param ctx The initialized RSA context. + /// \note This function works the same as \c mbedtls_ecp_muladd(), + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \return Hash identifier of mbedtls_md_type_t type. - pub fn mbedtls_rsa_get_md_alg(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function imports a set of core parameters into an - /// RSA context. + /// \note This function is only defined for short Weierstrass curves. + /// It may not be included in builds without any short + /// Weierstrass curve. /// - /// \note This function can be called multiple times for successive - /// imports, if the parameters are not simultaneously present. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply \p P. + /// This must be initialized. + /// \param P The point to multiply by \p m. This must be initialized. + /// \param n The integer by which to multiply \p Q. + /// This must be initialized. + /// \param Q The point to be multiplied by \p n. + /// This must be initialized. + /// \param rs_ctx The restart context (NULL disables restart). /// - /// Any sequence of calls to this function should be followed - /// by a call to mbedtls_rsa_complete(), which checks and - /// completes the provided information to a ready-for-use - /// public or private RSA key. + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not + /// valid private keys, or \p P or \p Q are not valid public + /// keys. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not + /// designate a short Weierstrass curve. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_muladd_restartable( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + n: *const mbedtls_mpi, + Q: *const mbedtls_ecp_point, + rs_ctx: *mut mbedtls_ecp_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function checks that a point is a valid public key + /// on this curve. /// - /// \note See mbedtls_rsa_complete() for more information on which - /// parameters are necessary to set up a private or public - /// RSA key. + /// It only checks that the point is non-zero, has + /// valid coordinates and lies on the curve. It does not verify + /// that it is indeed a multiple of \c G. This additional + /// check is computationally more expensive, is not required + /// by standards, and should not be necessary if the group + /// used has a small cofactor. In particular, it is useless for + /// the NIST groups which all have a cofactor of 1. /// - /// \note The imported parameters are copied and need not be preserved - /// for the lifetime of the RSA context being set up. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure, to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \param ctx The initialized RSA context to store the parameters in. - /// \param N The RSA modulus. This may be \c NULL. - /// \param P The first prime factor of \p N. This may be \c NULL. - /// \param Q The second prime factor of \p N. This may be \c NULL. - /// \param D The private exponent. This may be \c NULL. - /// \param E The public exponent. This may be \c NULL. + /// \param grp The ECP group the point should belong to. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The point to check. This must be initialized. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_import( - ctx: *mut mbedtls_rsa_context, - N: *const mbedtls_mpi, - P: *const mbedtls_mpi, - Q: *const mbedtls_mpi, - D: *const mbedtls_mpi, - E: *const mbedtls_mpi, + /// \return \c 0 if the point is a valid public key. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not + /// a valid public key for the given curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_check_pubkey( + grp: *const mbedtls_ecp_group, + pt: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports core RSA parameters, in raw big-endian - /// binary format, into an RSA context. - /// - /// \note This function can be called multiple times for successive - /// imports, if the parameters are not simultaneously present. + /// \brief This function checks that an \c mbedtls_mpi is a + /// valid private key for this curve. /// - /// Any sequence of calls to this function should be followed - /// by a call to mbedtls_rsa_complete(), which checks and - /// completes the provided information to a ready-for-use - /// public or private RSA key. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \note See mbedtls_rsa_complete() for more information on which - /// parameters are necessary to set up a private or public - /// RSA key. + /// \param grp The ECP group the private key should belong to. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The integer to check. This must be initialized. /// - /// \note The imported parameters are copied and need not be preserved - /// for the lifetime of the RSA context being set up. + /// \return \c 0 if the point is a valid private key. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid + /// private key for the given curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_check_privkey( + grp: *const mbedtls_ecp_group, + d: *const mbedtls_mpi, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function generates a private key. /// - /// \param ctx The initialized RSA context to store the parameters in. - /// \param N The RSA modulus. This may be \c NULL. - /// \param N_len The Byte length of \p N; it is ignored if \p N == NULL. - /// \param P The first prime factor of \p N. This may be \c NULL. - /// \param P_len The Byte length of \p P; it is ignored if \p P == NULL. - /// \param Q The second prime factor of \p N. This may be \c NULL. - /// \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. - /// \param D The private exponent. This may be \c NULL. - /// \param D_len The Byte length of \p D; it is ignored if \p D == NULL. - /// \param E The public exponent. This may be \c NULL. - /// \param E_len The Byte length of \p E; it is ignored if \p E == NULL. + /// \param grp The ECP group to generate a private key for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The destination MPI (secret part). This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_import_raw( - ctx: *mut mbedtls_rsa_context, - N: *const ::core::ffi::c_uchar, - N_len: usize, - P: *const ::core::ffi::c_uchar, - P_len: usize, - Q: *const ::core::ffi::c_uchar, - Q_len: usize, - D: *const ::core::ffi::c_uchar, - D_len: usize, - E: *const ::core::ffi::c_uchar, - E_len: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_privkey( + grp: *const mbedtls_ecp_group, + d: *mut mbedtls_mpi, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function completes an RSA context from - /// a set of imported core parameters. - /// - /// To setup an RSA public key, precisely \p N and \p E - /// must have been imported. + /// \brief This function generates a keypair with a configurable base + /// point. /// - /// To setup an RSA private key, sufficient information must - /// be present for the other parameters to be derivable. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// The default implementation supports the following: - ///
  • Derive \p P, \p Q from \p N, \p D, \p E.
    • - ///
  • Derive \p N, \p D from \p P, \p Q, \p E.
- /// Alternative implementations need not support these. + /// \param grp The ECP group to generate a key pair for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param G The base point to use. This must be initialized + /// and belong to \p grp. It replaces the default base + /// point \c grp->G used by mbedtls_ecp_gen_keypair(). + /// \param d The destination MPI (secret part). + /// This must be initialized. + /// \param Q The destination point (public part). + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// If this function runs successfully, it guarantees that - /// the RSA context can be used for RSA operations without - /// the risk of failure or crash. + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_keypair_base( + grp: *mut mbedtls_ecp_group, + G: *const mbedtls_ecp_point, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function generates an ECP keypair. /// - /// \warning This function need not perform consistency checks - /// for the imported parameters. In particular, parameters that - /// are not needed by the implementation might be silently - /// discarded and left unchecked. To check the consistency - /// of the key material, see mbedtls_rsa_check_privkey(). + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \param ctx The initialized RSA context holding imported parameters. + /// \param grp The ECP group to generate a key pair for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The destination MPI (secret part). + /// This must be initialized. + /// \param Q The destination point (public part). + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations - /// failed. - pub fn mbedtls_rsa_complete(ctx: *mut mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_keypair( + grp: *mut mbedtls_ecp_group, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports the core parameters of an RSA key. - /// - /// If this function runs successfully, the non-NULL buffers - /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully - /// written, with additional unused space filled leading by - /// zero Bytes. - /// - /// Possible reasons for returning - /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    - ///
  • An alternative RSA implementation is in use, which - /// stores the key externally, and either cannot or should - /// not export it into RAM.
    • - ///
  • A SW or HW implementation might not support a certain - /// deduction. For example, \p P, \p Q from \p N, \p D, - /// and \p E if the former are not part of the - /// implementation.
- /// - /// If the function fails due to an unsupported operation, - /// the RSA context stays intact and remains usable. + /// \brief This function generates an ECP key. /// - /// \param ctx The initialized RSA context. - /// \param N The MPI to hold the RSA modulus. - /// This may be \c NULL if this field need not be exported. - /// \param P The MPI to hold the first prime factor of \p N. - /// This may be \c NULL if this field need not be exported. - /// \param Q The MPI to hold the second prime factor of \p N. - /// This may be \c NULL if this field need not be exported. - /// \param D The MPI to hold the private exponent. - /// This may be \c NULL if this field need not be exported. - /// \param E The MPI to hold the public exponent. - /// This may be \c NULL if this field need not be exported. + /// \param grp_id The ECP group identifier. + /// \param key The destination key. This must be initialized. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the - /// requested parameters cannot be done due to missing - /// functionality or because of security policies. - /// \return A non-zero return code on any other failure. - pub fn mbedtls_rsa_export( - ctx: *const mbedtls_rsa_context, - N: *mut mbedtls_mpi, - P: *mut mbedtls_mpi, - Q: *mut mbedtls_mpi, - D: *mut mbedtls_mpi, - E: *mut mbedtls_mpi, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports core parameters of an RSA key - /// in raw big-endian binary format. - /// - /// If this function runs successfully, the non-NULL buffers - /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully - /// written, with additional unused space filled leading by - /// zero Bytes. + /// \brief Set the public key in a key pair object. /// - /// Possible reasons for returning - /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    - ///
  • An alternative RSA implementation is in use, which - /// stores the key externally, and either cannot or should - /// not export it into RAM.
    • - ///
  • A SW or HW implementation might not support a certain - /// deduction. For example, \p P, \p Q from \p N, \p D, - /// and \p E if the former are not part of the - /// implementation.
- /// If the function fails due to an unsupported operation, - /// the RSA context stays intact and remains usable. + /// \note This function does not check that the point actually + /// belongs to the given group. Call mbedtls_ecp_check_pubkey() + /// on \p Q before calling this function to check that. /// - /// \note The length parameters are ignored if the corresponding - /// buffer pointers are NULL. + /// \note This function does not check that the public key matches + /// the private key that is already in \p key, if any. + /// To check the consistency of the resulting key pair object, + /// call mbedtls_ecp_check_pub_priv() after setting both + /// the public key and the private key. /// - /// \param ctx The initialized RSA context. - /// \param N The Byte array to store the RSA modulus, - /// or \c NULL if this field need not be exported. - /// \param N_len The size of the buffer for the modulus. - /// \param P The Byte array to hold the first prime factor of \p N, - /// or \c NULL if this field need not be exported. - /// \param P_len The size of the buffer for the first prime factor. - /// \param Q The Byte array to hold the second prime factor of \p N, - /// or \c NULL if this field need not be exported. - /// \param Q_len The size of the buffer for the second prime factor. - /// \param D The Byte array to hold the private exponent, - /// or \c NULL if this field need not be exported. - /// \param D_len The size of the buffer for the private exponent. - /// \param E The Byte array to hold the public exponent, - /// or \c NULL if this field need not be exported. - /// \param E_len The size of the buffer for the public exponent. + /// \param grp_id The ECP group identifier. + /// \param key The key pair object. It must be initialized. + /// If its group has already been set, it must match \p grp_id. + /// If its group has not been set, it will be set to \p grp_id. + /// If the public key has already been set, it is overwritten. + /// \param Q The public key to copy. This must be a point on the + /// curve indicated by \p grp_id. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the - /// requested parameters cannot be done due to missing - /// functionality or because of security policies. - /// \return A non-zero return code on any other failure. - pub fn mbedtls_rsa_export_raw( - ctx: *const mbedtls_rsa_context, - N: *mut ::core::ffi::c_uchar, - N_len: usize, - P: *mut ::core::ffi::c_uchar, - P_len: usize, - Q: *mut ::core::ffi::c_uchar, - Q_len: usize, - D: *mut ::core::ffi::c_uchar, - D_len: usize, - E: *mut ::core::ffi::c_uchar, - E_len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p key does not + /// match \p grp_id. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for + /// the group is not implemented. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_set_public_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports CRT parameters of a private RSA key. + /// \brief This function reads an elliptic curve private key. /// - /// \note Alternative RSA implementations not using CRT-parameters - /// internally can implement this function based on - /// mbedtls_rsa_deduce_opt(). + /// \note This function does not set the public key in the + /// key pair object. Without a public key, the key pair object + /// cannot be used with operations that require the public key. + /// Call mbedtls_ecp_keypair_calc_public() to set the public + /// key from the private key. Alternatively, you can call + /// mbedtls_ecp_set_public_key() to set the public key part, + /// and then optionally mbedtls_ecp_check_pub_priv() to check + /// that the private and public parts are consistent. + /// + /// \note If a public key has already been set in the key pair + /// object, this function does not check that it is consistent + /// with the private key. Call mbedtls_ecp_check_pub_priv() + /// after setting both the public key and the private key + /// to make that check. /// - /// \param ctx The initialized RSA context. - /// \param DP The MPI to hold \c D modulo `P-1`, - /// or \c NULL if it need not be exported. - /// \param DQ The MPI to hold \c D modulo `Q-1`, - /// or \c NULL if it need not be exported. - /// \param QP The MPI to hold modular inverse of \c Q modulo \c P, - /// or \c NULL if it need not be exported. + /// \param grp_id The ECP group identifier. + /// \param key The destination key. + /// \param buf The buffer containing the binary representation of the + /// key. (Big endian integer for Weierstrass curves, byte + /// string for Montgomery curves.) + /// \param buflen The length of the buffer in bytes. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_export_crt( - ctx: *const mbedtls_rsa_context, - DP: *mut mbedtls_mpi, - DQ: *mut mbedtls_mpi, - QP: *mut mbedtls_mpi, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is + /// invalid. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for + /// the group is not implemented. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_read_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + buf: *const ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves the length of RSA modulus in Bytes. + /// \brief This function exports an elliptic curve private key. /// - /// \param ctx The initialized RSA context. + /// \deprecated Note that although this function accepts an output + /// buffer that is smaller or larger than the key, most key + /// import interfaces require the output to have exactly + /// key's nominal length. It is generally simplest to + /// pass the key's nominal length as \c buflen, after + /// checking that the output buffer is large enough. + /// See the description of the \p buflen parameter for + /// how to calculate the nominal length. + /// To avoid this difficulty, use mbedtls_ecp_write_key_ext() + /// instead. + /// mbedtls_ecp_write_key() is deprecated and will be + /// removed in a future version of the library. + /// + /// \note If the private key was not set in \p key, + /// the output is unspecified. Future versions + /// may return an error in that case. /// - /// \return The length of the RSA modulus in Bytes. - pub fn mbedtls_rsa_get_len(ctx: *const mbedtls_rsa_context) -> usize; + /// \param key The private key. + /// \param buf The output buffer for containing the binary representation + /// of the key. + /// For Weierstrass curves, this is the big-endian + /// representation, padded with null bytes at the beginning + /// to reach \p buflen bytes. + /// For Montgomery curves, this is the standard byte string + /// representation (which is little-endian), padded with + /// null bytes at the end to reach \p buflen bytes. + /// \param buflen The total length of the buffer in bytes. + /// The length of the output is + /// (`grp->nbits` + 7) / 8 bytes + /// where `grp->nbits` is the private key size in bits. + /// For Weierstrass keys, if the output buffer is smaller, + /// leading zeros are trimmed to fit if possible. For + /// Montgomery keys, the output buffer must always be large + /// enough for the nominal length. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL or + /// #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the \p key + /// representation is larger than the available space in \p buf. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_write_key( + key: *mut mbedtls_ecp_keypair, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function generates an RSA keypair. - /// - /// \note mbedtls_rsa_init() must be called before this function, - /// to set up the RSA context. + /// \brief This function exports an elliptic curve private key. /// - /// \param ctx The initialized RSA context used to hold the key. - /// \param f_rng The RNG function to be used for key generation. - /// This is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. - /// This may be \c NULL if \p f_rng doesn't need a context. - /// \param nbits The size of the public key in bits. - /// \param exponent The public exponent to use. For example, \c 65537. - /// This must be odd and greater than \c 1. + /// \param key The private key. + /// \param olen On success, the length of the private key. + /// This is always (`grp->nbits` + 7) / 8 bytes + /// where `grp->nbits` is the private key size in bits. + /// \param buf The output buffer for containing the binary representation + /// of the key. + /// \param buflen The total length of the buffer in bytes. + /// #MBEDTLS_ECP_MAX_BYTES is always sufficient. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_gen_key( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - nbits: ::core::ffi::c_uint, - exponent: ::core::ffi::c_int, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key + /// representation is larger than the available space in \p buf. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if no private key is + /// set in \p key. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_write_key_ext( + key: *const mbedtls_ecp_keypair, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks if a context contains at least an RSA - /// public key. + /// \brief This function exports an elliptic curve public key. /// - /// If the function runs successfully, it is guaranteed that - /// enough information is present to perform an RSA public key - /// operation using mbedtls_rsa_public(). + /// \note If the public key was not set in \p key, + /// the output is unspecified. Future versions + /// may return an error in that case. /// - /// \param ctx The initialized RSA context to check. + /// \param key The public key. + /// \param format The point format. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// (For groups without these formats, this parameter is + /// ignored. But it still has to be either of the above + /// values.) + /// \param olen The address at which to store the length of + /// the output in Bytes. This must not be \c NULL. + /// \param buf The output buffer. This must be a writable buffer + /// of length \p buflen Bytes. + /// \param buflen The length of the output buffer \p buf in Bytes. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_pubkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer + /// is too small to hold the point. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format + /// or the export for the given group is not implemented. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_write_public_key( + key: *const mbedtls_ecp_keypair, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks if a context contains an RSA private key - /// and perform basic consistency checks. - /// - /// \note The consistency checks performed by this function not only - /// ensure that mbedtls_rsa_private() can be called successfully - /// on the given context, but that the various parameters are - /// mutually consistent with high probability, in the sense that - /// mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. + /// \brief This function checks that the keypair objects + /// \p pub and \p prv have the same group and the + /// same public point, and that the private key in + /// \p prv is consistent with the public key. /// - /// \warning This function should catch accidental misconfigurations - /// like swapping of parameters, but it cannot establish full - /// trust in neither the quality nor the consistency of the key - /// material that was used to setup the given RSA context: - ///
  • Consistency: Imported parameters that are irrelevant - /// for the implementation might be silently dropped. If dropped, - /// the current function does not have access to them, - /// and therefore cannot check them. See mbedtls_rsa_complete(). - /// If you want to check the consistency of the entire - /// content of a PKCS1-encoded RSA private key, for example, you - /// should use mbedtls_rsa_validate_params() before setting - /// up the RSA context. - /// Additionally, if the implementation performs empirical checks, - /// these checks substantiate but do not guarantee consistency.
    • - ///
  • Quality: This function is not expected to perform - /// extended quality assessments like checking that the prime - /// factors are safe. Additionally, it is the responsibility of the - /// user to ensure the trustworthiness of the source of his RSA - /// parameters, which goes beyond what is effectively checkable - /// by the library.
- /// - /// \param ctx The initialized RSA context to check. + /// \param pub The keypair structure holding the public key. This + /// must be initialized. If it contains a private key, that + /// part is ignored. + /// \param prv The keypair structure holding the full keypair. + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_privkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success, meaning that the keys are valid and match. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match. + /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX + /// error code on calculation failure. + pub fn mbedtls_ecp_check_pub_priv( + pub_: *const mbedtls_ecp_keypair, + prv: *const mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks a public-private RSA key pair. - /// - /// It checks each of the contexts, and makes sure they match. + /// \brief Calculate the public key from a private key in a key pair. /// - /// \param pub The initialized RSA context holding the public key. - /// \param prv The initialized RSA context holding the private key. + /// \param key A keypair structure. It must have a private key set. + /// If the public key is set, it will be overwritten. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_pub_priv( - pub_: *const mbedtls_rsa_context, - prv: *const mbedtls_rsa_context, + /// \return \c 0 on success. The key pair object can be used for + /// operations that require the public key. + /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX + /// error code on calculation failure. + pub fn mbedtls_ecp_keypair_calc_public( + key: *mut mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs an RSA public key operation. - /// - /// \param ctx The initialized RSA context to use. - /// \param input The input buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// - /// \note This function does not handle message padding. + /// \brief Query the group that a key pair belongs to. /// - /// \note Make sure to set \p input[0] = 0 or ensure that - /// input is smaller than \p N. + /// \param key The key pair to query. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_public( - ctx: *mut mbedtls_rsa_context, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return The group ID for the group registered in the key pair + /// object. + /// This is \c MBEDTLS_ECP_DP_NONE if no group has been set + /// in the key pair object. + pub fn mbedtls_ecp_keypair_get_group_id( + key: *const mbedtls_ecp_keypair, + ) -> mbedtls_ecp_group_id; } unsafe extern "C" { - /// \brief This function performs an RSA private key operation. - /// - /// \note Blinding is used if and only if a PRNG is provided. + /// \brief This function exports generic key-pair parameters. /// - /// \note If blinding is used, both the base of exponentiation - /// and the exponent are blinded, providing protection - /// against some side-channel attacks. + /// Each of the output parameters can be a null pointer + /// if you do not need that parameter. /// - /// \warning It is deprecated and a security risk to not provide - /// a PRNG here and thereby prevent the use of blinding. - /// Future versions of the library may enforce the presence - /// of a PRNG. + /// \note If the private key or the public key was not set in \p key, + /// the corresponding output is unspecified. Future versions + /// may return an error in that case. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function, used for blinding. It is mandatory. - /// \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context. - /// \param input The input buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \param key The key pair to export from. + /// \param grp Slot for exported ECP group. + /// It must either be null or point to an initialized ECP group. + /// \param d Slot for the exported secret value. + /// It must either be null or point to an initialized mpi. + /// \param Q Slot for the exported public value. + /// It must either be null or point to an initialized ECP point. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_private( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, + /// \return \c 0 on success, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't + /// correspond to a known group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_export( + key: *const mbedtls_ecp_keypair, + grp: *mut mbedtls_ecp_group, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function adds the message padding, then performs an RSA - /// operation. - /// - /// It is the generic wrapper for performing a PKCS#1 encryption - /// operation. - /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG to use. It is used for padding generation - /// and it is mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. May be - /// \c NULL if \p f_rng doesn't need a context argument. - /// \param ilen The length of the plaintext in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \brief The ECP checkup routine. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return \c 1 on failure. + pub fn mbedtls_ecp_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief The RSA context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_rsa_context { + ///< Reserved for internal purposes. + /// Do not set this field in application + /// code. Its meaning might change without + /// notice. + pub private_ver: ::core::ffi::c_int, + ///< The size of \p N in Bytes. + pub private_len: usize, + ///< The public modulus. + pub private_N: mbedtls_mpi, + ///< The public exponent. + pub private_E: mbedtls_mpi, + ///< The private exponent. + pub private_D: mbedtls_mpi, + ///< The first prime factor. + pub private_P: mbedtls_mpi, + ///< The second prime factor. + pub private_Q: mbedtls_mpi, + ///< D % (P - 1). + pub private_DP: mbedtls_mpi, + ///< D % (Q - 1). + pub private_DQ: mbedtls_mpi, + ///< 1 / (Q % P). + pub private_QP: mbedtls_mpi, + ///< cached R^2 mod N. + pub private_RN: mbedtls_mpi, + ///< cached R^2 mod P. + pub private_RP: mbedtls_mpi, + ///< cached R^2 mod Q. + pub private_RQ: mbedtls_mpi, + ///< The cached blinding value. + pub private_Vi: mbedtls_mpi, + ///< The cached un-blinding value. + pub private_Vf: mbedtls_mpi, + ///< Selects padding mode: + ///#MBEDTLS_RSA_PKCS_V15 for 1.5 padding and + ///#MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. + pub private_padding: ::core::ffi::c_int, + ///< Hash identifier of mbedtls_md_type_t type, + ///as specified in md.h for use in the MGF + ///mask generating function used in the + ///EME-OAEP and EMSA-PSS encodings. + pub private_hash_id: ::core::ffi::c_int, +} +impl Default for mbedtls_rsa_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 encryption operation - /// (RSAES-PKCS1-v1_5-ENCRYPT). + /// \brief This function initializes an RSA context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. It is mandatory and used for - /// padding generation. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// \param ilen The length of the plaintext in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note This function initializes the padding and the hash + /// identifier to respectively #MBEDTLS_RSA_PKCS_V15 and + /// #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more + /// information about those parameters. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_pkcs1_v15_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param ctx The RSA context to initialize. This must not be \c NULL. + pub fn mbedtls_rsa_init(ctx: *mut mbedtls_rsa_context); } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 OAEP encryption - /// operation (RSAES-OAEP-ENCRYPT). - /// - /// \note The output buffer must be as large as the size - /// of ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// \brief This function sets padding for an already initialized RSA + /// context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. This is needed for padding - /// generation and is mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// \param label The buffer holding the custom label to use. - /// This must be a readable buffer of length \p label_len - /// Bytes. It may be \c NULL if \p label_len is \c 0. - /// \param label_len The length of the label in Bytes. - /// \param ilen The length of the plaintext buffer \p input in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP + /// encryption scheme and the RSASSA-PSS signature scheme. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_oaep_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - label: *const ::core::ffi::c_uchar, - label_len: usize, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function performs an RSA operation, then removes the - /// message padding. + /// \note The \p hash_id parameter is ignored when using + /// #MBEDTLS_RSA_PKCS_V15 padding. /// - /// It is the generic wrapper for performing a PKCS#1 decryption - /// operation. + /// \note The choice of padding mode is strictly enforced for private + /// key operations, since there might be security concerns in + /// mixing padding modes. For public key operations it is + /// a default value, which can be overridden by calling specific + /// \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx + /// functions. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N (for example, - /// 128 Bytes if RSA-1024 is used) to be able to hold an - /// arbitrary decrypted message. If it is not large enough to - /// hold the decryption of the particular ciphertext provided, - /// the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \note The hash selected in \p hash_id is always used for OEAP + /// encryption. For PSS signatures, it is always used for + /// making signatures, but can be overridden for verifying them. + /// If set to #MBEDTLS_MD_NONE, it is always overridden. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// \param ctx The initialized RSA context to be configured. + /// \param padding The padding mode to use. This must be either + /// #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. + /// \param hash_id The hash identifier for PSS or OAEP, if \p padding is + /// #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this + /// function but may be not suitable for some operations. + /// Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_decrypt( + /// \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: + /// \p padding or \p hash_id is invalid. + pub fn mbedtls_rsa_set_padding( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, + padding: ::core::ffi::c_int, + hash_id: mbedtls_md_type_t, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 decryption - /// operation (RSAES-PKCS1-v1_5-DECRYPT). + /// \brief This function retrieves padding mode of initialized + /// RSA context. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N, for example, - /// 128 Bytes if RSA-1024 is used, to be able to hold an - /// arbitrary decrypted message. If it is not large enough to - /// hold the decryption of the particular ciphertext provided, - /// the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \param ctx The initialized RSA context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// \return RSA padding mode. + pub fn mbedtls_rsa_get_padding_mode(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function retrieves hash identifier of mbedtls_md_type_t + /// type. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_pkcs1_v15_decrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The initialized RSA context. + /// + /// \return Hash identifier of mbedtls_md_type_t type. + pub fn mbedtls_rsa_get_md_alg(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 OAEP decryption - /// operation (RSAES-OAEP-DECRYPT). + /// \brief This function imports a set of core parameters into an + /// RSA context. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N, for - /// example, 128 Bytes if RSA-1024 is used, to be able to - /// hold an arbitrary decrypted message. If it is not - /// large enough to hold the decryption of the particular - /// ciphertext provided, the function returns - /// #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \note This function can be called multiple times for successive + /// imports, if the parameters are not simultaneously present. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param label The buffer holding the custom label to use. - /// This must be a readable buffer of length \p label_len - /// Bytes. It may be \c NULL if \p label_len is \c 0. - /// \param label_len The length of the label in Bytes. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// Any sequence of calls to this function should be followed + /// by a call to mbedtls_rsa_complete(), which checks and + /// completes the provided information to a ready-for-use + /// public or private RSA key. + /// + /// \note See mbedtls_rsa_complete() for more information on which + /// parameters are necessary to set up a private or public + /// RSA key. + /// + /// \note The imported parameters are copied and need not be preserved + /// for the lifetime of the RSA context being set up. + /// + /// \param ctx The initialized RSA context to store the parameters in. + /// \param N The RSA modulus. This may be \c NULL. + /// \param P The first prime factor of \p N. This may be \c NULL. + /// \param Q The second prime factor of \p N. This may be \c NULL. + /// \param D The private exponent. This may be \c NULL. + /// \param E The public exponent. This may be \c NULL. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_oaep_decrypt( + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_import( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - label: *const ::core::ffi::c_uchar, - label_len: usize, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, + N: *const mbedtls_mpi, + P: *const mbedtls_mpi, + Q: *const mbedtls_mpi, + D: *const mbedtls_mpi, + E: *const mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a private RSA operation to sign - /// a message digest using PKCS#1. + /// \brief This function imports core RSA parameters, in raw big-endian + /// binary format, into an RSA context. /// - /// It is the generic wrapper for performing a PKCS#1 - /// signature. + /// \note This function can be called multiple times for successive + /// imports, if the parameters are not simultaneously present. /// - /// \note The \p sig buffer must be as large as the size - /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// Any sequence of calls to this function should be followed + /// by a call to mbedtls_rsa_complete(), which checks and + /// completes the provided information to a ready-for-use + /// public or private RSA key. /// - /// \note For PKCS#1 v2.1 encoding, see comments on - /// mbedtls_rsa_rsassa_pss_sign() for details on - /// \p md_alg and \p hash_id. + /// \note See mbedtls_rsa_complete() for more information on which + /// parameters are necessary to set up a private or public + /// RSA key. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. This is mandatory and - /// must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// \note The imported parameters are copied and need not be preserved + /// for the lifetime of the RSA context being set up. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_sign( + /// \param ctx The initialized RSA context to store the parameters in. + /// \param N The RSA modulus. This may be \c NULL. + /// \param N_len The Byte length of \p N; it is ignored if \p N == NULL. + /// \param P The first prime factor of \p N. This may be \c NULL. + /// \param P_len The Byte length of \p P; it is ignored if \p P == NULL. + /// \param Q The second prime factor of \p N. This may be \c NULL. + /// \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. + /// \param D The private exponent. This may be \c NULL. + /// \param D_len The Byte length of \p D; it is ignored if \p D == NULL. + /// \param E The public exponent. This may be \c NULL. + /// \param E_len The Byte length of \p E; it is ignored if \p E == NULL. + /// + /// \return \c 0 on success. + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_import_raw( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, + N: *const ::core::ffi::c_uchar, + N_len: usize, + P: *const ::core::ffi::c_uchar, + P_len: usize, + Q: *const ::core::ffi::c_uchar, + Q_len: usize, + D: *const ::core::ffi::c_uchar, + D_len: usize, + E: *const ::core::ffi::c_uchar, + E_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 signature - /// operation (RSASSA-PKCS1-v1_5-SIGN). + /// \brief This function completes an RSA context from + /// a set of imported core parameters. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// To setup an RSA public key, precisely \c N and \c E + /// must have been imported. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pkcs1_v15_sign( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS signature - /// operation (RSASSA-PSS-SIGN). + /// To setup an RSA private key, sufficient information must + /// be present for the other parameters to be derivable. /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. + /// The default implementation supports the following: + ///
  • Derive \c P, \c Q from \c N, \c D, \c E.
    • + ///
  • Derive \c N, \c D from \c P, \c Q, \c E.
+ /// Alternative implementations need not support these. /// - /// \note This function enforces that the provided salt length complies - /// with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 - /// step 3. The constraint is that the hash length plus the salt - /// length plus 2 bytes must be at most the key length. If this - /// constraint is not met, this function returns - /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. + /// If this function runs successfully, it guarantees that + /// the RSA context can be used for RSA operations without + /// the risk of failure or crash. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param saltlen The length of the salt that should be used. - /// If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use - /// the largest possible salt length up to the hash length, - /// which is the largest permitted by some standards including - /// FIPS 186-4 §5.5. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// \warning This function need not perform consistency checks + /// for the imported parameters. In particular, parameters that + /// are not needed by the implementation might be silently + /// discarded and left unchecked. To check the consistency + /// of the key material, see mbedtls_rsa_check_privkey(). /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_sign_ext( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - saltlen: ::core::ffi::c_int, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param ctx The initialized RSA context holding imported parameters. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations + /// failed. + pub fn mbedtls_rsa_complete(ctx: *mut mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS signature - /// operation (RSASSA-PSS-SIGN). + /// \brief This function exports the core parameters of an RSA key. /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. + /// If this function runs successfully, the non-NULL buffers + /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + /// written, with additional unused space filled leading by + /// zero Bytes. /// - /// \note This function always uses the maximum possible salt size, - /// up to the length of the payload hash. This choice of salt - /// size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 - /// v2.2) §9.1.1 step 3. Furthermore this function enforces a - /// minimum salt size which is the hash size minus 2 bytes. If - /// this minimum size is too large given the key size (the salt - /// size, plus the hash size, plus 2 bytes must be no more than - /// the key size in bytes), this function returns - /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. + /// Possible reasons for returning + /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    + ///
  • An alternative RSA implementation is in use, which + /// stores the key externally, and either cannot or should + /// not export it into RAM.
    • + ///
  • A SW or HW implementation might not support a certain + /// deduction. For example, \p P, \p Q from \p N, \p D, + /// and \p E if the former are not part of the + /// implementation.
/// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// If the function fails due to an unsupported operation, + /// the RSA context stays intact and remains usable. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_sign( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, + /// \param ctx The initialized RSA context. + /// \param N The MPI to hold the RSA modulus. + /// This may be \c NULL if this field need not be exported. + /// \param P The MPI to hold the first prime factor of \p N. + /// This may be \c NULL if this field need not be exported. + /// \param Q The MPI to hold the second prime factor of \p N. + /// This may be \c NULL if this field need not be exported. + /// \param D The MPI to hold the private exponent. + /// This may be \c NULL if this field need not be exported. + /// \param E The MPI to hold the public exponent. + /// This may be \c NULL if this field need not be exported. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the + /// requested parameters cannot be done due to missing + /// functionality or because of security policies. + /// \return A non-zero return code on any other failure. + pub fn mbedtls_rsa_export( + ctx: *const mbedtls_rsa_context, + N: *mut mbedtls_mpi, + P: *mut mbedtls_mpi, + Q: *mut mbedtls_mpi, + D: *mut mbedtls_mpi, + E: *mut mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a public RSA operation and checks - /// the message digest. - /// - /// This is the generic wrapper for performing a PKCS#1 - /// verification. + /// \brief This function exports core parameters of an RSA key + /// in raw big-endian binary format. /// - /// \note For PKCS#1 v2.1 encoding, see comments on - /// mbedtls_rsa_rsassa_pss_verify() about \p md_alg and - /// \p hash_id. + /// If this function runs successfully, the non-NULL buffers + /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + /// written, with additional unused space filled leading by + /// zero Bytes. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// Possible reasons for returning + /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    + ///
  • An alternative RSA implementation is in use, which + /// stores the key externally, and either cannot or should + /// not export it into RAM.
    • + ///
  • A SW or HW implementation might not support a certain + /// deduction. For example, \p P, \p Q from \p N, \p D, + /// and \p E if the former are not part of the + /// implementation.
+ /// If the function fails due to an unsupported operation, + /// the RSA context stays intact and remains usable. /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, + /// \note The length parameters are ignored if the corresponding + /// buffer pointers are NULL. + /// + /// \param ctx The initialized RSA context. + /// \param N The Byte array to store the RSA modulus, + /// or \c NULL if this field need not be exported. + /// \param N_len The size of the buffer for the modulus. + /// \param P The Byte array to hold the first prime factor of \p N, + /// or \c NULL if this field need not be exported. + /// \param P_len The size of the buffer for the first prime factor. + /// \param Q The Byte array to hold the second prime factor of \p N, + /// or \c NULL if this field need not be exported. + /// \param Q_len The size of the buffer for the second prime factor. + /// \param D The Byte array to hold the private exponent, + /// or \c NULL if this field need not be exported. + /// \param D_len The size of the buffer for the private exponent. + /// \param E The Byte array to hold the public exponent, + /// or \c NULL if this field need not be exported. + /// \param E_len The size of the buffer for the public exponent. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the + /// requested parameters cannot be done due to missing + /// functionality or because of security policies. + /// \return A non-zero return code on any other failure. + pub fn mbedtls_rsa_export_raw( + ctx: *const mbedtls_rsa_context, + N: *mut ::core::ffi::c_uchar, + N_len: usize, + P: *mut ::core::ffi::c_uchar, + P_len: usize, + Q: *mut ::core::ffi::c_uchar, + Q_len: usize, + D: *mut ::core::ffi::c_uchar, + D_len: usize, + E: *mut ::core::ffi::c_uchar, + E_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 verification - /// operation (RSASSA-PKCS1-v1_5-VERIFY). + /// \brief This function exports CRT parameters of a private RSA key. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note Alternative RSA implementations not using CRT-parameters + /// internally can implement this function based on + /// mbedtls_rsa_deduce_opt(). /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pkcs1_v15_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, + /// \param ctx The initialized RSA context. + /// \param DP The MPI to hold \c D modulo `P-1`, + /// or \c NULL if it need not be exported. + /// \param DQ The MPI to hold \c D modulo `Q-1`, + /// or \c NULL if it need not be exported. + /// \param QP The MPI to hold modular inverse of \c Q modulo \c P, + /// or \c NULL if it need not be exported. + /// + /// \return \c 0 on success. + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_export_crt( + ctx: *const mbedtls_rsa_context, + DP: *mut mbedtls_mpi, + DQ: *mut mbedtls_mpi, + QP: *mut mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS verification - /// operation (RSASSA-PSS-VERIFY). - /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. If the \c hash_id set in \p ctx by - /// mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg - /// parameter is used. + /// \brief This function retrieves the length of the RSA modulus in bits. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \param ctx The initialized RSA context. /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return The length of the RSA modulus in bits. + pub fn mbedtls_rsa_get_bitlen(ctx: *const mbedtls_rsa_context) -> usize; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS verification - /// operation (RSASSA-PSS-VERIFY). + /// \brief This function retrieves the length of RSA modulus in Bytes. /// - /// \note The \p sig buffer must be as large as the size - /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// \param ctx The initialized RSA context. /// - /// \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is - /// ignored. + /// \return The length of the RSA modulus in Bytes. + pub fn mbedtls_rsa_get_len(ctx: *const mbedtls_rsa_context) -> usize; +} +unsafe extern "C" { + /// \brief This function generates an RSA keypair. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param mgf1_hash_id The message digest algorithm used for the - /// verification operation and the mask generation - /// function (MGF1). For more details on the encoding - /// operation and the mask generation function, consult - /// RFC-3447: Public-Key Cryptography Standards - /// (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. - /// \param expected_salt_len The length of the salt used in padding. Use - /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note mbedtls_rsa_init() must be called before this function, + /// to set up the RSA context. /// - /// \return \c 0 if the verify operation was successful. + /// \param ctx The initialized RSA context used to hold the key. + /// \param f_rng The RNG function to be used for key generation. + /// This is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. + /// This may be \c NULL if \p f_rng doesn't need a context. + /// \param nbits The size of the public key in bits. + /// \param exponent The public exponent to use. For example, \c 65537. + /// This must be odd and greater than \c 1. + /// + /// \return \c 0 on success. /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_verify_ext( + pub fn mbedtls_rsa_gen_key( ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - mgf1_hash_id: mbedtls_md_type_t, - expected_salt_len: ::core::ffi::c_int, - sig: *const ::core::ffi::c_uchar, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + nbits: ::core::ffi::c_uint, + exponent: ::core::ffi::c_int, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function copies the components of an RSA context. + /// \brief This function checks if a context contains at least an RSA + /// public key. /// - /// \param dst The destination context. This must be initialized. - /// \param src The source context. This must be initialized. + /// If the function runs successfully, it is guaranteed that + /// enough information is present to perform an RSA public key + /// operation using mbedtls_rsa_public(). + /// + /// \param ctx The initialized RSA context to check. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. - pub fn mbedtls_rsa_copy( - dst: *mut mbedtls_rsa_context, - src: *const mbedtls_rsa_context, - ) -> ::core::ffi::c_int; + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_pubkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function frees the components of an RSA key. + /// \brief This function checks if a context contains an RSA private key + /// and perform basic consistency checks. /// - /// \param ctx The RSA context to free. May be \c NULL, in which case - /// this function is a no-op. If it is not \c NULL, it must - /// point to an initialized RSA context. - pub fn mbedtls_rsa_free(ctx: *mut mbedtls_rsa_context); + /// \note The consistency checks performed by this function not only + /// ensure that mbedtls_rsa_private() can be called successfully + /// on the given context, but that the various parameters are + /// mutually consistent with high probability, in the sense that + /// mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. + /// + /// \warning This function should catch accidental misconfigurations + /// like swapping of parameters, but it cannot establish full + /// trust in neither the quality nor the consistency of the key + /// material that was used to setup the given RSA context: + ///
  • Consistency: Imported parameters that are irrelevant + /// for the implementation might be silently dropped. If dropped, + /// the current function does not have access to them, + /// and therefore cannot check them. See mbedtls_rsa_complete(). + /// If you want to check the consistency of the entire + /// content of a PKCS1-encoded RSA private key, for example, you + /// should use mbedtls_rsa_validate_params() before setting + /// up the RSA context. + /// Additionally, if the implementation performs empirical checks, + /// these checks substantiate but do not guarantee consistency.
    • + ///
  • Quality: This function is not expected to perform + /// extended quality assessments like checking that the prime + /// factors are safe. Additionally, it is the responsibility of the + /// user to ensure the trustworthiness of the source of his RSA + /// parameters, which goes beyond what is effectively checkable + /// by the library.
+ /// + /// \param ctx The initialized RSA context to check. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_privkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief The RSA checkup routine. + /// \brief This function checks a public-private RSA key pair. + /// + /// It checks each of the contexts, and makes sure they match. + /// + /// \param pub The initialized RSA context holding the public key. + /// \param prv The initialized RSA context holding the private key. /// /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_rsa_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -/// \brief The ECDSA context structure. -/// -/// \warning Performing multiple operations concurrently on the same -/// ECDSA context is not supported; objects of this type -/// should not be shared between multiple threads. -/// -/// \note pk_wrap module assumes that "ecdsa_context" is identical -/// to "ecp_keypair" (see for example structure -/// "mbedtls_eckey_info" where ECDSA sign/verify functions -/// are used also for EC key) -pub type mbedtls_ecdsa_context = mbedtls_ecp_keypair; -pub type mbedtls_ecdsa_restart_ctx = ::core::ffi::c_void; + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_pub_priv( + pub_: *const mbedtls_rsa_context, + prv: *const mbedtls_rsa_context, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { - /// \brief This function checks whether a given group can be used - /// for ECDSA. + /// \brief This function performs an RSA public key operation. /// - /// \param gid The ECP group ID to check. + /// \param ctx The initialized RSA context to use. + /// \param input The input buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 1 if the group can be used, \c 0 otherwise - pub fn mbedtls_ecdsa_can_do(gid: mbedtls_ecp_group_id) -> ::core::ffi::c_int; + /// \note This function does not handle message padding. + /// + /// \note Make sure to set \p input[0] = 0 or ensure that + /// input is smaller than \c N. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_public( + ctx: *mut mbedtls_rsa_context, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message. + /// \brief This function performs an RSA private key operation. /// - /// \note The deterministic version implemented in - /// mbedtls_ecdsa_sign_det_ext() is usually preferred. + /// \note Blinding is used if and only if a PRNG is provided. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated - /// as defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. + /// \note If blinding is used, both the base of exponentiation + /// and the exponent are blinded, providing protection + /// against some side-channel attacks. /// - /// \see ecp.h + /// \warning It is deprecated and a security risk to not provide + /// a PRNG here and thereby prevent the use of blinding. + /// Future versions of the library may enforce the presence + /// of a PRNG. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized. - /// \param buf The content to be signed. This is usually the hash of - /// the original data to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function, used for blinding. It is mandatory. + /// \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context. + /// \param input The input buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX - /// or \c MBEDTLS_MPI_XXX error code on failure. - pub fn mbedtls_ecdsa_sign( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_private( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, deterministic version. + /// \brief This function adds the message padding, then performs an RSA + /// operation. /// - /// For more information, see RFC-6979: Deterministic - /// Usage of the Digital Signature Algorithm (DSA) and Elliptic - /// Curve Digital Signature Algorithm (ECDSA). + /// It is the generic wrapper for performing a PKCS#1 encryption + /// operation. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG to use. It is used for padding generation + /// and it is mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. May be + /// \c NULL if \p f_rng doesn't need a context argument. + /// \param ilen The length of the plaintext in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \see ecp.h + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a PKCS#1 v1.5 encryption operation + /// (RSAES-PKCS1-v1_5-ENCRYPT). /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param md_alg The hash algorithm used to hash the original data. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. It is mandatory and used for + /// padding generation. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. + /// \param ilen The length of the plaintext in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_det_ext( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - md_alg: mbedtls_md_type_t, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_pkcs1_v15_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, in a restartable way. + /// \brief This function performs a PKCS#1 v2.1 OAEP encryption + /// operation (RSAES-OAEP-ENCRYPT). /// - /// \note The deterministic version implemented in - /// mbedtls_ecdsa_sign_det_restartable() is usually - /// preferred. + /// \note The output buffer must be as large as the size + /// of ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \note This function is like \c mbedtls_ecdsa_sign() but - /// it can return early and restart according to the - /// limit set with \c mbedtls_ecp_set_max_ops() to - /// reduce blocking. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. This is needed for padding + /// generation and is mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. + /// \param label The buffer holding the custom label to use. + /// This must be a readable buffer of length \p label_len + /// Bytes. It may be \c NULL if \p label_len is \c 0. + /// \param label_len The length of the label in Bytes. + /// \param ilen The length of the plaintext buffer \p input in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \note If the bitlength of the message hash is larger - /// than the bitlength of the group order, then the - /// hash is truncated as defined in Standards for - /// Efficient Cryptography Group (SECG): SEC1 Elliptic - /// Curve Cryptography, section 4.1.3, step 5. + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_oaep_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + label: *const ::core::ffi::c_uchar, + label_len: usize, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs an RSA operation, then removes the + /// message padding. /// - /// \see ecp.h + /// It is the generic wrapper for performing a PKCS#1 decryption + /// operation. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through - /// mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param rs_ctx The restart context to use. This may be \c NULL - /// to disable restarting. If it is not \c NULL, it - /// must point to an initialized restart context. + /// \warning When \p ctx->padding is set to #MBEDTLS_RSA_PKCS_V15, + /// mbedtls_rsa_rsaes_pkcs1_v15_decrypt() is called, which is an + /// inherently dangerous function (CWE-242). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c - /// mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c - /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_restartable( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N (for example, + /// 128 Bytes if RSA-1024 is used) to be able to hold an + /// arbitrary decrypted message. If it is not large enough to + /// hold the decryption of the particular ciphertext provided, + /// the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, in a restartable way. - /// - /// \note This function is like \c - /// mbedtls_ecdsa_sign_det_ext() but it can return - /// early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \brief This function performs a PKCS#1 v1.5 decryption + /// operation (RSAES-PKCS1-v1_5-DECRYPT). /// - /// \note If the bitlength of the message hash is larger - /// than the bitlength of the group order, then the - /// hash is truncated as defined in Standards for - /// Efficient Cryptography Group (SECG): SEC1 Elliptic - /// Curve Cryptography, section 4.1.3, step 5. + /// \warning This is an inherently dangerous function (CWE-242). Unless + /// it is used in a side channel free and safe way (eg. + /// implementing the TLS protocol as per 7.4.7.1 of RFC 5246), + /// the calling code is vulnerable. /// - /// \see ecp.h + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N, for example, + /// 128 Bytes if RSA-1024 is used, to be able to hold an + /// arbitrary decrypted message. If it is not large enough to + /// hold the decryption of the particular ciphertext provided, + /// the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through - /// mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param md_alg The hash algorithm used to hash the original data. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param rs_ctx The restart context to use. This may be \c NULL - /// to disable restarting. If it is not \c NULL, it - /// must point to an initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c - /// mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c - /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_det_restartable( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - md_alg: mbedtls_md_type_t, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_pkcs1_v15_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function verifies the ECDSA signature of a - /// previously-hashed message. - /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// \brief This function performs a PKCS#1 v2.1 OAEP decryption + /// operation (RSAES-OAEP-DECRYPT). /// - /// \see ecp.h + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N, for + /// example, 128 Bytes if RSA-1024 is used, to be able to + /// hold an arbitrary decrypted message. If it is not + /// large enough to hold the decryption of the particular + /// ciphertext provided, the function returns + /// #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param buf The hashed content that was signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param Q The public key to use for verification. This must be - /// initialized and setup. - /// \param r The first integer of the signature. - /// This must be initialized. - /// \param s The second integer of the signature. - /// This must be initialized. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param label The buffer holding the custom label to use. + /// This must be a readable buffer of length \p label_len + /// Bytes. It may be \c NULL if \p label_len is \c 0. + /// \param label_len The length of the label in Bytes. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_verify( - grp: *mut mbedtls_ecp_group, - buf: *const ::core::ffi::c_uchar, - blen: usize, - Q: *const mbedtls_ecp_point, - r: *const mbedtls_mpi, - s: *const mbedtls_mpi, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_oaep_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + label: *const ::core::ffi::c_uchar, + label_len: usize, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function verifies the ECDSA signature of a - /// previously-hashed message, in a restartable manner + /// \brief This function performs a private RSA operation to sign + /// a message digest using PKCS#1. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// It is the generic wrapper for performing a PKCS#1 + /// signature. /// - /// \see ecp.h + /// \note The \p sig buffer must be as large as the size + /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param buf The hashed content that was signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param Q The public key to use for verification. This must be - /// initialized and setup. - /// \param r The first integer of the signature. - /// This must be initialized. - /// \param s The second integer of the signature. - /// This must be initialized. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_verify_restartable( - grp: *mut mbedtls_ecp_group, - buf: *const ::core::ffi::c_uchar, - blen: usize, - Q: *const mbedtls_ecp_point, - r: *const mbedtls_mpi, - s: *const mbedtls_mpi, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function computes the ECDSA signature and writes it - /// to a buffer, serialized as defined in RFC-4492: - /// Elliptic Curve Cryptography (ECC) Cipher Suites for - /// Transport Layer Security (TLS). - /// - /// \warning It is not thread-safe to use the same context in - /// multiple threads. - /// - /// \note The deterministic version is used if - /// #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more - /// information, see RFC-6979: Deterministic Usage - /// of the Digital Signature Algorithm (DSA) and Elliptic - /// Curve Digital Signature Algorithm (ECDSA). - /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. - /// - /// \see ecp.h + /// \note For PKCS#1 v2.1 encoding, see comments on + /// mbedtls_rsa_rsassa_pss_sign() for details on + /// \p md_alg and \p hash_id. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and private key bound to it, for example - /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). - /// \param md_alg The message digest that was used to hash the message. - /// \param hash The message hash to be signed. This must be a readable - /// buffer of length \p blen Bytes. - /// \param hlen The length of the hash \p hash in Bytes. - /// \param sig The buffer to which to write the signature. This must be a - /// writable buffer of length at least twice as large as the - /// size of the curve used, plus 9. For example, 73 Bytes if - /// a 256-bit curve is used. A buffer length of - /// #MBEDTLS_ECDSA_MAX_LEN is always safe. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param slen The address at which to store the actual length of - /// the signature written. Must not be \c NULL. - /// \param f_rng The RNG function. This must not be \c NULL if - /// #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, - /// it is used only for blinding and may be set to \c NULL, but - /// doing so is DEPRECATED. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. This is mandatory and + /// must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or - /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. - pub fn mbedtls_ecdsa_write_signature( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - slen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature and writes it - /// to a buffer, in a restartable way. - /// - /// \see \c mbedtls_ecdsa_write_signature() - /// - /// \note This function is like \c mbedtls_ecdsa_write_signature() - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \brief This function performs a PKCS#1 v1.5 signature + /// operation (RSASSA-PKCS1-v1_5-SIGN). /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and private key bound to it, for example - /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). - /// \param md_alg The message digest that was used to hash the message. - /// \param hash The message hash to be signed. This must be a readable - /// buffer of length \p blen Bytes. - /// \param hlen The length of the hash \p hash in Bytes. - /// \param sig The buffer to which to write the signature. This must be a - /// writable buffer of length at least twice as large as the - /// size of the curve used, plus 9. For example, 73 Bytes if - /// a 256-bit curve is used. A buffer length of - /// #MBEDTLS_ECDSA_MAX_LEN is always safe. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param slen The address at which to store the actual length of - /// the signature written. Must not be \c NULL. - /// \param f_rng The RNG function. This must not be \c NULL if - /// #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, - /// it is unused and may be set to \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng is \c NULL or doesn't use a context. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or - /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. - pub fn mbedtls_ecdsa_write_signature_restartable( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pkcs1_v15_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - slen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function reads and verifies an ECDSA signature. + /// \brief This function performs a PKCS#1 v2.1 PSS signature + /// operation (RSASSA-PSS-SIGN). /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. /// - /// \see ecp.h + /// \note This function enforces that the provided salt length complies + /// with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 + /// step 3. The constraint is that the hash length plus the salt + /// length plus 2 bytes must be at most the key length. If this + /// constraint is not met, this function returns + /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and public key bound to it. - /// \param hash The message hash that was signed. This must be a readable - /// buffer of length \p size Bytes. - /// \param hlen The size of the hash \p hash. - /// \param sig The signature to read and verify. This must be a readable - /// buffer of length \p slen Bytes. - /// \param slen The size of \p sig in Bytes. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param saltlen The length of the salt that should be used. + /// If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use + /// the largest possible salt length up to the hash length, + /// which is the largest permitted by some standards including + /// FIPS 186-4 §5.5. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. - /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid - /// signature in \p sig, but its length is less than \p siglen. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX - /// error code on failure for any other reason. - pub fn mbedtls_ecdsa_read_signature( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_sign_ext( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, - sig: *const ::core::ffi::c_uchar, - slen: usize, + saltlen: ::core::ffi::c_int, + sig: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function reads and verifies an ECDSA signature, - /// in a restartable way. + /// \brief This function performs a PKCS#1 v2.1 PSS signature + /// operation (RSASSA-PSS-SIGN). /// - /// \see \c mbedtls_ecdsa_read_signature() + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. /// - /// \note This function is like \c mbedtls_ecdsa_read_signature() - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \note This function always uses the maximum possible salt size, + /// up to the length of the payload hash. This choice of salt + /// size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 + /// v2.2) §9.1.1 step 3. Furthermore this function enforces a + /// minimum salt size which is the hash size minus 2 bytes. If + /// this minimum size is too large given the key size (the salt + /// size, plus the hash size, plus 2 bytes must be no more than + /// the key size in bytes), this function returns + /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and public key bound to it. - /// \param hash The message hash that was signed. This must be a readable - /// buffer of length \p size Bytes. - /// \param hlen The size of the hash \p hash. - /// \param sig The signature to read and verify. This must be a readable - /// buffer of length \p slen Bytes. - /// \param slen The size of \p sig in Bytes. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. - /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid - /// signature in \p sig, but its length is less than \p siglen. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX - /// error code on failure for any other reason. - pub fn mbedtls_ecdsa_read_signature_restartable( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a public RSA operation and checks + /// the message digest. + /// + /// This is the generic wrapper for performing a PKCS#1 + /// verification. + /// + /// \note For PKCS#1 v2.1 encoding, see comments on + /// mbedtls_rsa_rsassa_pss_verify() about \c md_alg and + /// \c hash_id. + /// + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *const ::core::ffi::c_uchar, - slen: usize, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function generates an ECDSA keypair on the given curve. + /// \brief This function performs a PKCS#1 v1.5 verification + /// operation (RSASSA-PKCS1-v1_5-VERIFY). /// - /// \see ecp.h + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \param ctx The ECDSA context to store the keypair in. - /// This must be initialized. - /// \param gid The elliptic curve to use. One of the various - /// \c MBEDTLS_ECP_DP_XXX macros depending on configuration. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context argument. + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pkcs1_v15_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a PKCS#1 v2.1 PSS verification + /// operation (RSASSA-PSS-VERIFY). /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. - pub fn mbedtls_ecdsa_genkey( - ctx: *mut mbedtls_ecdsa_context, - gid: mbedtls_ecp_group_id, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. If the \c hash_id set in \p ctx by + /// mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg + /// parameter is used. + /// + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *const ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets up an ECDSA context from an EC key pair. + /// \brief This function performs a PKCS#1 v2.1 PSS verification + /// operation (RSASSA-PSS-VERIFY). /// - /// \see ecp.h + /// \note The \p sig buffer must be as large as the size + /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \param ctx The ECDSA context to setup. This must be initialized. - /// \param key The EC key to use. This must be initialized and hold - /// a private-public key pair or a public key. In the former - /// case, the ECDSA context may be used for signature creation - /// and verification after this call. In the latter case, it - /// may be used for signature verification. + /// \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is + /// ignored. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. - pub fn mbedtls_ecdsa_from_keypair( - ctx: *mut mbedtls_ecdsa_context, - key: *const mbedtls_ecp_keypair, + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param mgf1_hash_id The message digest algorithm used for the + /// verification operation and the mask generation + /// function (MGF1). For more details on the encoding + /// operation and the mask generation function, consult + /// RFC-3447: Public-Key Cryptography Standards + /// (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. + /// \param expected_salt_len The length of the salt used in padding. Use + /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_verify_ext( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + mgf1_hash_id: mbedtls_md_type_t, + expected_salt_len: ::core::ffi::c_int, + sig: *const ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function initializes an ECDSA context. + /// \brief This function copies the components of an RSA context. /// - /// \param ctx The ECDSA context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_ecdsa_init(ctx: *mut mbedtls_ecdsa_context); + /// \param dst The destination context. This must be initialized. + /// \param src The source context. This must be initialized. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. + pub fn mbedtls_rsa_copy( + dst: *mut mbedtls_rsa_context, + src: *const mbedtls_rsa_context, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function frees an ECDSA context. + /// \brief This function frees the components of an RSA key. /// - /// \param ctx The ECDSA context to free. This may be \c NULL, - /// in which case this function does nothing. If it - /// is not \c NULL, it must be initialized. - pub fn mbedtls_ecdsa_free(ctx: *mut mbedtls_ecdsa_context); + /// \param ctx The RSA context to free. May be \c NULL, in which case + /// this function is a no-op. If it is not \c NULL, it must + /// point to an initialized RSA context. + pub fn mbedtls_rsa_free(ctx: *mut mbedtls_rsa_context); } -pub const mbedtls_pk_type_t_MBEDTLS_PK_NONE: mbedtls_pk_type_t = 0; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA: mbedtls_pk_type_t = 1; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY: mbedtls_pk_type_t = 2; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY_DH: mbedtls_pk_type_t = 3; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECDSA: mbedtls_pk_type_t = 4; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA_ALT: mbedtls_pk_type_t = 5; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSASSA_PSS: mbedtls_pk_type_t = 6; -pub const mbedtls_pk_type_t_MBEDTLS_PK_OPAQUE: mbedtls_pk_type_t = 7; -/// \brief Public key types -pub type mbedtls_pk_type_t = ::core::ffi::c_uint; -/// \brief Options for RSASSA-PSS signature verification. -/// See \c mbedtls_rsa_rsassa_pss_verify_ext() -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_rsassa_pss_options { - /// The digest to use for MGF1 in PSS. +unsafe extern "C" { + /// \brief The RSA checkup routine. /// - /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is - /// disabled, this must be equal to the \c md_alg argument passed - /// to mbedtls_pk_verify_ext(). In a future version of the library, - /// this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is - /// enabled regardless of the status of #MBEDTLS_RSA_C. - pub mgf1_hash_id: mbedtls_md_type_t, - /// The expected length of the salt, in bytes. This may be - /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. - /// - /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only - /// #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be - /// ignored (allowing any salt length). - pub expected_salt_len: ::core::ffi::c_int, -} -impl Default for mbedtls_pk_rsassa_pss_options { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_NONE: mbedtls_pk_debug_type = 0; -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_MPI: mbedtls_pk_debug_type = 1; -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_ECP: mbedtls_pk_debug_type = 2; -/// \brief Types for interfacing with the debug module -pub type mbedtls_pk_debug_type = ::core::ffi::c_uint; -/// \brief Item to send to the debug module -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_debug_item { - pub private_type: mbedtls_pk_debug_type, - pub private_name: *const ::core::ffi::c_char, - pub private_value: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_pk_debug_item { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_info_t { - _unused: [u8; 0], -} -/// \brief Public key container -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_context { - ///< Public key information - pub private_pk_info: *const mbedtls_pk_info_t, - ///< Underlying public key context - pub private_pk_ctx: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_pk_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_rsa_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -pub type mbedtls_pk_restart_ctx = ::core::ffi::c_void; -/// \brief Types for RSA-alt abstraction -pub type mbedtls_pk_rsa_alt_decrypt_func = ::core::option::Option< - unsafe extern "C" fn( - ctx: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, - ) -> ::core::ffi::c_int, ->; -pub type mbedtls_pk_rsa_alt_sign_func = ::core::option::Option< - unsafe extern "C" fn( - ctx: *mut ::core::ffi::c_void, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int, ->; -pub type mbedtls_pk_rsa_alt_key_len_func = - ::core::option::Option usize>; +/// \brief The ECDSA context structure. +/// +/// \warning Performing multiple operations concurrently on the same +/// ECDSA context is not supported; objects of this type +/// should not be shared between multiple threads. +/// +/// \note pk_wrap module assumes that "ecdsa_context" is identical +/// to "ecp_keypair" (see for example structure +/// "mbedtls_eckey_info" where ECDSA sign/verify functions +/// are used also for EC key) +pub type mbedtls_ecdsa_context = mbedtls_ecp_keypair; +pub type mbedtls_ecdsa_restart_ctx = ::core::ffi::c_void; unsafe extern "C" { - /// \brief Return information associated with the given PK type - /// - /// \param pk_type PK type to search for. + /// \brief This function checks whether a given group can be used + /// for ECDSA. /// - /// \return The PK info associated with the type or NULL if not found. - pub fn mbedtls_pk_info_from_type(pk_type: mbedtls_pk_type_t) -> *const mbedtls_pk_info_t; -} -unsafe extern "C" { - /// \brief Initialize a #mbedtls_pk_context (as NONE). + /// \param gid The ECP group ID to check. /// - /// \param ctx The context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_pk_init(ctx: *mut mbedtls_pk_context); + /// \return \c 1 if the group can be used, \c 0 otherwise + pub fn mbedtls_ecdsa_can_do(gid: mbedtls_ecp_group_id) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Free the components of a #mbedtls_pk_context. + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message. /// - /// \param ctx The context to clear. It must have been initialized. - /// If this is \c NULL, this function does nothing. + /// \note The deterministic version implemented in + /// mbedtls_ecdsa_sign_det_ext() is usually preferred. /// - /// \note For contexts that have been set up with - /// mbedtls_pk_setup_opaque(), this does not free the underlying - /// PSA key and you still need to call psa_destroy_key() - /// independently if you want to destroy that key. - pub fn mbedtls_pk_free(ctx: *mut mbedtls_pk_context); -} -unsafe extern "C" { - /// \brief Initialize a PK context with the information given - /// and allocates the type-specific PK subcontext. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated + /// as defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \param ctx Context to initialize. It must not have been set - /// up yet (type #MBEDTLS_PK_NONE). - /// \param info Information to use + /// \see ecp.h /// - /// \return 0 on success, - /// MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input, - /// MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized. + /// \param buf The content to be signed. This is usually the hash of + /// the original data to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param f_rng The RNG function, used both to generate the ECDSA nonce + /// and for blinding. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. /// - /// \note For contexts holding an RSA-alt key, use - /// \c mbedtls_pk_setup_rsa_alt() instead. - pub fn mbedtls_pk_setup( - ctx: *mut mbedtls_pk_context, - info: *const mbedtls_pk_info_t, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX + /// or \c MBEDTLS_MPI_XXX error code on failure. + pub fn mbedtls_ecdsa_sign( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Initialize an RSA-alt context + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, deterministic version. /// - /// \param ctx Context to initialize. It must not have been set - /// up yet (type #MBEDTLS_PK_NONE). - /// \param key RSA key pointer - /// \param decrypt_func Decryption function - /// \param sign_func Signing function - /// \param key_len_func Function returning key length in bytes + /// For more information, see RFC-6979: Deterministic + /// Usage of the Digital Signature Algorithm (DSA) and Elliptic + /// Curve Digital Signature Algorithm (ECDSA). /// - /// \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the - /// context wasn't already initialized as RSA_ALT. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \note This function replaces \c mbedtls_pk_setup() for RSA-alt. - pub fn mbedtls_pk_setup_rsa_alt( - ctx: *mut mbedtls_pk_context, - key: *mut ::core::ffi::c_void, - decrypt_func: mbedtls_pk_rsa_alt_decrypt_func, - sign_func: mbedtls_pk_rsa_alt_sign_func, - key_len_func: mbedtls_pk_rsa_alt_key_len_func, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Get the size in bits of the underlying key + /// \see ecp.h /// - /// \param ctx The context to query. It must have been initialized. + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param md_alg The hash algorithm used to hash the original data. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This + /// may be \c NULL if \p f_rng_blind doesn't need a context + /// parameter. /// - /// \return Key size in bits, or 0 on error - pub fn mbedtls_pk_get_bitlen(ctx: *const mbedtls_pk_context) -> usize; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_det_ext( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + md_alg: mbedtls_md_type_t, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Tell if a context can do the operation given by type + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, in a restartable way. /// - /// \param ctx The context to query. It must have been initialized. - /// \param type The desired type. + /// \note The deterministic version implemented in + /// mbedtls_ecdsa_sign_det_restartable() is usually + /// preferred. /// - /// \return 1 if the context can do operations on the given type. - /// \return 0 if the context cannot do the operations on the given - /// type. This is always the case for a context that has - /// been initialized but not set up, or that has been - /// cleared with mbedtls_pk_free(). - pub fn mbedtls_pk_can_do( - ctx: *const mbedtls_pk_context, - type_: mbedtls_pk_type_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Verify signature (including padding if relevant). + /// \note This function is like \c mbedtls_ecdsa_sign() but + /// it can return early and restart according to the + /// limit set with \c mbedtls_ecp_set_max_ops() to + /// reduce blocking. /// - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used. - /// This can be #MBEDTLS_MD_NONE if the signature algorithm - /// does not rely on a hash algorithm (non-deterministic - /// ECDSA, RSA PKCS#1 v1.5). - /// For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then - /// \p hash is the DigestInfo structure used by RFC 8017 - /// §9.2 steps 3–6. If \p md_alg is a valid hash - /// algorithm then \p hash is the digest itself, and this - /// function calculates the DigestInfo encoding internally. - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Signature to verify - /// \param sig_len Signature length + /// \note If the bitlength of the message hash is larger + /// than the bitlength of the group order, then the + /// hash is truncated as defined in Standards for + /// Efficient Cryptography Group (SECG): SEC1 Elliptic + /// Curve Cryptography, section 4.1.3, step 5. /// - /// \return 0 on success (signature is valid), - /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid - /// signature in sig but its length is less than \p siglen, - /// or a specific error code. + /// \see ecp.h /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. - /// Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... ) - /// to verify RSASSA_PSS signatures. - pub fn mbedtls_pk_verify( - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through + /// mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param f_rng The RNG function used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param rs_ctx The restart context to use. This may be \c NULL + /// to disable restarting. If it is not \c NULL, it + /// must point to an initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c + /// mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c + /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_restartable( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Restartable version of \c mbedtls_pk_verify() + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, in a restartable way. /// - /// \note Performs the same job as \c mbedtls_pk_verify(), but can - /// return early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC - /// operations. For RSA, same as \c mbedtls_pk_verify(). + /// \note This function is like \c + /// mbedtls_ecdsa_sign_det_ext() but it can return + /// early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length or 0 (see notes) - /// \param sig Signature to verify - /// \param sig_len Signature length - /// \param rs_ctx Restart context (NULL to disable restart) + /// \note If the bitlength of the message hash is larger + /// than the bitlength of the group order, then the + /// hash is truncated as defined in Standards for + /// Efficient Cryptography Group (SECG): SEC1 Elliptic + /// Curve Cryptography, section 4.1.3, step 5. /// - /// \return See \c mbedtls_pk_verify(), or - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - pub fn mbedtls_pk_verify_restartable( - ctx: *mut mbedtls_pk_context, + /// \see ecp.h + /// + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through + /// mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param md_alg The hash algorithm used to hash the original data. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This may be + /// \c NULL if \p f_rng_blind doesn't need a context parameter. + /// \param rs_ctx The restart context to use. This may be \c NULL + /// to disable restarting. If it is not \c NULL, it + /// must point to an initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c + /// mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c + /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_det_restartable( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, - rs_ctx: *mut mbedtls_pk_restart_ctx, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify signature, with options. - /// (Includes verification of the padding depending on type.) - /// - /// \param type Signature type (inc. possible padding type) to verify - /// \param options Pointer to type-specific options, or NULL - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length or 0 (see notes) - /// \param sig Signature to verify - /// \param sig_len Signature length + /// \brief This function verifies the ECDSA signature of a + /// previously-hashed message. /// - /// \return 0 on success (signature is valid), - /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be - /// used for this type of signatures, - /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid - /// signature in sig but its length is less than \p siglen, - /// or a specific error code. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note If hash_len is 0, then the length associated with md_alg - /// is used instead, or an error returned if it is invalid. + /// \see ecp.h /// - /// \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0 + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param buf The hashed content that was signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param Q The public key to use for verification. This must be + /// initialized and setup. + /// \param r The first integer of the signature. + /// This must be initialized. + /// \param s The second integer of the signature. + /// This must be initialized. /// - /// \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point - /// to a mbedtls_pk_rsassa_pss_options structure, - /// otherwise it must be NULL. Note that if - /// #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not - /// verified as PSA_ALG_RSA_PSS_ANY_SALT is used. - pub fn mbedtls_pk_verify_ext( - type_: mbedtls_pk_type_t, - options: *const ::core::ffi::c_void, - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_verify( + grp: *mut mbedtls_ecp_group, + buf: *const ::core::ffi::c_uchar, + blen: usize, + Q: *const mbedtls_ecp_point, + r: *const mbedtls_mpi, + s: *const mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Make signature, including padding if relevant. - /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \brief This function verifies the ECDSA signature of a + /// previously-hashed message, in a restartable manner /// - /// \return 0 on success, or a specific error code. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. - /// There is no interface in the PK module to make RSASSA-PSS - /// signatures yet. + /// \see ecp.h /// - /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. - /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. - pub fn mbedtls_pk_sign( - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param buf The hashed content that was signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param Q The public key to use for verification. This must be + /// initialized and setup. + /// \param r The first integer of the signature. + /// This must be initialized. + /// \param s The second integer of the signature. + /// This must be initialized. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_verify_restartable( + grp: *mut mbedtls_ecp_group, + buf: *const ::core::ffi::c_uchar, + blen: usize, + Q: *const mbedtls_ecp_point, + r: *const mbedtls_mpi, + s: *const mbedtls_mpi, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Make signature given a signature type. + /// \brief This function computes the ECDSA signature and writes it + /// to a buffer, serialized as defined in RFC-4492: + /// Elliptic Curve Cryptography (ECC) Cipher Suites for + /// Transport Layer Security (TLS). /// - /// \param pk_type Signature type. - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \warning It is not thread-safe to use the same context in + /// multiple threads. /// - /// \return 0 on success, or a specific error code. + /// \note The deterministic version is used if + /// #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more + /// information, see RFC-6979: Deterministic Usage + /// of the Digital Signature Algorithm (DSA) and Elliptic + /// Curve Digital Signature Algorithm (ECDSA). /// - /// \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS, - /// see #PSA_ALG_RSA_PSS for a description of PSS options used. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. - /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. - pub fn mbedtls_pk_sign_ext( - pk_type: mbedtls_pk_type_t, - ctx: *mut mbedtls_pk_context, + /// \see ecp.h + /// + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and private key bound to it, for example + /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). + /// \param md_alg The message digest that was used to hash the message. + /// \param hash The message hash to be signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The length of the hash \p hash in Bytes. + /// \param sig The buffer to which to write the signature. This must be a + /// writable buffer of length at least twice as large as the + /// size of the curve used, plus 9. For example, 73 Bytes if + /// a 256-bit curve is used. A buffer length of + /// #MBEDTLS_ECDSA_MAX_LEN is always safe. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param slen The address at which to store the actual length of + /// the signature written. Must not be \c NULL. + /// \param f_rng The RNG function. This is used for blinding. + /// If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also + /// used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_ecdsa_write_signature( + ctx: *mut mbedtls_ecdsa_context, md_alg: mbedtls_md_type_t, hash: *const ::core::ffi::c_uchar, - hash_len: usize, + hlen: usize, sig: *mut ::core::ffi::c_uchar, sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + slen: *mut usize, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Restartable version of \c mbedtls_pk_sign() + /// \brief This function computes the ECDSA signature and writes it + /// to a buffer, in a restartable way. /// - /// \note Performs the same job as \c mbedtls_pk_sign(), but can - /// return early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC - /// operations. For RSA, same as \c mbedtls_pk_sign(). + /// \see \c mbedtls_ecdsa_write_signature() /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign()) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. + /// \note This function is like \c mbedtls_ecdsa_write_signature() + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and private key bound to it, for example + /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). + /// \param md_alg The message digest that was used to hash the message. + /// \param hash The message hash to be signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The length of the hash \p hash in Bytes. + /// \param sig The buffer to which to write the signature. This must be a + /// writable buffer of length at least twice as large as the + /// size of the curve used, plus 9. For example, 73 Bytes if + /// a 256-bit curve is used. A buffer length of + /// #MBEDTLS_ECDSA_MAX_LEN is always safe. /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter - /// \param rs_ctx Restart context (NULL to disable restart) + /// \param slen The address at which to store the actual length of + /// the signature written. Must not be \c NULL. + /// \param f_rng The RNG function. This is used for blinding. + /// If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also + /// used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. /// - /// \return See \c mbedtls_pk_sign(). + /// \return \c 0 on success. /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - pub fn mbedtls_pk_sign_restartable( - ctx: *mut mbedtls_pk_context, + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_ecdsa_write_signature_restartable( + ctx: *mut mbedtls_ecdsa_context, md_alg: mbedtls_md_type_t, hash: *const ::core::ffi::c_uchar, - hash_len: usize, + hlen: usize, sig: *mut ::core::ffi::c_uchar, sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + slen: *mut usize, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_pk_restart_ctx, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Decrypt message (including padding if relevant). + /// \brief This function reads and verifies an ECDSA signature. /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param input Input to decrypt - /// \param ilen Input size - /// \param output Decrypted output - /// \param olen Decrypted message length - /// \param osize Size of the output buffer - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. + /// \see ecp.h /// - /// \return 0 on success, or a specific error code. - pub fn mbedtls_pk_decrypt( - ctx: *mut mbedtls_pk_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - olen: *mut usize, - osize: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and public key bound to it. + /// \param hash The message hash that was signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The size of the hash \p hash. + /// \param sig The signature to read and verify. This must be a readable + /// buffer of length \p slen Bytes. + /// \param slen The size of \p sig in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. + /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig, but its length is less than \p siglen. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX + /// error code on failure for any other reason. + pub fn mbedtls_ecdsa_read_signature( + ctx: *mut mbedtls_ecdsa_context, + hash: *const ::core::ffi::c_uchar, + hlen: usize, + sig: *const ::core::ffi::c_uchar, + slen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Encrypt message (including padding if relevant). - /// - /// \param ctx The PK context to use. It must have been set up. - /// \param input Message to encrypt - /// \param ilen Message size - /// \param output Encrypted output - /// \param olen Encrypted output length - /// \param osize Size of the output buffer - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \brief This function reads and verifies an ECDSA signature, + /// in a restartable way. /// - /// \note \p f_rng is used for padding generation. + /// \see \c mbedtls_ecdsa_read_signature() /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. + /// \note This function is like \c mbedtls_ecdsa_read_signature() + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \return 0 on success, or a specific error code. - pub fn mbedtls_pk_encrypt( - ctx: *mut mbedtls_pk_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - olen: *mut usize, - osize: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Check if a public-private pair of keys matches. - /// - /// \param pub Context holding a public key. - /// \param prv Context holding a private (and public) key. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter - /// - /// \return \c 0 on success (keys were checked and match each other). - /// \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not - /// be checked - in that case they may or may not match. - /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid. - /// \return Another non-zero value if the keys do not match. - pub fn mbedtls_pk_check_pair( - pub_: *const mbedtls_pk_context, - prv: *const mbedtls_pk_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Export debug information - /// - /// \param ctx The PK context to use. It must have been initialized. - /// \param items Place to write debug items + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and public key bound to it. + /// \param hash The message hash that was signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The size of the hash \p hash. + /// \param sig The signature to read and verify. This must be a readable + /// buffer of length \p slen Bytes. + /// \param slen The size of \p sig in Bytes. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. /// - /// \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA - pub fn mbedtls_pk_debug( - ctx: *const mbedtls_pk_context, - items: *mut mbedtls_pk_debug_item, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. + /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig, but its length is less than \p siglen. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX + /// error code on failure for any other reason. + pub fn mbedtls_ecdsa_read_signature_restartable( + ctx: *mut mbedtls_ecdsa_context, + hash: *const ::core::ffi::c_uchar, + hlen: usize, + sig: *const ::core::ffi::c_uchar, + slen: usize, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Access the type name - /// - /// \param ctx The PK context to use. It must have been initialized. - /// - /// \return Type name on success, or "invalid PK" - pub fn mbedtls_pk_get_name(ctx: *const mbedtls_pk_context) -> *const ::core::ffi::c_char; -} -unsafe extern "C" { - /// \brief Get the key type - /// - /// \param ctx The PK context to use. It must have been initialized. - /// - /// \return Type on success. - /// \return #MBEDTLS_PK_NONE for a context that has not been set up. - pub fn mbedtls_pk_get_type(ctx: *const mbedtls_pk_context) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - /// \ingroup pk_module */ - ////** - /// \brief Parse a private key in PEM or DER format - /// - /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto - /// subsystem must have been initialized by calling - /// psa_crypto_init() before calling this function. - /// - /// \param ctx The PK context to fill. It must have been initialized - /// but not set up. - /// \param key Input buffer to parse. - /// The buffer must contain the input exactly, with no - /// extra trailing material. For PEM, the buffer must - /// contain a null-terminated string. - /// \param keylen Size of \b key in bytes. - /// For PEM data, this includes the terminating null byte, - /// so \p keylen must be equal to `strlen(key) + 1`. - /// \param pwd Optional password for decryption. - /// Pass \c NULL if expecting a non-encrypted key. - /// Pass a string of \p pwdlen bytes if expecting an encrypted - /// key; a non-encrypted key will also be accepted. - /// The empty password is not supported. - /// \param pwdlen Size of the password in bytes. - /// Ignored if \p pwd is \c NULL. - /// \param f_rng RNG function, must not be \c NULL. Used for blinding. - /// \param p_rng RNG parameter + /// \brief This function generates an ECDSA keypair on the given curve. /// - /// \note On entry, ctx must be empty, either freshly initialised - /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a - /// specific key type, check the result with mbedtls_pk_can_do(). + /// \see ecp.h /// - /// \note The key is also checked for correctness. + /// \param ctx The ECDSA context to store the keypair in. + /// This must be initialized. + /// \param gid The elliptic curve to use. One of the various + /// \c MBEDTLS_ECP_DP_XXX macros depending on configuration. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context argument. /// - /// \return 0 if successful, or a specific PK or PEM error code - pub fn mbedtls_pk_parse_key( - ctx: *mut mbedtls_pk_context, - key: *const ::core::ffi::c_uchar, - keylen: usize, - pwd: *const ::core::ffi::c_uchar, - pwdlen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. + pub fn mbedtls_ecdsa_genkey( + ctx: *mut mbedtls_ecdsa_context, + gid: mbedtls_ecp_group_id, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \ingroup pk_module */ - ////** - /// \brief Parse a public key in PEM or DER format - /// - /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto - /// subsystem must have been initialized by calling - /// psa_crypto_init() before calling this function. - /// - /// \param ctx The PK context to fill. It must have been initialized - /// but not set up. - /// \param key Input buffer to parse. - /// The buffer must contain the input exactly, with no - /// extra trailing material. For PEM, the buffer must - /// contain a null-terminated string. - /// \param keylen Size of \b key in bytes. - /// For PEM data, this includes the terminating null byte, - /// so \p keylen must be equal to `strlen(key) + 1`. - /// - /// \note On entry, ctx must be empty, either freshly initialised - /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a - /// specific key type, check the result with mbedtls_pk_can_do(). + /// \brief This function sets up an ECDSA context from an EC key pair. /// - /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for - /// limitations. + /// \see ecp.h /// - /// \note The key is also checked for correctness. + /// \param ctx The ECDSA context to setup. This must be initialized. + /// \param key The EC key to use. This must be initialized and hold + /// a private-public key pair or a public key. In the former + /// case, the ECDSA context may be used for signature creation + /// and verification after this call. In the latter case, it + /// may be used for signature verification. /// - /// \return 0 if successful, or a specific PK or PEM error code - pub fn mbedtls_pk_parse_public_key( - ctx: *mut mbedtls_pk_context, - key: *const ::core::ffi::c_uchar, - keylen: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. + pub fn mbedtls_ecdsa_from_keypair( + ctx: *mut mbedtls_ecdsa_context, + key: *const mbedtls_ecp_keypair, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Write a private key to a PKCS#1 or SEC1 DER structure - /// Note: data is written at the end of the buffer! Use the - /// return value to determine where you should start - /// using the buffer - /// - /// \param ctx PK context which must contain a valid private key. - /// \param buf buffer to write to - /// \param size size of the buffer + /// \brief This function initializes an ECDSA context. /// - /// \return length of data written if successful, or a specific - /// error code - pub fn mbedtls_pk_write_key_der( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The ECDSA context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_ecdsa_init(ctx: *mut mbedtls_ecdsa_context); } unsafe extern "C" { - /// \brief Write a public key to a SubjectPublicKeyInfo DER structure - /// Note: data is written at the end of the buffer! Use the - /// return value to determine where you should start - /// using the buffer - /// - /// \param ctx PK context which must contain a valid public or private key. - /// \param buf buffer to write to - /// \param size size of the buffer + /// \brief This function frees an ECDSA context. /// - /// \return length of data written if successful, or a specific - /// error code - pub fn mbedtls_pk_write_pubkey_der( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The ECDSA context to free. This may be \c NULL, + /// in which case this function does nothing. If it + /// is not \c NULL, it must be initialized. + pub fn mbedtls_ecdsa_free(ctx: *mut mbedtls_ecdsa_context); } -unsafe extern "C" { - /// \brief Write a public key to a PEM string - /// - /// \param ctx PK context which must contain a valid public or private key. - /// \param buf Buffer to write to. The output includes a - /// terminating null byte. - /// \param size Size of the buffer in bytes. - /// - /// \return 0 if successful, or a specific error code - pub fn mbedtls_pk_write_pubkey_pem( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write a private key to a PKCS#1 or SEC1 PEM string - /// - /// \param ctx PK context which must contain a valid private key. - /// \param buf Buffer to write to. The output includes a - /// terminating null byte. - /// \param size Size of the buffer in bytes. - /// - /// \return 0 if successful, or a specific error code - pub fn mbedtls_pk_write_key_pem( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Parse a SubjectPublicKeyInfo DER structure - /// - /// \param p the position in the ASN.1 data - /// \param end end of the buffer - /// \param pk The PK context to fill. It must have been initialized - /// but not set up. - /// - /// \return 0 if successful, or a specific PK error code - pub fn mbedtls_pk_parse_subpubkey( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - pk: *mut mbedtls_pk_context, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write a subjectPublicKey to ASN.1 data - /// Note: function works backwards in data buffer - /// - /// \param p reference to current position pointer - /// \param start start of the buffer (for bounds-checking) - /// \param key PK context which must contain a valid public or private key. - /// - /// \return the length written or a negative error code - pub fn mbedtls_pk_write_pubkey( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - key: *const mbedtls_pk_context, - ) -> ::core::ffi::c_int; -} -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_NONE: mbedtls_key_exchange_type_t = 0; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA: mbedtls_key_exchange_type_t = 1; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_RSA: mbedtls_key_exchange_type_t = 2; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: mbedtls_key_exchange_type_t = - 3; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - mbedtls_key_exchange_type_t = 4; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_PSK: mbedtls_key_exchange_type_t = 5; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_PSK: mbedtls_key_exchange_type_t = 6; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA_PSK: mbedtls_key_exchange_type_t = 7; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: mbedtls_key_exchange_type_t = - 8; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_RSA: mbedtls_key_exchange_type_t = - 9; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: mbedtls_key_exchange_type_t = - 10; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECJPAKE: mbedtls_key_exchange_type_t = - 11; -pub type mbedtls_key_exchange_type_t = ::core::ffi::c_uint; -/// \brief This structure is used for storing ciphersuite information -/// -/// \note members are defined using integral types instead of enums -/// in order to pack structure and reduce memory usage by internal -/// \c ciphersuite_definitions[] -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ssl_ciphersuite_t { - pub private_id: ::core::ffi::c_int, - pub private_name: *const ::core::ffi::c_char, - pub private_cipher: u8, - pub private_mac: u8, - pub private_key_exchange: u8, - pub private_flags: u8, - pub private_min_tls_version: u16, - pub private_max_tls_version: u16, -} -impl Default for mbedtls_ssl_ciphersuite_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - pub fn mbedtls_ssl_list_ciphersuites() -> *const ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_from_string( - ciphersuite_name: *const ::core::ffi::c_char, - ) -> *const mbedtls_ssl_ciphersuite_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_from_id( - ciphersuite_id: ::core::ffi::c_int, - ) -> *const mbedtls_ssl_ciphersuite_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_get_ciphersuite_sig_pk_alg( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_get_ciphersuite_sig_alg( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_uses_ec( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_uses_psk( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> usize; -} -/// The type of the context passed to mbedtls_psa_external_get_random(). -/// -/// Mbed TLS initializes the context to all-bits-zero before calling -/// mbedtls_psa_external_get_random() for the first time. -/// -/// The definition of this type in the Mbed TLS source code is for -/// demonstration purposes. Implementers of mbedtls_psa_external_get_random() -/// are expected to replace it with a custom definition. -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_external_random_context_t { - pub private_opaque: [usize; 2usize], +/// The type of the context passed to mbedtls_psa_external_get_random(). +/// +/// Mbed TLS initializes the context to all-bits-zero before calling +/// mbedtls_psa_external_get_random() for the first time. +/// +/// The definition of this type in the Mbed TLS source code is for +/// demonstration purposes. Implementers of mbedtls_psa_external_get_random() +/// are expected to replace it with a custom definition. +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_external_random_context_t { + pub private_opaque: [usize; 2usize], } pub type psa_status_t = i32; /// \brief Encoding of a key type. @@ -10579,6478 +10447,7672 @@ pub type psa_key_attributes_t = psa_key_attributes_s; /// Values of this type are generally constructed by macros called /// `PSA_KEY_DERIVATION_INPUT_xxx`. pub type psa_key_derivation_step_t = u16; +/// \brief Custom parameters for key generation or key derivation. +/// +/// This is a structure type with at least the following field: +/// +/// - \c flags: an unsigned integer type. 0 for the default production parameters. +/// +/// Functions that take such a structure as input also take an associated +/// input buffer \c custom_data of length \c custom_data_length. +/// +/// The interpretation of this structure and the associated \c custom_data +/// parameter depend on the type of the created key. +/// +/// - #PSA_KEY_TYPE_RSA_KEY_PAIR: +/// - \c flags: must be 0. +/// - \c custom_data: the public exponent, in little-endian order. +/// This must be an odd integer and must not be 1. +/// Implementations must support 65537, should support 3 and may +/// support other values. +/// When not using a driver, Mbed TLS supports values up to \c INT_MAX. +/// If this is empty, the default value 65537 is used. +/// - Other key types: reserved for future use. \c flags must be 0. +pub type psa_custom_key_parameters_t = psa_custom_key_parameters_s; +/// \brief Custom parameters for key generation or key derivation. +/// +/// This is a structure type with at least the following fields: +/// +/// - \c flags: an unsigned integer type. 0 for the default production parameters. +/// - \c data: a flexible array of bytes. +/// +/// The interpretation of this structure depend on the type of the +/// created key. +/// +/// - #PSA_KEY_TYPE_RSA_KEY_PAIR: +/// - \c flags: must be 0. +/// - \c data: the public exponent, in little-endian order. +/// This must be an odd integer and must not be 1. +/// Implementations must support 65537, should support 3 and may +/// support other values. +/// When not using a driver, Mbed TLS supports values up to \c INT_MAX. +/// If this is empty or if the custom production parameters are omitted +/// altogether, the default value 65537 is used. +/// - Other key types: reserved for future use. \c flags must be 0. +pub type psa_key_production_parameters_t = psa_key_production_parameters_s; +pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_DECRYPT: psa_encrypt_or_decrypt_t = 0; +pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_ENCRYPT: psa_encrypt_or_decrypt_t = 1; +/// For encrypt-decrypt functions, whether the operation is an encryption +/// or a decryption. +pub type psa_encrypt_or_decrypt_t = ::core::ffi::c_uint; +/// \brief MD5 context structure +/// +/// \warning MD5 is considered a weak message digest and its use +/// constitutes a security risk. We recommend considering +/// stronger message digests instead. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_md5_context { + ///< number of bytes processed + pub private_total: [u32; 2usize], + ///< intermediate digest state + pub private_state: [u32; 4usize], + ///< data block being processed + pub private_buffer: [::core::ffi::c_uchar; 64usize], +} +impl Default for mbedtls_md5_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} unsafe extern "C" { - /// \brief Library initialization. - /// - /// Applications must call this function before calling any other - /// function in this module. - /// - /// Applications may call this function more than once. Once a call - /// succeeds, subsequent calls are guaranteed to succeed. + /// \brief Initialize MD5 context /// - /// If the application calls other functions before calling psa_crypto_init(), - /// the behavior is undefined. Implementations are encouraged to either perform - /// the operation as if the library had been initialized or to return - /// #PSA_ERROR_BAD_STATE or some other applicable error. In particular, - /// implementations should not return a success status if the lack of - /// initialization may have security implications, for example due to improper - /// seeding of the random number generator. + /// \param ctx MD5 context to be initialized /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - pub fn psa_crypto_init() -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_init(ctx: *mut mbedtls_md5_context); } unsafe extern "C" { - /// Retrieve the attributes of a key. - /// - /// This function first resets the attribute structure as with - /// psa_reset_key_attributes(). It then copies the attributes of - /// the given key into the given attribute structure. - /// - /// \note This function may allocate memory or other resources. - /// Once you have called this function on an attribute structure, - /// you must call psa_reset_key_attributes() to free these resources. + /// \brief Clear MD5 context /// - /// \param[in] key Identifier of the key to query. - /// \param[in,out] attributes On success, the attributes of the key. - /// On failure, equivalent to a - /// freshly-initialized structure. + /// \param ctx MD5 context to be cleared /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_get_key_attributes( - key: mbedtls_svc_key_id_t, - attributes: *mut psa_key_attributes_t, - ) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_free(ctx: *mut mbedtls_md5_context); } unsafe extern "C" { - /// Reset a key attribute structure to a freshly initialized state. - /// - /// You must initialize the attribute structure as described in the - /// documentation of the type #psa_key_attributes_t before calling this - /// function. Once the structure has been initialized, you may call this - /// function at any time. + /// \brief Clone (the state of) an MD5 context /// - /// This function frees any auxiliary resources that the structure - /// may contain. + /// \param dst The destination context + /// \param src The context to be cloned /// - /// \param[in,out] attributes The attribute structure to reset. - pub fn psa_reset_key_attributes(attributes: *mut psa_key_attributes_t); + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_clone(dst: *mut mbedtls_md5_context, src: *const mbedtls_md5_context); } unsafe extern "C" { - /// Remove non-essential copies of key material from memory. + /// \brief MD5 context setup /// - /// If the key identifier designates a volatile key, this functions does not do - /// anything and returns successfully. - /// - /// If the key identifier designates a persistent key, then this function will - /// free all resources associated with the key in volatile memory. The key - /// data in persistent storage is not affected and the key can still be used. + /// \param ctx context to be initialized /// - /// \param key Identifier of the key to purge. + /// \return 0 if successful /// - /// \retval #PSA_SUCCESS - /// The key material will have been removed from memory if it is not - /// currently required. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not a valid key identifier. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_purge_key(key: mbedtls_svc_key_id_t) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_starts(ctx: *mut mbedtls_md5_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Make a copy of a key. + /// \brief MD5 process buffer /// - /// Copy key material from one location to another. + /// \param ctx MD5 context + /// \param input buffer holding the data + /// \param ilen length of the input data /// - /// This function is primarily useful to copy a key from one location - /// to another, since it populates a key using the material from - /// another key which may have a different lifetime. + /// \return 0 if successful /// - /// This function may be used to share a key with a different party, - /// subject to implementation-defined restrictions on key sharing. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_update( + ctx: *mut mbedtls_md5_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief MD5 final digest /// - /// The policy on the source key must have the usage flag - /// #PSA_KEY_USAGE_COPY set. - /// This flag is sufficient to permit the copy if the key has the lifetime - /// #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT. - /// Some secure elements do not provide a way to copy a key without - /// making it extractable from the secure element. If a key is located - /// in such a secure element, then the key must have both usage flags - /// #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make - /// a copy of the key outside the secure element. + /// \param ctx MD5 context + /// \param output MD5 checksum result /// - /// The resulting key may only be used in a way that conforms to - /// both the policy of the original key and the policy specified in - /// the \p attributes parameter: - /// - The usage flags on the resulting key are the bitwise-and of the - /// usage flags on the source policy and the usage flags in \p attributes. - /// - If both allow the same algorithm or wildcard-based - /// algorithm policy, the resulting key has the same algorithm policy. - /// - If either of the policies allows an algorithm and the other policy - /// allows a wildcard-based algorithm policy that includes this algorithm, - /// the resulting key allows the same algorithm. - /// - If the policies do not allow any algorithm in common, this function - /// fails with the status #PSA_ERROR_INVALID_ARGUMENT. + /// \return 0 if successful /// - /// The effect of this function on implementation-defined attributes is - /// implementation-defined. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_finish( + ctx: *mut mbedtls_md5_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief MD5 process data block (internal use only) /// - /// \param source_key The key to copy. It must allow the usage - /// #PSA_KEY_USAGE_COPY. If a private or secret key is - /// being copied outside of a secure element it must - /// also allow #PSA_KEY_USAGE_EXPORT. - /// \param[in] attributes The attributes for the new key. - /// They are used as follows: - /// - The key type and size may be 0. If either is - /// nonzero, it must match the corresponding - /// attribute of the source key. - /// - The key location (the lifetime and, for - /// persistent keys, the key identifier) is - /// used directly. - /// - The policy constraints (usage flags and - /// algorithm policy) are combined from - /// the source key and \p attributes so that - /// both sets of restrictions apply, as - /// described in the documentation of this function. - /// \param[out] target_key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param ctx MD5 context + /// \param data buffer holding one block of data /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p source_key is invalid. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The lifetime or identifier in \p attributes are invalid, or - /// the policy constraints on the source and specified in - /// \p attributes are incompatible, or - /// \p attributes specifies a key type or key size - /// which does not match the attributes of the source key. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or - /// the source key is not exportable and its lifetime does not - /// allow copying it to the target's lifetime. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_copy_key( - source_key: mbedtls_svc_key_id_t, - attributes: *const psa_key_attributes_t, - target_key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return 0 if successful + /// + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_internal_md5_process( + ctx: *mut mbedtls_md5_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Destroy a key. + /// \brief Output = MD5( input buffer ) /// - /// This function destroys a key from both volatile - /// memory and, if applicable, non-volatile storage. Implementations shall - /// make a best effort to ensure that the key material cannot be recovered. + /// \param input buffer holding the data + /// \param ilen length of the input data + /// \param output MD5 checksum result /// - /// This function also erases any metadata such as policies and frees - /// resources associated with the key. + /// \return 0 if successful /// - /// If a key is currently in use in a multipart operation, then destroying the - /// key will cause the multipart operation to fail. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// \param key Identifier of the key to erase. If this is \c 0, do nothing and - /// return #PSA_SUCCESS. + /// \return 0 if successful, or 1 if the test failed /// - /// \retval #PSA_SUCCESS - /// \p key was a valid identifier and the key material that it - /// referred to has been erased. Alternatively, \p key is \c 0. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key cannot be erased because it is - /// read-only, either due to a policy or due to physical restrictions. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p key is not a valid identifier nor \c 0. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE - /// There was a failure in communication with the cryptoprocessor. - /// The key material may still be present in the cryptoprocessor. - /// \retval #PSA_ERROR_DATA_INVALID - /// This error is typically a result of either storage corruption on a - /// cleartext storage backend, or an attempt to read data that was - /// written by an incompatible version of the library. - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The storage is corrupted. Implementations shall make a best effort - /// to erase key material even in this stage, however applications - /// should be aware that it may be impossible to guarantee that the - /// key material is not recoverable in such cases. - /// \retval #PSA_ERROR_CORRUPTION_DETECTED - /// An unexpected condition which is not a storage corruption or - /// a communication failure occurred. The cryptoprocessor may have - /// been compromised. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_destroy_key(key: mbedtls_svc_key_id_t) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief RIPEMD-160 context structure +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ripemd160_context { + ///< number of bytes processed + pub private_total: [u32; 2usize], + ///< intermediate digest state + pub private_state: [u32; 5usize], + ///< data block being processed + pub private_buffer: [::core::ffi::c_uchar; 64usize], +} +impl Default for mbedtls_ripemd160_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief Import a key in binary format. + /// \brief Initialize RIPEMD-160 context /// - /// This function supports any output from psa_export_key(). Refer to the - /// documentation of psa_export_public_key() for the format of public keys - /// and to the documentation of psa_export_key() for the format for - /// other key types. + /// \param ctx RIPEMD-160 context to be initialized + pub fn mbedtls_ripemd160_init(ctx: *mut mbedtls_ripemd160_context); +} +unsafe extern "C" { + /// \brief Clear RIPEMD-160 context /// - /// The key data determines the key size. The attributes may optionally - /// specify a key size; in this case it must match the size determined - /// from the key data. A key size of 0 in \p attributes indicates that - /// the key size is solely determined by the key data. + /// \param ctx RIPEMD-160 context to be cleared + pub fn mbedtls_ripemd160_free(ctx: *mut mbedtls_ripemd160_context); +} +unsafe extern "C" { + /// \brief Clone (the state of) a RIPEMD-160 context /// - /// Implementations must reject an attempt to import a key of size 0. + /// \param dst The destination context + /// \param src The context to be cloned + pub fn mbedtls_ripemd160_clone( + dst: *mut mbedtls_ripemd160_context, + src: *const mbedtls_ripemd160_context, + ); +} +unsafe extern "C" { + /// \brief RIPEMD-160 context setup /// - /// This specification supports a single format for each key type. - /// Implementations may support other formats as long as the standard - /// format is supported. Implementations that support other formats - /// should ensure that the formats are clearly unambiguous so as to - /// minimize the risk that an invalid input is accidentally interpreted - /// according to a different format. - /// - /// \param[in] attributes The attributes for the new key. - /// The key size is always determined from the - /// \p data buffer. - /// If the key size in \p attributes is nonzero, - /// it must be equal to the size from \p data. - /// \param[out] key On success, an identifier to the newly created key. - /// For persistent keys, this is the key identifier - /// defined in \p attributes. - /// \c 0 on failure. - /// \param[in] data Buffer containing the key data. The content of this - /// buffer is interpreted according to the type declared - /// in \p attributes. - /// All implementations must support at least the format - /// described in the documentation - /// of psa_export_key() or psa_export_public_key() for - /// the chosen type. Implementations may allow other - /// formats, but should be conservative: implementations - /// should err on the side of rejecting content if it - /// may be erroneous (e.g. wrong type or truncated data). - /// \param data_length Size of the \p data buffer in bytes. + /// \param ctx context to be initialized /// - /// \retval #PSA_SUCCESS - /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size is not supported, either by the - /// implementation in general or in this particular persistent location. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key attributes, as a whole, are invalid, or - /// the key data is not correctly formatted, or - /// the size in \p attributes is nonzero and does not match the size - /// of the key data. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_import_key( - attributes: *const psa_key_attributes_t, - data: *const u8, - data_length: usize, - key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return 0 if successful + pub fn mbedtls_ripemd160_starts(ctx: *mut mbedtls_ripemd160_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Export a key in binary format. - /// - /// The output of this function can be passed to psa_import_key() to - /// create an equivalent object. + /// \brief RIPEMD-160 process buffer /// - /// If the implementation of psa_import_key() supports other formats - /// beyond the format specified here, the output from psa_export_key() - /// must use the representation specified here, not the original - /// representation. + /// \param ctx RIPEMD-160 context + /// \param input buffer holding the data + /// \param ilen length of the input data /// - /// For standard key types, the output format is as follows: + /// \return 0 if successful + pub fn mbedtls_ripemd160_update( + ctx: *mut mbedtls_ripemd160_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief RIPEMD-160 final digest /// - /// - For symmetric keys (including MAC keys), the format is the - /// raw bytes of the key. - /// - For DES, the key data consists of 8 bytes. The parity bits must be - /// correct. - /// - For Triple-DES, the format is the concatenation of the - /// two or three DES keys. - /// - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format - /// is the non-encrypted DER encoding of the representation defined by - /// PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0. - /// ``` - /// RSAPrivateKey ::= SEQUENCE { - /// version INTEGER, -- must be 0 - /// modulus INTEGER, -- n - /// publicExponent INTEGER, -- e - /// privateExponent INTEGER, -- d - /// prime1 INTEGER, -- p - /// prime2 INTEGER, -- q - /// exponent1 INTEGER, -- d mod (p-1) - /// exponent2 INTEGER, -- d mod (q-1) - /// coefficient INTEGER, -- (inverse of q) mod p - /// } - /// ``` - /// - For elliptic curve key pairs (key types for which - /// #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is - /// a representation of the private value as a `ceiling(m/8)`-byte string - /// where `m` is the bit size associated with the curve, i.e. the bit size - /// of the order of the curve's coordinate field. This byte string is - /// in little-endian order for Montgomery curves (curve types - /// `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass - /// curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX` - /// and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`). - /// For Weierstrass curves, this is the content of the `privateKey` field of - /// the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves, - /// the format is defined by RFC 7748, and output is masked according to §5. - /// For twisted Edwards curves, the private key is as defined by RFC 8032 - /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). - /// - For Diffie-Hellman key exchange key pairs (key types for which - /// #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the - /// format is the representation of the private key `x` as a big-endian byte - /// string. The length of the byte string is the private key size in bytes - /// (leading zeroes are not stripped). - /// - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is - /// true), the format is the same as for psa_export_public_key(). + /// \param ctx RIPEMD-160 context + /// \param output RIPEMD-160 checksum result /// - /// The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set. + /// \return 0 if successful + pub fn mbedtls_ripemd160_finish( + ctx: *mut mbedtls_ripemd160_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief RIPEMD-160 process data block (internal use only) /// - /// \param key Identifier of the key to export. It must allow the - /// usage #PSA_KEY_USAGE_EXPORT, unless it is a public - /// key. - /// \param[out] data Buffer where the key data is to be written. - /// \param data_size Size of the \p data buffer in bytes. - /// \param[out] data_length On success, the number of bytes - /// that make up the key data. + /// \param ctx RIPEMD-160 context + /// \param data buffer holding one block of data /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_EXPORT flag. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p data buffer is too small. You can determine a - /// sufficient buffer size by calling - /// #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits) - /// where \c type is the key type - /// and \c bits is the key size in bits. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_export_key( - key: mbedtls_svc_key_id_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; + /// \return 0 if successful + pub fn mbedtls_internal_ripemd160_process( + ctx: *mut mbedtls_ripemd160_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Export a public key or the public part of a key pair in binary format. + /// \brief Output = RIPEMD-160( input buffer ) /// - /// The output of this function can be passed to psa_import_key() to - /// create an object that is equivalent to the public key. + /// \param input buffer holding the data + /// \param ilen length of the input data + /// \param output RIPEMD-160 checksum result /// - /// This specification supports a single format for each key type. - /// Implementations may support other formats as long as the standard - /// format is supported. Implementations that support other formats - /// should ensure that the formats are clearly unambiguous so as to - /// minimize the risk that an invalid input is accidentally interpreted - /// according to a different format. + /// \return 0 if successful + pub fn mbedtls_ripemd160( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// For standard key types, the output format is as follows: - /// - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of - /// the representation defined by RFC 3279 §2.3.1 as `RSAPublicKey`. - /// ``` - /// RSAPublicKey ::= SEQUENCE { - /// modulus INTEGER, -- n - /// publicExponent INTEGER } -- e - /// ``` - /// - For elliptic curve keys on a twisted Edwards curve (key types for which - /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY - /// returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined - /// by RFC 8032 - /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). - /// - For other elliptic curve public keys (key types for which - /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed - /// representation defined by SEC1 §2.3.3 as the content of an ECPoint. - /// Let `m` be the bit size associated with the curve, i.e. the bit size of - /// `q` for a curve over `F_q`. The representation consists of: - /// - The byte 0x04; - /// - `x_P` as a `ceiling(m/8)`-byte string, big-endian; - /// - `y_P` as a `ceiling(m/8)`-byte string, big-endian. - /// - For Diffie-Hellman key exchange public keys (key types for which - /// #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true), - /// the format is the representation of the public key `y = g^x mod p` as a - /// big-endian byte string. The length of the byte string is the length of the - /// base prime `p` in bytes. + /// \return 0 if successful, or 1 if the test failed + pub fn mbedtls_ripemd160_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha1_context { + pub work_area: [::core::ffi::c_uchar; 208usize], +} +impl Default for mbedtls_sha1_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes a SHA-1 context. /// - /// Exporting a public key object or the public part of a key pair is - /// always permitted, regardless of the key's usage flags. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param key Identifier of the key to export. - /// \param[out] data Buffer where the key data is to be written. - /// \param data_size Size of the \p data buffer in bytes. - /// \param[out] data_length On success, the number of bytes - /// that make up the key data. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key is neither a public key nor a key pair. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p data buffer is too small. You can determine a - /// sufficient buffer size by calling - /// #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits) - /// where \c type is the key type - /// and \c bits is the key size in bits. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_export_public_key( - key: mbedtls_svc_key_id_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_sha1_init(ctx: *mut mbedtls_sha1_context); } unsafe extern "C" { - /// Calculate the hash (digest) of a message. - /// - /// \note To verify the hash of a message against an - /// expected value, use psa_hash_compare() instead. + /// \brief This function clears a SHA-1 context. /// - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). - /// \param[in] input Buffer containing the message to hash. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] hash Buffer where the hash is to be written. - /// \param hash_size Size of the \p hash buffer in bytes. - /// \param[out] hash_length On success, the number of bytes - /// that make up the hash value. This is always - /// #PSA_HASH_LENGTH(\p alg). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p hash_size is too small - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_compute( - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - hash: *mut u8, - hash_size: usize, - hash_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to clear. This may be \c NULL, + /// in which case this function does nothing. If it is + /// not \c NULL, it must point to an initialized + /// SHA-1 context. + pub fn mbedtls_sha1_free(ctx: *mut mbedtls_sha1_context); } unsafe extern "C" { - /// Calculate the hash (digest) of a message and compare it with a - /// reference value. + /// \brief This function clones the state of a SHA-1 context. /// - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). - /// \param[in] input Buffer containing the message to hash. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] hash Buffer containing the expected hash value. - /// \param hash_length Size of the \p hash buffer in bytes. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// The expected hash is identical to the actual hash of the input. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The hash of the message was calculated successfully, but it - /// differs from the expected hash. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p input_length or \p hash_length do not match the hash size for \p alg - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_compare( - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - hash: *const u8, - hash_length: usize, - ) -> psa_status_t; + /// \param dst The SHA-1 context to clone to. This must be initialized. + /// \param src The SHA-1 context to clone from. This must be initialized. + pub fn mbedtls_sha1_clone(dst: *mut mbedtls_sha1_context, src: *const mbedtls_sha1_context); } -/// The type of the state data structure for multipart hash operations. -/// -/// Before calling any function on a hash operation object, the application must -/// initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_hash_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_hash_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT, -/// for example: -/// \code -/// psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_hash_operation_init() -/// to the structure, for example: -/// \code -/// psa_hash_operation_t operation; -/// operation = psa_hash_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_hash_operation_t = psa_hash_operation_s; unsafe extern "C" { - /// Set up a multipart hash operation. - /// - /// The sequence of operations to calculate a hash (message digest) - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT. - /// -# Call psa_hash_setup() to specify the algorithm. - /// -# Call psa_hash_update() zero, one or more times, passing a fragment - /// of the message each time. The hash that is calculated is the hash - /// of the concatenation of these messages in order. - /// -# To calculate the hash, call psa_hash_finish(). - /// To compare the hash with an expected value, call psa_hash_verify(). - /// - /// If an error occurs at any step after a call to psa_hash_setup(), the - /// operation will need to be reset by a call to psa_hash_abort(). The - /// application may call psa_hash_abort() at any time after the operation - /// has been initialized. + /// \brief This function starts a SHA-1 checksum calculation. /// - /// After a successful call to psa_hash_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_hash_finish() or psa_hash_verify(). - /// - A call to psa_hash_abort(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_hash_operation_t and not yet in use. - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param ctx The SHA-1 context to initialize. This must be initialized. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not a supported hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p alg is not a hash algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_setup( - operation: *mut psa_hash_operation_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_starts(ctx: *mut mbedtls_sha1_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Add a message fragment to a multipart hash operation. - /// - /// The application must call psa_hash_setup() before calling this function. + /// \brief This function feeds an input buffer into an ongoing SHA-1 + /// checksum calculation. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation Active hash operation. - /// \param[in] input Buffer containing the message fragment to hash. - /// \param input_length Size of the \p input buffer in bytes. + /// \param ctx The SHA-1 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the input data. + /// This must be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data \p input in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_update( - operation: *mut psa_hash_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_update( + ctx: *mut mbedtls_sha1_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the hash of a message. + /// \brief This function finishes the SHA-1 operation, and writes + /// the result to the output buffer. /// - /// The application must call psa_hash_setup() before calling this function. - /// This function calculates the hash of the message formed by concatenating - /// the inputs passed to preceding calls to psa_hash_update(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// \param ctx The SHA-1 context to use. This must be initialized and + /// have a hash operation started. + /// \param output The SHA-1 checksum result. This must be a writable + /// buffer of length \c 20 Bytes. /// - /// \warning Applications should not call this function if they expect - /// a specific value for the hash. Call psa_hash_verify() instead. - /// Beware that comparing integrity or authenticity data such as - /// hash values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the hashed data which could allow an attacker to guess - /// a valid hash and thereby bypass security controls. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_finish( + ctx: *mut mbedtls_sha1_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief SHA-1 process data block (internal use only). /// - /// \param[in,out] operation Active hash operation. - /// \param[out] hash Buffer where the hash is to be written. - /// \param hash_size Size of the \p hash buffer in bytes. - /// \param[out] hash_length On success, the number of bytes - /// that make up the hash value. This is always - /// #PSA_HASH_LENGTH(\c alg) where \c alg is the - /// hash algorithm that is calculated. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p hash buffer is too small. You can determine a - /// sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) - /// where \c alg is the hash algorithm that is calculated. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_finish( - operation: *mut psa_hash_operation_t, - hash: *mut u8, - hash_size: usize, - hash_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to use. This must be initialized. + /// \param data The data block being processed. This must be a + /// readable buffer of length \c 64 Bytes. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha1_process( + ctx: *mut mbedtls_sha1_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the hash of a message and compare it with - /// an expected value. + /// \brief This function calculates the SHA-1 checksum of a buffer. /// - /// The application must call psa_hash_setup() before calling this function. - /// This function calculates the hash of the message formed by concatenating - /// the inputs passed to preceding calls to psa_hash_update(). It then - /// compares the calculated hash with the expected hash passed as a - /// parameter to this function. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// The SHA-1 result is calculated as + /// output = SHA-1(input buffer). /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual hash and the expected hash is performed - /// in constant time. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation Active hash operation. - /// \param[in] hash Buffer containing the expected hash value. - /// \param hash_length Size of the \p hash buffer in bytes. + /// \param input The buffer holding the input data. + /// This must be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data \p input in Bytes. + /// \param output The SHA-1 checksum result. + /// This must be a writable buffer of length \c 20 Bytes. /// - /// \retval #PSA_SUCCESS - /// The expected hash is identical to the actual hash of the message. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The hash of the message was calculated successfully, but it - /// differs from the expected hash. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_verify( - operation: *mut psa_hash_operation_t, - hash: *const u8, - hash_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a hash operation. + /// \brief The SHA-1 checkup routine. /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_hash_setup() again. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// You may call this function any time after the operation object has - /// been initialized by one of the methods described in #psa_hash_operation_t. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha1_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha256_context { + pub work_area: [::core::ffi::c_uchar; 208usize], + pub is224: ::core::ffi::c_uchar, +} +impl Default for mbedtls_sha256_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes a SHA-256 context. /// - /// In particular, calling psa_hash_abort() after the operation has been - /// terminated by a call to psa_hash_abort(), psa_hash_finish() or - /// psa_hash_verify() is safe and has no effect. + /// \param ctx The SHA-256 context to initialize. This must not be \c NULL. + pub fn mbedtls_sha256_init(ctx: *mut mbedtls_sha256_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-256 context. /// - /// \param[in,out] operation Initialized hash operation. + /// \param ctx The SHA-256 context to clear. This may be \c NULL, in which + /// case this function returns immediately. If it is not \c NULL, + /// it must point to an initialized SHA-256 context. + pub fn mbedtls_sha256_free(ctx: *mut mbedtls_sha256_context); +} +unsafe extern "C" { + /// \brief This function clones the state of a SHA-256 context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_abort(operation: *mut psa_hash_operation_t) -> psa_status_t; + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha256_clone( + dst: *mut mbedtls_sha256_context, + src: *const mbedtls_sha256_context, + ); } unsafe extern "C" { - /// Clone a hash operation. + /// \brief This function starts a SHA-224 or SHA-256 checksum + /// calculation. /// - /// This function copies the state of an ongoing hash operation to - /// a new operation object. In other words, this function is equivalent - /// to calling psa_hash_setup() on \p target_operation with the same - /// algorithm that \p source_operation was set up for, then - /// psa_hash_update() on \p target_operation with the same input that - /// that was passed to \p source_operation. After this function returns, the - /// two objects are independent, i.e. subsequent calls involving one of - /// the objects do not affect the other object. + /// \param ctx The context to use. This must be initialized. + /// \param is224 This determines which function to use. This must be + /// either \c 0 for SHA-256, or \c 1 for SHA-224. /// - /// \param[in] source_operation The active hash operation to clone. - /// \param[in,out] target_operation The operation object to set up. - /// It must be initialized but not active. + /// \note is224 must be defined accordingly to the enabled + /// MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the + /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The \p source_operation state is not valid (it must be active), or - /// the \p target_operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_clone( - source_operation: *const psa_hash_operation_t, - target_operation: *mut psa_hash_operation_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_starts( + ctx: *mut mbedtls_sha256_context, + is224: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Calculate the MAC (message authentication code) of a message. + /// \brief This function feeds an input buffer into an ongoing + /// SHA-256 checksum calculation. /// - /// \note To verify the MAC of a message against an - /// expected value, use psa_mac_verify() instead. - /// Beware that comparing integrity or authenticity data such as - /// MAC values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the MAC value which could allow an attacker to guess - /// a valid MAC and thereby bypass security controls. + /// \param ctx The SHA-256 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \param key Identifier of the key to use for the operation. It - /// must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). - /// \param[in] input Buffer containing the input message. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] mac Buffer where the MAC value is to be written. - /// \param mac_size Size of the \p mac buffer in bytes. - /// \param[out] mac_length On success, the number of bytes - /// that make up the MAC value. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_update( + ctx: *mut mbedtls_sha256_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function finishes the SHA-256 operation, and writes + /// the result to the output buffer. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p mac_size is too small - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_compute( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - mac: *mut u8, - mac_size: usize, - mac_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-256 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-224 or SHA-256 checksum result. + /// This must be a writable buffer of length \c 32 bytes + /// for SHA-256, \c 28 bytes for SHA-224. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_finish( + ctx: *mut mbedtls_sha256_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Calculate the MAC of a message and compare it with a reference value. + /// \brief This function processes a single data block within + /// the ongoing SHA-256 computation. This function is for + /// internal use only. /// - /// \param key Identifier of the key to use for the operation. It - /// must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). - /// \param[in] input Buffer containing the input message. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] mac Buffer containing the expected MAC value. - /// \param mac_length Size of the \p mac buffer in bytes. + /// \param ctx The SHA-256 context. This must be initialized. + /// \param data The buffer holding one block of data. This must + /// be a readable buffer of length \c 64 Bytes. /// - /// \retval #PSA_SUCCESS - /// The expected MAC is identical to the actual MAC of the input. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The MAC of the message was calculated successfully, but it - /// differs from the expected value. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - mac: *const u8, - mac_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha256_process( + ctx: *mut mbedtls_sha256_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart MAC operations. -/// -/// Before calling any function on a MAC operation object, the application must -/// initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_mac_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_mac_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT, -/// for example: -/// \code -/// psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_mac_operation_init() -/// to the structure, for example: -/// \code -/// psa_mac_operation_t operation; -/// operation = psa_mac_operation_init(); -/// \endcode -/// -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_mac_operation_t = psa_mac_operation_s; unsafe extern "C" { - /// Set up a multipart MAC calculation operation. + /// \brief This function calculates the SHA-224 or SHA-256 + /// checksum of a buffer. /// - /// This function sets up the calculation of the MAC - /// (message authentication code) of a byte string. - /// To verify the MAC of a message against an - /// expected value, use psa_mac_verify_setup() instead. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// The sequence of operations to calculate a MAC is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. - /// -# Call psa_mac_sign_setup() to specify the algorithm and key. - /// -# Call psa_mac_update() zero, one or more times, passing a fragment - /// of the message each time. The MAC that is calculated is the MAC - /// of the concatenation of these messages in order. - /// -# At the end of the message, call psa_mac_sign_finish() to finish - /// calculating the MAC value and retrieve it. + /// The SHA-256 result is calculated as + /// output = SHA-256(input buffer). /// - /// If an error occurs at any step after a call to psa_mac_sign_setup(), the - /// operation will need to be reset by a call to psa_mac_abort(). The - /// application may call psa_mac_abort() at any time after the operation - /// has been initialized. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-224 or SHA-256 checksum result. + /// This must be a writable buffer of length \c 32 bytes + /// for SHA-256, \c 28 bytes for SHA-224. + /// \param is224 Determines which function to use. This must be + /// either \c 0 for SHA-256, or \c 1 for SHA-224. /// - /// After a successful call to psa_mac_sign_setup(), the application must - /// eventually terminate the operation through one of the following methods: - /// - A successful call to psa_mac_sign_finish(). - /// - A call to psa_mac_abort(). + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + is224: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-224 checkup routine. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_mac_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. It - /// must remain valid until the operation terminates. - /// It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha224_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-256 checkup routine. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_sign_setup( - operation: *mut psa_mac_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha256_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha512_context { + pub work_area: [::core::ffi::c_uchar; 304usize], + pub is384: ::core::ffi::c_uchar, +} +impl Default for mbedtls_sha512_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Set up a multipart MAC verification operation. + /// \brief This function initializes a SHA-512 context. /// - /// This function sets up the verification of the MAC - /// (message authentication code) of a byte string against an expected value. + /// \param ctx The SHA-512 context to initialize. This must + /// not be \c NULL. + pub fn mbedtls_sha512_init(ctx: *mut mbedtls_sha512_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-512 context. /// - /// The sequence of operations to verify a MAC is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. - /// -# Call psa_mac_verify_setup() to specify the algorithm and key. - /// -# Call psa_mac_update() zero, one or more times, passing a fragment - /// of the message each time. The MAC that is calculated is the MAC - /// of the concatenation of these messages in order. - /// -# At the end of the message, call psa_mac_verify_finish() to finish - /// calculating the actual MAC of the message and verify it against - /// the expected value. + /// \param ctx The SHA-512 context to clear. This may be \c NULL, + /// in which case this function does nothing. If it + /// is not \c NULL, it must point to an initialized + /// SHA-512 context. + pub fn mbedtls_sha512_free(ctx: *mut mbedtls_sha512_context); +} +unsafe extern "C" { + /// \brief This function clones the state of a SHA-512 context. /// - /// If an error occurs at any step after a call to psa_mac_verify_setup(), the - /// operation will need to be reset by a call to psa_mac_abort(). The - /// application may call psa_mac_abort() at any time after the operation - /// has been initialized. + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha512_clone( + dst: *mut mbedtls_sha512_context, + src: *const mbedtls_sha512_context, + ); +} +unsafe extern "C" { + /// \brief This function starts a SHA-384 or SHA-512 checksum + /// calculation. /// - /// After a successful call to psa_mac_verify_setup(), the application must - /// eventually terminate the operation through one of the following methods: - /// - A successful call to psa_mac_verify_finish(). - /// - A call to psa_mac_abort(). + /// \param ctx The SHA-512 context to use. This must be initialized. + /// \param is384 Determines which function to use. This must be + /// either \c 0 for SHA-512, or \c 1 for SHA-384. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_mac_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. It - /// must remain valid until the operation terminates. - /// It must allow the usage - /// PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \note is384 must be defined accordingly to the enabled + /// MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the + /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c key is not compatible with \c alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify_setup( - operation: *mut psa_mac_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_starts( + ctx: *mut mbedtls_sha512_context, + is384: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Add a message fragment to a multipart MAC operation. - /// - /// The application must call psa_mac_sign_setup() or psa_mac_verify_setup() - /// before calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// \brief This function feeds an input buffer into an ongoing + /// SHA-512 checksum calculation. /// - /// \param[in,out] operation Active MAC operation. - /// \param[in] input Buffer containing the message fragment to add to - /// the MAC calculation. - /// \param input_length Size of the \p input buffer in bytes. + /// \param ctx The SHA-512 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the input data. This must + /// be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_update( - operation: *mut psa_mac_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_update( + ctx: *mut mbedtls_sha512_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the MAC of a message. - /// - /// The application must call psa_mac_sign_setup() before calling this function. - /// This function calculates the MAC of the message formed by concatenating - /// the inputs passed to preceding calls to psa_mac_update(). + /// \brief This function finishes the SHA-512 operation, and writes + /// the result to the output buffer. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// \param ctx The SHA-512 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-384 or SHA-512 checksum result. + /// This must be a writable buffer of length \c 64 bytes + /// for SHA-512, \c 48 bytes for SHA-384. /// - /// \warning Applications should not call this function if they expect - /// a specific value for the MAC. Call psa_mac_verify_finish() instead. - /// Beware that comparing integrity or authenticity data such as - /// MAC values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the MAC value which could allow an attacker to guess - /// a valid MAC and thereby bypass security controls. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_finish( + ctx: *mut mbedtls_sha512_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function processes a single data block within + /// the ongoing SHA-512 computation. + /// This function is for internal use only. /// - /// \param[in,out] operation Active MAC operation. - /// \param[out] mac Buffer where the MAC value is to be written. - /// \param mac_size Size of the \p mac buffer in bytes. - /// \param[out] mac_length On success, the number of bytes - /// that make up the MAC value. This is always - /// #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg) - /// where \c key_type and \c key_bits are the type and - /// bit-size respectively of the key and \c alg is the - /// MAC algorithm that is calculated. + /// \param ctx The SHA-512 context. This must be initialized. + /// \param data The buffer holding one block of data. This + /// must be a readable buffer of length \c 128 Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p mac buffer is too small. You can determine a - /// sufficient buffer size by calling PSA_MAC_LENGTH(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active mac sign - /// operation), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_sign_finish( - operation: *mut psa_mac_operation_t, - mac: *mut u8, - mac_size: usize, - mac_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha512_process( + ctx: *mut mbedtls_sha512_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the MAC of a message and compare it with - /// an expected value. + /// \brief This function calculates the SHA-512 or SHA-384 + /// checksum of a buffer. /// - /// The application must call psa_mac_verify_setup() before calling this function. - /// This function calculates the MAC of the message formed by concatenating - /// the inputs passed to preceding calls to psa_mac_update(). It then - /// compares the calculated MAC with the expected MAC passed as a - /// parameter to this function. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// The SHA-512 result is calculated as + /// output = SHA-512(input buffer). /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual MAC and the expected MAC is performed - /// in constant time. + /// \param input The buffer holding the input data. This must be + /// a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-384 or SHA-512 checksum result. + /// This must be a writable buffer of length \c 64 bytes + /// for SHA-512, \c 48 bytes for SHA-384. + /// \param is384 Determines which function to use. This must be either + /// \c 0 for SHA-512, or \c 1 for SHA-384. /// - /// \param[in,out] operation Active MAC operation. - /// \param[in] mac Buffer containing the expected MAC value. - /// \param mac_length Size of the \p mac buffer in bytes. + /// \note is384 must be defined accordingly with the supported + /// symbols in the config file. If: + /// - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or + /// - is384 is 1, but \c MBEDTLS_SHA512_C is not defined + /// then the function will return + /// #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS - /// The expected MAC is identical to the actual MAC of the message. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The MAC of the message was calculated successfully, but it - /// differs from the expected MAC. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active mac verify - /// operation), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify_finish( - operation: *mut psa_mac_operation_t, - mac: *const u8, - mac_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + is384: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a MAC operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_mac_sign_setup() or psa_mac_verify_setup() again. + /// \brief The SHA-384 checkup routine. /// - /// You may call this function any time after the operation object has - /// been initialized by one of the methods described in #psa_mac_operation_t. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha384_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-512 checkup routine. /// - /// In particular, calling psa_mac_abort() after the operation has been - /// terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or - /// psa_mac_verify_finish() is safe and has no effect. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha512_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +///< Operation not defined. +pub const mbedtls_sha3_id_MBEDTLS_SHA3_NONE: mbedtls_sha3_id = 0; +///< SHA3-224 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_224: mbedtls_sha3_id = 1; +///< SHA3-256 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_256: mbedtls_sha3_id = 2; +///< SHA3-384 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_384: mbedtls_sha3_id = 3; +///< SHA3-512 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_512: mbedtls_sha3_id = 4; +/// SHA-3 family id. +/// +/// It identifies the family (SHA3-256, SHA3-512, etc.) +pub type mbedtls_sha3_id = ::core::ffi::c_uint; +/// \brief The SHA-3 context structure. +/// +/// The structure is used SHA-3 checksum calculations. +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_sha3_context { + pub private_state: [u64; 25usize], + pub private_index: u32, + pub private_olen: u16, + pub private_max_block_size: u16, +} +unsafe extern "C" { + /// \brief This function initializes a SHA-3 context. /// - /// \param[in,out] operation Initialized MAC operation. + /// \param ctx The SHA-3 context to initialize. This must not be \c NULL. + pub fn mbedtls_sha3_init(ctx: *mut mbedtls_sha3_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-3 context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_abort(operation: *mut psa_mac_operation_t) -> psa_status_t; + /// \param ctx The SHA-3 context to clear. This may be \c NULL, in which + /// case this function returns immediately. If it is not \c NULL, + /// it must point to an initialized SHA-3 context. + pub fn mbedtls_sha3_free(ctx: *mut mbedtls_sha3_context); } unsafe extern "C" { - /// Encrypt a message using a symmetric cipher. + /// \brief This function clones the state of a SHA-3 context. /// - /// This function encrypts a message with a random IV (initialization - /// vector). Use the multipart operation interface with a - /// #psa_cipher_operation_t object to provide other forms of IV. + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha3_clone(dst: *mut mbedtls_sha3_context, src: *const mbedtls_sha3_context); +} +unsafe extern "C" { + /// \brief This function starts a SHA-3 checksum + /// calculation. /// - /// \param key Identifier of the key to use for the operation. - /// It must allow the usage #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// \param[in] input Buffer containing the message to encrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// The output contains the IV followed by - /// the ciphertext proper. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the output. + /// \param ctx The context to use. This must be initialized. + /// \param id The id of the SHA-3 family. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_starts( + ctx: *mut mbedtls_sha3_context, + id: mbedtls_sha3_id, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Decrypt a message using a symmetric cipher. - /// - /// This function decrypts a message encrypted with a symmetric cipher. + /// \brief This function feeds an input buffer into an ongoing + /// SHA-3 checksum calculation. /// - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// \param[in] input Buffer containing the message to decrypt. - /// This consists of the IV followed by the - /// ciphertext proper. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the plaintext is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the output. + /// \param ctx The SHA-3 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_update( + ctx: *mut mbedtls_sha3_context, input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + ilen: usize, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart cipher operations. -/// -/// Before calling any function on a cipher operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_cipher_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_cipher_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT, -/// for example: -/// \code -/// psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_cipher_operation_init() -/// to the structure, for example: -/// \code -/// psa_cipher_operation_t operation; -/// operation = psa_cipher_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_cipher_operation_t = psa_cipher_operation_s; unsafe extern "C" { - /// Set the key for a multipart symmetric encryption operation. + /// \brief This function finishes the SHA-3 operation, and writes + /// the result to the output buffer. /// - /// The sequence of operations to encrypt a message with a symmetric cipher - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_cipher_operation_t, e.g. - /// #PSA_CIPHER_OPERATION_INIT. - /// -# Call psa_cipher_encrypt_setup() to specify the algorithm and key. - /// -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to - /// generate or set the IV (initialization vector). You should use - /// psa_cipher_generate_iv() unless the protocol you are implementing - /// requires a specific IV value. - /// -# Call psa_cipher_update() zero, one or more times, passing a fragment - /// of the message each time. - /// -# Call psa_cipher_finish(). + /// \param ctx The SHA-3 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-3 checksum result. + /// This must be a writable buffer of length \c olen bytes. + /// \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256, + /// SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64, + /// respectively. /// - /// If an error occurs at any step after a call to psa_cipher_encrypt_setup(), - /// the operation will need to be reset by a call to psa_cipher_abort(). The - /// application may call psa_cipher_abort() at any time after the operation - /// has been initialized. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_finish( + ctx: *mut mbedtls_sha3_context, + output: *mut u8, + olen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function calculates the SHA-3 + /// checksum of a buffer. /// - /// After a successful call to psa_cipher_encrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_cipher_finish(). - /// - A call to psa_cipher_abort(). + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_cipher_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// The SHA-3 result is calculated as + /// output = SHA-3(id, input buffer, d). /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_encrypt_setup( - operation: *mut psa_cipher_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \param id The id of the SHA-3 family. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-3 checksum result. + /// This must be a writable buffer of length \c olen bytes. + /// \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256, + /// SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64, + /// respectively. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3( + id: mbedtls_sha3_id, + input: *const u8, + ilen: usize, + output: *mut u8, + olen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the key for a multipart symmetric decryption operation. + /// \brief Checkup routine for the algorithms implemented + /// by this module: SHA3-224, SHA3-256, SHA3-384, SHA3-512. /// - /// The sequence of operations to decrypt a message with a symmetric cipher - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_cipher_operation_t, e.g. - /// #PSA_CIPHER_OPERATION_INIT. - /// -# Call psa_cipher_decrypt_setup() to specify the algorithm and key. - /// -# Call psa_cipher_set_iv() with the IV (initialization vector) for the - /// decryption. If the IV is prepended to the ciphertext, you can call - /// psa_cipher_update() on a buffer containing the IV followed by the - /// beginning of the message. - /// -# Call psa_cipher_update() zero, one or more times, passing a fragment - /// of the message each time. - /// -# Call psa_cipher_finish(). - /// - /// If an error occurs at any step after a call to psa_cipher_decrypt_setup(), - /// the operation will need to be reset by a call to psa_cipher_abort(). The - /// application may call psa_cipher_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_cipher_decrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_cipher_finish(). - /// - A call to psa_cipher_abort(). - /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_cipher_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_decrypt_setup( - operation: *mut psa_cipher_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return 0 if successful, or 1 if the test failed. + pub fn mbedtls_sha3_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// Generate an IV for a symmetric encryption operation. - /// - /// This function generates a random IV (initialization vector), nonce - /// or initial counter value for the encryption operation as appropriate - /// for the chosen algorithm, key type and key size. - /// - /// The application must call psa_cipher_encrypt_setup() before - /// calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[out] iv Buffer where the generated IV is to be written. - /// \param iv_size Size of the \p iv buffer in bytes. - /// \param[out] iv_length On success, the number of bytes of the - /// generated IV. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p iv buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with no IV set), - /// or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_generate_iv( - operation: *mut psa_cipher_operation_t, - iv: *mut u8, - iv_size: usize, - iv_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_hash_operation_t { + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + pub private_ctx: mbedtls_psa_hash_operation_t__bindgen_ty_1, } -unsafe extern "C" { - /// Set the IV for a symmetric encryption or decryption operation. - /// - /// This function sets the IV (initialization vector), nonce - /// or initial counter value for the encryption or decryption operation. - /// - /// The application must call psa_cipher_encrypt_setup() before - /// calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \note When encrypting, applications should use psa_cipher_generate_iv() - /// instead of this function, unless implementing a protocol that requires - /// a non-random IV. - /// - /// \param[in,out] operation Active cipher operation. - /// \param[in] iv Buffer containing the IV to use. - /// \param iv_length Size of the IV in bytes. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The size of \p iv is not acceptable for the chosen algorithm, - /// or the chosen algorithm does not use an IV. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active cipher - /// encrypt operation, with no IV set), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_set_iv( - operation: *mut psa_cipher_operation_t, - iv: *const u8, - iv_length: usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union mbedtls_psa_hash_operation_t__bindgen_ty_1 { + pub dummy: ::core::ffi::c_uint, + pub md5: mbedtls_md5_context, + pub ripemd160: mbedtls_ripemd160_context, + pub sha1: mbedtls_sha1_context, + pub sha256: mbedtls_sha256_context, + pub sha512: mbedtls_sha512_context, } -unsafe extern "C" { - /// Encrypt or decrypt a message fragment in an active cipher operation. - /// - /// Before calling this function, you must: - /// 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(). - /// The choice of setup function determines whether this function - /// encrypts or decrypts its input. - /// 2. If the algorithm requires an IV, call psa_cipher_generate_iv() - /// (recommended when encrypting) or psa_cipher_set_iv(). - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[in] input Buffer containing the message fragment to - /// encrypt or decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with an IV set - /// if required for the algorithm), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_update( - operation: *mut psa_cipher_operation_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_hash_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Finish encrypting or decrypting a message in a cipher operation. - /// - /// The application must call psa_cipher_encrypt_setup() or - /// psa_cipher_decrypt_setup() before calling this function. The choice - /// of setup function determines whether this function encrypts or - /// decrypts its input. - /// - /// This function finishes the encryption or decryption of the message - /// formed by concatenating the inputs passed to preceding calls to - /// psa_cipher_update(). - /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total input size passed to this operation is not valid for - /// this particular algorithm. For example, the algorithm is a based - /// on block cipher and requires a whole number of blocks, but the - /// total input size is not a multiple of the block size. - /// \retval #PSA_ERROR_INVALID_PADDING - /// This is a decryption operation for an algorithm that includes - /// padding, and the ciphertext does not contain valid padding. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with an IV set - /// if required for the algorithm), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_finish( - operation: *mut psa_cipher_operation_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_hash_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_cipher_operation_t { + pub private_alg: psa_algorithm_t, + pub private_iv_length: u8, + pub private_block_length: u8, + pub private_ctx: mbedtls_psa_cipher_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_cipher_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_cipher: mbedtls_cipher_context_t, +} +impl Default for mbedtls_psa_cipher_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_cipher_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_hash_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_hash_operation_t, +} +impl Default for psa_driver_hash_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_cipher_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_cipher_operation_t, +} +impl Default for psa_driver_cipher_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_hash_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_driver_wrappers.h. + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. the driver context is not active, in use). + pub private_id: ::core::ffi::c_uint, + pub __bindgen_padding_0: u64, + pub private_ctx: psa_driver_hash_context_t, +} +impl Default for psa_hash_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_cipher_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_default_iv_length: u8, + pub private_ctx: psa_driver_cipher_context_t, +} +impl Default for psa_cipher_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_cipher_operation_s { + #[inline] + pub fn private_iv_required(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_iv_required(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_required_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_required_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_iv_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_iv_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(1usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 1usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 1usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_iv_required: ::core::ffi::c_uint, + private_iv_set: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_iv_required: u32 = unsafe { ::core::mem::transmute(private_iv_required) }; + private_iv_required as u64 + }); + __bindgen_bitfield_unit.set(1usize, 1u8, { + let private_iv_set: u32 = unsafe { ::core::mem::transmute(private_iv_set) }; + private_iv_set as u64 + }); + __bindgen_bitfield_unit + } +} +/// \brief The GCM context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_gcm_context { + ///< The cipher context used. + pub private_cipher_ctx: mbedtls_cipher_context_t, + ///< Precalculated HTable. + pub private_H: [[u64; 2usize]; 16usize], + ///< The total length of the encrypted data. + pub private_len: u64, + ///< The total length of the additional data. + pub private_add_len: u64, + ///< The first ECTR for tag. + pub private_base_ectr: [::core::ffi::c_uchar; 16usize], + ///< The Y working value. + pub private_y: [::core::ffi::c_uchar; 16usize], + ///< The buf working value. + pub private_buf: [::core::ffi::c_uchar; 16usize], + ///< The operation to perform: + ///#MBEDTLS_GCM_ENCRYPT or + ///#MBEDTLS_GCM_DECRYPT. + pub private_mode: ::core::ffi::c_uchar, + ///< The acceleration to use. + pub private_acceleration: ::core::ffi::c_uchar, +} +impl Default for mbedtls_gcm_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Abort a cipher operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again. - /// - /// You may call this function any time after the operation object has - /// been initialized as described in #psa_cipher_operation_t. - /// - /// In particular, calling psa_cipher_abort() after the operation has been - /// terminated by a call to psa_cipher_abort() or psa_cipher_finish() - /// is safe and has no effect. + /// \brief This function initializes the specified GCM context, + /// to make references valid, and prepares the context + /// for mbedtls_gcm_setkey() or mbedtls_gcm_free(). /// - /// \param[in,out] operation Initialized cipher operation. + /// The function does not bind the GCM context to a particular + /// cipher, nor set the key. For this purpose, use + /// mbedtls_gcm_setkey(). /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_abort(operation: *mut psa_cipher_operation_t) -> psa_status_t; + /// \param ctx The GCM context to initialize. This must not be \c NULL. + pub fn mbedtls_gcm_init(ctx: *mut mbedtls_gcm_context); } unsafe extern "C" { - /// Process an authenticated encryption operation. + /// \brief This function associates a GCM context with a + /// cipher algorithm and a key. /// - /// \param key Identifier of the key to use for the - /// operation. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). - /// \param[in] nonce Nonce or IV to use. - /// \param nonce_length Size of the \p nonce buffer in bytes. - /// \param[in] additional_data Additional data that will be authenticated - /// but not encrypted. - /// \param additional_data_length Size of \p additional_data in bytes. - /// \param[in] plaintext Data that will be authenticated and - /// encrypted. - /// \param plaintext_length Size of \p plaintext in bytes. - /// \param[out] ciphertext Output buffer for the authenticated and - /// encrypted data. The additional data is not - /// part of this output. For algorithms where the - /// encrypted data and the authentication tag - /// are defined as separate outputs, the - /// authentication tag is appended to the - /// encrypted data. - /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, - /// \p alg, \p plaintext_length) where - /// \c key_type is the type of \p key. - /// - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p - /// plaintext_length) evaluates to the maximum - /// ciphertext size of any supported AEAD - /// encryption. - /// \param[out] ciphertext_length On success, the size of the output - /// in the \p ciphertext buffer. + /// \param ctx The GCM context. This must be initialized. + /// \param cipher The 128-bit block cipher to use. + /// \param key The encryption key. This must be a readable buffer of at + /// least \p keybits bits. + /// \param keybits The key size in bits. Valid options are: + ///
  • 128 bits
    • + ///
  • 192 bits
    • + ///
  • 256 bits
/// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p ciphertext_size is too small. - /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg, - /// \p plaintext_length) or - /// #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to - /// determine the required buffer size. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - nonce: *const u8, - nonce_length: usize, - additional_data: *const u8, - additional_data_length: usize, - plaintext: *const u8, - plaintext_length: usize, - ciphertext: *mut u8, - ciphertext_size: usize, - ciphertext_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A cipher-specific error code on failure. + pub fn mbedtls_gcm_setkey( + ctx: *mut mbedtls_gcm_context, + cipher: mbedtls_cipher_id_t, + key: *const ::core::ffi::c_uchar, + keybits: ::core::ffi::c_uint, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Process an authenticated decryption operation. + /// \brief This function performs GCM encryption or decryption of a buffer. /// - /// \param key Identifier of the key to use for the - /// operation. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). - /// \param[in] nonce Nonce or IV to use. - /// \param nonce_length Size of the \p nonce buffer in bytes. - /// \param[in] additional_data Additional data that has been authenticated - /// but not encrypted. - /// \param additional_data_length Size of \p additional_data in bytes. - /// \param[in] ciphertext Data that has been authenticated and - /// encrypted. For algorithms where the - /// encrypted data and the authentication tag - /// are defined as separate inputs, the buffer - /// must contain the encrypted data followed - /// by the authentication tag. - /// \param ciphertext_length Size of \p ciphertext in bytes. - /// \param[out] plaintext Output buffer for the decrypted data. - /// \param plaintext_size Size of the \p plaintext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, - /// \p alg, \p ciphertext_length) where - /// \c key_type is the type of \p key. - /// - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p - /// ciphertext_length) evaluates to the maximum - /// plaintext size of any supported AEAD - /// decryption. - /// \param[out] plaintext_length On success, the size of the output - /// in the \p plaintext buffer. + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The ciphertext is not authentic. - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p plaintext_size is too small. - /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg, - /// \p ciphertext_length) or - /// #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used - /// to determine the required buffer size. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - nonce: *const u8, - nonce_length: usize, - additional_data: *const u8, - additional_data_length: usize, - ciphertext: *const u8, - ciphertext_length: usize, - plaintext: *mut u8, - plaintext_size: usize, - plaintext_length: *mut usize, - ) -> psa_status_t; + /// \warning When this function performs a decryption, it outputs the + /// authentication tag and does not verify that the data is + /// authentic. You should use this function to perform encryption + /// only. For decryption, use mbedtls_gcm_auth_decrypt() instead. + /// + /// \param ctx The GCM context to use for encryption or decryption. This + /// must be initialized. + /// \param mode The operation to perform: + /// - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption. + /// The ciphertext is written to \p output and the + /// authentication tag is written to \p tag. + /// - #MBEDTLS_GCM_DECRYPT to perform decryption. + /// The plaintext is written to \p output and the + /// authentication tag is written to \p tag. + /// Note that this mode is not recommended, because it does + /// not verify the authenticity of the data. For this reason, + /// you should use mbedtls_gcm_auth_decrypt() instead of + /// calling this function in decryption mode. + /// \param length The length of the input data, which is equal to the length + /// of the output data. + /// \param iv The initialization vector. This must be a readable buffer of + /// at least \p iv_len Bytes. + /// \param iv_len The length of the IV. + /// \param add The buffer holding the additional data. This must be of at + /// least that size in Bytes. + /// \param add_len The length of the additional data. + /// \param input The buffer holding the input data. If \p length is greater + /// than zero, this must be a readable buffer of at least that + /// size in Bytes. + /// \param output The buffer for holding the output data. If \p length is greater + /// than zero, this must be a writable buffer of at least that + /// size in Bytes. + /// \param tag_len The length of the tag to generate. + /// \param tag The buffer for holding the tag. This must be a writable + /// buffer of at least \p tag_len Bytes. + /// + /// \return \c 0 if the encryption or decryption was performed + /// successfully. Note that in #MBEDTLS_GCM_DECRYPT mode, + /// this does not indicate that the data is authentic. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are + /// not valid or a cipher-specific error code if the encryption + /// or decryption failed. + pub fn mbedtls_gcm_crypt_and_tag( + ctx: *mut mbedtls_gcm_context, + mode: ::core::ffi::c_int, + length: usize, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + add: *const ::core::ffi::c_uchar, + add_len: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + tag_len: usize, + tag: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart AEAD operations. -/// -/// Before calling any function on an AEAD operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_aead_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_aead_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT, -/// for example: -/// \code -/// psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_aead_operation_init() -/// to the structure, for example: -/// \code -/// psa_aead_operation_t operation; -/// operation = psa_aead_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_aead_operation_t = psa_aead_operation_s; unsafe extern "C" { - /// Set the key for a multipart authenticated encryption operation. + /// \brief This function performs a GCM authenticated decryption of a + /// buffer. /// - /// The sequence of operations to encrypt a message with authentication - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_aead_operation_t, e.g. - /// #PSA_AEAD_OPERATION_INIT. - /// -# Call psa_aead_encrypt_setup() to specify the algorithm and key. - /// -# If needed, call psa_aead_set_lengths() to specify the length of the - /// inputs to the subsequent calls to psa_aead_update_ad() and - /// psa_aead_update(). See the documentation of psa_aead_set_lengths() - /// for details. - /// -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to - /// generate or set the nonce. You should use - /// psa_aead_generate_nonce() unless the protocol you are implementing - /// requires a specific nonce value. - /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment - /// of the non-encrypted additional authenticated data each time. - /// -# Call psa_aead_update() zero, one or more times, passing a fragment - /// of the message to encrypt each time. - /// -# Call psa_aead_finish(). - /// - /// If an error occurs at any step after a call to psa_aead_encrypt_setup(), - /// the operation will need to be reset by a call to psa_aead_abort(). The - /// application may call psa_aead_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_aead_encrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_aead_finish(). - /// - A call to psa_aead_abort(). + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. Implementations which require + /// MBEDTLS_GCM_ALT to be enabled may not provide support for + /// overlapping buffers. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_aead_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param ctx The GCM context. This must be initialized. + /// \param length The length of the ciphertext to decrypt, which is also + /// the length of the decrypted plaintext. + /// \param iv The initialization vector. This must be a readable buffer + /// of at least \p iv_len Bytes. + /// \param iv_len The length of the IV. + /// \param add The buffer holding the additional data. This must be of at + /// least that size in Bytes. + /// \param add_len The length of the additional data. + /// \param tag The buffer holding the tag to verify. This must be a + /// readable buffer of at least \p tag_len Bytes. + /// \param tag_len The length of the tag to verify. + /// \param input The buffer holding the ciphertext. If \p length is greater + /// than zero, this must be a readable buffer of at least that + /// size. + /// \param output The buffer for holding the decrypted plaintext. If \p length + /// is greater than zero, this must be a writable buffer of at + /// least that size. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_encrypt_setup( - operation: *mut psa_aead_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 if successful and authenticated. + /// \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are + /// not valid or a cipher-specific error code if the decryption + /// failed. + pub fn mbedtls_gcm_auth_decrypt( + ctx: *mut mbedtls_gcm_context, + length: usize, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + add: *const ::core::ffi::c_uchar, + add_len: usize, + tag: *const ::core::ffi::c_uchar, + tag_len: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the key for a multipart authenticated decryption operation. - /// - /// The sequence of operations to decrypt a message with authentication - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_aead_operation_t, e.g. - /// #PSA_AEAD_OPERATION_INIT. - /// -# Call psa_aead_decrypt_setup() to specify the algorithm and key. - /// -# If needed, call psa_aead_set_lengths() to specify the length of the - /// inputs to the subsequent calls to psa_aead_update_ad() and - /// psa_aead_update(). See the documentation of psa_aead_set_lengths() - /// for details. - /// -# Call psa_aead_set_nonce() with the nonce for the decryption. - /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment - /// of the non-encrypted additional authenticated data each time. - /// -# Call psa_aead_update() zero, one or more times, passing a fragment - /// of the ciphertext to decrypt each time. - /// -# Call psa_aead_verify(). - /// - /// If an error occurs at any step after a call to psa_aead_decrypt_setup(), - /// the operation will need to be reset by a call to psa_aead_abort(). The - /// application may call psa_aead_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_aead_decrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_aead_verify(). - /// - A call to psa_aead_abort(). + /// \brief This function starts a GCM encryption or decryption + /// operation. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_aead_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param ctx The GCM context. This must be initialized. + /// \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or + /// #MBEDTLS_GCM_DECRYPT. + /// \param iv The initialization vector. This must be a readable buffer of + /// at least \p iv_len Bytes. + /// \param iv_len The length of the IV. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_decrypt_setup( - operation: *mut psa_aead_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + pub fn mbedtls_gcm_starts( + ctx: *mut mbedtls_gcm_context, + mode: ::core::ffi::c_int, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Generate a random nonce for an authenticated encryption operation. - /// - /// This function generates a random nonce for the authenticated encryption - /// operation with an appropriate size for the chosen algorithm, key type - /// and key size. - /// - /// The application must call psa_aead_encrypt_setup() before - /// calling this function. + /// \brief This function feeds an input buffer as associated data + /// (authenticated but not encrypted data) in a GCM + /// encryption or decryption operation. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// Call this function after mbedtls_gcm_starts() to pass + /// the associated data. If the associated data is empty, + /// you do not need to call this function. You may not + /// call this function after calling mbedtls_cipher_update(). /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] nonce Buffer where the generated nonce is to be - /// written. - /// \param nonce_size Size of the \p nonce buffer in bytes. - /// \param[out] nonce_length On success, the number of bytes of the - /// generated nonce. + /// \param ctx The GCM context. This must have been started with + /// mbedtls_gcm_starts() and must not have yet received + /// any input with mbedtls_gcm_update(). + /// \param add The buffer holding the additional data, or \c NULL + /// if \p add_len is \c 0. + /// \param add_len The length of the additional data. If \c 0, + /// \p add may be \c NULL. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p nonce buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active aead encrypt - /// operation, with no nonce set), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_generate_nonce( - operation: *mut psa_aead_operation_t, - nonce: *mut u8, - nonce_size: usize, - nonce_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + pub fn mbedtls_gcm_update_ad( + ctx: *mut mbedtls_gcm_context, + add: *const ::core::ffi::c_uchar, + add_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the nonce for an authenticated encryption or decryption operation. + /// \brief This function feeds an input buffer into an ongoing GCM + /// encryption or decryption operation. /// - /// This function sets the nonce for the authenticated - /// encryption or decryption operation. + /// You may call this function zero, one or more times + /// to pass successive parts of the input: the plaintext to + /// encrypt, or the ciphertext (not including the tag) to + /// decrypt. After the last part of the input, call + /// mbedtls_gcm_finish(). /// - /// The application must call psa_aead_encrypt_setup() or - /// psa_aead_decrypt_setup() before calling this function. + /// This function may produce output in one of the following + /// ways: + /// - Immediate output: the output length is always equal + /// to the input length. + /// - Buffered output: the output consists of a whole number + /// of 16-byte blocks. If the total input length so far + /// (not including associated data) is 16 \* *B* + *A* + /// with *A* < 16 then the total output length is 16 \* *B*. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// In particular: + /// - It is always correct to call this function with + /// \p output_size >= \p input_length + 15. + /// - If \p input_length is a multiple of 16 for all the calls + /// to this function during an operation, then it is + /// correct to use \p output_size = \p input_length. /// - /// \note When encrypting, applications should use psa_aead_generate_nonce() - /// instead of this function, unless implementing a protocol that requires - /// a non-random IV. + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. Implementations which require + /// MBEDTLS_GCM_ALT to be enabled may not provide support for + /// overlapping buffers. /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] nonce Buffer containing the nonce to use. - /// \param nonce_length Size of the nonce in bytes. + /// \param ctx The GCM context. This must be initialized. + /// \param input The buffer holding the input data. If \p input_length + /// is greater than zero, this must be a readable buffer + /// of at least \p input_length bytes. + /// \param input_length The length of the input data in bytes. + /// \param output The buffer for the output data. If \p output_size + /// is greater than zero, this must be a writable buffer of + /// of at least \p output_size bytes. + /// \param output_size The size of the output buffer in bytes. + /// See the function description regarding the output size. + /// \param output_length On success, \p *output_length contains the actual + /// length of the output written in \p output. + /// On failure, the content of \p *output_length is + /// unspecified. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The size of \p nonce is not acceptable for the chosen algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with no nonce - /// set), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_set_nonce( - operation: *mut psa_aead_operation_t, - nonce: *const u8, - nonce_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: + /// total input length too long, + /// unsupported input/output buffer overlap detected, + /// or \p output_size too small. + pub fn mbedtls_gcm_update( + ctx: *mut mbedtls_gcm_context, + input: *const ::core::ffi::c_uchar, + input_length: usize, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_length: *mut usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Declare the lengths of the message and additional data for AEAD. - /// - /// The application must call this function before calling - /// psa_aead_update_ad() or psa_aead_update() if the algorithm for - /// the operation requires it. If the algorithm does not require it, - /// calling this function is optional, but if this function is called - /// then the implementation must enforce the lengths. - /// - /// You may call this function before or after setting the nonce with - /// psa_aead_set_nonce() or psa_aead_generate_nonce(). - /// - /// - For #PSA_ALG_CCM, calling this function is required. - /// - For the other AEAD algorithms defined in this specification, calling - /// this function is not required. - /// - For vendor-defined algorithm, refer to the vendor documentation. + /// \brief This function finishes the GCM operation and generates + /// the authentication tag. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// It wraps up the GCM stream, and generates the + /// tag. The tag can have a maximum length of 16 Bytes. /// - /// \param[in,out] operation Active AEAD operation. - /// \param ad_length Size of the non-encrypted additional - /// authenticated data in bytes. - /// \param plaintext_length Size of the plaintext to encrypt in bytes. + /// \param ctx The GCM context. This must be initialized. + /// \param tag The buffer for holding the tag. This must be a writable + /// buffer of at least \p tag_len Bytes. + /// \param tag_len The length of the tag to generate. This must be at least + /// four. + /// \param output The buffer for the final output. + /// If \p output_size is nonzero, this must be a writable + /// buffer of at least \p output_size bytes. + /// \param output_size The size of the \p output buffer in bytes. + /// This must be large enough for the output that + /// mbedtls_gcm_update() has not produced. In particular: + /// - If mbedtls_gcm_update() produces immediate output, + /// or if the total input size is a multiple of \c 16, + /// then mbedtls_gcm_finish() never produces any output, + /// so \p output_size can be \c 0. + /// - \p output_size never needs to be more than \c 15. + /// \param output_length On success, \p *output_length contains the actual + /// length of the output written in \p output. + /// On failure, the content of \p *output_length is + /// unspecified. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// At least one of the lengths is not acceptable for the chosen - /// algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and - /// psa_aead_update_ad() and psa_aead_update() must not have been - /// called yet), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_set_lengths( - operation: *mut psa_aead_operation_t, - ad_length: usize, - plaintext_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: + /// invalid value of \p tag_len, + /// or \p output_size too small. + pub fn mbedtls_gcm_finish( + ctx: *mut mbedtls_gcm_context, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_length: *mut usize, + tag: *mut ::core::ffi::c_uchar, + tag_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Pass additional data to an active AEAD operation. - /// - /// Additional data is authenticated, but not encrypted. - /// - /// You may call this function multiple times to pass successive fragments - /// of the additional data. You may not call this function after passing - /// data to encrypt or decrypt with psa_aead_update(). - /// - /// Before calling this function, you must: - /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). - /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). - /// - /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, - /// there is no guarantee that the input is valid. Therefore, until - /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS, - /// treat the input as untrusted and prepare to undo any action that - /// depends on the input if psa_aead_verify() returns an error status. - /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] input Buffer containing the fragment of - /// additional data. - /// \param input_length Size of the \p input buffer in bytes. + /// \brief This function clears a GCM context and the underlying + /// cipher sub-context. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total input length overflows the additional data length that - /// was previously specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, have a nonce - /// set, have lengths set if required by the algorithm, and - /// psa_aead_update() must not have been called yet), or the library - /// has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_update_ad( - operation: *mut psa_aead_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \param ctx The GCM context to clear. If this is \c NULL, the call has + /// no effect. Otherwise, this must be initialized. + pub fn mbedtls_gcm_free(ctx: *mut mbedtls_gcm_context); } unsafe extern "C" { - /// Encrypt or decrypt a message fragment in an active AEAD operation. - /// - /// Before calling this function, you must: - /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). - /// The choice of setup function determines whether this function - /// encrypts or decrypts its input. - /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). - /// 3. Call psa_aead_update_ad() to pass all the additional data. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). - /// - /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, - /// there is no guarantee that the input is valid. Therefore, until - /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS: - /// - Do not use the output in any way other than storing it in a - /// confidential location. If you take any action that depends - /// on the tentative decrypted data, this action will need to be - /// undone if the input turns out not to be valid. Furthermore, - /// if an adversary can observe that this action took place - /// (for example through timing), they may be able to use this - /// fact as an oracle to decrypt any message encrypted with the - /// same key. - /// - In particular, do not copy the output anywhere but to a - /// memory or storage space that you have exclusive access to. - /// - /// This function does not require the input to be aligned to any - /// particular block boundary. If the implementation can only process - /// a whole block at a time, it must consume all the input provided, but - /// it may delay the end of the corresponding output until a subsequent - /// call to psa_aead_update(), psa_aead_finish() or psa_aead_verify() - /// provides sufficient input. The amount of data that can be delayed - /// in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE. - /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] input Buffer containing the message fragment to - /// encrypt or decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, - /// \c alg, \p input_length) where - /// \c key_type is the type of key and \c alg is - /// the algorithm that were used to set up the - /// operation. - /// - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p - /// input_length) evaluates to the maximum - /// output size of any supported AEAD - /// algorithm. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. + /// \brief The GCM checkup routine. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or - /// #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to - /// determine the required buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total input length overflows the plaintext length that - /// was previously specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, have a nonce - /// set, and have lengths set if required by the algorithm), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_update( - operation: *mut psa_aead_operation_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_gcm_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_hmac_operation_t { + /// The HMAC algorithm in use + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + /// The hash context. + pub hash_ctx: psa_hash_operation_s, + /// The HMAC part of the context. + pub private_opad: [u8; 128usize], +} +impl Default for mbedtls_psa_hmac_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_mac_operation_t { + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + pub private_ctx: mbedtls_psa_mac_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union mbedtls_psa_mac_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_hmac: mbedtls_psa_hmac_operation_t, + pub private_cmac: mbedtls_cipher_context_t, +} +impl Default for mbedtls_psa_mac_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_mac_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_aead_operation_t { + pub private_alg: psa_algorithm_t, + pub private_key_type: psa_key_type_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_tag_length: u8, + pub ctx: mbedtls_psa_aead_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_aead_operation_t__bindgen_ty_1 { + pub dummy: ::core::ffi::c_uint, + pub private_ccm: mbedtls_ccm_context, + pub private_gcm: mbedtls_gcm_context, + pub private_chachapoly: mbedtls_chachapoly_context, +} +impl Default for mbedtls_psa_aead_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_aead_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl mbedtls_psa_aead_operation_t { + #[inline] + pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_is_encrypt: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; + private_is_encrypt as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_sign_hash_interruptible_operation_t { + pub private_dummy: ::core::ffi::c_uint, +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_verify_hash_interruptible_operation_t { + pub private_dummy: ::core::ffi::c_uint, +} +///< Client +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_CLIENT: mbedtls_ecjpake_role = 0; +///< Server +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_SERVER: mbedtls_ecjpake_role = 1; +///< Undefined +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_NONE: mbedtls_ecjpake_role = 2; +/// Roles in the EC J-PAKE exchange +pub type mbedtls_ecjpake_role = ::core::ffi::c_uint; +/// EC J-PAKE context structure. +/// +/// J-PAKE is a symmetric protocol, except for the identifiers used in +/// Zero-Knowledge Proofs, and the serialization of the second message +/// (KeyExchange) as defined by the Thread spec. +/// +/// In order to benefit from this symmetry, we choose a different naming +/// convention from the Thread v1.0 spec. Correspondence is indicated in the +/// description as a pair C: client name, S: server name +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecjpake_context { + ///< Hash to use + pub private_md_type: mbedtls_md_type_t, + ///< Elliptic curve + pub private_grp: mbedtls_ecp_group, + ///< Are we client or server? + pub private_role: mbedtls_ecjpake_role, + ///< Format for point export + pub private_point_format: ::core::ffi::c_int, + ///< My public key 1 C: X1, S: X3 + pub private_Xm1: mbedtls_ecp_point, + ///< My public key 2 C: X2, S: X4 + pub private_Xm2: mbedtls_ecp_point, + ///< Peer public key 1 C: X3, S: X1 + pub private_Xp1: mbedtls_ecp_point, + ///< Peer public key 2 C: X4, S: X2 + pub private_Xp2: mbedtls_ecp_point, + ///< Peer public key C: Xs, S: Xc + pub private_Xp: mbedtls_ecp_point, + ///< My private key 1 C: x1, S: x3 + pub private_xm1: mbedtls_mpi, + ///< My private key 2 C: x2, S: x4 + pub private_xm2: mbedtls_mpi, + ///< Pre-shared secret (passphrase) + pub private_s: mbedtls_mpi, +} +impl Default for mbedtls_ecjpake_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Finish encrypting a message in an AEAD operation. - /// - /// The operation must have been set up with psa_aead_encrypt_setup(). + /// \brief Initialize an ECJPAKE context. /// - /// This function finishes the authentication of the additional data - /// formed by concatenating the inputs passed to preceding calls to - /// psa_aead_update_ad() with the plaintext formed by concatenating the - /// inputs passed to preceding calls to psa_aead_update(). + /// \param ctx The ECJPAKE context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_ecjpake_init(ctx: *mut mbedtls_ecjpake_context); +} +unsafe extern "C" { + /// \brief Set up an ECJPAKE context for use. /// - /// This function has two output buffers: - /// - \p ciphertext contains trailing ciphertext that was buffered from - /// preceding calls to psa_aead_update(). - /// - \p tag contains the authentication tag. + /// \note Currently the only values for hash/curve allowed by the + /// standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// \param ctx The ECJPAKE context to set up. This must be initialized. + /// \param role The role of the caller. This must be either + /// #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. + /// \param hash The identifier of the hash function to use, + /// for example #MBEDTLS_MD_SHA256. + /// \param curve The identifier of the elliptic curve to use, + /// for example #MBEDTLS_ECP_DP_SECP256R1. + /// \param secret The pre-shared secret (passphrase). This must be + /// a readable not empty buffer of length \p len Bytes. It need + /// only be valid for the duration of this call. + /// \param len The length of the pre-shared secret \p secret. /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] ciphertext Buffer where the last part of the ciphertext - /// is to be written. - /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, - /// \c alg) where \c key_type is the type of key - /// and \c alg is the algorithm that were used to - /// set up the operation. - /// - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to - /// the maximum output size of any supported AEAD - /// algorithm. - /// \param[out] ciphertext_length On success, the number of bytes of - /// returned ciphertext. - /// \param[out] tag Buffer where the authentication tag is - /// to be written. - /// \param tag_size Size of the \p tag buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c - /// key_type, \c key_bits, \c alg) where - /// \c key_type and \c key_bits are the type and - /// bit-size of the key, and \c alg is the - /// algorithm that were used in the call to - /// psa_aead_encrypt_setup(). - /// - #PSA_AEAD_TAG_MAX_SIZE evaluates to the - /// maximum tag size of any supported AEAD - /// algorithm. - /// \param[out] tag_length On success, the number of bytes - /// that make up the returned tag. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p ciphertext or \p tag buffer is too small. - /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or - /// #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the - /// required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type, - /// \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to - /// determine the required \p tag buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total length of input to psa_aead_update() so far is - /// less than the plaintext length that was previously - /// specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active encryption - /// operation with a nonce set), or the library has not been previously - /// initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_finish( - operation: *mut psa_aead_operation_t, - ciphertext: *mut u8, - ciphertext_size: usize, - ciphertext_length: *mut usize, - tag: *mut u8, - tag_size: usize, - tag_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_setup( + ctx: *mut mbedtls_ecjpake_context, + role: mbedtls_ecjpake_role, + hash: mbedtls_md_type_t, + curve: mbedtls_ecp_group_id, + secret: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish authenticating and decrypting a message in an AEAD operation. - /// - /// The operation must have been set up with psa_aead_decrypt_setup(). - /// - /// This function finishes the authenticated decryption of the message - /// components: + /// \brief Set the point format for future reads and writes. /// - /// - The additional data consisting of the concatenation of the inputs - /// passed to preceding calls to psa_aead_update_ad(). - /// - The ciphertext consisting of the concatenation of the inputs passed to - /// preceding calls to psa_aead_update(). - /// - The tag passed to this function call. + /// \param ctx The ECJPAKE context to configure. + /// \param point_format The point format to use: + /// #MBEDTLS_ECP_PF_UNCOMPRESSED (default) + /// or #MBEDTLS_ECP_PF_COMPRESSED. /// - /// If the authentication tag is correct, this function outputs any remaining - /// plaintext and reports success. If the authentication tag is not correct, - /// this function returns #PSA_ERROR_INVALID_SIGNATURE. + /// \return \c 0 if successful. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format + /// is invalid. + pub fn mbedtls_ecjpake_set_point_format( + ctx: *mut mbedtls_ecjpake_context, + point_format: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Check if an ECJPAKE context is ready for use. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// \param ctx The ECJPAKE context to check. This must be + /// initialized. /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual tag and the expected tag is performed - /// in constant time. + /// \return \c 0 if the context is ready for use. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. + pub fn mbedtls_ecjpake_check(ctx: *const mbedtls_ecjpake_context) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Generate and write the first round message + /// (TLS: contents of the Client/ServerHello extension, + /// excluding extension type and length bytes). /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] plaintext Buffer where the last part of the plaintext - /// is to be written. This is the remaining data - /// from previous calls to psa_aead_update() - /// that could not be processed until the end - /// of the input. - /// \param plaintext_size Size of the \p plaintext buffer in bytes. - /// This must be appropriate for the selected algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, - /// \c alg) where \c key_type is the type of key - /// and \c alg is the algorithm that were used to - /// set up the operation. - /// - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to - /// the maximum output size of any supported AEAD - /// algorithm. - /// \param[out] plaintext_length On success, the number of bytes of - /// returned plaintext. - /// \param[in] tag Buffer containing the authentication tag. - /// \param tag_length Size of the \p tag buffer in bytes. + /// \param ctx The ECJPAKE context to use. This must be + /// initialized and set up. + /// \param buf The buffer to write the contents to. This must be a + /// writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number + /// of Bytes written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculations were successful, but the authentication tag is - /// not correct. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p plaintext buffer is too small. - /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or - /// #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the - /// required buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total length of input to psa_aead_update() so far is - /// less than the plaintext length that was previously - /// specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active decryption - /// operation with a nonce set), or the library has not been previously - /// initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_verify( - operation: *mut psa_aead_operation_t, - plaintext: *mut u8, - plaintext_size: usize, - plaintext_length: *mut usize, - tag: *const u8, - tag_length: usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_round_one( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort an AEAD operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again. + /// \brief Read and process the first round message + /// (TLS: contents of the Client/ServerHello extension, + /// excluding extension type and length bytes). /// - /// You may call this function any time after the operation object has - /// been initialized as described in #psa_aead_operation_t. + /// \param ctx The ECJPAKE context to use. This must be initialized + /// and set up. + /// \param buf The buffer holding the first round message. This must + /// be a readable buffer of length \p len Bytes. + /// \param len The length in Bytes of \p buf. /// - /// In particular, calling psa_aead_abort() after the operation has been - /// terminated by a call to psa_aead_abort(), psa_aead_finish() or - /// psa_aead_verify() is safe and has no effect. + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_read_round_one( + ctx: *mut mbedtls_ecjpake_context, + buf: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Generate and write the second round message + /// (TLS: contents of the Client/ServerKeyExchange). /// - /// \param[in,out] operation Initialized AEAD operation. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up, and already have performed round one. + /// \param buf The buffer to write the round two contents to. + /// This must be a writable buffer of length \p len Bytes. + /// \param len The size of \p buf in Bytes. + /// \param olen The address at which to store the total number of Bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_abort(operation: *mut psa_aead_operation_t) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_round_two( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Sign a message with a private key. For hash-and-sign algorithms, - /// this includes the hashing step. + /// \brief Read and process the second round message + /// (TLS: contents of the Client/ServerKeyExchange). /// - /// \note To perform a multi-part hash-and-sign signature algorithm, first use - /// a multi-part hash operation and then pass the resulting hash to - /// psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the - /// hash algorithm to use. - /// - /// \param[in] key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) - /// is true), that is compatible with the type of - /// \p key. - /// \param[in] input The input message to sign. - /// \param[in] input_length Size of the \p input buffer in bytes. - /// \param[out] signature Buffer where the signature is to be written. - /// \param[in] signature_size Size of the \p signature buffer in bytes. This - /// must be appropriate for the selected - /// algorithm and key: - /// - The required signature size is - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and - /// bit-size respectively of key. - /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the - /// maximum signature size of any supported - /// signature algorithm. - /// \param[out] signature_length On success, the number of bytes that make up - /// the returned signature value. + /// \param ctx The ECJPAKE context to use. This must be initialized + /// and set up and already have performed round one. + /// \param buf The buffer holding the second round message. This must + /// be a readable buffer of length \p len Bytes. + /// \param len The length in Bytes of \p buf. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, - /// or it does not permit the requested algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_sign_message( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_read_round_two( + ctx: *mut mbedtls_ecjpake_context, + buf: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify the signature of a message with a public key, using - /// a hash-and-sign verification algorithm. - /// - /// \note To perform a multi-part hash-and-sign signature verification - /// algorithm, first use a multi-part hash operation to hash the message - /// and then pass the resulting hash to psa_verify_hash(). - /// PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm - /// to use. + /// \brief Derive the shared secret + /// (TLS: Pre-Master Secret). /// - /// \param[in] key Identifier of the key to use for the operation. - /// It must be a public key or an asymmetric key - /// pair. The key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) - /// is true), that is compatible with the type of - /// \p key. - /// \param[in] input The message whose signature is to be verified. - /// \param[in] input_length Size of the \p input buffer in bytes. - /// \param[out] signature Buffer containing the signature to verify. - /// \param[in] signature_length Size of the \p signature buffer in bytes. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up and have performed both round one and two. + /// \param buf The buffer to write the derived secret to. This must + /// be a writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number of Bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, - /// or it does not permit the requested algorithm. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed signature - /// is not a valid signature. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_verify_message( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - signature: *const u8, - signature_length: usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_derive_secret( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Sign a hash or short message with a private key. - /// - /// Note that to perform a hash-and-sign signature algorithm, you must - /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() - /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). - /// Then pass the resulting hash as the \p hash - /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) - /// to determine the hash algorithm to use. + /// \brief Write the shared key material to be passed to a Key + /// Derivation Function as described in RFC8236. /// - /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. - /// \param alg A signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message to sign. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[out] signature Buffer where the signature is to be written. - /// \param signature_size Size of the \p signature buffer in bytes. - /// \param[out] signature_length On success, the number of bytes - /// that make up the returned signature value. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up and have performed both round one and two. + /// \param buf The buffer to write the derived secret to. This must + /// be a writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number of bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_sign_hash( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_shared_key( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify the signature of a hash or short message using a public key. - /// - /// Note that to perform a hash-and-sign signature algorithm, you must - /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() - /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). - /// Then pass the resulting hash as the \p hash - /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) - /// to determine the hash algorithm to use. + /// \brief This clears an ECJPAKE context and frees any + /// embedded data structure. /// - /// \param key Identifier of the key to use for the operation. It - /// must be a public key or an asymmetric key pair. The - /// key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_HASH. - /// \param alg A signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message whose signature is to be - /// verified. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[in] signature Buffer containing the signature to verify. - /// \param signature_length Size of the \p signature buffer in bytes. + /// \param ctx The ECJPAKE context to free. This may be \c NULL, + /// in which case this function does nothing. If it is not + /// \c NULL, it must point to an initialized ECJPAKE context. + pub fn mbedtls_ecjpake_free(ctx: *mut mbedtls_ecjpake_context); +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// \retval #PSA_SUCCESS - /// The signature is valid. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed - /// signature is not a valid signature. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_verify_hash( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *const u8, - signature_length: usize, - ) -> psa_status_t; + /// \return 0 if successful, or 1 if a test failed + pub fn mbedtls_ecjpake_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief Encrypt a short message with a public key. - /// - /// \param key Identifier of the key to use for the operation. - /// It must be a public key or an asymmetric key - /// pair. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg An asymmetric encryption algorithm that is - /// compatible with the type of \p key. - /// \param[in] input The message to encrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[in] salt A salt or label, if supported by the - /// encryption algorithm. - /// If the algorithm does not support a - /// salt, pass \c NULL. - /// If the algorithm supports an optional - /// salt and you do not want to pass a salt, - /// pass \c NULL. - /// - /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is - /// supported. - /// \param salt_length Size of the \p salt buffer in bytes. - /// If \p salt is \c NULL, pass 0. - /// \param[out] output Buffer where the encrypted message is to - /// be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_asymmetric_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - salt: *const u8, - salt_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_pake_operation_t { + pub private_alg: psa_algorithm_t, + pub private_password: *mut u8, + pub private_password_len: usize, + pub private_role: mbedtls_ecjpake_role, + pub private_buffer: [u8; 336usize], + pub private_buffer_length: usize, + pub private_buffer_offset: usize, + pub private_ctx: mbedtls_psa_pake_operation_t__bindgen_ty_1, } -unsafe extern "C" { - /// \brief Decrypt a short message with a private key. - /// - /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. It must - /// allow the usage #PSA_KEY_USAGE_DECRYPT. - /// \param alg An asymmetric encryption algorithm that is - /// compatible with the type of \p key. - /// \param[in] input The message to decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[in] salt A salt or label, if supported by the - /// encryption algorithm. - /// If the algorithm does not support a - /// salt, pass \c NULL. - /// If the algorithm supports an optional - /// salt and you do not want to pass a salt, - /// pass \c NULL. - /// - /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is - /// supported. - /// \param salt_length Size of the \p salt buffer in bytes. - /// If \p salt is \c NULL, pass 0. - /// \param[out] output Buffer where the decrypted message is to - /// be written. - /// \param output_size Size of the \c output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INVALID_PADDING \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_asymmetric_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - salt: *const u8, - salt_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_pake_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_jpake: mbedtls_ecjpake_context, } -/// The type of the state data structure for key derivation operations. -/// -/// Before calling any function on a key derivation operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_key_derivation_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_key_derivation_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT, -/// for example: -/// \code -/// psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_key_derivation_operation_init() -/// to the structure, for example: -/// \code -/// psa_key_derivation_operation_t operation; -/// operation = psa_key_derivation_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_key_derivation_operation_t = psa_key_derivation_s; -unsafe extern "C" { - /// Set up a key derivation operation. - /// - /// A key derivation algorithm takes some inputs and uses them to generate - /// a byte stream in a deterministic way. - /// This byte stream can be used to produce keys and other - /// cryptographic material. - /// - /// To derive a key: - /// -# Start with an initialized object of type #psa_key_derivation_operation_t. - /// -# Call psa_key_derivation_setup() to select the algorithm. - /// -# Provide the inputs for the key derivation by calling - /// psa_key_derivation_input_bytes() or psa_key_derivation_input_key() - /// as appropriate. Which inputs are needed, in what order, and whether - /// they may be keys and if so of what type depends on the algorithm. - /// -# Optionally set the operation's maximum capacity with - /// psa_key_derivation_set_capacity(). You may do this before, in the middle - /// of or after providing inputs. For some algorithms, this step is mandatory - /// because the output depends on the maximum capacity. - /// -# To derive a key, call psa_key_derivation_output_key(). - /// To derive a byte string for a different purpose, call - /// psa_key_derivation_output_bytes(). - /// Successive calls to these functions use successive output bytes - /// calculated by the key derivation algorithm. - /// -# Clean up the key derivation operation object with - /// psa_key_derivation_abort(). - /// - /// If this function returns an error, the key derivation operation object is - /// not changed. - /// - /// If an error occurs at any step after a call to psa_key_derivation_setup(), - /// the operation will need to be reset by a call to psa_key_derivation_abort(). - /// - /// Implementations must reject an attempt to derive a key of size 0. - /// - /// \param[in,out] operation The key derivation operation object - /// to set up. It must - /// have been initialized but not set up yet. - /// \param alg The key derivation algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c alg is not a key derivation algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a key derivation algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_setup( - operation: *mut psa_key_derivation_operation_t, - alg: psa_algorithm_t, - ) -> psa_status_t; +impl Default for mbedtls_psa_pake_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Retrieve the current capacity of a key derivation operation. - /// - /// The capacity of a key derivation is the maximum number of bytes that it can - /// return. When you get *N* bytes of output from a key derivation operation, - /// this reduces its capacity by *N*. - /// - /// \param[in] operation The operation to query. - /// \param[out] capacity On success, the capacity of the operation. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_get_capacity( - operation: *const psa_key_derivation_operation_t, - capacity: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_pake_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Set the maximum capacity of a key derivation operation. - /// - /// The capacity of a key derivation operation is the maximum number of bytes - /// that the key derivation operation can return from this point onwards. - /// - /// \param[in,out] operation The key derivation operation object to modify. - /// \param capacity The new capacity of the operation. - /// It must be less or equal to the operation's - /// current capacity. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p capacity is larger than the operation's current capacity. - /// In this case, the operation object remains valid and its capacity - /// remains unchanged. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_set_capacity( - operation: *mut psa_key_derivation_operation_t, - capacity: usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_mac_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_mac_operation_t, } -unsafe extern "C" { - /// Provide an input for key derivation or key agreement. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function passes direct inputs, which is usually correct for - /// non-secret inputs. To pass a secret input, which should be in a key - /// object, call psa_key_derivation_input_key() instead of this function. - /// Refer to the documentation of individual step types - /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) - /// for more information. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param[in] data Input data to use. - /// \param data_length Size of the \p data buffer in bytes. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow direct inputs. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_bytes( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - data: *const u8, - data_length: usize, - ) -> psa_status_t; +impl Default for psa_driver_mac_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Provide a numeric input for key derivation or key agreement. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// However, when an algorithm requires a particular order, numeric inputs - /// usually come first as they tend to be configuration parameters. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function is used for inputs which are fixed-size non-negative - /// integers. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param[in] value The value of the numeric input. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow numeric inputs. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_integer( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - value: u64, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_aead_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_aead_operation_t, } -unsafe extern "C" { - /// Provide an input for key derivation in the form of a key. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function obtains input from a key object, which is usually correct for - /// secret inputs or for non-secret personalization strings kept in the key - /// store. To pass a non-secret parameter which is not in the key store, - /// call psa_key_derivation_input_bytes() instead of this function. - /// Refer to the documentation of individual step types - /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) - /// for more information. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param key Identifier of the key. It must have an - /// appropriate type for step and must allow the - /// usage #PSA_KEY_USAGE_DERIVE or - /// #PSA_KEY_USAGE_VERIFY_DERIVATION (see note) - /// and the algorithm used by the operation. - /// - /// \note Once all inputs steps are completed, the operations will allow: - /// - psa_key_derivation_output_bytes() if each input was either a direct input - /// or a key with #PSA_KEY_USAGE_DERIVE set; - /// - psa_key_derivation_output_key() if the input for step - /// #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD - /// was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was - /// either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; - /// - psa_key_derivation_verify_bytes() if each input was either a direct input - /// or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; - /// - psa_key_derivation_verify_key() under the same conditions as - /// psa_key_derivation_verify_bytes(). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key allows neither #PSA_KEY_USAGE_DERIVE nor - /// #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this - /// algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow key inputs of the given type - /// or does not allow key inputs at all. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_key( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - key: mbedtls_svc_key_id_t, - ) -> psa_status_t; +impl Default for psa_driver_aead_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Perform a key agreement and use the shared secret as input to a key - /// derivation. - /// - /// A key agreement algorithm takes two inputs: a private key \p private_key - /// a public key \p peer_key. - /// The result of this function is passed as input to a key derivation. - /// The output of this key derivation can be extracted by reading from the - /// resulting operation to produce keys and other cryptographic material. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() with a - /// key agreement and derivation algorithm - /// \c alg (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true - /// and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg) - /// is false). - /// The operation must be ready for an - /// input of the type given by \p step. - /// \param step Which step the input data is for. - /// \param private_key Identifier of the private key to use. It must - /// allow the usage #PSA_KEY_USAGE_DERIVE. - /// \param[in] peer_key Public key of the peer. The peer key must be in the - /// same format that psa_import_key() accepts for the - /// public key type corresponding to the type of - /// private_key. That is, this function performs the - /// equivalent of - /// #psa_import_key(..., - /// `peer_key`, `peer_key_length`) where - /// with key attributes indicating the public key - /// type corresponding to the type of `private_key`. - /// For example, for EC keys, this means that peer_key - /// is interpreted as a point on the curve that the - /// private key is on. The standard formats for public - /// keys are documented in the documentation of - /// psa_export_public_key(). - /// \param peer_key_length Size of \p peer_key in bytes. +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_sign_hash_interruptible_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_sign_hash_interruptible_operation_t, +} +impl Default for psa_driver_sign_hash_interruptible_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_verify_hash_interruptible_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_verify_hash_interruptible_operation_t, +} +impl Default for psa_driver_verify_hash_interruptible_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_pake_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_pake_operation_t, +} +impl Default for psa_driver_pake_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_mac_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_mac_size: u8, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub __bindgen_padding_0: u64, + pub private_ctx: psa_driver_mac_context_t, +} +impl Default for psa_mac_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_mac_operation_s { + #[inline] + pub fn private_is_sign(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_sign(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_sign_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_sign_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_is_sign: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_is_sign: u32 = unsafe { ::core::mem::transmute(private_is_sign) }; + private_is_sign as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_aead_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_alg: psa_algorithm_t, + pub private_key_type: psa_key_type_t, + pub private_ad_remaining: usize, + pub private_body_remaining: usize, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_ctx: psa_driver_aead_context_t, +} +impl Default for psa_aead_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_aead_operation_s { + #[inline] + pub fn private_nonce_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_nonce_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_nonce_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_nonce_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_lengths_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_lengths_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(1usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_lengths_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 1usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_lengths_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 1usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_ad_started(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_ad_started(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(2usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_ad_started_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 2usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_ad_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 2usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_body_started(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(3usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_body_started(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(3usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_body_started_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 3usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_body_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 3usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(4usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(4usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 4usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 4usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_nonce_set: ::core::ffi::c_uint, + private_lengths_set: ::core::ffi::c_uint, + private_ad_started: ::core::ffi::c_uint, + private_body_started: ::core::ffi::c_uint, + private_is_encrypt: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_nonce_set: u32 = unsafe { ::core::mem::transmute(private_nonce_set) }; + private_nonce_set as u64 + }); + __bindgen_bitfield_unit.set(1usize, 1u8, { + let private_lengths_set: u32 = unsafe { ::core::mem::transmute(private_lengths_set) }; + private_lengths_set as u64 + }); + __bindgen_bitfield_unit.set(2usize, 1u8, { + let private_ad_started: u32 = unsafe { ::core::mem::transmute(private_ad_started) }; + private_ad_started as u64 + }); + __bindgen_bitfield_unit.set(3usize, 1u8, { + let private_body_started: u32 = unsafe { ::core::mem::transmute(private_body_started) }; + private_body_started as u64 + }); + __bindgen_bitfield_unit.set(4usize, 1u8, { + let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; + private_is_encrypt as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_hkdf_key_derivation_t { + pub private_info: *mut u8, + pub private_info_length: usize, + pub private_offset_in_block: u8, + pub private_block_number: u8, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_output_block: [u8; 64usize], + pub private_prk: [u8; 64usize], + pub __bindgen_padding_0: [u64; 0usize], + pub private_hmac: psa_mac_operation_s, +} +impl Default for psa_hkdf_key_derivation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_hkdf_key_derivation_t { + #[inline] + pub fn private_state(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 2u8) as u32) } + } + #[inline] + pub fn set_private_state(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 2u8, val as u64) + } + } + #[inline] + pub unsafe fn private_state_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 2u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_state_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 2u8, + val as u64, + ) + } + } + #[inline] + pub fn private_info_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_info_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(2usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_info_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 2usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_info_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 2usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_state: ::core::ffi::c_uint, + private_info_set: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 2u8, { + let private_state: u32 = unsafe { ::core::mem::transmute(private_state) }; + private_state as u64 + }); + __bindgen_bitfield_unit.set(2usize, 1u8, { + let private_info_set: u32 = unsafe { ::core::mem::transmute(private_info_set) }; + private_info_set as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_tls12_ecjpake_to_pms_t { + pub private_data: [u8; 32usize], +} +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_INIT: + psa_tls12_prf_key_derivation_state_t = 0; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_SEED_SET: + psa_tls12_prf_key_derivation_state_t = 1; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OTHER_KEY_SET: + psa_tls12_prf_key_derivation_state_t = 2; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_KEY_SET: + psa_tls12_prf_key_derivation_state_t = 3; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_LABEL_SET: + psa_tls12_prf_key_derivation_state_t = 4; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OUTPUT: + psa_tls12_prf_key_derivation_state_t = 5; +pub type psa_tls12_prf_key_derivation_state_t = ::core::ffi::c_uint; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_tls12_prf_key_derivation_s { + pub private_left_in_block: u8, + pub private_block_number: u8, + pub private_state: psa_tls12_prf_key_derivation_state_t, + pub private_secret: *mut u8, + pub private_secret_length: usize, + pub private_seed: *mut u8, + pub private_seed_length: usize, + pub private_label: *mut u8, + pub private_label_length: usize, + pub private_other_secret: *mut u8, + pub private_other_secret_length: usize, + pub private_Ai: [u8; 64usize], + pub private_output_block: [u8; 64usize], +} +impl Default for psa_tls12_prf_key_derivation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub type psa_tls12_prf_key_derivation_t = psa_tls12_prf_key_derivation_s; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_key_derivation_context_t { + pub dummy: ::core::ffi::c_uint, + pub private_hkdf: psa_hkdf_key_derivation_t, + pub private_tls12_prf: psa_tls12_prf_key_derivation_t, + pub private_tls12_ecjpake_to_pms: psa_tls12_ecjpake_to_pms_t, +} +impl Default for psa_driver_key_derivation_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_key_derivation_s { + pub private_alg: psa_algorithm_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_capacity: usize, + pub __bindgen_padding_0: [u64; 0usize], + pub private_ctx: psa_driver_key_derivation_context_t, +} +impl Default for psa_key_derivation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_key_derivation_s { + #[inline] + pub fn private_can_output_key(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_can_output_key(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_can_output_key_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_can_output_key_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_can_output_key: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_can_output_key: u32 = + unsafe { ::core::mem::transmute(private_can_output_key) }; + private_can_output_key as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_custom_key_parameters_s { + pub flags: u32, +} +#[repr(C)] +#[derive(Default)] +pub struct psa_key_production_parameters_s { + pub flags: u32, + pub data: __IncompleteArrayField, +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_key_policy_s { + pub private_usage: psa_key_usage_t, + pub private_alg: psa_algorithm_t, + pub private_alg2: psa_algorithm_t, +} +pub type psa_key_policy_t = psa_key_policy_s; +pub type psa_key_bits_t = u16; +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_key_attributes_s { + pub private_type: psa_key_type_t, + pub private_bits: psa_key_bits_t, + pub private_lifetime: psa_key_lifetime_t, + pub private_policy: psa_key_policy_t, + pub private_id: mbedtls_svc_key_id_t, +} +/// \brief The context for PSA interruptible hash signing. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_sign_hash_interruptible_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_ctx: psa_driver_sign_hash_interruptible_context_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_num_ops: u32, +} +impl Default for psa_sign_hash_interruptible_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_sign_hash_interruptible_operation_s { + #[inline] + pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_error_occurred: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_error_occurred: u32 = + unsafe { ::core::mem::transmute(private_error_occurred) }; + private_error_occurred as u64 + }); + __bindgen_bitfield_unit + } +} +/// \brief The context for PSA interruptible hash verification. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_verify_hash_interruptible_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_ctx: psa_driver_verify_hash_interruptible_context_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_num_ops: u32, +} +impl Default for psa_verify_hash_interruptible_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_verify_hash_interruptible_operation_s { + #[inline] + pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_error_occurred: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_error_occurred: u32 = + unsafe { ::core::mem::transmute(private_error_occurred) }; + private_error_occurred as u64 + }); + __bindgen_bitfield_unit + } +} +unsafe extern "C" { + /// \brief Library initialization. + /// + /// Applications must call this function before calling any other + /// function in this module. + /// + /// Applications may call this function more than once. Once a call + /// succeeds, subsequent calls are guaranteed to succeed. + /// + /// If the application calls other functions before calling psa_crypto_init(), + /// the behavior is undefined. Implementations are encouraged to either perform + /// the operation as if the library had been initialized or to return + /// #PSA_ERROR_BAD_STATE or some other applicable error. In particular, + /// implementations should not return a success status if the lack of + /// initialization may have security implications, for example due to improper + /// seeding of the random number generator. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + pub fn psa_crypto_init() -> psa_status_t; +} +unsafe extern "C" { + /// Retrieve the attributes of a key. + /// + /// This function first resets the attribute structure as with + /// psa_reset_key_attributes(). It then copies the attributes of + /// the given key into the given attribute structure. + /// + /// \note This function may allocate memory or other resources. + /// Once you have called this function on an attribute structure, + /// you must call psa_reset_key_attributes() to free these resources. + /// + /// \param[in] key Identifier of the key to query. + /// \param[in,out] attributes On success, the attributes of the key. + /// On failure, equivalent to a + /// freshly-initialized structure. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_get_key_attributes( + key: mbedtls_svc_key_id_t, + attributes: *mut psa_key_attributes_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Reset a key attribute structure to a freshly initialized state. + /// + /// You must initialize the attribute structure as described in the + /// documentation of the type #psa_key_attributes_t before calling this + /// function. Once the structure has been initialized, you may call this + /// function at any time. + /// + /// This function frees any auxiliary resources that the structure + /// may contain. + /// + /// \param[in,out] attributes The attribute structure to reset. + pub fn psa_reset_key_attributes(attributes: *mut psa_key_attributes_t); +} +unsafe extern "C" { + /// Remove non-essential copies of key material from memory. + /// + /// If the key identifier designates a volatile key, this functions does not do + /// anything and returns successfully. + /// + /// If the key identifier designates a persistent key, then this function will + /// free all resources associated with the key in volatile memory. The key + /// data in persistent storage is not affected and the key can still be used. + /// + /// \param key Identifier of the key to purge. + /// + /// \retval #PSA_SUCCESS + /// The key material will have been removed from memory if it is not + /// currently required. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not a valid key identifier. + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_purge_key(key: mbedtls_svc_key_id_t) -> psa_status_t; +} +unsafe extern "C" { + /// Make a copy of a key. + /// + /// Copy key material from one location to another. + /// + /// This function is primarily useful to copy a key from one location + /// to another, since it populates a key using the material from + /// another key which may have a different lifetime. + /// + /// This function may be used to share a key with a different party, + /// subject to implementation-defined restrictions on key sharing. + /// + /// The policy on the source key must have the usage flag + /// #PSA_KEY_USAGE_COPY set. + /// This flag is sufficient to permit the copy if the key has the lifetime + /// #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT. + /// Some secure elements do not provide a way to copy a key without + /// making it extractable from the secure element. If a key is located + /// in such a secure element, then the key must have both usage flags + /// #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make + /// a copy of the key outside the secure element. + /// + /// The resulting key may only be used in a way that conforms to + /// both the policy of the original key and the policy specified in + /// the \p attributes parameter: + /// - The usage flags on the resulting key are the bitwise-and of the + /// usage flags on the source policy and the usage flags in \p attributes. + /// - If both allow the same algorithm or wildcard-based + /// algorithm policy, the resulting key has the same algorithm policy. + /// - If either of the policies allows an algorithm and the other policy + /// allows a wildcard-based algorithm policy that includes this algorithm, + /// the resulting key allows the same algorithm. + /// - If the policies do not allow any algorithm in common, this function + /// fails with the status #PSA_ERROR_INVALID_ARGUMENT. + /// + /// The effect of this function on implementation-defined attributes is + /// implementation-defined. + /// + /// \param source_key The key to copy. It must allow the usage + /// #PSA_KEY_USAGE_COPY. If a private or secret key is + /// being copied outside of a secure element it must + /// also allow #PSA_KEY_USAGE_EXPORT. + /// \param[in] attributes The attributes for the new key. + /// They are used as follows: + /// - The key type and size may be 0. If either is + /// nonzero, it must match the corresponding + /// attribute of the source key. + /// - The key location (the lifetime and, for + /// persistent keys, the key identifier) is + /// used directly. + /// - The policy constraints (usage flags and + /// algorithm policy) are combined from + /// the source key and \p attributes so that + /// both sets of restrictions apply, as + /// described in the documentation of this function. + /// \param[out] target_key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p source_key is invalid. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The lifetime or identifier in \p attributes are invalid, or + /// the policy constraints on the source and specified in + /// \p attributes are incompatible, or + /// \p attributes specifies a key type or key size + /// which does not match the attributes of the source key. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or + /// the source key is not exportable and its lifetime does not + /// allow copying it to the target's lifetime. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_copy_key( + source_key: mbedtls_svc_key_id_t, + attributes: *const psa_key_attributes_t, + target_key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Destroy a key. + /// + /// This function destroys a key from both volatile + /// memory and, if applicable, non-volatile storage. Implementations shall + /// make a best effort to ensure that the key material cannot be recovered. + /// + /// This function also erases any metadata such as policies and frees + /// resources associated with the key. + /// + /// If a key is currently in use in a multipart operation, then destroying the + /// key will cause the multipart operation to fail. + /// + /// \warning We can only guarantee that the the key material will + /// eventually be wiped from memory. With threading enabled + /// and during concurrent execution, copies of the key material may + /// still exist until all threads have finished using the key. + /// + /// \param key Identifier of the key to erase. If this is \c 0, do nothing and + /// return #PSA_SUCCESS. + /// + /// \retval #PSA_SUCCESS + /// \p key was a valid identifier and the key material that it + /// referred to has been erased. Alternatively, \p key is \c 0. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key cannot be erased because it is + /// read-only, either due to a policy or due to physical restrictions. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p key is not a valid identifier nor \c 0. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE + /// There was a failure in communication with the cryptoprocessor. + /// The key material may still be present in the cryptoprocessor. + /// \retval #PSA_ERROR_DATA_INVALID + /// This error is typically a result of either storage corruption on a + /// cleartext storage backend, or an attempt to read data that was + /// written by an incompatible version of the library. + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The storage is corrupted. Implementations shall make a best effort + /// to erase key material even in this stage, however applications + /// should be aware that it may be impossible to guarantee that the + /// key material is not recoverable in such cases. + /// \retval #PSA_ERROR_CORRUPTION_DETECTED + /// An unexpected condition which is not a storage corruption or + /// a communication failure occurred. The cryptoprocessor may have + /// been compromised. + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_destroy_key(key: mbedtls_svc_key_id_t) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Import a key in binary format. + /// + /// This function supports any output from psa_export_key(). Refer to the + /// documentation of psa_export_public_key() for the format of public keys + /// and to the documentation of psa_export_key() for the format for + /// other key types. + /// + /// The key data determines the key size. The attributes may optionally + /// specify a key size; in this case it must match the size determined + /// from the key data. A key size of 0 in \p attributes indicates that + /// the key size is solely determined by the key data. + /// + /// Implementations must reject an attempt to import a key of size 0. + /// + /// This specification supports a single format for each key type. + /// Implementations may support other formats as long as the standard + /// format is supported. Implementations that support other formats + /// should ensure that the formats are clearly unambiguous so as to + /// minimize the risk that an invalid input is accidentally interpreted + /// according to a different format. + /// + /// \param[in] attributes The attributes for the new key. + /// The key size is always determined from the + /// \p data buffer. + /// If the key size in \p attributes is nonzero, + /// it must be equal to the size from \p data. + /// \param[out] key On success, an identifier to the newly created key. + /// For persistent keys, this is the key identifier + /// defined in \p attributes. + /// \c 0 on failure. + /// \param[in] data Buffer containing the key data. The content of this + /// buffer is interpreted according to the type declared + /// in \p attributes. + /// All implementations must support at least the format + /// described in the documentation + /// of psa_export_key() or psa_export_public_key() for + /// the chosen type. Implementations may allow other + /// formats, but should be conservative: implementations + /// should err on the side of rejecting content if it + /// may be erroneous (e.g. wrong type or truncated data). + /// \param data_length Size of the \p data buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular persistent location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key attributes, as a whole, are invalid, or + /// the key data is not correctly formatted, or + /// the size in \p attributes is nonzero and does not match the size + /// of the key data. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_import_key( + attributes: *const psa_key_attributes_t, + data: *const u8, + data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Export a key in binary format. + /// + /// The output of this function can be passed to psa_import_key() to + /// create an equivalent object. + /// + /// If the implementation of psa_import_key() supports other formats + /// beyond the format specified here, the output from psa_export_key() + /// must use the representation specified here, not the original + /// representation. + /// + /// For standard key types, the output format is as follows: + /// + /// - For symmetric keys (including MAC keys), the format is the + /// raw bytes of the key. + /// - For DES, the key data consists of 8 bytes. The parity bits must be + /// correct. + /// - For Triple-DES, the format is the concatenation of the + /// two or three DES keys. + /// - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format + /// is the non-encrypted DER encoding of the representation defined by + /// PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0. + /// ``` + /// RSAPrivateKey ::= SEQUENCE { + /// version INTEGER, -- must be 0 + /// modulus INTEGER, -- n + /// publicExponent INTEGER, -- e + /// privateExponent INTEGER, -- d + /// prime1 INTEGER, -- p + /// prime2 INTEGER, -- q + /// exponent1 INTEGER, -- d mod (p-1) + /// exponent2 INTEGER, -- d mod (q-1) + /// coefficient INTEGER, -- (inverse of q) mod p + /// } + /// ``` + /// - For elliptic curve key pairs (key types for which + /// #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is + /// a representation of the private value as a `ceiling(m/8)`-byte string + /// where `m` is the bit size associated with the curve, i.e. the bit size + /// of the order of the curve's coordinate field. This byte string is + /// in little-endian order for Montgomery curves (curve types + /// `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass + /// curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX` + /// and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`). + /// For Weierstrass curves, this is the content of the `privateKey` field of + /// the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves, + /// the format is defined by RFC 7748, and output is masked according to §5. + /// For twisted Edwards curves, the private key is as defined by RFC 8032 + /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). + /// - For Diffie-Hellman key exchange key pairs (key types for which + /// #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the + /// format is the representation of the private key `x` as a big-endian byte + /// string. The length of the byte string is the private key size in bytes + /// (leading zeroes are not stripped). + /// - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is + /// true), the format is the same as for psa_export_public_key(). + /// + /// The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set. + /// + /// \param key Identifier of the key to export. It must allow the + /// usage #PSA_KEY_USAGE_EXPORT, unless it is a public + /// key. + /// \param[out] data Buffer where the key data is to be written. + /// \param data_size Size of the \p data buffer in bytes. + /// \param[out] data_length On success, the number of bytes + /// that make up the key data. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_EXPORT flag. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p data buffer is too small. You can determine a + /// sufficient buffer size by calling + /// #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits) + /// where \c type is the key type + /// and \c bits is the key size in bits. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_export_key( + key: mbedtls_svc_key_id_t, + data: *mut u8, + data_size: usize, + data_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Export a public key or the public part of a key pair in binary format. + /// + /// The output of this function can be passed to psa_import_key() to + /// create an object that is equivalent to the public key. + /// + /// This specification supports a single format for each key type. + /// Implementations may support other formats as long as the standard + /// format is supported. Implementations that support other formats + /// should ensure that the formats are clearly unambiguous so as to + /// minimize the risk that an invalid input is accidentally interpreted + /// according to a different format. + /// + /// For standard key types, the output format is as follows: + /// - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of + /// the representation defined by RFC 3279 §2.3.1 as `RSAPublicKey`. + /// ``` + /// RSAPublicKey ::= SEQUENCE { + /// modulus INTEGER, -- n + /// publicExponent INTEGER } -- e + /// ``` + /// - For elliptic curve keys on a twisted Edwards curve (key types for which + /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY + /// returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined + /// by RFC 8032 + /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). + /// - For other elliptic curve public keys (key types for which + /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed + /// representation defined by SEC1 §2.3.3 as the content of an ECPoint. + /// Let `m` be the bit size associated with the curve, i.e. the bit size of + /// `q` for a curve over `F_q`. The representation consists of: + /// - The byte 0x04; + /// - `x_P` as a `ceiling(m/8)`-byte string, big-endian; + /// - `y_P` as a `ceiling(m/8)`-byte string, big-endian. + /// - For Diffie-Hellman key exchange public keys (key types for which + /// #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true), + /// the format is the representation of the public key `y = g^x mod p` as a + /// big-endian byte string. The length of the byte string is the length of the + /// base prime `p` in bytes. + /// + /// Exporting a public key object or the public part of a key pair is + /// always permitted, regardless of the key's usage flags. + /// + /// \param key Identifier of the key to export. + /// \param[out] data Buffer where the key data is to be written. + /// \param data_size Size of the \p data buffer in bytes. + /// \param[out] data_length On success, the number of bytes + /// that make up the key data. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key is neither a public key nor a key pair. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p data buffer is too small. You can determine a + /// sufficient buffer size by calling + /// #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits) + /// where \c type is the key type + /// and \c bits is the key size in bits. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_export_public_key( + key: mbedtls_svc_key_id_t, + data: *mut u8, + data_size: usize, + data_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Calculate the hash (digest) of a message. + /// + /// \note To verify the hash of a message against an + /// expected value, use psa_hash_compare() instead. + /// + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param[in] input Buffer containing the message to hash. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] hash Buffer where the hash is to be written. + /// \param hash_size Size of the \p hash buffer in bytes. + /// \param[out] hash_length On success, the number of bytes + /// that make up the hash value. This is always + /// #PSA_HASH_LENGTH(\p alg). /// /// \retval #PSA_SUCCESS /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a hash algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p hash_size is too small + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_compute( + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + hash: *mut u8, + hash_size: usize, + hash_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Calculate the hash (digest) of a message and compare it with a + /// reference value. + /// + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param[in] input Buffer containing the message to hash. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] hash Buffer containing the expected hash value. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected hash is identical to the actual hash of the input. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The hash of the message was calculated successfully, but it + /// differs from the expected hash. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a hash algorithm. /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c private_key is not compatible with \c alg, - /// or \p peer_key is not valid for \c alg or not compatible with - /// \c private_key, or \c step does not allow an input resulting - /// from a key agreement. + /// \p input_length or \p hash_length do not match the hash size for \p alg + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_compare( + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + hash: *const u8, + hash_length: usize, + ) -> psa_status_t; +} +/// The type of the state data structure for multipart hash operations. +/// +/// Before calling any function on a hash operation object, the application must +/// initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_hash_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_hash_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT, +/// for example: +/// \code +/// psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_hash_operation_init() +/// to the structure, for example: +/// \code +/// psa_hash_operation_t operation; +/// operation = psa_hash_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_hash_operation_t = psa_hash_operation_s; +unsafe extern "C" { + /// Set up a multipart hash operation. + /// + /// The sequence of operations to calculate a hash (message digest) + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT. + /// -# Call psa_hash_setup() to specify the algorithm. + /// -# Call psa_hash_update() zero, one or more times, passing a fragment + /// of the message each time. The hash that is calculated is the hash + /// of the concatenation of these messages in order. + /// -# To calculate the hash, call psa_hash_finish(). + /// To compare the hash with an expected value, call psa_hash_verify(). + /// + /// If an error occurs at any step after a call to psa_hash_setup(), the + /// operation will need to be reset by a call to psa_hash_abort(). The + /// application may call psa_hash_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_hash_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_hash_finish() or psa_hash_verify(). + /// - A call to psa_hash_abort(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_hash_operation_t and not yet in use. + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// + /// \retval #PSA_SUCCESS + /// Success. /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a key derivation algorithm. + /// \p alg is not a supported hash algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p alg is not a hash algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this key agreement \p step, - /// or the library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_key_agreement( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - private_key: mbedtls_svc_key_id_t, - peer_key: *const u8, - peer_key_length: usize, + pub fn psa_hash_setup( + operation: *mut psa_hash_operation_t, + alg: psa_algorithm_t, ) -> psa_status_t; } unsafe extern "C" { - /// Read some data from a key derivation operation. + /// Add a message fragment to a multipart hash operation. /// - /// This function calculates output bytes from a key derivation algorithm and - /// return those bytes. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the requested number of bytes from the - /// stream. - /// The operation's capacity decreases by the number of bytes read. + /// The application must call psa_hash_setup() before calling this function. /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[out] output Buffer where the output will be written. - /// \param output_length Number of bytes to output. + /// \param[in,out] operation Active hash operation. + /// \param[in] input Buffer containing the message fragment to hash. + /// \param input_length Size of the \p input buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// One of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_DERIVE. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// \p output_length bytes. Note that in this case, - /// no output is written to the output buffer. - /// The operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller output buffer. + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_update( + operation: *mut psa_hash_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Finish the calculation of the hash of a message. + /// + /// The application must call psa_hash_setup() before calling this function. + /// This function calculates the hash of the message formed by concatenating + /// the inputs passed to preceding calls to psa_hash_update(). + /// + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). + /// + /// \warning Applications should not call this function if they expect + /// a specific value for the hash. Call psa_hash_verify() instead. + /// Beware that comparing integrity or authenticity data such as + /// hash values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the hashed data which could allow an attacker to guess + /// a valid hash and thereby bypass security controls. + /// + /// \param[in,out] operation Active hash operation. + /// \param[out] hash Buffer where the hash is to be written. + /// \param hash_size Size of the \p hash buffer in bytes. + /// \param[out] hash_length On success, the number of bytes + /// that make up the hash value. This is always + /// #PSA_HASH_LENGTH(\c alg) where \c alg is the + /// hash algorithm that is calculated. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p hash buffer is too small. You can determine a + /// sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) + /// where \c alg is the hash algorithm that is calculated. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_finish( + operation: *mut psa_hash_operation_t, + hash: *mut u8, + hash_size: usize, + hash_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Finish the calculation of the hash of a message and compare it with + /// an expected value. + /// + /// The application must call psa_hash_setup() before calling this function. + /// This function calculates the hash of the message formed by concatenating + /// the inputs passed to preceding calls to psa_hash_update(). It then + /// compares the calculated hash with the expected hash passed as a + /// parameter to this function. + /// + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). + /// + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual hash and the expected hash is performed + /// in constant time. + /// + /// \param[in,out] operation Active hash operation. + /// \param[in] hash Buffer containing the expected hash value. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected hash is identical to the actual hash of the message. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The hash of the message was calculated successfully, but it + /// differs from the expected hash. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_output_bytes( - operation: *mut psa_key_derivation_operation_t, - output: *mut u8, - output_length: usize, + pub fn psa_hash_verify( + operation: *mut psa_hash_operation_t, + hash: *const u8, + hash_length: usize, ) -> psa_status_t; } unsafe extern "C" { - /// Derive a key from an ongoing key derivation operation. - /// - /// This function calculates output bytes from a key derivation algorithm - /// and uses those bytes to generate a key deterministically. - /// The key's location, usage policy, type and size are taken from - /// \p attributes. - /// - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads as many bytes as required from the - /// stream. - /// The operation's capacity decreases by the number of bytes read. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// How much output is produced and consumed from the operation, and how - /// the key is derived, depends on the key type and on the key size - /// (denoted \c bits below): - /// - /// - For key types for which the key is an arbitrary sequence of bytes - /// of a given size, this function is functionally equivalent to - /// calling #psa_key_derivation_output_bytes - /// and passing the resulting output to #psa_import_key. - /// However, this function has a security benefit: - /// if the implementation provides an isolation boundary then - /// the key material is not exposed outside the isolation boundary. - /// As a consequence, for these key types, this function always consumes - /// exactly (\c bits / 8) bytes from the operation. - /// The following key types defined in this specification follow this scheme: - /// - /// - #PSA_KEY_TYPE_AES; - /// - #PSA_KEY_TYPE_ARIA; - /// - #PSA_KEY_TYPE_CAMELLIA; - /// - #PSA_KEY_TYPE_DERIVE; - /// - #PSA_KEY_TYPE_HMAC; - /// - #PSA_KEY_TYPE_PASSWORD_HASH. - /// - /// - For ECC keys on a Montgomery elliptic curve - /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a - /// Montgomery curve), this function always draws a byte string whose - /// length is determined by the curve, and sets the mandatory bits - /// accordingly. That is: + /// Abort a hash operation. /// - /// - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte - /// string and process it as specified in RFC 7748 §5. - /// - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte - /// string and process it as specified in RFC 7748 §5. + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_hash_setup() again. /// - /// - For key types for which the key is represented by a single sequence of - /// \c bits bits with constraints as to which bit sequences are acceptable, - /// this function draws a byte string of length (\c bits / 8) bytes rounded - /// up to the nearest whole number of bytes. If the resulting byte string - /// is acceptable, it becomes the key, otherwise the drawn bytes are discarded. - /// This process is repeated until an acceptable byte string is drawn. - /// The byte string drawn from the operation is interpreted as specified - /// for the output produced by psa_export_key(). - /// The following key types defined in this specification follow this scheme: + /// You may call this function any time after the operation object has + /// been initialized by one of the methods described in #psa_hash_operation_t. /// - /// - #PSA_KEY_TYPE_DES. - /// Force-set the parity bits, but discard forbidden weak keys. - /// For 2-key and 3-key triple-DES, the three keys are generated - /// successively (for example, for 3-key triple-DES, - /// if the first 8 bytes specify a weak key and the next 8 bytes do not, - /// discard the first 8 bytes, use the next 8 bytes as the first key, - /// and continue reading output from the operation to derive the other - /// two keys). - /// - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group) - /// where \c group designates any Diffie-Hellman group) and - /// ECC keys on a Weierstrass elliptic curve - /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a - /// Weierstrass curve). - /// For these key types, interpret the byte string as integer - /// in big-endian order. Discard it if it is not in the range - /// [0, *N* - 2] where *N* is the boundary of the private key domain - /// (the prime *p* for Diffie-Hellman, the subprime *q* for DSA, - /// or the order of the curve's base point for ECC). - /// Add 1 to the resulting integer and use this as the private key *x*. - /// This method allows compliance to NIST standards, specifically - /// the methods titled "key-pair generation by testing candidates" - /// in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman, - /// in FIPS 186-4 §B.1.2 for DSA, and - /// in NIST SP 800-56A §5.6.1.2.2 or - /// FIPS 186-4 §B.4.2 for elliptic curve keys. + /// In particular, calling psa_hash_abort() after the operation has been + /// terminated by a call to psa_hash_abort(), psa_hash_finish() or + /// psa_hash_verify() is safe and has no effect. /// - /// - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR, - /// the way in which the operation output is consumed is - /// implementation-defined. + /// \param[in,out] operation Initialized hash operation. /// - /// In all cases, the data that is read is discarded from the operation. - /// The operation's capacity is decreased by the number of bytes read. + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_abort(operation: *mut psa_hash_operation_t) -> psa_status_t; +} +unsafe extern "C" { + /// Clone a hash operation. /// - /// For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET, - /// the input to that step must be provided with psa_key_derivation_input_key(). - /// Future versions of this specification may include additional restrictions - /// on the derived key based on the attributes and strength of the secret key. + /// This function copies the state of an ongoing hash operation to + /// a new operation object. In other words, this function is equivalent + /// to calling psa_hash_setup() on \p target_operation with the same + /// algorithm that \p source_operation was set up for, then + /// psa_hash_update() on \p target_operation with the same input that + /// that was passed to \p source_operation. After this function returns, the + /// two objects are independent, i.e. subsequent calls involving one of + /// the objects do not affect the other object. /// - /// \param[in] attributes The attributes for the new key. - /// If the key type to be created is - /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in - /// the policy must be the same as in the current - /// operation. - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[out] key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param[in] source_operation The active hash operation to clone. + /// \param[in,out] target_operation The operation object to set up. + /// It must be initialized but not active. /// - /// \retval #PSA_SUCCESS - /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// There was not enough data to create the desired key. - /// Note that in this case, no output is written to the output buffer. - /// The operation's capacity is set to 0, thus subsequent calls to - /// this function will not succeed, even with a smaller output buffer. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size is not supported, either by the - /// implementation in general or in this particular location. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The provided key attributes are not valid for the operation. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The #PSA_KEY_DERIVATION_INPUT_SECRET or - /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a - /// key; or one of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_DERIVE. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_SUCCESS \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The \p source_operation state is not valid (it must be active), or + /// the \p target_operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_output_key( - attributes: *const psa_key_attributes_t, - operation: *mut psa_key_derivation_operation_t, - key: *mut mbedtls_svc_key_id_t, + pub fn psa_hash_clone( + source_operation: *const psa_hash_operation_t, + target_operation: *mut psa_hash_operation_t, ) -> psa_status_t; } unsafe extern "C" { - /// Compare output data from a key derivation operation to an expected value. - /// - /// This function calculates output bytes from a key derivation algorithm and - /// compares those bytes to an expected value in constant time. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the expected number of bytes from the - /// stream before comparing them. - /// The operation's capacity decreases by the number of bytes read. - /// - /// This is functionally equivalent to the following code: - /// \code - /// psa_key_derivation_output_bytes(operation, tmp, output_length); - /// if (memcmp(output, tmp, output_length) != 0) - /// return PSA_ERROR_INVALID_SIGNATURE; - /// \endcode - /// except (1) it works even if the key's policy does not allow outputting the - /// bytes, and (2) the comparison will be done in constant time. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, - /// the operation enters an error state and must be aborted by calling - /// psa_key_derivation_abort(). + /// Calculate the MAC (message authentication code) of a message. /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[in] expected_output Buffer containing the expected derivation output. - /// \param output_length Length of the expected output; this is also the - /// number of bytes that will be read. + /// \note To verify the MAC of a message against an + /// expected value, use psa_mac_verify() instead. + /// Beware that comparing integrity or authenticity data such as + /// MAC values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the MAC value which could allow an attacker to guess + /// a valid MAC and thereby bypass security controls. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The output was read successfully, but it differs from the expected - /// output. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// One of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_VERIFY_DERIVATION. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// \p output_length bytes. Note that in this case, - /// the operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller expected output. + /// \param key Identifier of the key to use for the operation. It + /// must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \param[in] input Buffer containing the input message. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] mac Buffer where the MAC value is to be written. + /// \param mac_size Size of the \p mac buffer in bytes. + /// \param[out] mac_length On success, the number of bytes + /// that make up the MAC value. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p mac_size is too small /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_verify_bytes( - operation: *mut psa_key_derivation_operation_t, - expected_output: *const u8, - output_length: usize, + pub fn psa_mac_compute( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + mac: *mut u8, + mac_size: usize, + mac_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// Compare output data from a key derivation operation to an expected value - /// stored in a key object. - /// - /// This function calculates output bytes from a key derivation algorithm and - /// compares those bytes to an expected value, provided as key of type - /// #PSA_KEY_TYPE_PASSWORD_HASH. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the number of bytes corresponding to the - /// length of the expected value from the stream before comparing them. - /// The operation's capacity decreases by the number of bytes read. - /// - /// This is functionally equivalent to exporting the key and calling - /// psa_key_derivation_verify_bytes() on the result, except that it - /// works even if the key cannot be exported. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, - /// the operation enters an error state and must be aborted by calling - /// psa_key_derivation_abort(). + /// Calculate the MAC of a message and compare it with a reference value. /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH - /// containing the expected output. Its policy must - /// include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag - /// and the permitted algorithm must match the - /// operation. The value of this key was likely - /// computed by a previous call to - /// psa_key_derivation_output_key(). + /// \param key Identifier of the key to use for the operation. It + /// must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \param[in] input Buffer containing the input message. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] mac Buffer containing the expected MAC value. + /// \param mac_length Size of the \p mac buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_SUCCESS + /// The expected MAC is identical to the actual MAC of the input. /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The output was read successfully, but if differs from the expected - /// output. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// The key passed as the expected value does not exist. + /// The MAC of the message was calculated successfully, but it + /// differs from the expected value. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key passed as the expected value has an invalid type. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key passed as the expected value does not allow this usage or - /// this algorithm; or one of the inputs was a key whose policy didn't - /// allow #PSA_KEY_USAGE_VERIFY_DERIVATION. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// the length of the expected value. In this case, - /// the operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller expected output. + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_verify_key( - operation: *mut psa_key_derivation_operation_t, - expected: psa_key_id_t, + pub fn psa_mac_verify( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + mac: *const u8, + mac_length: usize, ) -> psa_status_t; } +/// The type of the state data structure for multipart MAC operations. +/// +/// Before calling any function on a MAC operation object, the application must +/// initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_mac_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_mac_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT, +/// for example: +/// \code +/// psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_mac_operation_init() +/// to the structure, for example: +/// \code +/// psa_mac_operation_t operation; +/// operation = psa_mac_operation_init(); +/// \endcode +/// +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_mac_operation_t = psa_mac_operation_s; unsafe extern "C" { - /// Abort a key derivation operation. + /// Set up a multipart MAC calculation operation. /// - /// Aborting an operation frees all associated resources except for the \c - /// operation structure itself. Once aborted, the operation object can be reused - /// for another operation by calling psa_key_derivation_setup() again. + /// This function sets up the calculation of the MAC + /// (message authentication code) of a byte string. + /// To verify the MAC of a message against an + /// expected value, use psa_mac_verify_setup() instead. /// - /// This function may be called at any time after the operation - /// object has been initialized as described in #psa_key_derivation_operation_t. + /// The sequence of operations to calculate a MAC is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. + /// -# Call psa_mac_sign_setup() to specify the algorithm and key. + /// -# Call psa_mac_update() zero, one or more times, passing a fragment + /// of the message each time. The MAC that is calculated is the MAC + /// of the concatenation of these messages in order. + /// -# At the end of the message, call psa_mac_sign_finish() to finish + /// calculating the MAC value and retrieve it. /// - /// In particular, it is valid to call psa_key_derivation_abort() twice, or to - /// call psa_key_derivation_abort() on an operation that has not been set up. + /// If an error occurs at any step after a call to psa_mac_sign_setup(), the + /// operation will need to be reset by a call to psa_mac_abort(). The + /// application may call psa_mac_abort() at any time after the operation + /// has been initialized. /// - /// \param[in,out] operation The operation to abort. + /// After a successful call to psa_mac_sign_setup(), the application must + /// eventually terminate the operation through one of the following methods: + /// - A successful call to psa_mac_sign_finish(). + /// - A call to psa_mac_abort(). /// - /// \retval #PSA_SUCCESS \emptydescription + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_mac_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. It + /// must remain valid until the operation terminates. + /// It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_abort(operation: *mut psa_key_derivation_operation_t) - -> psa_status_t; + pub fn psa_mac_sign_setup( + operation: *mut psa_mac_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// Perform a key agreement and return the raw shared secret. + /// Set up a multipart MAC verification operation. /// - /// \warning The raw result of a key agreement algorithm such as finite-field - /// Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should - /// not be used directly as key material. It should instead be passed as - /// input to a key derivation algorithm. To chain a key agreement with - /// a key derivation, use psa_key_derivation_key_agreement() and other - /// functions from the key derivation interface. + /// This function sets up the verification of the MAC + /// (message authentication code) of a byte string against an expected value. /// - /// \param alg The key agreement algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg) - /// is true). - /// \param private_key Identifier of the private key to use. It must - /// allow the usage #PSA_KEY_USAGE_DERIVE. - /// \param[in] peer_key Public key of the peer. It must be - /// in the same format that psa_import_key() - /// accepts. The standard formats for public - /// keys are documented in the documentation - /// of psa_export_public_key(). - /// \param peer_key_length Size of \p peer_key in bytes. - /// \param[out] output Buffer where the decrypted message is to - /// be written. - /// \param output_size Size of the \c output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. + /// The sequence of operations to verify a MAC is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. + /// -# Call psa_mac_verify_setup() to specify the algorithm and key. + /// -# Call psa_mac_update() zero, one or more times, passing a fragment + /// of the message each time. The MAC that is calculated is the MAC + /// of the concatenation of these messages in order. + /// -# At the end of the message, call psa_mac_verify_finish() to finish + /// calculating the actual MAC of the message and verify it against + /// the expected value. + /// + /// If an error occurs at any step after a call to psa_mac_verify_setup(), the + /// operation will need to be reset by a call to psa_mac_abort(). The + /// application may call psa_mac_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_mac_verify_setup(), the application must + /// eventually terminate the operation through one of the following methods: + /// - A successful call to psa_mac_verify_finish(). + /// - A call to psa_mac_abort(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_mac_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. It + /// must remain valid until the operation terminates. + /// It must allow the usage + /// PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). /// /// \retval #PSA_SUCCESS /// Success. /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p alg is not a key agreement algorithm, or - /// \p private_key is not compatible with \p alg, - /// or \p peer_key is not valid for \p alg or not compatible with - /// \p private_key. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p output_size is too small + /// \c key is not compatible with \c alg. /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not a supported key agreement algorithm. + /// \c alg is not supported or is not a MAC algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_raw_key_agreement( + pub fn psa_mac_verify_setup( + operation: *mut psa_mac_operation_t, + key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - private_key: mbedtls_svc_key_id_t, - peer_key: *const u8, - peer_key_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Generate random bytes. - /// - /// \warning This function **can** fail! Callers MUST check the return status - /// and MUST NOT use the content of the output buffer if the return - /// status is not #PSA_SUCCESS. - /// - /// \note To generate a key, use psa_generate_key() instead. - /// - /// \param[out] output Output buffer for the generated data. - /// \param output_size Number of bytes to generate and output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_generate_random(output: *mut u8, output_size: usize) -> psa_status_t; -} -unsafe extern "C" { - /// \brief Generate a key or key pair. - /// - /// The key is generated randomly. - /// Its location, usage policy, type and size are taken from \p attributes. + /// Add a message fragment to a multipart MAC operation. /// - /// Implementations must reject an attempt to generate a key of size 0. + /// The application must call psa_mac_sign_setup() or psa_mac_verify_setup() + /// before calling this function. /// - /// The following type-specific considerations apply: - /// - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), - /// the public exponent is 65537. - /// The modulus is a product of two probabilistic primes - /// between 2^{n-1} and 2^n where n is the bit size specified in the - /// attributes. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// \param[in] attributes The attributes for the new key. - /// \param[out] key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param[in,out] operation Active MAC operation. + /// \param[in] input Buffer containing the message fragment to add to + /// the MAC calculation. + /// \param input_length Size of the \p input buffer in bytes. /// /// \retval #PSA_SUCCESS /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_generate_key( - attributes: *const psa_key_attributes_t, - key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; -} -/// The type of the state data structure for interruptible hash -/// signing operations. -/// -/// Before calling any function on a sign hash operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer -/// #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation = -/// PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function -/// psa_sign_hash_interruptible_operation_init() to the structure, for -/// example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation; -/// operation = psa_sign_hash_interruptible_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_sign_hash_interruptible_operation_t = psa_sign_hash_interruptible_operation_s; -/// The type of the state data structure for interruptible hash -/// verification operations. -/// -/// Before calling any function on a sign hash operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer -/// #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation = -/// PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function -/// psa_verify_hash_interruptible_operation_init() to the structure, for -/// example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation; -/// operation = psa_verify_hash_interruptible_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_verify_hash_interruptible_operation_t = psa_verify_hash_interruptible_operation_s; -unsafe extern "C" { - /// \brief Set the maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note The time taken to execute a single op is - /// implementation specific and depends on - /// software, hardware, the algorithm, key type and - /// curve chosen. Even within a single operation, - /// successive ops can take differing amounts of - /// time. The only guarantee is that lower values - /// for \p max_ops means functions will block for a - /// lesser maximum amount of time. The functions - /// \c psa_sign_interruptible_get_num_ops() and - /// \c psa_verify_interruptible_get_num_ops() are - /// provided to help with tuning this value. - /// - /// \note This value defaults to - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which - /// means the whole operation will be done in one - /// go, regardless of the number of ops required. - /// - /// \note If more ops are needed to complete a - /// computation, #PSA_OPERATION_INCOMPLETE will be - /// returned by the function performing the - /// computation. It is then the caller's - /// responsibility to either call again with the - /// same operation context until it returns 0 or an - /// error code; or to call the relevant abort - /// function if the answer is no longer required. - /// - /// \note The interpretation of \p max_ops is also - /// implementation defined. On a hard real time - /// system, this can indicate a hard deadline, as a - /// real-time system needs a guarantee of not - /// spending more than X time, however care must be - /// taken in such an implementation to avoid the - /// situation whereby calls just return, not being - /// able to do any actual work within the allotted - /// time. On a non-real-time system, the - /// implementation can be more relaxed, but again - /// whether this number should be interpreted as as - /// hard or soft limit or even whether a less than - /// or equals as regards to ops executed in a - /// single call is implementation defined. - /// - /// \note For keys in local storage when no accelerator - /// driver applies, please see also the - /// documentation for \c mbedtls_ecp_set_max_ops(), - /// which is the internal implementation in these - /// cases. - /// - /// \warning With implementations that interpret this number - /// as a hard limit, setting this number too small - /// may result in an infinite loop, whereby each - /// call results in immediate return with no ops - /// done (as there is not enough time to execute - /// any), and thus no result will ever be achieved. - /// - /// \note This only applies to functions whose - /// documentation mentions they may return - /// #PSA_OPERATION_INCOMPLETE. - /// - /// \param max_ops The maximum number of ops to be executed in a - /// single call. This can be a number from 0 to - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 - /// is the least amount of work done per call. - pub fn psa_interruptible_set_max_ops(max_ops: u32); -} -unsafe extern "C" { - /// \brief Get the maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. This will return the last - /// value set by - /// \c psa_interruptible_set_max_ops() or - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if - /// that function has never been called. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \return Maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. - pub fn psa_interruptible_get_max_ops() -> u32; + pub fn psa_mac_update( + operation: *mut psa_mac_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Get the number of ops that a hash signing - /// operation has taken so far. If the operation - /// has completed, then this will represent the - /// number of ops required for the entire - /// operation. After initialization or calling - /// \c psa_sign_hash_interruptible_abort() on - /// the operation, a value of 0 will be returned. + /// Finish the calculation of the MAC of a message. /// - /// \note This interface is guaranteed re-entrant and - /// thus may be called from driver code. + /// The application must call psa_mac_sign_setup() before calling this function. + /// This function calculates the MAC of the message formed by concatenating + /// the inputs passed to preceding calls to psa_mac_update(). /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// This is a helper provided to help you tune the - /// value passed to \c - /// psa_interruptible_set_max_ops(). + /// \warning Applications should not call this function if they expect + /// a specific value for the MAC. Call psa_mac_verify_finish() instead. + /// Beware that comparing integrity or authenticity data such as + /// MAC values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the MAC value which could allow an attacker to guess + /// a valid MAC and thereby bypass security controls. /// - /// \param operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// \param[in,out] operation Active MAC operation. + /// \param[out] mac Buffer where the MAC value is to be written. + /// \param mac_size Size of the \p mac buffer in bytes. + /// \param[out] mac_length On success, the number of bytes + /// that make up the MAC value. This is always + /// #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg) + /// where \c key_type and \c key_bits are the type and + /// bit-size respectively of the key and \c alg is the + /// MAC algorithm that is calculated. /// - /// \return Number of ops that the operation has taken so - /// far. - pub fn psa_sign_hash_get_num_ops( - operation: *const psa_sign_hash_interruptible_operation_t, - ) -> u32; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p mac buffer is too small. You can determine a + /// sufficient buffer size by calling PSA_MAC_LENGTH(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active mac sign + /// operation), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_sign_finish( + operation: *mut psa_mac_operation_t, + mac: *mut u8, + mac_size: usize, + mac_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Get the number of ops that a hash verification - /// operation has taken so far. If the operation - /// has completed, then this will represent the - /// number of ops required for the entire - /// operation. After initialization or calling \c - /// psa_verify_hash_interruptible_abort() on the - /// operation, a value of 0 will be returned. + /// Finish the calculation of the MAC of a message and compare it with + /// an expected value. /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// The application must call psa_mac_verify_setup() before calling this function. + /// This function calculates the MAC of the message formed by concatenating + /// the inputs passed to preceding calls to psa_mac_update(). It then + /// compares the calculated MAC with the expected MAC passed as a + /// parameter to this function. /// - /// This is a helper provided to help you tune the - /// value passed to \c - /// psa_interruptible_set_max_ops(). + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// \param operation The \c - /// psa_verify_hash_interruptible_operation_t to - /// use. This must be initialized first. + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual MAC and the expected MAC is performed + /// in constant time. /// - /// \return Number of ops that the operation has taken so - /// far. - pub fn psa_verify_hash_get_num_ops( - operation: *const psa_verify_hash_interruptible_operation_t, - ) -> u32; + /// \param[in,out] operation Active MAC operation. + /// \param[in] mac Buffer containing the expected MAC value. + /// \param mac_length Size of the \p mac buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected MAC is identical to the actual MAC of the message. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The MAC of the message was calculated successfully, but it + /// differs from the expected MAC. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active mac verify + /// operation), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_verify_finish( + operation: *mut psa_mac_operation_t, + mac: *const u8, + mac_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Start signing a hash or short message with a - /// private key, in an interruptible manner. + /// Abort a MAC operation. /// - /// \see \c psa_sign_hash_complete() + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_mac_sign_setup() or psa_mac_verify_setup() again. /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// You may call this function any time after the operation object has + /// been initialized by one of the methods described in #psa_mac_operation_t. /// - /// \note This function combined with \c - /// psa_sign_hash_complete() is equivalent to - /// \c psa_sign_hash() but - /// \c psa_sign_hash_complete() can return early and - /// resume according to the limit set with \c - /// psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function call. + /// In particular, calling psa_mac_abort() after the operation has been + /// terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or + /// psa_mac_verify_finish() is safe and has no effect. /// - /// \note Users should call \c psa_sign_hash_complete() - /// repeatedly on the same context after a - /// successful call to this function until \c - /// psa_sign_hash_complete() either returns 0 or an - /// error. \c psa_sign_hash_complete() will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_sign_hash_abort() at any point if they no - /// longer want the result. + /// \param[in,out] operation Initialized MAC operation. /// - /// \note If this function returns an error status, the - /// operation enters an error state and must be - /// aborted by calling \c psa_sign_hash_abort(). + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_abort(operation: *mut psa_mac_operation_t) -> psa_status_t; +} +unsafe extern "C" { + /// Encrypt a message using a symmetric cipher. /// - /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// This function encrypts a message with a random IV (initialization + /// vector). Use the multipart operation interface with a + /// #psa_cipher_operation_t object to provide other forms of IV. /// /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. - /// \param alg A signature algorithm (\c PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message to sign. - /// \param hash_length Size of the \p hash buffer in bytes. + /// It must allow the usage #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// \param[in] input Buffer containing the message to encrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// The output contains the IV followed by + /// the ciphertext proper. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the output. /// /// \retval #PSA_SUCCESS - /// The operation started successfully - call \c psa_sign_hash_complete() - /// with the same context to complete the operation - /// + /// Success. /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does - /// not permit the requested algorithm. + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// An operation has previously been started on this context, and is - /// still in progress. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Decrypt a message using a symmetric cipher. + /// + /// This function decrypts a message encrypted with a symmetric cipher. + /// + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// \param[in] input Buffer containing the message to decrypt. + /// This consists of the IV followed by the + /// ciphertext proper. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the plaintext is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_sign_hash_start( - operation: *mut psa_sign_hash_interruptible_operation_t, + pub fn psa_cipher_decrypt( key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, ) -> psa_status_t; } +/// The type of the state data structure for multipart cipher operations. +/// +/// Before calling any function on a cipher operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_cipher_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_cipher_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT, +/// for example: +/// \code +/// psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_cipher_operation_init() +/// to the structure, for example: +/// \code +/// psa_cipher_operation_t operation; +/// operation = psa_cipher_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_cipher_operation_t = psa_cipher_operation_s; unsafe extern "C" { - /// \brief Continue and eventually complete the action of - /// signing a hash or short message with a private - /// key, in an interruptible manner. - /// - /// \see \c psa_sign_hash_start() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function combined with \c - /// psa_sign_hash_start() is equivalent to - /// \c psa_sign_hash() but this function can return - /// early and resume according to the limit set with - /// \c psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function call. + /// Set the key for a multipart symmetric encryption operation. /// - /// \note Users should call this function on the same - /// operation object repeatedly until it either - /// returns 0 or an error. This function will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_sign_hash_abort() at any point if they no - /// longer want the result. + /// The sequence of operations to encrypt a message with a symmetric cipher + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_cipher_operation_t, e.g. + /// #PSA_CIPHER_OPERATION_INIT. + /// -# Call psa_cipher_encrypt_setup() to specify the algorithm and key. + /// -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to + /// generate or set the IV (initialization vector). You should use + /// psa_cipher_generate_iv() unless the protocol you are implementing + /// requires a specific IV value. + /// -# Call psa_cipher_update() zero, one or more times, passing a fragment + /// of the message each time. + /// -# Call psa_cipher_finish(). /// - /// \note When this function returns successfully, the - /// operation becomes inactive. If this function - /// returns an error status, the operation enters an - /// error state and must be aborted by calling - /// \c psa_sign_hash_abort(). + /// If an error occurs at any step after a call to psa_cipher_encrypt_setup(), + /// the operation will need to be reset by a call to psa_cipher_abort(). The + /// application may call psa_cipher_abort() at any time after the operation + /// has been initialized. /// - /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first, and have - /// had \c psa_sign_hash_start() called with it - /// first. + /// After a successful call to psa_cipher_encrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_cipher_finish(). + /// - A call to psa_cipher_abort(). /// - /// \param[out] signature Buffer where the signature is to be written. - /// \param signature_size Size of the \p signature buffer in bytes. This - /// must be appropriate for the selected - /// algorithm and key: - /// - The required signature size is - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c - /// key_bits, \c alg) where \c key_type and \c - /// key_bits are the type and bit-size - /// respectively of key. - /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the - /// maximum signature size of any supported - /// signature algorithm. - /// \param[out] signature_length On success, the number of bytes that make up - /// the returned signature value. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_cipher_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). /// /// \retval #PSA_SUCCESS - /// Operation completed successfully - /// - /// \retval #PSA_OPERATION_INCOMPLETE - /// Operation was interrupted due to the setting of \c - /// psa_interruptible_set_max_ops(). There is still work to be done. - /// Call this function again with the same operation object. - /// - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// - /// \retval #PSA_ERROR_BAD_STATE - /// An operation was not previously started on this context via - /// \c psa_sign_hash_start(). - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has either not been previously initialized by - /// psa_crypto_init() or you did not previously call - /// psa_sign_hash_start() with this operation object. It is - /// implementation-dependent whether a failure to initialize results in - /// this error code. - pub fn psa_sign_hash_complete( - operation: *mut psa_sign_hash_interruptible_operation_t, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; -} -unsafe extern "C" { - /// \brief Abort a sign hash operation. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function is the only function that clears - /// the number of ops completed as part of the - /// operation. Please ensure you copy this value via - /// \c psa_sign_hash_get_num_ops() if required - /// before calling. - /// - /// \note Aborting an operation frees all associated - /// resources except for the \p operation structure - /// itself. Once aborted, the operation object can - /// be reused for another operation by calling \c - /// psa_sign_hash_start() again. - /// - /// \note You may call this function any time after the - /// operation object has been initialized. In - /// particular, calling \c psa_sign_hash_abort() - /// after the operation has already been terminated - /// by a call to \c psa_sign_hash_abort() or - /// psa_sign_hash_complete() is safe. - /// - /// \param[in,out] operation Initialized sign hash operation. - /// - /// \retval #PSA_SUCCESS - /// The operation was aborted successfully. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_sign_hash_abort( - operation: *mut psa_sign_hash_interruptible_operation_t, + pub fn psa_cipher_encrypt_setup( + operation: *mut psa_cipher_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Start reading and verifying a hash or short - /// message, in an interruptible manner. - /// - /// \see \c psa_verify_hash_complete() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function combined with \c - /// psa_verify_hash_complete() is equivalent to - /// \c psa_verify_hash() but \c - /// psa_verify_hash_complete() can return early and - /// resume according to the limit set with \c - /// psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function. + /// Set the key for a multipart symmetric decryption operation. /// - /// \note Users should call \c psa_verify_hash_complete() - /// repeatedly on the same operation object after a - /// successful call to this function until \c - /// psa_verify_hash_complete() either returns 0 or - /// an error. \c psa_verify_hash_complete() will - /// return #PSA_OPERATION_INCOMPLETE if there is - /// more work to do. Alternatively users can call - /// \c psa_verify_hash_abort() at any point if they - /// no longer want the result. + /// The sequence of operations to decrypt a message with a symmetric cipher + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_cipher_operation_t, e.g. + /// #PSA_CIPHER_OPERATION_INIT. + /// -# Call psa_cipher_decrypt_setup() to specify the algorithm and key. + /// -# Call psa_cipher_set_iv() with the IV (initialization vector) for the + /// decryption. If the IV is prepended to the ciphertext, you can call + /// psa_cipher_update() on a buffer containing the IV followed by the + /// beginning of the message. + /// -# Call psa_cipher_update() zero, one or more times, passing a fragment + /// of the message each time. + /// -# Call psa_cipher_finish(). /// - /// \note If this function returns an error status, the - /// operation enters an error state and must be - /// aborted by calling \c psa_verify_hash_abort(). + /// If an error occurs at any step after a call to psa_cipher_decrypt_setup(), + /// the operation will need to be reset by a call to psa_cipher_abort(). The + /// application may call psa_cipher_abort() at any time after the operation + /// has been initialized. /// - /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// After a successful call to psa_cipher_decrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_cipher_finish(). + /// - A call to psa_cipher_abort(). /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_cipher_operation_t and not yet in use. /// \param key Identifier of the key to use for the operation. - /// The key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_HASH. - /// \param alg A signature algorithm (\c PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash whose signature is to be verified. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[in] signature Buffer containing the signature to verify. - /// \param signature_length Size of the \p signature buffer in bytes. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). /// /// \retval #PSA_SUCCESS - /// The operation started successfully - please call \c - /// psa_verify_hash_complete() with the same context to complete the - /// operation. - /// - /// \retval #PSA_ERROR_BAD_STATE - /// Another operation has already been started on this context, and is - /// still in progress. - /// - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does - /// not permit the requested algorithm. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_verify_hash_start( - operation: *mut psa_verify_hash_interruptible_operation_t, + pub fn psa_cipher_decrypt_setup( + operation: *mut psa_cipher_operation_t, key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *const u8, - signature_length: usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Continue and eventually complete the action of - /// reading and verifying a hash or short message - /// signed with a private key, in an interruptible - /// manner. - /// - /// \see \c psa_verify_hash_start() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// Generate an IV for a symmetric encryption operation. /// - /// \note This function combined with \c - /// psa_verify_hash_start() is equivalent to - /// \c psa_verify_hash() but this function can - /// return early and resume according to the limit - /// set with \c psa_interruptible_set_max_ops() to - /// reduce the maximum time spent in a function - /// call. + /// This function generates a random IV (initialization vector), nonce + /// or initial counter value for the encryption operation as appropriate + /// for the chosen algorithm, key type and key size. /// - /// \note Users should call this function on the same - /// operation object repeatedly until it either - /// returns 0 or an error. This function will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_verify_hash_abort() at any point if they - /// no longer want the result. + /// The application must call psa_cipher_encrypt_setup() before + /// calling this function. /// - /// \note When this function returns successfully, the - /// operation becomes inactive. If this function - /// returns an error status, the operation enters an - /// error state and must be aborted by calling - /// \c psa_verify_hash_abort(). + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t - /// to use. This must be initialized first, and have - /// had \c psa_verify_hash_start() called with it - /// first. + /// \param[in,out] operation Active cipher operation. + /// \param[out] iv Buffer where the generated IV is to be written. + /// \param iv_size Size of the \p iv buffer in bytes. + /// \param[out] iv_length On success, the number of bytes of the + /// generated IV. /// /// \retval #PSA_SUCCESS - /// Operation completed successfully, and the passed signature is valid. - /// - /// \retval #PSA_OPERATION_INCOMPLETE - /// Operation was interrupted due to the setting of \c - /// psa_interruptible_set_max_ops(). There is still work to be done. - /// Call this function again with the same operation object. - /// - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed - /// signature is not a valid signature. - /// \retval #PSA_ERROR_BAD_STATE - /// An operation was not previously started on this context via - /// \c psa_verify_hash_start(). - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p iv buffer is too small. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has either not been previously initialized by - /// psa_crypto_init() or you did not previously call - /// psa_verify_hash_start() on this object. It is - /// implementation-dependent whether a failure to initialize results in - /// this error code. - pub fn psa_verify_hash_complete( - operation: *mut psa_verify_hash_interruptible_operation_t, + /// The operation state is not valid (it must be active, with no IV set), + /// or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_generate_iv( + operation: *mut psa_cipher_operation_t, + iv: *mut u8, + iv_size: usize, + iv_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Abort a verify hash operation. + /// Set the IV for a symmetric encryption or decryption operation. /// - /// \warning This is a beta API, and thus subject to change at - /// any point. It is not bound by the usual interface - /// stability promises. + /// This function sets the IV (initialization vector), nonce + /// or initial counter value for the encryption or decryption operation. /// - /// \note This function is the only function that clears the - /// number of ops completed as part of the operation. - /// Please ensure you copy this value via - /// \c psa_verify_hash_get_num_ops() if required - /// before calling. + /// The application must call psa_cipher_encrypt_setup() before + /// calling this function. /// - /// \note Aborting an operation frees all associated - /// resources except for the operation structure - /// itself. Once aborted, the operation object can be - /// reused for another operation by calling \c - /// psa_verify_hash_start() again. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \note You may call this function any time after the - /// operation object has been initialized. - /// In particular, calling \c psa_verify_hash_abort() - /// after the operation has already been terminated by - /// a call to \c psa_verify_hash_abort() or - /// psa_verify_hash_complete() is safe. + /// \note When encrypting, applications should use psa_cipher_generate_iv() + /// instead of this function, unless implementing a protocol that requires + /// a non-random IV. /// - /// \param[in,out] operation Initialized verify hash operation. + /// \param[in,out] operation Active cipher operation. + /// \param[in] iv Buffer containing the IV to use. + /// \param iv_length Size of the IV in bytes. /// /// \retval #PSA_SUCCESS - /// The operation was aborted successfully. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The size of \p iv is not acceptable for the chosen algorithm, + /// or the chosen algorithm does not use an IV. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be an active cipher + /// encrypt operation, with no IV set), or the library has not been + /// previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_verify_hash_abort( - operation: *mut psa_verify_hash_interruptible_operation_t, + pub fn psa_cipher_set_iv( + operation: *mut psa_cipher_operation_t, + iv: *const u8, + iv_length: usize, ) -> psa_status_t; } -/// \brief The GCM context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_gcm_context { - ///< The cipher context used. - pub private_cipher_ctx: mbedtls_cipher_context_t, - ///< Precalculated HTable low. - pub private_HL: [u64; 16usize], - ///< Precalculated HTable high. - pub private_HH: [u64; 16usize], - ///< The total length of the encrypted data. - pub private_len: u64, - ///< The total length of the additional data. - pub private_add_len: u64, - ///< The first ECTR for tag. - pub private_base_ectr: [::core::ffi::c_uchar; 16usize], - ///< The Y working value. - pub private_y: [::core::ffi::c_uchar; 16usize], - ///< The buf working value. - pub private_buf: [::core::ffi::c_uchar; 16usize], - ///< The operation to perform: - ///#MBEDTLS_GCM_ENCRYPT or - ///#MBEDTLS_GCM_DECRYPT. - pub private_mode: ::core::ffi::c_int, -} -impl Default for mbedtls_gcm_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { - /// \brief This function initializes the specified GCM context, - /// to make references valid, and prepares the context - /// for mbedtls_gcm_setkey() or mbedtls_gcm_free(). + /// Encrypt or decrypt a message fragment in an active cipher operation. /// - /// The function does not bind the GCM context to a particular - /// cipher, nor set the key. For this purpose, use - /// mbedtls_gcm_setkey(). + /// Before calling this function, you must: + /// 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(). + /// The choice of setup function determines whether this function + /// encrypts or decrypts its input. + /// 2. If the algorithm requires an IV, call psa_cipher_generate_iv() + /// (recommended when encrypting) or psa_cipher_set_iv(). /// - /// \param ctx The GCM context to initialize. This must not be \c NULL. - pub fn mbedtls_gcm_init(ctx: *mut mbedtls_gcm_context); -} -unsafe extern "C" { - /// \brief This function associates a GCM context with a - /// cipher algorithm and a key. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param cipher The 128-bit block cipher to use. - /// \param key The encryption key. This must be a readable buffer of at - /// least \p keybits bits. - /// \param keybits The key size in bits. Valid options are: - ///
  • 128 bits
    • - ///
  • 192 bits
    • - ///
  • 256 bits
+ /// \param[in,out] operation Active cipher operation. + /// \param[in] input Buffer containing the message fragment to + /// encrypt or decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A cipher-specific error code on failure. - pub fn mbedtls_gcm_setkey( - ctx: *mut mbedtls_gcm_context, - cipher: mbedtls_cipher_id_t, - key: *const ::core::ffi::c_uchar, - keybits: ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with an IV set + /// if required for the algorithm), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_update( + operation: *mut psa_cipher_operation_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function performs GCM encryption or decryption of a buffer. + /// Finish encrypting or decrypting a message in a cipher operation. /// - /// \note For encryption, the output buffer can be the same as the - /// input buffer. For decryption, the output buffer cannot be - /// the same as input buffer. If the buffers overlap, the output - /// buffer must trail at least 8 Bytes behind the input buffer. + /// The application must call psa_cipher_encrypt_setup() or + /// psa_cipher_decrypt_setup() before calling this function. The choice + /// of setup function determines whether this function encrypts or + /// decrypts its input. /// - /// \warning When this function performs a decryption, it outputs the - /// authentication tag and does not verify that the data is - /// authentic. You should use this function to perform encryption - /// only. For decryption, use mbedtls_gcm_auth_decrypt() instead. + /// This function finishes the encryption or decryption of the message + /// formed by concatenating the inputs passed to preceding calls to + /// psa_cipher_update(). /// - /// \param ctx The GCM context to use for encryption or decryption. This - /// must be initialized. - /// \param mode The operation to perform: - /// - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption. - /// The ciphertext is written to \p output and the - /// authentication tag is written to \p tag. - /// - #MBEDTLS_GCM_DECRYPT to perform decryption. - /// The plaintext is written to \p output and the - /// authentication tag is written to \p tag. - /// Note that this mode is not recommended, because it does - /// not verify the authenticity of the data. For this reason, - /// you should use mbedtls_gcm_auth_decrypt() instead of - /// calling this function in decryption mode. - /// \param length The length of the input data, which is equal to the length - /// of the output data. - /// \param iv The initialization vector. This must be a readable buffer of - /// at least \p iv_len Bytes. - /// \param iv_len The length of the IV. - /// \param add The buffer holding the additional data. This must be of at - /// least that size in Bytes. - /// \param add_len The length of the additional data. - /// \param input The buffer holding the input data. If \p length is greater - /// than zero, this must be a readable buffer of at least that - /// size in Bytes. - /// \param output The buffer for holding the output data. If \p length is greater - /// than zero, this must be a writable buffer of at least that - /// size in Bytes. - /// \param tag_len The length of the tag to generate. - /// \param tag The buffer for holding the tag. This must be a writable - /// buffer of at least \p tag_len Bytes. + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \return \c 0 if the encryption or decryption was performed - /// successfully. Note that in #MBEDTLS_GCM_DECRYPT mode, - /// this does not indicate that the data is authentic. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are - /// not valid or a cipher-specific error code if the encryption - /// or decryption failed. - pub fn mbedtls_gcm_crypt_and_tag( - ctx: *mut mbedtls_gcm_context, - mode: ::core::ffi::c_int, - length: usize, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - add: *const ::core::ffi::c_uchar, - add_len: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - tag_len: usize, - tag: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active cipher operation. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total input size passed to this operation is not valid for + /// this particular algorithm. For example, the algorithm is a based + /// on block cipher and requires a whole number of blocks, but the + /// total input size is not a multiple of the block size. + /// \retval #PSA_ERROR_INVALID_PADDING + /// This is a decryption operation for an algorithm that includes + /// padding, and the ciphertext does not contain valid padding. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with an IV set + /// if required for the algorithm), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_finish( + operation: *mut psa_cipher_operation_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function performs a GCM authenticated decryption of a - /// buffer. + /// Abort a cipher operation. /// - /// \note For decryption, the output buffer cannot be the same as - /// input buffer. If the buffers overlap, the output buffer - /// must trail at least 8 Bytes behind the input buffer. + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again. /// - /// \param ctx The GCM context. This must be initialized. - /// \param length The length of the ciphertext to decrypt, which is also - /// the length of the decrypted plaintext. - /// \param iv The initialization vector. This must be a readable buffer - /// of at least \p iv_len Bytes. - /// \param iv_len The length of the IV. - /// \param add The buffer holding the additional data. This must be of at - /// least that size in Bytes. - /// \param add_len The length of the additional data. - /// \param tag The buffer holding the tag to verify. This must be a - /// readable buffer of at least \p tag_len Bytes. - /// \param tag_len The length of the tag to verify. - /// \param input The buffer holding the ciphertext. If \p length is greater - /// than zero, this must be a readable buffer of at least that - /// size. - /// \param output The buffer for holding the decrypted plaintext. If \p length - /// is greater than zero, this must be a writable buffer of at - /// least that size. + /// You may call this function any time after the operation object has + /// been initialized as described in #psa_cipher_operation_t. /// - /// \return \c 0 if successful and authenticated. - /// \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are - /// not valid or a cipher-specific error code if the decryption - /// failed. - pub fn mbedtls_gcm_auth_decrypt( - ctx: *mut mbedtls_gcm_context, - length: usize, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - add: *const ::core::ffi::c_uchar, - add_len: usize, - tag: *const ::core::ffi::c_uchar, - tag_len: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// In particular, calling psa_cipher_abort() after the operation has been + /// terminated by a call to psa_cipher_abort() or psa_cipher_finish() + /// is safe and has no effect. + /// + /// \param[in,out] operation Initialized cipher operation. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_abort(operation: *mut psa_cipher_operation_t) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a GCM encryption or decryption - /// operation. + /// Process an authenticated encryption operation. /// - /// \param ctx The GCM context. This must be initialized. - /// \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or - /// #MBEDTLS_GCM_DECRYPT. - /// \param iv The initialization vector. This must be a readable buffer of - /// at least \p iv_len Bytes. - /// \param iv_len The length of the IV. + /// \param key Identifier of the key to use for the + /// operation. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param[in] nonce Nonce or IV to use. + /// \param nonce_length Size of the \p nonce buffer in bytes. + /// \param[in] additional_data Additional data that will be authenticated + /// but not encrypted. + /// \param additional_data_length Size of \p additional_data in bytes. + /// \param[in] plaintext Data that will be authenticated and + /// encrypted. + /// \param plaintext_length Size of \p plaintext in bytes. + /// \param[out] ciphertext Output buffer for the authenticated and + /// encrypted data. The additional data is not + /// part of this output. For algorithms where the + /// encrypted data and the authentication tag + /// are defined as separate outputs, the + /// authentication tag is appended to the + /// encrypted data. + /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, + /// \p alg, \p plaintext_length) where + /// \c key_type is the type of \p key. + /// - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p + /// plaintext_length) evaluates to the maximum + /// ciphertext size of any supported AEAD + /// encryption. + /// \param[out] ciphertext_length On success, the size of the output + /// in the \p ciphertext buffer. /// - /// \return \c 0 on success. - pub fn mbedtls_gcm_starts( - ctx: *mut mbedtls_gcm_context, - mode: ::core::ffi::c_int, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p ciphertext_size is too small. + /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg, + /// \p plaintext_length) or + /// #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to + /// determine the required buffer size. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + nonce: *const u8, + nonce_length: usize, + additional_data: *const u8, + additional_data_length: usize, + plaintext: *const u8, + plaintext_length: usize, + ciphertext: *mut u8, + ciphertext_size: usize, + ciphertext_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer as associated data - /// (authenticated but not encrypted data) in a GCM - /// encryption or decryption operation. - /// - /// Call this function after mbedtls_gcm_starts() to pass - /// the associated data. If the associated data is empty, - /// you do not need to call this function. You may not - /// call this function after calling mbedtls_cipher_update(). + /// Process an authenticated decryption operation. /// - /// \param ctx The GCM context. This must have been started with - /// mbedtls_gcm_starts() and must not have yet received - /// any input with mbedtls_gcm_update(). - /// \param add The buffer holding the additional data, or \c NULL - /// if \p add_len is \c 0. - /// \param add_len The length of the additional data. If \c 0, - /// \p add may be \c NULL. + /// \param key Identifier of the key to use for the + /// operation. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param[in] nonce Nonce or IV to use. + /// \param nonce_length Size of the \p nonce buffer in bytes. + /// \param[in] additional_data Additional data that has been authenticated + /// but not encrypted. + /// \param additional_data_length Size of \p additional_data in bytes. + /// \param[in] ciphertext Data that has been authenticated and + /// encrypted. For algorithms where the + /// encrypted data and the authentication tag + /// are defined as separate inputs, the buffer + /// must contain the encrypted data followed + /// by the authentication tag. + /// \param ciphertext_length Size of \p ciphertext in bytes. + /// \param[out] plaintext Output buffer for the decrypted data. + /// \param plaintext_size Size of the \p plaintext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, + /// \p alg, \p ciphertext_length) where + /// \c key_type is the type of \p key. + /// - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p + /// ciphertext_length) evaluates to the maximum + /// plaintext size of any supported AEAD + /// decryption. + /// \param[out] plaintext_length On success, the size of the output + /// in the \p plaintext buffer. /// - /// \return \c 0 on success. - pub fn mbedtls_gcm_update_ad( - ctx: *mut mbedtls_gcm_context, - add: *const ::core::ffi::c_uchar, - add_len: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The ciphertext is not authentic. + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p plaintext_size is too small. + /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg, + /// \p ciphertext_length) or + /// #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used + /// to determine the required buffer size. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_decrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + nonce: *const u8, + nonce_length: usize, + additional_data: *const u8, + additional_data_length: usize, + ciphertext: *const u8, + ciphertext_length: usize, + plaintext: *mut u8, + plaintext_size: usize, + plaintext_length: *mut usize, + ) -> psa_status_t; } +/// The type of the state data structure for multipart AEAD operations. +/// +/// Before calling any function on an AEAD operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_aead_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_aead_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT, +/// for example: +/// \code +/// psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_aead_operation_init() +/// to the structure, for example: +/// \code +/// psa_aead_operation_t operation; +/// operation = psa_aead_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_aead_operation_t = psa_aead_operation_s; unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing GCM - /// encryption or decryption operation. - /// - /// You may call this function zero, one or more times - /// to pass successive parts of the input: the plaintext to - /// encrypt, or the ciphertext (not including the tag) to - /// decrypt. After the last part of the input, call - /// mbedtls_gcm_finish(). + /// Set the key for a multipart authenticated encryption operation. /// - /// This function may produce output in one of the following - /// ways: - /// - Immediate output: the output length is always equal - /// to the input length. - /// - Buffered output: the output consists of a whole number - /// of 16-byte blocks. If the total input length so far - /// (not including associated data) is 16 \* *B* + *A* - /// with *A* < 16 then the total output length is 16 \* *B*. + /// The sequence of operations to encrypt a message with authentication + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_aead_operation_t, e.g. + /// #PSA_AEAD_OPERATION_INIT. + /// -# Call psa_aead_encrypt_setup() to specify the algorithm and key. + /// -# If needed, call psa_aead_set_lengths() to specify the length of the + /// inputs to the subsequent calls to psa_aead_update_ad() and + /// psa_aead_update(). See the documentation of psa_aead_set_lengths() + /// for details. + /// -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to + /// generate or set the nonce. You should use + /// psa_aead_generate_nonce() unless the protocol you are implementing + /// requires a specific nonce value. + /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment + /// of the non-encrypted additional authenticated data each time. + /// -# Call psa_aead_update() zero, one or more times, passing a fragment + /// of the message to encrypt each time. + /// -# Call psa_aead_finish(). /// - /// In particular: - /// - It is always correct to call this function with - /// \p output_size >= \p input_length + 15. - /// - If \p input_length is a multiple of 16 for all the calls - /// to this function during an operation, then it is - /// correct to use \p output_size = \p input_length. + /// If an error occurs at any step after a call to psa_aead_encrypt_setup(), + /// the operation will need to be reset by a call to psa_aead_abort(). The + /// application may call psa_aead_abort() at any time after the operation + /// has been initialized. /// - /// \note For decryption, the output buffer cannot be the same as - /// input buffer. If the buffers overlap, the output buffer - /// must trail at least 8 Bytes behind the input buffer. + /// After a successful call to psa_aead_encrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_aead_finish(). + /// - A call to psa_aead_abort(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param input The buffer holding the input data. If \p input_length - /// is greater than zero, this must be a readable buffer - /// of at least \p input_length bytes. - /// \param input_length The length of the input data in bytes. - /// \param output The buffer for the output data. If \p output_size - /// is greater than zero, this must be a writable buffer of - /// of at least \p output_size bytes. - /// \param output_size The size of the output buffer in bytes. - /// See the function description regarding the output size. - /// \param output_length On success, \p *output_length contains the actual - /// length of the output written in \p output. - /// On failure, the content of \p *output_length is - /// unspecified. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_aead_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: - /// total input length too long, - /// unsupported input/output buffer overlap detected, - /// or \p output_size too small. - pub fn mbedtls_gcm_update( - ctx: *mut mbedtls_gcm_context, - input: *const ::core::ffi::c_uchar, - input_length: usize, - output: *mut ::core::ffi::c_uchar, - output_size: usize, - output_length: *mut usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_encrypt_setup( + operation: *mut psa_aead_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function finishes the GCM operation and generates - /// the authentication tag. + /// Set the key for a multipart authenticated decryption operation. /// - /// It wraps up the GCM stream, and generates the - /// tag. The tag can have a maximum length of 16 Bytes. + /// The sequence of operations to decrypt a message with authentication + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_aead_operation_t, e.g. + /// #PSA_AEAD_OPERATION_INIT. + /// -# Call psa_aead_decrypt_setup() to specify the algorithm and key. + /// -# If needed, call psa_aead_set_lengths() to specify the length of the + /// inputs to the subsequent calls to psa_aead_update_ad() and + /// psa_aead_update(). See the documentation of psa_aead_set_lengths() + /// for details. + /// -# Call psa_aead_set_nonce() with the nonce for the decryption. + /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment + /// of the non-encrypted additional authenticated data each time. + /// -# Call psa_aead_update() zero, one or more times, passing a fragment + /// of the ciphertext to decrypt each time. + /// -# Call psa_aead_verify(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param tag The buffer for holding the tag. This must be a writable - /// buffer of at least \p tag_len Bytes. - /// \param tag_len The length of the tag to generate. This must be at least - /// four. - /// \param output The buffer for the final output. - /// If \p output_size is nonzero, this must be a writable - /// buffer of at least \p output_size bytes. - /// \param output_size The size of the \p output buffer in bytes. - /// This must be large enough for the output that - /// mbedtls_gcm_update() has not produced. In particular: - /// - If mbedtls_gcm_update() produces immediate output, - /// or if the total input size is a multiple of \c 16, - /// then mbedtls_gcm_finish() never produces any output, - /// so \p output_size can be \c 0. - /// - \p output_size never needs to be more than \c 15. - /// \param output_length On success, \p *output_length contains the actual - /// length of the output written in \p output. - /// On failure, the content of \p *output_length is - /// unspecified. + /// If an error occurs at any step after a call to psa_aead_decrypt_setup(), + /// the operation will need to be reset by a call to psa_aead_abort(). The + /// application may call psa_aead_abort() at any time after the operation + /// has been initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: - /// invalid value of \p tag_len, - /// or \p output_size too small. - pub fn mbedtls_gcm_finish( - ctx: *mut mbedtls_gcm_context, - output: *mut ::core::ffi::c_uchar, - output_size: usize, - output_length: *mut usize, - tag: *mut ::core::ffi::c_uchar, - tag_len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function clears a GCM context and the underlying - /// cipher sub-context. + /// After a successful call to psa_aead_decrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_aead_verify(). + /// - A call to psa_aead_abort(). /// - /// \param ctx The GCM context to clear. If this is \c NULL, the call has - /// no effect. Otherwise, this must be initialized. - pub fn mbedtls_gcm_free(ctx: *mut mbedtls_gcm_context); -} -unsafe extern "C" { - /// \brief The GCM checkup routine. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_aead_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_gcm_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_DECRYPT: psa_encrypt_or_decrypt_t = 0; -pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_ENCRYPT: psa_encrypt_or_decrypt_t = 1; -/// For encrypt-decrypt functions, whether the operation is an encryption -/// or a decryption. -pub type psa_encrypt_or_decrypt_t = ::core::ffi::c_uint; -/// \brief MD5 context structure -/// -/// \warning MD5 is considered a weak message digest and its use -/// constitutes a security risk. We recommend considering -/// stronger message digests instead. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md5_context { - ///< number of bytes processed - pub private_total: [u32; 2usize], - ///< intermediate digest state - pub private_state: [u32; 4usize], - ///< data block being processed - pub private_buffer: [::core::ffi::c_uchar; 64usize], -} -impl Default for mbedtls_md5_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_decrypt_setup( + operation: *mut psa_aead_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Initialize MD5 context + /// Generate a random nonce for an authenticated encryption operation. /// - /// \param ctx MD5 context to be initialized + /// This function generates a random nonce for the authenticated encryption + /// operation with an appropriate size for the chosen algorithm, key type + /// and key size. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_init(ctx: *mut mbedtls_md5_context); -} -unsafe extern "C" { - /// \brief Clear MD5 context + /// The application must call psa_aead_encrypt_setup() before + /// calling this function. /// - /// \param ctx MD5 context to be cleared + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_free(ctx: *mut mbedtls_md5_context); + /// \param[in,out] operation Active AEAD operation. + /// \param[out] nonce Buffer where the generated nonce is to be + /// written. + /// \param nonce_size Size of the \p nonce buffer in bytes. + /// \param[out] nonce_length On success, the number of bytes of the + /// generated nonce. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p nonce buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active aead encrypt + /// operation, with no nonce set), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_generate_nonce( + operation: *mut psa_aead_operation_t, + nonce: *mut u8, + nonce_size: usize, + nonce_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Clone (the state of) an MD5 context + /// Set the nonce for an authenticated encryption or decryption operation. /// - /// \param dst The destination context - /// \param src The context to be cloned + /// This function sets the nonce for the authenticated + /// encryption or decryption operation. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_clone(dst: *mut mbedtls_md5_context, src: *const mbedtls_md5_context); -} -unsafe extern "C" { - /// \brief MD5 context setup + /// The application must call psa_aead_encrypt_setup() or + /// psa_aead_decrypt_setup() before calling this function. /// - /// \param ctx context to be initialized + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \note When encrypting, applications should use psa_aead_generate_nonce() + /// instead of this function, unless implementing a protocol that requires + /// a non-random IV. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_starts(ctx: *mut mbedtls_md5_context) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[in] nonce Buffer containing the nonce to use. + /// \param nonce_length Size of the nonce in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The size of \p nonce is not acceptable for the chosen algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with no nonce + /// set), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_set_nonce( + operation: *mut psa_aead_operation_t, + nonce: *const u8, + nonce_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief MD5 process buffer + /// Declare the lengths of the message and additional data for AEAD. /// - /// \param ctx MD5 context - /// \param input buffer holding the data - /// \param ilen length of the input data + /// The application must call this function before calling + /// psa_aead_update_ad() or psa_aead_update() if the algorithm for + /// the operation requires it. If the algorithm does not require it, + /// calling this function is optional, but if this function is called + /// then the implementation must enforce the lengths. /// - /// \return 0 if successful + /// You may call this function before or after setting the nonce with + /// psa_aead_set_nonce() or psa_aead_generate_nonce(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_update( - ctx: *mut mbedtls_md5_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief MD5 final digest + /// - For #PSA_ALG_CCM, calling this function is required. + /// - For the other AEAD algorithms defined in this specification, calling + /// this function is not required. + /// - For vendor-defined algorithm, refer to the vendor documentation. /// - /// \param ctx MD5 context - /// \param output MD5 checksum result + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \param[in,out] operation Active AEAD operation. + /// \param ad_length Size of the non-encrypted additional + /// authenticated data in bytes. + /// \param plaintext_length Size of the plaintext to encrypt in bytes. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_finish( - ctx: *mut mbedtls_md5_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// At least one of the lengths is not acceptable for the chosen + /// algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and + /// psa_aead_update_ad() and psa_aead_update() must not have been + /// called yet), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_set_lengths( + operation: *mut psa_aead_operation_t, + ad_length: usize, + plaintext_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief MD5 process data block (internal use only) + /// Pass additional data to an active AEAD operation. /// - /// \param ctx MD5 context - /// \param data buffer holding one block of data + /// Additional data is authenticated, but not encrypted. /// - /// \return 0 if successful + /// You may call this function multiple times to pass successive fragments + /// of the additional data. You may not call this function after passing + /// data to encrypt or decrypt with psa_aead_update(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_internal_md5_process( - ctx: *mut mbedtls_md5_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Output = MD5( input buffer ) + /// Before calling this function, you must: + /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). + /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). /// - /// \param input buffer holding the data - /// \param ilen length of the input data - /// \param output MD5 checksum result + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, + /// there is no guarantee that the input is valid. Therefore, until + /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS, + /// treat the input as untrusted and prepare to undo any action that + /// depends on the input if psa_aead_verify() returns an error status. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[in] input Buffer containing the fragment of + /// additional data. + /// \param input_length Size of the \p input buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total input length overflows the additional data length that + /// was previously specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, have a nonce + /// set, have lengths set if required by the algorithm, and + /// psa_aead_update() must not have been called yet), or the library + /// has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_update_ad( + operation: *mut psa_aead_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// Encrypt or decrypt a message fragment in an active AEAD operation. /// - /// \return 0 if successful, or 1 if the test failed + /// Before calling this function, you must: + /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). + /// The choice of setup function determines whether this function + /// encrypts or decrypts its input. + /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). + /// 3. Call psa_aead_update_ad() to pass all the additional data. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -/// \brief RIPEMD-160 context structure -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ripemd160_context { - ///< number of bytes processed - pub private_total: [u32; 2usize], - ///< intermediate digest state - pub private_state: [u32; 5usize], - ///< data block being processed - pub private_buffer: [::core::ffi::c_uchar; 64usize], -} -impl Default for mbedtls_ripemd160_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief Initialize RIPEMD-160 context + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \param ctx RIPEMD-160 context to be initialized - pub fn mbedtls_ripemd160_init(ctx: *mut mbedtls_ripemd160_context); -} -unsafe extern "C" { - /// \brief Clear RIPEMD-160 context + /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, + /// there is no guarantee that the input is valid. Therefore, until + /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS: + /// - Do not use the output in any way other than storing it in a + /// confidential location. If you take any action that depends + /// on the tentative decrypted data, this action will need to be + /// undone if the input turns out not to be valid. Furthermore, + /// if an adversary can observe that this action took place + /// (for example through timing), they may be able to use this + /// fact as an oracle to decrypt any message encrypted with the + /// same key. + /// - In particular, do not copy the output anywhere but to a + /// memory or storage space that you have exclusive access to. /// - /// \param ctx RIPEMD-160 context to be cleared - pub fn mbedtls_ripemd160_free(ctx: *mut mbedtls_ripemd160_context); + /// This function does not require the input to be aligned to any + /// particular block boundary. If the implementation can only process + /// a whole block at a time, it must consume all the input provided, but + /// it may delay the end of the corresponding output until a subsequent + /// call to psa_aead_update(), psa_aead_finish() or psa_aead_verify() + /// provides sufficient input. The amount of data that can be delayed + /// in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE. + /// + /// \param[in,out] operation Active AEAD operation. + /// \param[in] input Buffer containing the message fragment to + /// encrypt or decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, + /// \c alg, \p input_length) where + /// \c key_type is the type of key and \c alg is + /// the algorithm that were used to set up the + /// operation. + /// - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p + /// input_length) evaluates to the maximum + /// output size of any supported AEAD + /// algorithm. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or + /// #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to + /// determine the required buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total input length overflows the plaintext length that + /// was previously specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, have a nonce + /// set, and have lengths set if required by the algorithm), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_update( + operation: *mut psa_aead_operation_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Clone (the state of) a RIPEMD-160 context + /// Finish encrypting a message in an AEAD operation. /// - /// \param dst The destination context - /// \param src The context to be cloned - pub fn mbedtls_ripemd160_clone( - dst: *mut mbedtls_ripemd160_context, - src: *const mbedtls_ripemd160_context, - ); -} -unsafe extern "C" { - /// \brief RIPEMD-160 context setup + /// The operation must have been set up with psa_aead_encrypt_setup(). /// - /// \param ctx context to be initialized + /// This function finishes the authentication of the additional data + /// formed by concatenating the inputs passed to preceding calls to + /// psa_aead_update_ad() with the plaintext formed by concatenating the + /// inputs passed to preceding calls to psa_aead_update(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_starts(ctx: *mut mbedtls_ripemd160_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief RIPEMD-160 process buffer + /// This function has two output buffers: + /// - \p ciphertext contains trailing ciphertext that was buffered from + /// preceding calls to psa_aead_update(). + /// - \p tag contains the authentication tag. /// - /// \param ctx RIPEMD-160 context - /// \param input buffer holding the data - /// \param ilen length of the input data + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_update( - ctx: *mut mbedtls_ripemd160_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[out] ciphertext Buffer where the last part of the ciphertext + /// is to be written. + /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, + /// \c alg) where \c key_type is the type of key + /// and \c alg is the algorithm that were used to + /// set up the operation. + /// - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to + /// the maximum output size of any supported AEAD + /// algorithm. + /// \param[out] ciphertext_length On success, the number of bytes of + /// returned ciphertext. + /// \param[out] tag Buffer where the authentication tag is + /// to be written. + /// \param tag_size Size of the \p tag buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c + /// key_type, \c key_bits, \c alg) where + /// \c key_type and \c key_bits are the type and + /// bit-size of the key, and \c alg is the + /// algorithm that were used in the call to + /// psa_aead_encrypt_setup(). + /// - #PSA_AEAD_TAG_MAX_SIZE evaluates to the + /// maximum tag size of any supported AEAD + /// algorithm. + /// \param[out] tag_length On success, the number of bytes + /// that make up the returned tag. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p ciphertext or \p tag buffer is too small. + /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or + /// #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the + /// required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type, + /// \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to + /// determine the required \p tag buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total length of input to psa_aead_update() so far is + /// less than the plaintext length that was previously + /// specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active encryption + /// operation with a nonce set), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_finish( + operation: *mut psa_aead_operation_t, + ciphertext: *mut u8, + ciphertext_size: usize, + ciphertext_length: *mut usize, + tag: *mut u8, + tag_size: usize, + tag_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief RIPEMD-160 final digest + /// Finish authenticating and decrypting a message in an AEAD operation. /// - /// \param ctx RIPEMD-160 context - /// \param output RIPEMD-160 checksum result + /// The operation must have been set up with psa_aead_decrypt_setup(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_finish( - ctx: *mut mbedtls_ripemd160_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief RIPEMD-160 process data block (internal use only) + /// This function finishes the authenticated decryption of the message + /// components: /// - /// \param ctx RIPEMD-160 context - /// \param data buffer holding one block of data + /// - The additional data consisting of the concatenation of the inputs + /// passed to preceding calls to psa_aead_update_ad(). + /// - The ciphertext consisting of the concatenation of the inputs passed to + /// preceding calls to psa_aead_update(). + /// - The tag passed to this function call. /// - /// \return 0 if successful - pub fn mbedtls_internal_ripemd160_process( - ctx: *mut mbedtls_ripemd160_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Output = RIPEMD-160( input buffer ) + /// If the authentication tag is correct, this function outputs any remaining + /// plaintext and reports success. If the authentication tag is not correct, + /// this function returns #PSA_ERROR_INVALID_SIGNATURE. /// - /// \param input buffer holding the data - /// \param ilen length of the input data - /// \param output RIPEMD-160 checksum result + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual tag and the expected tag is performed + /// in constant time. + /// + /// \param[in,out] operation Active AEAD operation. + /// \param[out] plaintext Buffer where the last part of the plaintext + /// is to be written. This is the remaining data + /// from previous calls to psa_aead_update() + /// that could not be processed until the end + /// of the input. + /// \param plaintext_size Size of the \p plaintext buffer in bytes. + /// This must be appropriate for the selected algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, + /// \c alg) where \c key_type is the type of key + /// and \c alg is the algorithm that were used to + /// set up the operation. + /// - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to + /// the maximum output size of any supported AEAD + /// algorithm. + /// \param[out] plaintext_length On success, the number of bytes of + /// returned plaintext. + /// \param[in] tag Buffer containing the authentication tag. + /// \param tag_length Size of the \p tag buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculations were successful, but the authentication tag is + /// not correct. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p plaintext buffer is too small. + /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or + /// #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the + /// required buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total length of input to psa_aead_update() so far is + /// less than the plaintext length that was previously + /// specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active decryption + /// operation with a nonce set), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_verify( + operation: *mut psa_aead_operation_t, + plaintext: *mut u8, + plaintext_size: usize, + plaintext_length: *mut usize, + tag: *const u8, + tag_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// Abort an AEAD operation. /// - /// \return 0 if successful, or 1 if the test failed - pub fn mbedtls_ripemd160_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha1_context { - pub work_area: [::core::ffi::c_uchar; 208usize], -} -impl Default for mbedtls_sha1_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again. + /// + /// You may call this function any time after the operation object has + /// been initialized as described in #psa_aead_operation_t. + /// + /// In particular, calling psa_aead_abort() after the operation has been + /// terminated by a call to psa_aead_abort(), psa_aead_finish() or + /// psa_aead_verify() is safe and has no effect. + /// + /// \param[in,out] operation Initialized AEAD operation. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_abort(operation: *mut psa_aead_operation_t) -> psa_status_t; } unsafe extern "C" { - /// \brief This function initializes a SHA-1 context. - /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \brief Sign a message with a private key. For hash-and-sign algorithms, + /// this includes the hashing step. /// - /// \param ctx The SHA-1 context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_sha1_init(ctx: *mut mbedtls_sha1_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-1 context. + /// \note To perform a multi-part hash-and-sign signature algorithm, first use + /// a multi-part hash operation and then pass the resulting hash to + /// psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the + /// hash algorithm to use. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param[in] key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) + /// is true), that is compatible with the type of + /// \p key. + /// \param[in] input The input message to sign. + /// \param[in] input_length Size of the \p input buffer in bytes. + /// \param[out] signature Buffer where the signature is to be written. + /// \param[in] signature_size Size of the \p signature buffer in bytes. This + /// must be appropriate for the selected + /// algorithm and key: + /// - The required signature size is + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and + /// bit-size respectively of key. + /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the + /// maximum signature size of any supported + /// signature algorithm. + /// \param[out] signature_length On success, the number of bytes that make up + /// the returned signature value. /// - /// \param ctx The SHA-1 context to clear. This may be \c NULL, - /// in which case this function does nothing. If it is - /// not \c NULL, it must point to an initialized - /// SHA-1 context. - pub fn mbedtls_sha1_free(ctx: *mut mbedtls_sha1_context); + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, + /// or it does not permit the requested algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_message( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function clones the state of a SHA-1 context. + /// \brief Verify the signature of a message with a public key, using + /// a hash-and-sign verification algorithm. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \note To perform a multi-part hash-and-sign signature verification + /// algorithm, first use a multi-part hash operation to hash the message + /// and then pass the resulting hash to psa_verify_hash(). + /// PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm + /// to use. /// - /// \param dst The SHA-1 context to clone to. This must be initialized. - /// \param src The SHA-1 context to clone from. This must be initialized. - pub fn mbedtls_sha1_clone(dst: *mut mbedtls_sha1_context, src: *const mbedtls_sha1_context); + /// \param[in] key Identifier of the key to use for the operation. + /// It must be a public key or an asymmetric key + /// pair. The key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) + /// is true), that is compatible with the type of + /// \p key. + /// \param[in] input The message whose signature is to be verified. + /// \param[in] input_length Size of the \p input buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param[in] signature_length Size of the \p signature buffer in bytes. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, + /// or it does not permit the requested algorithm. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed signature + /// is not a valid signature. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_message( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a SHA-1 checksum calculation. + /// \brief Sign a hash or short message with a private key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// Note that to perform a hash-and-sign signature algorithm, you must + /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() + /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). + /// Then pass the resulting hash as the \p hash + /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) + /// to determine the hash algorithm to use. /// - /// \param ctx The SHA-1 context to initialize. This must be initialized. + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. + /// \param alg A signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message to sign. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[out] signature Buffer where the signature is to be written. + /// \param signature_size Size of the \p signature buffer in bytes. + /// \param[out] signature_length On success, the number of bytes + /// that make up the returned signature value. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_starts(ctx: *mut mbedtls_sha1_context) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing SHA-1 - /// checksum calculation. + /// \brief Verify the signature of a hash or short message using a public key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// Note that to perform a hash-and-sign signature algorithm, you must + /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() + /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). + /// Then pass the resulting hash as the \p hash + /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) + /// to determine the hash algorithm to use. /// - /// \param ctx The SHA-1 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the input data. - /// This must be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data \p input in Bytes. + /// \param key Identifier of the key to use for the operation. It + /// must be a public key or an asymmetric key pair. The + /// key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_HASH. + /// \param alg A signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message whose signature is to be + /// verified. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param signature_length Size of the \p signature buffer in bytes. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_update( - ctx: *mut mbedtls_sha1_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// The signature is valid. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed + /// signature is not a valid signature. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function finishes the SHA-1 operation, and writes - /// the result to the output buffer. + /// \brief Encrypt a short message with a public key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param key Identifier of the key to use for the operation. + /// It must be a public key or an asymmetric key + /// pair. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg An asymmetric encryption algorithm that is + /// compatible with the type of \p key. + /// \param[in] input The message to encrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] salt A salt or label, if supported by the + /// encryption algorithm. + /// If the algorithm does not support a + /// salt, pass \c NULL. + /// If the algorithm supports an optional + /// salt and you do not want to pass a salt, + /// pass \c NULL. /// - /// \param ctx The SHA-1 context to use. This must be initialized and - /// have a hash operation started. - /// \param output The SHA-1 checksum result. This must be a writable - /// buffer of length \c 20 Bytes. + /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is + /// supported. + /// \param salt_length Size of the \p salt buffer in bytes. + /// If \p salt is \c NULL, pass 0. + /// \param[out] output Buffer where the encrypted message is to + /// be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_finish( - ctx: *mut mbedtls_sha1_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_asymmetric_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + salt: *const u8, + salt_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief SHA-1 process data block (internal use only). + /// \brief Decrypt a short message with a private key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. It must + /// allow the usage #PSA_KEY_USAGE_DECRYPT. + /// \param alg An asymmetric encryption algorithm that is + /// compatible with the type of \p key. + /// \param[in] input The message to decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] salt A salt or label, if supported by the + /// encryption algorithm. + /// If the algorithm does not support a + /// salt, pass \c NULL. + /// If the algorithm supports an optional + /// salt and you do not want to pass a salt, + /// pass \c NULL. /// - /// \param ctx The SHA-1 context to use. This must be initialized. - /// \param data The data block being processed. This must be a - /// readable buffer of length \c 64 Bytes. + /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is + /// supported. + /// \param salt_length Size of the \p salt buffer in bytes. + /// If \p salt is \c NULL, pass 0. + /// \param[out] output Buffer where the decrypted message is to + /// be written. + /// \param output_size Size of the \c output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha1_process( - ctx: *mut mbedtls_sha1_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INVALID_PADDING \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_asymmetric_decrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + salt: *const u8, + salt_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } +/// The type of the state data structure for key derivation operations. +/// +/// Before calling any function on a key derivation operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_key_derivation_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_key_derivation_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT, +/// for example: +/// \code +/// psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_key_derivation_operation_init() +/// to the structure, for example: +/// \code +/// psa_key_derivation_operation_t operation; +/// operation = psa_key_derivation_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_key_derivation_operation_t = psa_key_derivation_s; unsafe extern "C" { - /// \brief This function calculates the SHA-1 checksum of a buffer. + /// Set up a key derivation operation. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// A key derivation algorithm takes some inputs and uses them to generate + /// a byte stream in a deterministic way. + /// This byte stream can be used to produce keys and other + /// cryptographic material. /// - /// The SHA-1 result is calculated as - /// output = SHA-1(input buffer). + /// To derive a key: + /// -# Start with an initialized object of type #psa_key_derivation_operation_t. + /// -# Call psa_key_derivation_setup() to select the algorithm. + /// -# Provide the inputs for the key derivation by calling + /// psa_key_derivation_input_bytes() or psa_key_derivation_input_key() + /// as appropriate. Which inputs are needed, in what order, and whether + /// they may be keys and if so of what type depends on the algorithm. + /// -# Optionally set the operation's maximum capacity with + /// psa_key_derivation_set_capacity(). You may do this before, in the middle + /// of or after providing inputs. For some algorithms, this step is mandatory + /// because the output depends on the maximum capacity. + /// -# To derive a key, call psa_key_derivation_output_key() or + /// psa_key_derivation_output_key_custom(). + /// To derive a byte string for a different purpose, call + /// psa_key_derivation_output_bytes(). + /// Successive calls to these functions use successive output bytes + /// calculated by the key derivation algorithm. + /// -# Clean up the key derivation operation object with + /// psa_key_derivation_abort(). /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// If this function returns an error, the key derivation operation object is + /// not changed. /// - /// \param input The buffer holding the input data. - /// This must be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data \p input in Bytes. - /// \param output The SHA-1 checksum result. - /// This must be a writable buffer of length \c 20 Bytes. + /// If an error occurs at any step after a call to psa_key_derivation_setup(), + /// the operation will need to be reset by a call to psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-1 checkup routine. + /// Implementations must reject an attempt to derive a key of size 0. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param[in,out] operation The key derivation operation object + /// to set up. It must + /// have been initialized but not set up yet. + /// \param alg The key derivation algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true). /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha1_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha256_context { - pub work_area: [::core::ffi::c_uchar; 208usize], - pub is224: ::core::ffi::c_uchar, -} -impl Default for mbedtls_sha256_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c alg is not a key derivation algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \c alg is not supported or is not a key derivation algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_setup( + operation: *mut psa_key_derivation_operation_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function initializes a SHA-256 context. + /// Retrieve the current capacity of a key derivation operation. /// - /// \param ctx The SHA-256 context to initialize. This must not be \c NULL. - pub fn mbedtls_sha256_init(ctx: *mut mbedtls_sha256_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-256 context. + /// The capacity of a key derivation is the maximum number of bytes that it can + /// return. When you get *N* bytes of output from a key derivation operation, + /// this reduces its capacity by *N*. /// - /// \param ctx The SHA-256 context to clear. This may be \c NULL, in which - /// case this function returns immediately. If it is not \c NULL, - /// it must point to an initialized SHA-256 context. - pub fn mbedtls_sha256_free(ctx: *mut mbedtls_sha256_context); -} -unsafe extern "C" { - /// \brief This function clones the state of a SHA-256 context. + /// \param[in] operation The operation to query. + /// \param[out] capacity On success, the capacity of the operation. /// - /// \param dst The destination context. This must be initialized. - /// \param src The context to clone. This must be initialized. - pub fn mbedtls_sha256_clone( - dst: *mut mbedtls_sha256_context, - src: *const mbedtls_sha256_context, - ); + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_get_capacity( + operation: *const psa_key_derivation_operation_t, + capacity: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a SHA-224 or SHA-256 checksum - /// calculation. + /// Set the maximum capacity of a key derivation operation. /// - /// \param ctx The context to use. This must be initialized. - /// \param is224 This determines which function to use. This must be - /// either \c 0 for SHA-256, or \c 1 for SHA-224. + /// The capacity of a key derivation operation is the maximum number of bytes + /// that the key derivation operation can return from this point onwards. /// - /// \note is224 must be defined accordingly to the enabled - /// MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the - /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// \param[in,out] operation The key derivation operation object to modify. + /// \param capacity The new capacity of the operation. + /// It must be less or equal to the operation's + /// current capacity. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_starts( - ctx: *mut mbedtls_sha256_context, - is224: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p capacity is larger than the operation's current capacity. + /// In this case, the operation object remains valid and its capacity + /// remains unchanged. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_set_capacity( + operation: *mut psa_key_derivation_operation_t, + capacity: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// SHA-256 checksum calculation. + /// Provide an input for key derivation or key agreement. /// - /// \param ctx The SHA-256 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the data. This must be a readable - /// buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. + /// Which inputs are required and in what order depends on the algorithm. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_update( - ctx: *mut mbedtls_sha256_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function finishes the SHA-256 operation, and writes - /// the result to the output buffer. + /// This function passes direct inputs, which is usually correct for + /// non-secret inputs. To pass a secret input, which should be in a key + /// object, call psa_key_derivation_input_key() instead of this function. + /// Refer to the documentation of individual step types + /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) + /// for more information. /// - /// \param ctx The SHA-256 context. This must be initialized - /// and have a hash operation started. - /// \param output The SHA-224 or SHA-256 checksum result. - /// This must be a writable buffer of length \c 32 bytes - /// for SHA-256, \c 28 bytes for SHA-224. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_finish( - ctx: *mut mbedtls_sha256_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param[in] data Input data to use. + /// \param data_length Size of the \p data buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow direct inputs. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_bytes( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + data: *const u8, + data_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function processes a single data block within - /// the ongoing SHA-256 computation. This function is for - /// internal use only. + /// Provide a numeric input for key derivation or key agreement. /// - /// \param ctx The SHA-256 context. This must be initialized. - /// \param data The buffer holding one block of data. This must - /// be a readable buffer of length \c 64 Bytes. + /// Which inputs are required and in what order depends on the algorithm. + /// However, when an algorithm requires a particular order, numeric inputs + /// usually come first as they tend to be configuration parameters. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha256_process( - ctx: *mut mbedtls_sha256_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// This function is used for inputs which are fixed-size non-negative + /// integers. + /// + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param[in] value The value of the numeric input. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow numeric inputs. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_integer( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + value: u64, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function calculates the SHA-224 or SHA-256 - /// checksum of a buffer. + /// Provide an input for key derivation in the form of a key. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// Which inputs are required and in what order depends on the algorithm. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// The SHA-256 result is calculated as - /// output = SHA-256(input buffer). + /// This function obtains input from a key object, which is usually correct for + /// secret inputs or for non-secret personalization strings kept in the key + /// store. To pass a non-secret parameter which is not in the key store, + /// call psa_key_derivation_input_bytes() instead of this function. + /// Refer to the documentation of individual step types + /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) + /// for more information. /// - /// \param input The buffer holding the data. This must be a readable - /// buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. - /// \param output The SHA-224 or SHA-256 checksum result. - /// This must be a writable buffer of length \c 32 bytes - /// for SHA-256, \c 28 bytes for SHA-224. - /// \param is224 Determines which function to use. This must be - /// either \c 0 for SHA-256, or \c 1 for SHA-224. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param key Identifier of the key. It must have an + /// appropriate type for step and must allow the + /// usage #PSA_KEY_USAGE_DERIVE or + /// #PSA_KEY_USAGE_VERIFY_DERIVATION (see note) + /// and the algorithm used by the operation. + /// + /// \note Once all inputs steps are completed, the operations will allow: + /// - psa_key_derivation_output_bytes() if each input was either a direct input + /// or a key with #PSA_KEY_USAGE_DERIVE set; + /// - psa_key_derivation_output_key() or psa_key_derivation_output_key_custom() + /// if the input for step + /// #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD + /// was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was + /// either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; + /// - psa_key_derivation_verify_bytes() if each input was either a direct input + /// or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; + /// - psa_key_derivation_verify_key() under the same conditions as + /// psa_key_derivation_verify_bytes(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - is224: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key allows neither #PSA_KEY_USAGE_DERIVE nor + /// #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this + /// algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow key inputs of the given type + /// or does not allow key inputs at all. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_key( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + key: mbedtls_svc_key_id_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief The SHA-224 checkup routine. + /// Perform a key agreement and use the shared secret as input to a key + /// derivation. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha224_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-256 checkup routine. + /// A key agreement algorithm takes two inputs: a private key \p private_key + /// a public key \p peer_key. + /// The result of this function is passed as input to a key derivation. + /// The output of this key derivation can be extracted by reading from the + /// resulting operation to produce keys and other cryptographic material. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha256_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha512_context { - pub work_area: [::core::ffi::c_uchar; 304usize], - pub is384: ::core::ffi::c_uchar, -} -impl Default for mbedtls_sha512_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief This function initializes a SHA-512 context. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \param ctx The SHA-512 context to initialize. This must - /// not be \c NULL. - pub fn mbedtls_sha512_init(ctx: *mut mbedtls_sha512_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-512 context. + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() with a + /// key agreement and derivation algorithm + /// \c alg (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true + /// and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg) + /// is false). + /// The operation must be ready for an + /// input of the type given by \p step. + /// \param step Which step the input data is for. + /// \param private_key Identifier of the private key to use. It must + /// allow the usage #PSA_KEY_USAGE_DERIVE. + /// \param[in] peer_key Public key of the peer. The peer key must be in the + /// same format that psa_import_key() accepts for the + /// public key type corresponding to the type of + /// private_key. That is, this function performs the + /// equivalent of + /// #psa_import_key(..., + /// `peer_key`, `peer_key_length`) where + /// with key attributes indicating the public key + /// type corresponding to the type of `private_key`. + /// For example, for EC keys, this means that peer_key + /// is interpreted as a point on the curve that the + /// private key is on. The standard formats for public + /// keys are documented in the documentation of + /// psa_export_public_key(). + /// \param peer_key_length Size of \p peer_key in bytes. /// - /// \param ctx The SHA-512 context to clear. This may be \c NULL, - /// in which case this function does nothing. If it - /// is not \c NULL, it must point to an initialized - /// SHA-512 context. - pub fn mbedtls_sha512_free(ctx: *mut mbedtls_sha512_context); + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c private_key is not compatible with \c alg, + /// or \p peer_key is not valid for \c alg or not compatible with + /// \c private_key, or \c step does not allow an input resulting + /// from a key agreement. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \c alg is not supported or is not a key derivation algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this key agreement \p step, + /// or the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_key_agreement( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + private_key: mbedtls_svc_key_id_t, + peer_key: *const u8, + peer_key_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function clones the state of a SHA-512 context. + /// Read some data from a key derivation operation. /// - /// \param dst The destination context. This must be initialized. - /// \param src The context to clone. This must be initialized. - pub fn mbedtls_sha512_clone( - dst: *mut mbedtls_sha512_context, - src: *const mbedtls_sha512_context, - ); -} -unsafe extern "C" { - /// \brief This function starts a SHA-384 or SHA-512 checksum - /// calculation. + /// This function calculates output bytes from a key derivation algorithm and + /// return those bytes. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the requested number of bytes from the + /// stream. + /// The operation's capacity decreases by the number of bytes read. /// - /// \param ctx The SHA-512 context to use. This must be initialized. - /// \param is384 Determines which function to use. This must be - /// either \c 0 for SHA-512, or \c 1 for SHA-384. + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \note is384 must be defined accordingly to the enabled - /// MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the - /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[out] output Buffer where the output will be written. + /// \param output_length Number of bytes to output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_starts( - ctx: *mut mbedtls_sha512_context, - is384: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// One of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// \p output_length bytes. Note that in this case, + /// no output is written to the output buffer. + /// The operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_bytes( + operation: *mut psa_key_derivation_operation_t, + output: *mut u8, + output_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// SHA-512 checksum calculation. + /// Derive a key from an ongoing key derivation operation. /// - /// \param ctx The SHA-512 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the input data. This must - /// be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. + /// This function calculates output bytes from a key derivation algorithm + /// and uses those bytes to generate a key deterministically. + /// The key's location, usage policy, type and size are taken from + /// \p attributes. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_update( - ctx: *mut mbedtls_sha512_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function finishes the SHA-512 operation, and writes - /// the result to the output buffer. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads as many bytes as required from the + /// stream. + /// The operation's capacity decreases by the number of bytes read. /// - /// \param ctx The SHA-512 context. This must be initialized - /// and have a hash operation started. - /// \param output The SHA-384 or SHA-512 checksum result. - /// This must be a writable buffer of length \c 64 bytes - /// for SHA-512, \c 48 bytes for SHA-384. + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_finish( - ctx: *mut mbedtls_sha512_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function processes a single data block within - /// the ongoing SHA-512 computation. - /// This function is for internal use only. + /// How much output is produced and consumed from the operation, and how + /// the key is derived, depends on the key type and on the key size + /// (denoted \c bits below): /// - /// \param ctx The SHA-512 context. This must be initialized. - /// \param data The buffer holding one block of data. This - /// must be a readable buffer of length \c 128 Bytes. + /// - For key types for which the key is an arbitrary sequence of bytes + /// of a given size, this function is functionally equivalent to + /// calling #psa_key_derivation_output_bytes + /// and passing the resulting output to #psa_import_key. + /// However, this function has a security benefit: + /// if the implementation provides an isolation boundary then + /// the key material is not exposed outside the isolation boundary. + /// As a consequence, for these key types, this function always consumes + /// exactly (\c bits / 8) bytes from the operation. + /// The following key types defined in this specification follow this scheme: /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha512_process( - ctx: *mut mbedtls_sha512_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function calculates the SHA-512 or SHA-384 - /// checksum of a buffer. + /// - #PSA_KEY_TYPE_AES; + /// - #PSA_KEY_TYPE_ARIA; + /// - #PSA_KEY_TYPE_CAMELLIA; + /// - #PSA_KEY_TYPE_DERIVE; + /// - #PSA_KEY_TYPE_HMAC; + /// - #PSA_KEY_TYPE_PASSWORD_HASH. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// - For ECC keys on a Montgomery elliptic curve + /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a + /// Montgomery curve), this function always draws a byte string whose + /// length is determined by the curve, and sets the mandatory bits + /// accordingly. That is: /// - /// The SHA-512 result is calculated as - /// output = SHA-512(input buffer). + /// - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte + /// string and process it as specified in RFC 7748 §5. + /// - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte + /// string and process it as specified in RFC 7748 §5. /// - /// \param input The buffer holding the input data. This must be - /// a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. - /// \param output The SHA-384 or SHA-512 checksum result. - /// This must be a writable buffer of length \c 64 bytes - /// for SHA-512, \c 48 bytes for SHA-384. - /// \param is384 Determines which function to use. This must be either - /// \c 0 for SHA-512, or \c 1 for SHA-384. + /// - For key types for which the key is represented by a single sequence of + /// \c bits bits with constraints as to which bit sequences are acceptable, + /// this function draws a byte string of length (\c bits / 8) bytes rounded + /// up to the nearest whole number of bytes. If the resulting byte string + /// is acceptable, it becomes the key, otherwise the drawn bytes are discarded. + /// This process is repeated until an acceptable byte string is drawn. + /// The byte string drawn from the operation is interpreted as specified + /// for the output produced by psa_export_key(). + /// The following key types defined in this specification follow this scheme: /// - /// \note is384 must be defined accordingly with the supported - /// symbols in the config file. If: - /// - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or - /// - is384 is 1, but \c MBEDTLS_SHA512_C is not defined - /// then the function will return - /// #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// - #PSA_KEY_TYPE_DES. + /// Force-set the parity bits, but discard forbidden weak keys. + /// For 2-key and 3-key triple-DES, the three keys are generated + /// successively (for example, for 3-key triple-DES, + /// if the first 8 bytes specify a weak key and the next 8 bytes do not, + /// discard the first 8 bytes, use the next 8 bytes as the first key, + /// and continue reading output from the operation to derive the other + /// two keys). + /// - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group) + /// where \c group designates any Diffie-Hellman group) and + /// ECC keys on a Weierstrass elliptic curve + /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a + /// Weierstrass curve). + /// For these key types, interpret the byte string as integer + /// in big-endian order. Discard it if it is not in the range + /// [0, *N* - 2] where *N* is the boundary of the private key domain + /// (the prime *p* for Diffie-Hellman, the subprime *q* for DSA, + /// or the order of the curve's base point for ECC). + /// Add 1 to the resulting integer and use this as the private key *x*. + /// This method allows compliance to NIST standards, specifically + /// the methods titled "key-pair generation by testing candidates" + /// in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman, + /// in FIPS 186-4 §B.1.2 for DSA, and + /// in NIST SP 800-56A §5.6.1.2.2 or + /// FIPS 186-4 §B.4.2 for elliptic curve keys. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - is384: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-384 checkup routine. + /// - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR, + /// the way in which the operation output is consumed is + /// implementation-defined. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha384_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-512 checkup routine. + /// In all cases, the data that is read is discarded from the operation. + /// The operation's capacity is decreased by the number of bytes read. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha512_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_hash_operation_t { - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - pub private_ctx: mbedtls_psa_hash_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union mbedtls_psa_hash_operation_t__bindgen_ty_1 { - pub dummy: ::core::ffi::c_uint, - pub md5: mbedtls_md5_context, - pub ripemd160: mbedtls_ripemd160_context, - pub sha1: mbedtls_sha1_context, - pub sha256: mbedtls_sha256_context, - pub sha512: mbedtls_sha512_context, -} -impl Default for mbedtls_psa_hash_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_hash_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_cipher_operation_t { - pub private_alg: psa_algorithm_t, - pub private_iv_length: u8, - pub private_block_length: u8, - pub private_ctx: mbedtls_psa_cipher_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_cipher_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_cipher: mbedtls_cipher_context_t, -} -impl Default for mbedtls_psa_cipher_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_cipher_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_driver_hash_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_hash_operation_t, -} -impl Default for psa_driver_hash_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_cipher_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_cipher_operation_t, -} -impl Default for psa_driver_cipher_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_hash_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_driver_wrappers.h. - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. the driver context is not active, in use). - pub private_id: ::core::ffi::c_uint, - pub __bindgen_padding_0: u64, - pub private_ctx: psa_driver_hash_context_t, -} -impl Default for psa_hash_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_cipher_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_default_iv_length: u8, - pub private_ctx: psa_driver_cipher_context_t, + /// For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET, + /// the input to that step must be provided with psa_key_derivation_input_key(). + /// Future versions of this specification may include additional restrictions + /// on the derived key based on the attributes and strength of the secret key. + /// + /// \note This function is equivalent to calling + /// psa_key_derivation_output_key_custom() + /// with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// and `custom_data_length == 0` (i.e. `custom_data` is empty). + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl Default for psa_cipher_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Derive a key from an ongoing key derivation operation with custom + /// production parameters. + /// + /// See the description of psa_key_derivation_out_key() for the operation of + /// this function with the default production parameters. + /// Mbed TLS currently does not currently support any non-default production + /// parameters. + /// + /// \note This function is experimental and may change in future minor + /// versions of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] custom Customization parameters for the key generation. + /// When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// with \p custom_data_length = 0, + /// this function is equivalent to + /// psa_key_derivation_output_key(). + /// \param[in] custom_data Variable-length data associated with \c custom. + /// \param custom_data_length + /// Length of `custom_data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key_custom( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + custom: *const psa_custom_key_parameters_t, + custom_data: *const u8, + custom_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl psa_cipher_operation_s { - #[inline] - pub fn private_iv_required(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_iv_required(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_iv_required_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_iv_required_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_iv_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_iv_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(1usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_iv_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 1usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_iv_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 1usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_iv_required: ::core::ffi::c_uint, - private_iv_set: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_iv_required: u32 = unsafe { ::core::mem::transmute(private_iv_required) }; - private_iv_required as u64 - }); - __bindgen_bitfield_unit.set(1usize, 1u8, { - let private_iv_set: u32 = unsafe { ::core::mem::transmute(private_iv_set) }; - private_iv_set as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Derive a key from an ongoing key derivation operation with custom + /// production parameters. + /// + /// \note + /// This is a deprecated variant of psa_key_derivation_output_key_custom(). + /// It is equivalent except that the associated variable-length data + /// is passed in `params->data` instead of a separate parameter. + /// This function will be removed in a future version of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] params Customization parameters for the key derivation. + /// When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + /// with \p params_data_length = 0, + /// this function is equivalent to + /// psa_key_derivation_output_key(). + /// Mbed TLS currently only supports the default + /// production parameters, i.e. + /// #PSA_KEY_PRODUCTION_PARAMETERS_INIT, + /// for all key types. + /// \param params_data_length + /// Length of `params->data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key_ext( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + params: *const psa_key_production_parameters_t, + params_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_hmac_operation_t { - /// The HMAC algorithm in use - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - /// The hash context. - pub hash_ctx: psa_hash_operation_s, - /// The HMAC part of the context. - pub private_opad: [u8; 128usize], +unsafe extern "C" { + /// Compare output data from a key derivation operation to an expected value. + /// + /// This function calculates output bytes from a key derivation algorithm and + /// compares those bytes to an expected value in constant time. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the expected number of bytes from the + /// stream before comparing them. + /// The operation's capacity decreases by the number of bytes read. + /// + /// This is functionally equivalent to the following code: + /// \code + /// psa_key_derivation_output_bytes(operation, tmp, output_length); + /// if (memcmp(output, tmp, output_length) != 0) + /// return PSA_ERROR_INVALID_SIGNATURE; + /// \endcode + /// except (1) it works even if the key's policy does not allow outputting the + /// bytes, and (2) the comparison will be done in constant time. + /// + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + /// the operation enters an error state and must be aborted by calling + /// psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] expected Buffer containing the expected derivation output. + /// \param expected_length Length of the expected output; this is also the + /// number of bytes that will be read. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The output was read successfully, but it differs from the expected + /// output. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// One of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_VERIFY_DERIVATION. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// \p output_length bytes. Note that in this case, + /// the operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller expected output. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_verify_bytes( + operation: *mut psa_key_derivation_operation_t, + expected: *const u8, + expected_length: usize, + ) -> psa_status_t; } -impl Default for mbedtls_psa_hmac_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Compare output data from a key derivation operation to an expected value + /// stored in a key object. + /// + /// This function calculates output bytes from a key derivation algorithm and + /// compares those bytes to an expected value, provided as key of type + /// #PSA_KEY_TYPE_PASSWORD_HASH. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the number of bytes corresponding to the + /// length of the expected value from the stream before comparing them. + /// The operation's capacity decreases by the number of bytes read. + /// + /// This is functionally equivalent to exporting the key and calling + /// psa_key_derivation_verify_bytes() on the result, except that it + /// works even if the key cannot be exported. + /// + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + /// the operation enters an error state and must be aborted by calling + /// psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH + /// containing the expected output. Its policy must + /// include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag + /// and the permitted algorithm must match the + /// operation. The value of this key was likely + /// computed by a previous call to + /// psa_key_derivation_output_key() or + /// psa_key_derivation_output_key_custom(). + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The output was read successfully, but if differs from the expected + /// output. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// The key passed as the expected value does not exist. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key passed as the expected value has an invalid type. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key passed as the expected value does not allow this usage or + /// this algorithm; or one of the inputs was a key whose policy didn't + /// allow #PSA_KEY_USAGE_VERIFY_DERIVATION. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// the length of the expected value. In this case, + /// the operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller expected output. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_verify_key( + operation: *mut psa_key_derivation_operation_t, + expected: psa_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_mac_operation_t { - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - pub private_ctx: mbedtls_psa_mac_operation_t__bindgen_ty_1, +unsafe extern "C" { + /// Abort a key derivation operation. + /// + /// Aborting an operation frees all associated resources except for the \c + /// operation structure itself. Once aborted, the operation object can be reused + /// for another operation by calling psa_key_derivation_setup() again. + /// + /// This function may be called at any time after the operation + /// object has been initialized as described in #psa_key_derivation_operation_t. + /// + /// In particular, it is valid to call psa_key_derivation_abort() twice, or to + /// call psa_key_derivation_abort() on an operation that has not been set up. + /// + /// \param[in,out] operation The operation to abort. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_abort(operation: *mut psa_key_derivation_operation_t) + -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union mbedtls_psa_mac_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_hmac: mbedtls_psa_hmac_operation_t, - pub private_cmac: mbedtls_cipher_context_t, +unsafe extern "C" { + /// Perform a key agreement and return the raw shared secret. + /// + /// \warning The raw result of a key agreement algorithm such as finite-field + /// Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should + /// not be used directly as key material. It should instead be passed as + /// input to a key derivation algorithm. To chain a key agreement with + /// a key derivation, use psa_key_derivation_key_agreement() and other + /// functions from the key derivation interface. + /// + /// \param alg The key agreement algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg) + /// is true). + /// \param private_key Identifier of the private key to use. It must + /// allow the usage #PSA_KEY_USAGE_DERIVE. + /// \param[in] peer_key Public key of the peer. It must be + /// in the same format that psa_import_key() + /// accepts. The standard formats for public + /// keys are documented in the documentation + /// of psa_export_public_key(). + /// \param peer_key_length Size of \p peer_key in bytes. + /// \param[out] output Buffer where the decrypted message is to + /// be written. + /// \param output_size Size of the \c output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p alg is not a key agreement algorithm, or + /// \p private_key is not compatible with \p alg, + /// or \p peer_key is not valid for \p alg or not compatible with + /// \p private_key. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p output_size is too small + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not a supported key agreement algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_raw_key_agreement( + alg: psa_algorithm_t, + private_key: mbedtls_svc_key_id_t, + peer_key: *const u8, + peer_key_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Generate random bytes. + /// + /// \warning This function **can** fail! Callers MUST check the return status + /// and MUST NOT use the content of the output buffer if the return + /// status is not #PSA_SUCCESS. + /// + /// \note To generate a key, use psa_generate_key() instead. + /// + /// \param[out] output Output buffer for the generated data. + /// \param output_size Number of bytes to generate and output. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_random(output: *mut u8, output_size: usize) -> psa_status_t; } -impl Default for mbedtls_psa_mac_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Generate a key or key pair. + /// + /// The key is generated randomly. + /// Its location, usage policy, type and size are taken from \p attributes. + /// + /// Implementations must reject an attempt to generate a key of size 0. + /// + /// The following type-specific considerations apply: + /// - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), + /// the public exponent is 65537. + /// The modulus is a product of two probabilistic primes + /// between 2^{n-1} and 2^n where n is the bit size specified in the + /// attributes. + /// + /// \note This function is equivalent to calling psa_generate_key_custom() + /// with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// and `custom_data_length == 0` (i.e. `custom_data` is empty). + /// + /// \param[in] attributes The attributes for the new key. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key( + attributes: *const psa_key_attributes_t, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl Default for mbedtls_psa_mac_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Generate a key or key pair using custom production parameters. + /// + /// See the description of psa_generate_key() for the operation of this + /// function with the default production parameters. In addition, this function + /// supports the following production customizations, described in more detail + /// in the documentation of ::psa_custom_key_parameters_t: + /// + /// - RSA keys: generation with a custom public exponent. + /// + /// \note This function is experimental and may change in future minor + /// versions of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// \param[in] custom Customization parameters for the key generation. + /// When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// with \p custom_data_length = 0, + /// this function is equivalent to + /// psa_generate_key(). + /// \param[in] custom_data Variable-length data associated with \c custom. + /// \param custom_data_length + /// Length of `custom_data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key_custom( + attributes: *const psa_key_attributes_t, + custom: *const psa_custom_key_parameters_t, + custom_data: *const u8, + custom_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_aead_operation_t { - pub private_alg: psa_algorithm_t, - pub private_key_type: psa_key_type_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_tag_length: u8, - pub ctx: mbedtls_psa_aead_operation_t__bindgen_ty_1, +unsafe extern "C" { + /// \brief Generate a key or key pair using custom production parameters. + /// + /// \note + /// This is a deprecated variant of psa_key_derivation_output_key_custom(). + /// It is equivalent except that the associated variable-length data + /// is passed in `params->data` instead of a separate parameter. + /// This function will be removed in a future version of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// \param[in] params Customization parameters for the key generation. + /// When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + /// with \p params_data_length = 0, + /// this function is equivalent to + /// psa_generate_key(). + /// \param params_data_length + /// Length of `params->data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key_ext( + attributes: *const psa_key_attributes_t, + params: *const psa_key_production_parameters_t, + params_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_aead_operation_t__bindgen_ty_1 { - pub dummy: ::core::ffi::c_uint, - pub private_ccm: mbedtls_ccm_context, - pub private_gcm: mbedtls_gcm_context, - pub private_chachapoly: mbedtls_chachapoly_context, +/// The type of the state data structure for interruptible hash +/// signing operations. +/// +/// Before calling any function on a sign hash operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer +/// #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation = +/// PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function +/// psa_sign_hash_interruptible_operation_init() to the structure, for +/// example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation; +/// operation = psa_sign_hash_interruptible_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_sign_hash_interruptible_operation_t = psa_sign_hash_interruptible_operation_s; +/// The type of the state data structure for interruptible hash +/// verification operations. +/// +/// Before calling any function on a sign hash operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer +/// #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation = +/// PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function +/// psa_verify_hash_interruptible_operation_init() to the structure, for +/// example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation; +/// operation = psa_verify_hash_interruptible_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_verify_hash_interruptible_operation_t = psa_verify_hash_interruptible_operation_s; +unsafe extern "C" { + /// \brief Set the maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note The time taken to execute a single op is + /// implementation specific and depends on + /// software, hardware, the algorithm, key type and + /// curve chosen. Even within a single operation, + /// successive ops can take differing amounts of + /// time. The only guarantee is that lower values + /// for \p max_ops means functions will block for a + /// lesser maximum amount of time. The functions + /// \c psa_sign_interruptible_get_num_ops() and + /// \c psa_verify_interruptible_get_num_ops() are + /// provided to help with tuning this value. + /// + /// \note This value defaults to + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which + /// means the whole operation will be done in one + /// go, regardless of the number of ops required. + /// + /// \note If more ops are needed to complete a + /// computation, #PSA_OPERATION_INCOMPLETE will be + /// returned by the function performing the + /// computation. It is then the caller's + /// responsibility to either call again with the + /// same operation context until it returns 0 or an + /// error code; or to call the relevant abort + /// function if the answer is no longer required. + /// + /// \note The interpretation of \p max_ops is also + /// implementation defined. On a hard real time + /// system, this can indicate a hard deadline, as a + /// real-time system needs a guarantee of not + /// spending more than X time, however care must be + /// taken in such an implementation to avoid the + /// situation whereby calls just return, not being + /// able to do any actual work within the allotted + /// time. On a non-real-time system, the + /// implementation can be more relaxed, but again + /// whether this number should be interpreted as as + /// hard or soft limit or even whether a less than + /// or equals as regards to ops executed in a + /// single call is implementation defined. + /// + /// \note For keys in local storage when no accelerator + /// driver applies, please see also the + /// documentation for \c mbedtls_ecp_set_max_ops(), + /// which is the internal implementation in these + /// cases. + /// + /// \warning With implementations that interpret this number + /// as a hard limit, setting this number too small + /// may result in an infinite loop, whereby each + /// call results in immediate return with no ops + /// done (as there is not enough time to execute + /// any), and thus no result will ever be achieved. + /// + /// \note This only applies to functions whose + /// documentation mentions they may return + /// #PSA_OPERATION_INCOMPLETE. + /// + /// \param max_ops The maximum number of ops to be executed in a + /// single call. This can be a number from 0 to + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 + /// is the least amount of work done per call. + pub fn psa_interruptible_set_max_ops(max_ops: u32); } -impl Default for mbedtls_psa_aead_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Get the maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. This will return the last + /// value set by + /// \c psa_interruptible_set_max_ops() or + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if + /// that function has never been called. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \return Maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. + pub fn psa_interruptible_get_max_ops() -> u32; } -impl Default for mbedtls_psa_aead_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Get the number of ops that a hash signing + /// operation has taken so far. If the operation + /// has completed, then this will represent the + /// number of ops required for the entire + /// operation. After initialization or calling + /// \c psa_sign_hash_interruptible_abort() on + /// the operation, a value of 0 will be returned. + /// + /// \note This interface is guaranteed re-entrant and + /// thus may be called from driver code. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// This is a helper provided to help you tune the + /// value passed to \c + /// psa_interruptible_set_max_ops(). + /// + /// \param operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \return Number of ops that the operation has taken so + /// far. + pub fn psa_sign_hash_get_num_ops( + operation: *const psa_sign_hash_interruptible_operation_t, + ) -> u32; } -impl mbedtls_psa_aead_operation_t { - #[inline] - pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_is_encrypt: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; - private_is_encrypt as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// \brief Get the number of ops that a hash verification + /// operation has taken so far. If the operation + /// has completed, then this will represent the + /// number of ops required for the entire + /// operation. After initialization or calling \c + /// psa_verify_hash_interruptible_abort() on the + /// operation, a value of 0 will be returned. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// This is a helper provided to help you tune the + /// value passed to \c + /// psa_interruptible_set_max_ops(). + /// + /// \param operation The \c + /// psa_verify_hash_interruptible_operation_t to + /// use. This must be initialized first. + /// + /// \return Number of ops that the operation has taken so + /// far. + pub fn psa_verify_hash_get_num_ops( + operation: *const psa_verify_hash_interruptible_operation_t, + ) -> u32; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_sign_hash_interruptible_operation_t { - pub private_dummy: ::core::ffi::c_uint, +unsafe extern "C" { + /// \brief Start signing a hash or short message with a + /// private key, in an interruptible manner. + /// + /// \see \c psa_sign_hash_complete() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_sign_hash_complete() is equivalent to + /// \c psa_sign_hash() but + /// \c psa_sign_hash_complete() can return early and + /// resume according to the limit set with \c + /// psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function call. + /// + /// \note Users should call \c psa_sign_hash_complete() + /// repeatedly on the same context after a + /// successful call to this function until \c + /// psa_sign_hash_complete() either returns 0 or an + /// error. \c psa_sign_hash_complete() will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_sign_hash_abort() at any point if they no + /// longer want the result. + /// + /// \note If this function returns an error status, the + /// operation enters an error state and must be + /// aborted by calling \c psa_sign_hash_abort(). + /// + /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. + /// \param alg A signature algorithm (\c PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message to sign. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The operation started successfully - call \c psa_sign_hash_complete() + /// with the same context to complete the operation + /// + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does + /// not permit the requested algorithm. + /// \retval #PSA_ERROR_BAD_STATE + /// An operation has previously been started on this context, and is + /// still in progress. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash_start( + operation: *mut psa_sign_hash_interruptible_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_verify_hash_interruptible_operation_t { - pub private_dummy: ::core::ffi::c_uint, +unsafe extern "C" { + /// \brief Continue and eventually complete the action of + /// signing a hash or short message with a private + /// key, in an interruptible manner. + /// + /// \see \c psa_sign_hash_start() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_sign_hash_start() is equivalent to + /// \c psa_sign_hash() but this function can return + /// early and resume according to the limit set with + /// \c psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function call. + /// + /// \note Users should call this function on the same + /// operation object repeatedly until it either + /// returns 0 or an error. This function will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_sign_hash_abort() at any point if they no + /// longer want the result. + /// + /// \note When this function returns successfully, the + /// operation becomes inactive. If this function + /// returns an error status, the operation enters an + /// error state and must be aborted by calling + /// \c psa_sign_hash_abort(). + /// + /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first, and have + /// had \c psa_sign_hash_start() called with it + /// first. + /// + /// \param[out] signature Buffer where the signature is to be written. + /// \param signature_size Size of the \p signature buffer in bytes. This + /// must be appropriate for the selected + /// algorithm and key: + /// - The required signature size is + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c + /// key_bits, \c alg) where \c key_type and \c + /// key_bits are the type and bit-size + /// respectively of key. + /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the + /// maximum signature size of any supported + /// signature algorithm. + /// \param[out] signature_length On success, the number of bytes that make up + /// the returned signature value. + /// + /// \retval #PSA_SUCCESS + /// Operation completed successfully + /// + /// \retval #PSA_OPERATION_INCOMPLETE + /// Operation was interrupted due to the setting of \c + /// psa_interruptible_set_max_ops(). There is still work to be done. + /// Call this function again with the same operation object. + /// + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \c alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \c key. + /// + /// \retval #PSA_ERROR_BAD_STATE + /// An operation was not previously started on this context via + /// \c psa_sign_hash_start(). + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has either not been previously initialized by + /// psa_crypto_init() or you did not previously call + /// psa_sign_hash_start() with this operation object. It is + /// implementation-dependent whether a failure to initialize results in + /// this error code. + pub fn psa_sign_hash_complete( + operation: *mut psa_sign_hash_interruptible_operation_t, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } -///< Client -pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_CLIENT: mbedtls_ecjpake_role = 0; -///< Server -pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_SERVER: mbedtls_ecjpake_role = 1; -/// Roles in the EC J-PAKE exchange -pub type mbedtls_ecjpake_role = ::core::ffi::c_uint; -/// EC J-PAKE context structure. -/// -/// J-PAKE is a symmetric protocol, except for the identifiers used in -/// Zero-Knowledge Proofs, and the serialization of the second message -/// (KeyExchange) as defined by the Thread spec. -/// -/// In order to benefit from this symmetry, we choose a different naming -/// convention from the Thread v1.0 spec. Correspondence is indicated in the -/// description as a pair C: client name, S: server name -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecjpake_context { - ///< Hash to use - pub private_md_type: mbedtls_md_type_t, - ///< Elliptic curve - pub private_grp: mbedtls_ecp_group, - ///< Are we client or server? - pub private_role: mbedtls_ecjpake_role, - ///< Format for point export - pub private_point_format: ::core::ffi::c_int, - ///< My public key 1 C: X1, S: X3 - pub private_Xm1: mbedtls_ecp_point, - ///< My public key 2 C: X2, S: X4 - pub private_Xm2: mbedtls_ecp_point, - ///< Peer public key 1 C: X3, S: X1 - pub private_Xp1: mbedtls_ecp_point, - ///< Peer public key 2 C: X4, S: X2 - pub private_Xp2: mbedtls_ecp_point, - ///< Peer public key C: Xs, S: Xc - pub private_Xp: mbedtls_ecp_point, - ///< My private key 1 C: x1, S: x3 - pub private_xm1: mbedtls_mpi, - ///< My private key 2 C: x2, S: x4 - pub private_xm2: mbedtls_mpi, - ///< Pre-shared secret (passphrase) - pub private_s: mbedtls_mpi, +unsafe extern "C" { + /// \brief Abort a sign hash operation. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function is the only function that clears + /// the number of ops completed as part of the + /// operation. Please ensure you copy this value via + /// \c psa_sign_hash_get_num_ops() if required + /// before calling. + /// + /// \note Aborting an operation frees all associated + /// resources except for the \p operation structure + /// itself. Once aborted, the operation object can + /// be reused for another operation by calling \c + /// psa_sign_hash_start() again. + /// + /// \note You may call this function any time after the + /// operation object has been initialized. In + /// particular, calling \c psa_sign_hash_abort() + /// after the operation has already been terminated + /// by a call to \c psa_sign_hash_abort() or + /// psa_sign_hash_complete() is safe. + /// + /// \param[in,out] operation Initialized sign hash operation. + /// + /// \retval #PSA_SUCCESS + /// The operation was aborted successfully. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash_abort( + operation: *mut psa_sign_hash_interruptible_operation_t, + ) -> psa_status_t; } -impl Default for mbedtls_ecjpake_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Start reading and verifying a hash or short + /// message, in an interruptible manner. + /// + /// \see \c psa_verify_hash_complete() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_verify_hash_complete() is equivalent to + /// \c psa_verify_hash() but \c + /// psa_verify_hash_complete() can return early and + /// resume according to the limit set with \c + /// psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function. + /// + /// \note Users should call \c psa_verify_hash_complete() + /// repeatedly on the same operation object after a + /// successful call to this function until \c + /// psa_verify_hash_complete() either returns 0 or + /// an error. \c psa_verify_hash_complete() will + /// return #PSA_OPERATION_INCOMPLETE if there is + /// more work to do. Alternatively users can call + /// \c psa_verify_hash_abort() at any point if they + /// no longer want the result. + /// + /// \note If this function returns an error status, the + /// operation enters an error state and must be + /// aborted by calling \c psa_verify_hash_abort(). + /// + /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \param key Identifier of the key to use for the operation. + /// The key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_HASH. + /// \param alg A signature algorithm (\c PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash whose signature is to be verified. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param signature_length Size of the \p signature buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The operation started successfully - please call \c + /// psa_verify_hash_complete() with the same context to complete the + /// operation. + /// + /// \retval #PSA_ERROR_BAD_STATE + /// Another operation has already been started on this context, and is + /// still in progress. + /// + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does + /// not permit the requested algorithm. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash_start( + operation: *mut psa_verify_hash_interruptible_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Initialize an ECJPAKE context. + /// \brief Continue and eventually complete the action of + /// reading and verifying a hash or short message + /// signed with a private key, in an interruptible + /// manner. /// - /// \param ctx The ECJPAKE context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_ecjpake_init(ctx: *mut mbedtls_ecjpake_context); -} -unsafe extern "C" { - /// \brief Set up an ECJPAKE context for use. + /// \see \c psa_verify_hash_start() /// - /// \note Currently the only values for hash/curve allowed by the - /// standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. /// - /// \param ctx The ECJPAKE context to set up. This must be initialized. - /// \param role The role of the caller. This must be either - /// #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. - /// \param hash The identifier of the hash function to use, - /// for example #MBEDTLS_MD_SHA256. - /// \param curve The identifier of the elliptic curve to use, - /// for example #MBEDTLS_ECP_DP_SECP256R1. - /// \param secret The pre-shared secret (passphrase). This must be - /// a readable not empty buffer of length \p len Bytes. It need - /// only be valid for the duration of this call. - /// \param len The length of the pre-shared secret \p secret. + /// \note This function combined with \c + /// psa_verify_hash_start() is equivalent to + /// \c psa_verify_hash() but this function can + /// return early and resume according to the limit + /// set with \c psa_interruptible_set_max_ops() to + /// reduce the maximum time spent in a function + /// call. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_setup( - ctx: *mut mbedtls_ecjpake_context, - role: mbedtls_ecjpake_role, - hash: mbedtls_md_type_t, - curve: mbedtls_ecp_group_id, - secret: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Set the point format for future reads and writes. + /// \note Users should call this function on the same + /// operation object repeatedly until it either + /// returns 0 or an error. This function will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_verify_hash_abort() at any point if they + /// no longer want the result. /// - /// \param ctx The ECJPAKE context to configure. - /// \param point_format The point format to use: - /// #MBEDTLS_ECP_PF_UNCOMPRESSED (default) - /// or #MBEDTLS_ECP_PF_COMPRESSED. + /// \note When this function returns successfully, the + /// operation becomes inactive. If this function + /// returns an error status, the operation enters an + /// error state and must be aborted by calling + /// \c psa_verify_hash_abort(). /// - /// \return \c 0 if successful. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format - /// is invalid. - pub fn mbedtls_ecjpake_set_point_format( - ctx: *mut mbedtls_ecjpake_context, - point_format: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Check if an ECJPAKE context is ready for use. + /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + /// to use. This must be initialized first, and have + /// had \c psa_verify_hash_start() called with it + /// first. /// - /// \param ctx The ECJPAKE context to check. This must be - /// initialized. + /// \retval #PSA_SUCCESS + /// Operation completed successfully, and the passed signature is valid. /// - /// \return \c 0 if the context is ready for use. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. - pub fn mbedtls_ecjpake_check(ctx: *const mbedtls_ecjpake_context) -> ::core::ffi::c_int; + /// \retval #PSA_OPERATION_INCOMPLETE + /// Operation was interrupted due to the setting of \c + /// psa_interruptible_set_max_ops(). There is still work to be done. + /// Call this function again with the same operation object. + /// + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed + /// signature is not a valid signature. + /// \retval #PSA_ERROR_BAD_STATE + /// An operation was not previously started on this context via + /// \c psa_verify_hash_start(). + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has either not been previously initialized by + /// psa_crypto_init() or you did not previously call + /// psa_verify_hash_start() on this object. It is + /// implementation-dependent whether a failure to initialize results in + /// this error code. + pub fn psa_verify_hash_complete( + operation: *mut psa_verify_hash_interruptible_operation_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Generate and write the first round message - /// (TLS: contents of the Client/ServerHello extension, - /// excluding extension type and length bytes). + /// \brief Abort a verify hash operation. /// - /// \param ctx The ECJPAKE context to use. This must be - /// initialized and set up. - /// \param buf The buffer to write the contents to. This must be a - /// writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number - /// of Bytes written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// \warning This is a beta API, and thus subject to change at + /// any point. It is not bound by the usual interface + /// stability promises. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_round_one( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Read and process the first round message - /// (TLS: contents of the Client/ServerHello extension, - /// excluding extension type and length bytes). + /// \note This function is the only function that clears the + /// number of ops completed as part of the operation. + /// Please ensure you copy this value via + /// \c psa_verify_hash_get_num_ops() if required + /// before calling. /// - /// \param ctx The ECJPAKE context to use. This must be initialized - /// and set up. - /// \param buf The buffer holding the first round message. This must - /// be a readable buffer of length \p len Bytes. - /// \param len The length in Bytes of \p buf. + /// \note Aborting an operation frees all associated + /// resources except for the operation structure + /// itself. Once aborted, the operation object can be + /// reused for another operation by calling \c + /// psa_verify_hash_start() again. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_read_round_one( - ctx: *mut mbedtls_ecjpake_context, - buf: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \note You may call this function any time after the + /// operation object has been initialized. + /// In particular, calling \c psa_verify_hash_abort() + /// after the operation has already been terminated by + /// a call to \c psa_verify_hash_abort() or + /// psa_verify_hash_complete() is safe. + /// + /// \param[in,out] operation Initialized verify hash operation. + /// + /// \retval #PSA_SUCCESS + /// The operation was aborted successfully. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash_abort( + operation: *mut psa_verify_hash_interruptible_operation_t, + ) -> psa_status_t; } +pub type psa_key_handle_t = mbedtls_svc_key_id_t; unsafe extern "C" { - /// \brief Generate and write the second round message - /// (TLS: contents of the Client/ServerKeyExchange). + /// Open a handle to an existing persistent key. /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up, and already have performed round one. - /// \param buf The buffer to write the round two contents to. - /// This must be a writable buffer of length \p len Bytes. - /// \param len The size of \p buf in Bytes. - /// \param olen The address at which to store the total number of Bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// Open a handle to a persistent key. A key is persistent if it was created + /// with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key + /// always has a nonzero key identifier, set with psa_set_key_id() when + /// creating the key. Implementations may provide additional pre-provisioned + /// keys that can be opened with psa_open_key(). Such keys have an application + /// key identifier in the vendor range, as documented in the description of + /// #psa_key_id_t. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_round_two( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// The application must eventually close the handle with psa_close_key() or + /// psa_destroy_key() to release associated resources. If the application dies + /// without calling one of these functions, the implementation should perform + /// the equivalent of a call to psa_close_key(). + /// + /// Some implementations permit an application to open the same key multiple + /// times. If this is successful, each call to psa_open_key() will return a + /// different key handle. + /// + /// \note This API is not part of the PSA Cryptography API Release 1.0.0 + /// specification. It was defined in the 1.0 Beta 3 version of the + /// specification but was removed in the 1.0.0 released version. This API is + /// kept for the time being to not break applications relying on it. It is not + /// deprecated yet but will be in the near future. + /// + /// \note Applications that rely on opening a key multiple times will not be + /// portable to implementations that only permit a single key handle to be + /// opened. See also :ref:\`key-handles\`. + /// + /// + /// \param key The persistent identifier of the key. + /// \param[out] handle On success, a handle to the key. + /// + /// \retval #PSA_SUCCESS + /// Success. The application can now use the value of `*handle` + /// to access the key. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY + /// The implementation does not have sufficient resources to open the + /// key. This can be due to reaching an implementation limit on the + /// number of open keys, the number of open key handles, or available + /// memory. + /// \retval #PSA_ERROR_DOES_NOT_EXIST + /// There is no persistent key with key identifier \p key. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not a valid persistent key identifier. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The specified key exists, but the application does not have the + /// permission to access it. Note that this specification does not + /// define any way to create such a key, but it may be possible + /// through implementation-specific means. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_open_key(key: mbedtls_svc_key_id_t, handle: *mut psa_key_handle_t) -> psa_status_t; } unsafe extern "C" { - /// \brief Read and process the second round message - /// (TLS: contents of the Client/ServerKeyExchange). + /// Close a key handle. /// - /// \param ctx The ECJPAKE context to use. This must be initialized - /// and set up and already have performed round one. - /// \param buf The buffer holding the second round message. This must - /// be a readable buffer of length \p len Bytes. - /// \param len The length in Bytes of \p buf. + /// If the handle designates a volatile key, this will destroy the key material + /// and free all associated resources, just like psa_destroy_key(). /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_read_round_two( - ctx: *mut mbedtls_ecjpake_context, - buf: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Derive the shared secret - /// (TLS: Pre-Master Secret). + /// If this is the last open handle to a persistent key, then closing the handle + /// will free all resources associated with the key in volatile memory. The key + /// data in persistent storage is not affected and can be opened again later + /// with a call to psa_open_key(). /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up and have performed both round one and two. - /// \param buf The buffer to write the derived secret to. This must - /// be a writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number of Bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// Closing the key handle makes the handle invalid, and the key handle + /// must not be used again by the application. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_derive_secret( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write the shared key material to be passed to a Key - /// Derivation Function as described in RFC8236. + /// \note This API is not part of the PSA Cryptography API Release 1.0.0 + /// specification. It was defined in the 1.0 Beta 3 version of the + /// specification but was removed in the 1.0.0 released version. This API is + /// kept for the time being to not break applications relying on it. It is not + /// deprecated yet but will be in the near future. /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up and have performed both round one and two. - /// \param buf The buffer to write the derived secret to. This must - /// be a writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number of bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// \note If the key handle was used to set up an active + /// :ref:\`multipart operation \`, then closing the + /// key handle can cause the multipart operation to fail. Applications should + /// maintain the key handle until after the multipart operation has finished. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_shared_key( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This clears an ECJPAKE context and frees any - /// embedded data structure. + /// \param handle The key handle to close. + /// If this is \c 0, do nothing and return \c PSA_SUCCESS. /// - /// \param ctx The ECJPAKE context to free. This may be \c NULL, - /// in which case this function does nothing. If it is not - /// \c NULL, it must point to an initialized ECJPAKE context. - pub fn mbedtls_ecjpake_free(ctx: *mut mbedtls_ecjpake_context); + /// \retval #PSA_SUCCESS + /// \p handle was a valid handle or \c 0. It is now closed. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p handle is not a valid handle nor \c 0. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_close_key(handle: psa_key_handle_t) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// \brief Library deinitialization. /// - /// \return 0 if successful, or 1 if a test failed - pub fn mbedtls_ecjpake_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_pake_operation_t { - pub private_alg: psa_algorithm_t, - pub private_password: *mut u8, - pub private_password_len: usize, - pub private_role: u8, - pub private_buffer: [u8; 336usize], - pub private_buffer_length: usize, - pub private_buffer_offset: usize, - pub private_ctx: mbedtls_psa_pake_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_pake_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_jpake: mbedtls_ecjpake_context, -} -impl Default for mbedtls_psa_pake_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_pake_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_driver_mac_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_mac_operation_t, -} -impl Default for psa_driver_mac_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_aead_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_aead_operation_t, -} -impl Default for psa_driver_aead_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_sign_hash_interruptible_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_sign_hash_interruptible_operation_t, -} -impl Default for psa_driver_sign_hash_interruptible_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_verify_hash_interruptible_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_verify_hash_interruptible_operation_t, -} -impl Default for psa_driver_verify_hash_interruptible_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_pake_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_pake_operation_t, -} -impl Default for psa_driver_pake_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// This function clears all data associated with the PSA layer, + /// including the whole key store. + /// This function is not thread safe, it wipes every key slot regardless of + /// state and reader count. It should only be called when no slot is in use. + /// + /// This is an Mbed TLS extension. + pub fn mbedtls_psa_crypto_free(); } +/// \brief Statistics about +/// resource consumption related to the PSA keystore. +/// +/// \note The content of this structure is not part of the stable API and ABI +/// of Mbed TLS and may change arbitrarily from version to version. #[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_mac_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_mac_size: u8, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub __bindgen_padding_0: u64, - pub private_ctx: psa_driver_mac_context_t, +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_stats_s { + /// Number of slots containing key material for a volatile key. + pub private_volatile_slots: usize, + /// Number of slots containing key material for a key which is in + /// internal persistent storage. + pub private_persistent_slots: usize, + /// Number of slots containing a reference to a key in a + /// secure element. + pub private_external_slots: usize, + /// Number of slots which are occupied, but do not contain + /// key material yet. + pub private_half_filled_slots: usize, + /// Number of slots that contain cache data. + pub private_cache_slots: usize, + /// Number of slots that are not used for anything. + pub private_empty_slots: usize, + /// Number of slots that are locked. + pub private_locked_slots: usize, + /// Largest key id value among open keys in internal persistent storage. + pub private_max_open_internal_key_id: psa_key_id_t, + /// Largest key id value among open keys in secure elements. + pub private_max_open_external_key_id: psa_key_id_t, } -impl Default for psa_mac_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +/// \brief Statistics about +/// resource consumption related to the PSA keystore. +/// +/// \note The content of this structure is not part of the stable API and ABI +/// of Mbed TLS and may change arbitrarily from version to version. +pub type mbedtls_psa_stats_t = mbedtls_psa_stats_s; +unsafe extern "C" { + /// \brief Get statistics about + /// resource consumption related to the PSA keystore. + /// + /// \note When Mbed TLS is built as part of a service, with isolation + /// between the application and the keystore, the service may or + /// may not expose this function. + pub fn mbedtls_psa_get_stats(stats: *mut mbedtls_psa_stats_t); } -impl psa_mac_operation_s { - #[inline] - pub fn private_is_sign(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_sign(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_sign_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_sign_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_is_sign: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_is_sign: u32 = unsafe { ::core::mem::transmute(private_is_sign) }; - private_is_sign as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// \brief Inject an initial entropy seed for the random generator into + /// secure storage. + /// + /// This function injects data to be used as a seed for the random generator + /// used by the PSA Crypto implementation. On devices that lack a trusted + /// entropy source (preferably a hardware random number generator), + /// the Mbed PSA Crypto implementation uses this value to seed its + /// random generator. + /// + /// On devices without a trusted entropy source, this function must be + /// called exactly once in the lifetime of the device. On devices with + /// a trusted entropy source, calling this function is optional. + /// In all cases, this function may only be called before calling any + /// other function in the PSA Crypto API, including psa_crypto_init(). + /// + /// When this function returns successfully, it populates a file in + /// persistent storage. Once the file has been created, this function + /// can no longer succeed. + /// + /// If any error occurs, this function does not change the system state. + /// You can call this function again after correcting the reason for the + /// error if possible. + /// + /// \warning This function **can** fail! Callers MUST check the return status. + /// + /// \warning If you use this function, you should use it as part of a + /// factory provisioning process. The value of the injected seed + /// is critical to the security of the device. It must be + /// *secret*, *unpredictable* and (statistically) *unique per device*. + /// You should be generate it randomly using a cryptographically + /// secure random generator seeded from trusted entropy sources. + /// You should transmit it securely to the device and ensure + /// that its value is not leaked or stored anywhere beyond the + /// needs of transmitting it from the point of generation to + /// the call of this function, and erase all copies of the value + /// once this function returns. + /// + /// This is an Mbed TLS extension. + /// + /// \note This function is only available on the following platforms: + /// * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled. + /// Note that you must provide compatible implementations of + /// mbedtls_nv_seed_read and mbedtls_nv_seed_write. + /// * In a client-server integration of PSA Cryptography, on the client side, + /// if the server supports this feature. + /// \param[in] seed Buffer containing the seed value to inject. + /// \param[in] seed_size Size of the \p seed buffer. + /// The size of the seed in bytes must be greater + /// or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE + /// and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM + /// in `library/entropy_poll.h` in the Mbed TLS source + /// code. + /// It must be less or equal to + /// #MBEDTLS_ENTROPY_MAX_SEED_SIZE. + /// + /// \retval #PSA_SUCCESS + /// The seed value was injected successfully. The random generator + /// of the PSA Crypto implementation is now ready for use. + /// You may now call psa_crypto_init() and use the PSA Crypto + /// implementation. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p seed_size is out of range. + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// There was a failure reading or writing from storage. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The library has already been initialized. It is no longer + /// possible to call this function. + pub fn mbedtls_psa_inject_entropy(seed: *const u8, seed_size: usize) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_aead_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_alg: psa_algorithm_t, - pub private_key_type: psa_key_type_t, - pub private_ad_remaining: usize, - pub private_body_remaining: usize, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_ctx: psa_driver_aead_context_t, +unsafe extern "C" { + /// External random generator function, implemented by the platform. + /// + /// When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, + /// this function replaces Mbed TLS's entropy and DRBG modules for all + /// random generation triggered via PSA crypto interfaces. + /// + /// \note This random generator must deliver random numbers with cryptographic + /// quality and high performance. It must supply unpredictable numbers + /// with a uniform distribution. The implementation of this function + /// is responsible for ensuring that the random generator is seeded + /// with sufficient entropy. If you have a hardware TRNG which is slow + /// or delivers non-uniform output, declare it as an entropy source + /// with mbedtls_entropy_add_source() instead of enabling this option. + /// + /// \param[in,out] context Pointer to the random generator context. + /// This is all-bits-zero on the first call + /// and preserved between successive calls. + /// \param[out] output Output buffer. On success, this buffer + /// contains random data with a uniform + /// distribution. + /// \param output_size The size of the \p output buffer in bytes. + /// \param[out] output_length On success, set this value to \p output_size. + /// + /// \retval #PSA_SUCCESS + /// Success. The output buffer contains \p output_size bytes of + /// cryptographic-quality random data, and \c *output_length is + /// set to \p output_size. + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + /// The random generator requires extra entropy and there is no + /// way to obtain entropy under current environment conditions. + /// This error should not happen under normal circumstances since + /// this function is responsible for obtaining as much entropy as + /// it needs. However implementations of this function may return + /// #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain + /// entropy without blocking indefinitely. + /// \retval #PSA_ERROR_HARDWARE_FAILURE + /// A failure of the random generator hardware that isn't covered + /// by #PSA_ERROR_INSUFFICIENT_ENTROPY. + pub fn mbedtls_psa_external_get_random( + context: *mut mbedtls_psa_external_random_context_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } -impl Default for psa_aead_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +/// A slot number identifying a key in a driver. +/// +/// Values of this type are used to identify built-in keys. +pub type psa_drv_slot_number_t = u64; +unsafe extern "C" { + /// Check if PSA is capable of handling the specified hash algorithm. + /// + /// This means that PSA core was built with the corresponding PSA_WANT_ALG_xxx + /// set and that psa_crypto_init has already been called. + /// + /// \note When using the built-in version of the PSA core (i.e. + /// #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + /// the state of the driver subsystem, not the algorithm. + /// This might be improved in the future. + /// + /// \param hash_alg The hash algorithm. + /// + /// \return 1 if the PSA can handle \p hash_alg, 0 otherwise. + pub fn psa_can_do_hash(hash_alg: psa_algorithm_t) -> ::core::ffi::c_int; } -impl psa_aead_operation_s { - #[inline] - pub fn private_nonce_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_nonce_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_nonce_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_nonce_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_lengths_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_lengths_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(1usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_lengths_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 1usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_lengths_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 1usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_ad_started(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_ad_started(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(2usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_ad_started_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 2usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_ad_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 2usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_body_started(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(3usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_body_started(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(3usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_body_started_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 3usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_body_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 3usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(4usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(4usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 4usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 4usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_nonce_set: ::core::ffi::c_uint, - private_lengths_set: ::core::ffi::c_uint, - private_ad_started: ::core::ffi::c_uint, - private_body_started: ::core::ffi::c_uint, - private_is_encrypt: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_nonce_set: u32 = unsafe { ::core::mem::transmute(private_nonce_set) }; - private_nonce_set as u64 - }); - __bindgen_bitfield_unit.set(1usize, 1u8, { - let private_lengths_set: u32 = unsafe { ::core::mem::transmute(private_lengths_set) }; - private_lengths_set as u64 - }); - __bindgen_bitfield_unit.set(2usize, 1u8, { - let private_ad_started: u32 = unsafe { ::core::mem::transmute(private_ad_started) }; - private_ad_started as u64 - }); - __bindgen_bitfield_unit.set(3usize, 1u8, { - let private_body_started: u32 = unsafe { ::core::mem::transmute(private_body_started) }; - private_body_started as u64 - }); - __bindgen_bitfield_unit.set(4usize, 1u8, { - let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; - private_is_encrypt as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Tell if PSA is ready for this cipher. + /// + /// \note When using the built-in version of the PSA core (i.e. + /// #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + /// the state of the driver subsystem, not the key type and algorithm. + /// This might be improved in the future. + /// + /// \param key_type The key type. + /// \param cipher_alg The cipher algorithm. + /// + /// \return 1 if the PSA can handle \p cipher_alg, 0 otherwise. + pub fn psa_can_do_cipher( + key_type: psa_key_type_t, + cipher_alg: psa_algorithm_t, + ) -> ::core::ffi::c_int; +} +/// \brief Encoding of the application role of PAKE +/// +/// Encodes the application's role in the algorithm is being executed. For more +/// information see the documentation of individual \c PSA_PAKE_ROLE_XXX +/// constants. +pub type psa_pake_role_t = u8; +/// Encoding of input and output indicators for PAKE. +/// +/// Some PAKE algorithms need to exchange more data than just a single key share. +/// This type is for encoding additional input and output data for such +/// algorithms. +pub type psa_pake_step_t = u8; +/// Encoding of the type of the PAKE's primitive. +/// +/// Values defined by this standard will never be in the range 0x80-0xff. +/// Vendors who define additional types must use an encoding in this range. +/// +/// For more information see the documentation of individual +/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. +pub type psa_pake_primitive_type_t = u8; +/// \brief Encoding of the family of the primitive associated with the PAKE. +/// +/// For more information see the documentation of individual +/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. +pub type psa_pake_family_t = u8; +/// \brief Encoding of the primitive associated with the PAKE. +/// +/// For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. +pub type psa_pake_primitive_t = u32; +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_pake_cipher_suite_s { + pub algorithm: psa_algorithm_t, + pub type_: psa_pake_primitive_type_t, + pub family: psa_pake_family_t, + pub bits: u16, + pub hash: psa_algorithm_t, } #[repr(C)] -#[repr(align(16))] #[derive(Copy, Clone)] -pub struct psa_hkdf_key_derivation_t { - pub private_info: *mut u8, - pub private_info_length: usize, - pub private_offset_in_block: u8, - pub private_block_number: u8, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_output_block: [u8; 64usize], - pub private_prk: [u8; 64usize], - pub __bindgen_padding_0: [u64; 0usize], - pub private_hmac: psa_mac_operation_s, +pub struct psa_crypto_driver_pake_inputs_s { + pub private_password: *mut u8, + pub private_password_len: usize, + pub private_user: *mut u8, + pub private_user_len: usize, + pub private_peer: *mut u8, + pub private_peer_len: usize, + pub private_attributes: psa_key_attributes_t, + pub private_cipher_suite: psa_pake_cipher_suite_s, } -impl Default for psa_hkdf_key_derivation_t { +impl Default for psa_crypto_driver_pake_inputs_s { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -17059,126 +18121,97 @@ impl Default for psa_hkdf_key_derivation_t { } } } -impl psa_hkdf_key_derivation_t { - #[inline] - pub fn private_state(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 2u8) as u32) } - } - #[inline] - pub fn set_private_state(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 2u8, val as u64) - } - } - #[inline] - pub unsafe fn private_state_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 2u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_state_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 2u8, - val as u64, - ) - } - } - #[inline] - pub fn private_info_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_info_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(2usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_info_set_raw(this: *const Self) -> ::core::ffi::c_uint { +pub const psa_crypto_driver_pake_step_PSA_JPAKE_STEP_INVALID: psa_crypto_driver_pake_step = 0; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 1; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 2; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 3; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 4; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 5; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 6; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 7; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 8; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 9; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = + 10; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = + 11; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 12; +pub type psa_crypto_driver_pake_step = ::core::ffi::c_uint; +pub use self::psa_crypto_driver_pake_step as psa_crypto_driver_pake_step_t; +pub const psa_jpake_round_PSA_JPAKE_FIRST: psa_jpake_round = 0; +pub const psa_jpake_round_PSA_JPAKE_SECOND: psa_jpake_round = 1; +pub const psa_jpake_round_PSA_JPAKE_FINISHED: psa_jpake_round = 2; +pub type psa_jpake_round = ::core::ffi::c_uint; +pub use self::psa_jpake_round as psa_jpake_round_t; +pub const psa_jpake_io_mode_PSA_JPAKE_INPUT: psa_jpake_io_mode = 0; +pub const psa_jpake_io_mode_PSA_JPAKE_OUTPUT: psa_jpake_io_mode = 1; +pub type psa_jpake_io_mode = ::core::ffi::c_uint; +pub use self::psa_jpake_io_mode as psa_jpake_io_mode_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_jpake_computation_stage_s { + pub private_round: psa_jpake_round_t, + pub private_io_mode: psa_jpake_io_mode_t, + pub private_inputs: u8, + pub private_outputs: u8, + pub private_step: psa_pake_step_t, +} +impl Default for psa_jpake_computation_stage_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 2usize, - 1u8, - ) as u32) + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() } } - #[inline] - pub unsafe fn set_private_info_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_pake_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_alg: psa_algorithm_t, + pub private_primitive: psa_pake_primitive_t, + pub private_stage: u8, + pub private_computation_stage: psa_pake_operation_s__bindgen_ty_1, + pub private_data: psa_pake_operation_s__bindgen_ty_2, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_pake_operation_s__bindgen_ty_1 { + pub private_dummy: u8, + pub private_jpake: psa_jpake_computation_stage_s, +} +impl Default for psa_pake_operation_s__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 2usize, - 1u8, - val as u64, - ) + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() } } - #[inline] - pub fn new_bitfield_1( - private_state: ::core::ffi::c_uint, - private_info_set: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 2u8, { - let private_state: u32 = unsafe { ::core::mem::transmute(private_state) }; - private_state as u64 - }); - __bindgen_bitfield_unit.set(2usize, 1u8, { - let private_info_set: u32 = unsafe { ::core::mem::transmute(private_info_set) }; - private_info_set as u64 - }); - __bindgen_bitfield_unit - } -} -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_tls12_ecjpake_to_pms_t { - pub private_data: [u8; 32usize], } -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_INIT: - psa_tls12_prf_key_derivation_state_t = 0; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_SEED_SET: - psa_tls12_prf_key_derivation_state_t = 1; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OTHER_KEY_SET: - psa_tls12_prf_key_derivation_state_t = 2; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_KEY_SET: - psa_tls12_prf_key_derivation_state_t = 3; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_LABEL_SET: - psa_tls12_prf_key_derivation_state_t = 4; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OUTPUT: - psa_tls12_prf_key_derivation_state_t = 5; -pub type psa_tls12_prf_key_derivation_state_t = ::core::ffi::c_uint; #[repr(C)] #[derive(Copy, Clone)] -pub struct psa_tls12_prf_key_derivation_s { - pub private_left_in_block: u8, - pub private_block_number: u8, - pub private_state: psa_tls12_prf_key_derivation_state_t, - pub private_secret: *mut u8, - pub private_secret_length: usize, - pub private_seed: *mut u8, - pub private_seed_length: usize, - pub private_label: *mut u8, - pub private_label_length: usize, - pub private_other_secret: *mut u8, - pub private_other_secret_length: usize, - pub private_Ai: [u8; 64usize], - pub private_output_block: [u8; 64usize], +pub union psa_pake_operation_s__bindgen_ty_2 { + pub private_ctx: psa_driver_pake_context_t, + pub private_inputs: psa_crypto_driver_pake_inputs_s, } -impl Default for psa_tls12_prf_key_derivation_s { +impl Default for psa_pake_operation_s__bindgen_ty_2 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for psa_pake_operation_s { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -17187,1462 +18220,1629 @@ impl Default for psa_tls12_prf_key_derivation_s { } } } -pub type psa_tls12_prf_key_derivation_t = psa_tls12_prf_key_derivation_s; -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_key_derivation_s { - pub private_alg: psa_algorithm_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_capacity: usize, - pub __bindgen_padding_0: [u64; 0usize], - pub private_ctx: psa_key_derivation_s__bindgen_ty_1, +/// The type of the data structure for PAKE cipher suites. +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_pake_cipher_suite_t = psa_pake_cipher_suite_s; +/// The type of the state data structure for PAKE operations. +/// +/// Before calling any function on a PAKE operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_pake_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_pake_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, +/// for example: +/// \code +/// psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_pake_operation_init() +/// to the structure, for example: +/// \code +/// psa_pake_operation_t operation; +/// operation = psa_pake_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_pake_operation_t = psa_pake_operation_s; +/// The type of input values for PAKE operations. +pub type psa_crypto_driver_pake_inputs_t = psa_crypto_driver_pake_inputs_s; +/// The type of computation stage for J-PAKE operations. +pub type psa_jpake_computation_stage_t = psa_jpake_computation_stage_s; +unsafe extern "C" { + /// Get the length of the password in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] password_len Password length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Password hasn't been set yet. + pub fn psa_crypto_driver_pake_get_password_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + password_len: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the password from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] buffer Return buffer for password. + /// \param buffer_size Size of the return buffer in bytes. + /// \param[out] buffer_length Actual size of the password in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Password hasn't been set yet. + pub fn psa_crypto_driver_pake_get_password( + inputs: *const psa_crypto_driver_pake_inputs_t, + buffer: *mut u8, + buffer_size: usize, + buffer_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the length of the user id in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] user_len User id length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// User id hasn't been set yet. + pub fn psa_crypto_driver_pake_get_user_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + user_len: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the length of the peer id in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] peer_len Peer id length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Peer id hasn't been set yet. + pub fn psa_crypto_driver_pake_get_peer_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + peer_len: *mut usize, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_key_derivation_s__bindgen_ty_1 { - pub private_dummy: u8, - pub private_hkdf: psa_hkdf_key_derivation_t, - pub private_tls12_prf: psa_tls12_prf_key_derivation_t, - pub private_tls12_ecjpake_to_pms: psa_tls12_ecjpake_to_pms_t, +unsafe extern "C" { + /// Get the user id from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] user_id User id. + /// \param user_id_size Size of \p user_id in bytes. + /// \param[out] user_id_len Size of the user id in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// User id hasn't been set yet. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p user_id is too small. + pub fn psa_crypto_driver_pake_get_user( + inputs: *const psa_crypto_driver_pake_inputs_t, + user_id: *mut u8, + user_id_size: usize, + user_id_len: *mut usize, + ) -> psa_status_t; } -impl Default for psa_key_derivation_s__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Get the peer id from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] peer_id Peer id. + /// \param peer_id_size Size of \p peer_id in bytes. + /// \param[out] peer_id_length Size of the peer id in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Peer id hasn't been set yet. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p peer_id is too small. + pub fn psa_crypto_driver_pake_get_peer( + inputs: *const psa_crypto_driver_pake_inputs_t, + peer_id: *mut u8, + peer_id_size: usize, + peer_id_length: *mut usize, + ) -> psa_status_t; } -impl Default for psa_key_derivation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Get the cipher suite from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] cipher_suite Return buffer for role. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Cipher_suite hasn't been set yet. + pub fn psa_crypto_driver_pake_get_cipher_suite( + inputs: *const psa_crypto_driver_pake_inputs_t, + cipher_suite: *mut psa_pake_cipher_suite_t, + ) -> psa_status_t; } -impl psa_key_derivation_s { - #[inline] - pub fn private_can_output_key(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_can_output_key(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_can_output_key_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_can_output_key_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_can_output_key: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_can_output_key: u32 = - unsafe { ::core::mem::transmute(private_can_output_key) }; - private_can_output_key as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Set the session information for a password-authenticated key exchange. + /// + /// The sequence of operations to set up a password-authenticated key exchange + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_pake_operation_t, e.g. + /// #PSA_PAKE_OPERATION_INIT. + /// -# Call psa_pake_setup() to specify the cipher suite. + /// -# Call \c psa_pake_set_xxx() functions on the operation to complete the + /// setup. The exact sequence of \c psa_pake_set_xxx() functions that needs + /// to be called depends on the algorithm in use. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// A typical sequence of calls to perform a password-authenticated key + /// exchange: + /// -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the + /// key share that needs to be sent to the peer. + /// -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide + /// the key share that was received from the peer. + /// -# Depending on the algorithm additional calls to psa_pake_output() and + /// psa_pake_input() might be necessary. + /// -# Call psa_pake_get_implicit_key() for accessing the shared secret. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// If an error occurs at any step after a call to psa_pake_setup(), + /// the operation will need to be reset by a call to psa_pake_abort(). The + /// application may call psa_pake_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_pake_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A call to psa_pake_abort(). + /// - A successful call to psa_pake_get_implicit_key(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized but not set up yet. + /// \param[in] cipher_suite The cipher suite to use. (A cipher suite fully + /// characterizes a PAKE algorithm and determines + /// the algorithm as well.) + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The algorithm in \p cipher_suite is not a PAKE algorithm, or the + /// PAKE primitive in \p cipher_suite is not compatible with the + /// PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid + /// or not compatible with the PAKE algorithm and primitive. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The algorithm in \p cipher_suite is not a supported PAKE algorithm, + /// or the PAKE primitive in \p cipher_suite is not supported or not + /// compatible with the PAKE algorithm, or the hash algorithm in + /// \p cipher_suite is not supported or not compatible with the PAKE + /// algorithm and primitive. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_setup( + operation: *mut psa_pake_operation_t, + cipher_suite: *const psa_pake_cipher_suite_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_key_policy_s { - pub private_usage: psa_key_usage_t, - pub private_alg: psa_algorithm_t, - pub private_alg2: psa_algorithm_t, +unsafe extern "C" { + /// Set the password for a password-authenticated key exchange from key ID. + /// + /// Call this function when the password, or a value derived from the password, + /// is already present in the key store. + /// + /// \param[in,out] operation The operation object to set the password for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the password hasn't + /// been set yet (psa_pake_set_password_key() + /// hasn't been called yet). + /// \param password Identifier of the key holding the password or a + /// value derived from the password (eg. by a + /// memory-hard function). It must remain valid + /// until the operation terminates. It must be of + /// type #PSA_KEY_TYPE_PASSWORD or + /// #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow + /// the usage #PSA_KEY_USAGE_DERIVE. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p password is not a valid key identifier. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not + /// permit the \p operation's algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or + /// #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with + /// the \p operation's cipher suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size of \p password is not supported with the + /// \p operation's cipher suite. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must have been set up.), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_password_key( + operation: *mut psa_pake_operation_t, + password: mbedtls_svc_key_id_t, + ) -> psa_status_t; } -pub type psa_key_policy_t = psa_key_policy_s; -pub type psa_key_bits_t = u16; -/// A mask of flags that can be stored in key attributes. -/// -/// This type is also used internally to store flags in slots. Internal -/// flags are defined in library/psa_crypto_core.h. Internal flags may have -/// the same value as external flags if they are properly handled during -/// key creation and in psa_get_key_attributes. -pub type psa_key_attributes_flag_t = u16; -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_core_key_attributes_t { - pub private_type: psa_key_type_t, - pub private_bits: psa_key_bits_t, - pub private_lifetime: psa_key_lifetime_t, - pub private_id: mbedtls_svc_key_id_t, - pub private_policy: psa_key_policy_t, - pub private_flags: psa_key_attributes_flag_t, +unsafe extern "C" { + /// Set the user ID for a password-authenticated key exchange. + /// + /// Call this function to set the user ID. For PAKE algorithms that associate a + /// user identifier with each side of the session you need to call + /// psa_pake_set_peer() as well. For PAKE algorithms that associate a single + /// user identifier with the session, call psa_pake_set_user() only. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \note When using the built-in implementation of #PSA_ALG_JPAKE, the user ID + /// must be `"client"` (6-byte string) or `"server"` (6-byte string). + /// Third-party drivers may or may not have this limitation. + /// + /// \param[in,out] operation The operation object to set the user ID for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the user ID hasn't + /// been set (psa_pake_set_user() hasn't been + /// called yet). + /// \param[in] user_id The user ID to authenticate with. + /// \param user_id_len Size of the \p user_id buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p user_id is not valid for the \p operation's algorithm and cipher + /// suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The value of \p user_id is not supported by the implementation. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_user( + operation: *mut psa_pake_operation_t, + user_id: *const u8, + user_id_len: usize, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_key_attributes_s { - pub private_core: psa_core_key_attributes_t, - pub private_domain_parameters: *mut ::core::ffi::c_void, - pub private_domain_parameters_size: usize, +unsafe extern "C" { + /// Set the peer ID for a password-authenticated key exchange. + /// + /// Call this function in addition to psa_pake_set_user() for PAKE algorithms + /// that associate a user identifier with each side of the session. For PAKE + /// algorithms that associate a single user identifier with the session, call + /// psa_pake_set_user() only. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \note When using the built-in implementation of #PSA_ALG_JPAKE, the peer ID + /// must be `"client"` (6-byte string) or `"server"` (6-byte string). + /// Third-party drivers may or may not have this limitation. + /// + /// \param[in,out] operation The operation object to set the peer ID for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the peer ID hasn't + /// been set (psa_pake_set_peer() hasn't been + /// called yet). + /// \param[in] peer_id The peer's ID to authenticate. + /// \param peer_id_len Size of the \p peer_id buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p peer_id is not valid for the \p operation's algorithm and cipher + /// suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The algorithm doesn't associate a second identity with the session. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// Calling psa_pake_set_peer() is invalid with the \p operation's + /// algorithm, the operation state is not valid, or the library has not + /// been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_peer( + operation: *mut psa_pake_operation_t, + peer_id: *const u8, + peer_id_len: usize, + ) -> psa_status_t; } -impl Default for psa_key_attributes_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Set the application role for a password-authenticated key exchange. + /// + /// Not all PAKE algorithms need to differentiate the communicating entities. + /// It is optional to call this function for PAKEs that don't require a role + /// to be specified. For such PAKEs the application role parameter is ignored, + /// or #PSA_PAKE_ROLE_NONE can be passed as \c role. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \param[in,out] operation The operation object to specify the + /// application's role for. It must have been set up + /// by psa_pake_setup() and not yet in use (neither + /// psa_pake_output() nor psa_pake_input() has been + /// called yet). It must be on operation for which + /// the application's role hasn't been specified + /// (psa_pake_set_role() hasn't been called yet). + /// \param role A value of type ::psa_pake_role_t indicating the + /// application's role in the PAKE the algorithm + /// that is being set up. For more information see + /// the documentation of \c PSA_PAKE_ROLE_XXX + /// constants. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The \p role is not a valid PAKE role in the \p operation’s algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The \p role for this algorithm is not supported or is not valid. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_role( + operation: *mut psa_pake_operation_t, + role: psa_pake_role_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Set domain parameters for a key. + /// Get output for a step of a password-authenticated key exchange. /// - /// Some key types require additional domain parameters in addition to - /// the key type identifier and the key size. Use this function instead - /// of psa_set_key_type() when you need to specify domain parameters. + /// Depending on the algorithm being executed, you might need to call this + /// function several times or you might not need to call this at all. /// - /// The format for the required domain parameters varies based on the key type. + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// - /// - For RSA keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY or #PSA_KEY_TYPE_RSA_KEY_PAIR), - /// the domain parameter data consists of the public exponent, - /// represented as a big-endian integer with no leading zeros. - /// This information is used when generating an RSA key pair. - /// When importing a key, the public exponent is read from the imported - /// key data and the exponent recorded in the attribute structure is ignored. - /// As an exception, the public exponent 65537 is represented by an empty - /// byte string. - /// - For DSA keys (#PSA_KEY_TYPE_DSA_PUBLIC_KEY or #PSA_KEY_TYPE_DSA_KEY_PAIR), - /// the `Dss-Params` format as defined by RFC 3279 §2.3.2. - /// ``` - /// Dss-Params ::= SEQUENCE { - /// p INTEGER, - /// q INTEGER, - /// g INTEGER - /// } - /// ``` - /// - For Diffie-Hellman key exchange keys - /// (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or - /// #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM)), the - /// `DomainParameters` format as defined by RFC 3279 §2.3.3. - /// ``` - /// DomainParameters ::= SEQUENCE { - /// p INTEGER, -- odd prime, p=jq +1 - /// g INTEGER, -- generator, g - /// q INTEGER, -- factor of p-1 - /// j INTEGER OPTIONAL, -- subgroup factor - /// validationParams ValidationParams OPTIONAL - /// } - /// ValidationParams ::= SEQUENCE { - /// seed BIT STRING, - /// pgenCounter INTEGER - /// } - /// ``` + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_pake_abort(). /// - /// \note This function may allocate memory or other resources. - /// Once you have called this function on an attribute structure, - /// you must call psa_reset_key_attributes() to free these resources. + /// \param[in,out] operation Active PAKE operation. + /// \param step The step of the algorithm for which the output is + /// requested. + /// \param[out] output Buffer where the output is to be written in the + /// format appropriate for this \p step. Refer to + /// the documentation of the individual + /// \c PSA_PAKE_STEP_XXX constants for more + /// information. + /// \param output_size Size of the \p output buffer in bytes. This must + /// be at least #PSA_PAKE_OUTPUT_SIZE(\c alg, \c + /// primitive, \p output_step) where \c alg and + /// \p primitive are the PAKE algorithm and primitive + /// in the operation's cipher suite, and \p step is + /// the output step. + /// + /// \param[out] output_length On success, the number of bytes of the returned + /// output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p step is not compatible with the operation's algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p step is not supported with the operation's algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and fully set + /// up, and this call must conform to the algorithm's requirements + /// for ordering of input and output steps), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_output( + operation: *mut psa_pake_operation_t, + step: psa_pake_step_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Provide input for a step of a password-authenticated key exchange. + /// + /// Depending on the algorithm being executed, you might need to call this + /// function several times or you might not need to call this at all. + /// + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// - /// \note This is an experimental extension to the interface. It may change - /// in future versions of the library. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_pake_abort(). /// - /// \param[in,out] attributes Attribute structure where the specified domain - /// parameters will be stored. - /// If this function fails, the content of - /// \p attributes is not modified. - /// \param type Key type (a \c PSA_KEY_TYPE_XXX value). - /// \param[in] data Buffer containing the key domain parameters. - /// The content of this buffer is interpreted - /// according to \p type as described above. - /// \param data_length Size of the \p data buffer in bytes. + /// \param[in,out] operation Active PAKE operation. + /// \param step The step for which the input is provided. + /// \param[in] input Buffer containing the input in the format + /// appropriate for this \p step. Refer to the + /// documentation of the individual + /// \c PSA_PAKE_STEP_XXX constants for more + /// information. + /// \param input_length Size of the \p input buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p input_length is not compatible with the \p operation’s algorithm, + /// or the \p input is not valid for the \p operation's algorithm, + /// cipher suite or \p step. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p step p is not supported with the \p operation's algorithm, or the + /// \p input is not supported for the \p operation's algorithm, cipher + /// suite or \p step. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - pub fn psa_set_key_domain_parameters( - attributes: *mut psa_key_attributes_t, - type_: psa_key_type_t, - data: *const u8, - data_length: usize, + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and fully set + /// up, and this call must conform to the algorithm's requirements + /// for ordering of input and output steps), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_input( + operation: *mut psa_pake_operation_t, + step: psa_pake_step_t, + input: *const u8, + input_length: usize, ) -> psa_status_t; } -/// \brief The context for PSA interruptible hash signing. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_sign_hash_interruptible_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_ctx: psa_driver_sign_hash_interruptible_context_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_num_ops: u32, -} -impl Default for psa_sign_hash_interruptible_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl psa_sign_hash_interruptible_operation_s { - #[inline] - pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_error_occurred: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_error_occurred: u32 = - unsafe { ::core::mem::transmute(private_error_occurred) }; - private_error_occurred as u64 - }); - __bindgen_bitfield_unit - } -} -/// \brief The context for PSA interruptible hash verification. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_verify_hash_interruptible_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_ctx: psa_driver_verify_hash_interruptible_context_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_num_ops: u32, -} -impl Default for psa_verify_hash_interruptible_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl psa_verify_hash_interruptible_operation_s { - #[inline] - pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_error_occurred: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_error_occurred: u32 = - unsafe { ::core::mem::transmute(private_error_occurred) }; - private_error_occurred as u64 - }); - __bindgen_bitfield_unit - } -} -pub type psa_key_handle_t = mbedtls_svc_key_id_t; unsafe extern "C" { - /// Open a handle to an existing persistent key. - /// - /// Open a handle to a persistent key. A key is persistent if it was created - /// with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key - /// always has a nonzero key identifier, set with psa_set_key_id() when - /// creating the key. Implementations may provide additional pre-provisioned - /// keys that can be opened with psa_open_key(). Such keys have an application - /// key identifier in the vendor range, as documented in the description of - /// #psa_key_id_t. + /// Get implicitly confirmed shared secret from a PAKE. /// - /// The application must eventually close the handle with psa_close_key() or - /// psa_destroy_key() to release associated resources. If the application dies - /// without calling one of these functions, the implementation should perform - /// the equivalent of a call to psa_close_key(). + /// At this point there is a cryptographic guarantee that only the authenticated + /// party who used the same password is able to compute the key. But there is no + /// guarantee that the peer is the party it claims to be and was able to do so. /// - /// Some implementations permit an application to open the same key multiple - /// times. If this is successful, each call to psa_open_key() will return a - /// different key handle. + /// That is, the authentication is only implicit. Since the peer is not + /// authenticated yet, no action should be taken yet that assumes that the peer + /// is who it claims to be. For example, do not access restricted files on the + /// peer's behalf until an explicit authentication has succeeded. /// - /// \note This API is not part of the PSA Cryptography API Release 1.0.0 - /// specification. It was defined in the 1.0 Beta 3 version of the - /// specification but was removed in the 1.0.0 released version. This API is - /// kept for the time being to not break applications relying on it. It is not - /// deprecated yet but will be in the near future. + /// This function can be called after the key exchange phase of the operation + /// has completed. It imports the shared secret output of the PAKE into the + /// provided derivation operation. The input step + /// #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key + /// material in the key derivation operation. /// - /// \note Applications that rely on opening a key multiple times will not be - /// portable to implementations that only permit a single key handle to be - /// opened. See also :ref:\`key-handles\`. + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// + /// When this function returns successfully, \p operation becomes inactive. + /// If this function returns an error status, both \p operation + /// and \c key_derivation operations enter an error state and must be aborted by + /// calling psa_pake_abort() and psa_key_derivation_abort() respectively. /// - /// \param key The persistent identifier of the key. - /// \param[out] handle On success, a handle to the key. + /// \param[in,out] operation Active PAKE operation. + /// \param[out] output A key derivation operation that is ready + /// for an input step of type + /// #PSA_KEY_DERIVATION_INPUT_SECRET. /// /// \retval #PSA_SUCCESS - /// Success. The application can now use the value of `*handle` - /// to access the key. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY - /// The implementation does not have sufficient resources to open the - /// key. This can be due to reaching an implementation limit on the - /// number of open keys, the number of open key handles, or available - /// memory. - /// \retval #PSA_ERROR_DOES_NOT_EXIST - /// There is no persistent key with key identifier \p key. + /// Success. /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not a valid persistent key identifier. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The specified key exists, but the application does not have the - /// permission to access it. Note that this specification does not - /// define any way to create such a key, but it may be possible - /// through implementation-specific means. + /// #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the + /// algorithm in the \p output key derivation operation. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// Input from a PAKE is not supported by the algorithm in the \p output + /// key derivation operation. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The PAKE operation state is not valid (it must be active, but beyond + /// that validity is specific to the algorithm), or + /// the library has not been previously initialized by psa_crypto_init(), + /// or the state of \p output is not valid for + /// the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the + /// step is out of order or the application has done this step already + /// and it may not be repeated. /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_open_key(key: mbedtls_svc_key_id_t, handle: *mut psa_key_handle_t) -> psa_status_t; + pub fn psa_pake_get_implicit_key( + operation: *mut psa_pake_operation_t, + output: *mut psa_key_derivation_operation_t, + ) -> psa_status_t; } unsafe extern "C" { - /// Close a key handle. - /// - /// If the handle designates a volatile key, this will destroy the key material - /// and free all associated resources, just like psa_destroy_key(). - /// - /// If this is the last open handle to a persistent key, then closing the handle - /// will free all resources associated with the key in volatile memory. The key - /// data in persistent storage is not affected and can be opened again later - /// with a call to psa_open_key(). + /// Abort a PAKE operation. /// - /// Closing the key handle makes the handle invalid, and the key handle - /// must not be used again by the application. + /// Aborting an operation frees all associated resources except for the \c + /// operation structure itself. Once aborted, the operation object can be reused + /// for another operation by calling psa_pake_setup() again. /// - /// \note This API is not part of the PSA Cryptography API Release 1.0.0 - /// specification. It was defined in the 1.0 Beta 3 version of the - /// specification but was removed in the 1.0.0 released version. This API is - /// kept for the time being to not break applications relying on it. It is not - /// deprecated yet but will be in the near future. + /// This function may be called at any time after the operation + /// object has been initialized as described in #psa_pake_operation_t. /// - /// \note If the key handle was used to set up an active - /// :ref:\`multipart operation \`, then closing the - /// key handle can cause the multipart operation to fail. Applications should - /// maintain the key handle until after the multipart operation has finished. + /// In particular, calling psa_pake_abort() after the operation has been + /// terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() + /// is safe and has no effect. /// - /// \param handle The key handle to close. - /// If this is \c 0, do nothing and return \c PSA_SUCCESS. + /// \param[in,out] operation The operation to abort. /// /// \retval #PSA_SUCCESS - /// \p handle was a valid handle or \c 0. It is now closed. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p handle is not a valid handle nor \c 0. + /// Success. /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_close_key(handle: psa_key_handle_t) -> psa_status_t; + pub fn psa_pake_abort(operation: *mut psa_pake_operation_t) -> psa_status_t; } -unsafe extern "C" { - /// \brief Library deinitialization. +pub const mbedtls_pk_type_t_MBEDTLS_PK_NONE: mbedtls_pk_type_t = 0; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA: mbedtls_pk_type_t = 1; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY: mbedtls_pk_type_t = 2; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY_DH: mbedtls_pk_type_t = 3; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECDSA: mbedtls_pk_type_t = 4; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA_ALT: mbedtls_pk_type_t = 5; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSASSA_PSS: mbedtls_pk_type_t = 6; +pub const mbedtls_pk_type_t_MBEDTLS_PK_OPAQUE: mbedtls_pk_type_t = 7; +/// \brief Public key types +pub type mbedtls_pk_type_t = ::core::ffi::c_uint; +/// \brief Options for RSASSA-PSS signature verification. +/// See \c mbedtls_rsa_rsassa_pss_verify_ext() +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_rsassa_pss_options { + /// The digest to use for MGF1 in PSS. /// - /// This function clears all data associated with the PSA layer, - /// including the whole key store. + /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is + /// disabled, this must be equal to the \c md_alg argument passed + /// to mbedtls_pk_verify_ext(). In a future version of the library, + /// this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is + /// enabled regardless of the status of #MBEDTLS_RSA_C. + pub mgf1_hash_id: mbedtls_md_type_t, + /// The expected length of the salt, in bytes. This may be + /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. /// - /// This is an Mbed TLS extension. - pub fn mbedtls_psa_crypto_free(); + /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only + /// #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be + /// ignored (allowing any salt length). + pub expected_salt_len: ::core::ffi::c_int, } -/// \brief Statistics about -/// resource consumption related to the PSA keystore. -/// -/// \note The content of this structure is not part of the stable API and ABI -/// of Mbed Crypto and may change arbitrarily from version to version. +impl Default for mbedtls_pk_rsassa_pss_options { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_NONE: mbedtls_pk_debug_type = 0; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_MPI: mbedtls_pk_debug_type = 1; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_ECP: mbedtls_pk_debug_type = 2; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_PSA_EC: mbedtls_pk_debug_type = 3; +/// \brief Types for interfacing with the debug module +pub type mbedtls_pk_debug_type = ::core::ffi::c_uint; +/// \brief Item to send to the debug module #[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_stats_s { - /// Number of slots containing key material for a volatile key. - pub private_volatile_slots: usize, - /// Number of slots containing key material for a key which is in - /// internal persistent storage. - pub private_persistent_slots: usize, - /// Number of slots containing a reference to a key in a - /// secure element. - pub private_external_slots: usize, - /// Number of slots which are occupied, but do not contain - /// key material yet. - pub private_half_filled_slots: usize, - /// Number of slots that contain cache data. - pub private_cache_slots: usize, - /// Number of slots that are not used for anything. - pub private_empty_slots: usize, - /// Number of slots that are locked. - pub private_locked_slots: usize, - /// Largest key id value among open keys in internal persistent storage. - pub private_max_open_internal_key_id: psa_key_id_t, - /// Largest key id value among open keys in secure elements. - pub private_max_open_external_key_id: psa_key_id_t, +#[derive(Copy, Clone)] +pub struct mbedtls_pk_debug_item { + pub private_type: mbedtls_pk_debug_type, + pub private_name: *const ::core::ffi::c_char, + pub private_value: *mut ::core::ffi::c_void, } -/// \brief Statistics about -/// resource consumption related to the PSA keystore. -/// -/// \note The content of this structure is not part of the stable API and ABI -/// of Mbed Crypto and may change arbitrarily from version to version. -pub type mbedtls_psa_stats_t = mbedtls_psa_stats_s; -unsafe extern "C" { - /// \brief Get statistics about - /// resource consumption related to the PSA keystore. - /// - /// \note When Mbed Crypto is built as part of a service, with isolation - /// between the application and the keystore, the service may or - /// may not expose this function. - pub fn mbedtls_psa_get_stats(stats: *mut mbedtls_psa_stats_t); +impl Default for mbedtls_pk_debug_item { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief Inject an initial entropy seed for the random generator into - /// secure storage. - /// - /// This function injects data to be used as a seed for the random generator - /// used by the PSA Crypto implementation. On devices that lack a trusted - /// entropy source (preferably a hardware random number generator), - /// the Mbed PSA Crypto implementation uses this value to seed its - /// random generator. - /// - /// On devices without a trusted entropy source, this function must be - /// called exactly once in the lifetime of the device. On devices with - /// a trusted entropy source, calling this function is optional. - /// In all cases, this function may only be called before calling any - /// other function in the PSA Crypto API, including psa_crypto_init(). - /// - /// When this function returns successfully, it populates a file in - /// persistent storage. Once the file has been created, this function - /// can no longer succeed. - /// - /// If any error occurs, this function does not change the system state. - /// You can call this function again after correcting the reason for the - /// error if possible. - /// - /// \warning This function **can** fail! Callers MUST check the return status. - /// - /// \warning If you use this function, you should use it as part of a - /// factory provisioning process. The value of the injected seed - /// is critical to the security of the device. It must be - /// *secret*, *unpredictable* and (statistically) *unique per device*. - /// You should be generate it randomly using a cryptographically - /// secure random generator seeded from trusted entropy sources. - /// You should transmit it securely to the device and ensure - /// that its value is not leaked or stored anywhere beyond the - /// needs of transmitting it from the point of generation to - /// the call of this function, and erase all copies of the value - /// once this function returns. - /// - /// This is an Mbed TLS extension. - /// - /// \note This function is only available on the following platforms: - /// * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled. - /// Note that you must provide compatible implementations of - /// mbedtls_nv_seed_read and mbedtls_nv_seed_write. - /// * In a client-server integration of PSA Cryptography, on the client side, - /// if the server supports this feature. - /// \param[in] seed Buffer containing the seed value to inject. - /// \param[in] seed_size Size of the \p seed buffer. - /// The size of the seed in bytes must be greater - /// or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE - /// and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM - /// in `library/entropy_poll.h` in the Mbed TLS source - /// code. - /// It must be less or equal to - /// #MBEDTLS_ENTROPY_MAX_SEED_SIZE. - /// - /// \retval #PSA_SUCCESS - /// The seed value was injected successfully. The random generator - /// of the PSA Crypto implementation is now ready for use. - /// You may now call psa_crypto_init() and use the PSA Crypto - /// implementation. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p seed_size is out of range. - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// There was a failure reading or writing from storage. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The library has already been initialized. It is no longer - /// possible to call this function. - pub fn mbedtls_psa_inject_entropy(seed: *const u8, seed_size: usize) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_info_t { + _unused: [u8; 0], } -unsafe extern "C" { - /// \brief Get domain parameters for a key. - /// - /// Get the domain parameters for a key with this function, if any. The format - /// of the domain parameters written to \p data is specified in the - /// documentation for psa_set_key_domain_parameters(). - /// - /// \note This is an experimental extension to the interface. It may change - /// in future versions of the library. - /// - /// \param[in] attributes The key attribute structure to query. - /// \param[out] data On success, the key domain parameters. - /// \param data_size Size of the \p data buffer in bytes. - /// The buffer is guaranteed to be large - /// enough if its size in bytes is at least - /// the value given by - /// PSA_KEY_DOMAIN_PARAMETERS_SIZE(). - /// \param[out] data_length On success, the number of bytes - /// that make up the key domain parameters data. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - pub fn psa_get_key_domain_parameters( - attributes: *const psa_key_attributes_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; +/// \brief Public key container +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_context { + ///< Public key information + pub private_pk_info: *const mbedtls_pk_info_t, + ///< Underlying public key context + pub private_pk_ctx: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_pk_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } +pub type mbedtls_pk_restart_ctx = ::core::ffi::c_void; +/// \brief Types for RSA-alt abstraction +pub type mbedtls_pk_rsa_alt_decrypt_func = ::core::option::Option< + unsafe extern "C" fn( + ctx: *mut ::core::ffi::c_void, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, + ) -> ::core::ffi::c_int, +>; +pub type mbedtls_pk_rsa_alt_sign_func = ::core::option::Option< + unsafe extern "C" fn( + ctx: *mut ::core::ffi::c_void, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int, +>; +pub type mbedtls_pk_rsa_alt_key_len_func = + ::core::option::Option usize>; unsafe extern "C" { - /// Convert an ECC curve identifier from the PSA encoding to Mbed TLS. - /// - /// \note This function is provided solely for the convenience of - /// Mbed TLS and may be removed at any time without notice. + /// \brief Return information associated with the given PK type /// - /// \param curve A PSA elliptic curve identifier - /// (`PSA_ECC_FAMILY_xxx`). - /// \param bits The bit-length of a private key on \p curve. - /// \param bits_is_sloppy If true, \p bits may be the bit-length rounded up - /// to the nearest multiple of 8. This allows the caller - /// to infer the exact curve from the length of a key - /// which is supplied as a byte string. + /// \param pk_type PK type to search for. /// - /// \return The corresponding Mbed TLS elliptic curve identifier - /// (`MBEDTLS_ECP_DP_xxx`). - /// \return #MBEDTLS_ECP_DP_NONE if \c curve is not recognized. - /// \return #MBEDTLS_ECP_DP_NONE if \p bits is not - /// correct for \p curve. - pub fn mbedtls_ecc_group_of_psa( - curve: psa_ecc_family_t, - bits: usize, - bits_is_sloppy: ::core::ffi::c_int, - ) -> mbedtls_ecp_group_id; + /// \return The PK info associated with the type or NULL if not found. + pub fn mbedtls_pk_info_from_type(pk_type: mbedtls_pk_type_t) -> *const mbedtls_pk_info_t; } unsafe extern "C" { - /// External random generator function, implemented by the platform. - /// - /// When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, - /// this function replaces Mbed TLS's entropy and DRBG modules for all - /// random generation triggered via PSA crypto interfaces. - /// - /// \note This random generator must deliver random numbers with cryptographic - /// quality and high performance. It must supply unpredictable numbers - /// with a uniform distribution. The implementation of this function - /// is responsible for ensuring that the random generator is seeded - /// with sufficient entropy. If you have a hardware TRNG which is slow - /// or delivers non-uniform output, declare it as an entropy source - /// with mbedtls_entropy_add_source() instead of enabling this option. - /// - /// \param[in,out] context Pointer to the random generator context. - /// This is all-bits-zero on the first call - /// and preserved between successive calls. - /// \param[out] output Output buffer. On success, this buffer - /// contains random data with a uniform - /// distribution. - /// \param output_size The size of the \p output buffer in bytes. - /// \param[out] output_length On success, set this value to \p output_size. + /// \brief Initialize a #mbedtls_pk_context (as NONE). /// - /// \retval #PSA_SUCCESS - /// Success. The output buffer contains \p output_size bytes of - /// cryptographic-quality random data, and \c *output_length is - /// set to \p output_size. - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - /// The random generator requires extra entropy and there is no - /// way to obtain entropy under current environment conditions. - /// This error should not happen under normal circumstances since - /// this function is responsible for obtaining as much entropy as - /// it needs. However implementations of this function may return - /// #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain - /// entropy without blocking indefinitely. - /// \retval #PSA_ERROR_HARDWARE_FAILURE - /// A failure of the random generator hardware that isn't covered - /// by #PSA_ERROR_INSUFFICIENT_ENTROPY. - pub fn mbedtls_psa_external_get_random( - context: *mut mbedtls_psa_external_random_context_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_pk_init(ctx: *mut mbedtls_pk_context); } -/// A slot number identifying a key in a driver. -/// -/// Values of this type are used to identify built-in keys. -pub type psa_drv_slot_number_t = u64; -/// \brief Encoding of the application role of PAKE -/// -/// Encodes the application's role in the algorithm is being executed. For more -/// information see the documentation of individual \c PSA_PAKE_ROLE_XXX -/// constants. -pub type psa_pake_role_t = u8; -/// Encoding of input and output indicators for PAKE. -/// -/// Some PAKE algorithms need to exchange more data than just a single key share. -/// This type is for encoding additional input and output data for such -/// algorithms. -pub type psa_pake_step_t = u8; -/// Encoding of the type of the PAKE's primitive. -/// -/// Values defined by this standard will never be in the range 0x80-0xff. -/// Vendors who define additional types must use an encoding in this range. -/// -/// For more information see the documentation of individual -/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. -pub type psa_pake_primitive_type_t = u8; -/// \brief Encoding of the family of the primitive associated with the PAKE. -/// -/// For more information see the documentation of individual -/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. -pub type psa_pake_family_t = u8; -/// \brief Encoding of the primitive associated with the PAKE. -/// -/// For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. -pub type psa_pake_primitive_t = u32; -/// The type of the data structure for PAKE cipher suites. -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_pake_cipher_suite_t = psa_pake_cipher_suite_s; -/// The type of the state data structure for PAKE operations. -/// -/// Before calling any function on a PAKE operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_pake_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_pake_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, -/// for example: -/// \code -/// psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_pake_operation_init() -/// to the structure, for example: -/// \code -/// psa_pake_operation_t operation; -/// operation = psa_pake_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_pake_operation_t = psa_pake_operation_s; -/// The type of input values for PAKE operations. -pub type psa_crypto_driver_pake_inputs_t = psa_crypto_driver_pake_inputs_s; -/// The type of computation stage for J-PAKE operations. -pub type psa_jpake_computation_stage_t = psa_jpake_computation_stage_s; unsafe extern "C" { - /// Get the length of the password in bytes from given inputs. + /// \brief Free the components of a #mbedtls_pk_context. /// - /// \param[in] inputs Operation inputs. - /// \param[out] password_len Password length. + /// \param ctx The context to clear. It must have been initialized. + /// If this is \c NULL, this function does nothing. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Password hasn't been set yet. - pub fn psa_crypto_driver_pake_get_password_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - password_len: *mut usize, - ) -> psa_status_t; + /// \note For contexts that have been set up with + /// mbedtls_pk_setup_opaque(), this does not free the underlying + /// PSA key and you still need to call psa_destroy_key() + /// independently if you want to destroy that key. + pub fn mbedtls_pk_free(ctx: *mut mbedtls_pk_context); } unsafe extern "C" { - /// Get the password from given inputs. - /// - /// \param[in] inputs Operation inputs. - /// \param[out] buffer Return buffer for password. - /// \param buffer_size Size of the return buffer in bytes. - /// \param[out] buffer_length Actual size of the password in bytes. + /// \brief Initialize a PK context with the information given + /// and allocates the type-specific PK subcontext. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Password hasn't been set yet. - pub fn psa_crypto_driver_pake_get_password( - inputs: *const psa_crypto_driver_pake_inputs_t, - buffer: *mut u8, - buffer_size: usize, - buffer_length: *mut usize, - ) -> psa_status_t; -} -unsafe extern "C" { - /// Get the role from given inputs. + /// \param ctx Context to initialize. It must not have been set + /// up yet (type #MBEDTLS_PK_NONE). + /// \param info Information to use /// - /// \param[in] inputs Operation inputs. - /// \param[out] role Return buffer for role. + /// \return 0 on success, + /// MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input, + /// MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Role hasn't been set yet. - pub fn psa_crypto_driver_pake_get_role( - inputs: *const psa_crypto_driver_pake_inputs_t, - role: *mut psa_pake_role_t, - ) -> psa_status_t; + /// \note For contexts holding an RSA-alt key, use + /// \c mbedtls_pk_setup_rsa_alt() instead. + pub fn mbedtls_pk_setup( + ctx: *mut mbedtls_pk_context, + info: *const mbedtls_pk_info_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the length of the user id in bytes from given inputs. + /// \brief Initialize an RSA-alt context /// - /// \param[in] inputs Operation inputs. - /// \param[out] user_len User id length. + /// \param ctx Context to initialize. It must not have been set + /// up yet (type #MBEDTLS_PK_NONE). + /// \param key RSA key pointer + /// \param decrypt_func Decryption function + /// \param sign_func Signing function + /// \param key_len_func Function returning key length in bytes /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// User id hasn't been set yet. - pub fn psa_crypto_driver_pake_get_user_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - user_len: *mut usize, - ) -> psa_status_t; + /// \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the + /// context wasn't already initialized as RSA_ALT. + /// + /// \note This function replaces \c mbedtls_pk_setup() for RSA-alt. + pub fn mbedtls_pk_setup_rsa_alt( + ctx: *mut mbedtls_pk_context, + key: *mut ::core::ffi::c_void, + decrypt_func: mbedtls_pk_rsa_alt_decrypt_func, + sign_func: mbedtls_pk_rsa_alt_sign_func, + key_len_func: mbedtls_pk_rsa_alt_key_len_func, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the length of the peer id in bytes from given inputs. + /// \brief Get the size in bits of the underlying key /// - /// \param[in] inputs Operation inputs. - /// \param[out] peer_len Peer id length. + /// \param ctx The context to query. It must have been initialized. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Peer id hasn't been set yet. - pub fn psa_crypto_driver_pake_get_peer_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - peer_len: *mut usize, - ) -> psa_status_t; + /// \return Key size in bits, or 0 on error + pub fn mbedtls_pk_get_bitlen(ctx: *const mbedtls_pk_context) -> usize; } unsafe extern "C" { - /// Get the user id from given inputs. + /// \brief Tell if a context can do the operation given by type /// - /// \param[in] inputs Operation inputs. - /// \param[out] user_id User id. - /// \param user_id_size Size of \p user_id in bytes. - /// \param[out] user_id_len Size of the user id in bytes. + /// \param ctx The context to query. It must have been initialized. + /// \param type The desired type. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// User id hasn't been set yet. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p user_id is too small. - pub fn psa_crypto_driver_pake_get_user( - inputs: *const psa_crypto_driver_pake_inputs_t, - user_id: *mut u8, - user_id_size: usize, - user_id_len: *mut usize, - ) -> psa_status_t; + /// \return 1 if the context can do operations on the given type. + /// \return 0 if the context cannot do the operations on the given + /// type. This is always the case for a context that has + /// been initialized but not set up, or that has been + /// cleared with mbedtls_pk_free(). + pub fn mbedtls_pk_can_do( + ctx: *const mbedtls_pk_context, + type_: mbedtls_pk_type_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the peer id from given inputs. + /// \brief Determine valid PSA attributes that can be used to + /// import a key into PSA. /// - /// \param[in] inputs Operation inputs. - /// \param[out] peer_id Peer id. - /// \param peer_id_size Size of \p peer_id in bytes. - /// \param[out] peer_id_length Size of the peer id in bytes. + /// The attributes determined by this function are suitable + /// for calling mbedtls_pk_import_into_psa() to create + /// a PSA key with the same key material. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Peer id hasn't been set yet. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p peer_id is too small. - pub fn psa_crypto_driver_pake_get_peer( - inputs: *const psa_crypto_driver_pake_inputs_t, - peer_id: *mut u8, - peer_id_size: usize, - peer_id_length: *mut usize, - ) -> psa_status_t; + /// The typical flow of operations involving this function is + /// ``` + /// psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + /// int ret = mbedtls_pk_get_psa_attributes(pk, &attributes); + /// if (ret != 0) ...; // error handling omitted + /// // Tweak attributes if desired + /// psa_key_id_t key_id = 0; + /// ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id); + /// if (ret != 0) ...; // error handling omitted + /// ``` + /// + /// \note This function does not support RSA-alt contexts + /// (set up with mbedtls_pk_setup_rsa_alt()). + /// + /// \param[in] pk The PK context to use. It must have been set up. + /// It can either contain a key pair or just a public key. + /// \param usage A single `PSA_KEY_USAGE_xxx` flag among the following: + /// - #PSA_KEY_USAGE_DECRYPT: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_ENCRYPT as well as + /// #PSA_KEY_USAGE_DECRYPT. + /// - #PSA_KEY_USAGE_DERIVE: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type. + /// - #PSA_KEY_USAGE_ENCRYPT: The output + /// \p attributes will contain a public key type. + /// - #PSA_KEY_USAGE_SIGN_HASH: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_VERIFY_HASH as well as + /// #PSA_KEY_USAGE_SIGN_HASH. + /// - #PSA_KEY_USAGE_SIGN_MESSAGE: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_VERIFY_MESSAGE as well as + /// #PSA_KEY_USAGE_SIGN_MESSAGE. + /// - #PSA_KEY_USAGE_VERIFY_HASH: The output + /// \p attributes will contain a public key type. + /// - #PSA_KEY_USAGE_VERIFY_MESSAGE: The output + /// \p attributes will contain a public key type. + /// \param[out] attributes + /// On success, valid attributes to import the key into PSA. + /// - The lifetime and key identifier are unchanged. If the + /// attribute structure was initialized or reset before + /// calling this function, this will result in a volatile + /// key. Call psa_set_key_identifier() before or after this + /// function if you wish to create a persistent key. Call + /// psa_set_key_lifetime() before or after this function if + /// you wish to import the key in a secure element. + /// - The key type and bit-size are determined by the contents + /// of the PK context. If the PK context contains a key + /// pair, the key type can be either a key pair type or + /// the corresponding public key type, depending on + /// \p usage. If the PK context contains a public key, + /// the key type is a public key type. + /// - The key's policy is determined by the key type and + /// the \p usage parameter. The usage always allows + /// \p usage, exporting and copying the key, and + /// possibly other permissions as documented for the + /// \p usage parameter. + /// The permitted algorithm policy is determined as follows + /// based on the #mbedtls_pk_type_t type of \p pk, + /// the chosen \p usage and other factors: + /// - #MBEDTLS_PK_RSA whose underlying + /// #mbedtls_rsa_context has the padding mode + /// #MBEDTLS_RSA_PKCS_V15: + /// #PSA_ALG_RSA_PKCS1V15_SIGN(#PSA_ALG_ANY_HASH) + /// if \p usage is SIGN/VERIFY, and + /// #PSA_ALG_RSA_PKCS1V15_CRYPT + /// if \p usage is ENCRYPT/DECRYPT. + /// - #MBEDTLS_PK_RSA whose underlying + /// #mbedtls_rsa_context has the padding mode + /// #MBEDTLS_RSA_PKCS_V21 and the digest type + /// corresponding to the PSA algorithm \c hash: + /// #PSA_ALG_RSA_PSS_ANY_SALT(#PSA_ALG_ANY_HASH) + /// if \p usage is SIGN/VERIFY, and + /// #PSA_ALG_RSA_OAEP(\c hash) + /// if \p usage is ENCRYPT/DECRYPT. + /// - #MBEDTLS_PK_RSA_ALT: not supported. + /// - #MBEDTLS_PK_ECDSA or #MBEDTLS_PK_ECKEY + /// if \p usage is SIGN/VERIFY: + /// #PSA_ALG_DETERMINISTIC_ECDSA(#PSA_ALG_ANY_HASH) + /// if #MBEDTLS_ECDSA_DETERMINISTIC is enabled, + /// otherwise #PSA_ALG_ECDSA(#PSA_ALG_ANY_HASH). + /// - #MBEDTLS_PK_ECKEY_DH or #MBEDTLS_PK_ECKEY + /// if \p usage is DERIVE: + /// #PSA_ALG_ECDH. + /// - #MBEDTLS_PK_OPAQUE: same as the primary algorithm + /// set for the underlying PSA key, except that + /// sign/decrypt flags are removed if the type is + /// set to a public key type. + /// The underlying key must allow \p usage. + /// Note that the enrollment algorithm set with + /// psa_set_key_enrollment_algorithm() is not copied. + /// + /// \return 0 on success. + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + /// a key of the type identified in \p attributes. + /// Another error code on other failures. + pub fn mbedtls_pk_get_psa_attributes( + pk: *const mbedtls_pk_context, + usage: psa_key_usage_t, + attributes: *mut psa_key_attributes_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the cipher suite from given inputs. - /// - /// \param[in] inputs Operation inputs. - /// \param[out] cipher_suite Return buffer for role. + /// \brief Import a key into the PSA key store. + /// + /// This function is equivalent to calling psa_import_key() + /// with the key material from \p pk. + /// + /// The typical way to use this function is: + /// -# Call mbedtls_pk_get_psa_attributes() to obtain + /// attributes for the given key. + /// -# If desired, modify the attributes, for example: + /// - To create a persistent key, call + /// psa_set_key_identifier() and optionally + /// psa_set_key_lifetime(). + /// - To import only the public part of a key pair: + /// + /// psa_set_key_type(&attributes, + /// PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( + /// psa_get_key_type(&attributes))); + /// - Restrict the key usage if desired. + /// -# Call mbedtls_pk_import_into_psa(). + /// + /// \note This function does not support RSA-alt contexts + /// (set up with mbedtls_pk_setup_rsa_alt()). + /// + /// \param[in] pk The PK context to use. It must have been set up. + /// It can either contain a key pair or just a public key. + /// \param[in] attributes + /// The attributes to use for the new key. They must be + /// compatible with \p pk. In particular, the key type + /// must match the content of \p pk. + /// If \p pk contains a key pair, the key type in + /// attributes can be either the key pair type or the + /// corresponding public key type (to import only the + /// public part). + /// \param[out] key_id + /// On success, the identifier of the newly created key. + /// On error, this is #MBEDTLS_SVC_KEY_ID_INIT. + /// + /// \return 0 on success. + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + /// a key of the type identified in \p attributes. + /// Another error code on other failures. + pub fn mbedtls_pk_import_into_psa( + pk: *const mbedtls_pk_context, + attributes: *const psa_key_attributes_t, + key_id: *mut mbedtls_svc_key_id_t, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Create a PK context starting from a key stored in PSA. + /// This key: + /// - must be exportable and + /// - must be an RSA or EC key pair or public key (FFDH is not supported in PK). + /// + /// The resulting PK object will be a transparent type: + /// - #MBEDTLS_PK_RSA for RSA keys or + /// - #MBEDTLS_PK_ECKEY for EC keys. + /// + /// Once this functions returns the PK object will be completely + /// independent from the original PSA key that it was generated + /// from. + /// Calling mbedtls_pk_sign(), mbedtls_pk_verify(), + /// mbedtls_pk_encrypt(), mbedtls_pk_decrypt() on the resulting + /// PK context will perform the corresponding algorithm for that + /// PK context type. + /// * For ECDSA, the choice of deterministic vs randomized will + /// be based on the compile-time setting #MBEDTLS_ECDSA_DETERMINISTIC. + /// * For an RSA key, the output PK context will allow both + /// encrypt/decrypt and sign/verify regardless of the original + /// key's policy. + /// The original key's policy determines the output key's padding + /// mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS, + /// otherwise PKCS1 v1.5 is set. + /// + /// \param key_id The key identifier of the key stored in PSA. + /// \param pk The PK context that will be filled. It must be initialized, + /// but not set up. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Cipher_suite hasn't been set yet. - pub fn psa_crypto_driver_pake_get_cipher_suite( - inputs: *const psa_crypto_driver_pake_inputs_t, - cipher_suite: *mut psa_pake_cipher_suite_t, - ) -> psa_status_t; + /// \return 0 on success. + /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input + /// parameters are not correct. + pub fn mbedtls_pk_copy_from_psa( + key_id: mbedtls_svc_key_id_t, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the session information for a password-authenticated key exchange. + /// \brief Create a PK context for the public key of a PSA key. /// - /// The sequence of operations to set up a password-authenticated key exchange - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_pake_operation_t, e.g. - /// #PSA_PAKE_OPERATION_INIT. - /// -# Call psa_pake_setup() to specify the cipher suite. - /// -# Call \c psa_pake_set_xxx() functions on the operation to complete the - /// setup. The exact sequence of \c psa_pake_set_xxx() functions that needs - /// to be called depends on the algorithm in use. + /// The key must be an RSA or ECC key. It can be either a + /// public key or a key pair, and only the public key is copied. + /// The resulting PK object will be a transparent type: + /// - #MBEDTLS_PK_RSA for RSA keys or + /// - #MBEDTLS_PK_ECKEY for EC keys. /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// Once this functions returns the PK object will be completely + /// independent from the original PSA key that it was generated + /// from. + /// Calling mbedtls_pk_verify() or + /// mbedtls_pk_encrypt() on the resulting + /// PK context will perform the corresponding algorithm for that + /// PK context type. /// - /// A typical sequence of calls to perform a password-authenticated key - /// exchange: - /// -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the - /// key share that needs to be sent to the peer. - /// -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide - /// the key share that was received from the peer. - /// -# Depending on the algorithm additional calls to psa_pake_output() and - /// psa_pake_input() might be necessary. - /// -# Call psa_pake_get_implicit_key() for accessing the shared secret. + /// For an RSA key, the output PK context will allow both + /// encrypt and verify regardless of the original key's policy. + /// The original key's policy determines the output key's padding + /// mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS, + /// otherwise PKCS1 v1.5 is set. /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \param key_id The key identifier of the key stored in PSA. + /// \param pk The PK context that will be filled. It must be initialized, + /// but not set up. /// - /// If an error occurs at any step after a call to psa_pake_setup(), - /// the operation will need to be reset by a call to psa_pake_abort(). The - /// application may call psa_pake_abort() at any time after the operation - /// has been initialized. + /// \return 0 on success. + /// \return MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input + /// parameters are not correct. + pub fn mbedtls_pk_copy_public_from_psa( + key_id: mbedtls_svc_key_id_t, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Verify signature (including padding if relevant). /// - /// After a successful call to psa_pake_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A call to psa_pake_abort(). - /// - A successful call to psa_pake_get_implicit_key(). + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used. + /// This can be #MBEDTLS_MD_NONE if the signature algorithm + /// does not rely on a hash algorithm (non-deterministic + /// ECDSA, RSA PKCS#1 v1.5). + /// For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then + /// \p hash is the DigestInfo structure used by RFC 8017 + /// §9.2 steps 3–6. If \p md_alg is a valid hash + /// algorithm then \p hash is the digest itself, and this + /// function calculates the DigestInfo encoding internally. + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Signature to verify + /// \param sig_len Signature length /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized but not set up yet. - /// \param[in] cipher_suite The cipher suite to use. (A cipher suite fully - /// characterizes a PAKE algorithm and determines - /// the algorithm as well.) + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or PSS (accepting any salt length), + /// depending on the padding mode in the underlying RSA context. + /// For a pk object constructed by parsing, this is PKCS#1 v1.5 + /// by default. Use mbedtls_pk_verify_ext() to explicitly select + /// a different algorithm. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The algorithm in \p cipher_suite is not a PAKE algorithm, or the - /// PAKE primitive in \p cipher_suite is not compatible with the - /// PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid - /// or not compatible with the PAKE algorithm and primitive. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The algorithm in \p cipher_suite is not a supported PAKE algorithm, - /// or the PAKE primitive in \p cipher_suite is not supported or not - /// compatible with the PAKE algorithm, or the hash algorithm in - /// \p cipher_suite is not supported or not compatible with the PAKE - /// algorithm and primitive. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_setup( - operation: *mut psa_pake_operation_t, - cipher_suite: *const psa_pake_cipher_suite_t, - ) -> psa_status_t; + /// \return 0 on success (signature is valid), + /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig but its length is less than \p sig_len, + /// or a specific error code. + pub fn mbedtls_pk_verify( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the password for a password-authenticated key exchange from key ID. + /// \brief Restartable version of \c mbedtls_pk_verify() /// - /// Call this function when the password, or a value derived from the password, - /// is already present in the key store. + /// \note Performs the same job as \c mbedtls_pk_verify(), but can + /// return early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC + /// operations. For RSA, same as \c mbedtls_pk_verify(). /// - /// \param[in,out] operation The operation object to set the password for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the password hasn't - /// been set yet (psa_pake_set_password_key() - /// hasn't been called yet). - /// \param password Identifier of the key holding the password or a - /// value derived from the password (eg. by a - /// memory-hard function). It must remain valid - /// until the operation terminates. It must be of - /// type #PSA_KEY_TYPE_PASSWORD or - /// #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow - /// the usage #PSA_KEY_USAGE_DERIVE. + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length or 0 (see notes) + /// \param sig Signature to verify + /// \param sig_len Signature length + /// \param rs_ctx Restart context (NULL to disable restart) /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p password is not a valid key identifier. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not - /// permit the \p operation's algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or - /// #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with - /// the \p operation's cipher suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size of \p password is not supported with the - /// \p operation's cipher suite. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must have been set up.), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_password_key( - operation: *mut psa_pake_operation_t, - password: mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return See \c mbedtls_pk_verify(), or + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + pub fn mbedtls_pk_verify_restartable( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + rs_ctx: *mut mbedtls_pk_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Verify signature, with options. + /// (Includes verification of the padding depending on type.) + /// + /// \param type Signature type (inc. possible padding type) to verify + /// \param options Pointer to type-specific options, or NULL + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length or 0 (see notes) + /// \param sig Signature to verify + /// \param sig_len Signature length + /// + /// \return 0 on success (signature is valid), + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be + /// used for this type of signatures, + /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig but its length is less than \p sig_len, + /// or a specific error code. + /// + /// \note If hash_len is 0, then the length associated with md_alg + /// is used instead, or an error returned if it is invalid. + /// + /// \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0 + /// + /// \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point + /// to a mbedtls_pk_rsassa_pss_options structure, + /// otherwise it must be NULL. Note that if + /// #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not + /// verified as PSA_ALG_RSA_PSS_ANY_SALT is used. + pub fn mbedtls_pk_verify_ext( + type_: mbedtls_pk_type_t, + options: *const ::core::ffi::c_void, + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the user ID for a password-authenticated key exchange. + /// \brief Make signature, including padding if relevant. /// - /// Call this function to set the user ID. For PAKE algorithms that associate a - /// user identifier with each side of the session you need to call - /// psa_pake_set_peer() as well. For PAKE algorithms that associate a single - /// user identifier with the session, call psa_pake_set_user() only. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or PSS (using the largest possible salt + /// length up to the hash length), depending on the padding mode + /// in the underlying RSA context. For a pk object constructed + /// by parsing, this is PKCS#1 v1.5 by default. Use + /// mbedtls_pk_verify_ext() to explicitly select a different + /// algorithm. /// - /// \param[in,out] operation The operation object to set the user ID for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the user ID hasn't - /// been set (psa_pake_set_user() hasn't been - /// called yet). - /// \param[in] user_id The user ID to authenticate with. - /// (temporary limitation: "client" or "server" only) - /// \param user_id_len Size of the \p user_id buffer in bytes. + /// \return 0 on success, or a specific error code. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p user_id is not valid for the \p operation's algorithm and cipher - /// suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The value of \p user_id is not supported by the implementation. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_user( - operation: *mut psa_pake_operation_t, - user_id: *const u8, - user_id_len: usize, - ) -> psa_status_t; + /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. + /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. + pub fn mbedtls_pk_sign( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the peer ID for a password-authenticated key exchange. + /// \brief Make signature given a signature type. /// - /// Call this function in addition to psa_pake_set_user() for PAKE algorithms - /// that associate a user identifier with each side of the session. For PAKE - /// algorithms that associate a single user identifier with the session, call - /// psa_pake_set_user() only. + /// \param pk_type Signature type. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \return 0 on success, or a specific error code. /// - /// \param[in,out] operation The operation object to set the peer ID for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the peer ID hasn't - /// been set (psa_pake_set_peer() hasn't been - /// called yet). - /// \param[in] peer_id The peer's ID to authenticate. - /// (temporary limitation: "client" or "server" only) - /// \param peer_id_len Size of the \p peer_id buffer in bytes. + /// \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS, + /// see #PSA_ALG_RSA_PSS for a description of PSS options used. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p user_id is not valid for the \p operation's algorithm and cipher - /// suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The algorithm doesn't associate a second identity with the session. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// Calling psa_pake_set_peer() is invalid with the \p operation's - /// algorithm, the operation state is not valid, or the library has not - /// been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_peer( - operation: *mut psa_pake_operation_t, - peer_id: *const u8, - peer_id_len: usize, - ) -> psa_status_t; + /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. + /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. + pub fn mbedtls_pk_sign_ext( + pk_type: mbedtls_pk_type_t, + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the application role for a password-authenticated key exchange. + /// \brief Restartable version of \c mbedtls_pk_sign() /// - /// Not all PAKE algorithms need to differentiate the communicating entities. - /// It is optional to call this function for PAKEs that don't require a role - /// to be specified. For such PAKEs the application role parameter is ignored, - /// or #PSA_PAKE_ROLE_NONE can be passed as \c role. + /// \note Performs the same job as \c mbedtls_pk_sign(), but can + /// return early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC + /// operations. For RSA, same as \c mbedtls_pk_sign(). /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign()) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter + /// \param rs_ctx Restart context (NULL to disable restart) /// - /// \param[in,out] operation The operation object to specify the - /// application's role for. It must have been set up - /// by psa_pake_setup() and not yet in use (neither - /// psa_pake_output() nor psa_pake_input() has been - /// called yet). It must be on operation for which - /// the application's role hasn't been specified - /// (psa_pake_set_role() hasn't been called yet). - /// \param role A value of type ::psa_pake_role_t indicating the - /// application's role in the PAKE the algorithm - /// that is being set up. For more information see - /// the documentation of \c PSA_PAKE_ROLE_XXX - /// constants. + /// \return See \c mbedtls_pk_sign(). + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + pub fn mbedtls_pk_sign_restartable( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_pk_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Decrypt message (including padding if relevant). /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The \p role is not a valid PAKE role in the \p operation’s algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The \p role for this algorithm is not supported or is not valid. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_role( - operation: *mut psa_pake_operation_t, - role: psa_pake_role_t, - ) -> psa_status_t; + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param input Input to decrypt + /// \param ilen Input size + /// \param output Decrypted output + /// \param olen Decrypted message length + /// \param osize Size of the output buffer + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter + /// + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or OAEP, depending on the padding mode in + /// the underlying RSA context. For a pk object constructed by + /// parsing, this is PKCS#1 v1.5 by default. + /// + /// \return 0 on success, or a specific error code. + pub fn mbedtls_pk_decrypt( + ctx: *mut mbedtls_pk_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + osize: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get output for a step of a password-authenticated key exchange. + /// \brief Encrypt message (including padding if relevant). /// - /// Depending on the algorithm being executed, you might need to call this - /// function several times or you might not need to call this at all. + /// \param ctx The PK context to use. It must have been set up. + /// \param input Message to encrypt + /// \param ilen Message size + /// \param output Encrypted output + /// \param olen Encrypted output length + /// \param osize Size of the output buffer + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or OAEP, depending on the padding mode in + /// the underlying RSA context. For a pk object constructed by + /// parsing, this is PKCS#1 v1.5 by default. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_pake_abort(). + /// \note \p f_rng is used for padding generation. /// - /// \param[in,out] operation Active PAKE operation. - /// \param step The step of the algorithm for which the output is - /// requested. - /// \param[out] output Buffer where the output is to be written in the - /// format appropriate for this \p step. Refer to - /// the documentation of the individual - /// \c PSA_PAKE_STEP_XXX constants for more - /// information. - /// \param output_size Size of the \p output buffer in bytes. This must - /// be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \p - /// primitive, \p step) where \p alg and - /// \p primitive are the PAKE algorithm and primitive - /// in the operation's cipher suite, and \p step is - /// the output step. + /// \return 0 on success, or a specific error code. + pub fn mbedtls_pk_encrypt( + ctx: *mut mbedtls_pk_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + osize: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Check if a public-private pair of keys matches. /// - /// \param[out] output_length On success, the number of bytes of the returned - /// output. + /// \param pub Context holding a public key. + /// \param prv Context holding a private (and public) key. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p step is not compatible with the operation's algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p step is not supported with the operation's algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and fully set - /// up, and this call must conform to the algorithm's requirements - /// for ordering of input and output steps), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_output( - operation: *mut psa_pake_operation_t, - step: psa_pake_step_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success (keys were checked and match each other). + /// \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not + /// be checked - in that case they may or may not match. + /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid. + /// \return Another non-zero value if the keys do not match. + pub fn mbedtls_pk_check_pair( + pub_: *const mbedtls_pk_context, + prv: *const mbedtls_pk_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Provide input for a step of a password-authenticated key exchange. + /// \brief Export debug information /// - /// Depending on the algorithm being executed, you might need to call this - /// function several times or you might not need to call this at all. + /// \param ctx The PK context to use. It must have been initialized. + /// \param items Place to write debug items /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA + pub fn mbedtls_pk_debug( + ctx: *const mbedtls_pk_context, + items: *mut mbedtls_pk_debug_item, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Access the type name /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_pake_abort(). + /// \param ctx The PK context to use. It must have been initialized. /// - /// \param[in,out] operation Active PAKE operation. - /// \param step The step for which the input is provided. - /// \param[in] input Buffer containing the input in the format - /// appropriate for this \p step. Refer to the - /// documentation of the individual - /// \c PSA_PAKE_STEP_XXX constants for more - /// information. - /// \param input_length Size of the \p input buffer in bytes. + /// \return Type name on success, or "invalid PK" + pub fn mbedtls_pk_get_name(ctx: *const mbedtls_pk_context) -> *const ::core::ffi::c_char; +} +unsafe extern "C" { + /// \brief Get the key type /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p is not compatible with the \p operation’s algorithm, or the - /// \p input is not valid for the \p operation's algorithm, cipher suite - /// or \p step. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p step p is not supported with the \p operation's algorithm, or the - /// \p input is not supported for the \p operation's algorithm, cipher - /// suite or \p step. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and fully set - /// up, and this call must conform to the algorithm's requirements - /// for ordering of input and output steps), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_input( - operation: *mut psa_pake_operation_t, - step: psa_pake_step_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \param ctx The PK context to use. It must have been initialized. + /// + /// \return Type on success. + /// \return #MBEDTLS_PK_NONE for a context that has not been set up. + pub fn mbedtls_pk_get_type(ctx: *const mbedtls_pk_context) -> mbedtls_pk_type_t; } unsafe extern "C" { - /// Get implicitly confirmed shared secret from a PAKE. + /// \ingroup pk_module */ + ////** + /// \brief Parse a private key in PEM or DER format /// - /// At this point there is a cryptographic guarantee that only the authenticated - /// party who used the same password is able to compute the key. But there is no - /// guarantee that the peer is the party it claims to be and was able to do so. + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. /// - /// That is, the authentication is only implicit. Since the peer is not - /// authenticated yet, no action should be taken yet that assumes that the peer - /// is who it claims to be. For example, do not access restricted files on the - /// peer's behalf until an explicit authentication has succeeded. + /// \param ctx The PK context to fill. It must have been initialized + /// but not set up. + /// \param key Input buffer to parse. + /// The buffer must contain the input exactly, with no + /// extra trailing material. For PEM, the buffer must + /// contain a null-terminated string. + /// \param keylen Size of \b key in bytes. + /// For PEM data, this includes the terminating null byte, + /// so \p keylen must be equal to `strlen(key) + 1`. + /// \param pwd Optional password for decryption. + /// Pass \c NULL if expecting a non-encrypted key. + /// Pass a string of \p pwdlen bytes if expecting an encrypted + /// key; a non-encrypted key will also be accepted. + /// The empty password is not supported. + /// \param pwdlen Size of the password in bytes. + /// Ignored if \p pwd is \c NULL. + /// \param f_rng RNG function, must not be \c NULL. Used for blinding. + /// \param p_rng RNG parameter /// - /// This function can be called after the key exchange phase of the operation - /// has completed. It imports the shared secret output of the PAKE into the - /// provided derivation operation. The input step - /// #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key - /// material in the key derivation operation. + /// \note On entry, ctx must be empty, either freshly initialised + /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a + /// specific key type, check the result with mbedtls_pk_can_do(). /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \note The key is also checked for correctness. /// - /// When this function returns successfully, \p operation becomes inactive. - /// If this function returns an error status, both \p operation - /// and \p key_derivation operations enter an error state and must be aborted by - /// calling psa_pake_abort() and psa_key_derivation_abort() respectively. + /// \return 0 if successful, or a specific PK or PEM error code + pub fn mbedtls_pk_parse_key( + ctx: *mut mbedtls_pk_context, + key: *const ::core::ffi::c_uchar, + keylen: usize, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \ingroup pk_module */ + ////** + /// \brief Parse a public key in PEM or DER format /// - /// \param[in,out] operation Active PAKE operation. - /// \param[out] output A key derivation operation that is ready - /// for an input step of type - /// #PSA_KEY_DERIVATION_INPUT_SECRET. + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the - /// algorithm in the \p output key derivation operation. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// Input from a PAKE is not supported by the algorithm in the \p output - /// key derivation operation. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The PAKE operation state is not valid (it must be active, but beyond - /// that validity is specific to the algorithm), or - /// the library has not been previously initialized by psa_crypto_init(), - /// or the state of \p output is not valid for - /// the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the - /// step is out of order or the application has done this step already - /// and it may not be repeated. - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_get_implicit_key( - operation: *mut psa_pake_operation_t, - output: *mut psa_key_derivation_operation_t, - ) -> psa_status_t; + /// \param ctx The PK context to fill. It must have been initialized + /// but not set up. + /// \param key Input buffer to parse. + /// The buffer must contain the input exactly, with no + /// extra trailing material. For PEM, the buffer must + /// contain a null-terminated string. + /// \param keylen Size of \b key in bytes. + /// For PEM data, this includes the terminating null byte, + /// so \p keylen must be equal to `strlen(key) + 1`. + /// + /// \note On entry, ctx must be empty, either freshly initialised + /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a + /// specific key type, check the result with mbedtls_pk_can_do(). + /// + /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for + /// limitations. + /// + /// \note The key is also checked for correctness. + /// + /// \return 0 if successful, or a specific PK or PEM error code + pub fn mbedtls_pk_parse_public_key( + ctx: *mut mbedtls_pk_context, + key: *const ::core::ffi::c_uchar, + keylen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a PAKE operation. + /// \brief Write a private key to a PKCS#1 or SEC1 DER structure + /// Note: data is written at the end of the buffer! Use the + /// return value to determine where you should start + /// using the buffer /// - /// Aborting an operation frees all associated resources except for the \c - /// operation structure itself. Once aborted, the operation object can be reused - /// for another operation by calling psa_pake_setup() again. + /// \param ctx PK context which must contain a valid private key. + /// \param buf buffer to write to + /// \param size size of the buffer /// - /// This function may be called at any time after the operation - /// object has been initialized as described in #psa_pake_operation_t. + /// \return length of data written if successful, or a specific + /// error code + pub fn mbedtls_pk_write_key_der( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Write a public key to a SubjectPublicKeyInfo DER structure + /// Note: data is written at the end of the buffer! Use the + /// return value to determine where you should start + /// using the buffer /// - /// In particular, calling psa_pake_abort() after the operation has been - /// terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() - /// is safe and has no effect. + /// \param ctx PK context which must contain a valid public or private key. + /// \param buf buffer to write to + /// \param size size of the buffer /// - /// \param[in,out] operation The operation to abort. + /// \return length of data written if successful, or a specific + /// error code + pub fn mbedtls_pk_write_pubkey_der( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Write a public key to a PEM string /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_abort(operation: *mut psa_pake_operation_t) -> psa_status_t; + /// \param ctx PK context which must contain a valid public or private key. + /// \param buf Buffer to write to. The output includes a + /// terminating null byte. + /// \param size Size of the buffer in bytes. + /// + /// \return 0 if successful, or a specific error code + pub fn mbedtls_pk_write_pubkey_pem( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_pake_cipher_suite_s { - pub algorithm: psa_algorithm_t, - pub type_: psa_pake_primitive_type_t, - pub family: psa_pake_family_t, - pub bits: u16, - pub hash: psa_algorithm_t, +unsafe extern "C" { + /// \brief Write a private key to a PKCS#1 or SEC1 PEM string + /// + /// \param ctx PK context which must contain a valid private key. + /// \param buf Buffer to write to. The output includes a + /// terminating null byte. + /// \param size Size of the buffer in bytes. + /// + /// \return 0 if successful, or a specific error code + pub fn mbedtls_pk_write_key_pem( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_crypto_driver_pake_inputs_s { - pub private_password: *mut u8, - pub private_password_len: usize, - pub private_role: psa_pake_role_t, - pub private_user: *mut u8, - pub private_user_len: usize, - pub private_peer: *mut u8, - pub private_peer_len: usize, - pub private_attributes: psa_key_attributes_t, - pub private_cipher_suite: psa_pake_cipher_suite_t, +unsafe extern "C" { + /// \brief Parse a SubjectPublicKeyInfo DER structure + /// + /// \param p the position in the ASN.1 data + /// \param end end of the buffer + /// \param pk The PK context to fill. It must have been initialized + /// but not set up. + /// + /// \return 0 if successful, or a specific PK error code + pub fn mbedtls_pk_parse_subpubkey( + p: *mut *mut ::core::ffi::c_uchar, + end: *const ::core::ffi::c_uchar, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; } -impl Default for psa_crypto_driver_pake_inputs_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Write a subjectPublicKey to ASN.1 data + /// Note: function works backwards in data buffer + /// + /// \param p reference to current position pointer + /// \param start start of the buffer (for bounds-checking) + /// \param key PK context which must contain a valid public or private key. + /// + /// \return the length written or a negative error code + pub fn mbedtls_pk_write_pubkey( + p: *mut *mut ::core::ffi::c_uchar, + start: *mut ::core::ffi::c_uchar, + key: *const mbedtls_pk_context, + ) -> ::core::ffi::c_int; } -pub const psa_jpake_step_PSA_PAKE_STEP_INVALID: psa_jpake_step = 0; -pub const psa_jpake_step_PSA_PAKE_STEP_X1_X2: psa_jpake_step = 1; -pub const psa_jpake_step_PSA_PAKE_STEP_X2S: psa_jpake_step = 2; -pub const psa_jpake_step_PSA_PAKE_STEP_DERIVE: psa_jpake_step = 3; -pub type psa_jpake_step = ::core::ffi::c_uint; -pub use self::psa_jpake_step as psa_jpake_step_t; -pub const psa_jpake_state_PSA_PAKE_STATE_INVALID: psa_jpake_state = 0; -pub const psa_jpake_state_PSA_PAKE_STATE_SETUP: psa_jpake_state = 1; -pub const psa_jpake_state_PSA_PAKE_STATE_READY: psa_jpake_state = 2; -pub const psa_jpake_state_PSA_PAKE_OUTPUT_X1_X2: psa_jpake_state = 3; -pub const psa_jpake_state_PSA_PAKE_OUTPUT_X2S: psa_jpake_state = 4; -pub const psa_jpake_state_PSA_PAKE_INPUT_X1_X2: psa_jpake_state = 5; -pub const psa_jpake_state_PSA_PAKE_INPUT_X4S: psa_jpake_state = 6; -pub type psa_jpake_state = ::core::ffi::c_uint; -pub use self::psa_jpake_state as psa_jpake_state_t; -pub const psa_jpake_sequence_PSA_PAKE_SEQ_INVALID: psa_jpake_sequence = 0; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_KEY_SHARE: psa_jpake_sequence = 1; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_ZK_PUBLIC: psa_jpake_sequence = 2; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_ZK_PROOF: psa_jpake_sequence = 3; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_KEY_SHARE: psa_jpake_sequence = 4; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_ZK_PUBLIC: psa_jpake_sequence = 5; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_ZK_PROOF: psa_jpake_sequence = 6; -pub const psa_jpake_sequence_PSA_PAKE_SEQ_END: psa_jpake_sequence = 7; -pub type psa_jpake_sequence = ::core::ffi::c_uint; -pub use self::psa_jpake_sequence as psa_jpake_sequence_t; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_STEP_INVALID: psa_crypto_driver_pake_step = 0; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 1; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 2; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 3; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 4; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 5; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 6; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 7; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 8; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 9; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_NONE: mbedtls_key_exchange_type_t = 0; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA: mbedtls_key_exchange_type_t = 1; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_RSA: mbedtls_key_exchange_type_t = 2; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: mbedtls_key_exchange_type_t = + 3; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + mbedtls_key_exchange_type_t = 4; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_PSK: mbedtls_key_exchange_type_t = 5; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_PSK: mbedtls_key_exchange_type_t = 6; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA_PSK: mbedtls_key_exchange_type_t = 7; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: mbedtls_key_exchange_type_t = + 8; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_RSA: mbedtls_key_exchange_type_t = + 9; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: mbedtls_key_exchange_type_t = 10; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECJPAKE: mbedtls_key_exchange_type_t = 11; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 12; -pub type psa_crypto_driver_pake_step = ::core::ffi::c_uint; -pub use self::psa_crypto_driver_pake_step as psa_crypto_driver_pake_step_t; -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_jpake_computation_stage_s { - pub private_state: psa_jpake_state_t, - pub private_sequence: psa_jpake_sequence_t, - pub private_input_step: psa_jpake_step_t, - pub private_output_step: psa_jpake_step_t, -} -impl Default for psa_jpake_computation_stage_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_pake_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_alg: psa_algorithm_t, - pub private_stage: u8, - pub private_computation_stage: psa_pake_operation_s__bindgen_ty_1, - pub private_data: psa_pake_operation_s__bindgen_ty_2, -} +pub type mbedtls_key_exchange_type_t = ::core::ffi::c_uint; +/// \brief This structure is used for storing ciphersuite information +/// +/// \note members are defined using integral types instead of enums +/// in order to pack structure and reduce memory usage by internal +/// \c ciphersuite_definitions[] #[repr(C)] #[derive(Copy, Clone)] -pub union psa_pake_operation_s__bindgen_ty_1 { - pub private_dummy: u8, - pub private_jpake: psa_jpake_computation_stage_t, +pub struct mbedtls_ssl_ciphersuite_t { + pub private_id: ::core::ffi::c_int, + pub private_name: *const ::core::ffi::c_char, + pub private_cipher: u8, + pub private_mac: u8, + pub private_key_exchange: u8, + pub private_flags: u8, + pub private_min_tls_version: u16, + pub private_max_tls_version: u16, } -impl Default for psa_pake_operation_s__bindgen_ty_1 { +impl Default for mbedtls_ssl_ciphersuite_t { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -18651,29 +19851,23 @@ impl Default for psa_pake_operation_s__bindgen_ty_1 { } } } -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_pake_operation_s__bindgen_ty_2 { - pub private_ctx: psa_driver_pake_context_t, - pub private_inputs: psa_crypto_driver_pake_inputs_t, +unsafe extern "C" { + pub fn mbedtls_ssl_list_ciphersuites() -> *const ::core::ffi::c_int; } -impl Default for psa_pake_operation_s__bindgen_ty_2 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_from_string( + ciphersuite_name: *const ::core::ffi::c_char, + ) -> *const mbedtls_ssl_ciphersuite_t; } -impl Default for psa_pake_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_from_id( + ciphersuite_id: ::core::ffi::c_int, + ) -> *const mbedtls_ssl_ciphersuite_t; +} +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( + info: *const mbedtls_ssl_ciphersuite_t, + ) -> usize; } /// Type-length-value structure that allows for ASN1 using DER. pub type mbedtls_x509_buf = mbedtls_asn1_buf; @@ -18684,6 +19878,23 @@ pub type mbedtls_x509_bitstring = mbedtls_asn1_bitstring; pub type mbedtls_x509_name = mbedtls_asn1_named_data; /// Container for a sequence of ASN.1 items pub type mbedtls_x509_sequence = mbedtls_asn1_sequence; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_x509_authority { + pub keyIdentifier: mbedtls_x509_buf, + pub authorityCertIssuer: mbedtls_x509_sequence, + pub authorityCertSerialNumber: mbedtls_x509_buf, + pub raw: mbedtls_x509_buf, +} +impl Default for mbedtls_x509_authority { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} /// Container for date and time (precision in seconds). #[repr(C)] #[derive(Default, Copy, Clone)] @@ -18775,9 +19986,9 @@ pub struct mbedtls_x509_subject_alternative_name { #[repr(C)] #[derive(Copy, Clone)] pub union mbedtls_x509_subject_alternative_name__bindgen_ty_1 { - ///< The otherName supported type. pub other_name: mbedtls_x509_san_other_name, - ///< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported + pub directory_name: mbedtls_x509_name, + ///< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. pub unstructured_name: mbedtls_x509_buf, } impl Default for mbedtls_x509_subject_alternative_name__bindgen_ty_1 { @@ -18798,6 +20009,21 @@ impl Default for mbedtls_x509_subject_alternative_name { } } } +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_x509_san_list { + pub node: mbedtls_x509_subject_alternative_name, + pub next: *mut mbedtls_x509_san_list, +} +impl Default for mbedtls_x509_san_list { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} unsafe extern "C" { /// \brief Store the certificate DN in printable form into buf; /// no more than size characters will be written. @@ -18814,6 +20040,26 @@ unsafe extern "C" { dn: *const mbedtls_x509_name, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Convert the certificate DN string \p name into + /// a linked list of mbedtls_x509_name (equivalent to + /// mbedtls_asn1_named_data). + /// + /// \note This function allocates a linked list, and places the head + /// pointer in \p head. This list must later be freed by a + /// call to mbedtls_asn1_free_named_data_list(). + /// + /// \param[out] head Address in which to store the pointer to the head of the + /// allocated list of mbedtls_x509_name. Must point to NULL on + /// entry. + /// \param[in] name The string representation of a DN to convert + /// + /// \return 0 on success, or a negative error code. + pub fn mbedtls_x509_string_to_names( + head: *mut *mut mbedtls_asn1_named_data, + name: *const ::core::ffi::c_char, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Store the certificate serial in printable form into buf; /// no more than size characters will be written. @@ -18830,6 +20076,20 @@ unsafe extern "C" { serial: *const mbedtls_x509_buf, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Compare pair of mbedtls_x509_time. + /// + /// \param t1 mbedtls_x509_time to compare + /// \param t2 mbedtls_x509_time to compare + /// + /// \return < 0 if t1 is before t2 + /// 0 if t1 equals t2 + /// > 0 if t1 is after t2 + pub fn mbedtls_x509_time_cmp( + t1: *const mbedtls_x509_time, + t2: *const mbedtls_x509_time, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Check a given mbedtls_x509_time against the system time /// and tell if it's in the past. @@ -18858,21 +20118,25 @@ unsafe extern "C" { } unsafe extern "C" { /// \brief This function parses an item in the SubjectAlternativeNames - /// extension. + /// extension. Please note that this function might allocate + /// additional memory for a subject alternative name, thus + /// mbedtls_x509_free_subject_alt_name has to be called + /// to dispose of this additional memory afterwards. /// /// \param san_buf The buffer holding the raw data item of the subject /// alternative name. /// \param san The target structure to populate with the parsed presentation - /// of the subject alternative name encoded in \p san_raw. + /// of the subject alternative name encoded in \p san_buf. /// /// \note Supported GeneralName types, as defined in RFC 5280: - /// "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name" + /// "rfc822Name", "dnsName", "directoryName", + /// "uniformResourceIdentifier" and "hardware_module_name" /// of type "otherName", as defined in RFC 4108. /// /// \note This function should be called on a single raw data of /// subject alternative name. For example, after successful /// certificate parsing, one must iterate on every item in the - /// \p crt->subject_alt_names sequence, and pass it to + /// \c crt->subject_alt_names sequence, and pass it to /// this function. /// /// \warning The target structure contains pointers to the raw data of the @@ -18889,173 +20153,29 @@ unsafe extern "C" { ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \} addtogroup x509_module - pub fn mbedtls_x509_get_name( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - cur: *mut mbedtls_x509_name, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_alg_null( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - alg: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_alg( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - alg: *mut mbedtls_x509_buf, - params: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_rsassa_pss_params( - params: *const mbedtls_x509_buf, - md_alg: *mut mbedtls_md_type_t, - mgf_md: *mut mbedtls_md_type_t, - salt_len: *mut ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_sig( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - sig: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_sig_alg( - sig_oid: *const mbedtls_x509_buf, - sig_params: *const mbedtls_x509_buf, - md_alg: *mut mbedtls_md_type_t, - pk_alg: *mut mbedtls_pk_type_t, - sig_opts: *mut *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_time( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - t: *mut mbedtls_x509_time, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_serial( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - serial: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_ext( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - ext: *mut mbedtls_x509_buf, - tag: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_sig_alg_gets( - buf: *mut ::core::ffi::c_char, - size: usize, - sig_oid: *const mbedtls_x509_buf, - pk_alg: mbedtls_pk_type_t, - md_alg: mbedtls_md_type_t, - sig_opts: *const ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_key_size_helper( - buf: *mut ::core::ffi::c_char, - buf_size: usize, - name: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_string_to_names( - head: *mut *mut mbedtls_asn1_named_data, - name: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_set_extension( - head: *mut *mut mbedtls_asn1_named_data, - oid: *const ::core::ffi::c_char, - oid_len: usize, - critical: ::core::ffi::c_int, - val: *const ::core::ffi::c_uchar, - val_len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_extensions( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - first: *mut mbedtls_asn1_named_data, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_names( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - first: *mut mbedtls_asn1_named_data, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_sig( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - oid: *const ::core::ffi::c_char, - oid_len: usize, - sig: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_ns_cert_type( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - ns_cert_type: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_key_usage( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - key_usage: *mut ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_subject_alt_name( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - subject_alt_name: *mut mbedtls_x509_sequence, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_info_subject_alt_name( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - subject_alt_name: *const mbedtls_x509_sequence, - prefix: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_info_cert_type( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - ns_cert_type: ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \brief Unallocate all data related to subject alternative name + /// + /// \param san SAN structure - extra memory owned by this structure will be freed + pub fn mbedtls_x509_free_subject_alt_name(san: *mut mbedtls_x509_subject_alternative_name); } unsafe extern "C" { - pub fn mbedtls_x509_info_key_usage( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - key_usage: ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; + /// \brief This function parses a CN string as an IP address. + /// + /// \param cn The CN string to parse. CN string MUST be null-terminated. + /// \param dst The target buffer to populate with the binary IP address. + /// The buffer MUST be 16 bytes to save IPv6, and should be + /// 4-byte aligned if the result will be used as struct in_addr. + /// e.g. uint32_t dst[4] + /// + /// \note \p cn is parsed as an IPv6 address if string contains ':', + /// else \p cn is parsed as an IPv4 address. + /// + /// \return Length of binary IP address; num bytes written to target. + /// \return \c 0 on failure to parse CN string as an IP address. + pub fn mbedtls_x509_crt_parse_cn_inet_pton( + cn: *const ::core::ffi::c_char, + dst: *mut ::core::ffi::c_void, + ) -> usize; } /// Certificate revocation list entry. /// Contains the CA-specific serial numbers and revocation dates. @@ -19247,8 +20367,12 @@ pub struct mbedtls_x509_crt { pub subject_id: mbedtls_x509_buf, ///< Optional X.509 v3 extensions. pub v3_ext: mbedtls_x509_buf, - ///< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier and OtherName are listed). + ///< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. pub subject_alt_names: mbedtls_x509_sequence, + ///< Optional X.509 v3 extension subject key identifier. + pub subject_key_id: mbedtls_x509_buf, + ///< Optional X.509 v3 extension authority key identifier. + pub authority_key_id: mbedtls_x509_authority, ///< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). pub certificate_policies: mbedtls_x509_sequence, ///< Bit string containing detected and parsed extensions @@ -19347,6 +20471,22 @@ impl Default for mbedtls_x509write_cert { } } } +unsafe extern "C" { + /// \brief Set Subject Alternative Name + /// + /// \param ctx Certificate context to use + /// \param san_list List of SAN values + /// + /// \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + /// + /// \note "dnsName", "uniformResourceIdentifier", "IP address", + /// "otherName", and "DirectoryName", as defined in RFC 5280, + /// are supported. + pub fn mbedtls_x509write_crt_set_subject_alternative_name( + ctx: *mut mbedtls_x509write_cert, + san_list: *const mbedtls_x509_san_list, + ) -> ::core::ffi::c_int; +} /// Item in a verification chain: cert and flags for it #[repr(C)] #[derive(Copy, Clone)] @@ -19685,8 +20825,12 @@ unsafe extern "C" { /// \param cn The expected Common Name. This will be checked to be /// present in the certificate's subjectAltNames extension or, /// if this extension is absent, as a CN component in its - /// Subject name. Currently only DNS names are supported. This - /// may be \c NULL if the CN need not be verified. + /// Subject name. DNS names and IP addresses are fully + /// supported, while the URI subtype is partially supported: + /// only exact matching, without any normalization procedures + /// described in 7.4 of RFC5280, will result in a positive + /// URI verification. + /// This may be \c NULL if the CN need not be verified. /// \param flags The address at which to store the result of the verification. /// If the verification couldn't be completed, the flag value is /// set to (uint32_t) -1. @@ -19917,6 +21061,16 @@ unsafe extern "C" { /// \param crt Certificate chain to free pub fn mbedtls_x509_crt_free(crt: *mut mbedtls_x509_crt); } +unsafe extern "C" { + /// \brief Access the ca_istrue field + /// + /// \param[in] crt Certificate to be queried, must not be \c NULL + /// + /// \return \c 1 if this a CA certificate \c 0 otherwise. + /// \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not contain + /// the Optional Basic Constraint extension. + pub fn mbedtls_x509_crt_get_ca_istrue(crt: *const mbedtls_x509_crt) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Initialize a CRT writing context /// @@ -19997,7 +21151,7 @@ unsafe extern "C" { /// \brief Set the issuer name for a Certificate /// Issuer names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS CA" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS CA" /// /// \param ctx CRT context to use /// \param issuer_name issuer name to set @@ -20013,7 +21167,7 @@ unsafe extern "C" { /// \brief Set the subject name for a Certificate /// Subject names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1" /// /// \param ctx CRT context to use /// \param subject_name subject name to set @@ -20183,13 +21337,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_cert, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20209,13 +21357,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_cert, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20336,13 +21478,7 @@ unsafe extern "C" { x_size: ::core::ffi::c_int, output: *mut ::core::ffi::c_uchar, olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20415,13 +21551,7 @@ unsafe extern "C" { x_size: ::core::ffi::c_int, output: *mut ::core::ffi::c_uchar, olen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20455,13 +21585,7 @@ unsafe extern "C" { output: *mut ::core::ffi::c_uchar, output_size: usize, olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20492,7 +21616,7 @@ unsafe extern "C" { /// initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p field is invalid. + /// \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p param is invalid. /// \return An \c MBEDTLS_ERR_MPI_XXX error code if the copy fails. pub fn mbedtls_dhm_get_value( ctx: *const mbedtls_dhm_context, @@ -20620,6 +21744,18 @@ impl Default for mbedtls_ecdh_context { } } } +unsafe extern "C" { + /// \brief Return the ECP group for provided context. + /// + /// \note To access group specific fields, users should use + /// `mbedtls_ecp_curve_info_from_grp_id` or + /// `mbedtls_ecp_group_load` on the extracted `group_id`. + /// + /// \param ctx The ECDH context to parse. This must not be \c NULL. + /// + /// \return The \c mbedtls_ecp_group_id of the context. + pub fn mbedtls_ecdh_get_grp_id(ctx: *mut mbedtls_ecdh_context) -> mbedtls_ecp_group_id; +} unsafe extern "C" { /// \brief Check whether a given group can be used for ECDH. /// @@ -20656,13 +21792,7 @@ unsafe extern "C" { grp: *mut mbedtls_ecp_group, d: *mut mbedtls_mpi, Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20701,13 +21831,7 @@ unsafe extern "C" { z: *mut mbedtls_mpi, Q: *const mbedtls_ecp_point, d: *const mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20774,13 +21898,7 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20816,7 +21934,7 @@ unsafe extern "C" { /// \brief This function sets up an ECDH context from an EC key. /// /// It is used by clients and servers in place of the - /// ServerKeyEchange for static ECDH, and imports ECDH + /// ServerKeyExchange for static ECDH, and imports ECDH /// parameters from the EC key information of a certificate. /// /// \see ecp.h @@ -20865,13 +21983,7 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20932,19 +22044,14 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } #[repr(C)] #[derive(Copy, Clone)] pub union mbedtls_ssl_premaster_secret { + pub dummy: ::core::ffi::c_uchar, pub _pms_rsa: [::core::ffi::c_uchar; 48usize], pub _pms_dhm: [::core::ffi::c_uchar; 1024usize], pub _pms_ecdh: [::core::ffi::c_uchar; 66usize], @@ -21216,6 +22323,8 @@ pub struct mbedtls_ssl_session { ///< MaxFragmentLength negotiated by peer pub private_mfl_code: ::core::ffi::c_uchar, pub private_exported: ::core::ffi::c_uchar, + ///< 0: client, 1: server + pub private_endpoint: u8, /// TLS version negotiated in the session. Used if and when renegotiating /// or resuming a session instead of the configured minor TLS version. pub private_tls_version: mbedtls_ssl_protocol_version, @@ -21234,15 +22343,13 @@ pub struct mbedtls_ssl_session { ///< RFC 5077 session ticket pub private_ticket: *mut ::core::ffi::c_uchar, ///< session ticket length - pub private_ticket_len: usize, - ///< ticket lifetime hint - pub private_ticket_lifetime: u32, - ///< 0: client, 1: server - pub private_endpoint: u8, - ///< Ticket flags - pub private_ticket_flags: u8, + pub private_ticket_len: usize, + ///< ticket lifetime hint + pub private_ticket_lifetime: u32, ///< Randomly generated value used to obscure the age of the ticket pub private_ticket_age_add: u32, + ///< Ticket flags + pub private_ticket_flags: u8, ///< resumption_key length pub private_resumption_key_len: u8, pub private_resumption_key: [::core::ffi::c_uchar; 48usize], @@ -21581,22 +22688,30 @@ pub struct mbedtls_ssl_context { ///number of retransmissions of request if ///renego_max_records is < 0 pub private_renego_records_seen: ::core::ffi::c_int, - /// Server: Negotiated TLS protocol version. - /// Client: Maximum TLS version to be negotiated, then negotiated TLS - /// version. - /// - /// It is initialized as the maximum TLS version to be negotiated in the - /// ClientHello writing preparation stage and used throughout the - /// ClientHello writing. For a fresh handshake not linked to any previous - /// handshake, it is initialized to the configured maximum TLS version - /// to be negotiated. When renegotiating or resuming a session, it is - /// initialized to the previously negotiated TLS version. - /// - /// Updated to the negotiated TLS version as soon as the ServerHello is - /// received. + /// Maximum TLS version to be negotiated, then negotiated TLS version. + /// + /// It is initialized as the configured maximum TLS version to be + /// negotiated by mbedtls_ssl_setup(). + /// + /// When renegotiating or resuming a session, it is overwritten in the + /// ClientHello writing preparation stage with the previously negotiated + /// TLS version. + /// + /// On client side, it is updated to the TLS version selected by the server + /// for the handshake when the ServerHello is received. + /// + /// On server side, it is updated to the TLS version the server selects for + /// the handshake when the ClientHello is received. pub private_tls_version: mbedtls_ssl_protocol_version, - ///< records with a bad MAC received - pub private_badmac_seen: ::core::ffi::c_uint, + /// Multipurpose field. + /// + /// - DTLS: records with a bad MAC received. + /// - TLS: accumulated length of handshake fragments (up to \c in_hslen). + /// + /// This field is multipurpose in order to preserve the ABI in the + /// Mbed TLS 3.6 LTS branch. Until 3.6.2, it was only used in DTLS + /// and called `badmac_seen`. + pub private_badmac_seen_or_in_hsfraglen: ::core::ffi::c_uint, /// Callback to customize X.509 certificate chain verification pub private_f_vrfy: ::core::option::Option< unsafe extern "C" fn( @@ -21733,8 +22848,33 @@ pub struct mbedtls_ssl_context { pub private_cur_out_ctr: [::core::ffi::c_uchar; 8usize], ///< path mtu, used to fragment outgoing messages pub private_mtu: u16, - ///< expected peer CN for verification - ///(and SNI if available) + /// Expected peer CN for verification. + /// + /// Also used on clients for SNI, + /// and for TLS 1.3 session resumption using tickets. + /// + /// The value of this field can be: + /// - \p NULL in a newly initialized or reset context. + /// - A heap-allocated copy of the last value passed to + /// mbedtls_ssl_set_hostname(), if the last call had a non-null + /// \p hostname argument. + /// - A special value to indicate that mbedtls_ssl_set_hostname() + /// was called with \p NULL (as opposed to never having been called). + /// See `mbedtls_ssl_get_hostname_pointer()` in `ssl_tls.c`. + /// + /// If this field contains the value \p NULL and the configuration option + /// #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// is unset, on a TLS client, attempting to verify a server certificate + /// results in the error + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME. + /// + /// If this field contains the special value described above, or if + /// the value is \p NULL and the configuration option + /// #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// is set, then the peer name verification is skipped, which may be + /// insecure, especially on a client. Furthermore, on a client, the + /// server_name extension is not sent, and the server name is ignored + /// in TLS 1.3 session resumption using tickets. pub private_hostname: *mut ::core::ffi::c_char, ///< negotiated protocol pub private_alpn_chosen: *const ::core::ffi::c_char, @@ -21830,6 +22970,14 @@ unsafe extern "C" { /// Calling mbedtls_ssl_setup again is not supported, even /// if no session is active. /// + /// \warning After setting up a client context, if certificate-based + /// authentication is enabled, you should call + /// mbedtls_ssl_set_hostname() to specifiy the expected + /// name of the server. Without this, in most scenarios, + /// the TLS connection is insecure. See + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// for more information. + /// /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling /// psa_crypto_init() before calling this function. @@ -21933,18 +23081,16 @@ unsafe extern "C" { unsafe extern "C" { /// \brief Set the random number generator callback /// + /// \note The callback with its parameter must remain valid as + /// long as there is an SSL context that uses the + /// SSL configuration. + /// /// \param conf SSL configuration /// \param f_rng RNG function (mandatory) /// \param p_rng RNG parameter pub fn mbedtls_ssl_conf_rng( conf: *mut mbedtls_ssl_config, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ); } @@ -22047,10 +23193,10 @@ unsafe extern "C" { /// \param own_cid The address of the readable buffer holding the CID we want /// the peer to use when sending encrypted messages to us. /// This may be \c NULL if \p own_cid_len is \c 0. - /// This parameter is unused if \p enabled is set to + /// This parameter is unused if \p enable is set to /// MBEDTLS_SSL_CID_DISABLED. /// \param own_cid_len The length of \p own_cid. - /// This parameter is unused if \p enabled is set to + /// This parameter is unused if \p enable is set to /// MBEDTLS_SSL_CID_DISABLED. /// /// \note The value of \p own_cid_len must match the value of the @@ -22705,16 +23851,16 @@ unsafe extern "C" { /// a full handshake. /// /// \note This function can handle a variety of mechanisms for session - /// resumption: For TLS 1.2, both session ID-based resumption and - /// ticket-based resumption will be considered. For TLS 1.3, - /// once implemented, sessions equate to tickets, and loading - /// one or more sessions via this call will lead to their - /// corresponding tickets being advertised as resumption PSKs - /// by the client. - /// - /// \note Calling this function multiple times will only be useful - /// once TLS 1.3 is supported. For TLS 1.2 connections, this - /// function should be called at most once. + /// resumption: For TLS 1.2, both session ID-based resumption + /// and ticket-based resumption will be considered. For TLS 1.3, + /// sessions equate to tickets, and loading one session by + /// calling this function will lead to its corresponding ticket + /// being advertised as resumption PSK by the client. This + /// depends on session tickets being enabled (see + /// #MBEDTLS_SSL_SESSION_TICKETS configuration option) though. + /// If session tickets are disabled, a call to this function + /// with a TLS 1.3 session, will not have any effect on the next + /// handshake for the SSL context \p ssl. /// /// \param ssl The SSL context representing the connection which should /// be attempted to be setup using session resumption. This @@ -22729,9 +23875,10 @@ unsafe extern "C" { /// /// \return \c 0 if successful. /// \return \c MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the session - /// could not be loaded because of an implementation limitation. - /// This error is non-fatal, and has no observable effect on - /// the SSL context or the session that was attempted to be loaded. + /// could not be loaded because one session has already been + /// loaded. This error is non-fatal, and has no observable + /// effect on the SSL context or the session that was attempted + /// to be loaded. /// \return Another negative error code on other kinds of failure. /// /// \sa mbedtls_ssl_get_session() @@ -22789,8 +23936,8 @@ unsafe extern "C" { /// /// \param session The session structure to be saved. /// \param buf The buffer to write the serialized data to. It must be a - /// writeable buffer of at least \p len bytes, or may be \c - /// NULL if \p len is \c 0. + /// writeable buffer of at least \p buf_len bytes, or may be \c + /// NULL if \p buf_len is \c 0. /// \param buf_len The number of bytes available for writing in \p buf. /// \param olen The size in bytes of the data that has been or would have /// been written. It must point to a valid \c size_t. @@ -22800,8 +23947,16 @@ unsafe extern "C" { /// to determine the necessary size by calling this function /// with \p buf set to \c NULL and \p buf_len to \c 0. /// + /// \note For TLS 1.3 sessions, this feature is supported only if the + /// MBEDTLS_SSL_SESSION_TICKETS configuration option is enabled, + /// as in TLS 1.3 session resumption is possible only with + /// tickets. + /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. + /// \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the + /// MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled + /// and the session is a TLS 1.3 session. pub fn mbedtls_ssl_session_save( session: *const mbedtls_ssl_session, buf: *mut ::core::ffi::c_uchar, @@ -22927,7 +24082,7 @@ unsafe extern "C" { /// record headers. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len + /// \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p len /// is too large. pub fn mbedtls_ssl_conf_cid( conf: *mut mbedtls_ssl_config, @@ -23254,6 +24409,8 @@ unsafe extern "C" { /// used for certificate signature are controlled by the /// verification profile, see \c mbedtls_ssl_conf_cert_profile(). /// + /// \deprecated Superseded by mbedtls_ssl_conf_sig_algs(). + /// /// \note This list should be ordered by decreasing preference /// (preferred hash first). /// @@ -23278,27 +24435,43 @@ unsafe extern "C" { ); } unsafe extern "C" { - /// \brief Configure allowed signature algorithms for use in TLS 1.3 + /// \brief Configure allowed signature algorithms for use in TLS /// /// \param conf The SSL configuration to use. /// \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms, - /// terminated by \c MBEDTLS_TLS1_3_SIG_NONE. The list must remain - /// available throughout the lifetime of the conf object. Supported - /// values are available as \c MBEDTLS_TLS1_3_SIG_XXXX + /// terminated by #MBEDTLS_TLS1_3_SIG_NONE. The list must remain + /// available throughout the lifetime of the conf object. + /// - For TLS 1.3, values of \c MBEDTLS_TLS1_3_SIG_XXXX should be + /// used. + /// - For TLS 1.2, values should be given as + /// "(HashAlgorithm << 8) | SignatureAlgorithm". pub fn mbedtls_ssl_conf_sig_algs(conf: *mut mbedtls_ssl_config, sig_algs: *const u16); } unsafe extern "C" { /// \brief Set or reset the hostname to check against the received - /// server certificate. It sets the ServerName TLS extension, - /// too, if that extension is enabled. (client-side only) + /// peer certificate. On a client, this also sets the + /// ServerName TLS extension, if that extension is enabled. + /// On a TLS 1.3 client, this also sets the server name in + /// the session resumption ticket, if that feature is enabled. /// /// \param ssl SSL context - /// \param hostname the server hostname, may be NULL to clear hostname - /// - /// \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN. - /// - /// \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on - /// allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on + /// \param hostname The server hostname. This may be \c NULL to clear + /// the hostname. + /// + /// \note Maximum hostname length #MBEDTLS_SSL_MAX_HOST_NAME_LEN. + /// + /// \note If the hostname is \c NULL on a client, then the server + /// is not authenticated: it only needs to have a valid + /// certificate, not a certificate matching its name. + /// Therefore you should always call this function on a client, + /// unless the connection is set up to only allow + /// pre-shared keys, or in scenarios where server + /// impersonation is not a concern. See the documentation of + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// for more details. + /// + /// \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on + /// allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on /// too long input hostname. /// /// Hostname set to the one provided on success (cleared @@ -23311,8 +24484,8 @@ unsafe extern "C" { } unsafe extern "C" { /// \brief Retrieve SNI extension value for the current handshake. - /// Available in \p f_cert_cb of \c mbedtls_ssl_conf_cert_cb(), - /// this is the same value passed to \p f_sni callback of + /// Available in \c f_cert_cb of \c mbedtls_ssl_conf_cert_cb(), + /// this is the same value passed to \c f_sni callback of /// \c mbedtls_ssl_conf_sni() and may be used instead of /// \c mbedtls_ssl_conf_sni(). /// @@ -23321,10 +24494,10 @@ unsafe extern "C" { /// 0 if SNI extension is not present or not yet processed. /// /// \return const pointer to SNI extension value. - /// - value is valid only when called in \p f_cert_cb + /// - value is valid only when called in \c f_cert_cb /// registered with \c mbedtls_ssl_conf_cert_cb(). /// - value is NULL if SNI extension is not present. - /// - value is not '\0'-terminated. Use \c name_len for len. + /// - value is not '\0'-terminated. Use \c name_len for len. /// - value must not be freed. pub fn mbedtls_ssl_get_hs_sni( ssl: *mut mbedtls_ssl_context, @@ -23574,6 +24747,10 @@ unsafe extern "C" { /// with \c mbedtls_ssl_read()), not handshake messages. /// With DTLS, this affects both ApplicationData and handshake. /// + /// \note Defragmentation of TLS handshake messages is supported + /// with some limitations. See the documentation of + /// mbedtls_ssl_handshake() for details. + /// /// \note This sets the maximum length for a record's payload, /// excluding record overhead that will be added to it, see /// \c mbedtls_ssl_get_record_expansion(). @@ -23607,19 +24784,48 @@ unsafe extern "C" { ); } unsafe extern "C" { - /// \brief Enable / Disable session tickets (client only). - /// (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.) + /// \brief Enable / Disable TLS 1.2 session tickets (client only, + /// TLS 1.2 only). Enabled by default. /// /// \note On server, use \c mbedtls_ssl_conf_session_tickets_cb(). /// /// \param conf SSL configuration - /// \param use_tickets Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or - /// MBEDTLS_SSL_SESSION_TICKETS_DISABLED) + /// \param use_tickets Enable or disable (#MBEDTLS_SSL_SESSION_TICKETS_ENABLED or + /// #MBEDTLS_SSL_SESSION_TICKETS_DISABLED) pub fn mbedtls_ssl_conf_session_tickets( conf: *mut mbedtls_ssl_config, use_tickets: ::core::ffi::c_int, ); } +unsafe extern "C" { + /// \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages + /// (client only, TLS 1.3 only). + /// + /// The handling of TLS 1.3 NewSessionTicket messages is disabled by + /// default. + /// + /// In TLS 1.3, servers may send a NewSessionTicket message at any time, + /// and may send multiple NewSessionTicket messages. By default, TLS 1.3 + /// clients ignore NewSessionTicket messages. + /// + /// To support session tickets in TLS 1.3 clients, call this function + /// with #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED. When + /// this is enabled, when a client receives a NewSessionTicket message, + /// the next call to a message processing functions (notably + /// mbedtls_ssl_handshake() and mbedtls_ssl_read()) will return + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET. The client should then + /// call mbedtls_ssl_get_session() to retrieve the session ticket before + /// calling the same message processing function again. + /// + /// \param conf SSL configuration + /// \param signal_new_session_tickets Enable or disable + /// (#MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED or + /// #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED) + pub fn mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( + conf: *mut mbedtls_ssl_config, + signal_new_session_tickets: ::core::ffi::c_int, + ); +} unsafe extern "C" { /// \brief Number of NewSessionTicket messages for the server to send /// after handshake completion. @@ -23948,29 +25154,22 @@ unsafe extern "C" { /// \param ssl The SSL context representing the connection for which to /// to export a session structure for later resumption. /// \param session The target structure in which to store the exported session. - /// This must have been initialized with mbedtls_ssl_init_session() + /// This must have been initialized with mbedtls_ssl_session_init() /// but otherwise be unused. /// /// \note This function can handle a variety of mechanisms for session /// resumption: For TLS 1.2, both session ID-based resumption and /// ticket-based resumption will be considered. For TLS 1.3, - /// once implemented, sessions equate to tickets, and calling - /// this function multiple times will export the available - /// tickets one a time until no further tickets are available, - /// in which case MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE will - /// be returned. - /// - /// \note Calling this function multiple times will only be useful - /// once TLS 1.3 is supported. For TLS 1.2 connections, this - /// function should be called at most once. + /// sessions equate to tickets, and if session tickets are + /// enabled (see #MBEDTLS_SSL_SESSION_TICKETS configuration + /// option), this function exports the last received ticket and + /// the exported session may be used to resume the TLS 1.3 + /// session. If session tickets are disabled, exported sessions + /// cannot be used to resume a TLS 1.3 session. /// /// \return \c 0 if successful. In this case, \p session can be used for /// session resumption by passing it to mbedtls_ssl_set_session(), /// and serialized for storage via mbedtls_ssl_session_save(). - /// \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no further session - /// is available for export. - /// This error is a non-fatal, and has no observable effect on - /// the SSL context or the destination session. /// \return Another negative error code on other kinds of failure. /// /// \sa mbedtls_ssl_set_session() @@ -24002,6 +25201,17 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use /// and the client did not demonstrate reachability yet - in /// this case you must stop using the context (see below). + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. See the + /// documentation of mbedtls_ssl_read() for more information + /// about this error code. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24010,7 +25220,9 @@ unsafe extern "C" { /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24030,10 +25242,31 @@ unsafe extern "C" { /// currently being processed might or might not contain further /// DTLS records. /// - /// \note If the context is configured to allow TLS 1.3, or if - /// #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling /// psa_crypto_init() before calling this function. + /// Otherwise, the handshake may call psa_crypto_init() + /// if a negotiation involving TLS 1.3 takes place (this may + /// be the case even if TLS 1.3 is offered but eventually + /// not selected). + /// + /// \note In TLS, reception of fragmented handshake messages is + /// supported with some limitations (those limitations do + /// not apply to DTLS, where defragmentation is fully + /// supported): + /// - On an Mbed TLS server that only accepts TLS 1.2, + /// the initial ClientHello message must not be fragmented. + /// A TLS 1.2 ClientHello may be fragmented if the server + /// also accepts TLS 1.3 connections (meaning + /// that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the + /// accepted versions have not been restricted with + /// mbedtls_ssl_conf_max_tls_version() or the like). + /// - The first fragment of a handshake message must be + /// at least 4 bytes long. + /// - Non-handshake records must not be interleaved between + /// the fragments of a handshake message. (This is permitted + /// in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it + /// even in TLS 1.2.) pub fn mbedtls_ssl_handshake(ssl: *mut mbedtls_ssl_context) -> ::core::ffi::c_int; } unsafe extern "C" { @@ -24062,8 +25295,10 @@ unsafe extern "C" { /// /// \warning If this function returns something other than \c 0, /// #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, - /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using + /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using /// the SSL context for reading or writing, and either free it /// or call \c mbedtls_ssl_session_reset() on it before /// re-using it for a new connection; the current connection @@ -24126,6 +25361,24 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server /// side of a DTLS connection and the client is initiating a /// new connection using the same source port. See below. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. + /// This error code is only returned on the client side. It is + /// only returned if handling of TLS 1.3 NewSessionTicket + /// messages has been enabled through + /// mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(). + /// This error code indicates that a TLS 1.3 NewSessionTicket + /// message has been received and parsed successfully by the + /// client. The ticket data can be retrieved from the SSL + /// context by calling mbedtls_ssl_get_session(). It remains + /// available until the next call to mbedtls_ssl_read(). + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24134,8 +25387,10 @@ unsafe extern "C" { /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CLIENT_RECONNECT, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24202,6 +25457,17 @@ unsafe extern "C" { /// operation is in progress (see mbedtls_ecp_set_max_ops()) - /// in this case you must call this function again to complete /// the handshake when you're done attending other tasks. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. See the + /// documentation of mbedtls_ssl_read() for more information + /// about this error code. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24209,8 +25475,10 @@ unsafe extern "C" { /// a non-negative value, /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, - /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24451,381 +25719,64 @@ unsafe extern "C" { /// \brief Free an SSL configuration context /// /// \param conf SSL configuration context - pub fn mbedtls_ssl_config_free(conf: *mut mbedtls_ssl_config); -} -unsafe extern "C" { - /// \brief Initialize SSL session structure - /// - /// \param session SSL session - pub fn mbedtls_ssl_session_init(session: *mut mbedtls_ssl_session); -} -unsafe extern "C" { - /// \brief Free referenced items in an SSL session including the - /// peer certificate and clear memory - /// - /// \note A session object can be freed even if the SSL context - /// that was used to retrieve the session is still in use. - /// - /// \param session SSL session - pub fn mbedtls_ssl_session_free(session: *mut mbedtls_ssl_session); -} -unsafe extern "C" { - /// \brief TLS-PRF function for key derivation. - /// - /// \param prf The tls_prf type function type to be used. - /// \param secret Secret for the key derivation function. - /// \param slen Length of the secret. - /// \param label String label for the key derivation function, - /// terminated with null character. - /// \param random Random bytes. - /// \param rlen Length of the random bytes buffer. - /// \param dstbuf The buffer holding the derived key. - /// \param dlen Length of the output buffer. - /// - /// \return 0 on success. An SSL specific error on failure. - pub fn mbedtls_ssl_tls_prf( - prf: mbedtls_tls_prf_types, - secret: *const ::core::ffi::c_uchar, - slen: usize, - label: *const ::core::ffi::c_char, - random: *const ::core::ffi::c_uchar, - rlen: usize, - dstbuf: *mut ::core::ffi::c_uchar, - dlen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Set the threshold error level to handle globally all debug output. - /// Debug messages that have a level over the threshold value are - /// discarded. - /// (Default value: 0 = No debug ) - /// - /// \param threshold threshold level of messages to filter on. Messages at a - /// higher level will be discarded. - /// - Debug levels - /// - 0 No debug - /// - 1 Error - /// - 2 State change - /// - 3 Informational - /// - 4 Verbose - pub fn mbedtls_debug_set_threshold(threshold: ::core::ffi::c_int); -} -unsafe extern "C" { - /// \brief Print a message to the debug output. This function is always used - /// through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl - /// context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the message has occurred in - /// \param line line number the message has occurred at - /// \param format format specifier, in printf format - /// \param ... variables used by the format specifier - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_msg( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - format: *const ::core::ffi::c_char, - ... - ); -} -unsafe extern "C" { - /// \brief Print the return value of a function to the debug output. This - /// function is always used through the MBEDTLS_SSL_DEBUG_RET() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text the name of the function that returned the error - /// \param ret the return code value - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_ret( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - ret: ::core::ffi::c_int, - ); -} -unsafe extern "C" { - /// \brief Output a buffer of size len bytes to the debug output. This function - /// is always used through the MBEDTLS_SSL_DEBUG_BUF() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the buffer being dumped. Normally the - /// variable or buffer name - /// \param buf the buffer to be outputted - /// \param len length of the buffer - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_buf( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - buf: *const ::core::ffi::c_uchar, - len: usize, - ); -} -unsafe extern "C" { - /// \brief Print a MPI variable to the debug output. This function is always - /// used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the - /// ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the MPI being output. Normally the - /// variable name - /// \param X the MPI variable - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_mpi( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - X: *const mbedtls_mpi, - ); -} -unsafe extern "C" { - /// \brief Print an ECP point to the debug output. This function is always - /// used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the - /// ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the ECP point being output. Normally the - /// variable name - /// \param X the ECP point - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_ecp( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - X: *const mbedtls_ecp_point, - ); -} -unsafe extern "C" { - /// \brief Print a X.509 certificate structure to the debug output. This - /// function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the certificate being output - /// \param crt X.509 certificate structure - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_crt( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - crt: *const mbedtls_x509_crt, - ); -} -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_Q: mbedtls_debug_ecdh_attr = 0; -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_QP: mbedtls_debug_ecdh_attr = 1; -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_Z: mbedtls_debug_ecdh_attr = 2; -pub type mbedtls_debug_ecdh_attr = ::core::ffi::c_uint; -unsafe extern "C" { - /// \brief Print a field of the ECDH structure in the SSL context to the debug - /// output. This function is always used through the - /// MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file - /// and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param ecdh the ECDH context - /// \param attr the identifier of the attribute being output - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_printf_ecdh( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - ecdh: *const mbedtls_ecdh_context, - attr: mbedtls_debug_ecdh_attr, - ); -} -/// \brief Entropy poll callback pointer -/// -/// \param data Callback-specific data pointer -/// \param output Data to fill -/// \param len Maximum size to provide -/// \param olen The actual amount of bytes put into the buffer (Can be 0) -/// -/// \return 0 if no critical failures occurred, -/// MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise -pub type mbedtls_entropy_f_source_ptr = ::core::option::Option< - unsafe extern "C" fn( - data: *mut ::core::ffi::c_void, - output: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - ) -> ::core::ffi::c_int, ->; -/// \brief Entropy source state -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_entropy_source_state { - ///< The entropy source callback - pub private_f_source: mbedtls_entropy_f_source_ptr, - ///< The callback data pointer - pub private_p_source: *mut ::core::ffi::c_void, - ///< Amount received in bytes - pub private_size: usize, - ///< Minimum bytes required before release - pub private_threshold: usize, - ///< Is the source strong? - pub private_strong: ::core::ffi::c_int, -} -impl Default for mbedtls_entropy_source_state { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -/// \brief Entropy context structure -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_entropy_context { - pub private_accumulator_started: ::core::ffi::c_int, - pub __bindgen_padding_0: u64, - pub private_accumulator: mbedtls_sha512_context, - pub private_source_count: ::core::ffi::c_int, - pub private_source: [mbedtls_entropy_source_state; 20usize], -} -impl Default for mbedtls_entropy_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief Initialize the context - /// - /// \param ctx Entropy context to initialize - pub fn mbedtls_entropy_init(ctx: *mut mbedtls_entropy_context); -} -unsafe extern "C" { - /// \brief Free the data in the context - /// - /// \param ctx Entropy context to free - pub fn mbedtls_entropy_free(ctx: *mut mbedtls_entropy_context); -} -unsafe extern "C" { - /// \brief Adds an entropy source to poll - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) - /// - /// \param ctx Entropy context - /// \param f_source Entropy function - /// \param p_source Function data - /// \param threshold Minimum required from source before entropy is released - /// ( with mbedtls_entropy_func() ) (in bytes) - /// \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or - /// MBEDTLS_ENTROPY_SOURCE_WEAK. - /// At least one strong source needs to be added. - /// Weaker sources (such as the cycle counter) can be used as - /// a complement. - /// - /// \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES - pub fn mbedtls_entropy_add_source( - ctx: *mut mbedtls_entropy_context, - f_source: mbedtls_entropy_f_source_ptr, - p_source: *mut ::core::ffi::c_void, - threshold: usize, - strong: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + pub fn mbedtls_ssl_config_free(conf: *mut mbedtls_ssl_config); } unsafe extern "C" { - /// \brief Trigger an extra gather poll for the accumulator - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) - /// - /// \param ctx Entropy context + /// \brief Initialize SSL session structure /// - /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED - pub fn mbedtls_entropy_gather(ctx: *mut mbedtls_entropy_context) -> ::core::ffi::c_int; + /// \param session SSL session + pub fn mbedtls_ssl_session_init(session: *mut mbedtls_ssl_session); } unsafe extern "C" { - /// \brief Retrieve entropy from the accumulator - /// (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE) - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) + /// \brief Free referenced items in an SSL session including the + /// peer certificate and clear memory /// - /// \param data Entropy context - /// \param output Buffer to fill - /// \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE + /// \note A session object can be freed even if the SSL context + /// that was used to retrieve the session is still in use. /// - /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED - pub fn mbedtls_entropy_func( - data: *mut ::core::ffi::c_void, - output: *mut ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \param session SSL session + pub fn mbedtls_ssl_session_free(session: *mut mbedtls_ssl_session); } unsafe extern "C" { - /// \brief Add data to the accumulator manually - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) + /// \brief TLS-PRF function for key derivation. /// - /// \param ctx Entropy context - /// \param data Data to add - /// \param len Length of data + /// \param prf The tls_prf type function type to be used. + /// \param secret Secret for the key derivation function. + /// \param slen Length of the secret. + /// \param label String label for the key derivation function, + /// terminated with null character. + /// \param random Random bytes. + /// \param rlen Length of the random bytes buffer. + /// \param dstbuf The buffer holding the derived key. + /// \param dlen Length of the output buffer. /// - /// \return 0 if successful - pub fn mbedtls_entropy_update_manual( - ctx: *mut mbedtls_entropy_context, - data: *const ::core::ffi::c_uchar, - len: usize, + /// \return 0 on success. An SSL specific error on failure. + pub fn mbedtls_ssl_tls_prf( + prf: mbedtls_tls_prf_types, + secret: *const ::core::ffi::c_uchar, + slen: usize, + label: *const ::core::ffi::c_char, + random: *const ::core::ffi::c_uchar, + rlen: usize, + dstbuf: *mut ::core::ffi::c_uchar, + dlen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Checkup routine - /// - /// This module self-test also calls the entropy self-test, - /// mbedtls_entropy_source_self_test(); + /// \brief Set the threshold error level to handle globally all debug output. + /// Debug messages that have a level over the threshold value are + /// discarded. + /// (Default value: 0 = No debug ) /// - /// \return 0 if successful, or 1 if a test failed - pub fn mbedtls_entropy_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; + /// \param threshold threshold level of messages to filter on. Messages at a + /// higher level will be discarded. + /// - Debug levels + /// - 0 No debug + /// - 1 Error + /// - 2 State change + /// - 3 Informational + /// - 4 Verbose + pub fn mbedtls_debug_set_threshold(threshold: ::core::ffi::c_int); } unsafe extern "C" { /// \brief This is the HMAC-based Extract-and-Expand Key Derivation Function @@ -24994,8 +25945,8 @@ unsafe extern "C" { /// \param len The length of the personalization string. /// This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT /// and also at most - /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2 - /// where \p entropy_len is the entropy length + /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len * 3 / 2 + /// where \c entropy_len is the entropy length /// described above. /// /// \return \c 0 if successful. @@ -25120,8 +26071,8 @@ unsafe extern "C" { /// \param len The length of the additional data. /// This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT /// and also at most - /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len - /// where \p entropy_len is the entropy length + /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length /// (see mbedtls_hmac_drbg_set_entropy_len()). /// /// \return \c 0 if successful. @@ -25604,6 +26555,28 @@ unsafe extern "C" { oid: *const mbedtls_asn1_buf, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Translate a string containing a dotted-decimal + /// representation of an ASN.1 OID into its encoded form + /// (e.g. "1.2.840.113549" into "\x2A\x86\x48\x86\xF7\x0D"). + /// On success, this function allocates oid->buf from the + /// heap. It must be freed by the caller using mbedtls_free(). + /// + /// \param oid #mbedtls_asn1_buf to populate with the DER-encoded OID + /// \param oid_str string representation of the OID to parse + /// \param size length of the OID string, not including any null terminator + /// + /// \return 0 if successful + /// \return #MBEDTLS_ERR_ASN1_INVALID_DATA if \p oid_str does not + /// represent a valid OID + /// \return #MBEDTLS_ERR_ASN1_ALLOC_FAILED if the function fails to + /// allocate oid->buf + pub fn mbedtls_oid_from_numeric_string( + oid: *mut mbedtls_asn1_buf, + oid_str: *const ::core::ffi::c_char, + size: usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Translate an X.509 extension OID into local values /// @@ -25681,6 +26654,34 @@ unsafe extern "C" { olen: *mut usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Translate AlgorithmIdentifier OID into an EC group identifier, + /// for curves that are directly encoded at this level + /// + /// \param oid OID to use + /// \param grp_id place to store group id + /// + /// \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + pub fn mbedtls_oid_get_ec_grp_algid( + oid: *const mbedtls_asn1_buf, + grp_id: *mut mbedtls_ecp_group_id, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Translate EC group identifier into AlgorithmIdentifier OID, + /// for curves that are directly encoded at this level + /// + /// \param grp_id EC group identifier + /// \param oid place to store ASN.1 OID string pointer + /// \param olen length of the OID + /// + /// \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + pub fn mbedtls_oid_get_oid_by_ec_grp_algid( + grp_id: mbedtls_ecp_group_id, + oid: *mut *const ::core::ffi::c_char, + olen: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Translate SignatureAlgorithm OID into md_type and pk_type /// @@ -25848,11 +26849,11 @@ unsafe extern "C" { /// \param data source data to look in (must be nul-terminated) /// \param pwd password for decryption (can be NULL) /// \param pwdlen length of password - /// \param use_len destination for total length used (set after header is - /// correctly read, so unless you get + /// \param use_len destination for total length used from data buffer. It is + /// set after header is correctly read, so unless you get /// MBEDTLS_ERR_PEM_BAD_INPUT_DATA or /// MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is - /// the length to skip) + /// the length to skip. /// /// \note Attempts to check password correctness by verifying if /// the decrypted text starts with an ASN.1 sequence of @@ -25917,13 +26918,40 @@ unsafe extern "C" { unsafe extern "C" { /// \brief PKCS#5 PBES2 function /// + /// \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must + /// be enabled at compile time. + /// + /// \deprecated This function is deprecated and will be removed in a + /// future version of the library. + /// Please use mbedtls_pkcs5_pbes2_ext() instead. + /// + /// \warning When decrypting: + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile + /// time, this function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile + /// time, this function does not validate the CBC padding. + /// /// \param pbe_params the ASN.1 algorithm parameters - /// \param mode either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT + /// \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT /// \param pwd password to use when generating key /// \param pwdlen length of password /// \param data data to process /// \param datalen length of data - /// \param output output buffer + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p datalen + /// bytes. + /// For encryption, there must be enough room for + /// \p datalen + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. /// /// \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails. pub fn mbedtls_pkcs5_pbes2( @@ -25936,6 +26964,50 @@ unsafe extern "C" { output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief PKCS#5 PBES2 function + /// + /// \warning When decrypting: + /// - This function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// + /// \param pbe_params the ASN.1 algorithm parameters + /// \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT + /// \param pwd password to use when generating key + /// \param pwdlen length of password + /// \param data data to process + /// \param datalen length of data + /// \param output Output buffer. + /// On success, it contains the decrypted data. + /// On failure, the content is indetermidate. + /// For decryption, there must be enough room for \p datalen + /// bytes. + /// For encryption, there must be enough room for + /// \p datalen + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. + /// \param output_size size of output buffer. + /// This must be big enough to accommodate for output plus + /// padding data. + /// \param output_len On success, length of actual data written to the output buffer. + /// + /// \returns 0 on success, or a MBEDTLS_ERR_XXX code if parsing or decryption fails. + pub fn mbedtls_pkcs5_pbes2_ext( + pbe_params: *const mbedtls_asn1_buf, + mode: ::core::ffi::c_int, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + data: *const ::core::ffi::c_uchar, + datalen: usize, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_len: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief PKCS#5 PBKDF2 using HMAC without using the HMAC context /// @@ -26167,6 +27239,25 @@ unsafe extern "C" { /// \brief PKCS12 Password Based function (encryption / decryption) /// for cipher-based and mbedtls_md-based PBE's /// + /// \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must + /// be enabled at compile time. + /// + /// \deprecated This function is deprecated and will be removed in a + /// future version of the library. + /// Please use mbedtls_pkcs12_pbe_ext() instead. + /// + /// \warning When decrypting: + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile + /// time, this function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile + /// time, this function does not validate the CBC padding. + /// /// \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure /// \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or /// #MBEDTLS_PKCS12_PBE_DECRYPT @@ -26175,9 +27266,17 @@ unsafe extern "C" { /// \param pwd Latin1-encoded password used. This may only be \c NULL when /// \p pwdlen is 0. No null terminator should be used. /// \param pwdlen length of the password (may be 0) - /// \param input the input data + /// \param data the input data /// \param len data length - /// \param output the output buffer + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p len + /// bytes. + /// For encryption, there must be enough room for + /// \p len + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. /// /// \return 0 if successful, or a MBEDTLS_ERR_XXX code pub fn mbedtls_pkcs12_pbe( @@ -26187,9 +27286,62 @@ unsafe extern "C" { md_type: mbedtls_md_type_t, pwd: *const ::core::ffi::c_uchar, pwdlen: usize, - input: *const ::core::ffi::c_uchar, + data: *const ::core::ffi::c_uchar, + len: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief PKCS12 Password Based function (encryption / decryption) + /// for cipher-based and mbedtls_md-based PBE's + /// + /// + /// \warning When decrypting: + /// - This function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// + /// \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure + /// \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or + /// #MBEDTLS_PKCS12_PBE_DECRYPT + /// \param cipher_type the cipher used + /// \param md_type the mbedtls_md used + /// \param pwd Latin1-encoded password used. This may only be \c NULL when + /// \p pwdlen is 0. No null terminator should be used. + /// \param pwdlen length of the password (may be 0) + /// \param data the input data + /// \param len data length + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p len + /// bytes. + /// For encryption, there must be enough room for + /// \p len + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. + /// \param output_size size of output buffer. + /// This must be big enough to accommodate for output plus + /// padding data. + /// \param output_len On success, length of actual data written to the output buffer. + /// + /// \return 0 if successful, or a MBEDTLS_ERR_XXX code + pub fn mbedtls_pkcs12_pbe_ext( + pbe_params: *mut mbedtls_asn1_buf, + mode: ::core::ffi::c_int, + cipher_type: mbedtls_cipher_type_t, + md_type: mbedtls_md_type_t, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + data: *const ::core::ffi::c_uchar, len: usize, output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_len: *mut usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { @@ -26288,6 +27440,11 @@ unsafe extern "C" { /// \param session_id_len The length of \p session_id in bytes. /// \param session The address at which to store the session /// associated with \p session_id, if present. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND if there is + /// no cache entry with specified session ID found, or + /// any other negative error code for other failures. pub fn mbedtls_ssl_cache_get( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26304,6 +27461,9 @@ unsafe extern "C" { /// associated to \p session. /// \param session_id_len The length of \p session_id in bytes. /// \param session The session to store. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. pub fn mbedtls_ssl_cache_set( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26317,12 +27477,13 @@ unsafe extern "C" { /// /// \param data The SSL cache context to use. /// \param session_id The pointer to the buffer holding the session ID - /// associated to \p session. + /// associated to session. /// \param session_id_len The length of \p session_id in bytes. /// - /// \return 0: The cache entry for session with provided ID - /// is removed or does not exist. - /// Otherwise: fail. + /// \return \c 0 on success. This indicates the cache entry for + /// the session with provided ID is removed or does not + /// exist. + /// \return A negative error code on failure. pub fn mbedtls_ssl_cache_remove( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26375,13 +27536,7 @@ unsafe extern "C" { /// \brief Setup cookie context (generate keys) pub fn mbedtls_ssl_cookie_setup( ctx: *mut mbedtls_ssl_cookie_ctx, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -26427,6 +27582,9 @@ unsafe extern "C" { #[derive(Copy, Clone)] pub struct mbedtls_ssl_ticket_key { pub private_name: [::core::ffi::c_uchar; 4usize], + /// Lifetime of the key in seconds. This is also the lifetime of the + /// tickets created under that key. + pub private_lifetime: u32, ///< context for auth enc/decryption pub private_ctx: mbedtls_cipher_context_t, } @@ -26482,7 +27640,9 @@ unsafe extern "C" { /// /// \param ctx Context to be set up /// \param f_rng RNG callback function (mandatory) - /// \param p_rng RNG callback context + /// \param p_rng RNG callback context. + /// Note that the RNG callback must remain valid + /// until the ticket context is freed. /// \param cipher AEAD cipher to use for ticket protection. /// Recommended value: MBEDTLS_CIPHER_AES_256_GCM. /// \param lifetime Tickets lifetime in seconds @@ -26492,21 +27652,21 @@ unsafe extern "C" { /// least as strong as the strongest ciphersuite /// supported. Usually that means a 256-bit key. /// - /// \note The lifetime of the keys is twice the lifetime of tickets. - /// It is recommended to pick a reasonable lifetime so as not + /// \note It is recommended to pick a reasonable lifetime so as not /// to negate the benefits of forward secrecy. /// + /// \note The TLS 1.3 specification states that ticket lifetime must + /// be smaller than seven days. If ticket lifetime has been + /// set to a value greater than seven days in this module then + /// if the TLS 1.3 is configured to send tickets after the + /// handshake it will fail the connection when trying to send + /// the first ticket. + /// /// \return 0 if successful, /// or a specific MBEDTLS_ERR_XXX error code pub fn mbedtls_ssl_ticket_setup( ctx: *mut mbedtls_ssl_ticket_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, cipher: mbedtls_cipher_type_t, lifetime: u32, @@ -26537,10 +27697,16 @@ unsafe extern "C" { /// \note \c klength must be sufficient for use by cipher specified /// to \c mbedtls_ssl_ticket_setup /// - /// \note The lifetime of the keys is twice the lifetime of tickets. - /// It is recommended to pick a reasonable lifetime so as not + /// \note It is recommended to pick a reasonable lifetime so as not /// to negate the benefits of forward secrecy. /// + /// \note The TLS 1.3 specification states that ticket lifetime must + /// be smaller than seven days. If ticket lifetime has been + /// set to a value greater than seven days in this module then + /// if the TLS 1.3 is configured to send tickets after the + /// handshake it will fail the connection when trying to send + /// the first ticket. + /// /// \return 0 if successful, /// or a specific MBEDTLS_ERR_XXX error code pub fn mbedtls_ssl_ticket_rotate( @@ -26606,7 +27772,7 @@ pub struct mbedtls_x509_csr { pub key_usage: ::core::ffi::c_uint, ///< Optional Netscape certificate type extension value: See the values in x509.h pub ns_cert_type: ::core::ffi::c_uchar, - ///< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). + ///< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. pub subject_alt_names: mbedtls_x509_sequence, ///< Bit string containing detected and parsed extensions pub private_ext_types: ::core::ffi::c_int, @@ -26646,25 +27812,12 @@ impl Default for mbedtls_x509write_csr { } } } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_x509_san_list { - pub node: mbedtls_x509_subject_alternative_name, - pub next: *mut mbedtls_x509_san_list, -} -impl Default for mbedtls_x509_san_list { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { /// \brief Load a Certificate Signing Request (CSR) in DER format /// - /// \note CSR attributes (if any) are currently silently ignored. + /// \note Any unsupported requested extensions are silently + /// ignored, unless the critical flag is set, in which case + /// the CSR is rejected. /// /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling @@ -26681,6 +27834,70 @@ unsafe extern "C" { buflen: usize, ) -> ::core::ffi::c_int; } +/// \brief The type of certificate extension callbacks. +/// +/// Callbacks of this type are passed to and used by the +/// mbedtls_x509_csr_parse_der_with_ext_cb() routine when +/// it encounters either an unsupported extension. +/// Future versions of the library may invoke the callback +/// in other cases, if and when the need arises. +/// +/// \param p_ctx An opaque context passed to the callback. +/// \param csr The CSR being parsed. +/// \param oid The OID of the extension. +/// \param critical Whether the extension is critical. +/// \param p Pointer to the start of the extension value +/// (the content of the OCTET STRING). +/// \param end End of extension value. +/// +/// \note The callback must fail and return a negative error code +/// if it can not parse or does not support the extension. +/// When the callback fails to parse a critical extension +/// mbedtls_x509_csr_parse_der_with_ext_cb() also fails. +/// When the callback fails to parse a non critical extension +/// mbedtls_x509_csr_parse_der_with_ext_cb() simply skips +/// the extension and continues parsing. +/// +/// \return \c 0 on success. +/// \return A negative error code on failure. +pub type mbedtls_x509_csr_ext_cb_t = ::core::option::Option< + unsafe extern "C" fn( + p_ctx: *mut ::core::ffi::c_void, + csr: *const mbedtls_x509_csr, + oid: *const mbedtls_x509_buf, + critical: ::core::ffi::c_int, + p: *const ::core::ffi::c_uchar, + end: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int, +>; +unsafe extern "C" { + /// \brief Load a Certificate Signing Request (CSR) in DER format + /// + /// \note Any unsupported requested extensions are silently + /// ignored, unless the critical flag is set, in which case + /// the result of the callback function decides whether + /// CSR is rejected. + /// + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. + /// + /// \param csr CSR context to fill + /// \param buf buffer holding the CRL data + /// \param buflen size of the buffer + /// \param cb A callback invoked for every unsupported certificate + /// extension. + /// \param p_ctx An opaque context passed to the callback. + /// + /// \return 0 if successful, or a specific X509 error code + pub fn mbedtls_x509_csr_parse_der_with_ext_cb( + csr: *mut mbedtls_x509_csr, + buf: *const ::core::ffi::c_uchar, + buflen: usize, + cb: mbedtls_x509_csr_ext_cb_t, + p_ctx: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Load a Certificate Signing Request (CSR), DER or PEM format /// @@ -26742,7 +27959,7 @@ unsafe extern "C" { /// \brief Set the subject name for a CSR /// Subject names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1" /// /// \param ctx CSR context to use /// \param subject_name subject name to set @@ -26873,13 +28090,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_csr, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -26900,13 +28111,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_csr, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } diff --git a/esp-mbedtls-sys/src/include/xtensa-esp32-none-elf.rs b/esp-mbedtls-sys/src/include/xtensa-esp32-none-elf.rs index 8a8f52f3..f6ce94cd 100644 --- a/esp-mbedtls-sys/src/include/xtensa-esp32-none-elf.rs +++ b/esp-mbedtls-sys/src/include/xtensa-esp32-none-elf.rs @@ -137,6 +137,36 @@ where } } } +#[repr(C)] +#[derive(Default)] +pub struct __IncompleteArrayField(::core::marker::PhantomData, [T; 0]); +impl __IncompleteArrayField { + #[inline] + pub const fn new() -> Self { + __IncompleteArrayField(::core::marker::PhantomData, []) + } + #[inline] + pub fn as_ptr(&self) -> *const T { + self as *const _ as *const T + } + #[inline] + pub fn as_mut_ptr(&mut self) -> *mut T { + self as *mut _ as *mut T + } + #[inline] + pub unsafe fn as_slice(&self, len: usize) -> &[T] { + ::core::slice::from_raw_parts(self.as_ptr(), len) + } + #[inline] + pub unsafe fn as_mut_slice(&mut self, len: usize) -> &mut [T] { + ::core::slice::from_raw_parts_mut(self.as_mut_ptr(), len) + } +} +impl ::core::fmt::Debug for __IncompleteArrayField { + fn fmt(&self, fmt: &mut ::core::fmt::Formatter<'_>) -> ::core::fmt::Result { + fmt.write_str("__IncompleteArrayField") + } +} pub const MBEDTLS_CONFIG_FILE: &[u8; 9] = b"config.h\0"; pub const MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT: u32 = 0; pub const MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: u32 = 1024; @@ -144,14 +174,33 @@ pub const MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE: u32 = 6000; pub const MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH: u32 = 32; pub const MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS: u32 = 1; pub const MBEDTLS_VERSION_MAJOR: u32 = 3; -pub const MBEDTLS_VERSION_MINOR: u32 = 4; -pub const MBEDTLS_VERSION_PATCH: u32 = 0; -pub const MBEDTLS_VERSION_NUMBER: u32 = 50593792; -pub const MBEDTLS_VERSION_STRING: &[u8; 6] = b"3.4.0\0"; -pub const MBEDTLS_VERSION_STRING_FULL: &[u8; 15] = b"mbed TLS 3.4.0\0"; +pub const MBEDTLS_VERSION_MINOR: u32 = 6; +pub const MBEDTLS_VERSION_PATCH: u32 = 5; +pub const MBEDTLS_VERSION_NUMBER: u32 = 50726144; +pub const MBEDTLS_VERSION_STRING: &[u8; 6] = b"3.6.5\0"; +pub const MBEDTLS_VERSION_STRING_FULL: &[u8; 15] = b"Mbed TLS 3.6.5\0"; +pub const PSA_WANT_ALG_MD5: u32 = 1; +pub const PSA_WANT_ALG_RIPEMD160: u32 = 1; +pub const PSA_WANT_ALG_SHA_1: u32 = 1; +pub const PSA_WANT_ALG_SHA_224: u32 = 1; +pub const PSA_WANT_ALG_SHA_256: u32 = 1; +pub const PSA_WANT_ALG_SHA_384: u32 = 1; +pub const PSA_WANT_ALG_SHA_512: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_256: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_384: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_512: u32 = 1; +pub const PSA_WANT_ECC_MONTGOMERY_255: u32 = 1; +pub const PSA_WANT_ECC_MONTGOMERY_448: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_192: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_224: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_256: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_384: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_521: u32 = 1; +pub const PSA_WANT_ECC_SECP_K1_192: u32 = 1; +pub const PSA_WANT_ECC_SECP_K1_256: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CCM: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const PSA_WANT_ALG_CCM: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const PSA_WANT_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CMAC: u32 = 1; pub const PSA_WANT_ALG_CMAC: u32 = 1; @@ -162,10 +211,40 @@ pub const PSA_WANT_ALG_ECDSA: u32 = 1; pub const PSA_WANT_ALG_ECDSA_ANY: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA: u32 = 1; pub const PSA_WANT_ALG_DETERMINISTIC_ECDSA: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR: u32 = 1; -pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY: u32 = 1; pub const PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY: u32 = 1; +pub const PSA_WANT_ALG_FFDH: u32 = 1; +pub const PSA_WANT_DH_RFC7919_2048: u32 = 1; +pub const PSA_WANT_DH_RFC7919_3072: u32 = 1; +pub const PSA_WANT_DH_RFC7919_4096: u32 = 1; +pub const PSA_WANT_DH_RFC7919_6144: u32 = 1; +pub const PSA_WANT_DH_RFC7919_8192: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_ALG_FFDH: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_GCM: u32 = 1; pub const PSA_WANT_ALG_GCM: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_HMAC: u32 = 1; @@ -176,17 +255,16 @@ pub const MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT: u32 = 1; pub const PSA_WANT_ALG_HKDF_EXTRACT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND: u32 = 1; pub const PSA_WANT_ALG_HKDF_EXPAND: u32 = 1; +pub const PSA_WANT_KEY_TYPE_HMAC: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF: u32 = 1; pub const PSA_WANT_ALG_TLS12_PRF: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS: u32 = 1; pub const PSA_WANT_ALG_TLS12_PSK_TO_MS: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_MD5: u32 = 1; -pub const PSA_WANT_ALG_MD5: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_PAKE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_JPAKE: u32 = 1; pub const PSA_WANT_ALG_JPAKE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160: u32 = 1; -pub const PSA_WANT_ALG_RIPEMD160: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT: u32 = 1; pub const PSA_WANT_ALG_RSA_PKCS1V15_CRYPT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN: u32 = 1; @@ -196,20 +274,19 @@ pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP: u32 = 1; pub const PSA_WANT_ALG_RSA_OAEP: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS: u32 = 1; pub const PSA_WANT_ALG_RSA_PSS: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR: u32 = 1; -pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY: u32 = 1; pub const PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_1: u32 = 1; -pub const PSA_WANT_ALG_SHA_1: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_224: u32 = 1; -pub const PSA_WANT_ALG_SHA_224: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_256: u32 = 1; -pub const PSA_WANT_ALG_SHA_256: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_384: u32 = 1; -pub const PSA_WANT_ALG_SHA_384: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_512: u32 = 1; -pub const PSA_WANT_ALG_SHA_512: u32 = 1; pub const PSA_WANT_KEY_TYPE_AES: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES: u32 = 1; pub const PSA_WANT_KEY_TYPE_ARIA: u32 = 1; @@ -221,8 +298,8 @@ pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS: u32 = 1; pub const PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS: u32 = 1; pub const PSA_WANT_KEY_TYPE_CHACHA20: u32 = 1; -pub const PSA_WANT_ALG_STREAM_CIPHER: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20: u32 = 1; +pub const PSA_WANT_ALG_STREAM_CIPHER: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER: u32 = 1; pub const PSA_WANT_ALG_CHACHA20_POLY1305: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305: u32 = 1; @@ -250,8 +327,7 @@ pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256: u32 = 1; -pub const PSA_HAVE_FULL_ECDSA: u32 = 1; -pub const PSA_HAVE_FULL_JPAKE: u32 = 1; +pub const PSA_WANT_ALG_SOME_PAKE: u32 = 1; pub const PSA_WANT_KEY_TYPE_DERIVE: u32 = 1; pub const PSA_WANT_KEY_TYPE_PASSWORD: u32 = 1; pub const PSA_WANT_KEY_TYPE_PASSWORD_HASH: u32 = 1; @@ -272,7 +348,7 @@ pub const MBEDTLS_ERR_MPI_DIVISION_BY_ZERO: i32 = -12; pub const MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: i32 = -14; pub const MBEDTLS_ERR_MPI_ALLOC_FAILED: i32 = -16; pub const MBEDTLS_MPI_MAX_LIMBS: u32 = 10000; -pub const MBEDTLS_MPI_WINDOW_SIZE: u32 = 2; +pub const MBEDTLS_MPI_WINDOW_SIZE: u32 = 3; pub const MBEDTLS_MPI_MAX_SIZE: u32 = 1024; pub const MBEDTLS_MPI_MAX_BITS: u32 = 8192; pub const MBEDTLS_MPI_MAX_BITS_SCALE100: u32 = 819200; @@ -320,6 +396,8 @@ pub const MBEDTLS_CIPHER_VARIABLE_KEY_LEN: u32 = 2; pub const MBEDTLS_MAX_IV_LENGTH: u32 = 16; pub const MBEDTLS_MAX_BLOCK_LENGTH: u32 = 16; pub const MBEDTLS_MAX_KEY_LENGTH: u32 = 64; +pub const MBEDTLS_KEY_BITLEN_SHIFT: u32 = 6; +pub const MBEDTLS_IV_SIZE_SHIFT: u32 = 2; pub const MBEDTLS_CCM_DECRYPT: u32 = 0; pub const MBEDTLS_CCM_ENCRYPT: u32 = 1; pub const MBEDTLS_CCM_STAR_DECRYPT: u32 = 2; @@ -332,7 +410,26 @@ pub const MBEDTLS_ERR_CHACHAPOLY_BAD_STATE: i32 = -84; pub const MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED: i32 = -86; pub const MBEDTLS_AES_BLOCK_SIZE: u32 = 16; pub const MBEDTLS_DES3_BLOCK_SIZE: u32 = 8; +pub const MBEDTLS_CMAC_MAX_BLOCK_SIZE: u32 = 16; pub const MBEDTLS_CIPHER_BLKSIZE_MAX: u32 = 16; +pub const MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: i32 = -20608; +pub const MBEDTLS_ERR_MD_BAD_INPUT_DATA: i32 = -20736; +pub const MBEDTLS_ERR_MD_ALLOC_FAILED: i32 = -20864; +pub const MBEDTLS_ERR_MD_FILE_IO_ERROR: i32 = -20992; +pub const MBEDTLS_MD_MAX_SIZE: u32 = 64; +pub const MBEDTLS_MD_MAX_BLOCK_SIZE: u32 = 128; +pub const MBEDTLS_ENTROPY_BLOCK_SIZE: u32 = 64; +pub const MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: i32 = -60; +pub const MBEDTLS_ERR_ENTROPY_MAX_SOURCES: i32 = -62; +pub const MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: i32 = -64; +pub const MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: i32 = -61; +pub const MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR: i32 = -63; +pub const MBEDTLS_ENTROPY_MAX_SOURCES: u32 = 20; +pub const MBEDTLS_ENTROPY_MAX_GATHER: u32 = 128; +pub const MBEDTLS_ENTROPY_MAX_SEED_SIZE: u32 = 1024; +pub const MBEDTLS_ENTROPY_SOURCE_MANUAL: u32 = 20; +pub const MBEDTLS_ENTROPY_SOURCE_STRONG: u32 = 1; +pub const MBEDTLS_ENTROPY_SOURCE_WEAK: u32 = 0; pub const MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED: i32 = -52; pub const MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG: i32 = -54; pub const MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG: i32 = -56; @@ -367,12 +464,6 @@ pub const MBEDTLS_ECP_MAX_PT_LEN: u32 = 133; pub const MBEDTLS_ECP_PF_UNCOMPRESSED: u32 = 0; pub const MBEDTLS_ECP_PF_COMPRESSED: u32 = 1; pub const MBEDTLS_ECP_TLS_NAMED_CURVE: u32 = 3; -pub const MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: i32 = -20608; -pub const MBEDTLS_ERR_MD_BAD_INPUT_DATA: i32 = -20736; -pub const MBEDTLS_ERR_MD_ALLOC_FAILED: i32 = -20864; -pub const MBEDTLS_ERR_MD_FILE_IO_ERROR: i32 = -20992; -pub const MBEDTLS_MD_MAX_SIZE: u32 = 64; -pub const MBEDTLS_MD_MAX_BLOCK_SIZE: u32 = 128; pub const MBEDTLS_ERR_RSA_BAD_INPUT_DATA: i32 = -16512; pub const MBEDTLS_ERR_RSA_INVALID_PADDING: i32 = -16640; pub const MBEDTLS_ERR_RSA_KEY_GEN_FAILED: i32 = -16768; @@ -387,6 +478,55 @@ pub const MBEDTLS_RSA_PKCS_V21: u32 = 1; pub const MBEDTLS_RSA_SIGN: u32 = 1; pub const MBEDTLS_RSA_CRYPT: u32 = 2; pub const MBEDTLS_RSA_SALT_LEN_ANY: i32 = -1; +pub const MBEDTLS_RSA_GEN_KEY_MIN_BITS: u32 = 1024; +pub const PSA_CRYPTO_API_VERSION_MAJOR: u32 = 1; +pub const PSA_CRYPTO_API_VERSION_MINOR: u32 = 0; +pub const PSA_MAC_TRUNCATION_OFFSET: u32 = 16; +pub const PSA_AEAD_TAG_LENGTH_OFFSET: u32 = 16; +pub const PSA_HMAC_MAX_HASH_BLOCK_SIZE: u32 = 128; +pub const PSA_HASH_MAX_SIZE: u32 = 64; +pub const PSA_MAC_MAX_SIZE: u32 = 64; +pub const PSA_AEAD_TAG_MAX_SIZE: u32 = 16; +pub const PSA_VENDOR_RSA_MAX_KEY_BITS: u32 = 4096; +pub const PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS: u32 = 1024; +pub const PSA_VENDOR_FFDH_MAX_KEY_BITS: u32 = 8192; +pub const PSA_VENDOR_ECC_MAX_CURVE_BITS: u32 = 521; +pub const PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE: u32 = 128; +pub const PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE: u32 = 65; +pub const PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE: u32 = 32; +pub const PSA_VENDOR_PBKDF2_MAX_ITERATIONS: u32 = 4294967295; +pub const PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE: u32 = 16; +pub const PSA_AEAD_NONCE_MAX_SIZE: u32 = 13; +pub const PSA_AEAD_FINISH_OUTPUT_MAX_SIZE: u32 = 16; +pub const PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE: u32 = 16; +pub const PSA_SIGNATURE_MAX_SIZE: u32 = 1; +pub const PSA_EXPORT_KEY_PAIR_MAX_SIZE: u32 = 1; +pub const PSA_EXPORT_PUBLIC_KEY_MAX_SIZE: u32 = 1; +pub const PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE: u32 = 1; +pub const PSA_CIPHER_MAX_KEY_LENGTH: u32 = 32; +pub const PSA_CIPHER_IV_MAX_SIZE: u32 = 16; +pub const PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE: u32 = 16; +pub const MBEDTLS_ERR_SHA1_BAD_INPUT_DATA: i32 = -115; +pub const MBEDTLS_ERR_SHA256_BAD_INPUT_DATA: i32 = -116; +pub const MBEDTLS_ERR_SHA512_BAD_INPUT_DATA: i32 = -117; +pub const MBEDTLS_ERR_SHA3_BAD_INPUT_DATA: i32 = -118; +pub const MBEDTLS_PSA_BUILTIN_CIPHER: u32 = 1; +pub const MBEDTLS_GCM_ENCRYPT: u32 = 1; +pub const MBEDTLS_GCM_DECRYPT: u32 = 0; +pub const MBEDTLS_ERR_GCM_AUTH_FAILED: i32 = -18; +pub const MBEDTLS_ERR_GCM_BAD_INPUT: i32 = -20; +pub const MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: i32 = -22; +pub const MBEDTLS_GCM_HTABLE_SIZE: u32 = 16; +pub const MBEDTLS_PSA_BUILTIN_AEAD: u32 = 1; +pub const MBEDTLS_PSA_JPAKE_BUFFER_SIZE: u32 = 336; +pub const PSA_MAX_KEY_BITS: u32 = 65528; +pub const PSA_CRYPTO_ITS_RANDOM_SEED_UID: u32 = 4294967122; +pub const MBEDTLS_PSA_KEY_SLOT_COUNT: u32 = 32; +pub const PSA_PAKE_OPERATION_STAGE_SETUP: u32 = 0; +pub const PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS: u32 = 1; +pub const PSA_PAKE_OPERATION_STAGE_COMPUTATION: u32 = 2; +pub const PSA_PAKE_OUTPUT_MAX_SIZE: u32 = 65; +pub const PSA_PAKE_INPUT_MAX_SIZE: u32 = 65; pub const MBEDTLS_ERR_PK_ALLOC_FAILED: i32 = -16256; pub const MBEDTLS_ERR_PK_TYPE_MISMATCH: i32 = -16128; pub const MBEDTLS_ERR_PK_BAD_INPUT_DATA: i32 = -16000; @@ -597,45 +737,6 @@ pub const MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256: u32 = 4869; pub const MBEDTLS_CIPHERSUITE_WEAK: u32 = 1; pub const MBEDTLS_CIPHERSUITE_SHORT_TAG: u32 = 2; pub const MBEDTLS_CIPHERSUITE_NODTLS: u32 = 4; -pub const PSA_CRYPTO_API_VERSION_MAJOR: u32 = 1; -pub const PSA_CRYPTO_API_VERSION_MINOR: u32 = 0; -pub const PSA_MAC_TRUNCATION_OFFSET: u32 = 16; -pub const PSA_AEAD_TAG_LENGTH_OFFSET: u32 = 16; -pub const PSA_HASH_MAX_SIZE: u32 = 64; -pub const PSA_HMAC_MAX_HASH_BLOCK_SIZE: u32 = 128; -pub const PSA_MAC_MAX_SIZE: u32 = 64; -pub const PSA_AEAD_TAG_MAX_SIZE: u32 = 16; -pub const PSA_VENDOR_RSA_MAX_KEY_BITS: u32 = 4096; -pub const PSA_VENDOR_ECC_MAX_CURVE_BITS: u32 = 521; -pub const PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE: u32 = 128; -pub const PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE: u32 = 65; -pub const PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE: u32 = 32; -pub const PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE: u32 = 16; -pub const PSA_AEAD_NONCE_MAX_SIZE: u32 = 13; -pub const PSA_AEAD_FINISH_OUTPUT_MAX_SIZE: u32 = 16; -pub const PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE: u32 = 16; -pub const PSA_CIPHER_IV_MAX_SIZE: u32 = 16; -pub const PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE: u32 = 16; -pub const MBEDTLS_GCM_ENCRYPT: u32 = 1; -pub const MBEDTLS_GCM_DECRYPT: u32 = 0; -pub const MBEDTLS_ERR_GCM_AUTH_FAILED: i32 = -18; -pub const MBEDTLS_ERR_GCM_BAD_INPUT: i32 = -20; -pub const MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: i32 = -22; -pub const MBEDTLS_ERR_SHA1_BAD_INPUT_DATA: i32 = -115; -pub const MBEDTLS_ERR_SHA256_BAD_INPUT_DATA: i32 = -116; -pub const MBEDTLS_ERR_SHA512_BAD_INPUT_DATA: i32 = -117; -pub const MBEDTLS_PSA_BUILTIN_CIPHER: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_AEAD: u32 = 1; -pub const MBEDTLS_PSA_JPAKE_BUFFER_SIZE: u32 = 336; -pub const PSA_MAX_KEY_BITS: u32 = 65528; -pub const MBEDTLS_PSA_KA_MASK_DUAL_USE: u32 = 0; -pub const PSA_CRYPTO_ITS_RANDOM_SEED_UID: u32 = 4294967122; -pub const MBEDTLS_PSA_KEY_SLOT_COUNT: u32 = 32; -pub const PSA_PAKE_OPERATION_STAGE_SETUP: u32 = 0; -pub const PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS: u32 = 1; -pub const PSA_PAKE_OPERATION_STAGE_COMPUTATION: u32 = 2; -pub const PSA_PAKE_OUTPUT_MAX_SIZE: u32 = 65; -pub const PSA_PAKE_INPUT_MAX_SIZE: u32 = 65; pub const MBEDTLS_X509_MAX_INTERMEDIATE_CA: u32 = 8; pub const MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE: i32 = -8320; pub const MBEDTLS_ERR_X509_UNKNOWN_OID: i32 = -8448; @@ -743,7 +844,9 @@ pub const MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY: i32 = -30848; pub const MBEDTLS_ERR_SSL_BAD_CERTIFICATE: i32 = -31232; pub const MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET: i32 = -31488; pub const MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA: i32 = -31616; -pub const MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA: i32 = -31744; +pub const MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA: i32 = -31744; +pub const MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA: i32 = -31872; +pub const MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND: i32 = -32384; pub const MBEDTLS_ERR_SSL_ALLOC_FAILED: i32 = -32512; pub const MBEDTLS_ERR_SSL_HW_ACCEL_FAILED: i32 = -32640; pub const MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: i32 = -28544; @@ -770,6 +873,7 @@ pub const MBEDTLS_ERR_SSL_EARLY_MESSAGE: i32 = -25728; pub const MBEDTLS_ERR_SSL_UNEXPECTED_CID: i32 = -24576; pub const MBEDTLS_ERR_SSL_VERSION_MISMATCH: i32 = -24320; pub const MBEDTLS_ERR_SSL_BAD_CONFIG: i32 = -24192; +pub const MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME: i32 = -23936; pub const MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE: u32 = 0; pub const MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE: u32 = 1; pub const MBEDTLS_SSL_IANA_TLS_GROUP_NONE: u32 = 0; @@ -841,6 +945,8 @@ pub const MBEDTLS_SSL_TRUNC_HMAC_ENABLED: u32 = 1; pub const MBEDTLS_SSL_TRUNCATED_HMAC_LEN: u32 = 10; pub const MBEDTLS_SSL_SESSION_TICKETS_DISABLED: u32 = 0; pub const MBEDTLS_SSL_SESSION_TICKETS_ENABLED: u32 = 1; +pub const MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED: u32 = 0; +pub const MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED: u32 = 1; pub const MBEDTLS_SSL_PRESET_DEFAULT: u32 = 0; pub const MBEDTLS_SSL_PRESET_SUITEB: u32 = 2; pub const MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED: u32 = 1; @@ -854,6 +960,9 @@ pub const MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER: u32 = 0; pub const MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN: u32 = 48; pub const MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN: u32 = 1000; pub const MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX: u32 = 60000; +pub const MBEDTLS_SSL_EARLY_DATA_NO_DISCARD: u32 = 0; +pub const MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD: u32 = 1; +pub const MBEDTLS_SSL_EARLY_DATA_DISCARD: u32 = 2; pub const MBEDTLS_SSL_IN_CONTENT_LEN: u32 = 16384; pub const MBEDTLS_SSL_OUT_CONTENT_LEN: u32 = 16384; pub const MBEDTLS_SSL_DTLS_MAX_BUFFERING: u32 = 32768; @@ -988,18 +1097,6 @@ pub const MBEDTLS_SSL_UNEXPECTED_CID_IGNORE: u32 = 0; pub const MBEDTLS_SSL_UNEXPECTED_CID_FAIL: u32 = 1; pub const MBEDTLS_PRINTF_SIZET: &[u8; 3] = b"zu\0"; pub const MBEDTLS_PRINTF_LONGLONG: &[u8; 4] = b"lld\0"; -pub const MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: i32 = -60; -pub const MBEDTLS_ERR_ENTROPY_MAX_SOURCES: i32 = -62; -pub const MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: i32 = -64; -pub const MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: i32 = -61; -pub const MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR: i32 = -63; -pub const MBEDTLS_ENTROPY_MAX_SOURCES: u32 = 20; -pub const MBEDTLS_ENTROPY_MAX_GATHER: u32 = 128; -pub const MBEDTLS_ENTROPY_BLOCK_SIZE: u32 = 64; -pub const MBEDTLS_ENTROPY_MAX_SEED_SIZE: u32 = 1024; -pub const MBEDTLS_ENTROPY_SOURCE_MANUAL: u32 = 20; -pub const MBEDTLS_ENTROPY_SOURCE_STRONG: u32 = 1; -pub const MBEDTLS_ENTROPY_SOURCE_WEAK: u32 = 0; pub const MBEDTLS_ERR_HKDF_BAD_INPUT_DATA: i32 = -24448; pub const MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG: i32 = -3; pub const MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG: i32 = -5; @@ -1041,6 +1138,7 @@ pub const MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS: u32 = 4096; pub const MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY: u32 = 8192; pub const MBEDTLS_OID_X509_EXT_FRESHEST_CRL: u32 = 16384; pub const MBEDTLS_OID_X509_EXT_NS_CERT_TYPE: u32 = 65536; +pub const MBEDTLS_OID_MAX_COMPONENTS: u32 = 128; pub const MBEDTLS_OID_ISO_MEMBER_BODIES: &[u8; 2] = b"*\0"; pub const MBEDTLS_OID_ISO_IDENTIFIED_ORG: &[u8; 2] = b"+\0"; pub const MBEDTLS_OID_ISO_CCITT_DS: &[u8; 2] = b"U\0"; @@ -1055,6 +1153,8 @@ pub const MBEDTLS_OID_ORG_OIW: &[u8; 2] = b"\x0E\0"; pub const MBEDTLS_OID_OIW_SECSIG: &[u8; 3] = b"\x0E\x03\0"; pub const MBEDTLS_OID_OIW_SECSIG_ALG: &[u8; 4] = b"\x0E\x03\x02\0"; pub const MBEDTLS_OID_OIW_SECSIG_SHA1: &[u8; 5] = b"\x0E\x03\x02\x1A\0"; +pub const MBEDTLS_OID_ORG_THAWTE: &[u8; 2] = b"e\0"; +pub const MBEDTLS_OID_THAWTE: &[u8; 3] = b"+e\0"; pub const MBEDTLS_OID_ORG_CERTICOM: &[u8; 3] = b"\x81\x04\0"; pub const MBEDTLS_OID_CERTICOM: &[u8; 4] = b"+\x81\x04\0"; pub const MBEDTLS_OID_ORG_TELETRUST: &[u8; 2] = b"$\0"; @@ -1153,14 +1253,26 @@ pub const MBEDTLS_OID_DIGEST_ALG_SHA256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x pub const MBEDTLS_OID_DIGEST_ALG_SHA384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x02\0"; pub const MBEDTLS_OID_DIGEST_ALG_SHA512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x03\0"; pub const MBEDTLS_OID_DIGEST_ALG_RIPEMD160: &[u8; 6] = b"+$\x03\x02\x01\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_224: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x07\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x08\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\t\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\n\0"; pub const MBEDTLS_OID_HMAC_SHA1: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x07\0"; pub const MBEDTLS_OID_HMAC_SHA224: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x08\0"; pub const MBEDTLS_OID_HMAC_SHA256: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\t\0"; pub const MBEDTLS_OID_HMAC_SHA384: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\n\0"; pub const MBEDTLS_OID_HMAC_SHA512: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x0B\0"; +pub const MBEDTLS_OID_HMAC_SHA3_224: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\r\0"; +pub const MBEDTLS_OID_HMAC_SHA3_256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x0E\0"; +pub const MBEDTLS_OID_HMAC_SHA3_384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x0F\0"; +pub const MBEDTLS_OID_HMAC_SHA3_512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x10\0"; +pub const MBEDTLS_OID_HMAC_RIPEMD160: &[u8; 9] = b"+\x06\x01\x05\x05\x08\x01\x04\0"; pub const MBEDTLS_OID_DES_CBC: &[u8; 6] = b"+\x0E\x03\x02\x07\0"; pub const MBEDTLS_OID_DES_EDE3_CBC: &[u8; 9] = b"*\x86H\x86\xF7\r\x03\x07\0"; pub const MBEDTLS_OID_AES: &[u8; 9] = b"`\x86H\x01e\x03\x04\x01\0"; +pub const MBEDTLS_OID_AES_128_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x02\0"; +pub const MBEDTLS_OID_AES_192_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x16\0"; +pub const MBEDTLS_OID_AES_256_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01*\0"; pub const MBEDTLS_OID_AES128_KW: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x05\0"; pub const MBEDTLS_OID_AES128_KWP: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x08\0"; pub const MBEDTLS_OID_AES192_KW: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x19\0"; @@ -1213,6 +1325,10 @@ pub const MBEDTLS_OID_ECDSA_SHA224: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x01\0"; pub const MBEDTLS_OID_ECDSA_SHA256: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x02\0"; pub const MBEDTLS_OID_ECDSA_SHA384: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x03\0"; pub const MBEDTLS_OID_ECDSA_SHA512: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x04\0"; +pub const MBEDTLS_OID_X25519: &[u8; 4] = b"+en\0"; +pub const MBEDTLS_OID_X448: &[u8; 4] = b"+eo\0"; +pub const MBEDTLS_OID_ED25519: &[u8; 4] = b"+ep\0"; +pub const MBEDTLS_OID_ED448: &[u8; 4] = b"+eq\0"; pub const MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT: i32 = -4224; pub const MBEDTLS_ERR_PEM_INVALID_DATA: i32 = -4352; pub const MBEDTLS_ERR_PEM_ALLOC_FAILED: i32 = -4480; @@ -1226,8 +1342,6 @@ pub const MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA: i32 = -12160; pub const MBEDTLS_ERR_PKCS5_INVALID_FORMAT: i32 = -12032; pub const MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE: i32 = -11904; pub const MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH: i32 = -11776; -pub const MBEDTLS_PKCS5_DECRYPT: u32 = 0; -pub const MBEDTLS_PKCS5_ENCRYPT: u32 = 1; pub const MBEDTLS_ERR_PKCS7_INVALID_FORMAT: i32 = -21248; pub const MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE: i32 = -21376; pub const MBEDTLS_ERR_PKCS7_INVALID_VERSION: i32 = -21504; @@ -1248,8 +1362,6 @@ pub const MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH: i32 = -7680; pub const MBEDTLS_PKCS12_DERIVE_KEY: u32 = 1; pub const MBEDTLS_PKCS12_DERIVE_IV: u32 = 2; pub const MBEDTLS_PKCS12_DERIVE_MAC_KEY: u32 = 3; -pub const MBEDTLS_PKCS12_PBE_DECRYPT: u32 = 0; -pub const MBEDTLS_PKCS12_PBE_ENCRYPT: u32 = 1; pub const MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT: u32 = 86400; pub const MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES: u32 = 50; pub const MBEDTLS_SSL_COOKIE_TIMEOUT: u32 = 60; @@ -1373,6 +1485,59 @@ unsafe extern "C" { /// \param len Length of the buffer in bytes pub fn mbedtls_platform_zeroize(buf: *mut ::core::ffi::c_void, len: usize); } +/// \brief The type of custom random generator (RNG) callbacks. +/// +/// Many Mbed TLS functions take two parameters +/// `mbedtls_f_rng_t *f_rng, void *p_rng`. The +/// library will call \c f_rng to generate +/// random values. +/// +/// \note This is typically one of the following: +/// - mbedtls_ctr_drbg_random() with \c p_rng +/// pointing to a #mbedtls_ctr_drbg_context; +/// - mbedtls_hmac_drbg_random() with \c p_rng +/// pointing to a #mbedtls_hmac_drbg_context; +/// - mbedtls_psa_get_random() with +/// `prng = MBEDTLS_PSA_RANDOM_STATE`. +/// +/// \note Generally, given a call +/// `mbedtls_foo(f_rng, p_rng, ....)`, the RNG callback +/// and the context only need to remain valid until +/// the call to `mbedtls_foo` returns. However, there +/// are a few exceptions where the callback is stored +/// in for future use. Check the documentation of +/// the calling function. +/// +/// \warning In a multithreaded environment, calling the +/// function should be thread-safe. The standard +/// functions provided by the library are thread-safe +/// when #MBEDTLS_THREADING_C is enabled. +/// +/// \warning This function must either provide as many +/// bytes as requested of **cryptographic quality** +/// random data, or return a negative error code. +/// +/// \param p_rng The \c p_rng argument that was passed along \c f_rng. +/// The library always passes \c p_rng unchanged. +/// This is typically a pointer to the random generator +/// state, or \c NULL if the custom random generator +/// doesn't need a context-specific state. +/// \param[out] output On success, this must be filled with \p output_size +/// bytes of cryptographic-quality random data. +/// \param output_size The number of bytes to output. +/// +/// \return \c 0 on success, or a negative error code on failure. +/// Library functions will generally propagate this +/// error code, so \c MBEDTLS_ERR_xxx values are +/// recommended. #MBEDTLS_ERR_ENTROPY_SOURCE_FAILED is +/// typically sensible for RNG failures. +pub type mbedtls_f_rng_t = ::core::option::Option< + unsafe extern "C" fn( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + ) -> ::core::ffi::c_int, +>; /// \brief The AES context-type definition. #[repr(C)] #[derive(Copy, Clone)] @@ -1931,6 +2096,10 @@ pub type mbedtls_t_udbl = u64; #[repr(C)] #[derive(Copy, Clone)] pub struct mbedtls_mpi { + /// Pointer to limbs. + /// + /// This may be \c NULL if \c n is 0. + pub private_p: *mut mbedtls_mpi_uint, /// Sign: -1 if the mpi is negative, 1 otherwise. /// /// The number 0 must be represented with `s = +1`. Although many library @@ -1941,13 +2110,9 @@ pub struct mbedtls_mpi { /// /// Note that this implies that calloc() or `... = {0}` does not create /// a valid MPI representation. You must call mbedtls_mpi_init(). - pub private_s: ::core::ffi::c_int, + pub private_s: ::core::ffi::c_short, /// Total number of limbs in \c p. - pub private_n: usize, - /// Pointer to limbs. - /// - /// This may be \c NULL if \c n is 0. - pub private_p: *mut mbedtls_mpi_uint, + pub private_n: ::core::ffi::c_ushort, } impl Default for mbedtls_mpi { fn default() -> Self { @@ -2222,7 +2387,7 @@ unsafe extern "C" { /// \param X The destination MPI. This must point to an initialized MPI. /// \param buf The input buffer. This must be a readable buffer of length /// \p buflen Bytes. - /// \param buflen The length of the input buffer \p p in Bytes. + /// \param buflen The length of the input buffer \p buf in Bytes. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. @@ -2239,7 +2404,7 @@ unsafe extern "C" { /// \param X The destination MPI. This must point to an initialized MPI. /// \param buf The input buffer. This must be a readable buffer of length /// \p buflen Bytes. - /// \param buflen The length of the input buffer \p p in Bytes. + /// \param buflen The length of the input buffer \p buf in Bytes. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. @@ -2294,6 +2459,8 @@ unsafe extern "C" { /// \brief Perform a left-shift on an MPI: X <<= count /// /// \param X The MPI to shift. This must point to an initialized MPI. + /// The MPI pointed by \p X may be resized to fit + /// the resulting number. /// \param count The number of bits to shift by. /// /// \return \c 0 if successful. @@ -2586,7 +2753,7 @@ unsafe extern "C" { ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Perform a sliding-window exponentiation: X = A^E mod N + /// \brief Perform a modular exponentiation: X = A^E mod N /// /// \param X The destination MPI. This must point to an initialized MPI. /// This must not alias E or N. @@ -2637,13 +2804,7 @@ unsafe extern "C" { pub fn mbedtls_mpi_fill_random( X: *mut mbedtls_mpi, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2683,13 +2844,7 @@ unsafe extern "C" { X: *mut mbedtls_mpi, min: mbedtls_mpi_sint, N: *const mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2697,6 +2852,7 @@ unsafe extern "C" { /// \brief Compute the greatest common divisor: G = gcd(A, B) /// /// \param G The destination MPI. This must point to an initialized MPI. + /// This will always be positive or 0. /// \param A The first operand. This must point to an initialized MPI. /// \param B The second operand. This must point to an initialized MPI. /// @@ -2713,17 +2869,19 @@ unsafe extern "C" { /// \brief Compute the modular inverse: X = A^-1 mod N /// /// \param X The destination MPI. This must point to an initialized MPI. + /// The value returned on success will be between [1, N-1]. /// \param A The MPI to calculate the modular inverse of. This must point - /// to an initialized MPI. + /// to an initialized MPI. This value can be negative, in which + /// case a positive answer will still be returned in \p X. /// \param N The base of the modular inversion. This must point to an - /// initialized MPI. + /// initialized MPI and be greater than one. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. /// \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than /// or equal to one. - /// \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p has no modular inverse - /// with respect to \p N. + /// \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p A has no modular + /// inverse with respect to \p N. pub fn mbedtls_mpi_inv_mod( X: *mut mbedtls_mpi, A: *const mbedtls_mpi, @@ -2746,7 +2904,7 @@ unsafe extern "C" { /// This must point to an initialized MPI. /// \param rounds The number of bases to perform the Miller-Rabin primality /// test for. The probability of returning 0 on a composite is - /// at most 2-2*\p rounds. + /// at most 2-2*\p rounds . /// \param f_rng The RNG function to use. This must not be \c NULL. /// \param p_rng The RNG parameter to be passed to \p f_rng. /// This may be \c NULL if \p f_rng doesn't use @@ -2759,13 +2917,7 @@ unsafe extern "C" { pub fn mbedtls_mpi_is_prime_ext( X: *const mbedtls_mpi, rounds: ::core::ffi::c_int, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2802,13 +2954,7 @@ unsafe extern "C" { X: *mut mbedtls_mpi, nbits: usize, flags: ::core::ffi::c_int, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -3185,7 +3331,7 @@ unsafe extern "C" { /// on a successful invocation. /// \param end The end of the ASN.1 SEQUENCE container. /// \param tag_must_mask A mask to be applied to the ASN.1 tags found within - /// the SEQUENCE before comparing to \p tag_must_value. + /// the SEQUENCE before comparing to \p tag_must_val. /// \param tag_must_val The required value of each ASN.1 tag found in the /// SEQUENCE, after masking with \p tag_must_mask. /// Mismatching tags lead to an error. @@ -3194,7 +3340,7 @@ unsafe extern "C" { /// while a value of \c 0xFF for \p tag_must_mask means /// that \p tag_must_val is the only allowed tag. /// \param tag_may_mask A mask to be applied to the ASN.1 tags found within - /// the SEQUENCE before comparing to \p tag_may_value. + /// the SEQUENCE before comparing to \p tag_may_val. /// \param tag_may_val The desired value of each ASN.1 tag found in the /// SEQUENCE, after masking with \p tag_may_mask. /// Mismatching tags will be silently ignored. @@ -3487,6 +3633,30 @@ unsafe extern "C" { par_len: usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Write an AlgorithmIdentifier sequence in ASN.1 format. + /// + /// \note This function works backwards in data buffer. + /// + /// \param p The reference to the current position pointer. + /// \param start The start of the buffer, for bounds-checking. + /// \param oid The OID of the algorithm to write. + /// \param oid_len The length of the algorithm's OID. + /// \param par_len The length of the parameters, which must be already written. + /// \param has_par If there are any parameters. If 0, par_len must be 0. If 1 + /// and \p par_len is 0, NULL parameters are added. + /// + /// \return The number of bytes written to \p p on success. + /// \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_asn1_write_algorithm_identifier_ext( + p: *mut *mut ::core::ffi::c_uchar, + start: *const ::core::ffi::c_uchar, + oid: *const ::core::ffi::c_char, + oid_len: usize, + par_len: usize, + has_par: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value /// in ASN.1 format. @@ -3989,32 +4159,17 @@ pub struct mbedtls_cipher_base_t { /// mbedtls_cipher_info_from_type(), /// mbedtls_cipher_info_from_values(), /// mbedtls_cipher_info_from_psa(). +/// +/// \note Some fields store a value that has been right-shifted to save +/// code-size, so should not be used directly. The accessor +/// functions adjust for this and return the "natural" value. #[repr(C)] #[derive(Copy, Clone)] pub struct mbedtls_cipher_info_t { - /// Full cipher identifier. For example, - /// MBEDTLS_CIPHER_AES_256_CBC. - pub private_type: mbedtls_cipher_type_t, - /// The cipher mode. For example, MBEDTLS_MODE_CBC. - pub private_mode: mbedtls_cipher_mode_t, - /// The cipher key length, in bits. This is the - /// default length for variable sized ciphers. - /// Includes parity bits for ciphers like DES. - pub private_key_bitlen: ::core::ffi::c_uint, /// Name of the cipher. pub private_name: *const ::core::ffi::c_char, - /// IV or nonce size, in Bytes. - /// For ciphers that accept variable IV sizes, - /// this is the recommended size. - pub private_iv_size: ::core::ffi::c_uint, - /// Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and - /// MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the - /// cipher supports variable IV or variable key sizes, respectively. - pub private_flags: ::core::ffi::c_int, - /// The block size, in Bytes. - pub private_block_size: ::core::ffi::c_uint, - /// Struct for base cipher information and functions. - pub private_base: *const mbedtls_cipher_base_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 4usize]>, } impl Default for mbedtls_cipher_info_t { fn default() -> Self { @@ -4025,46 +4180,321 @@ impl Default for mbedtls_cipher_info_t { } } } -/// Generic cipher context. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_cipher_context_t { - /// Information about the associated cipher. - pub private_cipher_info: *const mbedtls_cipher_info_t, - /// Key length to use. - pub private_key_bitlen: ::core::ffi::c_int, - /// Operation that the key of the context has been - /// initialized for. - pub private_operation: mbedtls_operation_t, - /// Padding functions to use, if relevant for - /// the specific cipher mode. - pub private_add_padding: ::core::option::Option< - unsafe extern "C" fn(output: *mut ::core::ffi::c_uchar, olen: usize, data_len: usize), - >, - pub private_get_padding: ::core::option::Option< - unsafe extern "C" fn( - input: *mut ::core::ffi::c_uchar, - ilen: usize, - data_len: *mut usize, - ) -> ::core::ffi::c_int, - >, - /// Buffer for input that has not been processed yet. - pub private_unprocessed_data: [::core::ffi::c_uchar; 16usize], - /// Number of Bytes that have not been processed yet. - pub private_unprocessed_len: usize, - /// Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number - /// for XTS-mode. - pub private_iv: [::core::ffi::c_uchar; 16usize], - /// IV size in Bytes, for ciphers with variable-length IVs. - pub private_iv_size: usize, - /// The cipher-specific context. - pub private_cipher_ctx: *mut ::core::ffi::c_void, - /// CMAC-specific context. - pub private_cmac_ctx: *mut mbedtls_cmac_context_t, -} -impl Default for mbedtls_cipher_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); +impl mbedtls_cipher_info_t { + #[inline] + pub fn private_block_size(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 5u8) as u32) } + } + #[inline] + pub fn set_private_block_size(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 5u8, val as u64) + } + } + #[inline] + pub unsafe fn private_block_size_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 5u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_block_size_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 5u8, + val as u64, + ) + } + } + #[inline] + pub fn private_iv_size(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(5usize, 3u8) as u32) } + } + #[inline] + pub fn set_private_iv_size(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(5usize, 3u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_size_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 5usize, + 3u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_size_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 5usize, + 3u8, + val as u64, + ) + } + } + #[inline] + pub fn private_key_bitlen(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(8usize, 4u8) as u32) } + } + #[inline] + pub fn set_private_key_bitlen(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(8usize, 4u8, val as u64) + } + } + #[inline] + pub unsafe fn private_key_bitlen_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 8usize, + 4u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_key_bitlen_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 8usize, + 4u8, + val as u64, + ) + } + } + #[inline] + pub fn private_mode(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(12usize, 4u8) as u32) } + } + #[inline] + pub fn set_private_mode(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(12usize, 4u8, val as u64) + } + } + #[inline] + pub unsafe fn private_mode_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 12usize, + 4u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_mode_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 12usize, + 4u8, + val as u64, + ) + } + } + #[inline] + pub fn private_type(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(16usize, 8u8) as u32) } + } + #[inline] + pub fn set_private_type(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(16usize, 8u8, val as u64) + } + } + #[inline] + pub unsafe fn private_type_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 16usize, + 8u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_type_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 16usize, + 8u8, + val as u64, + ) + } + } + #[inline] + pub fn private_flags(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(24usize, 2u8) as u32) } + } + #[inline] + pub fn set_private_flags(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(24usize, 2u8, val as u64) + } + } + #[inline] + pub unsafe fn private_flags_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 24usize, + 2u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_flags_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 24usize, + 2u8, + val as u64, + ) + } + } + #[inline] + pub fn private_base_idx(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(26usize, 5u8) as u32) } + } + #[inline] + pub fn set_private_base_idx(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(26usize, 5u8, val as u64) + } + } + #[inline] + pub unsafe fn private_base_idx_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 26usize, + 5u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_base_idx_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 26usize, + 5u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_block_size: ::core::ffi::c_uint, + private_iv_size: ::core::ffi::c_uint, + private_key_bitlen: ::core::ffi::c_uint, + private_mode: ::core::ffi::c_uint, + private_type: ::core::ffi::c_uint, + private_flags: ::core::ffi::c_uint, + private_base_idx: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 4usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 4usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 5u8, { + let private_block_size: u32 = unsafe { ::core::mem::transmute(private_block_size) }; + private_block_size as u64 + }); + __bindgen_bitfield_unit.set(5usize, 3u8, { + let private_iv_size: u32 = unsafe { ::core::mem::transmute(private_iv_size) }; + private_iv_size as u64 + }); + __bindgen_bitfield_unit.set(8usize, 4u8, { + let private_key_bitlen: u32 = unsafe { ::core::mem::transmute(private_key_bitlen) }; + private_key_bitlen as u64 + }); + __bindgen_bitfield_unit.set(12usize, 4u8, { + let private_mode: u32 = unsafe { ::core::mem::transmute(private_mode) }; + private_mode as u64 + }); + __bindgen_bitfield_unit.set(16usize, 8u8, { + let private_type: u32 = unsafe { ::core::mem::transmute(private_type) }; + private_type as u64 + }); + __bindgen_bitfield_unit.set(24usize, 2u8, { + let private_flags: u32 = unsafe { ::core::mem::transmute(private_flags) }; + private_flags as u64 + }); + __bindgen_bitfield_unit.set(26usize, 5u8, { + let private_base_idx: u32 = unsafe { ::core::mem::transmute(private_base_idx) }; + private_base_idx as u64 + }); + __bindgen_bitfield_unit + } +} +/// Generic cipher context. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_cipher_context_t { + /// Information about the associated cipher. + pub private_cipher_info: *const mbedtls_cipher_info_t, + /// Key length to use. + pub private_key_bitlen: ::core::ffi::c_int, + /// Operation that the key of the context has been + /// initialized for. + pub private_operation: mbedtls_operation_t, + /// Padding functions to use, if relevant for + /// the specific cipher mode. + pub private_add_padding: ::core::option::Option< + unsafe extern "C" fn(output: *mut ::core::ffi::c_uchar, olen: usize, data_len: usize), + >, + pub private_get_padding: ::core::option::Option< + unsafe extern "C" fn( + input: *mut ::core::ffi::c_uchar, + ilen: usize, + data_len: *mut usize, + invalid_padding: *mut usize, + ) -> ::core::ffi::c_int, + >, + /// Buffer for input that has not been processed yet. + pub private_unprocessed_data: [::core::ffi::c_uchar; 16usize], + /// Number of Bytes that have not been processed yet. + pub private_unprocessed_len: usize, + /// Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number + /// for XTS-mode. + pub private_iv: [::core::ffi::c_uchar; 16usize], + /// IV size in Bytes, for ciphers with variable-length IVs. + pub private_iv_size: usize, + /// The cipher-specific context. + pub private_cipher_ctx: *mut ::core::ffi::c_void, + /// CMAC-specific context. + pub private_cmac_ctx: *mut mbedtls_cmac_context_t, +} +impl Default for mbedtls_cipher_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); s.assume_init() @@ -4132,7 +4562,7 @@ unsafe extern "C" { ) -> *const mbedtls_cipher_info_t; } unsafe extern "C" { - /// \brief This function initializes a \p cipher_context as NONE. + /// \brief This function initializes a \p ctx as NONE. /// /// \param ctx The context to be initialized. This must not be \c NULL. pub fn mbedtls_cipher_init(ctx: *mut mbedtls_cipher_context_t); @@ -4203,7 +4633,6 @@ unsafe extern "C" { /// \brief This function sets the padding mode, for cipher modes /// that use padding. /// - /// The default passing mode is PKCS7 padding. /// /// \param ctx The generic cipher context. This must be initialized and /// bound to a cipher information structure. @@ -4253,23 +4682,24 @@ unsafe extern "C" { /// /// \note With non-AEAD ciphers, the order of calls for each message /// is as follows: - /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce. - /// 2. mbedtls_cipher_reset() - /// 3. mbedtls_cipher_update() one or more times - /// 4. mbedtls_cipher_finish() + /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce; + /// 2. mbedtls_cipher_reset(); + /// 3. mbedtls_cipher_update() zero, one or more times; + /// 4. mbedtls_cipher_finish_padded() (recommended for decryption + /// if the mode uses padding) or mbedtls_cipher_finish(). /// . /// This sequence can be repeated to encrypt or decrypt multiple /// messages with the same key. /// /// \note With AEAD ciphers, the order of calls for each message /// is as follows: - /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce. - /// 2. mbedtls_cipher_reset() - /// 3. mbedtls_cipher_update_ad() - /// 4. mbedtls_cipher_update() one or more times - /// 5. mbedtls_cipher_finish() + /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce; + /// 2. mbedtls_cipher_reset(); + /// 3. mbedtls_cipher_update_ad(); + /// 4. mbedtls_cipher_update() zero, one or more times; + /// 5. mbedtls_cipher_finish() (or mbedtls_cipher_finish_padded()); /// 6. mbedtls_cipher_check_tag() (for decryption) or - /// mbedtls_cipher_write_tag() (for encryption). + /// mbedtls_cipher_write_tag() (for encryption). /// . /// This sequence can be repeated to encrypt or decrypt multiple /// messages with the same key. @@ -4304,7 +4734,8 @@ unsafe extern "C" { /// many block-sized blocks of data as possible to output. /// Any data that cannot be written immediately is either /// added to the next block, or flushed when - /// mbedtls_cipher_finish() is called. + /// mbedtls_cipher_finish() or mbedtls_cipher_finish_padded() + /// is called. /// Exception: For MBEDTLS_MODE_ECB, expects a single block /// in size. For example, 16 Bytes for AES. /// @@ -4340,12 +4771,30 @@ unsafe extern "C" { /// contained in it is padded to the size of /// the last block, and written to the \p output buffer. /// + /// \warning This function reports invalid padding through an error + /// code. Adversaries may be able to decrypt encrypted + /// data if they can submit chosen ciphertexts and + /// detect whether it has valid padding or not, + /// either through direct observation or through a side + /// channel such as timing. This is known as a + /// padding oracle attack. + /// Therefore applications that call this function for + /// decryption with a cipher that involves padding + /// should take care around error handling. Preferably, + /// such applications should use + /// mbedtls_cipher_finish_padded() instead of this function. + /// /// \param ctx The generic cipher context. This must be initialized and /// bound to a key. /// \param output The buffer to write data to. This needs to be a writable - /// buffer of at least \p block_size Bytes. + /// buffer of at least block_size Bytes. /// \param olen The length of the data written to the \p output buffer. /// This may not be \c NULL. + /// Note that when decrypting in a mode with padding, + /// the actual output length is sensitive and may be + /// used to mount a padding oracle attack (see warning + /// above), although less efficiently than through + /// the invalid-padding condition. /// /// \return \c 0 on success. /// \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on @@ -4353,7 +4802,8 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption /// expecting a full block but not receiving one. /// \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding - /// while decrypting. + /// while decrypting. Note that invalid-padding errors + /// should be handled carefully; see the warning above. /// \return A cipher-specific error code on failure. pub fn mbedtls_cipher_finish( ctx: *mut mbedtls_cipher_context_t, @@ -4361,10 +4811,60 @@ unsafe extern "C" { olen: *mut usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief The generic cipher finalization function. If data still + /// needs to be flushed from an incomplete block, the data + /// contained in it is padded to the size of + /// the last block, and written to the \p output buffer. + /// + /// \note This function is similar to mbedtls_cipher_finish(). + /// The only difference is that it reports invalid padding + /// decryption differently, through the \p invalid_padding + /// parameter rather than an error code. + /// For encryption, and in modes without padding (including + /// all authenticated modes), this function is identical + /// to mbedtls_cipher_finish(). + /// + /// \param[in,out] ctx The generic cipher context. This must be initialized and + /// bound to a key. + /// \param[out] output The buffer to write data to. This needs to be a writable + /// buffer of at least block_size Bytes. + /// \param[out] olen The length of the data written to the \p output buffer. + /// This may not be \c NULL. + /// Note that when decrypting in a mode with padding, + /// the actual output length is sensitive and may be + /// used to mount a padding oracle attack (see warning + /// on mbedtls_cipher_finish()). + /// \param[out] invalid_padding + /// If this function returns \c 0 on decryption, + /// \p *invalid_padding is \c 0 if the ciphertext was + /// valid, and all-bits-one if the ciphertext had invalid + /// padding. + /// On encryption, or in a mode without padding (including + /// all authenticated modes), \p *invalid_padding is \c 0 + /// on success. + /// The value in \p *invalid_padding is unspecified if + /// this function returns a nonzero status. + /// + /// \return \c 0 on success. + /// Also \c 0 for decryption with invalid padding. + /// \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on + /// parameter-verification failure. + /// \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption + /// expecting a full block but not receiving one. + /// \return A cipher-specific error code on failure. + pub fn mbedtls_cipher_finish_padded( + ctx: *mut mbedtls_cipher_context_t, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + invalid_padding: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief This function writes a tag for AEAD ciphers. /// Currently supported with GCM and ChaCha20+Poly1305. - /// This must be called after mbedtls_cipher_finish(). + /// This must be called after mbedtls_cipher_finish() + /// or mbedtls_cipher_finish_padded(). /// /// \param ctx The generic cipher context. This must be initialized, /// bound to a key, and have just completed a cipher @@ -4385,7 +4885,8 @@ unsafe extern "C" { unsafe extern "C" { /// \brief This function checks the tag for AEAD ciphers. /// Currently supported with GCM and ChaCha20+Poly1305. - /// This must be called after mbedtls_cipher_finish(). + /// This must be called after mbedtls_cipher_finish() + /// or mbedtls_cipher_finish_padded(). /// /// \param ctx The generic cipher context. This must be initialized. /// \param tag The buffer holding the tag. This must be a readable @@ -4570,8 +5071,6 @@ pub struct mbedtls_ccm_context { pub private_y: [::core::ffi::c_uchar; 16usize], ///< The counter buffer pub private_ctr: [::core::ffi::c_uchar; 16usize], - ///< The cipher context used. - pub private_cipher_ctx: mbedtls_cipher_context_t, ///< Total plaintext length pub private_plaintext_len: usize, ///< Total authentication data length @@ -4586,16 +5085,17 @@ pub struct mbedtls_ccm_context { ///auth data input is finished. pub private_processed: usize, ///< The Q working value - pub private_q: ::core::ffi::c_uchar, + pub private_q: ::core::ffi::c_uint, ///< The operation to perform: ///#MBEDTLS_CCM_ENCRYPT or ///#MBEDTLS_CCM_DECRYPT or ///#MBEDTLS_CCM_STAR_ENCRYPT or ///#MBEDTLS_CCM_STAR_DECRYPT. - pub private_mode: ::core::ffi::c_uchar, + pub private_mode: ::core::ffi::c_uint, + ///< The cipher context used. + pub private_cipher_ctx: mbedtls_cipher_context_t, ///< Working value holding context's - ///state. Used for chunked data - ///input + ///state. Used for chunked data input pub private_state: ::core::ffi::c_int, } impl Default for mbedtls_ccm_context { @@ -5838,47 +6338,59 @@ unsafe extern "C" { /// \return \c 1 on failure. pub fn mbedtls_cmac_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -/// \brief The CTR_DRBG context structure. +///< None. +pub const mbedtls_md_type_t_MBEDTLS_MD_NONE: mbedtls_md_type_t = 0; +///< The MD5 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_MD5: mbedtls_md_type_t = 3; +///< The RIPEMD-160 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_RIPEMD160: mbedtls_md_type_t = 4; +///< The SHA-1 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA1: mbedtls_md_type_t = 5; +///< The SHA-224 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA224: mbedtls_md_type_t = 8; +///< The SHA-256 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA256: mbedtls_md_type_t = 9; +///< The SHA-384 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA384: mbedtls_md_type_t = 10; +///< The SHA-512 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA512: mbedtls_md_type_t = 11; +///< The SHA3-224 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_224: mbedtls_md_type_t = 16; +///< The SHA3-256 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_256: mbedtls_md_type_t = 17; +///< The SHA3-384 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_384: mbedtls_md_type_t = 18; +///< The SHA3-512 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_512: mbedtls_md_type_t = 19; +/// \brief Supported message digests. +/// +/// \warning MD5 and SHA-1 are considered weak message digests and +/// their use constitutes a security risk. We recommend considering +/// stronger message digests instead. +pub type mbedtls_md_type_t = ::core::ffi::c_uint; #[repr(C)] #[derive(Copy, Clone)] -pub struct mbedtls_ctr_drbg_context { - ///< The counter (V). - pub private_counter: [::core::ffi::c_uchar; 16usize], - ///< The reseed counter. - /// This is the number of requests that have - /// been made since the last (re)seeding, - /// minus one. - /// Before the initial seeding, this field - /// contains the amount of entropy in bytes - /// to use as a nonce for the initial seeding, - /// or -1 if no nonce length has been explicitly - /// set (see mbedtls_ctr_drbg_set_nonce_len()). - pub private_reseed_counter: ::core::ffi::c_int, - ///< This determines whether prediction - ///resistance is enabled, that is - ///whether to systematically reseed before - ///each random generation. - pub private_prediction_resistance: ::core::ffi::c_int, - ///< The amount of entropy grabbed on each - ///seed or reseed operation, in bytes. - pub private_entropy_len: usize, - ///< The reseed interval. - /// This is the maximum number of requests - /// that can be made between reseedings. - pub private_reseed_interval: ::core::ffi::c_int, - ///< The AES context. - pub private_aes_ctx: mbedtls_aes_context, - pub private_f_entropy: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - ///< The context for the entropy function. - pub private_p_entropy: *mut ::core::ffi::c_void, +pub struct mbedtls_md_info_t { + _unused: [u8; 0], } -impl Default for mbedtls_ctr_drbg_context { +pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_LEGACY: mbedtls_md_engine_t = 0; +pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_PSA: mbedtls_md_engine_t = 1; +/// Used internally to indicate whether a context uses legacy or PSA. +/// +/// Internal use only. +pub type mbedtls_md_engine_t = ::core::ffi::c_uint; +/// The generic message-digest context. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_md_context_t { + /// Information about the associated message digest. + pub private_md_info: *const mbedtls_md_info_t, + /// The digest-specific context (legacy) or the PSA operation. + pub private_md_ctx: *mut ::core::ffi::c_void, + /// The HMAC part of the context. + pub private_hmac_ctx: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_md_context_t { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -5888,4389 +6400,3745 @@ impl Default for mbedtls_ctr_drbg_context { } } unsafe extern "C" { - /// \brief This function initializes the CTR_DRBG context, - /// and prepares it for mbedtls_ctr_drbg_seed() - /// or mbedtls_ctr_drbg_free(). + /// \brief This function returns the message-digest information + /// associated with the given digest type. /// - /// \note The reseed interval is - /// #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default. - /// You can override it by calling - /// mbedtls_ctr_drbg_set_reseed_interval(). + /// \param md_type The type of digest to search for. /// - /// \param ctx The CTR_DRBG context to initialize. - pub fn mbedtls_ctr_drbg_init(ctx: *mut mbedtls_ctr_drbg_context); + /// \return The message-digest information associated with \p md_type. + /// \return NULL if the associated message-digest information is not found. + pub fn mbedtls_md_info_from_type(md_type: mbedtls_md_type_t) -> *const mbedtls_md_info_t; } unsafe extern "C" { - /// - The \p custom string. - /// - /// \note To achieve the nominal security strength permitted - /// by CTR_DRBG, the entropy length must be: - /// - at least 16 bytes for a 128-bit strength - /// (maximum achievable strength when using AES-128); - /// - at least 32 bytes for a 256-bit strength - /// (maximum achievable strength when using AES-256). - /// - /// In addition, if you do not pass a nonce in \p custom, - /// the sum of the entropy length - /// and the entropy nonce length must be: - /// - at least 24 bytes for a 128-bit strength - /// (maximum achievable strength when using AES-128); - /// - at least 48 bytes for a 256-bit strength - /// (maximum achievable strength when using AES-256). - /// - /// \param ctx The CTR_DRBG context to seed. - /// It must have been initialized with - /// mbedtls_ctr_drbg_init(). - /// After a successful call to mbedtls_ctr_drbg_seed(), - /// you may not call mbedtls_ctr_drbg_seed() again on - /// the same context unless you call - /// mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init() - /// again first. - /// After a failed call to mbedtls_ctr_drbg_seed(), - /// you must call mbedtls_ctr_drbg_free(). - /// \param f_entropy The entropy callback, taking as arguments the - /// \p p_entropy context, the buffer to fill, and the - /// length of the buffer. - /// \p f_entropy is always called with a buffer size - /// less than or equal to the entropy length. - /// \param p_entropy The entropy context to pass to \p f_entropy. - /// \param custom The personalization string. - /// This can be \c NULL, in which case the personalization - /// string is empty regardless of the value of \p len. - /// \param len The length of the personalization string. - /// This must be at most - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// - #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// \brief This function initializes a message-digest context without + /// binding it to a particular message-digest algorithm. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. - pub fn mbedtls_ctr_drbg_seed( - ctx: *mut mbedtls_ctr_drbg_context, - f_entropy: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_entropy: *mut ::core::ffi::c_void, - custom: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// This function should always be called first. It prepares the + /// context for mbedtls_md_setup() for binding it to a + /// message-digest algorithm. + pub fn mbedtls_md_init(ctx: *mut mbedtls_md_context_t); } unsafe extern "C" { - /// \brief This function resets CTR_DRBG context to the state immediately - /// after initial call of mbedtls_ctr_drbg_init(). + /// \brief This function clears the internal structure of \p ctx and + /// frees any embedded internal structure, but does not free + /// \p ctx itself. /// - /// \param ctx The CTR_DRBG context to clear. - pub fn mbedtls_ctr_drbg_free(ctx: *mut mbedtls_ctr_drbg_context); + /// If you have called mbedtls_md_setup() on \p ctx, you must + /// call mbedtls_md_free() when you are no longer using the + /// context. + /// Calling this function if you have previously + /// called mbedtls_md_init() and nothing else is optional. + /// You must not call this function if you have not called + /// mbedtls_md_init(). + pub fn mbedtls_md_free(ctx: *mut mbedtls_md_context_t); } unsafe extern "C" { - /// \brief This function turns prediction resistance on or off. - /// The default value is off. + /// \brief This function selects the message digest algorithm to use, + /// and allocates internal structures. /// - /// \note If enabled, entropy is gathered at the beginning of - /// every call to mbedtls_ctr_drbg_random_with_add() - /// or mbedtls_ctr_drbg_random(). - /// Only use this if your entropy source has sufficient - /// throughput. + /// It should be called after mbedtls_md_init() or + /// mbedtls_md_free(). Makes it necessary to call + /// mbedtls_md_free() later. /// - /// \param ctx The CTR_DRBG context. - /// \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF. - pub fn mbedtls_ctr_drbg_set_prediction_resistance( - ctx: *mut mbedtls_ctr_drbg_context, - resistance: ::core::ffi::c_int, - ); + /// \param ctx The context to set up. + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory), + /// or non-zero: HMAC is used with this context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + /// \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure. + pub fn mbedtls_md_setup( + ctx: *mut mbedtls_md_context_t, + md_info: *const mbedtls_md_info_t, + hmac: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the amount of entropy grabbed on each - /// seed or reseed. - /// - /// The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// \brief This function clones the state of a message-digest + /// context. /// - /// \note The security strength of CTR_DRBG is bounded by the - /// entropy length. Thus: - /// - When using AES-256 - /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled, - /// which is the default), - /// \p len must be at least 32 (in bytes) - /// to achieve a 256-bit strength. - /// - When using AES-128 - /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) - /// \p len must be at least 16 (in bytes) - /// to achieve a 128-bit strength. + /// \note You must call mbedtls_md_setup() on \c dst before calling + /// this function. /// - /// \param ctx The CTR_DRBG context. - /// \param len The amount of entropy to grab, in bytes. - /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// and at most the maximum length accepted by the - /// entropy function that is set in the context. - pub fn mbedtls_ctr_drbg_set_entropy_len(ctx: *mut mbedtls_ctr_drbg_context, len: usize); -} -unsafe extern "C" { - /// \brief This function sets the amount of entropy grabbed - /// as a nonce for the initial seeding. + /// \note The two contexts must have the same type, + /// for example, both are SHA-256. /// - /// Call this function before calling mbedtls_ctr_drbg_seed() to read - /// a nonce from the entropy source during the initial seeding. + /// \warning This function clones the message-digest state, not the + /// HMAC state. /// - /// \param ctx The CTR_DRBG context. - /// \param len The amount of entropy to grab for the nonce, in bytes. - /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// and at most the maximum length accepted by the - /// entropy function that is set in the context. + /// \param dst The destination context. + /// \param src The context to be cloned. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is - /// more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED - /// if the initial seeding has already taken place. - pub fn mbedtls_ctr_drbg_set_nonce_len( - ctx: *mut mbedtls_ctr_drbg_context, - len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure. + /// \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are + /// not using the same engine. This can be avoided by moving + /// the call to psa_crypto_init() before the first call to + /// mbedtls_md_setup(). + pub fn mbedtls_md_clone( + dst: *mut mbedtls_md_context_t, + src: *const mbedtls_md_context_t, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the reseed interval. - /// - /// The reseed interval is the number of calls to mbedtls_ctr_drbg_random() - /// or mbedtls_ctr_drbg_random_with_add() after which the entropy function - /// is called again. + /// \brief This function extracts the message-digest size from the + /// message-digest information structure. /// - /// The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL. + /// \param md_info The information structure of the message-digest algorithm + /// to use. /// - /// \param ctx The CTR_DRBG context. - /// \param interval The reseed interval. - pub fn mbedtls_ctr_drbg_set_reseed_interval( - ctx: *mut mbedtls_ctr_drbg_context, - interval: ::core::ffi::c_int, - ); + /// \return The size of the message-digest output in Bytes. + pub fn mbedtls_md_get_size(md_info: *const mbedtls_md_info_t) -> ::core::ffi::c_uchar; } unsafe extern "C" { - /// \brief This function reseeds the CTR_DRBG context, that is - /// extracts data from the entropy source. + /// \brief This function extracts the message-digest type from the + /// message-digest information structure. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// \param md_info The information structure of the message-digest algorithm + /// to use. /// - /// \param ctx The CTR_DRBG context. - /// \param additional Additional data to add to the state. Can be \c NULL. - /// \param len The length of the additional data. - /// This must be less than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len - /// where \c entropy_len is the entropy length - /// configured for the context. + /// \return The type of the message digest. + pub fn mbedtls_md_get_type(md_info: *const mbedtls_md_info_t) -> mbedtls_md_type_t; +} +unsafe extern "C" { + /// \brief This function starts a message-digest computation. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. - pub fn mbedtls_ctr_drbg_reseed( - ctx: *mut mbedtls_ctr_drbg_context, - additional: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// You must call this function after setting up the context + /// with mbedtls_md_setup(), and before passing data with + /// mbedtls_md_update(). + /// + /// \param ctx The generic message-digest context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_starts(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function updates the state of the CTR_DRBG context. + /// \brief This function feeds an input buffer into an ongoing + /// message-digest computation. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// You must call mbedtls_md_starts() before calling this + /// function. You may call this function multiple times. + /// Afterwards, call mbedtls_md_finish(). /// - /// \param ctx The CTR_DRBG context. - /// \param additional The data to update the state with. This must not be - /// \c NULL unless \p add_len is \c 0. - /// \param add_len Length of \p additional in bytes. This must be at - /// most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \param ctx The generic message-digest context. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if - /// \p add_len is more than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. - /// \return An error from the underlying AES cipher on failure. - pub fn mbedtls_ctr_drbg_update( - ctx: *mut mbedtls_ctr_drbg_context, - additional: *const ::core::ffi::c_uchar, - add_len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_update( + ctx: *mut mbedtls_md_context_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function updates a CTR_DRBG instance with additional - /// data and uses it to generate random data. - /// - /// This function automatically reseeds if the reseed counter is exceeded - /// or prediction resistance is enabled. + /// \brief This function finishes the digest operation, + /// and writes the result to the output buffer. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// Call this function after a call to mbedtls_md_starts(), + /// followed by any number of calls to mbedtls_md_update(). + /// Afterwards, you may either clear the context with + /// mbedtls_md_free(), or call mbedtls_md_starts() to reuse + /// the context for another digest operation with the same + /// algorithm. /// - /// \param p_rng The CTR_DRBG context. This must be a pointer to a - /// #mbedtls_ctr_drbg_context structure. - /// \param output The buffer to fill. - /// \param output_len The length of the buffer in bytes. - /// \param additional Additional data to update. Can be \c NULL, in which - /// case the additional data is empty regardless of - /// the value of \p add_len. - /// \param add_len The length of the additional data - /// if \p additional is not \c NULL. - /// This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT - /// and less than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len - /// where \c entropy_len is the entropy length - /// configured for the context. + /// \param ctx The generic message-digest context. + /// \param output The buffer for the generic message-digest checksum result. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or - /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. - pub fn mbedtls_ctr_drbg_random_with_add( - p_rng: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_finish( + ctx: *mut mbedtls_md_context_t, output: *mut ::core::ffi::c_uchar, - output_len: usize, - additional: *const ::core::ffi::c_uchar, - add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \param p_rng The CTR_DRBG context. This must be a pointer to a - /// #mbedtls_ctr_drbg_context structure. - /// \param output The buffer to fill. - /// \param output_len The length of the buffer in bytes. + /// \brief This function calculates the message-digest of a buffer, + /// with respect to a configurable message-digest algorithm + /// in a single call. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or - /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. - pub fn mbedtls_ctr_drbg_random( - p_rng: *mut ::core::ffi::c_void, + /// The result is calculated as + /// Output = message_digest(input buffer). + /// + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param input The buffer holding the data. + /// \param ilen The length of the input data. + /// \param output The generic message-digest checksum result. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md( + md_info: *const mbedtls_md_info_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, output: *mut ::core::ffi::c_uchar, - output_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief The CTR_DRBG checkup routine. + /// \brief This function returns the list of digests supported by the + /// generic digest module. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_ctr_drbg_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -///< Curve not defined. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_NONE: mbedtls_ecp_group_id = 0; -///< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192R1: mbedtls_ecp_group_id = 1; -///< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224R1: mbedtls_ecp_group_id = 2; -///< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256R1: mbedtls_ecp_group_id = 3; -///< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP384R1: mbedtls_ecp_group_id = 4; -///< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP521R1: mbedtls_ecp_group_id = 5; -///< Domain parameters for 256-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP256R1: mbedtls_ecp_group_id = 6; -///< Domain parameters for 384-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP384R1: mbedtls_ecp_group_id = 7; -///< Domain parameters for 512-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP512R1: mbedtls_ecp_group_id = 8; -///< Domain parameters for Curve25519. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE25519: mbedtls_ecp_group_id = 9; -///< Domain parameters for 192-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192K1: mbedtls_ecp_group_id = 10; -///< Domain parameters for 224-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224K1: mbedtls_ecp_group_id = 11; -///< Domain parameters for 256-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256K1: mbedtls_ecp_group_id = 12; -///< Domain parameters for Curve448. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE448: mbedtls_ecp_group_id = 13; -/// Domain-parameter identifiers: curve, subgroup, and generator. -/// -/// \note Only curves over prime fields are supported. -/// -/// \warning This library does not support validation of arbitrary domain -/// parameters. Therefore, only standardized domain parameters from trusted -/// sources should be used. See mbedtls_ecp_group_load(). -pub type mbedtls_ecp_group_id = ::core::ffi::c_uint; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_NONE: mbedtls_ecp_curve_type = 0; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: mbedtls_ecp_curve_type = 1; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_MONTGOMERY: mbedtls_ecp_curve_type = 2; -pub type mbedtls_ecp_curve_type = ::core::ffi::c_uint; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_NONE: mbedtls_ecp_modulus_type = 0; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_COORDINATE: mbedtls_ecp_modulus_type = 1; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_SCALAR: mbedtls_ecp_modulus_type = 2; -pub type mbedtls_ecp_modulus_type = ::core::ffi::c_uint; -/// Curve information, for use by other modules. -/// -/// The fields of this structure are part of the public API and can be -/// accessed directly by applications. Future versions of the library may -/// add extra fields or reorder existing fields. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_curve_info { - ///< An internal identifier. - pub grp_id: mbedtls_ecp_group_id, - ///< The TLS NamedCurve identifier. - pub tls_id: u16, - ///< The curve size in bits. - pub bit_size: u16, - ///< A human-friendly name. - pub name: *const ::core::ffi::c_char, + /// \note The list starts with the strongest available hashes. + /// + /// \return A statically allocated array of digests. Each element + /// in the returned list is an integer belonging to the + /// message-digest enumeration #mbedtls_md_type_t. + /// The last entry is 0. + pub fn mbedtls_md_list() -> *const ::core::ffi::c_int; } -impl Default for mbedtls_ecp_curve_info { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief This function returns the message-digest information + /// associated with the given digest name. + /// + /// \param md_name The name of the digest to search for. + /// + /// \return The message-digest information associated with \p md_name. + /// \return NULL if the associated message-digest information is not found. + pub fn mbedtls_md_info_from_string( + md_name: *const ::core::ffi::c_char, + ) -> *const mbedtls_md_info_t; } -/// \brief The ECP point structure, in Jacobian coordinates. -/// -/// \note All functions expect and return points satisfying -/// the following condition: Z == 0 or -/// Z == 1. Other values of \p Z are -/// used only by internal functions. -/// The point is zero, or "at infinity", if Z == 0. -/// Otherwise, \p X and \p Y are its standard (affine) -/// coordinates. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_point { - ///< The X coordinate of the ECP point. - pub private_X: mbedtls_mpi, - ///< The Y coordinate of the ECP point. - pub private_Y: mbedtls_mpi, - ///< The Z coordinate of the ECP point. - pub private_Z: mbedtls_mpi, -} -impl Default for mbedtls_ecp_point { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -/// \brief The ECP group structure. -/// -/// We consider two types of curve equations: -///
  • Short Weierstrass: y^2 = x^3 + A x + B mod P -/// (SEC1 + RFC-4492)
    • -///
  • Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, -/// Curve448)
-/// In both cases, the generator (\p G) for a prime-order subgroup is fixed. -/// -/// For Short Weierstrass, this subgroup is the whole curve, and its -/// cardinality is denoted by \p N. Our code requires that \p N is an -/// odd prime as mbedtls_ecp_mul() requires an odd number, and -/// mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. -/// -/// For Montgomery curves, we do not store \p A, but (A + 2) / 4, -/// which is the quantity used in the formulas. Additionally, \p nbits is -/// not the size of \p N but the required size for private keys. -/// -/// If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. -/// Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the -/// range of 0..2^(2*pbits)-1, and transforms it in-place to an integer -/// which is congruent mod \p P to the given MPI, and is close enough to \p pbits -/// in size, so that it may be efficiently brought in the 0..P-1 range by a few -/// additions or subtractions. Therefore, it is only an approximative modular -/// reduction. It must return 0 on success and non-zero on failure. -/// -/// \note Alternative implementations of the ECP module must obey the -/// following constraints. -/// * Group IDs must be distinct: if two group structures have -/// the same ID, then they must be identical. -/// * The fields \c id, \c P, \c A, \c B, \c G, \c N, -/// \c pbits and \c nbits must have the same type and semantics -/// as in the built-in implementation. -/// They must be available for reading, but direct modification -/// of these fields does not need to be supported. -/// They do not need to be at the same offset in the structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_group { - ///< An internal group identifier. - pub id: mbedtls_ecp_group_id, - ///< The prime modulus of the base field. - pub P: mbedtls_mpi, - ///< For Short Weierstrass: \p A in the equation. For - ///Montgomery curves: (A + 2) / 4. - pub A: mbedtls_mpi, - ///< For Short Weierstrass: \p B in the equation. - ///For Montgomery curves: unused. - pub B: mbedtls_mpi, - ///< The generator of the subgroup used. - pub G: mbedtls_ecp_point, - ///< The order of \p G. - pub N: mbedtls_mpi, - ///< The number of bits in \p P. - pub pbits: usize, - ///< For Short Weierstrass: The number of bits in \p P. - ///For Montgomery curves: the number of bits in the - ///private keys. - pub nbits: usize, - ///< \internal 1 if the constants are static. - pub private_h: ::core::ffi::c_uint, - ///< The function for fast pseudo-reduction - ///mod \p P (see above). - pub private_modp: - ::core::option::Option ::core::ffi::c_int>, - ///< Unused. - pub private_t_pre: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut mbedtls_ecp_point, - arg2: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int, - >, - ///< Unused. - pub private_t_post: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut mbedtls_ecp_point, - arg2: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int, - >, - ///< Unused. - pub private_t_data: *mut ::core::ffi::c_void, - ///< Pre-computed points for ecp_mul_comb(). - pub private_T: *mut mbedtls_ecp_point, - ///< The number of dynamic allocated pre-computed points. - pub private_T_size: usize, -} -impl Default for mbedtls_ecp_group { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -pub type mbedtls_ecp_restart_ctx = ::core::ffi::c_void; -/// \brief The ECP key-pair structure. -/// -/// A generic key-pair that may be used for ECDSA and fixed ECDH, for example. -/// -/// \note Members are deliberately in the same order as in the -/// ::mbedtls_ecdsa_context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_keypair { - ///< Elliptic curve and base point - pub private_grp: mbedtls_ecp_group, - ///< our secret value - pub private_d: mbedtls_mpi, - ///< our public value - pub private_Q: mbedtls_ecp_point, -} -impl Default for mbedtls_ecp_keypair { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - pub fn mbedtls_ecp_get_type(grp: *const mbedtls_ecp_group) -> mbedtls_ecp_curve_type; +unsafe extern "C" { + /// \brief This function returns the name of the message digest for + /// the message-digest information structure given. + /// + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// + /// \return The name of the message digest. + pub fn mbedtls_md_get_name(md_info: *const mbedtls_md_info_t) -> *const ::core::ffi::c_char; } unsafe extern "C" { - /// \brief This function retrieves the information defined in - /// mbedtls_ecp_curve_info() for all supported curves. + /// \brief This function returns the message-digest information + /// from the given context. /// - /// \note This function returns information about all curves - /// supported by the library. Some curves may not be - /// supported for all algorithms. Call mbedtls_ecdh_can_do() - /// or mbedtls_ecdsa_can_do() to check if a curve is - /// supported for ECDH or ECDSA. + /// \param ctx The context from which to extract the information. + /// This must be initialized (or \c NULL). /// - /// \return A statically allocated array. The last entry is 0. - pub fn mbedtls_ecp_curve_list() -> *const mbedtls_ecp_curve_info; + /// \return The message-digest information associated with \p ctx. + /// \return \c NULL if \p ctx is \c NULL. + pub fn mbedtls_md_info_from_ctx(ctx: *const mbedtls_md_context_t) -> *const mbedtls_md_info_t; } unsafe extern "C" { - /// \brief This function retrieves the list of internal group - /// identifiers of all supported curves in the order of - /// preference. + /// \brief This function sets the HMAC key and prepares to + /// authenticate a new message. /// - /// \note This function returns information about all curves - /// supported by the library. Some curves may not be - /// supported for all algorithms. Call mbedtls_ecdh_can_do() - /// or mbedtls_ecdsa_can_do() to check if a curve is - /// supported for ECDH or ECDSA. + /// Call this function after mbedtls_md_setup(), to use + /// the MD context for an HMAC calculation, then call + /// mbedtls_md_hmac_update() to provide the input data, and + /// mbedtls_md_hmac_finish() to get the HMAC value. /// - /// \return A statically allocated array, - /// terminated with MBEDTLS_ECP_DP_NONE. - pub fn mbedtls_ecp_grp_id_list() -> *const mbedtls_ecp_group_id; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param key The HMAC secret key. + /// \param keylen The length of the HMAC key in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_starts( + ctx: *mut mbedtls_md_context_t, + key: *const ::core::ffi::c_uchar, + keylen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from an internal - /// group identifier. + /// \brief This function feeds an input buffer into an ongoing HMAC + /// computation. /// - /// \param grp_id An \c MBEDTLS_ECP_DP_XXX value. + /// Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() + /// before calling this function. + /// You may call this function multiple times to pass the + /// input piecewise. + /// Afterwards, call mbedtls_md_hmac_finish(). /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_grp_id( - grp_id: mbedtls_ecp_group_id, - ) -> *const mbedtls_ecp_curve_info; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_update( + ctx: *mut mbedtls_md_context_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from a TLS - /// NamedCurve value. + /// \brief This function finishes the HMAC operation, and writes + /// the result to the output buffer. /// - /// \param tls_id An \c MBEDTLS_ECP_DP_XXX value. + /// Call this function after mbedtls_md_hmac_starts() and + /// mbedtls_md_hmac_update() to get the HMAC value. Afterwards + /// you may either call mbedtls_md_free() to clear the context, + /// or call mbedtls_md_hmac_reset() to reuse the context with + /// the same HMAC key. /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_tls_id(tls_id: u16) -> *const mbedtls_ecp_curve_info; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param output The generic HMAC checksum result. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_finish( + ctx: *mut mbedtls_md_context_t, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from a - /// human-readable name. + /// \brief This function prepares to authenticate a new message with + /// the same key as the previous HMAC operation. /// - /// \param name The human-readable name. + /// You may call this function after mbedtls_md_hmac_finish(). + /// Afterwards call mbedtls_md_hmac_update() to pass the new + /// input. /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_name( - name: *const ::core::ffi::c_char, - ) -> *const mbedtls_ecp_curve_info; -} -unsafe extern "C" { - /// \brief This function initializes a point as zero. + /// \param ctx The message digest context containing an embedded HMAC + /// context. /// - /// \param pt The point to initialize. - pub fn mbedtls_ecp_point_init(pt: *mut mbedtls_ecp_point); + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_reset(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function initializes an ECP group context - /// without loading any domain parameters. + /// \brief This function calculates the full generic HMAC + /// on the input buffer with the provided key. /// - /// \note After this function is called, domain parameters - /// for various ECP groups can be loaded through the - /// mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() - /// functions. - pub fn mbedtls_ecp_group_init(grp: *mut mbedtls_ecp_group); -} -unsafe extern "C" { - /// \brief This function initializes a key pair as an invalid one. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// \param key The key pair to initialize. - pub fn mbedtls_ecp_keypair_init(key: *mut mbedtls_ecp_keypair); -} -unsafe extern "C" { - /// \brief This function frees the components of a point. + /// The HMAC result is calculated as + /// output = generic HMAC(hmac key, input buffer). /// - /// \param pt The point to free. - pub fn mbedtls_ecp_point_free(pt: *mut mbedtls_ecp_point); -} -unsafe extern "C" { - /// \brief This function frees the components of an ECP group. + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param key The HMAC secret key. + /// \param keylen The length of the HMAC secret key in Bytes. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. + /// \param output The generic HMAC result. /// - /// \param grp The group to free. This may be \c NULL, in which - /// case this function returns immediately. If it is not - /// \c NULL, it must point to an initialized ECP group. - pub fn mbedtls_ecp_group_free(grp: *mut mbedtls_ecp_group); + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac( + md_info: *const mbedtls_md_info_t, + key: *const ::core::ffi::c_uchar, + keylen: usize, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief This function frees the components of a key pair. - /// - /// \param key The key pair to free. This may be \c NULL, in which - /// case this function returns immediately. If it is not - /// \c NULL, it must point to an initialized ECP key pair. - pub fn mbedtls_ecp_keypair_free(key: *mut mbedtls_ecp_keypair); +/// \brief Entropy poll callback pointer +/// +/// \param data Callback-specific data pointer +/// \param output Data to fill +/// \param len Maximum size to provide +/// \param olen The actual amount of bytes put into the buffer (Can be 0) +/// +/// \return 0 if no critical failures occurred, +/// MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise +pub type mbedtls_entropy_f_source_ptr = ::core::option::Option< + unsafe extern "C" fn( + data: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + ) -> ::core::ffi::c_int, +>; +/// \brief Entropy source state +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_entropy_source_state { + ///< The entropy source callback + pub private_f_source: mbedtls_entropy_f_source_ptr, + ///< The callback data pointer + pub private_p_source: *mut ::core::ffi::c_void, + ///< Amount received in bytes + pub private_size: usize, + ///< Minimum bytes required before release + pub private_threshold: usize, + ///< Is the source strong? + pub private_strong: ::core::ffi::c_int, } -unsafe extern "C" { - /// \brief This function copies the contents of point \p Q into - /// point \p P. - /// - /// \param P The destination point. This must be initialized. - /// \param Q The source point. This must be initialized. - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code for other kinds of failure. - pub fn mbedtls_ecp_copy( - P: *mut mbedtls_ecp_point, - Q: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_entropy_source_state { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +/// \brief Entropy context structure +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_entropy_context { + pub private_accumulator: mbedtls_md_context_t, + pub private_accumulator_started: ::core::ffi::c_int, + pub private_source_count: ::core::ffi::c_int, + pub private_source: [mbedtls_entropy_source_state; 20usize], +} +impl Default for mbedtls_entropy_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief This function copies the contents of group \p src into - /// group \p dst. - /// - /// \param dst The destination group. This must be initialized. - /// \param src The source group. This must be initialized. + /// \brief Initialize the context /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_group_copy( - dst: *mut mbedtls_ecp_group, - src: *const mbedtls_ecp_group, - ) -> ::core::ffi::c_int; + /// \param ctx Entropy context to initialize + pub fn mbedtls_entropy_init(ctx: *mut mbedtls_entropy_context); } unsafe extern "C" { - /// \brief This function sets a point to the point at infinity. - /// - /// \param pt The point to set. This must be initialized. + /// \brief Free the data in the context /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_set_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; + /// \param ctx Entropy context to free + pub fn mbedtls_entropy_free(ctx: *mut mbedtls_entropy_context); } unsafe extern "C" { - /// \brief This function checks if a point is the point at infinity. + /// \brief Adds an entropy source to poll + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param pt The point to test. This must be initialized. + /// \param ctx Entropy context + /// \param f_source Entropy function + /// \param p_source Function data + /// \param threshold Minimum required from source before entropy is released + /// ( with mbedtls_entropy_func() ) (in bytes) + /// \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or + /// MBEDTLS_ENTROPY_SOURCE_WEAK. + /// At least one strong source needs to be added. + /// Weaker sources (such as the cycle counter) can be used as + /// a complement. /// - /// \return \c 1 if the point is zero. - /// \return \c 0 if the point is non-zero. - /// \return A negative error code on failure. - pub fn mbedtls_ecp_is_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; + /// \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES + pub fn mbedtls_entropy_add_source( + ctx: *mut mbedtls_entropy_context, + f_source: mbedtls_entropy_f_source_ptr, + p_source: *mut ::core::ffi::c_void, + threshold: usize, + strong: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function compares two points. - /// - /// \note This assumes that the points are normalized. Otherwise, - /// they may compare as "not equal" even if they are. + /// \brief Trigger an extra gather poll for the accumulator + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param P The first point to compare. This must be initialized. - /// \param Q The second point to compare. This must be initialized. + /// \param ctx Entropy context /// - /// \return \c 0 if the points are equal. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal. - pub fn mbedtls_ecp_point_cmp( - P: *const mbedtls_ecp_point, - Q: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; + /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + pub fn mbedtls_entropy_gather(ctx: *mut mbedtls_entropy_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports a non-zero point from two ASCII - /// strings. + /// \brief Retrieve entropy from the accumulator + /// (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE) + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param P The destination point. This must be initialized. - /// \param radix The numeric base of the input. - /// \param x The first affine coordinate, as a null-terminated string. - /// \param y The second affine coordinate, as a null-terminated string. + /// \param data Entropy context + /// \param output Buffer to fill + /// \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_MPI_XXX error code on failure. - pub fn mbedtls_ecp_point_read_string( - P: *mut mbedtls_ecp_point, - radix: ::core::ffi::c_int, - x: *const ::core::ffi::c_char, - y: *const ::core::ffi::c_char, + /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + pub fn mbedtls_entropy_func( + data: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports a point into unsigned binary data. + /// \brief Add data to the accumulator manually + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param grp The group to which the point should belong. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param P The point to export. This must be initialized. - /// \param format The point format. This must be either - /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. - /// (For groups without these formats, this parameter is - /// ignored. But it still has to be either of the above - /// values.) - /// \param olen The address at which to store the length of - /// the output in Bytes. This must not be \c NULL. - /// \param buf The output buffer. This must be a writable buffer - /// of length \p buflen Bytes. - /// \param buflen The length of the output buffer \p buf in Bytes. + /// \param ctx Entropy context + /// \param data Data to add + /// \param len Length of data /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer - /// is too small to hold the point. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format - /// or the export for the given group is not implemented. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_point_write_binary( - grp: *const mbedtls_ecp_group, - P: *const mbedtls_ecp_point, - format: ::core::ffi::c_int, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - buflen: usize, + /// \return 0 if successful + pub fn mbedtls_entropy_update_manual( + ctx: *mut mbedtls_entropy_context, + data: *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports a point from unsigned binary data. + /// \brief Checkup routine /// - /// \note This function does not check that the point actually - /// belongs to the given group, see mbedtls_ecp_check_pubkey() - /// for that. + /// This module self-test also calls the entropy self-test, + /// mbedtls_entropy_source_self_test(); /// - /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for - /// limitations. + /// \return 0 if successful, or 1 if a test failed + pub fn mbedtls_entropy_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief The CTR_DRBG context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ctr_drbg_context { + ///< The counter (V). + pub private_counter: [::core::ffi::c_uchar; 16usize], + ///< The reseed counter. + /// This is the number of requests that have + /// been made since the last (re)seeding, + /// minus one. + /// Before the initial seeding, this field + /// contains the amount of entropy in bytes + /// to use as a nonce for the initial seeding, + /// or -1 if no nonce length has been explicitly + /// set (see mbedtls_ctr_drbg_set_nonce_len()). + pub private_reseed_counter: ::core::ffi::c_int, + ///< This determines whether prediction + ///resistance is enabled, that is + ///whether to systematically reseed before + ///each random generation. + pub private_prediction_resistance: ::core::ffi::c_int, + ///< The amount of entropy grabbed on each + ///seed or reseed operation, in bytes. + pub private_entropy_len: usize, + ///< The reseed interval. + /// This is the maximum number of requests + /// that can be made between reseedings. + pub private_reseed_interval: ::core::ffi::c_int, + ///< The AES context. + pub private_aes_ctx: mbedtls_aes_context, + pub private_f_entropy: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut ::core::ffi::c_void, + arg2: *mut ::core::ffi::c_uchar, + arg3: usize, + ) -> ::core::ffi::c_int, + >, + ///< The context for the entropy function. + pub private_p_entropy: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_ctr_drbg_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes the CTR_DRBG context, + /// and prepares it for mbedtls_ctr_drbg_seed() + /// or mbedtls_ctr_drbg_free(). /// - /// \param grp The group to which the point should belong. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param P The destination context to import the point to. - /// This must be initialized. - /// \param buf The input buffer. This must be a readable buffer - /// of length \p ilen Bytes. - /// \param ilen The length of the input buffer \p buf in Bytes. + /// \note The reseed interval is + /// #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default. + /// You can override it by calling + /// mbedtls_ctr_drbg_set_reseed_interval(). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the - /// given group is not implemented. - pub fn mbedtls_ecp_point_read_binary( - grp: *const mbedtls_ecp_group, - P: *mut mbedtls_ecp_point, - buf: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context to initialize. + pub fn mbedtls_ctr_drbg_init(ctx: *mut mbedtls_ctr_drbg_context); } unsafe extern "C" { - /// \brief This function imports a point from a TLS ECPoint record. + /// - The \p custom string. /// - /// \note On function return, \p *buf is updated to point immediately - /// after the ECPoint record. + /// \note To achieve the nominal security strength permitted + /// by CTR_DRBG, the entropy length must be: + /// - at least 16 bytes for a 128-bit strength + /// (maximum achievable strength when using AES-128); + /// - at least 32 bytes for a 256-bit strength + /// (maximum achievable strength when using AES-256). /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The destination point. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the buffer. + /// In addition, if you do not pass a nonce in \p custom, + /// the sum of the entropy length + /// and the entropy nonce length must be: + /// - at least 24 bytes for a 128-bit strength + /// (maximum achievable strength when using AES-128); + /// - at least 48 bytes for a 256-bit strength + /// (maximum achievable strength when using AES-256). /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization - /// failure. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - pub fn mbedtls_ecp_tls_read_point( - grp: *const mbedtls_ecp_group, - pt: *mut mbedtls_ecp_point, - buf: *mut *const ::core::ffi::c_uchar, + /// \param ctx The CTR_DRBG context to seed. + /// It must have been initialized with + /// mbedtls_ctr_drbg_init(). + /// After a successful call to mbedtls_ctr_drbg_seed(), + /// you may not call mbedtls_ctr_drbg_seed() again on + /// the same context unless you call + /// mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init() + /// again first. + /// After a failed call to mbedtls_ctr_drbg_seed(), + /// you must call mbedtls_ctr_drbg_free(). + /// \param f_entropy The entropy callback, taking as arguments the + /// \p p_entropy context, the buffer to fill, and the + /// length of the buffer. + /// \p f_entropy is always called with a buffer size + /// less than or equal to the entropy length. + /// \param p_entropy The entropy context to pass to \p f_entropy. + /// \param custom The personalization string. + /// This can be \c NULL, in which case the personalization + /// string is empty regardless of the value of \p len. + /// \param len The length of the personalization string. + /// This must be at most + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// - #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. + pub fn mbedtls_ctr_drbg_seed( + ctx: *mut mbedtls_ctr_drbg_context, + f_entropy: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut ::core::ffi::c_void, + arg2: *mut ::core::ffi::c_uchar, + arg3: usize, + ) -> ::core::ffi::c_int, + >, + p_entropy: *mut ::core::ffi::c_void, + custom: *const ::core::ffi::c_uchar, len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports a point as a TLS ECPoint record - /// defined in RFC 4492, Section 5.4. - /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The point to be exported. This must be initialized. - /// \param format The point format to use. This must be either - /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. - /// \param olen The address at which to store the length in Bytes - /// of the data written. - /// \param buf The target buffer. This must be a writable buffer of - /// length \p blen Bytes. - /// \param blen The length of the target buffer \p buf in Bytes. + /// \brief This function resets CTR_DRBG context to the state immediately + /// after initial call of mbedtls_ctr_drbg_init(). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer - /// is too small to hold the exported point. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_write_point( - grp: *const mbedtls_ecp_group, - pt: *const mbedtls_ecp_point, - format: ::core::ffi::c_int, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - blen: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context to clear. + pub fn mbedtls_ctr_drbg_free(ctx: *mut mbedtls_ctr_drbg_context); } unsafe extern "C" { - /// \brief This function sets up an ECP group context - /// from a standardized set of domain parameters. - /// - /// \note The index should be a value of the NamedCurve enum, - /// as defined in RFC-4492: Elliptic Curve Cryptography - /// (ECC) Cipher Suites for Transport Layer Security (TLS), - /// usually in the form of an \c MBEDTLS_ECP_DP_XXX macro. + /// \brief This function turns prediction resistance on or off. + /// The default value is off. /// - /// \param grp The group context to setup. This must be initialized. - /// \param id The identifier of the domain parameter set to load. + /// \note If enabled, entropy is gathered at the beginning of + /// every call to mbedtls_ctr_drbg_random_with_add() + /// or mbedtls_ctr_drbg_random(). + /// Only use this if your entropy source has sufficient + /// throughput. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't - /// correspond to a known group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_group_load( - grp: *mut mbedtls_ecp_group, - id: mbedtls_ecp_group_id, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context. + /// \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF. + pub fn mbedtls_ctr_drbg_set_prediction_resistance( + ctx: *mut mbedtls_ctr_drbg_context, + resistance: ::core::ffi::c_int, + ); } unsafe extern "C" { - /// \brief This function sets up an ECP group context from a TLS - /// ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the amount of entropy grabbed on each + /// seed or reseed. /// - /// \note The read pointer \p buf is updated to point right after - /// the ECParameters record on exit. + /// The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN. /// - /// \param grp The group context to setup. This must be initialized. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the input buffer \c *buf in Bytes. + /// \note The security strength of CTR_DRBG is bounded by the + /// entropy length. Thus: + /// - When using AES-256 + /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled, + /// which is the default), + /// \p len must be at least 32 (in bytes) + /// to achieve a 256-bit strength. + /// - When using AES-128 + /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) + /// \p len must be at least 16 (in bytes) + /// to achieve a 128-bit strength. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not - /// recognized. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_read_group( - grp: *mut mbedtls_ecp_group, - buf: *mut *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context. + /// \param len The amount of entropy to grab, in bytes. + /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// and at most the maximum length accepted by the + /// entropy function that is set in the context. + pub fn mbedtls_ctr_drbg_set_entropy_len(ctx: *mut mbedtls_ctr_drbg_context, len: usize); } unsafe extern "C" { - /// \brief This function extracts an elliptic curve group ID from a - /// TLS ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the amount of entropy grabbed + /// as a nonce for the initial seeding. /// - /// \note The read pointer \p buf is updated to point right after - /// the ECParameters record on exit. + /// Call this function before calling mbedtls_ctr_drbg_seed() to read + /// a nonce from the entropy source during the initial seeding. /// - /// \param grp The address at which to store the group id. - /// This must not be \c NULL. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the input buffer \c *buf in Bytes. + /// \param ctx The CTR_DRBG context. + /// \param len The amount of entropy to grab for the nonce, in bytes. + /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// and at most the maximum length accepted by the + /// entropy function that is set in the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not - /// recognized. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_read_group_id( - grp: *mut mbedtls_ecp_group_id, - buf: *mut *const ::core::ffi::c_uchar, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is + /// more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED + /// if the initial seeding has already taken place. + pub fn mbedtls_ctr_drbg_set_nonce_len( + ctx: *mut mbedtls_ctr_drbg_context, len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports an elliptic curve as a TLS - /// ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the reseed interval. /// - /// \param grp The ECP group to be exported. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param olen The address at which to store the number of Bytes written. - /// This must not be \c NULL. - /// \param buf The buffer to write to. This must be a writable buffer - /// of length \p blen Bytes. - /// \param blen The length of the output buffer \p buf in Bytes. + /// The reseed interval is the number of calls to mbedtls_ctr_drbg_random() + /// or mbedtls_ctr_drbg_random_with_add() after which the entropy function + /// is called again. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output - /// buffer is too small to hold the exported group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_write_group( - grp: *const mbedtls_ecp_group, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - blen: usize, - ) -> ::core::ffi::c_int; + /// The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL. + /// + /// \param ctx The CTR_DRBG context. + /// \param interval The reseed interval. + pub fn mbedtls_ctr_drbg_set_reseed_interval( + ctx: *mut mbedtls_ctr_drbg_context, + interval: ::core::ffi::c_int, + ); } unsafe extern "C" { - /// \brief This function performs a scalar multiplication of a point - /// by an integer: \p R = \p m * \p P. - /// - /// It is not thread-safe to use same group in multiple threads. + /// \brief This function reseeds the CTR_DRBG context, that is + /// extracts data from the entropy source. /// - /// \note To prevent timing attacks, this function - /// executes the exact same sequence of base-field - /// operations for any valid \p m. It avoids any if-branch or - /// array index depending on the value of \p m. It also uses - /// \p f_rng to randomize some intermediate results. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply. This must be initialized. - /// \param P The point to multiply. This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. + /// \param ctx The CTR_DRBG context. + /// \param additional Additional data to add to the state. Can be \c NULL. + /// \param len The length of the additional data. + /// This must be less than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length + /// configured for the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private - /// key, or \p P is not a valid public key. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_mul( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. + pub fn mbedtls_ctr_drbg_reseed( + ctx: *mut mbedtls_ctr_drbg_context, + additional: *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication of a point by - /// an integer: \p R = \p m * \p P in a restartable way. - /// - /// \see mbedtls_ecp_mul() + /// \brief This function updates the state of the CTR_DRBG context. /// - /// \note This function does the same as \c mbedtls_ecp_mul(), but - /// it can return early and restart according to the limit set - /// with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply. This must be initialized. - /// \param P The point to multiply. This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. - /// \param rs_ctx The restart context (NULL disables restart). + /// \param ctx The CTR_DRBG context. + /// \param additional The data to update the state with. This must not be + /// \c NULL unless \p add_len is \c 0. + /// \param add_len Length of \p additional in bytes. This must be at + /// most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private - /// key, or \p P is not a valid public key. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_mul_restartable( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecp_restart_ctx, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if + /// \p add_len is more than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \return An error from the underlying AES cipher on failure. + pub fn mbedtls_ctr_drbg_update( + ctx: *mut mbedtls_ctr_drbg_context, + additional: *const ::core::ffi::c_uchar, + add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication and addition of two - /// points by integers: \p R = \p m * \p P + \p n * \p Q - /// - /// It is not thread-safe to use same group in multiple threads. + /// \brief This function updates a CTR_DRBG instance with additional + /// data and uses it to generate random data. /// - /// \note In contrast to mbedtls_ecp_mul(), this function does not - /// guarantee a constant execution flow and timing. + /// This function automatically reseeds if the reseed counter is exceeded + /// or prediction resistance is enabled. /// - /// \note This function is only defined for short Weierstrass curves. - /// It may not be included in builds without any short - /// Weierstrass curve. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply \p P. - /// This must be initialized. - /// \param P The point to multiply by \p m. This must be initialized. - /// \param n The integer by which to multiply \p Q. - /// This must be initialized. - /// \param Q The point to be multiplied by \p n. - /// This must be initialized. + /// \param p_rng The CTR_DRBG context. This must be a pointer to a + /// #mbedtls_ctr_drbg_context structure. + /// \param output The buffer to fill. + /// \param output_len The length of the buffer in bytes. + /// \param additional Additional data to update. Can be \c NULL, in which + /// case the additional data is empty regardless of + /// the value of \p add_len. + /// \param add_len The length of the additional data + /// if \p additional is not \c NULL. + /// This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT + /// and less than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length + /// configured for the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not - /// valid private keys, or \p P or \p Q are not valid public - /// keys. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not - /// designate a short Weierstrass curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_muladd( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - n: *const mbedtls_mpi, - Q: *const mbedtls_ecp_point, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. + pub fn mbedtls_ctr_drbg_random_with_add( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_len: usize, + additional: *const ::core::ffi::c_uchar, + add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication and addition of two - /// points by integers: \p R = \p m * \p P + \p n * \p Q in a - /// restartable way. + /// \param p_rng The CTR_DRBG context. This must be a pointer to a + /// #mbedtls_ctr_drbg_context structure. + /// \param output The buffer to fill. + /// \param output_len The length of the buffer in bytes. /// - /// \see \c mbedtls_ecp_muladd() + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. + pub fn mbedtls_ctr_drbg_random( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_len: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The CTR_DRBG checkup routine. /// - /// \note This function works the same as \c mbedtls_ecp_muladd(), - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. - /// - /// \note This function is only defined for short Weierstrass curves. - /// It may not be included in builds without any short - /// Weierstrass curve. - /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply \p P. - /// This must be initialized. - /// \param P The point to multiply by \p m. This must be initialized. - /// \param n The integer by which to multiply \p Q. - /// This must be initialized. - /// \param Q The point to be multiplied by \p n. - /// This must be initialized. - /// \param rs_ctx The restart context (NULL disables restart). - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not - /// valid private keys, or \p P or \p Q are not valid public - /// keys. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not - /// designate a short Weierstrass curve. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_muladd_restartable( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - n: *const mbedtls_mpi, - Q: *const mbedtls_ecp_point, - rs_ctx: *mut mbedtls_ecp_restart_ctx, - ) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_ctr_drbg_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief This function checks that a point is a valid public key - /// on this curve. - /// - /// It only checks that the point is non-zero, has - /// valid coordinates and lies on the curve. It does not verify - /// that it is indeed a multiple of \p G. This additional - /// check is computationally more expensive, is not required - /// by standards, and should not be necessary if the group - /// used has a small cofactor. In particular, it is useless for - /// the NIST groups which all have a cofactor of 1. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure, to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group the point should belong to. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The point to check. This must be initialized. - /// - /// \return \c 0 if the point is a valid public key. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not - /// a valid public key for the given curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_check_pubkey( - grp: *const mbedtls_ecp_group, - pt: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; +///< Curve not defined. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_NONE: mbedtls_ecp_group_id = 0; +///< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192R1: mbedtls_ecp_group_id = 1; +///< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224R1: mbedtls_ecp_group_id = 2; +///< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256R1: mbedtls_ecp_group_id = 3; +///< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP384R1: mbedtls_ecp_group_id = 4; +///< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP521R1: mbedtls_ecp_group_id = 5; +///< Domain parameters for 256-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP256R1: mbedtls_ecp_group_id = 6; +///< Domain parameters for 384-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP384R1: mbedtls_ecp_group_id = 7; +///< Domain parameters for 512-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP512R1: mbedtls_ecp_group_id = 8; +///< Domain parameters for Curve25519. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE25519: mbedtls_ecp_group_id = 9; +///< Domain parameters for 192-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192K1: mbedtls_ecp_group_id = 10; +///< Domain parameters for 224-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224K1: mbedtls_ecp_group_id = 11; +///< Domain parameters for 256-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256K1: mbedtls_ecp_group_id = 12; +///< Domain parameters for Curve448. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE448: mbedtls_ecp_group_id = 13; +/// Domain-parameter identifiers: curve, subgroup, and generator. +/// +/// \note Only curves over prime fields are supported. +/// +/// \warning This library does not support validation of arbitrary domain +/// parameters. Therefore, only standardized domain parameters from trusted +/// sources should be used. See mbedtls_ecp_group_load(). +pub type mbedtls_ecp_group_id = ::core::ffi::c_uint; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_NONE: mbedtls_ecp_curve_type = 0; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: mbedtls_ecp_curve_type = 1; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_MONTGOMERY: mbedtls_ecp_curve_type = 2; +pub type mbedtls_ecp_curve_type = ::core::ffi::c_uint; +/// Curve information, for use by other modules. +/// +/// The fields of this structure are part of the public API and can be +/// accessed directly by applications. Future versions of the library may +/// add extra fields or reorder existing fields. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_curve_info { + ///< An internal identifier. + pub grp_id: mbedtls_ecp_group_id, + ///< The TLS NamedCurve identifier. + pub tls_id: u16, + ///< The curve size in bits. + pub bit_size: u16, + ///< A human-friendly name. + pub name: *const ::core::ffi::c_char, } -unsafe extern "C" { - /// \brief This function checks that an \p mbedtls_mpi is a - /// valid private key for this curve. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group the private key should belong to. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The integer to check. This must be initialized. - /// - /// \return \c 0 if the point is a valid private key. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid - /// private key for the given curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_check_privkey( - grp: *const mbedtls_ecp_group, - d: *const mbedtls_mpi, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_ecp_curve_info { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief This function generates a private key. - /// - /// \param grp The ECP group to generate a private key for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The destination MPI (secret part). This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context argument. - /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_privkey( - grp: *const mbedtls_ecp_group, - d: *mut mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; +/// \brief The ECP point structure, in Jacobian coordinates. +/// +/// \note All functions expect and return points satisfying +/// the following condition: Z == 0 or +/// Z == 1. Other values of \p Z are +/// used only by internal functions. +/// The point is zero, or "at infinity", if Z == 0. +/// Otherwise, \p X and \p Y are its standard (affine) +/// coordinates. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_point { + ///< The X coordinate of the ECP point. + pub private_X: mbedtls_mpi, + ///< The Y coordinate of the ECP point. + pub private_Y: mbedtls_mpi, + ///< The Z coordinate of the ECP point. + pub private_Z: mbedtls_mpi, } -unsafe extern "C" { - /// \brief This function generates a keypair with a configurable base - /// point. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group to generate a key pair for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param G The base point to use. This must be initialized - /// and belong to \p grp. It replaces the default base - /// point \c grp->G used by mbedtls_ecp_gen_keypair(). - /// \param d The destination MPI (secret part). - /// This must be initialized. - /// \param Q The destination point (public part). - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_keypair_base( - grp: *mut mbedtls_ecp_group, - G: *const mbedtls_ecp_point, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_ecp_point { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief This function generates an ECP keypair. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group to generate a key pair for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The destination MPI (secret part). - /// This must be initialized. - /// \param Q The destination point (public part). - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. +/// \brief The ECP group structure. +/// +/// We consider two types of curve equations: +///
  • Short Weierstrass: y^2 = x^3 + A x + B mod P +/// (SEC1 + RFC-4492)
    • +///
  • Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, +/// Curve448)
+/// In both cases, the generator (\p G) for a prime-order subgroup is fixed. +/// +/// For Short Weierstrass, this subgroup is the whole curve, and its +/// cardinality is denoted by \p N. Our code requires that \p N is an +/// odd prime as mbedtls_ecp_mul() requires an odd number, and +/// mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. +/// +/// The default implementation only initializes \p A without setting it to the +/// authentic value for curves with A = -3(SECP256R1, etc), in which +/// case you need to load \p A by yourself when using domain parameters directly, +/// for example: +/// \code +/// mbedtls_mpi_init(&A); +/// mbedtls_ecp_group_init(&grp); +/// CHECK_RETURN(mbedtls_ecp_group_load(&grp, grp_id)); +/// if (mbedtls_ecp_group_a_is_minus_3(&grp)) { +/// CHECK_RETURN(mbedtls_mpi_sub_int(&A, &grp.P, 3)); +/// } else { +/// CHECK_RETURN(mbedtls_mpi_copy(&A, &grp.A)); +/// } +/// +/// do_something_with_a(&A); +/// +/// cleanup: +/// mbedtls_mpi_free(&A); +/// mbedtls_ecp_group_free(&grp); +/// \endcode +/// +/// For Montgomery curves, we do not store \p A, but (A + 2) / 4, +/// which is the quantity used in the formulas. Additionally, \p nbits is +/// not the size of \p N but the required size for private keys. +/// +/// If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. +/// Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the +/// range of 0..2^(2*pbits)-1, and transforms it in-place to an integer +/// which is congruent mod \p P to the given MPI, and is close enough to \p pbits +/// in size, so that it may be efficiently brought in the 0..P-1 range by a few +/// additions or subtractions. Therefore, it is only an approximate modular +/// reduction. It must return 0 on success and non-zero on failure. +/// +/// \note Alternative implementations of the ECP module must obey the +/// following constraints. +/// * Group IDs must be distinct: if two group structures have +/// the same ID, then they must be identical. +/// * The fields \c id, \c P, \c A, \c B, \c G, \c N, +/// \c pbits and \c nbits must have the same type and semantics +/// as in the built-in implementation. +/// They must be available for reading, but direct modification +/// of these fields does not need to be supported. +/// They do not need to be at the same offset in the structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_group { + ///< An internal group identifier. + pub id: mbedtls_ecp_group_id, + ///< The prime modulus of the base field. + pub P: mbedtls_mpi, + ///< For Short Weierstrass: \p A in the equation. Note that + ///\p A is not set to the authentic value in some cases. + ///Refer to detailed description of ::mbedtls_ecp_group if + ///using domain parameters in the structure. + ///For Montgomery curves: (A + 2) / 4. + pub A: mbedtls_mpi, + ///< For Short Weierstrass: \p B in the equation. + ///For Montgomery curves: unused. + pub B: mbedtls_mpi, + ///< The generator of the subgroup used. + pub G: mbedtls_ecp_point, + ///< The order of \p G. + pub N: mbedtls_mpi, + ///< The number of bits in \p P. + pub pbits: usize, + ///< For Short Weierstrass: The number of bits in \p P. + ///For Montgomery curves: the number of bits in the + ///private keys. + pub nbits: usize, + ///< \internal 1 if the constants are static. + pub private_h: ::core::ffi::c_uint, + ///< The function for fast pseudo-reduction + ///mod \p P (see above). + pub private_modp: + ::core::option::Option ::core::ffi::c_int>, + ///< Unused. + pub private_t_pre: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut mbedtls_ecp_point, + arg2: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int, + >, + ///< Unused. + pub private_t_post: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut mbedtls_ecp_point, + arg2: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int, + >, + ///< Unused. + pub private_t_data: *mut ::core::ffi::c_void, + ///< Pre-computed points for ecp_mul_comb(). + pub private_T: *mut mbedtls_ecp_point, + ///< The number of dynamic allocated pre-computed points. + pub private_T_size: usize, +} +impl Default for mbedtls_ecp_group { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub type mbedtls_ecp_restart_ctx = ::core::ffi::c_void; +/// \brief The ECP key-pair structure. +/// +/// A generic key-pair that may be used for ECDSA and fixed ECDH, for example. +/// +/// \note Members are deliberately in the same order as in the +/// ::mbedtls_ecdsa_context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_keypair { + ///< Elliptic curve and base point + pub private_grp: mbedtls_ecp_group, + ///< our secret value + pub private_d: mbedtls_mpi, + ///< our public value + pub private_Q: mbedtls_ecp_point, +} +impl Default for mbedtls_ecp_keypair { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + pub fn mbedtls_ecp_get_type(grp: *const mbedtls_ecp_group) -> mbedtls_ecp_curve_type; +} +unsafe extern "C" { + /// \brief This function retrieves the information defined in + /// mbedtls_ecp_curve_info() for all supported curves. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_keypair( - grp: *mut mbedtls_ecp_group, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \note This function returns information about all curves + /// supported by the library. Some curves may not be + /// supported for all algorithms. Call mbedtls_ecdh_can_do() + /// or mbedtls_ecdsa_can_do() to check if a curve is + /// supported for ECDH or ECDSA. + /// + /// \return A statically allocated array. The last entry is 0. + pub fn mbedtls_ecp_curve_list() -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function generates an ECP key. + /// \brief This function retrieves the list of internal group + /// identifiers of all supported curves in the order of + /// preference. /// - /// \param grp_id The ECP group identifier. - /// \param key The destination key. This must be initialized. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. + /// \note This function returns information about all curves + /// supported by the library. Some curves may not be + /// supported for all algorithms. Call mbedtls_ecdh_can_do() + /// or mbedtls_ecdsa_can_do() to check if a curve is + /// supported for ECDH or ECDSA. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_key( - grp_id: mbedtls_ecp_group_id, - key: *mut mbedtls_ecp_keypair, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \return A statically allocated array, + /// terminated with MBEDTLS_ECP_DP_NONE. + pub fn mbedtls_ecp_grp_id_list() -> *const mbedtls_ecp_group_id; } unsafe extern "C" { - /// \brief This function reads an elliptic curve private key. + /// \brief This function retrieves curve information from an internal + /// group identifier. /// - /// \param grp_id The ECP group identifier. - /// \param key The destination key. - /// \param buf The buffer containing the binary representation of the - /// key. (Big endian integer for Weierstrass curves, byte - /// string for Montgomery curves.) - /// \param buflen The length of the buffer in bytes. + /// \param grp_id An \c MBEDTLS_ECP_DP_XXX value. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is - /// invalid. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for - /// the group is not implemented. - /// \return Another negative error code on different kinds of failure. - pub fn mbedtls_ecp_read_key( + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_grp_id( grp_id: mbedtls_ecp_group_id, - key: *mut mbedtls_ecp_keypair, - buf: *const ::core::ffi::c_uchar, - buflen: usize, - ) -> ::core::ffi::c_int; + ) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function exports an elliptic curve private key. + /// \brief This function retrieves curve information from a TLS + /// NamedCurve value. /// - /// \param key The private key. - /// \param buf The output buffer for containing the binary representation - /// of the key. (Big endian integer for Weierstrass curves, byte - /// string for Montgomery curves.) - /// \param buflen The total length of the buffer in bytes. + /// \param tls_id An \c MBEDTLS_ECP_DP_XXX value. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key - ///representation is larger than the available space in \p buf. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for - /// the group is not implemented. - /// \return Another negative error code on different kinds of failure. - pub fn mbedtls_ecp_write_key( - key: *mut mbedtls_ecp_keypair, - buf: *mut ::core::ffi::c_uchar, - buflen: usize, - ) -> ::core::ffi::c_int; + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_tls_id(tls_id: u16) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function checks that the keypair objects - /// \p pub and \p prv have the same group and the - /// same public point, and that the private key in - /// \p prv is consistent with the public key. + /// \brief This function retrieves curve information from a + /// human-readable name. /// - /// \param pub The keypair structure holding the public key. This - /// must be initialized. If it contains a private key, that - /// part is ignored. - /// \param prv The keypair structure holding the full keypair. - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. + /// \param name The human-readable name. /// - /// \return \c 0 on success, meaning that the keys are valid and match. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match. - /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX - /// error code on calculation failure. - pub fn mbedtls_ecp_check_pub_priv( - pub_: *const mbedtls_ecp_keypair, - prv: *const mbedtls_ecp_keypair, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_name( + name: *const ::core::ffi::c_char, + ) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function exports generic key-pair parameters. - /// - /// \param key The key pair to export from. - /// \param grp Slot for exported ECP group. - /// It must point to an initialized ECP group. - /// \param d Slot for the exported secret value. - /// It must point to an initialized mpi. - /// \param Q Slot for the exported public value. - /// It must point to an initialized ECP point. + /// \brief This function initializes a point as zero. /// - /// \return \c 0 on success, - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't - /// correspond to a known group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_export( - key: *const mbedtls_ecp_keypair, - grp: *mut mbedtls_ecp_group, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - ) -> ::core::ffi::c_int; + /// \param pt The point to initialize. + pub fn mbedtls_ecp_point_init(pt: *mut mbedtls_ecp_point); } unsafe extern "C" { - /// \brief The ECP checkup routine. + /// \brief This function initializes an ECP group context + /// without loading any domain parameters. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_ecp_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -///< None. -pub const mbedtls_md_type_t_MBEDTLS_MD_NONE: mbedtls_md_type_t = 0; -///< The MD5 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_MD5: mbedtls_md_type_t = 1; -///< The SHA-1 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA1: mbedtls_md_type_t = 2; -///< The SHA-224 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA224: mbedtls_md_type_t = 3; -///< The SHA-256 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA256: mbedtls_md_type_t = 4; -///< The SHA-384 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA384: mbedtls_md_type_t = 5; -///< The SHA-512 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA512: mbedtls_md_type_t = 6; -///< The RIPEMD-160 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_RIPEMD160: mbedtls_md_type_t = 7; -/// \brief Supported message digests. -/// -/// \warning MD5 and SHA-1 are considered weak message digests and -/// their use constitutes a security risk. We recommend considering -/// stronger message digests instead. -pub type mbedtls_md_type_t = ::core::ffi::c_uint; -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md_info_t { - _unused: [u8; 0], -} -pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_LEGACY: mbedtls_md_engine_t = 0; -pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_PSA: mbedtls_md_engine_t = 1; -/// Used internally to indicate whether a context uses legacy or PSA. -/// -/// Internal use only. -pub type mbedtls_md_engine_t = ::core::ffi::c_uint; -/// The generic message-digest context. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md_context_t { - /// Information about the associated message digest. - pub private_md_info: *const mbedtls_md_info_t, - /// The digest-specific context (legacy) or the PSA operation. - pub private_md_ctx: *mut ::core::ffi::c_void, - /// The HMAC part of the context. - pub private_hmac_ctx: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_md_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \note After this function is called, domain parameters + /// for various ECP groups can be loaded through the + /// mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() + /// functions. + pub fn mbedtls_ecp_group_init(grp: *mut mbedtls_ecp_group); } unsafe extern "C" { - /// \brief This function returns the message-digest information - /// associated with the given digest type. - /// - /// \param md_type The type of digest to search for. + /// \brief This function initializes a key pair as an invalid one. /// - /// \return The message-digest information associated with \p md_type. - /// \return NULL if the associated message-digest information is not found. - pub fn mbedtls_md_info_from_type(md_type: mbedtls_md_type_t) -> *const mbedtls_md_info_t; + /// \param key The key pair to initialize. + pub fn mbedtls_ecp_keypair_init(key: *mut mbedtls_ecp_keypair); } unsafe extern "C" { - /// \brief This function initializes a message-digest context without - /// binding it to a particular message-digest algorithm. + /// \brief This function frees the components of a point. /// - /// This function should always be called first. It prepares the - /// context for mbedtls_md_setup() for binding it to a - /// message-digest algorithm. - pub fn mbedtls_md_init(ctx: *mut mbedtls_md_context_t); + /// \param pt The point to free. + pub fn mbedtls_ecp_point_free(pt: *mut mbedtls_ecp_point); } unsafe extern "C" { - /// \brief This function clears the internal structure of \p ctx and - /// frees any embedded internal structure, but does not free - /// \p ctx itself. + /// \brief This function frees the components of an ECP group. /// - /// If you have called mbedtls_md_setup() on \p ctx, you must - /// call mbedtls_md_free() when you are no longer using the - /// context. - /// Calling this function if you have previously - /// called mbedtls_md_init() and nothing else is optional. - /// You must not call this function if you have not called - /// mbedtls_md_init(). - pub fn mbedtls_md_free(ctx: *mut mbedtls_md_context_t); + /// \param grp The group to free. This may be \c NULL, in which + /// case this function returns immediately. If it is not + /// \c NULL, it must point to an initialized ECP group. + pub fn mbedtls_ecp_group_free(grp: *mut mbedtls_ecp_group); } unsafe extern "C" { - /// \brief This function selects the message digest algorithm to use, - /// and allocates internal structures. + /// \brief This function frees the components of a key pair. /// - /// It should be called after mbedtls_md_init() or - /// mbedtls_md_free(). Makes it necessary to call - /// mbedtls_md_free() later. + /// \param key The key pair to free. This may be \c NULL, in which + /// case this function returns immediately. If it is not + /// \c NULL, it must point to an initialized ECP key pair. + pub fn mbedtls_ecp_keypair_free(key: *mut mbedtls_ecp_keypair); +} +unsafe extern "C" { + /// \brief This function copies the contents of point \p Q into + /// point \p P. /// - /// \param ctx The context to set up. - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory), - /// or non-zero: HMAC is used with this context. + /// \param P The destination point. This must be initialized. + /// \param Q The source point. This must be initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - /// \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure. - pub fn mbedtls_md_setup( - ctx: *mut mbedtls_md_context_t, - md_info: *const mbedtls_md_info_t, - hmac: ::core::ffi::c_int, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code for other kinds of failure. + pub fn mbedtls_ecp_copy( + P: *mut mbedtls_ecp_point, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function clones the state of a message-digest - /// context. - /// - /// \note You must call mbedtls_md_setup() on \c dst before calling - /// this function. - /// - /// \note The two contexts must have the same type, - /// for example, both are SHA-256. - /// - /// \warning This function clones the message-digest state, not the - /// HMAC state. + /// \brief This function copies the contents of group \p src into + /// group \p dst. /// - /// \param dst The destination context. - /// \param src The context to be cloned. + /// \param dst The destination group. This must be initialized. + /// \param src The source group. This must be initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure. - /// \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are - /// not using the same engine. This can be avoided by moving - /// the call to psa_crypto_init() before the first call to - /// mbedtls_md_setup(). - pub fn mbedtls_md_clone( - dst: *mut mbedtls_md_context_t, - src: *const mbedtls_md_context_t, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_group_copy( + dst: *mut mbedtls_ecp_group, + src: *const mbedtls_ecp_group, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest size from the - /// message-digest information structure. + /// \brief This function sets a point to the point at infinity. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param pt The point to set. This must be initialized. /// - /// \return The size of the message-digest output in Bytes. - pub fn mbedtls_md_get_size(md_info: *const mbedtls_md_info_t) -> ::core::ffi::c_uchar; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_set_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest type from the - /// message-digest information structure. + /// \brief This function checks if a point is the point at infinity. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param pt The point to test. This must be initialized. /// - /// \return The type of the message digest. - pub fn mbedtls_md_get_type(md_info: *const mbedtls_md_info_t) -> mbedtls_md_type_t; + /// \return \c 1 if the point is zero. + /// \return \c 0 if the point is non-zero. + /// \return A negative error code on failure. + pub fn mbedtls_ecp_is_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function starts a message-digest computation. + /// \brief This function compares two points. /// - /// You must call this function after setting up the context - /// with mbedtls_md_setup(), and before passing data with - /// mbedtls_md_update(). + /// \note This assumes that the points are normalized. Otherwise, + /// they may compare as "not equal" even if they are. /// - /// \param ctx The generic message-digest context. + /// \param P The first point to compare. This must be initialized. + /// \param Q The second point to compare. This must be initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_starts(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; + /// \return \c 0 if the points are equal. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal. + pub fn mbedtls_ecp_point_cmp( + P: *const mbedtls_ecp_point, + Q: *const mbedtls_ecp_point, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// message-digest computation. - /// - /// You must call mbedtls_md_starts() before calling this - /// function. You may call this function multiple times. - /// Afterwards, call mbedtls_md_finish(). + /// \brief This function imports a non-zero point from two ASCII + /// strings. /// - /// \param ctx The generic message-digest context. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. + /// \param P The destination point. This must be initialized. + /// \param radix The numeric base of the input. + /// \param x The first affine coordinate, as a null-terminated string. + /// \param y The second affine coordinate, as a null-terminated string. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_update( - ctx: *mut mbedtls_md_context_t, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \return An \c MBEDTLS_ERR_MPI_XXX error code on failure. + pub fn mbedtls_ecp_point_read_string( + P: *mut mbedtls_ecp_point, + radix: ::core::ffi::c_int, + x: *const ::core::ffi::c_char, + y: *const ::core::ffi::c_char, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function finishes the digest operation, - /// and writes the result to the output buffer. - /// - /// Call this function after a call to mbedtls_md_starts(), - /// followed by any number of calls to mbedtls_md_update(). - /// Afterwards, you may either clear the context with - /// mbedtls_md_free(), or call mbedtls_md_starts() to reuse - /// the context for another digest operation with the same - /// algorithm. + /// \brief This function exports a point into unsigned binary data. /// - /// \param ctx The generic message-digest context. - /// \param output The buffer for the generic message-digest checksum result. + /// \param grp The group to which the point should belong. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param P The point to export. This must be initialized. + /// \param format The point format. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// (For groups without these formats, this parameter is + /// ignored. But it still has to be either of the above + /// values.) + /// \param olen The address at which to store the length of + /// the output in Bytes. This must not be \c NULL. + /// \param buf The output buffer. This must be a writable buffer + /// of length \p buflen Bytes. + /// \param buflen The length of the output buffer \p buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_finish( - ctx: *mut mbedtls_md_context_t, - output: *mut ::core::ffi::c_uchar, + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer + /// is too small to hold the point. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format + /// or the export for the given group is not implemented. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_point_write_binary( + grp: *const mbedtls_ecp_group, + P: *const mbedtls_ecp_point, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function calculates the message-digest of a buffer, - /// with respect to a configurable message-digest algorithm - /// in a single call. + /// \brief This function imports a point from unsigned binary data. /// - /// The result is calculated as - /// Output = message_digest(input buffer). + /// \note This function does not check that the point actually + /// belongs to the given group, see mbedtls_ecp_check_pubkey() + /// for that. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param input The buffer holding the data. - /// \param ilen The length of the input data. - /// \param output The generic message-digest checksum result. + /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for + /// limitations. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md( - md_info: *const mbedtls_md_info_t, - input: *const ::core::ffi::c_uchar, + /// \param grp The group to which the point should belong. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param P The destination context to import the point to. + /// This must be initialized. + /// \param buf The input buffer. This must be a readable buffer + /// of length \p ilen Bytes. + /// \param ilen The length of the input buffer \p buf in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the + /// given group is not implemented. + pub fn mbedtls_ecp_point_read_binary( + grp: *const mbedtls_ecp_group, + P: *mut mbedtls_ecp_point, + buf: *const ::core::ffi::c_uchar, ilen: usize, - output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function returns the list of digests supported by the - /// generic digest module. - /// - /// \note The list starts with the strongest available hashes. + /// \brief This function imports a point from a TLS ECPoint record. /// - /// \return A statically allocated array of digests. Each element - /// in the returned list is an integer belonging to the - /// message-digest enumeration #mbedtls_md_type_t. - /// The last entry is 0. - pub fn mbedtls_md_list() -> *const ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function returns the message-digest information - /// associated with the given digest name. + /// \note On function return, \p *buf is updated to point immediately + /// after the ECPoint record. /// - /// \param md_name The name of the digest to search for. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The destination point. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the buffer. /// - /// \return The message-digest information associated with \p md_name. - /// \return NULL if the associated message-digest information is not found. - pub fn mbedtls_md_info_from_string( - md_name: *const ::core::ffi::c_char, - ) -> *const mbedtls_md_info_t; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization + /// failure. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + pub fn mbedtls_ecp_tls_read_point( + grp: *const mbedtls_ecp_group, + pt: *mut mbedtls_ecp_point, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest name from the - /// message-digest information structure. + /// \brief This function exports a point as a TLS ECPoint record + /// defined in RFC 4492, Section 5.4. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The point to be exported. This must be initialized. + /// \param format The point format to use. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// \param olen The address at which to store the length in Bytes + /// of the data written. + /// \param buf The target buffer. This must be a writable buffer of + /// length \p blen Bytes. + /// \param blen The length of the target buffer \p buf in Bytes. /// - /// \return The name of the message digest. - pub fn mbedtls_md_get_name(md_info: *const mbedtls_md_info_t) -> *const ::core::ffi::c_char; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer + /// is too small to hold the exported point. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_write_point( + grp: *const mbedtls_ecp_group, + pt: *const mbedtls_ecp_point, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + blen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function returns the message-digest information - /// from the given context. + /// \brief This function sets up an ECP group context + /// from a standardized set of domain parameters. /// - /// \param ctx The context from which to extract the information. - /// This must be initialized (or \c NULL). + /// \note The index should be a value of the NamedCurve enum, + /// as defined in RFC-4492: Elliptic Curve Cryptography + /// (ECC) Cipher Suites for Transport Layer Security (TLS), + /// usually in the form of an \c MBEDTLS_ECP_DP_XXX macro. /// - /// \return The message-digest information associated with \p ctx. - /// \return \c NULL if \p ctx is \c NULL. - pub fn mbedtls_md_info_from_ctx(ctx: *const mbedtls_md_context_t) -> *const mbedtls_md_info_t; + /// \param grp The group context to setup. This must be initialized. + /// \param id The identifier of the domain parameter set to load. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't + /// correspond to a known group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_group_load( + grp: *mut mbedtls_ecp_group, + id: mbedtls_ecp_group_id, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the HMAC key and prepares to - /// authenticate a new message. + /// \brief This function sets up an ECP group context from a TLS + /// ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call this function after mbedtls_md_setup(), to use - /// the MD context for an HMAC calculation, then call - /// mbedtls_md_hmac_update() to provide the input data, and - /// mbedtls_md_hmac_finish() to get the HMAC value. + /// \note The read pointer \p buf is updated to point right after + /// the ECParameters record on exit. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param key The HMAC secret key. - /// \param keylen The length of the HMAC key in Bytes. + /// \param grp The group context to setup. This must be initialized. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the input buffer \c *buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_starts( - ctx: *mut mbedtls_md_context_t, - key: *const ::core::ffi::c_uchar, - keylen: usize, + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not + /// recognized. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_read_group( + grp: *mut mbedtls_ecp_group, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing HMAC - /// computation. + /// \brief This function extracts an elliptic curve group ID from a + /// TLS ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() - /// before calling this function. - /// You may call this function multiple times to pass the - /// input piecewise. - /// Afterwards, call mbedtls_md_hmac_finish(). + /// \note The read pointer \p buf is updated to point right after + /// the ECParameters record on exit. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. + /// \param grp The address at which to store the group id. + /// This must not be \c NULL. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the input buffer \c *buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_update( - ctx: *mut mbedtls_md_context_t, - input: *const ::core::ffi::c_uchar, - ilen: usize, + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not + /// recognized. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_read_group_id( + grp: *mut mbedtls_ecp_group_id, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function finishes the HMAC operation, and writes - /// the result to the output buffer. + /// \brief This function exports an elliptic curve as a TLS + /// ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call this function after mbedtls_md_hmac_starts() and - /// mbedtls_md_hmac_update() to get the HMAC value. Afterwards - /// you may either call mbedtls_md_free() to clear the context, - /// or call mbedtls_md_hmac_reset() to reuse the context with - /// the same HMAC key. - /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param output The generic HMAC checksum result. + /// \param grp The ECP group to be exported. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param olen The address at which to store the number of Bytes written. + /// This must not be \c NULL. + /// \param buf The buffer to write to. This must be a writable buffer + /// of length \p blen Bytes. + /// \param blen The length of the output buffer \p buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_finish( - ctx: *mut mbedtls_md_context_t, - output: *mut ::core::ffi::c_uchar, + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output + /// buffer is too small to hold the exported group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_write_group( + grp: *const mbedtls_ecp_group, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + blen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function prepares to authenticate a new message with - /// the same key as the previous HMAC operation. + /// \brief This function performs a scalar multiplication of a point + /// by an integer: \p R = \p m * \p P. /// - /// You may call this function after mbedtls_md_hmac_finish(). - /// Afterwards call mbedtls_md_hmac_update() to pass the new - /// input. + /// It is not thread-safe to use same group in multiple threads. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. + /// \note To prevent timing attacks, this function + /// executes the exact same sequence of base-field + /// operations for any valid \p m. It avoids any if-branch or + /// array index depending on the value of \p m. It also uses + /// \p f_rng to randomize some intermediate results. + /// + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply. This must be initialized. + /// \param P The point to multiply. This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_reset(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private + /// key, or \p P is not a valid public key. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_mul( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function calculates the full generic HMAC - /// on the input buffer with the provided key. + /// \brief This function performs multiplication of a point by + /// an integer: \p R = \p m * \p P in a restartable way. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// \see mbedtls_ecp_mul() /// - /// The HMAC result is calculated as - /// output = generic HMAC(hmac key, input buffer). + /// \note This function does the same as \c mbedtls_ecp_mul(), but + /// it can return early and restart according to the limit set + /// with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param key The HMAC secret key. - /// \param keylen The length of the HMAC secret key in Bytes. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. - /// \param output The generic HMAC result. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply. This must be initialized. + /// \param P The point to multiply. This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. + /// \param rs_ctx The restart context (NULL disables restart). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac( - md_info: *const mbedtls_md_info_t, - key: *const ::core::ffi::c_uchar, - keylen: usize, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private + /// key, or \p P is not a valid public key. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_mul_restartable( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecp_restart_ctx, ) -> ::core::ffi::c_int; } -/// \brief The RSA context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_rsa_context { - ///< Reserved for internal purposes. - /// Do not set this field in application - /// code. Its meaning might change without - /// notice. - pub private_ver: ::core::ffi::c_int, - ///< The size of \p N in Bytes. - pub private_len: usize, - ///< The public modulus. - pub private_N: mbedtls_mpi, - ///< The public exponent. - pub private_E: mbedtls_mpi, - ///< The private exponent. - pub private_D: mbedtls_mpi, - ///< The first prime factor. - pub private_P: mbedtls_mpi, - ///< The second prime factor. - pub private_Q: mbedtls_mpi, - ///< D % (P - 1). - pub private_DP: mbedtls_mpi, - ///< D % (Q - 1). - pub private_DQ: mbedtls_mpi, - ///< 1 / (Q % P). - pub private_QP: mbedtls_mpi, - ///< cached R^2 mod N. - pub private_RN: mbedtls_mpi, - ///< cached R^2 mod P. - pub private_RP: mbedtls_mpi, - ///< cached R^2 mod Q. - pub private_RQ: mbedtls_mpi, - ///< The cached blinding value. - pub private_Vi: mbedtls_mpi, - ///< The cached un-blinding value. - pub private_Vf: mbedtls_mpi, - ///< Selects padding mode: - ///#MBEDTLS_RSA_PKCS_V15 for 1.5 padding and - ///#MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. - pub private_padding: ::core::ffi::c_int, - ///< Hash identifier of mbedtls_md_type_t type, - ///as specified in md.h for use in the MGF - ///mask generating function used in the - ///EME-OAEP and EMSA-PSS encodings. - pub private_hash_id: ::core::ffi::c_int, -} -impl Default for mbedtls_rsa_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { - /// \brief This function initializes an RSA context. - /// - /// \note This function initializes the padding and the hash - /// identifier to respectively #MBEDTLS_RSA_PKCS_V15 and - /// #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more - /// information about those parameters. - /// - /// \param ctx The RSA context to initialize. This must not be \c NULL. - pub fn mbedtls_rsa_init(ctx: *mut mbedtls_rsa_context); -} -unsafe extern "C" { - /// \brief This function sets padding for an already initialized RSA - /// context. - /// - /// \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP - /// encryption scheme and the RSASSA-PSS signature scheme. + /// \brief This function performs multiplication and addition of two + /// points by integers: \p R = \p m * \p P + \p n * \p Q /// - /// \note The \p hash_id parameter is ignored when using - /// #MBEDTLS_RSA_PKCS_V15 padding. + /// It is not thread-safe to use same group in multiple threads. /// - /// \note The choice of padding mode is strictly enforced for private - /// key operations, since there might be security concerns in - /// mixing padding modes. For public key operations it is - /// a default value, which can be overridden by calling specific - /// \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx - /// functions. + /// \note In contrast to mbedtls_ecp_mul(), this function does not + /// guarantee a constant execution flow and timing. /// - /// \note The hash selected in \p hash_id is always used for OEAP - /// encryption. For PSS signatures, it is always used for - /// making signatures, but can be overridden for verifying them. - /// If set to #MBEDTLS_MD_NONE, it is always overridden. + /// \note This function is only defined for short Weierstrass curves. + /// It may not be included in builds without any short + /// Weierstrass curve. /// - /// \param ctx The initialized RSA context to be configured. - /// \param padding The padding mode to use. This must be either - /// #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. - /// \param hash_id The hash identifier for PSS or OAEP, if \p padding is - /// #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this - /// function but may be not suitable for some operations. - /// Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply \p P. + /// This must be initialized. + /// \param P The point to multiply by \p m. This must be initialized. + /// \param n The integer by which to multiply \p Q. + /// This must be initialized. + /// \param Q The point to be multiplied by \p n. + /// This must be initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: - /// \p padding or \p hash_id is invalid. - pub fn mbedtls_rsa_set_padding( - ctx: *mut mbedtls_rsa_context, - padding: ::core::ffi::c_int, - hash_id: mbedtls_md_type_t, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not + /// valid private keys, or \p P or \p Q are not valid public + /// keys. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not + /// designate a short Weierstrass curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_muladd( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + n: *const mbedtls_mpi, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves padding mode of initialized - /// RSA context. - /// - /// \param ctx The initialized RSA context. + /// \brief This function performs multiplication and addition of two + /// points by integers: \p R = \p m * \p P + \p n * \p Q in a + /// restartable way. /// - /// \return RSA padding mode. - pub fn mbedtls_rsa_get_padding_mode(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function retrieves hash identifier of mbedtls_md_type_t - /// type. + /// \see \c mbedtls_ecp_muladd() /// - /// \param ctx The initialized RSA context. + /// \note This function works the same as \c mbedtls_ecp_muladd(), + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \return Hash identifier of mbedtls_md_type_t type. - pub fn mbedtls_rsa_get_md_alg(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function imports a set of core parameters into an - /// RSA context. + /// \note This function is only defined for short Weierstrass curves. + /// It may not be included in builds without any short + /// Weierstrass curve. /// - /// \note This function can be called multiple times for successive - /// imports, if the parameters are not simultaneously present. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply \p P. + /// This must be initialized. + /// \param P The point to multiply by \p m. This must be initialized. + /// \param n The integer by which to multiply \p Q. + /// This must be initialized. + /// \param Q The point to be multiplied by \p n. + /// This must be initialized. + /// \param rs_ctx The restart context (NULL disables restart). /// - /// Any sequence of calls to this function should be followed - /// by a call to mbedtls_rsa_complete(), which checks and - /// completes the provided information to a ready-for-use - /// public or private RSA key. + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not + /// valid private keys, or \p P or \p Q are not valid public + /// keys. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not + /// designate a short Weierstrass curve. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_muladd_restartable( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + n: *const mbedtls_mpi, + Q: *const mbedtls_ecp_point, + rs_ctx: *mut mbedtls_ecp_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function checks that a point is a valid public key + /// on this curve. /// - /// \note See mbedtls_rsa_complete() for more information on which - /// parameters are necessary to set up a private or public - /// RSA key. + /// It only checks that the point is non-zero, has + /// valid coordinates and lies on the curve. It does not verify + /// that it is indeed a multiple of \c G. This additional + /// check is computationally more expensive, is not required + /// by standards, and should not be necessary if the group + /// used has a small cofactor. In particular, it is useless for + /// the NIST groups which all have a cofactor of 1. /// - /// \note The imported parameters are copied and need not be preserved - /// for the lifetime of the RSA context being set up. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure, to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \param ctx The initialized RSA context to store the parameters in. - /// \param N The RSA modulus. This may be \c NULL. - /// \param P The first prime factor of \p N. This may be \c NULL. - /// \param Q The second prime factor of \p N. This may be \c NULL. - /// \param D The private exponent. This may be \c NULL. - /// \param E The public exponent. This may be \c NULL. + /// \param grp The ECP group the point should belong to. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The point to check. This must be initialized. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_import( - ctx: *mut mbedtls_rsa_context, - N: *const mbedtls_mpi, - P: *const mbedtls_mpi, - Q: *const mbedtls_mpi, - D: *const mbedtls_mpi, - E: *const mbedtls_mpi, + /// \return \c 0 if the point is a valid public key. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not + /// a valid public key for the given curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_check_pubkey( + grp: *const mbedtls_ecp_group, + pt: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports core RSA parameters, in raw big-endian - /// binary format, into an RSA context. - /// - /// \note This function can be called multiple times for successive - /// imports, if the parameters are not simultaneously present. + /// \brief This function checks that an \c mbedtls_mpi is a + /// valid private key for this curve. /// - /// Any sequence of calls to this function should be followed - /// by a call to mbedtls_rsa_complete(), which checks and - /// completes the provided information to a ready-for-use - /// public or private RSA key. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \note See mbedtls_rsa_complete() for more information on which - /// parameters are necessary to set up a private or public - /// RSA key. + /// \param grp The ECP group the private key should belong to. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The integer to check. This must be initialized. /// - /// \note The imported parameters are copied and need not be preserved - /// for the lifetime of the RSA context being set up. + /// \return \c 0 if the point is a valid private key. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid + /// private key for the given curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_check_privkey( + grp: *const mbedtls_ecp_group, + d: *const mbedtls_mpi, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function generates a private key. /// - /// \param ctx The initialized RSA context to store the parameters in. - /// \param N The RSA modulus. This may be \c NULL. - /// \param N_len The Byte length of \p N; it is ignored if \p N == NULL. - /// \param P The first prime factor of \p N. This may be \c NULL. - /// \param P_len The Byte length of \p P; it is ignored if \p P == NULL. - /// \param Q The second prime factor of \p N. This may be \c NULL. - /// \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. - /// \param D The private exponent. This may be \c NULL. - /// \param D_len The Byte length of \p D; it is ignored if \p D == NULL. - /// \param E The public exponent. This may be \c NULL. - /// \param E_len The Byte length of \p E; it is ignored if \p E == NULL. + /// \param grp The ECP group to generate a private key for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The destination MPI (secret part). This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_import_raw( - ctx: *mut mbedtls_rsa_context, - N: *const ::core::ffi::c_uchar, - N_len: usize, - P: *const ::core::ffi::c_uchar, - P_len: usize, - Q: *const ::core::ffi::c_uchar, - Q_len: usize, - D: *const ::core::ffi::c_uchar, - D_len: usize, - E: *const ::core::ffi::c_uchar, - E_len: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_privkey( + grp: *const mbedtls_ecp_group, + d: *mut mbedtls_mpi, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function completes an RSA context from - /// a set of imported core parameters. - /// - /// To setup an RSA public key, precisely \p N and \p E - /// must have been imported. + /// \brief This function generates a keypair with a configurable base + /// point. /// - /// To setup an RSA private key, sufficient information must - /// be present for the other parameters to be derivable. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// The default implementation supports the following: - ///
  • Derive \p P, \p Q from \p N, \p D, \p E.
    • - ///
  • Derive \p N, \p D from \p P, \p Q, \p E.
- /// Alternative implementations need not support these. + /// \param grp The ECP group to generate a key pair for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param G The base point to use. This must be initialized + /// and belong to \p grp. It replaces the default base + /// point \c grp->G used by mbedtls_ecp_gen_keypair(). + /// \param d The destination MPI (secret part). + /// This must be initialized. + /// \param Q The destination point (public part). + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// If this function runs successfully, it guarantees that - /// the RSA context can be used for RSA operations without - /// the risk of failure or crash. + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_keypair_base( + grp: *mut mbedtls_ecp_group, + G: *const mbedtls_ecp_point, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function generates an ECP keypair. /// - /// \warning This function need not perform consistency checks - /// for the imported parameters. In particular, parameters that - /// are not needed by the implementation might be silently - /// discarded and left unchecked. To check the consistency - /// of the key material, see mbedtls_rsa_check_privkey(). + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \param ctx The initialized RSA context holding imported parameters. + /// \param grp The ECP group to generate a key pair for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The destination MPI (secret part). + /// This must be initialized. + /// \param Q The destination point (public part). + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations - /// failed. - pub fn mbedtls_rsa_complete(ctx: *mut mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_keypair( + grp: *mut mbedtls_ecp_group, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports the core parameters of an RSA key. - /// - /// If this function runs successfully, the non-NULL buffers - /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully - /// written, with additional unused space filled leading by - /// zero Bytes. - /// - /// Possible reasons for returning - /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    - ///
  • An alternative RSA implementation is in use, which - /// stores the key externally, and either cannot or should - /// not export it into RAM.
    • - ///
  • A SW or HW implementation might not support a certain - /// deduction. For example, \p P, \p Q from \p N, \p D, - /// and \p E if the former are not part of the - /// implementation.
- /// - /// If the function fails due to an unsupported operation, - /// the RSA context stays intact and remains usable. + /// \brief This function generates an ECP key. /// - /// \param ctx The initialized RSA context. - /// \param N The MPI to hold the RSA modulus. - /// This may be \c NULL if this field need not be exported. - /// \param P The MPI to hold the first prime factor of \p N. - /// This may be \c NULL if this field need not be exported. - /// \param Q The MPI to hold the second prime factor of \p N. - /// This may be \c NULL if this field need not be exported. - /// \param D The MPI to hold the private exponent. - /// This may be \c NULL if this field need not be exported. - /// \param E The MPI to hold the public exponent. - /// This may be \c NULL if this field need not be exported. + /// \param grp_id The ECP group identifier. + /// \param key The destination key. This must be initialized. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the - /// requested parameters cannot be done due to missing - /// functionality or because of security policies. - /// \return A non-zero return code on any other failure. - pub fn mbedtls_rsa_export( - ctx: *const mbedtls_rsa_context, - N: *mut mbedtls_mpi, - P: *mut mbedtls_mpi, - Q: *mut mbedtls_mpi, - D: *mut mbedtls_mpi, - E: *mut mbedtls_mpi, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports core parameters of an RSA key - /// in raw big-endian binary format. - /// - /// If this function runs successfully, the non-NULL buffers - /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully - /// written, with additional unused space filled leading by - /// zero Bytes. + /// \brief Set the public key in a key pair object. /// - /// Possible reasons for returning - /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    - ///
  • An alternative RSA implementation is in use, which - /// stores the key externally, and either cannot or should - /// not export it into RAM.
    • - ///
  • A SW or HW implementation might not support a certain - /// deduction. For example, \p P, \p Q from \p N, \p D, - /// and \p E if the former are not part of the - /// implementation.
- /// If the function fails due to an unsupported operation, - /// the RSA context stays intact and remains usable. + /// \note This function does not check that the point actually + /// belongs to the given group. Call mbedtls_ecp_check_pubkey() + /// on \p Q before calling this function to check that. /// - /// \note The length parameters are ignored if the corresponding - /// buffer pointers are NULL. + /// \note This function does not check that the public key matches + /// the private key that is already in \p key, if any. + /// To check the consistency of the resulting key pair object, + /// call mbedtls_ecp_check_pub_priv() after setting both + /// the public key and the private key. /// - /// \param ctx The initialized RSA context. - /// \param N The Byte array to store the RSA modulus, - /// or \c NULL if this field need not be exported. - /// \param N_len The size of the buffer for the modulus. - /// \param P The Byte array to hold the first prime factor of \p N, - /// or \c NULL if this field need not be exported. - /// \param P_len The size of the buffer for the first prime factor. - /// \param Q The Byte array to hold the second prime factor of \p N, - /// or \c NULL if this field need not be exported. - /// \param Q_len The size of the buffer for the second prime factor. - /// \param D The Byte array to hold the private exponent, - /// or \c NULL if this field need not be exported. - /// \param D_len The size of the buffer for the private exponent. - /// \param E The Byte array to hold the public exponent, - /// or \c NULL if this field need not be exported. - /// \param E_len The size of the buffer for the public exponent. + /// \param grp_id The ECP group identifier. + /// \param key The key pair object. It must be initialized. + /// If its group has already been set, it must match \p grp_id. + /// If its group has not been set, it will be set to \p grp_id. + /// If the public key has already been set, it is overwritten. + /// \param Q The public key to copy. This must be a point on the + /// curve indicated by \p grp_id. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the - /// requested parameters cannot be done due to missing - /// functionality or because of security policies. - /// \return A non-zero return code on any other failure. - pub fn mbedtls_rsa_export_raw( - ctx: *const mbedtls_rsa_context, - N: *mut ::core::ffi::c_uchar, - N_len: usize, - P: *mut ::core::ffi::c_uchar, - P_len: usize, - Q: *mut ::core::ffi::c_uchar, - Q_len: usize, - D: *mut ::core::ffi::c_uchar, - D_len: usize, - E: *mut ::core::ffi::c_uchar, - E_len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p key does not + /// match \p grp_id. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for + /// the group is not implemented. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_set_public_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports CRT parameters of a private RSA key. + /// \brief This function reads an elliptic curve private key. /// - /// \note Alternative RSA implementations not using CRT-parameters - /// internally can implement this function based on - /// mbedtls_rsa_deduce_opt(). + /// \note This function does not set the public key in the + /// key pair object. Without a public key, the key pair object + /// cannot be used with operations that require the public key. + /// Call mbedtls_ecp_keypair_calc_public() to set the public + /// key from the private key. Alternatively, you can call + /// mbedtls_ecp_set_public_key() to set the public key part, + /// and then optionally mbedtls_ecp_check_pub_priv() to check + /// that the private and public parts are consistent. + /// + /// \note If a public key has already been set in the key pair + /// object, this function does not check that it is consistent + /// with the private key. Call mbedtls_ecp_check_pub_priv() + /// after setting both the public key and the private key + /// to make that check. /// - /// \param ctx The initialized RSA context. - /// \param DP The MPI to hold \c D modulo `P-1`, - /// or \c NULL if it need not be exported. - /// \param DQ The MPI to hold \c D modulo `Q-1`, - /// or \c NULL if it need not be exported. - /// \param QP The MPI to hold modular inverse of \c Q modulo \c P, - /// or \c NULL if it need not be exported. + /// \param grp_id The ECP group identifier. + /// \param key The destination key. + /// \param buf The buffer containing the binary representation of the + /// key. (Big endian integer for Weierstrass curves, byte + /// string for Montgomery curves.) + /// \param buflen The length of the buffer in bytes. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_export_crt( - ctx: *const mbedtls_rsa_context, - DP: *mut mbedtls_mpi, - DQ: *mut mbedtls_mpi, - QP: *mut mbedtls_mpi, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is + /// invalid. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for + /// the group is not implemented. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_read_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + buf: *const ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves the length of RSA modulus in Bytes. + /// \brief This function exports an elliptic curve private key. /// - /// \param ctx The initialized RSA context. + /// \deprecated Note that although this function accepts an output + /// buffer that is smaller or larger than the key, most key + /// import interfaces require the output to have exactly + /// key's nominal length. It is generally simplest to + /// pass the key's nominal length as \c buflen, after + /// checking that the output buffer is large enough. + /// See the description of the \p buflen parameter for + /// how to calculate the nominal length. + /// To avoid this difficulty, use mbedtls_ecp_write_key_ext() + /// instead. + /// mbedtls_ecp_write_key() is deprecated and will be + /// removed in a future version of the library. + /// + /// \note If the private key was not set in \p key, + /// the output is unspecified. Future versions + /// may return an error in that case. /// - /// \return The length of the RSA modulus in Bytes. - pub fn mbedtls_rsa_get_len(ctx: *const mbedtls_rsa_context) -> usize; + /// \param key The private key. + /// \param buf The output buffer for containing the binary representation + /// of the key. + /// For Weierstrass curves, this is the big-endian + /// representation, padded with null bytes at the beginning + /// to reach \p buflen bytes. + /// For Montgomery curves, this is the standard byte string + /// representation (which is little-endian), padded with + /// null bytes at the end to reach \p buflen bytes. + /// \param buflen The total length of the buffer in bytes. + /// The length of the output is + /// (`grp->nbits` + 7) / 8 bytes + /// where `grp->nbits` is the private key size in bits. + /// For Weierstrass keys, if the output buffer is smaller, + /// leading zeros are trimmed to fit if possible. For + /// Montgomery keys, the output buffer must always be large + /// enough for the nominal length. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL or + /// #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the \p key + /// representation is larger than the available space in \p buf. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_write_key( + key: *mut mbedtls_ecp_keypair, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function generates an RSA keypair. - /// - /// \note mbedtls_rsa_init() must be called before this function, - /// to set up the RSA context. + /// \brief This function exports an elliptic curve private key. /// - /// \param ctx The initialized RSA context used to hold the key. - /// \param f_rng The RNG function to be used for key generation. - /// This is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. - /// This may be \c NULL if \p f_rng doesn't need a context. - /// \param nbits The size of the public key in bits. - /// \param exponent The public exponent to use. For example, \c 65537. - /// This must be odd and greater than \c 1. + /// \param key The private key. + /// \param olen On success, the length of the private key. + /// This is always (`grp->nbits` + 7) / 8 bytes + /// where `grp->nbits` is the private key size in bits. + /// \param buf The output buffer for containing the binary representation + /// of the key. + /// \param buflen The total length of the buffer in bytes. + /// #MBEDTLS_ECP_MAX_BYTES is always sufficient. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_gen_key( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - nbits: ::core::ffi::c_uint, - exponent: ::core::ffi::c_int, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key + /// representation is larger than the available space in \p buf. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if no private key is + /// set in \p key. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_write_key_ext( + key: *const mbedtls_ecp_keypair, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks if a context contains at least an RSA - /// public key. + /// \brief This function exports an elliptic curve public key. /// - /// If the function runs successfully, it is guaranteed that - /// enough information is present to perform an RSA public key - /// operation using mbedtls_rsa_public(). + /// \note If the public key was not set in \p key, + /// the output is unspecified. Future versions + /// may return an error in that case. /// - /// \param ctx The initialized RSA context to check. + /// \param key The public key. + /// \param format The point format. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// (For groups without these formats, this parameter is + /// ignored. But it still has to be either of the above + /// values.) + /// \param olen The address at which to store the length of + /// the output in Bytes. This must not be \c NULL. + /// \param buf The output buffer. This must be a writable buffer + /// of length \p buflen Bytes. + /// \param buflen The length of the output buffer \p buf in Bytes. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_pubkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer + /// is too small to hold the point. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format + /// or the export for the given group is not implemented. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_write_public_key( + key: *const mbedtls_ecp_keypair, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks if a context contains an RSA private key - /// and perform basic consistency checks. - /// - /// \note The consistency checks performed by this function not only - /// ensure that mbedtls_rsa_private() can be called successfully - /// on the given context, but that the various parameters are - /// mutually consistent with high probability, in the sense that - /// mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. + /// \brief This function checks that the keypair objects + /// \p pub and \p prv have the same group and the + /// same public point, and that the private key in + /// \p prv is consistent with the public key. /// - /// \warning This function should catch accidental misconfigurations - /// like swapping of parameters, but it cannot establish full - /// trust in neither the quality nor the consistency of the key - /// material that was used to setup the given RSA context: - ///
  • Consistency: Imported parameters that are irrelevant - /// for the implementation might be silently dropped. If dropped, - /// the current function does not have access to them, - /// and therefore cannot check them. See mbedtls_rsa_complete(). - /// If you want to check the consistency of the entire - /// content of a PKCS1-encoded RSA private key, for example, you - /// should use mbedtls_rsa_validate_params() before setting - /// up the RSA context. - /// Additionally, if the implementation performs empirical checks, - /// these checks substantiate but do not guarantee consistency.
    • - ///
  • Quality: This function is not expected to perform - /// extended quality assessments like checking that the prime - /// factors are safe. Additionally, it is the responsibility of the - /// user to ensure the trustworthiness of the source of his RSA - /// parameters, which goes beyond what is effectively checkable - /// by the library.
- /// - /// \param ctx The initialized RSA context to check. + /// \param pub The keypair structure holding the public key. This + /// must be initialized. If it contains a private key, that + /// part is ignored. + /// \param prv The keypair structure holding the full keypair. + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_privkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success, meaning that the keys are valid and match. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match. + /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX + /// error code on calculation failure. + pub fn mbedtls_ecp_check_pub_priv( + pub_: *const mbedtls_ecp_keypair, + prv: *const mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks a public-private RSA key pair. - /// - /// It checks each of the contexts, and makes sure they match. + /// \brief Calculate the public key from a private key in a key pair. /// - /// \param pub The initialized RSA context holding the public key. - /// \param prv The initialized RSA context holding the private key. + /// \param key A keypair structure. It must have a private key set. + /// If the public key is set, it will be overwritten. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_pub_priv( - pub_: *const mbedtls_rsa_context, - prv: *const mbedtls_rsa_context, + /// \return \c 0 on success. The key pair object can be used for + /// operations that require the public key. + /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX + /// error code on calculation failure. + pub fn mbedtls_ecp_keypair_calc_public( + key: *mut mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs an RSA public key operation. - /// - /// \param ctx The initialized RSA context to use. - /// \param input The input buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// - /// \note This function does not handle message padding. + /// \brief Query the group that a key pair belongs to. /// - /// \note Make sure to set \p input[0] = 0 or ensure that - /// input is smaller than \p N. + /// \param key The key pair to query. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_public( - ctx: *mut mbedtls_rsa_context, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return The group ID for the group registered in the key pair + /// object. + /// This is \c MBEDTLS_ECP_DP_NONE if no group has been set + /// in the key pair object. + pub fn mbedtls_ecp_keypair_get_group_id( + key: *const mbedtls_ecp_keypair, + ) -> mbedtls_ecp_group_id; } unsafe extern "C" { - /// \brief This function performs an RSA private key operation. - /// - /// \note Blinding is used if and only if a PRNG is provided. + /// \brief This function exports generic key-pair parameters. /// - /// \note If blinding is used, both the base of exponentiation - /// and the exponent are blinded, providing protection - /// against some side-channel attacks. + /// Each of the output parameters can be a null pointer + /// if you do not need that parameter. /// - /// \warning It is deprecated and a security risk to not provide - /// a PRNG here and thereby prevent the use of blinding. - /// Future versions of the library may enforce the presence - /// of a PRNG. + /// \note If the private key or the public key was not set in \p key, + /// the corresponding output is unspecified. Future versions + /// may return an error in that case. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function, used for blinding. It is mandatory. - /// \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context. - /// \param input The input buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \param key The key pair to export from. + /// \param grp Slot for exported ECP group. + /// It must either be null or point to an initialized ECP group. + /// \param d Slot for the exported secret value. + /// It must either be null or point to an initialized mpi. + /// \param Q Slot for the exported public value. + /// It must either be null or point to an initialized ECP point. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_private( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, + /// \return \c 0 on success, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't + /// correspond to a known group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_export( + key: *const mbedtls_ecp_keypair, + grp: *mut mbedtls_ecp_group, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function adds the message padding, then performs an RSA - /// operation. - /// - /// It is the generic wrapper for performing a PKCS#1 encryption - /// operation. - /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG to use. It is used for padding generation - /// and it is mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. May be - /// \c NULL if \p f_rng doesn't need a context argument. - /// \param ilen The length of the plaintext in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \brief The ECP checkup routine. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return \c 1 on failure. + pub fn mbedtls_ecp_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief The RSA context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_rsa_context { + ///< Reserved for internal purposes. + /// Do not set this field in application + /// code. Its meaning might change without + /// notice. + pub private_ver: ::core::ffi::c_int, + ///< The size of \p N in Bytes. + pub private_len: usize, + ///< The public modulus. + pub private_N: mbedtls_mpi, + ///< The public exponent. + pub private_E: mbedtls_mpi, + ///< The private exponent. + pub private_D: mbedtls_mpi, + ///< The first prime factor. + pub private_P: mbedtls_mpi, + ///< The second prime factor. + pub private_Q: mbedtls_mpi, + ///< D % (P - 1). + pub private_DP: mbedtls_mpi, + ///< D % (Q - 1). + pub private_DQ: mbedtls_mpi, + ///< 1 / (Q % P). + pub private_QP: mbedtls_mpi, + ///< cached R^2 mod N. + pub private_RN: mbedtls_mpi, + ///< cached R^2 mod P. + pub private_RP: mbedtls_mpi, + ///< cached R^2 mod Q. + pub private_RQ: mbedtls_mpi, + ///< The cached blinding value. + pub private_Vi: mbedtls_mpi, + ///< The cached un-blinding value. + pub private_Vf: mbedtls_mpi, + ///< Selects padding mode: + ///#MBEDTLS_RSA_PKCS_V15 for 1.5 padding and + ///#MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. + pub private_padding: ::core::ffi::c_int, + ///< Hash identifier of mbedtls_md_type_t type, + ///as specified in md.h for use in the MGF + ///mask generating function used in the + ///EME-OAEP and EMSA-PSS encodings. + pub private_hash_id: ::core::ffi::c_int, +} +impl Default for mbedtls_rsa_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 encryption operation - /// (RSAES-PKCS1-v1_5-ENCRYPT). + /// \brief This function initializes an RSA context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. It is mandatory and used for - /// padding generation. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// \param ilen The length of the plaintext in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note This function initializes the padding and the hash + /// identifier to respectively #MBEDTLS_RSA_PKCS_V15 and + /// #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more + /// information about those parameters. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_pkcs1_v15_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param ctx The RSA context to initialize. This must not be \c NULL. + pub fn mbedtls_rsa_init(ctx: *mut mbedtls_rsa_context); } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 OAEP encryption - /// operation (RSAES-OAEP-ENCRYPT). - /// - /// \note The output buffer must be as large as the size - /// of ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// \brief This function sets padding for an already initialized RSA + /// context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. This is needed for padding - /// generation and is mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// \param label The buffer holding the custom label to use. - /// This must be a readable buffer of length \p label_len - /// Bytes. It may be \c NULL if \p label_len is \c 0. - /// \param label_len The length of the label in Bytes. - /// \param ilen The length of the plaintext buffer \p input in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP + /// encryption scheme and the RSASSA-PSS signature scheme. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_oaep_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - label: *const ::core::ffi::c_uchar, - label_len: usize, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function performs an RSA operation, then removes the - /// message padding. + /// \note The \p hash_id parameter is ignored when using + /// #MBEDTLS_RSA_PKCS_V15 padding. /// - /// It is the generic wrapper for performing a PKCS#1 decryption - /// operation. + /// \note The choice of padding mode is strictly enforced for private + /// key operations, since there might be security concerns in + /// mixing padding modes. For public key operations it is + /// a default value, which can be overridden by calling specific + /// \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx + /// functions. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N (for example, - /// 128 Bytes if RSA-1024 is used) to be able to hold an - /// arbitrary decrypted message. If it is not large enough to - /// hold the decryption of the particular ciphertext provided, - /// the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \note The hash selected in \p hash_id is always used for OEAP + /// encryption. For PSS signatures, it is always used for + /// making signatures, but can be overridden for verifying them. + /// If set to #MBEDTLS_MD_NONE, it is always overridden. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// \param ctx The initialized RSA context to be configured. + /// \param padding The padding mode to use. This must be either + /// #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. + /// \param hash_id The hash identifier for PSS or OAEP, if \p padding is + /// #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this + /// function but may be not suitable for some operations. + /// Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_decrypt( + /// \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: + /// \p padding or \p hash_id is invalid. + pub fn mbedtls_rsa_set_padding( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, + padding: ::core::ffi::c_int, + hash_id: mbedtls_md_type_t, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 decryption - /// operation (RSAES-PKCS1-v1_5-DECRYPT). + /// \brief This function retrieves padding mode of initialized + /// RSA context. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N, for example, - /// 128 Bytes if RSA-1024 is used, to be able to hold an - /// arbitrary decrypted message. If it is not large enough to - /// hold the decryption of the particular ciphertext provided, - /// the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \param ctx The initialized RSA context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// \return RSA padding mode. + pub fn mbedtls_rsa_get_padding_mode(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function retrieves hash identifier of mbedtls_md_type_t + /// type. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_pkcs1_v15_decrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The initialized RSA context. + /// + /// \return Hash identifier of mbedtls_md_type_t type. + pub fn mbedtls_rsa_get_md_alg(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 OAEP decryption - /// operation (RSAES-OAEP-DECRYPT). + /// \brief This function imports a set of core parameters into an + /// RSA context. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N, for - /// example, 128 Bytes if RSA-1024 is used, to be able to - /// hold an arbitrary decrypted message. If it is not - /// large enough to hold the decryption of the particular - /// ciphertext provided, the function returns - /// #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \note This function can be called multiple times for successive + /// imports, if the parameters are not simultaneously present. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param label The buffer holding the custom label to use. - /// This must be a readable buffer of length \p label_len - /// Bytes. It may be \c NULL if \p label_len is \c 0. - /// \param label_len The length of the label in Bytes. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// Any sequence of calls to this function should be followed + /// by a call to mbedtls_rsa_complete(), which checks and + /// completes the provided information to a ready-for-use + /// public or private RSA key. + /// + /// \note See mbedtls_rsa_complete() for more information on which + /// parameters are necessary to set up a private or public + /// RSA key. + /// + /// \note The imported parameters are copied and need not be preserved + /// for the lifetime of the RSA context being set up. + /// + /// \param ctx The initialized RSA context to store the parameters in. + /// \param N The RSA modulus. This may be \c NULL. + /// \param P The first prime factor of \p N. This may be \c NULL. + /// \param Q The second prime factor of \p N. This may be \c NULL. + /// \param D The private exponent. This may be \c NULL. + /// \param E The public exponent. This may be \c NULL. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_oaep_decrypt( + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_import( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - label: *const ::core::ffi::c_uchar, - label_len: usize, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, + N: *const mbedtls_mpi, + P: *const mbedtls_mpi, + Q: *const mbedtls_mpi, + D: *const mbedtls_mpi, + E: *const mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a private RSA operation to sign - /// a message digest using PKCS#1. + /// \brief This function imports core RSA parameters, in raw big-endian + /// binary format, into an RSA context. /// - /// It is the generic wrapper for performing a PKCS#1 - /// signature. + /// \note This function can be called multiple times for successive + /// imports, if the parameters are not simultaneously present. /// - /// \note The \p sig buffer must be as large as the size - /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// Any sequence of calls to this function should be followed + /// by a call to mbedtls_rsa_complete(), which checks and + /// completes the provided information to a ready-for-use + /// public or private RSA key. /// - /// \note For PKCS#1 v2.1 encoding, see comments on - /// mbedtls_rsa_rsassa_pss_sign() for details on - /// \p md_alg and \p hash_id. + /// \note See mbedtls_rsa_complete() for more information on which + /// parameters are necessary to set up a private or public + /// RSA key. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. This is mandatory and - /// must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// \note The imported parameters are copied and need not be preserved + /// for the lifetime of the RSA context being set up. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_sign( + /// \param ctx The initialized RSA context to store the parameters in. + /// \param N The RSA modulus. This may be \c NULL. + /// \param N_len The Byte length of \p N; it is ignored if \p N == NULL. + /// \param P The first prime factor of \p N. This may be \c NULL. + /// \param P_len The Byte length of \p P; it is ignored if \p P == NULL. + /// \param Q The second prime factor of \p N. This may be \c NULL. + /// \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. + /// \param D The private exponent. This may be \c NULL. + /// \param D_len The Byte length of \p D; it is ignored if \p D == NULL. + /// \param E The public exponent. This may be \c NULL. + /// \param E_len The Byte length of \p E; it is ignored if \p E == NULL. + /// + /// \return \c 0 on success. + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_import_raw( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, + N: *const ::core::ffi::c_uchar, + N_len: usize, + P: *const ::core::ffi::c_uchar, + P_len: usize, + Q: *const ::core::ffi::c_uchar, + Q_len: usize, + D: *const ::core::ffi::c_uchar, + D_len: usize, + E: *const ::core::ffi::c_uchar, + E_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 signature - /// operation (RSASSA-PKCS1-v1_5-SIGN). + /// \brief This function completes an RSA context from + /// a set of imported core parameters. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// To setup an RSA public key, precisely \c N and \c E + /// must have been imported. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pkcs1_v15_sign( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS signature - /// operation (RSASSA-PSS-SIGN). + /// To setup an RSA private key, sufficient information must + /// be present for the other parameters to be derivable. /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. + /// The default implementation supports the following: + ///
  • Derive \c P, \c Q from \c N, \c D, \c E.
    • + ///
  • Derive \c N, \c D from \c P, \c Q, \c E.
+ /// Alternative implementations need not support these. /// - /// \note This function enforces that the provided salt length complies - /// with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 - /// step 3. The constraint is that the hash length plus the salt - /// length plus 2 bytes must be at most the key length. If this - /// constraint is not met, this function returns - /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. + /// If this function runs successfully, it guarantees that + /// the RSA context can be used for RSA operations without + /// the risk of failure or crash. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param saltlen The length of the salt that should be used. - /// If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use - /// the largest possible salt length up to the hash length, - /// which is the largest permitted by some standards including - /// FIPS 186-4 §5.5. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// \warning This function need not perform consistency checks + /// for the imported parameters. In particular, parameters that + /// are not needed by the implementation might be silently + /// discarded and left unchecked. To check the consistency + /// of the key material, see mbedtls_rsa_check_privkey(). /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_sign_ext( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - saltlen: ::core::ffi::c_int, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param ctx The initialized RSA context holding imported parameters. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations + /// failed. + pub fn mbedtls_rsa_complete(ctx: *mut mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS signature - /// operation (RSASSA-PSS-SIGN). + /// \brief This function exports the core parameters of an RSA key. /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. + /// If this function runs successfully, the non-NULL buffers + /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + /// written, with additional unused space filled leading by + /// zero Bytes. /// - /// \note This function always uses the maximum possible salt size, - /// up to the length of the payload hash. This choice of salt - /// size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 - /// v2.2) §9.1.1 step 3. Furthermore this function enforces a - /// minimum salt size which is the hash size minus 2 bytes. If - /// this minimum size is too large given the key size (the salt - /// size, plus the hash size, plus 2 bytes must be no more than - /// the key size in bytes), this function returns - /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. + /// Possible reasons for returning + /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    + ///
  • An alternative RSA implementation is in use, which + /// stores the key externally, and either cannot or should + /// not export it into RAM.
    • + ///
  • A SW or HW implementation might not support a certain + /// deduction. For example, \p P, \p Q from \p N, \p D, + /// and \p E if the former are not part of the + /// implementation.
/// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// If the function fails due to an unsupported operation, + /// the RSA context stays intact and remains usable. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_sign( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, + /// \param ctx The initialized RSA context. + /// \param N The MPI to hold the RSA modulus. + /// This may be \c NULL if this field need not be exported. + /// \param P The MPI to hold the first prime factor of \p N. + /// This may be \c NULL if this field need not be exported. + /// \param Q The MPI to hold the second prime factor of \p N. + /// This may be \c NULL if this field need not be exported. + /// \param D The MPI to hold the private exponent. + /// This may be \c NULL if this field need not be exported. + /// \param E The MPI to hold the public exponent. + /// This may be \c NULL if this field need not be exported. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the + /// requested parameters cannot be done due to missing + /// functionality or because of security policies. + /// \return A non-zero return code on any other failure. + pub fn mbedtls_rsa_export( + ctx: *const mbedtls_rsa_context, + N: *mut mbedtls_mpi, + P: *mut mbedtls_mpi, + Q: *mut mbedtls_mpi, + D: *mut mbedtls_mpi, + E: *mut mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a public RSA operation and checks - /// the message digest. - /// - /// This is the generic wrapper for performing a PKCS#1 - /// verification. + /// \brief This function exports core parameters of an RSA key + /// in raw big-endian binary format. /// - /// \note For PKCS#1 v2.1 encoding, see comments on - /// mbedtls_rsa_rsassa_pss_verify() about \p md_alg and - /// \p hash_id. + /// If this function runs successfully, the non-NULL buffers + /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + /// written, with additional unused space filled leading by + /// zero Bytes. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// Possible reasons for returning + /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    + ///
  • An alternative RSA implementation is in use, which + /// stores the key externally, and either cannot or should + /// not export it into RAM.
    • + ///
  • A SW or HW implementation might not support a certain + /// deduction. For example, \p P, \p Q from \p N, \p D, + /// and \p E if the former are not part of the + /// implementation.
+ /// If the function fails due to an unsupported operation, + /// the RSA context stays intact and remains usable. /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, + /// \note The length parameters are ignored if the corresponding + /// buffer pointers are NULL. + /// + /// \param ctx The initialized RSA context. + /// \param N The Byte array to store the RSA modulus, + /// or \c NULL if this field need not be exported. + /// \param N_len The size of the buffer for the modulus. + /// \param P The Byte array to hold the first prime factor of \p N, + /// or \c NULL if this field need not be exported. + /// \param P_len The size of the buffer for the first prime factor. + /// \param Q The Byte array to hold the second prime factor of \p N, + /// or \c NULL if this field need not be exported. + /// \param Q_len The size of the buffer for the second prime factor. + /// \param D The Byte array to hold the private exponent, + /// or \c NULL if this field need not be exported. + /// \param D_len The size of the buffer for the private exponent. + /// \param E The Byte array to hold the public exponent, + /// or \c NULL if this field need not be exported. + /// \param E_len The size of the buffer for the public exponent. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the + /// requested parameters cannot be done due to missing + /// functionality or because of security policies. + /// \return A non-zero return code on any other failure. + pub fn mbedtls_rsa_export_raw( + ctx: *const mbedtls_rsa_context, + N: *mut ::core::ffi::c_uchar, + N_len: usize, + P: *mut ::core::ffi::c_uchar, + P_len: usize, + Q: *mut ::core::ffi::c_uchar, + Q_len: usize, + D: *mut ::core::ffi::c_uchar, + D_len: usize, + E: *mut ::core::ffi::c_uchar, + E_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 verification - /// operation (RSASSA-PKCS1-v1_5-VERIFY). + /// \brief This function exports CRT parameters of a private RSA key. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note Alternative RSA implementations not using CRT-parameters + /// internally can implement this function based on + /// mbedtls_rsa_deduce_opt(). /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pkcs1_v15_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, + /// \param ctx The initialized RSA context. + /// \param DP The MPI to hold \c D modulo `P-1`, + /// or \c NULL if it need not be exported. + /// \param DQ The MPI to hold \c D modulo `Q-1`, + /// or \c NULL if it need not be exported. + /// \param QP The MPI to hold modular inverse of \c Q modulo \c P, + /// or \c NULL if it need not be exported. + /// + /// \return \c 0 on success. + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_export_crt( + ctx: *const mbedtls_rsa_context, + DP: *mut mbedtls_mpi, + DQ: *mut mbedtls_mpi, + QP: *mut mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS verification - /// operation (RSASSA-PSS-VERIFY). - /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. If the \c hash_id set in \p ctx by - /// mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg - /// parameter is used. + /// \brief This function retrieves the length of the RSA modulus in bits. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \param ctx The initialized RSA context. /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return The length of the RSA modulus in bits. + pub fn mbedtls_rsa_get_bitlen(ctx: *const mbedtls_rsa_context) -> usize; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS verification - /// operation (RSASSA-PSS-VERIFY). + /// \brief This function retrieves the length of RSA modulus in Bytes. /// - /// \note The \p sig buffer must be as large as the size - /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// \param ctx The initialized RSA context. /// - /// \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is - /// ignored. + /// \return The length of the RSA modulus in Bytes. + pub fn mbedtls_rsa_get_len(ctx: *const mbedtls_rsa_context) -> usize; +} +unsafe extern "C" { + /// \brief This function generates an RSA keypair. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param mgf1_hash_id The message digest algorithm used for the - /// verification operation and the mask generation - /// function (MGF1). For more details on the encoding - /// operation and the mask generation function, consult - /// RFC-3447: Public-Key Cryptography Standards - /// (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. - /// \param expected_salt_len The length of the salt used in padding. Use - /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note mbedtls_rsa_init() must be called before this function, + /// to set up the RSA context. /// - /// \return \c 0 if the verify operation was successful. + /// \param ctx The initialized RSA context used to hold the key. + /// \param f_rng The RNG function to be used for key generation. + /// This is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. + /// This may be \c NULL if \p f_rng doesn't need a context. + /// \param nbits The size of the public key in bits. + /// \param exponent The public exponent to use. For example, \c 65537. + /// This must be odd and greater than \c 1. + /// + /// \return \c 0 on success. /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_verify_ext( + pub fn mbedtls_rsa_gen_key( ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - mgf1_hash_id: mbedtls_md_type_t, - expected_salt_len: ::core::ffi::c_int, - sig: *const ::core::ffi::c_uchar, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + nbits: ::core::ffi::c_uint, + exponent: ::core::ffi::c_int, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function copies the components of an RSA context. + /// \brief This function checks if a context contains at least an RSA + /// public key. /// - /// \param dst The destination context. This must be initialized. - /// \param src The source context. This must be initialized. + /// If the function runs successfully, it is guaranteed that + /// enough information is present to perform an RSA public key + /// operation using mbedtls_rsa_public(). + /// + /// \param ctx The initialized RSA context to check. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. - pub fn mbedtls_rsa_copy( - dst: *mut mbedtls_rsa_context, - src: *const mbedtls_rsa_context, - ) -> ::core::ffi::c_int; + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_pubkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function frees the components of an RSA key. + /// \brief This function checks if a context contains an RSA private key + /// and perform basic consistency checks. /// - /// \param ctx The RSA context to free. May be \c NULL, in which case - /// this function is a no-op. If it is not \c NULL, it must - /// point to an initialized RSA context. - pub fn mbedtls_rsa_free(ctx: *mut mbedtls_rsa_context); + /// \note The consistency checks performed by this function not only + /// ensure that mbedtls_rsa_private() can be called successfully + /// on the given context, but that the various parameters are + /// mutually consistent with high probability, in the sense that + /// mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. + /// + /// \warning This function should catch accidental misconfigurations + /// like swapping of parameters, but it cannot establish full + /// trust in neither the quality nor the consistency of the key + /// material that was used to setup the given RSA context: + ///
  • Consistency: Imported parameters that are irrelevant + /// for the implementation might be silently dropped. If dropped, + /// the current function does not have access to them, + /// and therefore cannot check them. See mbedtls_rsa_complete(). + /// If you want to check the consistency of the entire + /// content of a PKCS1-encoded RSA private key, for example, you + /// should use mbedtls_rsa_validate_params() before setting + /// up the RSA context. + /// Additionally, if the implementation performs empirical checks, + /// these checks substantiate but do not guarantee consistency.
    • + ///
  • Quality: This function is not expected to perform + /// extended quality assessments like checking that the prime + /// factors are safe. Additionally, it is the responsibility of the + /// user to ensure the trustworthiness of the source of his RSA + /// parameters, which goes beyond what is effectively checkable + /// by the library.
+ /// + /// \param ctx The initialized RSA context to check. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_privkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief The RSA checkup routine. + /// \brief This function checks a public-private RSA key pair. + /// + /// It checks each of the contexts, and makes sure they match. + /// + /// \param pub The initialized RSA context holding the public key. + /// \param prv The initialized RSA context holding the private key. /// /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_rsa_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -/// \brief The ECDSA context structure. -/// -/// \warning Performing multiple operations concurrently on the same -/// ECDSA context is not supported; objects of this type -/// should not be shared between multiple threads. -/// -/// \note pk_wrap module assumes that "ecdsa_context" is identical -/// to "ecp_keypair" (see for example structure -/// "mbedtls_eckey_info" where ECDSA sign/verify functions -/// are used also for EC key) -pub type mbedtls_ecdsa_context = mbedtls_ecp_keypair; -pub type mbedtls_ecdsa_restart_ctx = ::core::ffi::c_void; + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_pub_priv( + pub_: *const mbedtls_rsa_context, + prv: *const mbedtls_rsa_context, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { - /// \brief This function checks whether a given group can be used - /// for ECDSA. + /// \brief This function performs an RSA public key operation. /// - /// \param gid The ECP group ID to check. + /// \param ctx The initialized RSA context to use. + /// \param input The input buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 1 if the group can be used, \c 0 otherwise - pub fn mbedtls_ecdsa_can_do(gid: mbedtls_ecp_group_id) -> ::core::ffi::c_int; + /// \note This function does not handle message padding. + /// + /// \note Make sure to set \p input[0] = 0 or ensure that + /// input is smaller than \c N. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_public( + ctx: *mut mbedtls_rsa_context, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message. + /// \brief This function performs an RSA private key operation. /// - /// \note The deterministic version implemented in - /// mbedtls_ecdsa_sign_det_ext() is usually preferred. + /// \note Blinding is used if and only if a PRNG is provided. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated - /// as defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. + /// \note If blinding is used, both the base of exponentiation + /// and the exponent are blinded, providing protection + /// against some side-channel attacks. /// - /// \see ecp.h + /// \warning It is deprecated and a security risk to not provide + /// a PRNG here and thereby prevent the use of blinding. + /// Future versions of the library may enforce the presence + /// of a PRNG. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized. - /// \param buf The content to be signed. This is usually the hash of - /// the original data to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function, used for blinding. It is mandatory. + /// \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context. + /// \param input The input buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX - /// or \c MBEDTLS_MPI_XXX error code on failure. - pub fn mbedtls_ecdsa_sign( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_private( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, deterministic version. + /// \brief This function adds the message padding, then performs an RSA + /// operation. /// - /// For more information, see RFC-6979: Deterministic - /// Usage of the Digital Signature Algorithm (DSA) and Elliptic - /// Curve Digital Signature Algorithm (ECDSA). + /// It is the generic wrapper for performing a PKCS#1 encryption + /// operation. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG to use. It is used for padding generation + /// and it is mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. May be + /// \c NULL if \p f_rng doesn't need a context argument. + /// \param ilen The length of the plaintext in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \see ecp.h + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a PKCS#1 v1.5 encryption operation + /// (RSAES-PKCS1-v1_5-ENCRYPT). /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param md_alg The hash algorithm used to hash the original data. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. It is mandatory and used for + /// padding generation. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. + /// \param ilen The length of the plaintext in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_det_ext( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - md_alg: mbedtls_md_type_t, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_pkcs1_v15_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, in a restartable way. + /// \brief This function performs a PKCS#1 v2.1 OAEP encryption + /// operation (RSAES-OAEP-ENCRYPT). /// - /// \note The deterministic version implemented in - /// mbedtls_ecdsa_sign_det_restartable() is usually - /// preferred. + /// \note The output buffer must be as large as the size + /// of ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \note This function is like \c mbedtls_ecdsa_sign() but - /// it can return early and restart according to the - /// limit set with \c mbedtls_ecp_set_max_ops() to - /// reduce blocking. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. This is needed for padding + /// generation and is mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. + /// \param label The buffer holding the custom label to use. + /// This must be a readable buffer of length \p label_len + /// Bytes. It may be \c NULL if \p label_len is \c 0. + /// \param label_len The length of the label in Bytes. + /// \param ilen The length of the plaintext buffer \p input in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \note If the bitlength of the message hash is larger - /// than the bitlength of the group order, then the - /// hash is truncated as defined in Standards for - /// Efficient Cryptography Group (SECG): SEC1 Elliptic - /// Curve Cryptography, section 4.1.3, step 5. + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_oaep_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + label: *const ::core::ffi::c_uchar, + label_len: usize, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs an RSA operation, then removes the + /// message padding. /// - /// \see ecp.h + /// It is the generic wrapper for performing a PKCS#1 decryption + /// operation. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through - /// mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param rs_ctx The restart context to use. This may be \c NULL - /// to disable restarting. If it is not \c NULL, it - /// must point to an initialized restart context. + /// \warning When \p ctx->padding is set to #MBEDTLS_RSA_PKCS_V15, + /// mbedtls_rsa_rsaes_pkcs1_v15_decrypt() is called, which is an + /// inherently dangerous function (CWE-242). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c - /// mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c - /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_restartable( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N (for example, + /// 128 Bytes if RSA-1024 is used) to be able to hold an + /// arbitrary decrypted message. If it is not large enough to + /// hold the decryption of the particular ciphertext provided, + /// the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, in a restartable way. - /// - /// \note This function is like \c - /// mbedtls_ecdsa_sign_det_ext() but it can return - /// early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \brief This function performs a PKCS#1 v1.5 decryption + /// operation (RSAES-PKCS1-v1_5-DECRYPT). /// - /// \note If the bitlength of the message hash is larger - /// than the bitlength of the group order, then the - /// hash is truncated as defined in Standards for - /// Efficient Cryptography Group (SECG): SEC1 Elliptic - /// Curve Cryptography, section 4.1.3, step 5. + /// \warning This is an inherently dangerous function (CWE-242). Unless + /// it is used in a side channel free and safe way (eg. + /// implementing the TLS protocol as per 7.4.7.1 of RFC 5246), + /// the calling code is vulnerable. /// - /// \see ecp.h + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N, for example, + /// 128 Bytes if RSA-1024 is used, to be able to hold an + /// arbitrary decrypted message. If it is not large enough to + /// hold the decryption of the particular ciphertext provided, + /// the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through - /// mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param md_alg The hash algorithm used to hash the original data. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param rs_ctx The restart context to use. This may be \c NULL - /// to disable restarting. If it is not \c NULL, it - /// must point to an initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c - /// mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c - /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_det_restartable( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - md_alg: mbedtls_md_type_t, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_pkcs1_v15_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function verifies the ECDSA signature of a - /// previously-hashed message. - /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// \brief This function performs a PKCS#1 v2.1 OAEP decryption + /// operation (RSAES-OAEP-DECRYPT). /// - /// \see ecp.h + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N, for + /// example, 128 Bytes if RSA-1024 is used, to be able to + /// hold an arbitrary decrypted message. If it is not + /// large enough to hold the decryption of the particular + /// ciphertext provided, the function returns + /// #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param buf The hashed content that was signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param Q The public key to use for verification. This must be - /// initialized and setup. - /// \param r The first integer of the signature. - /// This must be initialized. - /// \param s The second integer of the signature. - /// This must be initialized. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param label The buffer holding the custom label to use. + /// This must be a readable buffer of length \p label_len + /// Bytes. It may be \c NULL if \p label_len is \c 0. + /// \param label_len The length of the label in Bytes. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_verify( - grp: *mut mbedtls_ecp_group, - buf: *const ::core::ffi::c_uchar, - blen: usize, - Q: *const mbedtls_ecp_point, - r: *const mbedtls_mpi, - s: *const mbedtls_mpi, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_oaep_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + label: *const ::core::ffi::c_uchar, + label_len: usize, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function verifies the ECDSA signature of a - /// previously-hashed message, in a restartable manner + /// \brief This function performs a private RSA operation to sign + /// a message digest using PKCS#1. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// It is the generic wrapper for performing a PKCS#1 + /// signature. /// - /// \see ecp.h + /// \note The \p sig buffer must be as large as the size + /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param buf The hashed content that was signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param Q The public key to use for verification. This must be - /// initialized and setup. - /// \param r The first integer of the signature. - /// This must be initialized. - /// \param s The second integer of the signature. - /// This must be initialized. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_verify_restartable( - grp: *mut mbedtls_ecp_group, - buf: *const ::core::ffi::c_uchar, - blen: usize, - Q: *const mbedtls_ecp_point, - r: *const mbedtls_mpi, - s: *const mbedtls_mpi, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function computes the ECDSA signature and writes it - /// to a buffer, serialized as defined in RFC-4492: - /// Elliptic Curve Cryptography (ECC) Cipher Suites for - /// Transport Layer Security (TLS). - /// - /// \warning It is not thread-safe to use the same context in - /// multiple threads. - /// - /// \note The deterministic version is used if - /// #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more - /// information, see RFC-6979: Deterministic Usage - /// of the Digital Signature Algorithm (DSA) and Elliptic - /// Curve Digital Signature Algorithm (ECDSA). - /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. - /// - /// \see ecp.h + /// \note For PKCS#1 v2.1 encoding, see comments on + /// mbedtls_rsa_rsassa_pss_sign() for details on + /// \p md_alg and \p hash_id. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and private key bound to it, for example - /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). - /// \param md_alg The message digest that was used to hash the message. - /// \param hash The message hash to be signed. This must be a readable - /// buffer of length \p blen Bytes. - /// \param hlen The length of the hash \p hash in Bytes. - /// \param sig The buffer to which to write the signature. This must be a - /// writable buffer of length at least twice as large as the - /// size of the curve used, plus 9. For example, 73 Bytes if - /// a 256-bit curve is used. A buffer length of - /// #MBEDTLS_ECDSA_MAX_LEN is always safe. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param slen The address at which to store the actual length of - /// the signature written. Must not be \c NULL. - /// \param f_rng The RNG function. This must not be \c NULL if - /// #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, - /// it is used only for blinding and may be set to \c NULL, but - /// doing so is DEPRECATED. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. This is mandatory and + /// must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or - /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. - pub fn mbedtls_ecdsa_write_signature( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - slen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature and writes it - /// to a buffer, in a restartable way. - /// - /// \see \c mbedtls_ecdsa_write_signature() - /// - /// \note This function is like \c mbedtls_ecdsa_write_signature() - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \brief This function performs a PKCS#1 v1.5 signature + /// operation (RSASSA-PKCS1-v1_5-SIGN). /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and private key bound to it, for example - /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). - /// \param md_alg The message digest that was used to hash the message. - /// \param hash The message hash to be signed. This must be a readable - /// buffer of length \p blen Bytes. - /// \param hlen The length of the hash \p hash in Bytes. - /// \param sig The buffer to which to write the signature. This must be a - /// writable buffer of length at least twice as large as the - /// size of the curve used, plus 9. For example, 73 Bytes if - /// a 256-bit curve is used. A buffer length of - /// #MBEDTLS_ECDSA_MAX_LEN is always safe. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param slen The address at which to store the actual length of - /// the signature written. Must not be \c NULL. - /// \param f_rng The RNG function. This must not be \c NULL if - /// #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, - /// it is unused and may be set to \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng is \c NULL or doesn't use a context. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or - /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. - pub fn mbedtls_ecdsa_write_signature_restartable( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pkcs1_v15_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - slen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function reads and verifies an ECDSA signature. + /// \brief This function performs a PKCS#1 v2.1 PSS signature + /// operation (RSASSA-PSS-SIGN). /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. /// - /// \see ecp.h + /// \note This function enforces that the provided salt length complies + /// with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 + /// step 3. The constraint is that the hash length plus the salt + /// length plus 2 bytes must be at most the key length. If this + /// constraint is not met, this function returns + /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and public key bound to it. - /// \param hash The message hash that was signed. This must be a readable - /// buffer of length \p size Bytes. - /// \param hlen The size of the hash \p hash. - /// \param sig The signature to read and verify. This must be a readable - /// buffer of length \p slen Bytes. - /// \param slen The size of \p sig in Bytes. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param saltlen The length of the salt that should be used. + /// If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use + /// the largest possible salt length up to the hash length, + /// which is the largest permitted by some standards including + /// FIPS 186-4 §5.5. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. - /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid - /// signature in \p sig, but its length is less than \p siglen. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX - /// error code on failure for any other reason. - pub fn mbedtls_ecdsa_read_signature( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_sign_ext( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, - sig: *const ::core::ffi::c_uchar, - slen: usize, + saltlen: ::core::ffi::c_int, + sig: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function reads and verifies an ECDSA signature, - /// in a restartable way. + /// \brief This function performs a PKCS#1 v2.1 PSS signature + /// operation (RSASSA-PSS-SIGN). /// - /// \see \c mbedtls_ecdsa_read_signature() + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. /// - /// \note This function is like \c mbedtls_ecdsa_read_signature() - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \note This function always uses the maximum possible salt size, + /// up to the length of the payload hash. This choice of salt + /// size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 + /// v2.2) §9.1.1 step 3. Furthermore this function enforces a + /// minimum salt size which is the hash size minus 2 bytes. If + /// this minimum size is too large given the key size (the salt + /// size, plus the hash size, plus 2 bytes must be no more than + /// the key size in bytes), this function returns + /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and public key bound to it. - /// \param hash The message hash that was signed. This must be a readable - /// buffer of length \p size Bytes. - /// \param hlen The size of the hash \p hash. - /// \param sig The signature to read and verify. This must be a readable - /// buffer of length \p slen Bytes. - /// \param slen The size of \p sig in Bytes. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. - /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid - /// signature in \p sig, but its length is less than \p siglen. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX - /// error code on failure for any other reason. - pub fn mbedtls_ecdsa_read_signature_restartable( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a public RSA operation and checks + /// the message digest. + /// + /// This is the generic wrapper for performing a PKCS#1 + /// verification. + /// + /// \note For PKCS#1 v2.1 encoding, see comments on + /// mbedtls_rsa_rsassa_pss_verify() about \c md_alg and + /// \c hash_id. + /// + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *const ::core::ffi::c_uchar, - slen: usize, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function generates an ECDSA keypair on the given curve. + /// \brief This function performs a PKCS#1 v1.5 verification + /// operation (RSASSA-PKCS1-v1_5-VERIFY). /// - /// \see ecp.h + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \param ctx The ECDSA context to store the keypair in. - /// This must be initialized. - /// \param gid The elliptic curve to use. One of the various - /// \c MBEDTLS_ECP_DP_XXX macros depending on configuration. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context argument. + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pkcs1_v15_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a PKCS#1 v2.1 PSS verification + /// operation (RSASSA-PSS-VERIFY). /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. - pub fn mbedtls_ecdsa_genkey( - ctx: *mut mbedtls_ecdsa_context, - gid: mbedtls_ecp_group_id, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. If the \c hash_id set in \p ctx by + /// mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg + /// parameter is used. + /// + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *const ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets up an ECDSA context from an EC key pair. + /// \brief This function performs a PKCS#1 v2.1 PSS verification + /// operation (RSASSA-PSS-VERIFY). /// - /// \see ecp.h + /// \note The \p sig buffer must be as large as the size + /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \param ctx The ECDSA context to setup. This must be initialized. - /// \param key The EC key to use. This must be initialized and hold - /// a private-public key pair or a public key. In the former - /// case, the ECDSA context may be used for signature creation - /// and verification after this call. In the latter case, it - /// may be used for signature verification. + /// \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is + /// ignored. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. - pub fn mbedtls_ecdsa_from_keypair( - ctx: *mut mbedtls_ecdsa_context, - key: *const mbedtls_ecp_keypair, + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param mgf1_hash_id The message digest algorithm used for the + /// verification operation and the mask generation + /// function (MGF1). For more details on the encoding + /// operation and the mask generation function, consult + /// RFC-3447: Public-Key Cryptography Standards + /// (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. + /// \param expected_salt_len The length of the salt used in padding. Use + /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_verify_ext( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + mgf1_hash_id: mbedtls_md_type_t, + expected_salt_len: ::core::ffi::c_int, + sig: *const ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function initializes an ECDSA context. + /// \brief This function copies the components of an RSA context. /// - /// \param ctx The ECDSA context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_ecdsa_init(ctx: *mut mbedtls_ecdsa_context); + /// \param dst The destination context. This must be initialized. + /// \param src The source context. This must be initialized. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. + pub fn mbedtls_rsa_copy( + dst: *mut mbedtls_rsa_context, + src: *const mbedtls_rsa_context, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function frees an ECDSA context. + /// \brief This function frees the components of an RSA key. /// - /// \param ctx The ECDSA context to free. This may be \c NULL, - /// in which case this function does nothing. If it - /// is not \c NULL, it must be initialized. - pub fn mbedtls_ecdsa_free(ctx: *mut mbedtls_ecdsa_context); + /// \param ctx The RSA context to free. May be \c NULL, in which case + /// this function is a no-op. If it is not \c NULL, it must + /// point to an initialized RSA context. + pub fn mbedtls_rsa_free(ctx: *mut mbedtls_rsa_context); } -pub const mbedtls_pk_type_t_MBEDTLS_PK_NONE: mbedtls_pk_type_t = 0; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA: mbedtls_pk_type_t = 1; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY: mbedtls_pk_type_t = 2; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY_DH: mbedtls_pk_type_t = 3; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECDSA: mbedtls_pk_type_t = 4; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA_ALT: mbedtls_pk_type_t = 5; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSASSA_PSS: mbedtls_pk_type_t = 6; -pub const mbedtls_pk_type_t_MBEDTLS_PK_OPAQUE: mbedtls_pk_type_t = 7; -/// \brief Public key types -pub type mbedtls_pk_type_t = ::core::ffi::c_uint; -/// \brief Options for RSASSA-PSS signature verification. -/// See \c mbedtls_rsa_rsassa_pss_verify_ext() -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_rsassa_pss_options { - /// The digest to use for MGF1 in PSS. +unsafe extern "C" { + /// \brief The RSA checkup routine. /// - /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is - /// disabled, this must be equal to the \c md_alg argument passed - /// to mbedtls_pk_verify_ext(). In a future version of the library, - /// this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is - /// enabled regardless of the status of #MBEDTLS_RSA_C. - pub mgf1_hash_id: mbedtls_md_type_t, - /// The expected length of the salt, in bytes. This may be - /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. - /// - /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only - /// #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be - /// ignored (allowing any salt length). - pub expected_salt_len: ::core::ffi::c_int, -} -impl Default for mbedtls_pk_rsassa_pss_options { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_NONE: mbedtls_pk_debug_type = 0; -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_MPI: mbedtls_pk_debug_type = 1; -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_ECP: mbedtls_pk_debug_type = 2; -/// \brief Types for interfacing with the debug module -pub type mbedtls_pk_debug_type = ::core::ffi::c_uint; -/// \brief Item to send to the debug module -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_debug_item { - pub private_type: mbedtls_pk_debug_type, - pub private_name: *const ::core::ffi::c_char, - pub private_value: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_pk_debug_item { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_info_t { - _unused: [u8; 0], -} -/// \brief Public key container -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_context { - ///< Public key information - pub private_pk_info: *const mbedtls_pk_info_t, - ///< Underlying public key context - pub private_pk_ctx: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_pk_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_rsa_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -pub type mbedtls_pk_restart_ctx = ::core::ffi::c_void; -/// \brief Types for RSA-alt abstraction -pub type mbedtls_pk_rsa_alt_decrypt_func = ::core::option::Option< - unsafe extern "C" fn( - ctx: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, - ) -> ::core::ffi::c_int, ->; -pub type mbedtls_pk_rsa_alt_sign_func = ::core::option::Option< - unsafe extern "C" fn( - ctx: *mut ::core::ffi::c_void, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int, ->; -pub type mbedtls_pk_rsa_alt_key_len_func = - ::core::option::Option usize>; +/// \brief The ECDSA context structure. +/// +/// \warning Performing multiple operations concurrently on the same +/// ECDSA context is not supported; objects of this type +/// should not be shared between multiple threads. +/// +/// \note pk_wrap module assumes that "ecdsa_context" is identical +/// to "ecp_keypair" (see for example structure +/// "mbedtls_eckey_info" where ECDSA sign/verify functions +/// are used also for EC key) +pub type mbedtls_ecdsa_context = mbedtls_ecp_keypair; +pub type mbedtls_ecdsa_restart_ctx = ::core::ffi::c_void; unsafe extern "C" { - /// \brief Return information associated with the given PK type - /// - /// \param pk_type PK type to search for. + /// \brief This function checks whether a given group can be used + /// for ECDSA. /// - /// \return The PK info associated with the type or NULL if not found. - pub fn mbedtls_pk_info_from_type(pk_type: mbedtls_pk_type_t) -> *const mbedtls_pk_info_t; -} -unsafe extern "C" { - /// \brief Initialize a #mbedtls_pk_context (as NONE). + /// \param gid The ECP group ID to check. /// - /// \param ctx The context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_pk_init(ctx: *mut mbedtls_pk_context); + /// \return \c 1 if the group can be used, \c 0 otherwise + pub fn mbedtls_ecdsa_can_do(gid: mbedtls_ecp_group_id) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Free the components of a #mbedtls_pk_context. + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message. /// - /// \param ctx The context to clear. It must have been initialized. - /// If this is \c NULL, this function does nothing. + /// \note The deterministic version implemented in + /// mbedtls_ecdsa_sign_det_ext() is usually preferred. /// - /// \note For contexts that have been set up with - /// mbedtls_pk_setup_opaque(), this does not free the underlying - /// PSA key and you still need to call psa_destroy_key() - /// independently if you want to destroy that key. - pub fn mbedtls_pk_free(ctx: *mut mbedtls_pk_context); -} -unsafe extern "C" { - /// \brief Initialize a PK context with the information given - /// and allocates the type-specific PK subcontext. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated + /// as defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \param ctx Context to initialize. It must not have been set - /// up yet (type #MBEDTLS_PK_NONE). - /// \param info Information to use + /// \see ecp.h /// - /// \return 0 on success, - /// MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input, - /// MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized. + /// \param buf The content to be signed. This is usually the hash of + /// the original data to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param f_rng The RNG function, used both to generate the ECDSA nonce + /// and for blinding. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. /// - /// \note For contexts holding an RSA-alt key, use - /// \c mbedtls_pk_setup_rsa_alt() instead. - pub fn mbedtls_pk_setup( - ctx: *mut mbedtls_pk_context, - info: *const mbedtls_pk_info_t, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX + /// or \c MBEDTLS_MPI_XXX error code on failure. + pub fn mbedtls_ecdsa_sign( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Initialize an RSA-alt context + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, deterministic version. /// - /// \param ctx Context to initialize. It must not have been set - /// up yet (type #MBEDTLS_PK_NONE). - /// \param key RSA key pointer - /// \param decrypt_func Decryption function - /// \param sign_func Signing function - /// \param key_len_func Function returning key length in bytes + /// For more information, see RFC-6979: Deterministic + /// Usage of the Digital Signature Algorithm (DSA) and Elliptic + /// Curve Digital Signature Algorithm (ECDSA). /// - /// \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the - /// context wasn't already initialized as RSA_ALT. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \note This function replaces \c mbedtls_pk_setup() for RSA-alt. - pub fn mbedtls_pk_setup_rsa_alt( - ctx: *mut mbedtls_pk_context, - key: *mut ::core::ffi::c_void, - decrypt_func: mbedtls_pk_rsa_alt_decrypt_func, - sign_func: mbedtls_pk_rsa_alt_sign_func, - key_len_func: mbedtls_pk_rsa_alt_key_len_func, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Get the size in bits of the underlying key + /// \see ecp.h /// - /// \param ctx The context to query. It must have been initialized. + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param md_alg The hash algorithm used to hash the original data. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This + /// may be \c NULL if \p f_rng_blind doesn't need a context + /// parameter. /// - /// \return Key size in bits, or 0 on error - pub fn mbedtls_pk_get_bitlen(ctx: *const mbedtls_pk_context) -> usize; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_det_ext( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + md_alg: mbedtls_md_type_t, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Tell if a context can do the operation given by type + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, in a restartable way. /// - /// \param ctx The context to query. It must have been initialized. - /// \param type The desired type. + /// \note The deterministic version implemented in + /// mbedtls_ecdsa_sign_det_restartable() is usually + /// preferred. /// - /// \return 1 if the context can do operations on the given type. - /// \return 0 if the context cannot do the operations on the given - /// type. This is always the case for a context that has - /// been initialized but not set up, or that has been - /// cleared with mbedtls_pk_free(). - pub fn mbedtls_pk_can_do( - ctx: *const mbedtls_pk_context, - type_: mbedtls_pk_type_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Verify signature (including padding if relevant). + /// \note This function is like \c mbedtls_ecdsa_sign() but + /// it can return early and restart according to the + /// limit set with \c mbedtls_ecp_set_max_ops() to + /// reduce blocking. /// - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used. - /// This can be #MBEDTLS_MD_NONE if the signature algorithm - /// does not rely on a hash algorithm (non-deterministic - /// ECDSA, RSA PKCS#1 v1.5). - /// For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then - /// \p hash is the DigestInfo structure used by RFC 8017 - /// §9.2 steps 3–6. If \p md_alg is a valid hash - /// algorithm then \p hash is the digest itself, and this - /// function calculates the DigestInfo encoding internally. - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Signature to verify - /// \param sig_len Signature length + /// \note If the bitlength of the message hash is larger + /// than the bitlength of the group order, then the + /// hash is truncated as defined in Standards for + /// Efficient Cryptography Group (SECG): SEC1 Elliptic + /// Curve Cryptography, section 4.1.3, step 5. /// - /// \return 0 on success (signature is valid), - /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid - /// signature in sig but its length is less than \p siglen, - /// or a specific error code. + /// \see ecp.h /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. - /// Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... ) - /// to verify RSASSA_PSS signatures. - pub fn mbedtls_pk_verify( - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through + /// mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param f_rng The RNG function used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param rs_ctx The restart context to use. This may be \c NULL + /// to disable restarting. If it is not \c NULL, it + /// must point to an initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c + /// mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c + /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_restartable( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Restartable version of \c mbedtls_pk_verify() + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, in a restartable way. /// - /// \note Performs the same job as \c mbedtls_pk_verify(), but can - /// return early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC - /// operations. For RSA, same as \c mbedtls_pk_verify(). + /// \note This function is like \c + /// mbedtls_ecdsa_sign_det_ext() but it can return + /// early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length or 0 (see notes) - /// \param sig Signature to verify - /// \param sig_len Signature length - /// \param rs_ctx Restart context (NULL to disable restart) + /// \note If the bitlength of the message hash is larger + /// than the bitlength of the group order, then the + /// hash is truncated as defined in Standards for + /// Efficient Cryptography Group (SECG): SEC1 Elliptic + /// Curve Cryptography, section 4.1.3, step 5. /// - /// \return See \c mbedtls_pk_verify(), or - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - pub fn mbedtls_pk_verify_restartable( - ctx: *mut mbedtls_pk_context, + /// \see ecp.h + /// + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through + /// mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param md_alg The hash algorithm used to hash the original data. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This may be + /// \c NULL if \p f_rng_blind doesn't need a context parameter. + /// \param rs_ctx The restart context to use. This may be \c NULL + /// to disable restarting. If it is not \c NULL, it + /// must point to an initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c + /// mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c + /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_det_restartable( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, - rs_ctx: *mut mbedtls_pk_restart_ctx, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify signature, with options. - /// (Includes verification of the padding depending on type.) - /// - /// \param type Signature type (inc. possible padding type) to verify - /// \param options Pointer to type-specific options, or NULL - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length or 0 (see notes) - /// \param sig Signature to verify - /// \param sig_len Signature length + /// \brief This function verifies the ECDSA signature of a + /// previously-hashed message. /// - /// \return 0 on success (signature is valid), - /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be - /// used for this type of signatures, - /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid - /// signature in sig but its length is less than \p siglen, - /// or a specific error code. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note If hash_len is 0, then the length associated with md_alg - /// is used instead, or an error returned if it is invalid. + /// \see ecp.h /// - /// \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0 + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param buf The hashed content that was signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param Q The public key to use for verification. This must be + /// initialized and setup. + /// \param r The first integer of the signature. + /// This must be initialized. + /// \param s The second integer of the signature. + /// This must be initialized. /// - /// \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point - /// to a mbedtls_pk_rsassa_pss_options structure, - /// otherwise it must be NULL. Note that if - /// #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not - /// verified as PSA_ALG_RSA_PSS_ANY_SALT is used. - pub fn mbedtls_pk_verify_ext( - type_: mbedtls_pk_type_t, - options: *const ::core::ffi::c_void, - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_verify( + grp: *mut mbedtls_ecp_group, + buf: *const ::core::ffi::c_uchar, + blen: usize, + Q: *const mbedtls_ecp_point, + r: *const mbedtls_mpi, + s: *const mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Make signature, including padding if relevant. - /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \brief This function verifies the ECDSA signature of a + /// previously-hashed message, in a restartable manner /// - /// \return 0 on success, or a specific error code. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. - /// There is no interface in the PK module to make RSASSA-PSS - /// signatures yet. + /// \see ecp.h /// - /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. - /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. - pub fn mbedtls_pk_sign( - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param buf The hashed content that was signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param Q The public key to use for verification. This must be + /// initialized and setup. + /// \param r The first integer of the signature. + /// This must be initialized. + /// \param s The second integer of the signature. + /// This must be initialized. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_verify_restartable( + grp: *mut mbedtls_ecp_group, + buf: *const ::core::ffi::c_uchar, + blen: usize, + Q: *const mbedtls_ecp_point, + r: *const mbedtls_mpi, + s: *const mbedtls_mpi, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Make signature given a signature type. + /// \brief This function computes the ECDSA signature and writes it + /// to a buffer, serialized as defined in RFC-4492: + /// Elliptic Curve Cryptography (ECC) Cipher Suites for + /// Transport Layer Security (TLS). /// - /// \param pk_type Signature type. - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \warning It is not thread-safe to use the same context in + /// multiple threads. /// - /// \return 0 on success, or a specific error code. + /// \note The deterministic version is used if + /// #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more + /// information, see RFC-6979: Deterministic Usage + /// of the Digital Signature Algorithm (DSA) and Elliptic + /// Curve Digital Signature Algorithm (ECDSA). /// - /// \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS, - /// see #PSA_ALG_RSA_PSS for a description of PSS options used. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. - /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. - pub fn mbedtls_pk_sign_ext( - pk_type: mbedtls_pk_type_t, - ctx: *mut mbedtls_pk_context, + /// \see ecp.h + /// + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and private key bound to it, for example + /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). + /// \param md_alg The message digest that was used to hash the message. + /// \param hash The message hash to be signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The length of the hash \p hash in Bytes. + /// \param sig The buffer to which to write the signature. This must be a + /// writable buffer of length at least twice as large as the + /// size of the curve used, plus 9. For example, 73 Bytes if + /// a 256-bit curve is used. A buffer length of + /// #MBEDTLS_ECDSA_MAX_LEN is always safe. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param slen The address at which to store the actual length of + /// the signature written. Must not be \c NULL. + /// \param f_rng The RNG function. This is used for blinding. + /// If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also + /// used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_ecdsa_write_signature( + ctx: *mut mbedtls_ecdsa_context, md_alg: mbedtls_md_type_t, hash: *const ::core::ffi::c_uchar, - hash_len: usize, + hlen: usize, sig: *mut ::core::ffi::c_uchar, sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + slen: *mut usize, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Restartable version of \c mbedtls_pk_sign() + /// \brief This function computes the ECDSA signature and writes it + /// to a buffer, in a restartable way. /// - /// \note Performs the same job as \c mbedtls_pk_sign(), but can - /// return early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC - /// operations. For RSA, same as \c mbedtls_pk_sign(). + /// \see \c mbedtls_ecdsa_write_signature() /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign()) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. + /// \note This function is like \c mbedtls_ecdsa_write_signature() + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and private key bound to it, for example + /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). + /// \param md_alg The message digest that was used to hash the message. + /// \param hash The message hash to be signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The length of the hash \p hash in Bytes. + /// \param sig The buffer to which to write the signature. This must be a + /// writable buffer of length at least twice as large as the + /// size of the curve used, plus 9. For example, 73 Bytes if + /// a 256-bit curve is used. A buffer length of + /// #MBEDTLS_ECDSA_MAX_LEN is always safe. /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter - /// \param rs_ctx Restart context (NULL to disable restart) + /// \param slen The address at which to store the actual length of + /// the signature written. Must not be \c NULL. + /// \param f_rng The RNG function. This is used for blinding. + /// If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also + /// used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. /// - /// \return See \c mbedtls_pk_sign(). + /// \return \c 0 on success. /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - pub fn mbedtls_pk_sign_restartable( - ctx: *mut mbedtls_pk_context, + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_ecdsa_write_signature_restartable( + ctx: *mut mbedtls_ecdsa_context, md_alg: mbedtls_md_type_t, hash: *const ::core::ffi::c_uchar, - hash_len: usize, + hlen: usize, sig: *mut ::core::ffi::c_uchar, sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + slen: *mut usize, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_pk_restart_ctx, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Decrypt message (including padding if relevant). + /// \brief This function reads and verifies an ECDSA signature. /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param input Input to decrypt - /// \param ilen Input size - /// \param output Decrypted output - /// \param olen Decrypted message length - /// \param osize Size of the output buffer - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. + /// \see ecp.h /// - /// \return 0 on success, or a specific error code. - pub fn mbedtls_pk_decrypt( - ctx: *mut mbedtls_pk_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - olen: *mut usize, - osize: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and public key bound to it. + /// \param hash The message hash that was signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The size of the hash \p hash. + /// \param sig The signature to read and verify. This must be a readable + /// buffer of length \p slen Bytes. + /// \param slen The size of \p sig in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. + /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig, but its length is less than \p siglen. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX + /// error code on failure for any other reason. + pub fn mbedtls_ecdsa_read_signature( + ctx: *mut mbedtls_ecdsa_context, + hash: *const ::core::ffi::c_uchar, + hlen: usize, + sig: *const ::core::ffi::c_uchar, + slen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Encrypt message (including padding if relevant). - /// - /// \param ctx The PK context to use. It must have been set up. - /// \param input Message to encrypt - /// \param ilen Message size - /// \param output Encrypted output - /// \param olen Encrypted output length - /// \param osize Size of the output buffer - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \brief This function reads and verifies an ECDSA signature, + /// in a restartable way. /// - /// \note \p f_rng is used for padding generation. + /// \see \c mbedtls_ecdsa_read_signature() /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. + /// \note This function is like \c mbedtls_ecdsa_read_signature() + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \return 0 on success, or a specific error code. - pub fn mbedtls_pk_encrypt( - ctx: *mut mbedtls_pk_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - olen: *mut usize, - osize: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Check if a public-private pair of keys matches. - /// - /// \param pub Context holding a public key. - /// \param prv Context holding a private (and public) key. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter - /// - /// \return \c 0 on success (keys were checked and match each other). - /// \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not - /// be checked - in that case they may or may not match. - /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid. - /// \return Another non-zero value if the keys do not match. - pub fn mbedtls_pk_check_pair( - pub_: *const mbedtls_pk_context, - prv: *const mbedtls_pk_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Export debug information - /// - /// \param ctx The PK context to use. It must have been initialized. - /// \param items Place to write debug items + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and public key bound to it. + /// \param hash The message hash that was signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The size of the hash \p hash. + /// \param sig The signature to read and verify. This must be a readable + /// buffer of length \p slen Bytes. + /// \param slen The size of \p sig in Bytes. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. /// - /// \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA - pub fn mbedtls_pk_debug( - ctx: *const mbedtls_pk_context, - items: *mut mbedtls_pk_debug_item, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. + /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig, but its length is less than \p siglen. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX + /// error code on failure for any other reason. + pub fn mbedtls_ecdsa_read_signature_restartable( + ctx: *mut mbedtls_ecdsa_context, + hash: *const ::core::ffi::c_uchar, + hlen: usize, + sig: *const ::core::ffi::c_uchar, + slen: usize, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Access the type name - /// - /// \param ctx The PK context to use. It must have been initialized. - /// - /// \return Type name on success, or "invalid PK" - pub fn mbedtls_pk_get_name(ctx: *const mbedtls_pk_context) -> *const ::core::ffi::c_char; -} -unsafe extern "C" { - /// \brief Get the key type - /// - /// \param ctx The PK context to use. It must have been initialized. - /// - /// \return Type on success. - /// \return #MBEDTLS_PK_NONE for a context that has not been set up. - pub fn mbedtls_pk_get_type(ctx: *const mbedtls_pk_context) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - /// \ingroup pk_module */ - ////** - /// \brief Parse a private key in PEM or DER format - /// - /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto - /// subsystem must have been initialized by calling - /// psa_crypto_init() before calling this function. - /// - /// \param ctx The PK context to fill. It must have been initialized - /// but not set up. - /// \param key Input buffer to parse. - /// The buffer must contain the input exactly, with no - /// extra trailing material. For PEM, the buffer must - /// contain a null-terminated string. - /// \param keylen Size of \b key in bytes. - /// For PEM data, this includes the terminating null byte, - /// so \p keylen must be equal to `strlen(key) + 1`. - /// \param pwd Optional password for decryption. - /// Pass \c NULL if expecting a non-encrypted key. - /// Pass a string of \p pwdlen bytes if expecting an encrypted - /// key; a non-encrypted key will also be accepted. - /// The empty password is not supported. - /// \param pwdlen Size of the password in bytes. - /// Ignored if \p pwd is \c NULL. - /// \param f_rng RNG function, must not be \c NULL. Used for blinding. - /// \param p_rng RNG parameter + /// \brief This function generates an ECDSA keypair on the given curve. /// - /// \note On entry, ctx must be empty, either freshly initialised - /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a - /// specific key type, check the result with mbedtls_pk_can_do(). + /// \see ecp.h /// - /// \note The key is also checked for correctness. + /// \param ctx The ECDSA context to store the keypair in. + /// This must be initialized. + /// \param gid The elliptic curve to use. One of the various + /// \c MBEDTLS_ECP_DP_XXX macros depending on configuration. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context argument. /// - /// \return 0 if successful, or a specific PK or PEM error code - pub fn mbedtls_pk_parse_key( - ctx: *mut mbedtls_pk_context, - key: *const ::core::ffi::c_uchar, - keylen: usize, - pwd: *const ::core::ffi::c_uchar, - pwdlen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. + pub fn mbedtls_ecdsa_genkey( + ctx: *mut mbedtls_ecdsa_context, + gid: mbedtls_ecp_group_id, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \ingroup pk_module */ - ////** - /// \brief Parse a public key in PEM or DER format - /// - /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto - /// subsystem must have been initialized by calling - /// psa_crypto_init() before calling this function. - /// - /// \param ctx The PK context to fill. It must have been initialized - /// but not set up. - /// \param key Input buffer to parse. - /// The buffer must contain the input exactly, with no - /// extra trailing material. For PEM, the buffer must - /// contain a null-terminated string. - /// \param keylen Size of \b key in bytes. - /// For PEM data, this includes the terminating null byte, - /// so \p keylen must be equal to `strlen(key) + 1`. - /// - /// \note On entry, ctx must be empty, either freshly initialised - /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a - /// specific key type, check the result with mbedtls_pk_can_do(). + /// \brief This function sets up an ECDSA context from an EC key pair. /// - /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for - /// limitations. + /// \see ecp.h /// - /// \note The key is also checked for correctness. + /// \param ctx The ECDSA context to setup. This must be initialized. + /// \param key The EC key to use. This must be initialized and hold + /// a private-public key pair or a public key. In the former + /// case, the ECDSA context may be used for signature creation + /// and verification after this call. In the latter case, it + /// may be used for signature verification. /// - /// \return 0 if successful, or a specific PK or PEM error code - pub fn mbedtls_pk_parse_public_key( - ctx: *mut mbedtls_pk_context, - key: *const ::core::ffi::c_uchar, - keylen: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. + pub fn mbedtls_ecdsa_from_keypair( + ctx: *mut mbedtls_ecdsa_context, + key: *const mbedtls_ecp_keypair, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Write a private key to a PKCS#1 or SEC1 DER structure - /// Note: data is written at the end of the buffer! Use the - /// return value to determine where you should start - /// using the buffer - /// - /// \param ctx PK context which must contain a valid private key. - /// \param buf buffer to write to - /// \param size size of the buffer + /// \brief This function initializes an ECDSA context. /// - /// \return length of data written if successful, or a specific - /// error code - pub fn mbedtls_pk_write_key_der( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The ECDSA context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_ecdsa_init(ctx: *mut mbedtls_ecdsa_context); } unsafe extern "C" { - /// \brief Write a public key to a SubjectPublicKeyInfo DER structure - /// Note: data is written at the end of the buffer! Use the - /// return value to determine where you should start - /// using the buffer - /// - /// \param ctx PK context which must contain a valid public or private key. - /// \param buf buffer to write to - /// \param size size of the buffer + /// \brief This function frees an ECDSA context. /// - /// \return length of data written if successful, or a specific - /// error code - pub fn mbedtls_pk_write_pubkey_der( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The ECDSA context to free. This may be \c NULL, + /// in which case this function does nothing. If it + /// is not \c NULL, it must be initialized. + pub fn mbedtls_ecdsa_free(ctx: *mut mbedtls_ecdsa_context); } -unsafe extern "C" { - /// \brief Write a public key to a PEM string - /// - /// \param ctx PK context which must contain a valid public or private key. - /// \param buf Buffer to write to. The output includes a - /// terminating null byte. - /// \param size Size of the buffer in bytes. - /// - /// \return 0 if successful, or a specific error code - pub fn mbedtls_pk_write_pubkey_pem( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write a private key to a PKCS#1 or SEC1 PEM string - /// - /// \param ctx PK context which must contain a valid private key. - /// \param buf Buffer to write to. The output includes a - /// terminating null byte. - /// \param size Size of the buffer in bytes. - /// - /// \return 0 if successful, or a specific error code - pub fn mbedtls_pk_write_key_pem( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Parse a SubjectPublicKeyInfo DER structure - /// - /// \param p the position in the ASN.1 data - /// \param end end of the buffer - /// \param pk The PK context to fill. It must have been initialized - /// but not set up. - /// - /// \return 0 if successful, or a specific PK error code - pub fn mbedtls_pk_parse_subpubkey( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - pk: *mut mbedtls_pk_context, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write a subjectPublicKey to ASN.1 data - /// Note: function works backwards in data buffer - /// - /// \param p reference to current position pointer - /// \param start start of the buffer (for bounds-checking) - /// \param key PK context which must contain a valid public or private key. - /// - /// \return the length written or a negative error code - pub fn mbedtls_pk_write_pubkey( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - key: *const mbedtls_pk_context, - ) -> ::core::ffi::c_int; -} -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_NONE: mbedtls_key_exchange_type_t = 0; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA: mbedtls_key_exchange_type_t = 1; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_RSA: mbedtls_key_exchange_type_t = 2; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: mbedtls_key_exchange_type_t = - 3; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - mbedtls_key_exchange_type_t = 4; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_PSK: mbedtls_key_exchange_type_t = 5; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_PSK: mbedtls_key_exchange_type_t = 6; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA_PSK: mbedtls_key_exchange_type_t = 7; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: mbedtls_key_exchange_type_t = - 8; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_RSA: mbedtls_key_exchange_type_t = - 9; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: mbedtls_key_exchange_type_t = - 10; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECJPAKE: mbedtls_key_exchange_type_t = - 11; -pub type mbedtls_key_exchange_type_t = ::core::ffi::c_uint; -/// \brief This structure is used for storing ciphersuite information -/// -/// \note members are defined using integral types instead of enums -/// in order to pack structure and reduce memory usage by internal -/// \c ciphersuite_definitions[] -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ssl_ciphersuite_t { - pub private_id: ::core::ffi::c_int, - pub private_name: *const ::core::ffi::c_char, - pub private_cipher: u8, - pub private_mac: u8, - pub private_key_exchange: u8, - pub private_flags: u8, - pub private_min_tls_version: u16, - pub private_max_tls_version: u16, -} -impl Default for mbedtls_ssl_ciphersuite_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - pub fn mbedtls_ssl_list_ciphersuites() -> *const ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_from_string( - ciphersuite_name: *const ::core::ffi::c_char, - ) -> *const mbedtls_ssl_ciphersuite_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_from_id( - ciphersuite_id: ::core::ffi::c_int, - ) -> *const mbedtls_ssl_ciphersuite_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_get_ciphersuite_sig_pk_alg( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_get_ciphersuite_sig_alg( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_uses_ec( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_uses_psk( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> usize; -} -/// The type of the context passed to mbedtls_psa_external_get_random(). -/// -/// Mbed TLS initializes the context to all-bits-zero before calling -/// mbedtls_psa_external_get_random() for the first time. -/// -/// The definition of this type in the Mbed TLS source code is for -/// demonstration purposes. Implementers of mbedtls_psa_external_get_random() -/// are expected to replace it with a custom definition. -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_external_random_context_t { - pub private_opaque: [usize; 2usize], +/// The type of the context passed to mbedtls_psa_external_get_random(). +/// +/// Mbed TLS initializes the context to all-bits-zero before calling +/// mbedtls_psa_external_get_random() for the first time. +/// +/// The definition of this type in the Mbed TLS source code is for +/// demonstration purposes. Implementers of mbedtls_psa_external_get_random() +/// are expected to replace it with a custom definition. +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_external_random_context_t { + pub private_opaque: [usize; 2usize], } pub type psa_status_t = i32; /// \brief Encoding of a key type. @@ -10577,6478 +10445,7672 @@ pub type psa_key_attributes_t = psa_key_attributes_s; /// Values of this type are generally constructed by macros called /// `PSA_KEY_DERIVATION_INPUT_xxx`. pub type psa_key_derivation_step_t = u16; +/// \brief Custom parameters for key generation or key derivation. +/// +/// This is a structure type with at least the following field: +/// +/// - \c flags: an unsigned integer type. 0 for the default production parameters. +/// +/// Functions that take such a structure as input also take an associated +/// input buffer \c custom_data of length \c custom_data_length. +/// +/// The interpretation of this structure and the associated \c custom_data +/// parameter depend on the type of the created key. +/// +/// - #PSA_KEY_TYPE_RSA_KEY_PAIR: +/// - \c flags: must be 0. +/// - \c custom_data: the public exponent, in little-endian order. +/// This must be an odd integer and must not be 1. +/// Implementations must support 65537, should support 3 and may +/// support other values. +/// When not using a driver, Mbed TLS supports values up to \c INT_MAX. +/// If this is empty, the default value 65537 is used. +/// - Other key types: reserved for future use. \c flags must be 0. +pub type psa_custom_key_parameters_t = psa_custom_key_parameters_s; +/// \brief Custom parameters for key generation or key derivation. +/// +/// This is a structure type with at least the following fields: +/// +/// - \c flags: an unsigned integer type. 0 for the default production parameters. +/// - \c data: a flexible array of bytes. +/// +/// The interpretation of this structure depend on the type of the +/// created key. +/// +/// - #PSA_KEY_TYPE_RSA_KEY_PAIR: +/// - \c flags: must be 0. +/// - \c data: the public exponent, in little-endian order. +/// This must be an odd integer and must not be 1. +/// Implementations must support 65537, should support 3 and may +/// support other values. +/// When not using a driver, Mbed TLS supports values up to \c INT_MAX. +/// If this is empty or if the custom production parameters are omitted +/// altogether, the default value 65537 is used. +/// - Other key types: reserved for future use. \c flags must be 0. +pub type psa_key_production_parameters_t = psa_key_production_parameters_s; +pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_DECRYPT: psa_encrypt_or_decrypt_t = 0; +pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_ENCRYPT: psa_encrypt_or_decrypt_t = 1; +/// For encrypt-decrypt functions, whether the operation is an encryption +/// or a decryption. +pub type psa_encrypt_or_decrypt_t = ::core::ffi::c_uint; +/// \brief MD5 context structure +/// +/// \warning MD5 is considered a weak message digest and its use +/// constitutes a security risk. We recommend considering +/// stronger message digests instead. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_md5_context { + ///< number of bytes processed + pub private_total: [u32; 2usize], + ///< intermediate digest state + pub private_state: [u32; 4usize], + ///< data block being processed + pub private_buffer: [::core::ffi::c_uchar; 64usize], +} +impl Default for mbedtls_md5_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} unsafe extern "C" { - /// \brief Library initialization. - /// - /// Applications must call this function before calling any other - /// function in this module. - /// - /// Applications may call this function more than once. Once a call - /// succeeds, subsequent calls are guaranteed to succeed. + /// \brief Initialize MD5 context /// - /// If the application calls other functions before calling psa_crypto_init(), - /// the behavior is undefined. Implementations are encouraged to either perform - /// the operation as if the library had been initialized or to return - /// #PSA_ERROR_BAD_STATE or some other applicable error. In particular, - /// implementations should not return a success status if the lack of - /// initialization may have security implications, for example due to improper - /// seeding of the random number generator. + /// \param ctx MD5 context to be initialized /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - pub fn psa_crypto_init() -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_init(ctx: *mut mbedtls_md5_context); } unsafe extern "C" { - /// Retrieve the attributes of a key. - /// - /// This function first resets the attribute structure as with - /// psa_reset_key_attributes(). It then copies the attributes of - /// the given key into the given attribute structure. - /// - /// \note This function may allocate memory or other resources. - /// Once you have called this function on an attribute structure, - /// you must call psa_reset_key_attributes() to free these resources. + /// \brief Clear MD5 context /// - /// \param[in] key Identifier of the key to query. - /// \param[in,out] attributes On success, the attributes of the key. - /// On failure, equivalent to a - /// freshly-initialized structure. + /// \param ctx MD5 context to be cleared /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_get_key_attributes( - key: mbedtls_svc_key_id_t, - attributes: *mut psa_key_attributes_t, - ) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_free(ctx: *mut mbedtls_md5_context); } unsafe extern "C" { - /// Reset a key attribute structure to a freshly initialized state. - /// - /// You must initialize the attribute structure as described in the - /// documentation of the type #psa_key_attributes_t before calling this - /// function. Once the structure has been initialized, you may call this - /// function at any time. + /// \brief Clone (the state of) an MD5 context /// - /// This function frees any auxiliary resources that the structure - /// may contain. + /// \param dst The destination context + /// \param src The context to be cloned /// - /// \param[in,out] attributes The attribute structure to reset. - pub fn psa_reset_key_attributes(attributes: *mut psa_key_attributes_t); + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_clone(dst: *mut mbedtls_md5_context, src: *const mbedtls_md5_context); } unsafe extern "C" { - /// Remove non-essential copies of key material from memory. + /// \brief MD5 context setup /// - /// If the key identifier designates a volatile key, this functions does not do - /// anything and returns successfully. - /// - /// If the key identifier designates a persistent key, then this function will - /// free all resources associated with the key in volatile memory. The key - /// data in persistent storage is not affected and the key can still be used. + /// \param ctx context to be initialized /// - /// \param key Identifier of the key to purge. + /// \return 0 if successful /// - /// \retval #PSA_SUCCESS - /// The key material will have been removed from memory if it is not - /// currently required. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not a valid key identifier. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_purge_key(key: mbedtls_svc_key_id_t) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_starts(ctx: *mut mbedtls_md5_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Make a copy of a key. + /// \brief MD5 process buffer /// - /// Copy key material from one location to another. + /// \param ctx MD5 context + /// \param input buffer holding the data + /// \param ilen length of the input data /// - /// This function is primarily useful to copy a key from one location - /// to another, since it populates a key using the material from - /// another key which may have a different lifetime. + /// \return 0 if successful /// - /// This function may be used to share a key with a different party, - /// subject to implementation-defined restrictions on key sharing. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_update( + ctx: *mut mbedtls_md5_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief MD5 final digest /// - /// The policy on the source key must have the usage flag - /// #PSA_KEY_USAGE_COPY set. - /// This flag is sufficient to permit the copy if the key has the lifetime - /// #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT. - /// Some secure elements do not provide a way to copy a key without - /// making it extractable from the secure element. If a key is located - /// in such a secure element, then the key must have both usage flags - /// #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make - /// a copy of the key outside the secure element. + /// \param ctx MD5 context + /// \param output MD5 checksum result /// - /// The resulting key may only be used in a way that conforms to - /// both the policy of the original key and the policy specified in - /// the \p attributes parameter: - /// - The usage flags on the resulting key are the bitwise-and of the - /// usage flags on the source policy and the usage flags in \p attributes. - /// - If both allow the same algorithm or wildcard-based - /// algorithm policy, the resulting key has the same algorithm policy. - /// - If either of the policies allows an algorithm and the other policy - /// allows a wildcard-based algorithm policy that includes this algorithm, - /// the resulting key allows the same algorithm. - /// - If the policies do not allow any algorithm in common, this function - /// fails with the status #PSA_ERROR_INVALID_ARGUMENT. + /// \return 0 if successful /// - /// The effect of this function on implementation-defined attributes is - /// implementation-defined. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_finish( + ctx: *mut mbedtls_md5_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief MD5 process data block (internal use only) /// - /// \param source_key The key to copy. It must allow the usage - /// #PSA_KEY_USAGE_COPY. If a private or secret key is - /// being copied outside of a secure element it must - /// also allow #PSA_KEY_USAGE_EXPORT. - /// \param[in] attributes The attributes for the new key. - /// They are used as follows: - /// - The key type and size may be 0. If either is - /// nonzero, it must match the corresponding - /// attribute of the source key. - /// - The key location (the lifetime and, for - /// persistent keys, the key identifier) is - /// used directly. - /// - The policy constraints (usage flags and - /// algorithm policy) are combined from - /// the source key and \p attributes so that - /// both sets of restrictions apply, as - /// described in the documentation of this function. - /// \param[out] target_key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param ctx MD5 context + /// \param data buffer holding one block of data /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p source_key is invalid. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The lifetime or identifier in \p attributes are invalid, or - /// the policy constraints on the source and specified in - /// \p attributes are incompatible, or - /// \p attributes specifies a key type or key size - /// which does not match the attributes of the source key. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or - /// the source key is not exportable and its lifetime does not - /// allow copying it to the target's lifetime. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_copy_key( - source_key: mbedtls_svc_key_id_t, - attributes: *const psa_key_attributes_t, - target_key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return 0 if successful + /// + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_internal_md5_process( + ctx: *mut mbedtls_md5_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Destroy a key. + /// \brief Output = MD5( input buffer ) /// - /// This function destroys a key from both volatile - /// memory and, if applicable, non-volatile storage. Implementations shall - /// make a best effort to ensure that the key material cannot be recovered. + /// \param input buffer holding the data + /// \param ilen length of the input data + /// \param output MD5 checksum result /// - /// This function also erases any metadata such as policies and frees - /// resources associated with the key. + /// \return 0 if successful /// - /// If a key is currently in use in a multipart operation, then destroying the - /// key will cause the multipart operation to fail. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// \param key Identifier of the key to erase. If this is \c 0, do nothing and - /// return #PSA_SUCCESS. + /// \return 0 if successful, or 1 if the test failed /// - /// \retval #PSA_SUCCESS - /// \p key was a valid identifier and the key material that it - /// referred to has been erased. Alternatively, \p key is \c 0. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key cannot be erased because it is - /// read-only, either due to a policy or due to physical restrictions. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p key is not a valid identifier nor \c 0. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE - /// There was a failure in communication with the cryptoprocessor. - /// The key material may still be present in the cryptoprocessor. - /// \retval #PSA_ERROR_DATA_INVALID - /// This error is typically a result of either storage corruption on a - /// cleartext storage backend, or an attempt to read data that was - /// written by an incompatible version of the library. - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The storage is corrupted. Implementations shall make a best effort - /// to erase key material even in this stage, however applications - /// should be aware that it may be impossible to guarantee that the - /// key material is not recoverable in such cases. - /// \retval #PSA_ERROR_CORRUPTION_DETECTED - /// An unexpected condition which is not a storage corruption or - /// a communication failure occurred. The cryptoprocessor may have - /// been compromised. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_destroy_key(key: mbedtls_svc_key_id_t) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief RIPEMD-160 context structure +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ripemd160_context { + ///< number of bytes processed + pub private_total: [u32; 2usize], + ///< intermediate digest state + pub private_state: [u32; 5usize], + ///< data block being processed + pub private_buffer: [::core::ffi::c_uchar; 64usize], +} +impl Default for mbedtls_ripemd160_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief Import a key in binary format. + /// \brief Initialize RIPEMD-160 context /// - /// This function supports any output from psa_export_key(). Refer to the - /// documentation of psa_export_public_key() for the format of public keys - /// and to the documentation of psa_export_key() for the format for - /// other key types. + /// \param ctx RIPEMD-160 context to be initialized + pub fn mbedtls_ripemd160_init(ctx: *mut mbedtls_ripemd160_context); +} +unsafe extern "C" { + /// \brief Clear RIPEMD-160 context /// - /// The key data determines the key size. The attributes may optionally - /// specify a key size; in this case it must match the size determined - /// from the key data. A key size of 0 in \p attributes indicates that - /// the key size is solely determined by the key data. + /// \param ctx RIPEMD-160 context to be cleared + pub fn mbedtls_ripemd160_free(ctx: *mut mbedtls_ripemd160_context); +} +unsafe extern "C" { + /// \brief Clone (the state of) a RIPEMD-160 context /// - /// Implementations must reject an attempt to import a key of size 0. + /// \param dst The destination context + /// \param src The context to be cloned + pub fn mbedtls_ripemd160_clone( + dst: *mut mbedtls_ripemd160_context, + src: *const mbedtls_ripemd160_context, + ); +} +unsafe extern "C" { + /// \brief RIPEMD-160 context setup /// - /// This specification supports a single format for each key type. - /// Implementations may support other formats as long as the standard - /// format is supported. Implementations that support other formats - /// should ensure that the formats are clearly unambiguous so as to - /// minimize the risk that an invalid input is accidentally interpreted - /// according to a different format. - /// - /// \param[in] attributes The attributes for the new key. - /// The key size is always determined from the - /// \p data buffer. - /// If the key size in \p attributes is nonzero, - /// it must be equal to the size from \p data. - /// \param[out] key On success, an identifier to the newly created key. - /// For persistent keys, this is the key identifier - /// defined in \p attributes. - /// \c 0 on failure. - /// \param[in] data Buffer containing the key data. The content of this - /// buffer is interpreted according to the type declared - /// in \p attributes. - /// All implementations must support at least the format - /// described in the documentation - /// of psa_export_key() or psa_export_public_key() for - /// the chosen type. Implementations may allow other - /// formats, but should be conservative: implementations - /// should err on the side of rejecting content if it - /// may be erroneous (e.g. wrong type or truncated data). - /// \param data_length Size of the \p data buffer in bytes. + /// \param ctx context to be initialized /// - /// \retval #PSA_SUCCESS - /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size is not supported, either by the - /// implementation in general or in this particular persistent location. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key attributes, as a whole, are invalid, or - /// the key data is not correctly formatted, or - /// the size in \p attributes is nonzero and does not match the size - /// of the key data. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_import_key( - attributes: *const psa_key_attributes_t, - data: *const u8, - data_length: usize, - key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return 0 if successful + pub fn mbedtls_ripemd160_starts(ctx: *mut mbedtls_ripemd160_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Export a key in binary format. - /// - /// The output of this function can be passed to psa_import_key() to - /// create an equivalent object. + /// \brief RIPEMD-160 process buffer /// - /// If the implementation of psa_import_key() supports other formats - /// beyond the format specified here, the output from psa_export_key() - /// must use the representation specified here, not the original - /// representation. + /// \param ctx RIPEMD-160 context + /// \param input buffer holding the data + /// \param ilen length of the input data /// - /// For standard key types, the output format is as follows: + /// \return 0 if successful + pub fn mbedtls_ripemd160_update( + ctx: *mut mbedtls_ripemd160_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief RIPEMD-160 final digest /// - /// - For symmetric keys (including MAC keys), the format is the - /// raw bytes of the key. - /// - For DES, the key data consists of 8 bytes. The parity bits must be - /// correct. - /// - For Triple-DES, the format is the concatenation of the - /// two or three DES keys. - /// - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format - /// is the non-encrypted DER encoding of the representation defined by - /// PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0. - /// ``` - /// RSAPrivateKey ::= SEQUENCE { - /// version INTEGER, -- must be 0 - /// modulus INTEGER, -- n - /// publicExponent INTEGER, -- e - /// privateExponent INTEGER, -- d - /// prime1 INTEGER, -- p - /// prime2 INTEGER, -- q - /// exponent1 INTEGER, -- d mod (p-1) - /// exponent2 INTEGER, -- d mod (q-1) - /// coefficient INTEGER, -- (inverse of q) mod p - /// } - /// ``` - /// - For elliptic curve key pairs (key types for which - /// #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is - /// a representation of the private value as a `ceiling(m/8)`-byte string - /// where `m` is the bit size associated with the curve, i.e. the bit size - /// of the order of the curve's coordinate field. This byte string is - /// in little-endian order for Montgomery curves (curve types - /// `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass - /// curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX` - /// and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`). - /// For Weierstrass curves, this is the content of the `privateKey` field of - /// the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves, - /// the format is defined by RFC 7748, and output is masked according to §5. - /// For twisted Edwards curves, the private key is as defined by RFC 8032 - /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). - /// - For Diffie-Hellman key exchange key pairs (key types for which - /// #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the - /// format is the representation of the private key `x` as a big-endian byte - /// string. The length of the byte string is the private key size in bytes - /// (leading zeroes are not stripped). - /// - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is - /// true), the format is the same as for psa_export_public_key(). + /// \param ctx RIPEMD-160 context + /// \param output RIPEMD-160 checksum result /// - /// The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set. + /// \return 0 if successful + pub fn mbedtls_ripemd160_finish( + ctx: *mut mbedtls_ripemd160_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief RIPEMD-160 process data block (internal use only) /// - /// \param key Identifier of the key to export. It must allow the - /// usage #PSA_KEY_USAGE_EXPORT, unless it is a public - /// key. - /// \param[out] data Buffer where the key data is to be written. - /// \param data_size Size of the \p data buffer in bytes. - /// \param[out] data_length On success, the number of bytes - /// that make up the key data. + /// \param ctx RIPEMD-160 context + /// \param data buffer holding one block of data /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_EXPORT flag. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p data buffer is too small. You can determine a - /// sufficient buffer size by calling - /// #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits) - /// where \c type is the key type - /// and \c bits is the key size in bits. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_export_key( - key: mbedtls_svc_key_id_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; + /// \return 0 if successful + pub fn mbedtls_internal_ripemd160_process( + ctx: *mut mbedtls_ripemd160_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Export a public key or the public part of a key pair in binary format. + /// \brief Output = RIPEMD-160( input buffer ) /// - /// The output of this function can be passed to psa_import_key() to - /// create an object that is equivalent to the public key. + /// \param input buffer holding the data + /// \param ilen length of the input data + /// \param output RIPEMD-160 checksum result /// - /// This specification supports a single format for each key type. - /// Implementations may support other formats as long as the standard - /// format is supported. Implementations that support other formats - /// should ensure that the formats are clearly unambiguous so as to - /// minimize the risk that an invalid input is accidentally interpreted - /// according to a different format. + /// \return 0 if successful + pub fn mbedtls_ripemd160( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// For standard key types, the output format is as follows: - /// - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of - /// the representation defined by RFC 3279 §2.3.1 as `RSAPublicKey`. - /// ``` - /// RSAPublicKey ::= SEQUENCE { - /// modulus INTEGER, -- n - /// publicExponent INTEGER } -- e - /// ``` - /// - For elliptic curve keys on a twisted Edwards curve (key types for which - /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY - /// returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined - /// by RFC 8032 - /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). - /// - For other elliptic curve public keys (key types for which - /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed - /// representation defined by SEC1 §2.3.3 as the content of an ECPoint. - /// Let `m` be the bit size associated with the curve, i.e. the bit size of - /// `q` for a curve over `F_q`. The representation consists of: - /// - The byte 0x04; - /// - `x_P` as a `ceiling(m/8)`-byte string, big-endian; - /// - `y_P` as a `ceiling(m/8)`-byte string, big-endian. - /// - For Diffie-Hellman key exchange public keys (key types for which - /// #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true), - /// the format is the representation of the public key `y = g^x mod p` as a - /// big-endian byte string. The length of the byte string is the length of the - /// base prime `p` in bytes. + /// \return 0 if successful, or 1 if the test failed + pub fn mbedtls_ripemd160_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha1_context { + pub work_area: [::core::ffi::c_uchar; 208usize], +} +impl Default for mbedtls_sha1_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes a SHA-1 context. /// - /// Exporting a public key object or the public part of a key pair is - /// always permitted, regardless of the key's usage flags. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param key Identifier of the key to export. - /// \param[out] data Buffer where the key data is to be written. - /// \param data_size Size of the \p data buffer in bytes. - /// \param[out] data_length On success, the number of bytes - /// that make up the key data. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key is neither a public key nor a key pair. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p data buffer is too small. You can determine a - /// sufficient buffer size by calling - /// #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits) - /// where \c type is the key type - /// and \c bits is the key size in bits. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_export_public_key( - key: mbedtls_svc_key_id_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_sha1_init(ctx: *mut mbedtls_sha1_context); } unsafe extern "C" { - /// Calculate the hash (digest) of a message. - /// - /// \note To verify the hash of a message against an - /// expected value, use psa_hash_compare() instead. + /// \brief This function clears a SHA-1 context. /// - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). - /// \param[in] input Buffer containing the message to hash. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] hash Buffer where the hash is to be written. - /// \param hash_size Size of the \p hash buffer in bytes. - /// \param[out] hash_length On success, the number of bytes - /// that make up the hash value. This is always - /// #PSA_HASH_LENGTH(\p alg). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p hash_size is too small - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_compute( - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - hash: *mut u8, - hash_size: usize, - hash_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to clear. This may be \c NULL, + /// in which case this function does nothing. If it is + /// not \c NULL, it must point to an initialized + /// SHA-1 context. + pub fn mbedtls_sha1_free(ctx: *mut mbedtls_sha1_context); } unsafe extern "C" { - /// Calculate the hash (digest) of a message and compare it with a - /// reference value. + /// \brief This function clones the state of a SHA-1 context. /// - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). - /// \param[in] input Buffer containing the message to hash. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] hash Buffer containing the expected hash value. - /// \param hash_length Size of the \p hash buffer in bytes. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// The expected hash is identical to the actual hash of the input. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The hash of the message was calculated successfully, but it - /// differs from the expected hash. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p input_length or \p hash_length do not match the hash size for \p alg - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_compare( - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - hash: *const u8, - hash_length: usize, - ) -> psa_status_t; + /// \param dst The SHA-1 context to clone to. This must be initialized. + /// \param src The SHA-1 context to clone from. This must be initialized. + pub fn mbedtls_sha1_clone(dst: *mut mbedtls_sha1_context, src: *const mbedtls_sha1_context); } -/// The type of the state data structure for multipart hash operations. -/// -/// Before calling any function on a hash operation object, the application must -/// initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_hash_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_hash_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT, -/// for example: -/// \code -/// psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_hash_operation_init() -/// to the structure, for example: -/// \code -/// psa_hash_operation_t operation; -/// operation = psa_hash_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_hash_operation_t = psa_hash_operation_s; unsafe extern "C" { - /// Set up a multipart hash operation. - /// - /// The sequence of operations to calculate a hash (message digest) - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT. - /// -# Call psa_hash_setup() to specify the algorithm. - /// -# Call psa_hash_update() zero, one or more times, passing a fragment - /// of the message each time. The hash that is calculated is the hash - /// of the concatenation of these messages in order. - /// -# To calculate the hash, call psa_hash_finish(). - /// To compare the hash with an expected value, call psa_hash_verify(). - /// - /// If an error occurs at any step after a call to psa_hash_setup(), the - /// operation will need to be reset by a call to psa_hash_abort(). The - /// application may call psa_hash_abort() at any time after the operation - /// has been initialized. + /// \brief This function starts a SHA-1 checksum calculation. /// - /// After a successful call to psa_hash_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_hash_finish() or psa_hash_verify(). - /// - A call to psa_hash_abort(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_hash_operation_t and not yet in use. - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param ctx The SHA-1 context to initialize. This must be initialized. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not a supported hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p alg is not a hash algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_setup( - operation: *mut psa_hash_operation_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_starts(ctx: *mut mbedtls_sha1_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Add a message fragment to a multipart hash operation. - /// - /// The application must call psa_hash_setup() before calling this function. + /// \brief This function feeds an input buffer into an ongoing SHA-1 + /// checksum calculation. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation Active hash operation. - /// \param[in] input Buffer containing the message fragment to hash. - /// \param input_length Size of the \p input buffer in bytes. + /// \param ctx The SHA-1 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the input data. + /// This must be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data \p input in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_update( - operation: *mut psa_hash_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_update( + ctx: *mut mbedtls_sha1_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the hash of a message. + /// \brief This function finishes the SHA-1 operation, and writes + /// the result to the output buffer. /// - /// The application must call psa_hash_setup() before calling this function. - /// This function calculates the hash of the message formed by concatenating - /// the inputs passed to preceding calls to psa_hash_update(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// \param ctx The SHA-1 context to use. This must be initialized and + /// have a hash operation started. + /// \param output The SHA-1 checksum result. This must be a writable + /// buffer of length \c 20 Bytes. /// - /// \warning Applications should not call this function if they expect - /// a specific value for the hash. Call psa_hash_verify() instead. - /// Beware that comparing integrity or authenticity data such as - /// hash values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the hashed data which could allow an attacker to guess - /// a valid hash and thereby bypass security controls. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_finish( + ctx: *mut mbedtls_sha1_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief SHA-1 process data block (internal use only). /// - /// \param[in,out] operation Active hash operation. - /// \param[out] hash Buffer where the hash is to be written. - /// \param hash_size Size of the \p hash buffer in bytes. - /// \param[out] hash_length On success, the number of bytes - /// that make up the hash value. This is always - /// #PSA_HASH_LENGTH(\c alg) where \c alg is the - /// hash algorithm that is calculated. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p hash buffer is too small. You can determine a - /// sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) - /// where \c alg is the hash algorithm that is calculated. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_finish( - operation: *mut psa_hash_operation_t, - hash: *mut u8, - hash_size: usize, - hash_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to use. This must be initialized. + /// \param data The data block being processed. This must be a + /// readable buffer of length \c 64 Bytes. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha1_process( + ctx: *mut mbedtls_sha1_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the hash of a message and compare it with - /// an expected value. + /// \brief This function calculates the SHA-1 checksum of a buffer. /// - /// The application must call psa_hash_setup() before calling this function. - /// This function calculates the hash of the message formed by concatenating - /// the inputs passed to preceding calls to psa_hash_update(). It then - /// compares the calculated hash with the expected hash passed as a - /// parameter to this function. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// The SHA-1 result is calculated as + /// output = SHA-1(input buffer). /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual hash and the expected hash is performed - /// in constant time. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation Active hash operation. - /// \param[in] hash Buffer containing the expected hash value. - /// \param hash_length Size of the \p hash buffer in bytes. + /// \param input The buffer holding the input data. + /// This must be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data \p input in Bytes. + /// \param output The SHA-1 checksum result. + /// This must be a writable buffer of length \c 20 Bytes. /// - /// \retval #PSA_SUCCESS - /// The expected hash is identical to the actual hash of the message. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The hash of the message was calculated successfully, but it - /// differs from the expected hash. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_verify( - operation: *mut psa_hash_operation_t, - hash: *const u8, - hash_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a hash operation. + /// \brief The SHA-1 checkup routine. /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_hash_setup() again. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// You may call this function any time after the operation object has - /// been initialized by one of the methods described in #psa_hash_operation_t. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha1_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha256_context { + pub work_area: [::core::ffi::c_uchar; 208usize], + pub is224: ::core::ffi::c_uchar, +} +impl Default for mbedtls_sha256_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes a SHA-256 context. /// - /// In particular, calling psa_hash_abort() after the operation has been - /// terminated by a call to psa_hash_abort(), psa_hash_finish() or - /// psa_hash_verify() is safe and has no effect. + /// \param ctx The SHA-256 context to initialize. This must not be \c NULL. + pub fn mbedtls_sha256_init(ctx: *mut mbedtls_sha256_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-256 context. /// - /// \param[in,out] operation Initialized hash operation. + /// \param ctx The SHA-256 context to clear. This may be \c NULL, in which + /// case this function returns immediately. If it is not \c NULL, + /// it must point to an initialized SHA-256 context. + pub fn mbedtls_sha256_free(ctx: *mut mbedtls_sha256_context); +} +unsafe extern "C" { + /// \brief This function clones the state of a SHA-256 context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_abort(operation: *mut psa_hash_operation_t) -> psa_status_t; + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha256_clone( + dst: *mut mbedtls_sha256_context, + src: *const mbedtls_sha256_context, + ); } unsafe extern "C" { - /// Clone a hash operation. + /// \brief This function starts a SHA-224 or SHA-256 checksum + /// calculation. /// - /// This function copies the state of an ongoing hash operation to - /// a new operation object. In other words, this function is equivalent - /// to calling psa_hash_setup() on \p target_operation with the same - /// algorithm that \p source_operation was set up for, then - /// psa_hash_update() on \p target_operation with the same input that - /// that was passed to \p source_operation. After this function returns, the - /// two objects are independent, i.e. subsequent calls involving one of - /// the objects do not affect the other object. + /// \param ctx The context to use. This must be initialized. + /// \param is224 This determines which function to use. This must be + /// either \c 0 for SHA-256, or \c 1 for SHA-224. /// - /// \param[in] source_operation The active hash operation to clone. - /// \param[in,out] target_operation The operation object to set up. - /// It must be initialized but not active. + /// \note is224 must be defined accordingly to the enabled + /// MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the + /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The \p source_operation state is not valid (it must be active), or - /// the \p target_operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_clone( - source_operation: *const psa_hash_operation_t, - target_operation: *mut psa_hash_operation_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_starts( + ctx: *mut mbedtls_sha256_context, + is224: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Calculate the MAC (message authentication code) of a message. + /// \brief This function feeds an input buffer into an ongoing + /// SHA-256 checksum calculation. /// - /// \note To verify the MAC of a message against an - /// expected value, use psa_mac_verify() instead. - /// Beware that comparing integrity or authenticity data such as - /// MAC values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the MAC value which could allow an attacker to guess - /// a valid MAC and thereby bypass security controls. + /// \param ctx The SHA-256 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \param key Identifier of the key to use for the operation. It - /// must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). - /// \param[in] input Buffer containing the input message. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] mac Buffer where the MAC value is to be written. - /// \param mac_size Size of the \p mac buffer in bytes. - /// \param[out] mac_length On success, the number of bytes - /// that make up the MAC value. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_update( + ctx: *mut mbedtls_sha256_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function finishes the SHA-256 operation, and writes + /// the result to the output buffer. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p mac_size is too small - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_compute( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - mac: *mut u8, - mac_size: usize, - mac_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-256 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-224 or SHA-256 checksum result. + /// This must be a writable buffer of length \c 32 bytes + /// for SHA-256, \c 28 bytes for SHA-224. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_finish( + ctx: *mut mbedtls_sha256_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Calculate the MAC of a message and compare it with a reference value. + /// \brief This function processes a single data block within + /// the ongoing SHA-256 computation. This function is for + /// internal use only. /// - /// \param key Identifier of the key to use for the operation. It - /// must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). - /// \param[in] input Buffer containing the input message. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] mac Buffer containing the expected MAC value. - /// \param mac_length Size of the \p mac buffer in bytes. + /// \param ctx The SHA-256 context. This must be initialized. + /// \param data The buffer holding one block of data. This must + /// be a readable buffer of length \c 64 Bytes. /// - /// \retval #PSA_SUCCESS - /// The expected MAC is identical to the actual MAC of the input. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The MAC of the message was calculated successfully, but it - /// differs from the expected value. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - mac: *const u8, - mac_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha256_process( + ctx: *mut mbedtls_sha256_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart MAC operations. -/// -/// Before calling any function on a MAC operation object, the application must -/// initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_mac_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_mac_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT, -/// for example: -/// \code -/// psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_mac_operation_init() -/// to the structure, for example: -/// \code -/// psa_mac_operation_t operation; -/// operation = psa_mac_operation_init(); -/// \endcode -/// -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_mac_operation_t = psa_mac_operation_s; unsafe extern "C" { - /// Set up a multipart MAC calculation operation. + /// \brief This function calculates the SHA-224 or SHA-256 + /// checksum of a buffer. /// - /// This function sets up the calculation of the MAC - /// (message authentication code) of a byte string. - /// To verify the MAC of a message against an - /// expected value, use psa_mac_verify_setup() instead. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// The sequence of operations to calculate a MAC is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. - /// -# Call psa_mac_sign_setup() to specify the algorithm and key. - /// -# Call psa_mac_update() zero, one or more times, passing a fragment - /// of the message each time. The MAC that is calculated is the MAC - /// of the concatenation of these messages in order. - /// -# At the end of the message, call psa_mac_sign_finish() to finish - /// calculating the MAC value and retrieve it. + /// The SHA-256 result is calculated as + /// output = SHA-256(input buffer). /// - /// If an error occurs at any step after a call to psa_mac_sign_setup(), the - /// operation will need to be reset by a call to psa_mac_abort(). The - /// application may call psa_mac_abort() at any time after the operation - /// has been initialized. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-224 or SHA-256 checksum result. + /// This must be a writable buffer of length \c 32 bytes + /// for SHA-256, \c 28 bytes for SHA-224. + /// \param is224 Determines which function to use. This must be + /// either \c 0 for SHA-256, or \c 1 for SHA-224. /// - /// After a successful call to psa_mac_sign_setup(), the application must - /// eventually terminate the operation through one of the following methods: - /// - A successful call to psa_mac_sign_finish(). - /// - A call to psa_mac_abort(). + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + is224: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-224 checkup routine. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_mac_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. It - /// must remain valid until the operation terminates. - /// It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha224_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-256 checkup routine. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_sign_setup( - operation: *mut psa_mac_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha256_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha512_context { + pub work_area: [::core::ffi::c_uchar; 304usize], + pub is384: ::core::ffi::c_uchar, +} +impl Default for mbedtls_sha512_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Set up a multipart MAC verification operation. + /// \brief This function initializes a SHA-512 context. /// - /// This function sets up the verification of the MAC - /// (message authentication code) of a byte string against an expected value. + /// \param ctx The SHA-512 context to initialize. This must + /// not be \c NULL. + pub fn mbedtls_sha512_init(ctx: *mut mbedtls_sha512_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-512 context. /// - /// The sequence of operations to verify a MAC is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. - /// -# Call psa_mac_verify_setup() to specify the algorithm and key. - /// -# Call psa_mac_update() zero, one or more times, passing a fragment - /// of the message each time. The MAC that is calculated is the MAC - /// of the concatenation of these messages in order. - /// -# At the end of the message, call psa_mac_verify_finish() to finish - /// calculating the actual MAC of the message and verify it against - /// the expected value. + /// \param ctx The SHA-512 context to clear. This may be \c NULL, + /// in which case this function does nothing. If it + /// is not \c NULL, it must point to an initialized + /// SHA-512 context. + pub fn mbedtls_sha512_free(ctx: *mut mbedtls_sha512_context); +} +unsafe extern "C" { + /// \brief This function clones the state of a SHA-512 context. /// - /// If an error occurs at any step after a call to psa_mac_verify_setup(), the - /// operation will need to be reset by a call to psa_mac_abort(). The - /// application may call psa_mac_abort() at any time after the operation - /// has been initialized. + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha512_clone( + dst: *mut mbedtls_sha512_context, + src: *const mbedtls_sha512_context, + ); +} +unsafe extern "C" { + /// \brief This function starts a SHA-384 or SHA-512 checksum + /// calculation. /// - /// After a successful call to psa_mac_verify_setup(), the application must - /// eventually terminate the operation through one of the following methods: - /// - A successful call to psa_mac_verify_finish(). - /// - A call to psa_mac_abort(). + /// \param ctx The SHA-512 context to use. This must be initialized. + /// \param is384 Determines which function to use. This must be + /// either \c 0 for SHA-512, or \c 1 for SHA-384. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_mac_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. It - /// must remain valid until the operation terminates. - /// It must allow the usage - /// PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \note is384 must be defined accordingly to the enabled + /// MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the + /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c key is not compatible with \c alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify_setup( - operation: *mut psa_mac_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_starts( + ctx: *mut mbedtls_sha512_context, + is384: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Add a message fragment to a multipart MAC operation. - /// - /// The application must call psa_mac_sign_setup() or psa_mac_verify_setup() - /// before calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// \brief This function feeds an input buffer into an ongoing + /// SHA-512 checksum calculation. /// - /// \param[in,out] operation Active MAC operation. - /// \param[in] input Buffer containing the message fragment to add to - /// the MAC calculation. - /// \param input_length Size of the \p input buffer in bytes. + /// \param ctx The SHA-512 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the input data. This must + /// be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_update( - operation: *mut psa_mac_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_update( + ctx: *mut mbedtls_sha512_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the MAC of a message. - /// - /// The application must call psa_mac_sign_setup() before calling this function. - /// This function calculates the MAC of the message formed by concatenating - /// the inputs passed to preceding calls to psa_mac_update(). + /// \brief This function finishes the SHA-512 operation, and writes + /// the result to the output buffer. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// \param ctx The SHA-512 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-384 or SHA-512 checksum result. + /// This must be a writable buffer of length \c 64 bytes + /// for SHA-512, \c 48 bytes for SHA-384. /// - /// \warning Applications should not call this function if they expect - /// a specific value for the MAC. Call psa_mac_verify_finish() instead. - /// Beware that comparing integrity or authenticity data such as - /// MAC values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the MAC value which could allow an attacker to guess - /// a valid MAC and thereby bypass security controls. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_finish( + ctx: *mut mbedtls_sha512_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function processes a single data block within + /// the ongoing SHA-512 computation. + /// This function is for internal use only. /// - /// \param[in,out] operation Active MAC operation. - /// \param[out] mac Buffer where the MAC value is to be written. - /// \param mac_size Size of the \p mac buffer in bytes. - /// \param[out] mac_length On success, the number of bytes - /// that make up the MAC value. This is always - /// #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg) - /// where \c key_type and \c key_bits are the type and - /// bit-size respectively of the key and \c alg is the - /// MAC algorithm that is calculated. + /// \param ctx The SHA-512 context. This must be initialized. + /// \param data The buffer holding one block of data. This + /// must be a readable buffer of length \c 128 Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p mac buffer is too small. You can determine a - /// sufficient buffer size by calling PSA_MAC_LENGTH(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active mac sign - /// operation), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_sign_finish( - operation: *mut psa_mac_operation_t, - mac: *mut u8, - mac_size: usize, - mac_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha512_process( + ctx: *mut mbedtls_sha512_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the MAC of a message and compare it with - /// an expected value. + /// \brief This function calculates the SHA-512 or SHA-384 + /// checksum of a buffer. /// - /// The application must call psa_mac_verify_setup() before calling this function. - /// This function calculates the MAC of the message formed by concatenating - /// the inputs passed to preceding calls to psa_mac_update(). It then - /// compares the calculated MAC with the expected MAC passed as a - /// parameter to this function. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// The SHA-512 result is calculated as + /// output = SHA-512(input buffer). /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual MAC and the expected MAC is performed - /// in constant time. + /// \param input The buffer holding the input data. This must be + /// a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-384 or SHA-512 checksum result. + /// This must be a writable buffer of length \c 64 bytes + /// for SHA-512, \c 48 bytes for SHA-384. + /// \param is384 Determines which function to use. This must be either + /// \c 0 for SHA-512, or \c 1 for SHA-384. /// - /// \param[in,out] operation Active MAC operation. - /// \param[in] mac Buffer containing the expected MAC value. - /// \param mac_length Size of the \p mac buffer in bytes. + /// \note is384 must be defined accordingly with the supported + /// symbols in the config file. If: + /// - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or + /// - is384 is 1, but \c MBEDTLS_SHA512_C is not defined + /// then the function will return + /// #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS - /// The expected MAC is identical to the actual MAC of the message. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The MAC of the message was calculated successfully, but it - /// differs from the expected MAC. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active mac verify - /// operation), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify_finish( - operation: *mut psa_mac_operation_t, - mac: *const u8, - mac_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + is384: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a MAC operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_mac_sign_setup() or psa_mac_verify_setup() again. + /// \brief The SHA-384 checkup routine. /// - /// You may call this function any time after the operation object has - /// been initialized by one of the methods described in #psa_mac_operation_t. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha384_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-512 checkup routine. /// - /// In particular, calling psa_mac_abort() after the operation has been - /// terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or - /// psa_mac_verify_finish() is safe and has no effect. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha512_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +///< Operation not defined. +pub const mbedtls_sha3_id_MBEDTLS_SHA3_NONE: mbedtls_sha3_id = 0; +///< SHA3-224 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_224: mbedtls_sha3_id = 1; +///< SHA3-256 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_256: mbedtls_sha3_id = 2; +///< SHA3-384 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_384: mbedtls_sha3_id = 3; +///< SHA3-512 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_512: mbedtls_sha3_id = 4; +/// SHA-3 family id. +/// +/// It identifies the family (SHA3-256, SHA3-512, etc.) +pub type mbedtls_sha3_id = ::core::ffi::c_uint; +/// \brief The SHA-3 context structure. +/// +/// The structure is used SHA-3 checksum calculations. +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_sha3_context { + pub private_state: [u64; 25usize], + pub private_index: u32, + pub private_olen: u16, + pub private_max_block_size: u16, +} +unsafe extern "C" { + /// \brief This function initializes a SHA-3 context. /// - /// \param[in,out] operation Initialized MAC operation. + /// \param ctx The SHA-3 context to initialize. This must not be \c NULL. + pub fn mbedtls_sha3_init(ctx: *mut mbedtls_sha3_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-3 context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_abort(operation: *mut psa_mac_operation_t) -> psa_status_t; + /// \param ctx The SHA-3 context to clear. This may be \c NULL, in which + /// case this function returns immediately. If it is not \c NULL, + /// it must point to an initialized SHA-3 context. + pub fn mbedtls_sha3_free(ctx: *mut mbedtls_sha3_context); } unsafe extern "C" { - /// Encrypt a message using a symmetric cipher. + /// \brief This function clones the state of a SHA-3 context. /// - /// This function encrypts a message with a random IV (initialization - /// vector). Use the multipart operation interface with a - /// #psa_cipher_operation_t object to provide other forms of IV. + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha3_clone(dst: *mut mbedtls_sha3_context, src: *const mbedtls_sha3_context); +} +unsafe extern "C" { + /// \brief This function starts a SHA-3 checksum + /// calculation. /// - /// \param key Identifier of the key to use for the operation. - /// It must allow the usage #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// \param[in] input Buffer containing the message to encrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// The output contains the IV followed by - /// the ciphertext proper. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the output. + /// \param ctx The context to use. This must be initialized. + /// \param id The id of the SHA-3 family. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_starts( + ctx: *mut mbedtls_sha3_context, + id: mbedtls_sha3_id, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Decrypt a message using a symmetric cipher. - /// - /// This function decrypts a message encrypted with a symmetric cipher. + /// \brief This function feeds an input buffer into an ongoing + /// SHA-3 checksum calculation. /// - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// \param[in] input Buffer containing the message to decrypt. - /// This consists of the IV followed by the - /// ciphertext proper. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the plaintext is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the output. + /// \param ctx The SHA-3 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_update( + ctx: *mut mbedtls_sha3_context, input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + ilen: usize, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart cipher operations. -/// -/// Before calling any function on a cipher operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_cipher_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_cipher_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT, -/// for example: -/// \code -/// psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_cipher_operation_init() -/// to the structure, for example: -/// \code -/// psa_cipher_operation_t operation; -/// operation = psa_cipher_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_cipher_operation_t = psa_cipher_operation_s; unsafe extern "C" { - /// Set the key for a multipart symmetric encryption operation. + /// \brief This function finishes the SHA-3 operation, and writes + /// the result to the output buffer. /// - /// The sequence of operations to encrypt a message with a symmetric cipher - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_cipher_operation_t, e.g. - /// #PSA_CIPHER_OPERATION_INIT. - /// -# Call psa_cipher_encrypt_setup() to specify the algorithm and key. - /// -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to - /// generate or set the IV (initialization vector). You should use - /// psa_cipher_generate_iv() unless the protocol you are implementing - /// requires a specific IV value. - /// -# Call psa_cipher_update() zero, one or more times, passing a fragment - /// of the message each time. - /// -# Call psa_cipher_finish(). + /// \param ctx The SHA-3 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-3 checksum result. + /// This must be a writable buffer of length \c olen bytes. + /// \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256, + /// SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64, + /// respectively. /// - /// If an error occurs at any step after a call to psa_cipher_encrypt_setup(), - /// the operation will need to be reset by a call to psa_cipher_abort(). The - /// application may call psa_cipher_abort() at any time after the operation - /// has been initialized. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_finish( + ctx: *mut mbedtls_sha3_context, + output: *mut u8, + olen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function calculates the SHA-3 + /// checksum of a buffer. /// - /// After a successful call to psa_cipher_encrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_cipher_finish(). - /// - A call to psa_cipher_abort(). + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_cipher_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// The SHA-3 result is calculated as + /// output = SHA-3(id, input buffer, d). /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_encrypt_setup( - operation: *mut psa_cipher_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \param id The id of the SHA-3 family. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-3 checksum result. + /// This must be a writable buffer of length \c olen bytes. + /// \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256, + /// SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64, + /// respectively. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3( + id: mbedtls_sha3_id, + input: *const u8, + ilen: usize, + output: *mut u8, + olen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the key for a multipart symmetric decryption operation. + /// \brief Checkup routine for the algorithms implemented + /// by this module: SHA3-224, SHA3-256, SHA3-384, SHA3-512. /// - /// The sequence of operations to decrypt a message with a symmetric cipher - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_cipher_operation_t, e.g. - /// #PSA_CIPHER_OPERATION_INIT. - /// -# Call psa_cipher_decrypt_setup() to specify the algorithm and key. - /// -# Call psa_cipher_set_iv() with the IV (initialization vector) for the - /// decryption. If the IV is prepended to the ciphertext, you can call - /// psa_cipher_update() on a buffer containing the IV followed by the - /// beginning of the message. - /// -# Call psa_cipher_update() zero, one or more times, passing a fragment - /// of the message each time. - /// -# Call psa_cipher_finish(). - /// - /// If an error occurs at any step after a call to psa_cipher_decrypt_setup(), - /// the operation will need to be reset by a call to psa_cipher_abort(). The - /// application may call psa_cipher_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_cipher_decrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_cipher_finish(). - /// - A call to psa_cipher_abort(). - /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_cipher_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_decrypt_setup( - operation: *mut psa_cipher_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return 0 if successful, or 1 if the test failed. + pub fn mbedtls_sha3_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// Generate an IV for a symmetric encryption operation. - /// - /// This function generates a random IV (initialization vector), nonce - /// or initial counter value for the encryption operation as appropriate - /// for the chosen algorithm, key type and key size. - /// - /// The application must call psa_cipher_encrypt_setup() before - /// calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[out] iv Buffer where the generated IV is to be written. - /// \param iv_size Size of the \p iv buffer in bytes. - /// \param[out] iv_length On success, the number of bytes of the - /// generated IV. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p iv buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with no IV set), - /// or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_generate_iv( - operation: *mut psa_cipher_operation_t, - iv: *mut u8, - iv_size: usize, - iv_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_hash_operation_t { + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + pub private_ctx: mbedtls_psa_hash_operation_t__bindgen_ty_1, } -unsafe extern "C" { - /// Set the IV for a symmetric encryption or decryption operation. - /// - /// This function sets the IV (initialization vector), nonce - /// or initial counter value for the encryption or decryption operation. - /// - /// The application must call psa_cipher_encrypt_setup() before - /// calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \note When encrypting, applications should use psa_cipher_generate_iv() - /// instead of this function, unless implementing a protocol that requires - /// a non-random IV. - /// - /// \param[in,out] operation Active cipher operation. - /// \param[in] iv Buffer containing the IV to use. - /// \param iv_length Size of the IV in bytes. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The size of \p iv is not acceptable for the chosen algorithm, - /// or the chosen algorithm does not use an IV. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active cipher - /// encrypt operation, with no IV set), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_set_iv( - operation: *mut psa_cipher_operation_t, - iv: *const u8, - iv_length: usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union mbedtls_psa_hash_operation_t__bindgen_ty_1 { + pub dummy: ::core::ffi::c_uint, + pub md5: mbedtls_md5_context, + pub ripemd160: mbedtls_ripemd160_context, + pub sha1: mbedtls_sha1_context, + pub sha256: mbedtls_sha256_context, + pub sha512: mbedtls_sha512_context, } -unsafe extern "C" { - /// Encrypt or decrypt a message fragment in an active cipher operation. - /// - /// Before calling this function, you must: - /// 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(). - /// The choice of setup function determines whether this function - /// encrypts or decrypts its input. - /// 2. If the algorithm requires an IV, call psa_cipher_generate_iv() - /// (recommended when encrypting) or psa_cipher_set_iv(). - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[in] input Buffer containing the message fragment to - /// encrypt or decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with an IV set - /// if required for the algorithm), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_update( - operation: *mut psa_cipher_operation_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_hash_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Finish encrypting or decrypting a message in a cipher operation. - /// - /// The application must call psa_cipher_encrypt_setup() or - /// psa_cipher_decrypt_setup() before calling this function. The choice - /// of setup function determines whether this function encrypts or - /// decrypts its input. - /// - /// This function finishes the encryption or decryption of the message - /// formed by concatenating the inputs passed to preceding calls to - /// psa_cipher_update(). - /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total input size passed to this operation is not valid for - /// this particular algorithm. For example, the algorithm is a based - /// on block cipher and requires a whole number of blocks, but the - /// total input size is not a multiple of the block size. - /// \retval #PSA_ERROR_INVALID_PADDING - /// This is a decryption operation for an algorithm that includes - /// padding, and the ciphertext does not contain valid padding. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with an IV set - /// if required for the algorithm), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_finish( - operation: *mut psa_cipher_operation_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_hash_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_cipher_operation_t { + pub private_alg: psa_algorithm_t, + pub private_iv_length: u8, + pub private_block_length: u8, + pub private_ctx: mbedtls_psa_cipher_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_cipher_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_cipher: mbedtls_cipher_context_t, +} +impl Default for mbedtls_psa_cipher_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_cipher_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_hash_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_hash_operation_t, +} +impl Default for psa_driver_hash_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_cipher_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_cipher_operation_t, +} +impl Default for psa_driver_cipher_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_hash_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_driver_wrappers.h. + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. the driver context is not active, in use). + pub private_id: ::core::ffi::c_uint, + pub __bindgen_padding_0: u64, + pub private_ctx: psa_driver_hash_context_t, +} +impl Default for psa_hash_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_cipher_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_default_iv_length: u8, + pub private_ctx: psa_driver_cipher_context_t, +} +impl Default for psa_cipher_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_cipher_operation_s { + #[inline] + pub fn private_iv_required(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_iv_required(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_required_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_required_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_iv_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_iv_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(1usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 1usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 1usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_iv_required: ::core::ffi::c_uint, + private_iv_set: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_iv_required: u32 = unsafe { ::core::mem::transmute(private_iv_required) }; + private_iv_required as u64 + }); + __bindgen_bitfield_unit.set(1usize, 1u8, { + let private_iv_set: u32 = unsafe { ::core::mem::transmute(private_iv_set) }; + private_iv_set as u64 + }); + __bindgen_bitfield_unit + } +} +/// \brief The GCM context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_gcm_context { + ///< The cipher context used. + pub private_cipher_ctx: mbedtls_cipher_context_t, + ///< Precalculated HTable. + pub private_H: [[u64; 2usize]; 16usize], + ///< The total length of the encrypted data. + pub private_len: u64, + ///< The total length of the additional data. + pub private_add_len: u64, + ///< The first ECTR for tag. + pub private_base_ectr: [::core::ffi::c_uchar; 16usize], + ///< The Y working value. + pub private_y: [::core::ffi::c_uchar; 16usize], + ///< The buf working value. + pub private_buf: [::core::ffi::c_uchar; 16usize], + ///< The operation to perform: + ///#MBEDTLS_GCM_ENCRYPT or + ///#MBEDTLS_GCM_DECRYPT. + pub private_mode: ::core::ffi::c_uchar, + ///< The acceleration to use. + pub private_acceleration: ::core::ffi::c_uchar, +} +impl Default for mbedtls_gcm_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Abort a cipher operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again. - /// - /// You may call this function any time after the operation object has - /// been initialized as described in #psa_cipher_operation_t. - /// - /// In particular, calling psa_cipher_abort() after the operation has been - /// terminated by a call to psa_cipher_abort() or psa_cipher_finish() - /// is safe and has no effect. + /// \brief This function initializes the specified GCM context, + /// to make references valid, and prepares the context + /// for mbedtls_gcm_setkey() or mbedtls_gcm_free(). /// - /// \param[in,out] operation Initialized cipher operation. + /// The function does not bind the GCM context to a particular + /// cipher, nor set the key. For this purpose, use + /// mbedtls_gcm_setkey(). /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_abort(operation: *mut psa_cipher_operation_t) -> psa_status_t; + /// \param ctx The GCM context to initialize. This must not be \c NULL. + pub fn mbedtls_gcm_init(ctx: *mut mbedtls_gcm_context); } unsafe extern "C" { - /// Process an authenticated encryption operation. + /// \brief This function associates a GCM context with a + /// cipher algorithm and a key. /// - /// \param key Identifier of the key to use for the - /// operation. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). - /// \param[in] nonce Nonce or IV to use. - /// \param nonce_length Size of the \p nonce buffer in bytes. - /// \param[in] additional_data Additional data that will be authenticated - /// but not encrypted. - /// \param additional_data_length Size of \p additional_data in bytes. - /// \param[in] plaintext Data that will be authenticated and - /// encrypted. - /// \param plaintext_length Size of \p plaintext in bytes. - /// \param[out] ciphertext Output buffer for the authenticated and - /// encrypted data. The additional data is not - /// part of this output. For algorithms where the - /// encrypted data and the authentication tag - /// are defined as separate outputs, the - /// authentication tag is appended to the - /// encrypted data. - /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, - /// \p alg, \p plaintext_length) where - /// \c key_type is the type of \p key. - /// - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p - /// plaintext_length) evaluates to the maximum - /// ciphertext size of any supported AEAD - /// encryption. - /// \param[out] ciphertext_length On success, the size of the output - /// in the \p ciphertext buffer. + /// \param ctx The GCM context. This must be initialized. + /// \param cipher The 128-bit block cipher to use. + /// \param key The encryption key. This must be a readable buffer of at + /// least \p keybits bits. + /// \param keybits The key size in bits. Valid options are: + ///
  • 128 bits
    • + ///
  • 192 bits
    • + ///
  • 256 bits
/// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p ciphertext_size is too small. - /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg, - /// \p plaintext_length) or - /// #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to - /// determine the required buffer size. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - nonce: *const u8, - nonce_length: usize, - additional_data: *const u8, - additional_data_length: usize, - plaintext: *const u8, - plaintext_length: usize, - ciphertext: *mut u8, - ciphertext_size: usize, - ciphertext_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A cipher-specific error code on failure. + pub fn mbedtls_gcm_setkey( + ctx: *mut mbedtls_gcm_context, + cipher: mbedtls_cipher_id_t, + key: *const ::core::ffi::c_uchar, + keybits: ::core::ffi::c_uint, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Process an authenticated decryption operation. + /// \brief This function performs GCM encryption or decryption of a buffer. /// - /// \param key Identifier of the key to use for the - /// operation. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). - /// \param[in] nonce Nonce or IV to use. - /// \param nonce_length Size of the \p nonce buffer in bytes. - /// \param[in] additional_data Additional data that has been authenticated - /// but not encrypted. - /// \param additional_data_length Size of \p additional_data in bytes. - /// \param[in] ciphertext Data that has been authenticated and - /// encrypted. For algorithms where the - /// encrypted data and the authentication tag - /// are defined as separate inputs, the buffer - /// must contain the encrypted data followed - /// by the authentication tag. - /// \param ciphertext_length Size of \p ciphertext in bytes. - /// \param[out] plaintext Output buffer for the decrypted data. - /// \param plaintext_size Size of the \p plaintext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, - /// \p alg, \p ciphertext_length) where - /// \c key_type is the type of \p key. - /// - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p - /// ciphertext_length) evaluates to the maximum - /// plaintext size of any supported AEAD - /// decryption. - /// \param[out] plaintext_length On success, the size of the output - /// in the \p plaintext buffer. + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The ciphertext is not authentic. - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p plaintext_size is too small. - /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg, - /// \p ciphertext_length) or - /// #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used - /// to determine the required buffer size. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - nonce: *const u8, - nonce_length: usize, - additional_data: *const u8, - additional_data_length: usize, - ciphertext: *const u8, - ciphertext_length: usize, - plaintext: *mut u8, - plaintext_size: usize, - plaintext_length: *mut usize, - ) -> psa_status_t; + /// \warning When this function performs a decryption, it outputs the + /// authentication tag and does not verify that the data is + /// authentic. You should use this function to perform encryption + /// only. For decryption, use mbedtls_gcm_auth_decrypt() instead. + /// + /// \param ctx The GCM context to use for encryption or decryption. This + /// must be initialized. + /// \param mode The operation to perform: + /// - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption. + /// The ciphertext is written to \p output and the + /// authentication tag is written to \p tag. + /// - #MBEDTLS_GCM_DECRYPT to perform decryption. + /// The plaintext is written to \p output and the + /// authentication tag is written to \p tag. + /// Note that this mode is not recommended, because it does + /// not verify the authenticity of the data. For this reason, + /// you should use mbedtls_gcm_auth_decrypt() instead of + /// calling this function in decryption mode. + /// \param length The length of the input data, which is equal to the length + /// of the output data. + /// \param iv The initialization vector. This must be a readable buffer of + /// at least \p iv_len Bytes. + /// \param iv_len The length of the IV. + /// \param add The buffer holding the additional data. This must be of at + /// least that size in Bytes. + /// \param add_len The length of the additional data. + /// \param input The buffer holding the input data. If \p length is greater + /// than zero, this must be a readable buffer of at least that + /// size in Bytes. + /// \param output The buffer for holding the output data. If \p length is greater + /// than zero, this must be a writable buffer of at least that + /// size in Bytes. + /// \param tag_len The length of the tag to generate. + /// \param tag The buffer for holding the tag. This must be a writable + /// buffer of at least \p tag_len Bytes. + /// + /// \return \c 0 if the encryption or decryption was performed + /// successfully. Note that in #MBEDTLS_GCM_DECRYPT mode, + /// this does not indicate that the data is authentic. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are + /// not valid or a cipher-specific error code if the encryption + /// or decryption failed. + pub fn mbedtls_gcm_crypt_and_tag( + ctx: *mut mbedtls_gcm_context, + mode: ::core::ffi::c_int, + length: usize, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + add: *const ::core::ffi::c_uchar, + add_len: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + tag_len: usize, + tag: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart AEAD operations. -/// -/// Before calling any function on an AEAD operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_aead_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_aead_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT, -/// for example: -/// \code -/// psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_aead_operation_init() -/// to the structure, for example: -/// \code -/// psa_aead_operation_t operation; -/// operation = psa_aead_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_aead_operation_t = psa_aead_operation_s; unsafe extern "C" { - /// Set the key for a multipart authenticated encryption operation. + /// \brief This function performs a GCM authenticated decryption of a + /// buffer. /// - /// The sequence of operations to encrypt a message with authentication - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_aead_operation_t, e.g. - /// #PSA_AEAD_OPERATION_INIT. - /// -# Call psa_aead_encrypt_setup() to specify the algorithm and key. - /// -# If needed, call psa_aead_set_lengths() to specify the length of the - /// inputs to the subsequent calls to psa_aead_update_ad() and - /// psa_aead_update(). See the documentation of psa_aead_set_lengths() - /// for details. - /// -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to - /// generate or set the nonce. You should use - /// psa_aead_generate_nonce() unless the protocol you are implementing - /// requires a specific nonce value. - /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment - /// of the non-encrypted additional authenticated data each time. - /// -# Call psa_aead_update() zero, one or more times, passing a fragment - /// of the message to encrypt each time. - /// -# Call psa_aead_finish(). - /// - /// If an error occurs at any step after a call to psa_aead_encrypt_setup(), - /// the operation will need to be reset by a call to psa_aead_abort(). The - /// application may call psa_aead_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_aead_encrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_aead_finish(). - /// - A call to psa_aead_abort(). + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. Implementations which require + /// MBEDTLS_GCM_ALT to be enabled may not provide support for + /// overlapping buffers. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_aead_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param ctx The GCM context. This must be initialized. + /// \param length The length of the ciphertext to decrypt, which is also + /// the length of the decrypted plaintext. + /// \param iv The initialization vector. This must be a readable buffer + /// of at least \p iv_len Bytes. + /// \param iv_len The length of the IV. + /// \param add The buffer holding the additional data. This must be of at + /// least that size in Bytes. + /// \param add_len The length of the additional data. + /// \param tag The buffer holding the tag to verify. This must be a + /// readable buffer of at least \p tag_len Bytes. + /// \param tag_len The length of the tag to verify. + /// \param input The buffer holding the ciphertext. If \p length is greater + /// than zero, this must be a readable buffer of at least that + /// size. + /// \param output The buffer for holding the decrypted plaintext. If \p length + /// is greater than zero, this must be a writable buffer of at + /// least that size. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_encrypt_setup( - operation: *mut psa_aead_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 if successful and authenticated. + /// \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are + /// not valid or a cipher-specific error code if the decryption + /// failed. + pub fn mbedtls_gcm_auth_decrypt( + ctx: *mut mbedtls_gcm_context, + length: usize, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + add: *const ::core::ffi::c_uchar, + add_len: usize, + tag: *const ::core::ffi::c_uchar, + tag_len: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the key for a multipart authenticated decryption operation. - /// - /// The sequence of operations to decrypt a message with authentication - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_aead_operation_t, e.g. - /// #PSA_AEAD_OPERATION_INIT. - /// -# Call psa_aead_decrypt_setup() to specify the algorithm and key. - /// -# If needed, call psa_aead_set_lengths() to specify the length of the - /// inputs to the subsequent calls to psa_aead_update_ad() and - /// psa_aead_update(). See the documentation of psa_aead_set_lengths() - /// for details. - /// -# Call psa_aead_set_nonce() with the nonce for the decryption. - /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment - /// of the non-encrypted additional authenticated data each time. - /// -# Call psa_aead_update() zero, one or more times, passing a fragment - /// of the ciphertext to decrypt each time. - /// -# Call psa_aead_verify(). - /// - /// If an error occurs at any step after a call to psa_aead_decrypt_setup(), - /// the operation will need to be reset by a call to psa_aead_abort(). The - /// application may call psa_aead_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_aead_decrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_aead_verify(). - /// - A call to psa_aead_abort(). + /// \brief This function starts a GCM encryption or decryption + /// operation. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_aead_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param ctx The GCM context. This must be initialized. + /// \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or + /// #MBEDTLS_GCM_DECRYPT. + /// \param iv The initialization vector. This must be a readable buffer of + /// at least \p iv_len Bytes. + /// \param iv_len The length of the IV. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_decrypt_setup( - operation: *mut psa_aead_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + pub fn mbedtls_gcm_starts( + ctx: *mut mbedtls_gcm_context, + mode: ::core::ffi::c_int, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Generate a random nonce for an authenticated encryption operation. - /// - /// This function generates a random nonce for the authenticated encryption - /// operation with an appropriate size for the chosen algorithm, key type - /// and key size. - /// - /// The application must call psa_aead_encrypt_setup() before - /// calling this function. + /// \brief This function feeds an input buffer as associated data + /// (authenticated but not encrypted data) in a GCM + /// encryption or decryption operation. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// Call this function after mbedtls_gcm_starts() to pass + /// the associated data. If the associated data is empty, + /// you do not need to call this function. You may not + /// call this function after calling mbedtls_cipher_update(). /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] nonce Buffer where the generated nonce is to be - /// written. - /// \param nonce_size Size of the \p nonce buffer in bytes. - /// \param[out] nonce_length On success, the number of bytes of the - /// generated nonce. + /// \param ctx The GCM context. This must have been started with + /// mbedtls_gcm_starts() and must not have yet received + /// any input with mbedtls_gcm_update(). + /// \param add The buffer holding the additional data, or \c NULL + /// if \p add_len is \c 0. + /// \param add_len The length of the additional data. If \c 0, + /// \p add may be \c NULL. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p nonce buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active aead encrypt - /// operation, with no nonce set), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_generate_nonce( - operation: *mut psa_aead_operation_t, - nonce: *mut u8, - nonce_size: usize, - nonce_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + pub fn mbedtls_gcm_update_ad( + ctx: *mut mbedtls_gcm_context, + add: *const ::core::ffi::c_uchar, + add_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the nonce for an authenticated encryption or decryption operation. + /// \brief This function feeds an input buffer into an ongoing GCM + /// encryption or decryption operation. /// - /// This function sets the nonce for the authenticated - /// encryption or decryption operation. + /// You may call this function zero, one or more times + /// to pass successive parts of the input: the plaintext to + /// encrypt, or the ciphertext (not including the tag) to + /// decrypt. After the last part of the input, call + /// mbedtls_gcm_finish(). /// - /// The application must call psa_aead_encrypt_setup() or - /// psa_aead_decrypt_setup() before calling this function. + /// This function may produce output in one of the following + /// ways: + /// - Immediate output: the output length is always equal + /// to the input length. + /// - Buffered output: the output consists of a whole number + /// of 16-byte blocks. If the total input length so far + /// (not including associated data) is 16 \* *B* + *A* + /// with *A* < 16 then the total output length is 16 \* *B*. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// In particular: + /// - It is always correct to call this function with + /// \p output_size >= \p input_length + 15. + /// - If \p input_length is a multiple of 16 for all the calls + /// to this function during an operation, then it is + /// correct to use \p output_size = \p input_length. /// - /// \note When encrypting, applications should use psa_aead_generate_nonce() - /// instead of this function, unless implementing a protocol that requires - /// a non-random IV. + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. Implementations which require + /// MBEDTLS_GCM_ALT to be enabled may not provide support for + /// overlapping buffers. /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] nonce Buffer containing the nonce to use. - /// \param nonce_length Size of the nonce in bytes. + /// \param ctx The GCM context. This must be initialized. + /// \param input The buffer holding the input data. If \p input_length + /// is greater than zero, this must be a readable buffer + /// of at least \p input_length bytes. + /// \param input_length The length of the input data in bytes. + /// \param output The buffer for the output data. If \p output_size + /// is greater than zero, this must be a writable buffer of + /// of at least \p output_size bytes. + /// \param output_size The size of the output buffer in bytes. + /// See the function description regarding the output size. + /// \param output_length On success, \p *output_length contains the actual + /// length of the output written in \p output. + /// On failure, the content of \p *output_length is + /// unspecified. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The size of \p nonce is not acceptable for the chosen algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with no nonce - /// set), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_set_nonce( - operation: *mut psa_aead_operation_t, - nonce: *const u8, - nonce_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: + /// total input length too long, + /// unsupported input/output buffer overlap detected, + /// or \p output_size too small. + pub fn mbedtls_gcm_update( + ctx: *mut mbedtls_gcm_context, + input: *const ::core::ffi::c_uchar, + input_length: usize, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_length: *mut usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Declare the lengths of the message and additional data for AEAD. - /// - /// The application must call this function before calling - /// psa_aead_update_ad() or psa_aead_update() if the algorithm for - /// the operation requires it. If the algorithm does not require it, - /// calling this function is optional, but if this function is called - /// then the implementation must enforce the lengths. - /// - /// You may call this function before or after setting the nonce with - /// psa_aead_set_nonce() or psa_aead_generate_nonce(). - /// - /// - For #PSA_ALG_CCM, calling this function is required. - /// - For the other AEAD algorithms defined in this specification, calling - /// this function is not required. - /// - For vendor-defined algorithm, refer to the vendor documentation. + /// \brief This function finishes the GCM operation and generates + /// the authentication tag. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// It wraps up the GCM stream, and generates the + /// tag. The tag can have a maximum length of 16 Bytes. /// - /// \param[in,out] operation Active AEAD operation. - /// \param ad_length Size of the non-encrypted additional - /// authenticated data in bytes. - /// \param plaintext_length Size of the plaintext to encrypt in bytes. + /// \param ctx The GCM context. This must be initialized. + /// \param tag The buffer for holding the tag. This must be a writable + /// buffer of at least \p tag_len Bytes. + /// \param tag_len The length of the tag to generate. This must be at least + /// four. + /// \param output The buffer for the final output. + /// If \p output_size is nonzero, this must be a writable + /// buffer of at least \p output_size bytes. + /// \param output_size The size of the \p output buffer in bytes. + /// This must be large enough for the output that + /// mbedtls_gcm_update() has not produced. In particular: + /// - If mbedtls_gcm_update() produces immediate output, + /// or if the total input size is a multiple of \c 16, + /// then mbedtls_gcm_finish() never produces any output, + /// so \p output_size can be \c 0. + /// - \p output_size never needs to be more than \c 15. + /// \param output_length On success, \p *output_length contains the actual + /// length of the output written in \p output. + /// On failure, the content of \p *output_length is + /// unspecified. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// At least one of the lengths is not acceptable for the chosen - /// algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and - /// psa_aead_update_ad() and psa_aead_update() must not have been - /// called yet), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_set_lengths( - operation: *mut psa_aead_operation_t, - ad_length: usize, - plaintext_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: + /// invalid value of \p tag_len, + /// or \p output_size too small. + pub fn mbedtls_gcm_finish( + ctx: *mut mbedtls_gcm_context, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_length: *mut usize, + tag: *mut ::core::ffi::c_uchar, + tag_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Pass additional data to an active AEAD operation. - /// - /// Additional data is authenticated, but not encrypted. - /// - /// You may call this function multiple times to pass successive fragments - /// of the additional data. You may not call this function after passing - /// data to encrypt or decrypt with psa_aead_update(). - /// - /// Before calling this function, you must: - /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). - /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). - /// - /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, - /// there is no guarantee that the input is valid. Therefore, until - /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS, - /// treat the input as untrusted and prepare to undo any action that - /// depends on the input if psa_aead_verify() returns an error status. - /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] input Buffer containing the fragment of - /// additional data. - /// \param input_length Size of the \p input buffer in bytes. + /// \brief This function clears a GCM context and the underlying + /// cipher sub-context. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total input length overflows the additional data length that - /// was previously specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, have a nonce - /// set, have lengths set if required by the algorithm, and - /// psa_aead_update() must not have been called yet), or the library - /// has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_update_ad( - operation: *mut psa_aead_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \param ctx The GCM context to clear. If this is \c NULL, the call has + /// no effect. Otherwise, this must be initialized. + pub fn mbedtls_gcm_free(ctx: *mut mbedtls_gcm_context); } unsafe extern "C" { - /// Encrypt or decrypt a message fragment in an active AEAD operation. - /// - /// Before calling this function, you must: - /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). - /// The choice of setup function determines whether this function - /// encrypts or decrypts its input. - /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). - /// 3. Call psa_aead_update_ad() to pass all the additional data. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). - /// - /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, - /// there is no guarantee that the input is valid. Therefore, until - /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS: - /// - Do not use the output in any way other than storing it in a - /// confidential location. If you take any action that depends - /// on the tentative decrypted data, this action will need to be - /// undone if the input turns out not to be valid. Furthermore, - /// if an adversary can observe that this action took place - /// (for example through timing), they may be able to use this - /// fact as an oracle to decrypt any message encrypted with the - /// same key. - /// - In particular, do not copy the output anywhere but to a - /// memory or storage space that you have exclusive access to. - /// - /// This function does not require the input to be aligned to any - /// particular block boundary. If the implementation can only process - /// a whole block at a time, it must consume all the input provided, but - /// it may delay the end of the corresponding output until a subsequent - /// call to psa_aead_update(), psa_aead_finish() or psa_aead_verify() - /// provides sufficient input. The amount of data that can be delayed - /// in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE. - /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] input Buffer containing the message fragment to - /// encrypt or decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, - /// \c alg, \p input_length) where - /// \c key_type is the type of key and \c alg is - /// the algorithm that were used to set up the - /// operation. - /// - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p - /// input_length) evaluates to the maximum - /// output size of any supported AEAD - /// algorithm. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. + /// \brief The GCM checkup routine. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or - /// #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to - /// determine the required buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total input length overflows the plaintext length that - /// was previously specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, have a nonce - /// set, and have lengths set if required by the algorithm), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_update( - operation: *mut psa_aead_operation_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_gcm_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_hmac_operation_t { + /// The HMAC algorithm in use + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + /// The hash context. + pub hash_ctx: psa_hash_operation_s, + /// The HMAC part of the context. + pub private_opad: [u8; 128usize], +} +impl Default for mbedtls_psa_hmac_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_mac_operation_t { + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + pub private_ctx: mbedtls_psa_mac_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union mbedtls_psa_mac_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_hmac: mbedtls_psa_hmac_operation_t, + pub private_cmac: mbedtls_cipher_context_t, +} +impl Default for mbedtls_psa_mac_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_mac_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_aead_operation_t { + pub private_alg: psa_algorithm_t, + pub private_key_type: psa_key_type_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_tag_length: u8, + pub ctx: mbedtls_psa_aead_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_aead_operation_t__bindgen_ty_1 { + pub dummy: ::core::ffi::c_uint, + pub private_ccm: mbedtls_ccm_context, + pub private_gcm: mbedtls_gcm_context, + pub private_chachapoly: mbedtls_chachapoly_context, +} +impl Default for mbedtls_psa_aead_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_aead_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl mbedtls_psa_aead_operation_t { + #[inline] + pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_is_encrypt: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; + private_is_encrypt as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_sign_hash_interruptible_operation_t { + pub private_dummy: ::core::ffi::c_uint, +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_verify_hash_interruptible_operation_t { + pub private_dummy: ::core::ffi::c_uint, +} +///< Client +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_CLIENT: mbedtls_ecjpake_role = 0; +///< Server +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_SERVER: mbedtls_ecjpake_role = 1; +///< Undefined +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_NONE: mbedtls_ecjpake_role = 2; +/// Roles in the EC J-PAKE exchange +pub type mbedtls_ecjpake_role = ::core::ffi::c_uint; +/// EC J-PAKE context structure. +/// +/// J-PAKE is a symmetric protocol, except for the identifiers used in +/// Zero-Knowledge Proofs, and the serialization of the second message +/// (KeyExchange) as defined by the Thread spec. +/// +/// In order to benefit from this symmetry, we choose a different naming +/// convention from the Thread v1.0 spec. Correspondence is indicated in the +/// description as a pair C: client name, S: server name +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecjpake_context { + ///< Hash to use + pub private_md_type: mbedtls_md_type_t, + ///< Elliptic curve + pub private_grp: mbedtls_ecp_group, + ///< Are we client or server? + pub private_role: mbedtls_ecjpake_role, + ///< Format for point export + pub private_point_format: ::core::ffi::c_int, + ///< My public key 1 C: X1, S: X3 + pub private_Xm1: mbedtls_ecp_point, + ///< My public key 2 C: X2, S: X4 + pub private_Xm2: mbedtls_ecp_point, + ///< Peer public key 1 C: X3, S: X1 + pub private_Xp1: mbedtls_ecp_point, + ///< Peer public key 2 C: X4, S: X2 + pub private_Xp2: mbedtls_ecp_point, + ///< Peer public key C: Xs, S: Xc + pub private_Xp: mbedtls_ecp_point, + ///< My private key 1 C: x1, S: x3 + pub private_xm1: mbedtls_mpi, + ///< My private key 2 C: x2, S: x4 + pub private_xm2: mbedtls_mpi, + ///< Pre-shared secret (passphrase) + pub private_s: mbedtls_mpi, +} +impl Default for mbedtls_ecjpake_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Finish encrypting a message in an AEAD operation. - /// - /// The operation must have been set up with psa_aead_encrypt_setup(). + /// \brief Initialize an ECJPAKE context. /// - /// This function finishes the authentication of the additional data - /// formed by concatenating the inputs passed to preceding calls to - /// psa_aead_update_ad() with the plaintext formed by concatenating the - /// inputs passed to preceding calls to psa_aead_update(). + /// \param ctx The ECJPAKE context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_ecjpake_init(ctx: *mut mbedtls_ecjpake_context); +} +unsafe extern "C" { + /// \brief Set up an ECJPAKE context for use. /// - /// This function has two output buffers: - /// - \p ciphertext contains trailing ciphertext that was buffered from - /// preceding calls to psa_aead_update(). - /// - \p tag contains the authentication tag. + /// \note Currently the only values for hash/curve allowed by the + /// standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// \param ctx The ECJPAKE context to set up. This must be initialized. + /// \param role The role of the caller. This must be either + /// #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. + /// \param hash The identifier of the hash function to use, + /// for example #MBEDTLS_MD_SHA256. + /// \param curve The identifier of the elliptic curve to use, + /// for example #MBEDTLS_ECP_DP_SECP256R1. + /// \param secret The pre-shared secret (passphrase). This must be + /// a readable not empty buffer of length \p len Bytes. It need + /// only be valid for the duration of this call. + /// \param len The length of the pre-shared secret \p secret. /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] ciphertext Buffer where the last part of the ciphertext - /// is to be written. - /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, - /// \c alg) where \c key_type is the type of key - /// and \c alg is the algorithm that were used to - /// set up the operation. - /// - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to - /// the maximum output size of any supported AEAD - /// algorithm. - /// \param[out] ciphertext_length On success, the number of bytes of - /// returned ciphertext. - /// \param[out] tag Buffer where the authentication tag is - /// to be written. - /// \param tag_size Size of the \p tag buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c - /// key_type, \c key_bits, \c alg) where - /// \c key_type and \c key_bits are the type and - /// bit-size of the key, and \c alg is the - /// algorithm that were used in the call to - /// psa_aead_encrypt_setup(). - /// - #PSA_AEAD_TAG_MAX_SIZE evaluates to the - /// maximum tag size of any supported AEAD - /// algorithm. - /// \param[out] tag_length On success, the number of bytes - /// that make up the returned tag. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p ciphertext or \p tag buffer is too small. - /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or - /// #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the - /// required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type, - /// \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to - /// determine the required \p tag buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total length of input to psa_aead_update() so far is - /// less than the plaintext length that was previously - /// specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active encryption - /// operation with a nonce set), or the library has not been previously - /// initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_finish( - operation: *mut psa_aead_operation_t, - ciphertext: *mut u8, - ciphertext_size: usize, - ciphertext_length: *mut usize, - tag: *mut u8, - tag_size: usize, - tag_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_setup( + ctx: *mut mbedtls_ecjpake_context, + role: mbedtls_ecjpake_role, + hash: mbedtls_md_type_t, + curve: mbedtls_ecp_group_id, + secret: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish authenticating and decrypting a message in an AEAD operation. - /// - /// The operation must have been set up with psa_aead_decrypt_setup(). - /// - /// This function finishes the authenticated decryption of the message - /// components: + /// \brief Set the point format for future reads and writes. /// - /// - The additional data consisting of the concatenation of the inputs - /// passed to preceding calls to psa_aead_update_ad(). - /// - The ciphertext consisting of the concatenation of the inputs passed to - /// preceding calls to psa_aead_update(). - /// - The tag passed to this function call. + /// \param ctx The ECJPAKE context to configure. + /// \param point_format The point format to use: + /// #MBEDTLS_ECP_PF_UNCOMPRESSED (default) + /// or #MBEDTLS_ECP_PF_COMPRESSED. /// - /// If the authentication tag is correct, this function outputs any remaining - /// plaintext and reports success. If the authentication tag is not correct, - /// this function returns #PSA_ERROR_INVALID_SIGNATURE. + /// \return \c 0 if successful. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format + /// is invalid. + pub fn mbedtls_ecjpake_set_point_format( + ctx: *mut mbedtls_ecjpake_context, + point_format: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Check if an ECJPAKE context is ready for use. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// \param ctx The ECJPAKE context to check. This must be + /// initialized. /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual tag and the expected tag is performed - /// in constant time. + /// \return \c 0 if the context is ready for use. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. + pub fn mbedtls_ecjpake_check(ctx: *const mbedtls_ecjpake_context) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Generate and write the first round message + /// (TLS: contents of the Client/ServerHello extension, + /// excluding extension type and length bytes). /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] plaintext Buffer where the last part of the plaintext - /// is to be written. This is the remaining data - /// from previous calls to psa_aead_update() - /// that could not be processed until the end - /// of the input. - /// \param plaintext_size Size of the \p plaintext buffer in bytes. - /// This must be appropriate for the selected algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, - /// \c alg) where \c key_type is the type of key - /// and \c alg is the algorithm that were used to - /// set up the operation. - /// - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to - /// the maximum output size of any supported AEAD - /// algorithm. - /// \param[out] plaintext_length On success, the number of bytes of - /// returned plaintext. - /// \param[in] tag Buffer containing the authentication tag. - /// \param tag_length Size of the \p tag buffer in bytes. + /// \param ctx The ECJPAKE context to use. This must be + /// initialized and set up. + /// \param buf The buffer to write the contents to. This must be a + /// writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number + /// of Bytes written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculations were successful, but the authentication tag is - /// not correct. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p plaintext buffer is too small. - /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or - /// #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the - /// required buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total length of input to psa_aead_update() so far is - /// less than the plaintext length that was previously - /// specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active decryption - /// operation with a nonce set), or the library has not been previously - /// initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_verify( - operation: *mut psa_aead_operation_t, - plaintext: *mut u8, - plaintext_size: usize, - plaintext_length: *mut usize, - tag: *const u8, - tag_length: usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_round_one( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort an AEAD operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again. + /// \brief Read and process the first round message + /// (TLS: contents of the Client/ServerHello extension, + /// excluding extension type and length bytes). /// - /// You may call this function any time after the operation object has - /// been initialized as described in #psa_aead_operation_t. + /// \param ctx The ECJPAKE context to use. This must be initialized + /// and set up. + /// \param buf The buffer holding the first round message. This must + /// be a readable buffer of length \p len Bytes. + /// \param len The length in Bytes of \p buf. /// - /// In particular, calling psa_aead_abort() after the operation has been - /// terminated by a call to psa_aead_abort(), psa_aead_finish() or - /// psa_aead_verify() is safe and has no effect. + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_read_round_one( + ctx: *mut mbedtls_ecjpake_context, + buf: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Generate and write the second round message + /// (TLS: contents of the Client/ServerKeyExchange). /// - /// \param[in,out] operation Initialized AEAD operation. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up, and already have performed round one. + /// \param buf The buffer to write the round two contents to. + /// This must be a writable buffer of length \p len Bytes. + /// \param len The size of \p buf in Bytes. + /// \param olen The address at which to store the total number of Bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_abort(operation: *mut psa_aead_operation_t) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_round_two( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Sign a message with a private key. For hash-and-sign algorithms, - /// this includes the hashing step. + /// \brief Read and process the second round message + /// (TLS: contents of the Client/ServerKeyExchange). /// - /// \note To perform a multi-part hash-and-sign signature algorithm, first use - /// a multi-part hash operation and then pass the resulting hash to - /// psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the - /// hash algorithm to use. - /// - /// \param[in] key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) - /// is true), that is compatible with the type of - /// \p key. - /// \param[in] input The input message to sign. - /// \param[in] input_length Size of the \p input buffer in bytes. - /// \param[out] signature Buffer where the signature is to be written. - /// \param[in] signature_size Size of the \p signature buffer in bytes. This - /// must be appropriate for the selected - /// algorithm and key: - /// - The required signature size is - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and - /// bit-size respectively of key. - /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the - /// maximum signature size of any supported - /// signature algorithm. - /// \param[out] signature_length On success, the number of bytes that make up - /// the returned signature value. + /// \param ctx The ECJPAKE context to use. This must be initialized + /// and set up and already have performed round one. + /// \param buf The buffer holding the second round message. This must + /// be a readable buffer of length \p len Bytes. + /// \param len The length in Bytes of \p buf. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, - /// or it does not permit the requested algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_sign_message( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_read_round_two( + ctx: *mut mbedtls_ecjpake_context, + buf: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify the signature of a message with a public key, using - /// a hash-and-sign verification algorithm. - /// - /// \note To perform a multi-part hash-and-sign signature verification - /// algorithm, first use a multi-part hash operation to hash the message - /// and then pass the resulting hash to psa_verify_hash(). - /// PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm - /// to use. + /// \brief Derive the shared secret + /// (TLS: Pre-Master Secret). /// - /// \param[in] key Identifier of the key to use for the operation. - /// It must be a public key or an asymmetric key - /// pair. The key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) - /// is true), that is compatible with the type of - /// \p key. - /// \param[in] input The message whose signature is to be verified. - /// \param[in] input_length Size of the \p input buffer in bytes. - /// \param[out] signature Buffer containing the signature to verify. - /// \param[in] signature_length Size of the \p signature buffer in bytes. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up and have performed both round one and two. + /// \param buf The buffer to write the derived secret to. This must + /// be a writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number of Bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, - /// or it does not permit the requested algorithm. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed signature - /// is not a valid signature. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_verify_message( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - signature: *const u8, - signature_length: usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_derive_secret( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Sign a hash or short message with a private key. - /// - /// Note that to perform a hash-and-sign signature algorithm, you must - /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() - /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). - /// Then pass the resulting hash as the \p hash - /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) - /// to determine the hash algorithm to use. + /// \brief Write the shared key material to be passed to a Key + /// Derivation Function as described in RFC8236. /// - /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. - /// \param alg A signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message to sign. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[out] signature Buffer where the signature is to be written. - /// \param signature_size Size of the \p signature buffer in bytes. - /// \param[out] signature_length On success, the number of bytes - /// that make up the returned signature value. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up and have performed both round one and two. + /// \param buf The buffer to write the derived secret to. This must + /// be a writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number of bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_sign_hash( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_shared_key( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify the signature of a hash or short message using a public key. - /// - /// Note that to perform a hash-and-sign signature algorithm, you must - /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() - /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). - /// Then pass the resulting hash as the \p hash - /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) - /// to determine the hash algorithm to use. + /// \brief This clears an ECJPAKE context and frees any + /// embedded data structure. /// - /// \param key Identifier of the key to use for the operation. It - /// must be a public key or an asymmetric key pair. The - /// key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_HASH. - /// \param alg A signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message whose signature is to be - /// verified. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[in] signature Buffer containing the signature to verify. - /// \param signature_length Size of the \p signature buffer in bytes. + /// \param ctx The ECJPAKE context to free. This may be \c NULL, + /// in which case this function does nothing. If it is not + /// \c NULL, it must point to an initialized ECJPAKE context. + pub fn mbedtls_ecjpake_free(ctx: *mut mbedtls_ecjpake_context); +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// \retval #PSA_SUCCESS - /// The signature is valid. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed - /// signature is not a valid signature. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_verify_hash( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *const u8, - signature_length: usize, - ) -> psa_status_t; + /// \return 0 if successful, or 1 if a test failed + pub fn mbedtls_ecjpake_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief Encrypt a short message with a public key. - /// - /// \param key Identifier of the key to use for the operation. - /// It must be a public key or an asymmetric key - /// pair. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg An asymmetric encryption algorithm that is - /// compatible with the type of \p key. - /// \param[in] input The message to encrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[in] salt A salt or label, if supported by the - /// encryption algorithm. - /// If the algorithm does not support a - /// salt, pass \c NULL. - /// If the algorithm supports an optional - /// salt and you do not want to pass a salt, - /// pass \c NULL. - /// - /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is - /// supported. - /// \param salt_length Size of the \p salt buffer in bytes. - /// If \p salt is \c NULL, pass 0. - /// \param[out] output Buffer where the encrypted message is to - /// be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_asymmetric_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - salt: *const u8, - salt_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_pake_operation_t { + pub private_alg: psa_algorithm_t, + pub private_password: *mut u8, + pub private_password_len: usize, + pub private_role: mbedtls_ecjpake_role, + pub private_buffer: [u8; 336usize], + pub private_buffer_length: usize, + pub private_buffer_offset: usize, + pub private_ctx: mbedtls_psa_pake_operation_t__bindgen_ty_1, } -unsafe extern "C" { - /// \brief Decrypt a short message with a private key. - /// - /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. It must - /// allow the usage #PSA_KEY_USAGE_DECRYPT. - /// \param alg An asymmetric encryption algorithm that is - /// compatible with the type of \p key. - /// \param[in] input The message to decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[in] salt A salt or label, if supported by the - /// encryption algorithm. - /// If the algorithm does not support a - /// salt, pass \c NULL. - /// If the algorithm supports an optional - /// salt and you do not want to pass a salt, - /// pass \c NULL. - /// - /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is - /// supported. - /// \param salt_length Size of the \p salt buffer in bytes. - /// If \p salt is \c NULL, pass 0. - /// \param[out] output Buffer where the decrypted message is to - /// be written. - /// \param output_size Size of the \c output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INVALID_PADDING \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_asymmetric_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - salt: *const u8, - salt_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_pake_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_jpake: mbedtls_ecjpake_context, } -/// The type of the state data structure for key derivation operations. -/// -/// Before calling any function on a key derivation operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_key_derivation_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_key_derivation_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT, -/// for example: -/// \code -/// psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_key_derivation_operation_init() -/// to the structure, for example: -/// \code -/// psa_key_derivation_operation_t operation; -/// operation = psa_key_derivation_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_key_derivation_operation_t = psa_key_derivation_s; -unsafe extern "C" { - /// Set up a key derivation operation. - /// - /// A key derivation algorithm takes some inputs and uses them to generate - /// a byte stream in a deterministic way. - /// This byte stream can be used to produce keys and other - /// cryptographic material. - /// - /// To derive a key: - /// -# Start with an initialized object of type #psa_key_derivation_operation_t. - /// -# Call psa_key_derivation_setup() to select the algorithm. - /// -# Provide the inputs for the key derivation by calling - /// psa_key_derivation_input_bytes() or psa_key_derivation_input_key() - /// as appropriate. Which inputs are needed, in what order, and whether - /// they may be keys and if so of what type depends on the algorithm. - /// -# Optionally set the operation's maximum capacity with - /// psa_key_derivation_set_capacity(). You may do this before, in the middle - /// of or after providing inputs. For some algorithms, this step is mandatory - /// because the output depends on the maximum capacity. - /// -# To derive a key, call psa_key_derivation_output_key(). - /// To derive a byte string for a different purpose, call - /// psa_key_derivation_output_bytes(). - /// Successive calls to these functions use successive output bytes - /// calculated by the key derivation algorithm. - /// -# Clean up the key derivation operation object with - /// psa_key_derivation_abort(). - /// - /// If this function returns an error, the key derivation operation object is - /// not changed. - /// - /// If an error occurs at any step after a call to psa_key_derivation_setup(), - /// the operation will need to be reset by a call to psa_key_derivation_abort(). - /// - /// Implementations must reject an attempt to derive a key of size 0. - /// - /// \param[in,out] operation The key derivation operation object - /// to set up. It must - /// have been initialized but not set up yet. - /// \param alg The key derivation algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c alg is not a key derivation algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a key derivation algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_setup( - operation: *mut psa_key_derivation_operation_t, - alg: psa_algorithm_t, - ) -> psa_status_t; +impl Default for mbedtls_psa_pake_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Retrieve the current capacity of a key derivation operation. - /// - /// The capacity of a key derivation is the maximum number of bytes that it can - /// return. When you get *N* bytes of output from a key derivation operation, - /// this reduces its capacity by *N*. - /// - /// \param[in] operation The operation to query. - /// \param[out] capacity On success, the capacity of the operation. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_get_capacity( - operation: *const psa_key_derivation_operation_t, - capacity: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_pake_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Set the maximum capacity of a key derivation operation. - /// - /// The capacity of a key derivation operation is the maximum number of bytes - /// that the key derivation operation can return from this point onwards. - /// - /// \param[in,out] operation The key derivation operation object to modify. - /// \param capacity The new capacity of the operation. - /// It must be less or equal to the operation's - /// current capacity. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p capacity is larger than the operation's current capacity. - /// In this case, the operation object remains valid and its capacity - /// remains unchanged. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_set_capacity( - operation: *mut psa_key_derivation_operation_t, - capacity: usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_mac_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_mac_operation_t, } -unsafe extern "C" { - /// Provide an input for key derivation or key agreement. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function passes direct inputs, which is usually correct for - /// non-secret inputs. To pass a secret input, which should be in a key - /// object, call psa_key_derivation_input_key() instead of this function. - /// Refer to the documentation of individual step types - /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) - /// for more information. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param[in] data Input data to use. - /// \param data_length Size of the \p data buffer in bytes. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow direct inputs. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_bytes( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - data: *const u8, - data_length: usize, - ) -> psa_status_t; +impl Default for psa_driver_mac_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Provide a numeric input for key derivation or key agreement. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// However, when an algorithm requires a particular order, numeric inputs - /// usually come first as they tend to be configuration parameters. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function is used for inputs which are fixed-size non-negative - /// integers. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param[in] value The value of the numeric input. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow numeric inputs. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_integer( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - value: u64, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_aead_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_aead_operation_t, } -unsafe extern "C" { - /// Provide an input for key derivation in the form of a key. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function obtains input from a key object, which is usually correct for - /// secret inputs or for non-secret personalization strings kept in the key - /// store. To pass a non-secret parameter which is not in the key store, - /// call psa_key_derivation_input_bytes() instead of this function. - /// Refer to the documentation of individual step types - /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) - /// for more information. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param key Identifier of the key. It must have an - /// appropriate type for step and must allow the - /// usage #PSA_KEY_USAGE_DERIVE or - /// #PSA_KEY_USAGE_VERIFY_DERIVATION (see note) - /// and the algorithm used by the operation. - /// - /// \note Once all inputs steps are completed, the operations will allow: - /// - psa_key_derivation_output_bytes() if each input was either a direct input - /// or a key with #PSA_KEY_USAGE_DERIVE set; - /// - psa_key_derivation_output_key() if the input for step - /// #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD - /// was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was - /// either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; - /// - psa_key_derivation_verify_bytes() if each input was either a direct input - /// or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; - /// - psa_key_derivation_verify_key() under the same conditions as - /// psa_key_derivation_verify_bytes(). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key allows neither #PSA_KEY_USAGE_DERIVE nor - /// #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this - /// algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow key inputs of the given type - /// or does not allow key inputs at all. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_key( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - key: mbedtls_svc_key_id_t, - ) -> psa_status_t; +impl Default for psa_driver_aead_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Perform a key agreement and use the shared secret as input to a key - /// derivation. - /// - /// A key agreement algorithm takes two inputs: a private key \p private_key - /// a public key \p peer_key. - /// The result of this function is passed as input to a key derivation. - /// The output of this key derivation can be extracted by reading from the - /// resulting operation to produce keys and other cryptographic material. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() with a - /// key agreement and derivation algorithm - /// \c alg (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true - /// and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg) - /// is false). - /// The operation must be ready for an - /// input of the type given by \p step. - /// \param step Which step the input data is for. - /// \param private_key Identifier of the private key to use. It must - /// allow the usage #PSA_KEY_USAGE_DERIVE. - /// \param[in] peer_key Public key of the peer. The peer key must be in the - /// same format that psa_import_key() accepts for the - /// public key type corresponding to the type of - /// private_key. That is, this function performs the - /// equivalent of - /// #psa_import_key(..., - /// `peer_key`, `peer_key_length`) where - /// with key attributes indicating the public key - /// type corresponding to the type of `private_key`. - /// For example, for EC keys, this means that peer_key - /// is interpreted as a point on the curve that the - /// private key is on. The standard formats for public - /// keys are documented in the documentation of - /// psa_export_public_key(). - /// \param peer_key_length Size of \p peer_key in bytes. +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_sign_hash_interruptible_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_sign_hash_interruptible_operation_t, +} +impl Default for psa_driver_sign_hash_interruptible_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_verify_hash_interruptible_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_verify_hash_interruptible_operation_t, +} +impl Default for psa_driver_verify_hash_interruptible_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_pake_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_pake_operation_t, +} +impl Default for psa_driver_pake_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_mac_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_mac_size: u8, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub __bindgen_padding_0: u64, + pub private_ctx: psa_driver_mac_context_t, +} +impl Default for psa_mac_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_mac_operation_s { + #[inline] + pub fn private_is_sign(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_sign(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_sign_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_sign_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_is_sign: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_is_sign: u32 = unsafe { ::core::mem::transmute(private_is_sign) }; + private_is_sign as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_aead_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_alg: psa_algorithm_t, + pub private_key_type: psa_key_type_t, + pub private_ad_remaining: usize, + pub private_body_remaining: usize, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_ctx: psa_driver_aead_context_t, +} +impl Default for psa_aead_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_aead_operation_s { + #[inline] + pub fn private_nonce_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_nonce_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_nonce_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_nonce_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_lengths_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_lengths_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(1usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_lengths_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 1usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_lengths_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 1usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_ad_started(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_ad_started(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(2usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_ad_started_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 2usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_ad_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 2usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_body_started(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(3usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_body_started(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(3usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_body_started_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 3usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_body_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 3usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(4usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(4usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 4usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 4usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_nonce_set: ::core::ffi::c_uint, + private_lengths_set: ::core::ffi::c_uint, + private_ad_started: ::core::ffi::c_uint, + private_body_started: ::core::ffi::c_uint, + private_is_encrypt: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_nonce_set: u32 = unsafe { ::core::mem::transmute(private_nonce_set) }; + private_nonce_set as u64 + }); + __bindgen_bitfield_unit.set(1usize, 1u8, { + let private_lengths_set: u32 = unsafe { ::core::mem::transmute(private_lengths_set) }; + private_lengths_set as u64 + }); + __bindgen_bitfield_unit.set(2usize, 1u8, { + let private_ad_started: u32 = unsafe { ::core::mem::transmute(private_ad_started) }; + private_ad_started as u64 + }); + __bindgen_bitfield_unit.set(3usize, 1u8, { + let private_body_started: u32 = unsafe { ::core::mem::transmute(private_body_started) }; + private_body_started as u64 + }); + __bindgen_bitfield_unit.set(4usize, 1u8, { + let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; + private_is_encrypt as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_hkdf_key_derivation_t { + pub private_info: *mut u8, + pub private_info_length: usize, + pub private_offset_in_block: u8, + pub private_block_number: u8, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_output_block: [u8; 64usize], + pub private_prk: [u8; 64usize], + pub __bindgen_padding_0: [u64; 0usize], + pub private_hmac: psa_mac_operation_s, +} +impl Default for psa_hkdf_key_derivation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_hkdf_key_derivation_t { + #[inline] + pub fn private_state(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 2u8) as u32) } + } + #[inline] + pub fn set_private_state(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 2u8, val as u64) + } + } + #[inline] + pub unsafe fn private_state_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 2u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_state_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 2u8, + val as u64, + ) + } + } + #[inline] + pub fn private_info_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_info_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(2usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_info_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 2usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_info_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 2usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_state: ::core::ffi::c_uint, + private_info_set: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 2u8, { + let private_state: u32 = unsafe { ::core::mem::transmute(private_state) }; + private_state as u64 + }); + __bindgen_bitfield_unit.set(2usize, 1u8, { + let private_info_set: u32 = unsafe { ::core::mem::transmute(private_info_set) }; + private_info_set as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_tls12_ecjpake_to_pms_t { + pub private_data: [u8; 32usize], +} +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_INIT: + psa_tls12_prf_key_derivation_state_t = 0; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_SEED_SET: + psa_tls12_prf_key_derivation_state_t = 1; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OTHER_KEY_SET: + psa_tls12_prf_key_derivation_state_t = 2; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_KEY_SET: + psa_tls12_prf_key_derivation_state_t = 3; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_LABEL_SET: + psa_tls12_prf_key_derivation_state_t = 4; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OUTPUT: + psa_tls12_prf_key_derivation_state_t = 5; +pub type psa_tls12_prf_key_derivation_state_t = ::core::ffi::c_uint; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_tls12_prf_key_derivation_s { + pub private_left_in_block: u8, + pub private_block_number: u8, + pub private_state: psa_tls12_prf_key_derivation_state_t, + pub private_secret: *mut u8, + pub private_secret_length: usize, + pub private_seed: *mut u8, + pub private_seed_length: usize, + pub private_label: *mut u8, + pub private_label_length: usize, + pub private_other_secret: *mut u8, + pub private_other_secret_length: usize, + pub private_Ai: [u8; 64usize], + pub private_output_block: [u8; 64usize], +} +impl Default for psa_tls12_prf_key_derivation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub type psa_tls12_prf_key_derivation_t = psa_tls12_prf_key_derivation_s; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_key_derivation_context_t { + pub dummy: ::core::ffi::c_uint, + pub private_hkdf: psa_hkdf_key_derivation_t, + pub private_tls12_prf: psa_tls12_prf_key_derivation_t, + pub private_tls12_ecjpake_to_pms: psa_tls12_ecjpake_to_pms_t, +} +impl Default for psa_driver_key_derivation_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_key_derivation_s { + pub private_alg: psa_algorithm_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_capacity: usize, + pub __bindgen_padding_0: [u64; 0usize], + pub private_ctx: psa_driver_key_derivation_context_t, +} +impl Default for psa_key_derivation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_key_derivation_s { + #[inline] + pub fn private_can_output_key(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_can_output_key(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_can_output_key_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_can_output_key_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_can_output_key: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_can_output_key: u32 = + unsafe { ::core::mem::transmute(private_can_output_key) }; + private_can_output_key as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_custom_key_parameters_s { + pub flags: u32, +} +#[repr(C)] +#[derive(Default)] +pub struct psa_key_production_parameters_s { + pub flags: u32, + pub data: __IncompleteArrayField, +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_key_policy_s { + pub private_usage: psa_key_usage_t, + pub private_alg: psa_algorithm_t, + pub private_alg2: psa_algorithm_t, +} +pub type psa_key_policy_t = psa_key_policy_s; +pub type psa_key_bits_t = u16; +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_key_attributes_s { + pub private_type: psa_key_type_t, + pub private_bits: psa_key_bits_t, + pub private_lifetime: psa_key_lifetime_t, + pub private_policy: psa_key_policy_t, + pub private_id: mbedtls_svc_key_id_t, +} +/// \brief The context for PSA interruptible hash signing. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_sign_hash_interruptible_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_ctx: psa_driver_sign_hash_interruptible_context_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_num_ops: u32, +} +impl Default for psa_sign_hash_interruptible_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_sign_hash_interruptible_operation_s { + #[inline] + pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_error_occurred: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_error_occurred: u32 = + unsafe { ::core::mem::transmute(private_error_occurred) }; + private_error_occurred as u64 + }); + __bindgen_bitfield_unit + } +} +/// \brief The context for PSA interruptible hash verification. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_verify_hash_interruptible_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_ctx: psa_driver_verify_hash_interruptible_context_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_num_ops: u32, +} +impl Default for psa_verify_hash_interruptible_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_verify_hash_interruptible_operation_s { + #[inline] + pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_error_occurred: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_error_occurred: u32 = + unsafe { ::core::mem::transmute(private_error_occurred) }; + private_error_occurred as u64 + }); + __bindgen_bitfield_unit + } +} +unsafe extern "C" { + /// \brief Library initialization. + /// + /// Applications must call this function before calling any other + /// function in this module. + /// + /// Applications may call this function more than once. Once a call + /// succeeds, subsequent calls are guaranteed to succeed. + /// + /// If the application calls other functions before calling psa_crypto_init(), + /// the behavior is undefined. Implementations are encouraged to either perform + /// the operation as if the library had been initialized or to return + /// #PSA_ERROR_BAD_STATE or some other applicable error. In particular, + /// implementations should not return a success status if the lack of + /// initialization may have security implications, for example due to improper + /// seeding of the random number generator. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + pub fn psa_crypto_init() -> psa_status_t; +} +unsafe extern "C" { + /// Retrieve the attributes of a key. + /// + /// This function first resets the attribute structure as with + /// psa_reset_key_attributes(). It then copies the attributes of + /// the given key into the given attribute structure. + /// + /// \note This function may allocate memory or other resources. + /// Once you have called this function on an attribute structure, + /// you must call psa_reset_key_attributes() to free these resources. + /// + /// \param[in] key Identifier of the key to query. + /// \param[in,out] attributes On success, the attributes of the key. + /// On failure, equivalent to a + /// freshly-initialized structure. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_get_key_attributes( + key: mbedtls_svc_key_id_t, + attributes: *mut psa_key_attributes_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Reset a key attribute structure to a freshly initialized state. + /// + /// You must initialize the attribute structure as described in the + /// documentation of the type #psa_key_attributes_t before calling this + /// function. Once the structure has been initialized, you may call this + /// function at any time. + /// + /// This function frees any auxiliary resources that the structure + /// may contain. + /// + /// \param[in,out] attributes The attribute structure to reset. + pub fn psa_reset_key_attributes(attributes: *mut psa_key_attributes_t); +} +unsafe extern "C" { + /// Remove non-essential copies of key material from memory. + /// + /// If the key identifier designates a volatile key, this functions does not do + /// anything and returns successfully. + /// + /// If the key identifier designates a persistent key, then this function will + /// free all resources associated with the key in volatile memory. The key + /// data in persistent storage is not affected and the key can still be used. + /// + /// \param key Identifier of the key to purge. + /// + /// \retval #PSA_SUCCESS + /// The key material will have been removed from memory if it is not + /// currently required. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not a valid key identifier. + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_purge_key(key: mbedtls_svc_key_id_t) -> psa_status_t; +} +unsafe extern "C" { + /// Make a copy of a key. + /// + /// Copy key material from one location to another. + /// + /// This function is primarily useful to copy a key from one location + /// to another, since it populates a key using the material from + /// another key which may have a different lifetime. + /// + /// This function may be used to share a key with a different party, + /// subject to implementation-defined restrictions on key sharing. + /// + /// The policy on the source key must have the usage flag + /// #PSA_KEY_USAGE_COPY set. + /// This flag is sufficient to permit the copy if the key has the lifetime + /// #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT. + /// Some secure elements do not provide a way to copy a key without + /// making it extractable from the secure element. If a key is located + /// in such a secure element, then the key must have both usage flags + /// #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make + /// a copy of the key outside the secure element. + /// + /// The resulting key may only be used in a way that conforms to + /// both the policy of the original key and the policy specified in + /// the \p attributes parameter: + /// - The usage flags on the resulting key are the bitwise-and of the + /// usage flags on the source policy and the usage flags in \p attributes. + /// - If both allow the same algorithm or wildcard-based + /// algorithm policy, the resulting key has the same algorithm policy. + /// - If either of the policies allows an algorithm and the other policy + /// allows a wildcard-based algorithm policy that includes this algorithm, + /// the resulting key allows the same algorithm. + /// - If the policies do not allow any algorithm in common, this function + /// fails with the status #PSA_ERROR_INVALID_ARGUMENT. + /// + /// The effect of this function on implementation-defined attributes is + /// implementation-defined. + /// + /// \param source_key The key to copy. It must allow the usage + /// #PSA_KEY_USAGE_COPY. If a private or secret key is + /// being copied outside of a secure element it must + /// also allow #PSA_KEY_USAGE_EXPORT. + /// \param[in] attributes The attributes for the new key. + /// They are used as follows: + /// - The key type and size may be 0. If either is + /// nonzero, it must match the corresponding + /// attribute of the source key. + /// - The key location (the lifetime and, for + /// persistent keys, the key identifier) is + /// used directly. + /// - The policy constraints (usage flags and + /// algorithm policy) are combined from + /// the source key and \p attributes so that + /// both sets of restrictions apply, as + /// described in the documentation of this function. + /// \param[out] target_key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p source_key is invalid. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The lifetime or identifier in \p attributes are invalid, or + /// the policy constraints on the source and specified in + /// \p attributes are incompatible, or + /// \p attributes specifies a key type or key size + /// which does not match the attributes of the source key. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or + /// the source key is not exportable and its lifetime does not + /// allow copying it to the target's lifetime. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_copy_key( + source_key: mbedtls_svc_key_id_t, + attributes: *const psa_key_attributes_t, + target_key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Destroy a key. + /// + /// This function destroys a key from both volatile + /// memory and, if applicable, non-volatile storage. Implementations shall + /// make a best effort to ensure that the key material cannot be recovered. + /// + /// This function also erases any metadata such as policies and frees + /// resources associated with the key. + /// + /// If a key is currently in use in a multipart operation, then destroying the + /// key will cause the multipart operation to fail. + /// + /// \warning We can only guarantee that the the key material will + /// eventually be wiped from memory. With threading enabled + /// and during concurrent execution, copies of the key material may + /// still exist until all threads have finished using the key. + /// + /// \param key Identifier of the key to erase. If this is \c 0, do nothing and + /// return #PSA_SUCCESS. + /// + /// \retval #PSA_SUCCESS + /// \p key was a valid identifier and the key material that it + /// referred to has been erased. Alternatively, \p key is \c 0. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key cannot be erased because it is + /// read-only, either due to a policy or due to physical restrictions. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p key is not a valid identifier nor \c 0. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE + /// There was a failure in communication with the cryptoprocessor. + /// The key material may still be present in the cryptoprocessor. + /// \retval #PSA_ERROR_DATA_INVALID + /// This error is typically a result of either storage corruption on a + /// cleartext storage backend, or an attempt to read data that was + /// written by an incompatible version of the library. + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The storage is corrupted. Implementations shall make a best effort + /// to erase key material even in this stage, however applications + /// should be aware that it may be impossible to guarantee that the + /// key material is not recoverable in such cases. + /// \retval #PSA_ERROR_CORRUPTION_DETECTED + /// An unexpected condition which is not a storage corruption or + /// a communication failure occurred. The cryptoprocessor may have + /// been compromised. + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_destroy_key(key: mbedtls_svc_key_id_t) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Import a key in binary format. + /// + /// This function supports any output from psa_export_key(). Refer to the + /// documentation of psa_export_public_key() for the format of public keys + /// and to the documentation of psa_export_key() for the format for + /// other key types. + /// + /// The key data determines the key size. The attributes may optionally + /// specify a key size; in this case it must match the size determined + /// from the key data. A key size of 0 in \p attributes indicates that + /// the key size is solely determined by the key data. + /// + /// Implementations must reject an attempt to import a key of size 0. + /// + /// This specification supports a single format for each key type. + /// Implementations may support other formats as long as the standard + /// format is supported. Implementations that support other formats + /// should ensure that the formats are clearly unambiguous so as to + /// minimize the risk that an invalid input is accidentally interpreted + /// according to a different format. + /// + /// \param[in] attributes The attributes for the new key. + /// The key size is always determined from the + /// \p data buffer. + /// If the key size in \p attributes is nonzero, + /// it must be equal to the size from \p data. + /// \param[out] key On success, an identifier to the newly created key. + /// For persistent keys, this is the key identifier + /// defined in \p attributes. + /// \c 0 on failure. + /// \param[in] data Buffer containing the key data. The content of this + /// buffer is interpreted according to the type declared + /// in \p attributes. + /// All implementations must support at least the format + /// described in the documentation + /// of psa_export_key() or psa_export_public_key() for + /// the chosen type. Implementations may allow other + /// formats, but should be conservative: implementations + /// should err on the side of rejecting content if it + /// may be erroneous (e.g. wrong type or truncated data). + /// \param data_length Size of the \p data buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular persistent location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key attributes, as a whole, are invalid, or + /// the key data is not correctly formatted, or + /// the size in \p attributes is nonzero and does not match the size + /// of the key data. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_import_key( + attributes: *const psa_key_attributes_t, + data: *const u8, + data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Export a key in binary format. + /// + /// The output of this function can be passed to psa_import_key() to + /// create an equivalent object. + /// + /// If the implementation of psa_import_key() supports other formats + /// beyond the format specified here, the output from psa_export_key() + /// must use the representation specified here, not the original + /// representation. + /// + /// For standard key types, the output format is as follows: + /// + /// - For symmetric keys (including MAC keys), the format is the + /// raw bytes of the key. + /// - For DES, the key data consists of 8 bytes. The parity bits must be + /// correct. + /// - For Triple-DES, the format is the concatenation of the + /// two or three DES keys. + /// - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format + /// is the non-encrypted DER encoding of the representation defined by + /// PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0. + /// ``` + /// RSAPrivateKey ::= SEQUENCE { + /// version INTEGER, -- must be 0 + /// modulus INTEGER, -- n + /// publicExponent INTEGER, -- e + /// privateExponent INTEGER, -- d + /// prime1 INTEGER, -- p + /// prime2 INTEGER, -- q + /// exponent1 INTEGER, -- d mod (p-1) + /// exponent2 INTEGER, -- d mod (q-1) + /// coefficient INTEGER, -- (inverse of q) mod p + /// } + /// ``` + /// - For elliptic curve key pairs (key types for which + /// #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is + /// a representation of the private value as a `ceiling(m/8)`-byte string + /// where `m` is the bit size associated with the curve, i.e. the bit size + /// of the order of the curve's coordinate field. This byte string is + /// in little-endian order for Montgomery curves (curve types + /// `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass + /// curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX` + /// and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`). + /// For Weierstrass curves, this is the content of the `privateKey` field of + /// the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves, + /// the format is defined by RFC 7748, and output is masked according to §5. + /// For twisted Edwards curves, the private key is as defined by RFC 8032 + /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). + /// - For Diffie-Hellman key exchange key pairs (key types for which + /// #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the + /// format is the representation of the private key `x` as a big-endian byte + /// string. The length of the byte string is the private key size in bytes + /// (leading zeroes are not stripped). + /// - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is + /// true), the format is the same as for psa_export_public_key(). + /// + /// The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set. + /// + /// \param key Identifier of the key to export. It must allow the + /// usage #PSA_KEY_USAGE_EXPORT, unless it is a public + /// key. + /// \param[out] data Buffer where the key data is to be written. + /// \param data_size Size of the \p data buffer in bytes. + /// \param[out] data_length On success, the number of bytes + /// that make up the key data. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_EXPORT flag. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p data buffer is too small. You can determine a + /// sufficient buffer size by calling + /// #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits) + /// where \c type is the key type + /// and \c bits is the key size in bits. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_export_key( + key: mbedtls_svc_key_id_t, + data: *mut u8, + data_size: usize, + data_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Export a public key or the public part of a key pair in binary format. + /// + /// The output of this function can be passed to psa_import_key() to + /// create an object that is equivalent to the public key. + /// + /// This specification supports a single format for each key type. + /// Implementations may support other formats as long as the standard + /// format is supported. Implementations that support other formats + /// should ensure that the formats are clearly unambiguous so as to + /// minimize the risk that an invalid input is accidentally interpreted + /// according to a different format. + /// + /// For standard key types, the output format is as follows: + /// - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of + /// the representation defined by RFC 3279 §2.3.1 as `RSAPublicKey`. + /// ``` + /// RSAPublicKey ::= SEQUENCE { + /// modulus INTEGER, -- n + /// publicExponent INTEGER } -- e + /// ``` + /// - For elliptic curve keys on a twisted Edwards curve (key types for which + /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY + /// returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined + /// by RFC 8032 + /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). + /// - For other elliptic curve public keys (key types for which + /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed + /// representation defined by SEC1 §2.3.3 as the content of an ECPoint. + /// Let `m` be the bit size associated with the curve, i.e. the bit size of + /// `q` for a curve over `F_q`. The representation consists of: + /// - The byte 0x04; + /// - `x_P` as a `ceiling(m/8)`-byte string, big-endian; + /// - `y_P` as a `ceiling(m/8)`-byte string, big-endian. + /// - For Diffie-Hellman key exchange public keys (key types for which + /// #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true), + /// the format is the representation of the public key `y = g^x mod p` as a + /// big-endian byte string. The length of the byte string is the length of the + /// base prime `p` in bytes. + /// + /// Exporting a public key object or the public part of a key pair is + /// always permitted, regardless of the key's usage flags. + /// + /// \param key Identifier of the key to export. + /// \param[out] data Buffer where the key data is to be written. + /// \param data_size Size of the \p data buffer in bytes. + /// \param[out] data_length On success, the number of bytes + /// that make up the key data. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key is neither a public key nor a key pair. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p data buffer is too small. You can determine a + /// sufficient buffer size by calling + /// #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits) + /// where \c type is the key type + /// and \c bits is the key size in bits. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_export_public_key( + key: mbedtls_svc_key_id_t, + data: *mut u8, + data_size: usize, + data_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Calculate the hash (digest) of a message. + /// + /// \note To verify the hash of a message against an + /// expected value, use psa_hash_compare() instead. + /// + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param[in] input Buffer containing the message to hash. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] hash Buffer where the hash is to be written. + /// \param hash_size Size of the \p hash buffer in bytes. + /// \param[out] hash_length On success, the number of bytes + /// that make up the hash value. This is always + /// #PSA_HASH_LENGTH(\p alg). /// /// \retval #PSA_SUCCESS /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a hash algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p hash_size is too small + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_compute( + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + hash: *mut u8, + hash_size: usize, + hash_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Calculate the hash (digest) of a message and compare it with a + /// reference value. + /// + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param[in] input Buffer containing the message to hash. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] hash Buffer containing the expected hash value. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected hash is identical to the actual hash of the input. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The hash of the message was calculated successfully, but it + /// differs from the expected hash. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a hash algorithm. /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c private_key is not compatible with \c alg, - /// or \p peer_key is not valid for \c alg or not compatible with - /// \c private_key, or \c step does not allow an input resulting - /// from a key agreement. + /// \p input_length or \p hash_length do not match the hash size for \p alg + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_compare( + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + hash: *const u8, + hash_length: usize, + ) -> psa_status_t; +} +/// The type of the state data structure for multipart hash operations. +/// +/// Before calling any function on a hash operation object, the application must +/// initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_hash_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_hash_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT, +/// for example: +/// \code +/// psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_hash_operation_init() +/// to the structure, for example: +/// \code +/// psa_hash_operation_t operation; +/// operation = psa_hash_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_hash_operation_t = psa_hash_operation_s; +unsafe extern "C" { + /// Set up a multipart hash operation. + /// + /// The sequence of operations to calculate a hash (message digest) + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT. + /// -# Call psa_hash_setup() to specify the algorithm. + /// -# Call psa_hash_update() zero, one or more times, passing a fragment + /// of the message each time. The hash that is calculated is the hash + /// of the concatenation of these messages in order. + /// -# To calculate the hash, call psa_hash_finish(). + /// To compare the hash with an expected value, call psa_hash_verify(). + /// + /// If an error occurs at any step after a call to psa_hash_setup(), the + /// operation will need to be reset by a call to psa_hash_abort(). The + /// application may call psa_hash_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_hash_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_hash_finish() or psa_hash_verify(). + /// - A call to psa_hash_abort(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_hash_operation_t and not yet in use. + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// + /// \retval #PSA_SUCCESS + /// Success. /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a key derivation algorithm. + /// \p alg is not a supported hash algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p alg is not a hash algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this key agreement \p step, - /// or the library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_key_agreement( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - private_key: mbedtls_svc_key_id_t, - peer_key: *const u8, - peer_key_length: usize, + pub fn psa_hash_setup( + operation: *mut psa_hash_operation_t, + alg: psa_algorithm_t, ) -> psa_status_t; } unsafe extern "C" { - /// Read some data from a key derivation operation. + /// Add a message fragment to a multipart hash operation. /// - /// This function calculates output bytes from a key derivation algorithm and - /// return those bytes. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the requested number of bytes from the - /// stream. - /// The operation's capacity decreases by the number of bytes read. + /// The application must call psa_hash_setup() before calling this function. /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[out] output Buffer where the output will be written. - /// \param output_length Number of bytes to output. + /// \param[in,out] operation Active hash operation. + /// \param[in] input Buffer containing the message fragment to hash. + /// \param input_length Size of the \p input buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// One of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_DERIVE. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// \p output_length bytes. Note that in this case, - /// no output is written to the output buffer. - /// The operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller output buffer. + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_update( + operation: *mut psa_hash_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Finish the calculation of the hash of a message. + /// + /// The application must call psa_hash_setup() before calling this function. + /// This function calculates the hash of the message formed by concatenating + /// the inputs passed to preceding calls to psa_hash_update(). + /// + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). + /// + /// \warning Applications should not call this function if they expect + /// a specific value for the hash. Call psa_hash_verify() instead. + /// Beware that comparing integrity or authenticity data such as + /// hash values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the hashed data which could allow an attacker to guess + /// a valid hash and thereby bypass security controls. + /// + /// \param[in,out] operation Active hash operation. + /// \param[out] hash Buffer where the hash is to be written. + /// \param hash_size Size of the \p hash buffer in bytes. + /// \param[out] hash_length On success, the number of bytes + /// that make up the hash value. This is always + /// #PSA_HASH_LENGTH(\c alg) where \c alg is the + /// hash algorithm that is calculated. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p hash buffer is too small. You can determine a + /// sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) + /// where \c alg is the hash algorithm that is calculated. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_finish( + operation: *mut psa_hash_operation_t, + hash: *mut u8, + hash_size: usize, + hash_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Finish the calculation of the hash of a message and compare it with + /// an expected value. + /// + /// The application must call psa_hash_setup() before calling this function. + /// This function calculates the hash of the message formed by concatenating + /// the inputs passed to preceding calls to psa_hash_update(). It then + /// compares the calculated hash with the expected hash passed as a + /// parameter to this function. + /// + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). + /// + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual hash and the expected hash is performed + /// in constant time. + /// + /// \param[in,out] operation Active hash operation. + /// \param[in] hash Buffer containing the expected hash value. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected hash is identical to the actual hash of the message. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The hash of the message was calculated successfully, but it + /// differs from the expected hash. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_output_bytes( - operation: *mut psa_key_derivation_operation_t, - output: *mut u8, - output_length: usize, + pub fn psa_hash_verify( + operation: *mut psa_hash_operation_t, + hash: *const u8, + hash_length: usize, ) -> psa_status_t; } unsafe extern "C" { - /// Derive a key from an ongoing key derivation operation. - /// - /// This function calculates output bytes from a key derivation algorithm - /// and uses those bytes to generate a key deterministically. - /// The key's location, usage policy, type and size are taken from - /// \p attributes. - /// - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads as many bytes as required from the - /// stream. - /// The operation's capacity decreases by the number of bytes read. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// How much output is produced and consumed from the operation, and how - /// the key is derived, depends on the key type and on the key size - /// (denoted \c bits below): - /// - /// - For key types for which the key is an arbitrary sequence of bytes - /// of a given size, this function is functionally equivalent to - /// calling #psa_key_derivation_output_bytes - /// and passing the resulting output to #psa_import_key. - /// However, this function has a security benefit: - /// if the implementation provides an isolation boundary then - /// the key material is not exposed outside the isolation boundary. - /// As a consequence, for these key types, this function always consumes - /// exactly (\c bits / 8) bytes from the operation. - /// The following key types defined in this specification follow this scheme: - /// - /// - #PSA_KEY_TYPE_AES; - /// - #PSA_KEY_TYPE_ARIA; - /// - #PSA_KEY_TYPE_CAMELLIA; - /// - #PSA_KEY_TYPE_DERIVE; - /// - #PSA_KEY_TYPE_HMAC; - /// - #PSA_KEY_TYPE_PASSWORD_HASH. - /// - /// - For ECC keys on a Montgomery elliptic curve - /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a - /// Montgomery curve), this function always draws a byte string whose - /// length is determined by the curve, and sets the mandatory bits - /// accordingly. That is: + /// Abort a hash operation. /// - /// - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte - /// string and process it as specified in RFC 7748 §5. - /// - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte - /// string and process it as specified in RFC 7748 §5. + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_hash_setup() again. /// - /// - For key types for which the key is represented by a single sequence of - /// \c bits bits with constraints as to which bit sequences are acceptable, - /// this function draws a byte string of length (\c bits / 8) bytes rounded - /// up to the nearest whole number of bytes. If the resulting byte string - /// is acceptable, it becomes the key, otherwise the drawn bytes are discarded. - /// This process is repeated until an acceptable byte string is drawn. - /// The byte string drawn from the operation is interpreted as specified - /// for the output produced by psa_export_key(). - /// The following key types defined in this specification follow this scheme: + /// You may call this function any time after the operation object has + /// been initialized by one of the methods described in #psa_hash_operation_t. /// - /// - #PSA_KEY_TYPE_DES. - /// Force-set the parity bits, but discard forbidden weak keys. - /// For 2-key and 3-key triple-DES, the three keys are generated - /// successively (for example, for 3-key triple-DES, - /// if the first 8 bytes specify a weak key and the next 8 bytes do not, - /// discard the first 8 bytes, use the next 8 bytes as the first key, - /// and continue reading output from the operation to derive the other - /// two keys). - /// - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group) - /// where \c group designates any Diffie-Hellman group) and - /// ECC keys on a Weierstrass elliptic curve - /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a - /// Weierstrass curve). - /// For these key types, interpret the byte string as integer - /// in big-endian order. Discard it if it is not in the range - /// [0, *N* - 2] where *N* is the boundary of the private key domain - /// (the prime *p* for Diffie-Hellman, the subprime *q* for DSA, - /// or the order of the curve's base point for ECC). - /// Add 1 to the resulting integer and use this as the private key *x*. - /// This method allows compliance to NIST standards, specifically - /// the methods titled "key-pair generation by testing candidates" - /// in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman, - /// in FIPS 186-4 §B.1.2 for DSA, and - /// in NIST SP 800-56A §5.6.1.2.2 or - /// FIPS 186-4 §B.4.2 for elliptic curve keys. + /// In particular, calling psa_hash_abort() after the operation has been + /// terminated by a call to psa_hash_abort(), psa_hash_finish() or + /// psa_hash_verify() is safe and has no effect. /// - /// - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR, - /// the way in which the operation output is consumed is - /// implementation-defined. + /// \param[in,out] operation Initialized hash operation. /// - /// In all cases, the data that is read is discarded from the operation. - /// The operation's capacity is decreased by the number of bytes read. + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_abort(operation: *mut psa_hash_operation_t) -> psa_status_t; +} +unsafe extern "C" { + /// Clone a hash operation. /// - /// For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET, - /// the input to that step must be provided with psa_key_derivation_input_key(). - /// Future versions of this specification may include additional restrictions - /// on the derived key based on the attributes and strength of the secret key. + /// This function copies the state of an ongoing hash operation to + /// a new operation object. In other words, this function is equivalent + /// to calling psa_hash_setup() on \p target_operation with the same + /// algorithm that \p source_operation was set up for, then + /// psa_hash_update() on \p target_operation with the same input that + /// that was passed to \p source_operation. After this function returns, the + /// two objects are independent, i.e. subsequent calls involving one of + /// the objects do not affect the other object. /// - /// \param[in] attributes The attributes for the new key. - /// If the key type to be created is - /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in - /// the policy must be the same as in the current - /// operation. - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[out] key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param[in] source_operation The active hash operation to clone. + /// \param[in,out] target_operation The operation object to set up. + /// It must be initialized but not active. /// - /// \retval #PSA_SUCCESS - /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// There was not enough data to create the desired key. - /// Note that in this case, no output is written to the output buffer. - /// The operation's capacity is set to 0, thus subsequent calls to - /// this function will not succeed, even with a smaller output buffer. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size is not supported, either by the - /// implementation in general or in this particular location. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The provided key attributes are not valid for the operation. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The #PSA_KEY_DERIVATION_INPUT_SECRET or - /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a - /// key; or one of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_DERIVE. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_SUCCESS \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The \p source_operation state is not valid (it must be active), or + /// the \p target_operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_output_key( - attributes: *const psa_key_attributes_t, - operation: *mut psa_key_derivation_operation_t, - key: *mut mbedtls_svc_key_id_t, + pub fn psa_hash_clone( + source_operation: *const psa_hash_operation_t, + target_operation: *mut psa_hash_operation_t, ) -> psa_status_t; } unsafe extern "C" { - /// Compare output data from a key derivation operation to an expected value. - /// - /// This function calculates output bytes from a key derivation algorithm and - /// compares those bytes to an expected value in constant time. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the expected number of bytes from the - /// stream before comparing them. - /// The operation's capacity decreases by the number of bytes read. - /// - /// This is functionally equivalent to the following code: - /// \code - /// psa_key_derivation_output_bytes(operation, tmp, output_length); - /// if (memcmp(output, tmp, output_length) != 0) - /// return PSA_ERROR_INVALID_SIGNATURE; - /// \endcode - /// except (1) it works even if the key's policy does not allow outputting the - /// bytes, and (2) the comparison will be done in constant time. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, - /// the operation enters an error state and must be aborted by calling - /// psa_key_derivation_abort(). + /// Calculate the MAC (message authentication code) of a message. /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[in] expected_output Buffer containing the expected derivation output. - /// \param output_length Length of the expected output; this is also the - /// number of bytes that will be read. + /// \note To verify the MAC of a message against an + /// expected value, use psa_mac_verify() instead. + /// Beware that comparing integrity or authenticity data such as + /// MAC values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the MAC value which could allow an attacker to guess + /// a valid MAC and thereby bypass security controls. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The output was read successfully, but it differs from the expected - /// output. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// One of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_VERIFY_DERIVATION. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// \p output_length bytes. Note that in this case, - /// the operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller expected output. + /// \param key Identifier of the key to use for the operation. It + /// must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \param[in] input Buffer containing the input message. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] mac Buffer where the MAC value is to be written. + /// \param mac_size Size of the \p mac buffer in bytes. + /// \param[out] mac_length On success, the number of bytes + /// that make up the MAC value. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p mac_size is too small /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_verify_bytes( - operation: *mut psa_key_derivation_operation_t, - expected_output: *const u8, - output_length: usize, + pub fn psa_mac_compute( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + mac: *mut u8, + mac_size: usize, + mac_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// Compare output data from a key derivation operation to an expected value - /// stored in a key object. - /// - /// This function calculates output bytes from a key derivation algorithm and - /// compares those bytes to an expected value, provided as key of type - /// #PSA_KEY_TYPE_PASSWORD_HASH. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the number of bytes corresponding to the - /// length of the expected value from the stream before comparing them. - /// The operation's capacity decreases by the number of bytes read. - /// - /// This is functionally equivalent to exporting the key and calling - /// psa_key_derivation_verify_bytes() on the result, except that it - /// works even if the key cannot be exported. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, - /// the operation enters an error state and must be aborted by calling - /// psa_key_derivation_abort(). + /// Calculate the MAC of a message and compare it with a reference value. /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH - /// containing the expected output. Its policy must - /// include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag - /// and the permitted algorithm must match the - /// operation. The value of this key was likely - /// computed by a previous call to - /// psa_key_derivation_output_key(). + /// \param key Identifier of the key to use for the operation. It + /// must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \param[in] input Buffer containing the input message. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] mac Buffer containing the expected MAC value. + /// \param mac_length Size of the \p mac buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_SUCCESS + /// The expected MAC is identical to the actual MAC of the input. /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The output was read successfully, but if differs from the expected - /// output. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// The key passed as the expected value does not exist. + /// The MAC of the message was calculated successfully, but it + /// differs from the expected value. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key passed as the expected value has an invalid type. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key passed as the expected value does not allow this usage or - /// this algorithm; or one of the inputs was a key whose policy didn't - /// allow #PSA_KEY_USAGE_VERIFY_DERIVATION. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// the length of the expected value. In this case, - /// the operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller expected output. + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_verify_key( - operation: *mut psa_key_derivation_operation_t, - expected: psa_key_id_t, + pub fn psa_mac_verify( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + mac: *const u8, + mac_length: usize, ) -> psa_status_t; } +/// The type of the state data structure for multipart MAC operations. +/// +/// Before calling any function on a MAC operation object, the application must +/// initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_mac_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_mac_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT, +/// for example: +/// \code +/// psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_mac_operation_init() +/// to the structure, for example: +/// \code +/// psa_mac_operation_t operation; +/// operation = psa_mac_operation_init(); +/// \endcode +/// +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_mac_operation_t = psa_mac_operation_s; unsafe extern "C" { - /// Abort a key derivation operation. + /// Set up a multipart MAC calculation operation. /// - /// Aborting an operation frees all associated resources except for the \c - /// operation structure itself. Once aborted, the operation object can be reused - /// for another operation by calling psa_key_derivation_setup() again. + /// This function sets up the calculation of the MAC + /// (message authentication code) of a byte string. + /// To verify the MAC of a message against an + /// expected value, use psa_mac_verify_setup() instead. /// - /// This function may be called at any time after the operation - /// object has been initialized as described in #psa_key_derivation_operation_t. + /// The sequence of operations to calculate a MAC is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. + /// -# Call psa_mac_sign_setup() to specify the algorithm and key. + /// -# Call psa_mac_update() zero, one or more times, passing a fragment + /// of the message each time. The MAC that is calculated is the MAC + /// of the concatenation of these messages in order. + /// -# At the end of the message, call psa_mac_sign_finish() to finish + /// calculating the MAC value and retrieve it. /// - /// In particular, it is valid to call psa_key_derivation_abort() twice, or to - /// call psa_key_derivation_abort() on an operation that has not been set up. + /// If an error occurs at any step after a call to psa_mac_sign_setup(), the + /// operation will need to be reset by a call to psa_mac_abort(). The + /// application may call psa_mac_abort() at any time after the operation + /// has been initialized. /// - /// \param[in,out] operation The operation to abort. + /// After a successful call to psa_mac_sign_setup(), the application must + /// eventually terminate the operation through one of the following methods: + /// - A successful call to psa_mac_sign_finish(). + /// - A call to psa_mac_abort(). /// - /// \retval #PSA_SUCCESS \emptydescription + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_mac_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. It + /// must remain valid until the operation terminates. + /// It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_abort(operation: *mut psa_key_derivation_operation_t) - -> psa_status_t; + pub fn psa_mac_sign_setup( + operation: *mut psa_mac_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// Perform a key agreement and return the raw shared secret. + /// Set up a multipart MAC verification operation. /// - /// \warning The raw result of a key agreement algorithm such as finite-field - /// Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should - /// not be used directly as key material. It should instead be passed as - /// input to a key derivation algorithm. To chain a key agreement with - /// a key derivation, use psa_key_derivation_key_agreement() and other - /// functions from the key derivation interface. + /// This function sets up the verification of the MAC + /// (message authentication code) of a byte string against an expected value. /// - /// \param alg The key agreement algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg) - /// is true). - /// \param private_key Identifier of the private key to use. It must - /// allow the usage #PSA_KEY_USAGE_DERIVE. - /// \param[in] peer_key Public key of the peer. It must be - /// in the same format that psa_import_key() - /// accepts. The standard formats for public - /// keys are documented in the documentation - /// of psa_export_public_key(). - /// \param peer_key_length Size of \p peer_key in bytes. - /// \param[out] output Buffer where the decrypted message is to - /// be written. - /// \param output_size Size of the \c output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. + /// The sequence of operations to verify a MAC is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. + /// -# Call psa_mac_verify_setup() to specify the algorithm and key. + /// -# Call psa_mac_update() zero, one or more times, passing a fragment + /// of the message each time. The MAC that is calculated is the MAC + /// of the concatenation of these messages in order. + /// -# At the end of the message, call psa_mac_verify_finish() to finish + /// calculating the actual MAC of the message and verify it against + /// the expected value. + /// + /// If an error occurs at any step after a call to psa_mac_verify_setup(), the + /// operation will need to be reset by a call to psa_mac_abort(). The + /// application may call psa_mac_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_mac_verify_setup(), the application must + /// eventually terminate the operation through one of the following methods: + /// - A successful call to psa_mac_verify_finish(). + /// - A call to psa_mac_abort(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_mac_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. It + /// must remain valid until the operation terminates. + /// It must allow the usage + /// PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). /// /// \retval #PSA_SUCCESS /// Success. /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p alg is not a key agreement algorithm, or - /// \p private_key is not compatible with \p alg, - /// or \p peer_key is not valid for \p alg or not compatible with - /// \p private_key. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p output_size is too small + /// \c key is not compatible with \c alg. /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not a supported key agreement algorithm. + /// \c alg is not supported or is not a MAC algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_raw_key_agreement( + pub fn psa_mac_verify_setup( + operation: *mut psa_mac_operation_t, + key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - private_key: mbedtls_svc_key_id_t, - peer_key: *const u8, - peer_key_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Generate random bytes. - /// - /// \warning This function **can** fail! Callers MUST check the return status - /// and MUST NOT use the content of the output buffer if the return - /// status is not #PSA_SUCCESS. - /// - /// \note To generate a key, use psa_generate_key() instead. - /// - /// \param[out] output Output buffer for the generated data. - /// \param output_size Number of bytes to generate and output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_generate_random(output: *mut u8, output_size: usize) -> psa_status_t; -} -unsafe extern "C" { - /// \brief Generate a key or key pair. - /// - /// The key is generated randomly. - /// Its location, usage policy, type and size are taken from \p attributes. + /// Add a message fragment to a multipart MAC operation. /// - /// Implementations must reject an attempt to generate a key of size 0. + /// The application must call psa_mac_sign_setup() or psa_mac_verify_setup() + /// before calling this function. /// - /// The following type-specific considerations apply: - /// - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), - /// the public exponent is 65537. - /// The modulus is a product of two probabilistic primes - /// between 2^{n-1} and 2^n where n is the bit size specified in the - /// attributes. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// \param[in] attributes The attributes for the new key. - /// \param[out] key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param[in,out] operation Active MAC operation. + /// \param[in] input Buffer containing the message fragment to add to + /// the MAC calculation. + /// \param input_length Size of the \p input buffer in bytes. /// /// \retval #PSA_SUCCESS /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_generate_key( - attributes: *const psa_key_attributes_t, - key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; -} -/// The type of the state data structure for interruptible hash -/// signing operations. -/// -/// Before calling any function on a sign hash operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer -/// #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation = -/// PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function -/// psa_sign_hash_interruptible_operation_init() to the structure, for -/// example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation; -/// operation = psa_sign_hash_interruptible_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_sign_hash_interruptible_operation_t = psa_sign_hash_interruptible_operation_s; -/// The type of the state data structure for interruptible hash -/// verification operations. -/// -/// Before calling any function on a sign hash operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer -/// #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation = -/// PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function -/// psa_verify_hash_interruptible_operation_init() to the structure, for -/// example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation; -/// operation = psa_verify_hash_interruptible_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_verify_hash_interruptible_operation_t = psa_verify_hash_interruptible_operation_s; -unsafe extern "C" { - /// \brief Set the maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note The time taken to execute a single op is - /// implementation specific and depends on - /// software, hardware, the algorithm, key type and - /// curve chosen. Even within a single operation, - /// successive ops can take differing amounts of - /// time. The only guarantee is that lower values - /// for \p max_ops means functions will block for a - /// lesser maximum amount of time. The functions - /// \c psa_sign_interruptible_get_num_ops() and - /// \c psa_verify_interruptible_get_num_ops() are - /// provided to help with tuning this value. - /// - /// \note This value defaults to - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which - /// means the whole operation will be done in one - /// go, regardless of the number of ops required. - /// - /// \note If more ops are needed to complete a - /// computation, #PSA_OPERATION_INCOMPLETE will be - /// returned by the function performing the - /// computation. It is then the caller's - /// responsibility to either call again with the - /// same operation context until it returns 0 or an - /// error code; or to call the relevant abort - /// function if the answer is no longer required. - /// - /// \note The interpretation of \p max_ops is also - /// implementation defined. On a hard real time - /// system, this can indicate a hard deadline, as a - /// real-time system needs a guarantee of not - /// spending more than X time, however care must be - /// taken in such an implementation to avoid the - /// situation whereby calls just return, not being - /// able to do any actual work within the allotted - /// time. On a non-real-time system, the - /// implementation can be more relaxed, but again - /// whether this number should be interpreted as as - /// hard or soft limit or even whether a less than - /// or equals as regards to ops executed in a - /// single call is implementation defined. - /// - /// \note For keys in local storage when no accelerator - /// driver applies, please see also the - /// documentation for \c mbedtls_ecp_set_max_ops(), - /// which is the internal implementation in these - /// cases. - /// - /// \warning With implementations that interpret this number - /// as a hard limit, setting this number too small - /// may result in an infinite loop, whereby each - /// call results in immediate return with no ops - /// done (as there is not enough time to execute - /// any), and thus no result will ever be achieved. - /// - /// \note This only applies to functions whose - /// documentation mentions they may return - /// #PSA_OPERATION_INCOMPLETE. - /// - /// \param max_ops The maximum number of ops to be executed in a - /// single call. This can be a number from 0 to - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 - /// is the least amount of work done per call. - pub fn psa_interruptible_set_max_ops(max_ops: u32); -} -unsafe extern "C" { - /// \brief Get the maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. This will return the last - /// value set by - /// \c psa_interruptible_set_max_ops() or - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if - /// that function has never been called. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \return Maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. - pub fn psa_interruptible_get_max_ops() -> u32; + pub fn psa_mac_update( + operation: *mut psa_mac_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Get the number of ops that a hash signing - /// operation has taken so far. If the operation - /// has completed, then this will represent the - /// number of ops required for the entire - /// operation. After initialization or calling - /// \c psa_sign_hash_interruptible_abort() on - /// the operation, a value of 0 will be returned. + /// Finish the calculation of the MAC of a message. /// - /// \note This interface is guaranteed re-entrant and - /// thus may be called from driver code. + /// The application must call psa_mac_sign_setup() before calling this function. + /// This function calculates the MAC of the message formed by concatenating + /// the inputs passed to preceding calls to psa_mac_update(). /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// This is a helper provided to help you tune the - /// value passed to \c - /// psa_interruptible_set_max_ops(). + /// \warning Applications should not call this function if they expect + /// a specific value for the MAC. Call psa_mac_verify_finish() instead. + /// Beware that comparing integrity or authenticity data such as + /// MAC values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the MAC value which could allow an attacker to guess + /// a valid MAC and thereby bypass security controls. /// - /// \param operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// \param[in,out] operation Active MAC operation. + /// \param[out] mac Buffer where the MAC value is to be written. + /// \param mac_size Size of the \p mac buffer in bytes. + /// \param[out] mac_length On success, the number of bytes + /// that make up the MAC value. This is always + /// #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg) + /// where \c key_type and \c key_bits are the type and + /// bit-size respectively of the key and \c alg is the + /// MAC algorithm that is calculated. /// - /// \return Number of ops that the operation has taken so - /// far. - pub fn psa_sign_hash_get_num_ops( - operation: *const psa_sign_hash_interruptible_operation_t, - ) -> u32; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p mac buffer is too small. You can determine a + /// sufficient buffer size by calling PSA_MAC_LENGTH(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active mac sign + /// operation), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_sign_finish( + operation: *mut psa_mac_operation_t, + mac: *mut u8, + mac_size: usize, + mac_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Get the number of ops that a hash verification - /// operation has taken so far. If the operation - /// has completed, then this will represent the - /// number of ops required for the entire - /// operation. After initialization or calling \c - /// psa_verify_hash_interruptible_abort() on the - /// operation, a value of 0 will be returned. + /// Finish the calculation of the MAC of a message and compare it with + /// an expected value. /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// The application must call psa_mac_verify_setup() before calling this function. + /// This function calculates the MAC of the message formed by concatenating + /// the inputs passed to preceding calls to psa_mac_update(). It then + /// compares the calculated MAC with the expected MAC passed as a + /// parameter to this function. /// - /// This is a helper provided to help you tune the - /// value passed to \c - /// psa_interruptible_set_max_ops(). + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// \param operation The \c - /// psa_verify_hash_interruptible_operation_t to - /// use. This must be initialized first. + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual MAC and the expected MAC is performed + /// in constant time. /// - /// \return Number of ops that the operation has taken so - /// far. - pub fn psa_verify_hash_get_num_ops( - operation: *const psa_verify_hash_interruptible_operation_t, - ) -> u32; + /// \param[in,out] operation Active MAC operation. + /// \param[in] mac Buffer containing the expected MAC value. + /// \param mac_length Size of the \p mac buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected MAC is identical to the actual MAC of the message. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The MAC of the message was calculated successfully, but it + /// differs from the expected MAC. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active mac verify + /// operation), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_verify_finish( + operation: *mut psa_mac_operation_t, + mac: *const u8, + mac_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Start signing a hash or short message with a - /// private key, in an interruptible manner. + /// Abort a MAC operation. /// - /// \see \c psa_sign_hash_complete() + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_mac_sign_setup() or psa_mac_verify_setup() again. /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// You may call this function any time after the operation object has + /// been initialized by one of the methods described in #psa_mac_operation_t. /// - /// \note This function combined with \c - /// psa_sign_hash_complete() is equivalent to - /// \c psa_sign_hash() but - /// \c psa_sign_hash_complete() can return early and - /// resume according to the limit set with \c - /// psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function call. + /// In particular, calling psa_mac_abort() after the operation has been + /// terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or + /// psa_mac_verify_finish() is safe and has no effect. /// - /// \note Users should call \c psa_sign_hash_complete() - /// repeatedly on the same context after a - /// successful call to this function until \c - /// psa_sign_hash_complete() either returns 0 or an - /// error. \c psa_sign_hash_complete() will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_sign_hash_abort() at any point if they no - /// longer want the result. + /// \param[in,out] operation Initialized MAC operation. /// - /// \note If this function returns an error status, the - /// operation enters an error state and must be - /// aborted by calling \c psa_sign_hash_abort(). + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_abort(operation: *mut psa_mac_operation_t) -> psa_status_t; +} +unsafe extern "C" { + /// Encrypt a message using a symmetric cipher. /// - /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// This function encrypts a message with a random IV (initialization + /// vector). Use the multipart operation interface with a + /// #psa_cipher_operation_t object to provide other forms of IV. /// /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. - /// \param alg A signature algorithm (\c PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message to sign. - /// \param hash_length Size of the \p hash buffer in bytes. + /// It must allow the usage #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// \param[in] input Buffer containing the message to encrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// The output contains the IV followed by + /// the ciphertext proper. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the output. /// /// \retval #PSA_SUCCESS - /// The operation started successfully - call \c psa_sign_hash_complete() - /// with the same context to complete the operation - /// + /// Success. /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does - /// not permit the requested algorithm. + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// An operation has previously been started on this context, and is - /// still in progress. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Decrypt a message using a symmetric cipher. + /// + /// This function decrypts a message encrypted with a symmetric cipher. + /// + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// \param[in] input Buffer containing the message to decrypt. + /// This consists of the IV followed by the + /// ciphertext proper. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the plaintext is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_sign_hash_start( - operation: *mut psa_sign_hash_interruptible_operation_t, + pub fn psa_cipher_decrypt( key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, ) -> psa_status_t; } +/// The type of the state data structure for multipart cipher operations. +/// +/// Before calling any function on a cipher operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_cipher_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_cipher_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT, +/// for example: +/// \code +/// psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_cipher_operation_init() +/// to the structure, for example: +/// \code +/// psa_cipher_operation_t operation; +/// operation = psa_cipher_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_cipher_operation_t = psa_cipher_operation_s; unsafe extern "C" { - /// \brief Continue and eventually complete the action of - /// signing a hash or short message with a private - /// key, in an interruptible manner. - /// - /// \see \c psa_sign_hash_start() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function combined with \c - /// psa_sign_hash_start() is equivalent to - /// \c psa_sign_hash() but this function can return - /// early and resume according to the limit set with - /// \c psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function call. + /// Set the key for a multipart symmetric encryption operation. /// - /// \note Users should call this function on the same - /// operation object repeatedly until it either - /// returns 0 or an error. This function will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_sign_hash_abort() at any point if they no - /// longer want the result. + /// The sequence of operations to encrypt a message with a symmetric cipher + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_cipher_operation_t, e.g. + /// #PSA_CIPHER_OPERATION_INIT. + /// -# Call psa_cipher_encrypt_setup() to specify the algorithm and key. + /// -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to + /// generate or set the IV (initialization vector). You should use + /// psa_cipher_generate_iv() unless the protocol you are implementing + /// requires a specific IV value. + /// -# Call psa_cipher_update() zero, one or more times, passing a fragment + /// of the message each time. + /// -# Call psa_cipher_finish(). /// - /// \note When this function returns successfully, the - /// operation becomes inactive. If this function - /// returns an error status, the operation enters an - /// error state and must be aborted by calling - /// \c psa_sign_hash_abort(). + /// If an error occurs at any step after a call to psa_cipher_encrypt_setup(), + /// the operation will need to be reset by a call to psa_cipher_abort(). The + /// application may call psa_cipher_abort() at any time after the operation + /// has been initialized. /// - /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first, and have - /// had \c psa_sign_hash_start() called with it - /// first. + /// After a successful call to psa_cipher_encrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_cipher_finish(). + /// - A call to psa_cipher_abort(). /// - /// \param[out] signature Buffer where the signature is to be written. - /// \param signature_size Size of the \p signature buffer in bytes. This - /// must be appropriate for the selected - /// algorithm and key: - /// - The required signature size is - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c - /// key_bits, \c alg) where \c key_type and \c - /// key_bits are the type and bit-size - /// respectively of key. - /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the - /// maximum signature size of any supported - /// signature algorithm. - /// \param[out] signature_length On success, the number of bytes that make up - /// the returned signature value. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_cipher_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). /// /// \retval #PSA_SUCCESS - /// Operation completed successfully - /// - /// \retval #PSA_OPERATION_INCOMPLETE - /// Operation was interrupted due to the setting of \c - /// psa_interruptible_set_max_ops(). There is still work to be done. - /// Call this function again with the same operation object. - /// - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// - /// \retval #PSA_ERROR_BAD_STATE - /// An operation was not previously started on this context via - /// \c psa_sign_hash_start(). - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has either not been previously initialized by - /// psa_crypto_init() or you did not previously call - /// psa_sign_hash_start() with this operation object. It is - /// implementation-dependent whether a failure to initialize results in - /// this error code. - pub fn psa_sign_hash_complete( - operation: *mut psa_sign_hash_interruptible_operation_t, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; -} -unsafe extern "C" { - /// \brief Abort a sign hash operation. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function is the only function that clears - /// the number of ops completed as part of the - /// operation. Please ensure you copy this value via - /// \c psa_sign_hash_get_num_ops() if required - /// before calling. - /// - /// \note Aborting an operation frees all associated - /// resources except for the \p operation structure - /// itself. Once aborted, the operation object can - /// be reused for another operation by calling \c - /// psa_sign_hash_start() again. - /// - /// \note You may call this function any time after the - /// operation object has been initialized. In - /// particular, calling \c psa_sign_hash_abort() - /// after the operation has already been terminated - /// by a call to \c psa_sign_hash_abort() or - /// psa_sign_hash_complete() is safe. - /// - /// \param[in,out] operation Initialized sign hash operation. - /// - /// \retval #PSA_SUCCESS - /// The operation was aborted successfully. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_sign_hash_abort( - operation: *mut psa_sign_hash_interruptible_operation_t, + pub fn psa_cipher_encrypt_setup( + operation: *mut psa_cipher_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Start reading and verifying a hash or short - /// message, in an interruptible manner. - /// - /// \see \c psa_verify_hash_complete() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function combined with \c - /// psa_verify_hash_complete() is equivalent to - /// \c psa_verify_hash() but \c - /// psa_verify_hash_complete() can return early and - /// resume according to the limit set with \c - /// psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function. + /// Set the key for a multipart symmetric decryption operation. /// - /// \note Users should call \c psa_verify_hash_complete() - /// repeatedly on the same operation object after a - /// successful call to this function until \c - /// psa_verify_hash_complete() either returns 0 or - /// an error. \c psa_verify_hash_complete() will - /// return #PSA_OPERATION_INCOMPLETE if there is - /// more work to do. Alternatively users can call - /// \c psa_verify_hash_abort() at any point if they - /// no longer want the result. + /// The sequence of operations to decrypt a message with a symmetric cipher + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_cipher_operation_t, e.g. + /// #PSA_CIPHER_OPERATION_INIT. + /// -# Call psa_cipher_decrypt_setup() to specify the algorithm and key. + /// -# Call psa_cipher_set_iv() with the IV (initialization vector) for the + /// decryption. If the IV is prepended to the ciphertext, you can call + /// psa_cipher_update() on a buffer containing the IV followed by the + /// beginning of the message. + /// -# Call psa_cipher_update() zero, one or more times, passing a fragment + /// of the message each time. + /// -# Call psa_cipher_finish(). /// - /// \note If this function returns an error status, the - /// operation enters an error state and must be - /// aborted by calling \c psa_verify_hash_abort(). + /// If an error occurs at any step after a call to psa_cipher_decrypt_setup(), + /// the operation will need to be reset by a call to psa_cipher_abort(). The + /// application may call psa_cipher_abort() at any time after the operation + /// has been initialized. /// - /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// After a successful call to psa_cipher_decrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_cipher_finish(). + /// - A call to psa_cipher_abort(). /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_cipher_operation_t and not yet in use. /// \param key Identifier of the key to use for the operation. - /// The key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_HASH. - /// \param alg A signature algorithm (\c PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash whose signature is to be verified. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[in] signature Buffer containing the signature to verify. - /// \param signature_length Size of the \p signature buffer in bytes. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). /// /// \retval #PSA_SUCCESS - /// The operation started successfully - please call \c - /// psa_verify_hash_complete() with the same context to complete the - /// operation. - /// - /// \retval #PSA_ERROR_BAD_STATE - /// Another operation has already been started on this context, and is - /// still in progress. - /// - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does - /// not permit the requested algorithm. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_verify_hash_start( - operation: *mut psa_verify_hash_interruptible_operation_t, + pub fn psa_cipher_decrypt_setup( + operation: *mut psa_cipher_operation_t, key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *const u8, - signature_length: usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Continue and eventually complete the action of - /// reading and verifying a hash or short message - /// signed with a private key, in an interruptible - /// manner. - /// - /// \see \c psa_verify_hash_start() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// Generate an IV for a symmetric encryption operation. /// - /// \note This function combined with \c - /// psa_verify_hash_start() is equivalent to - /// \c psa_verify_hash() but this function can - /// return early and resume according to the limit - /// set with \c psa_interruptible_set_max_ops() to - /// reduce the maximum time spent in a function - /// call. + /// This function generates a random IV (initialization vector), nonce + /// or initial counter value for the encryption operation as appropriate + /// for the chosen algorithm, key type and key size. /// - /// \note Users should call this function on the same - /// operation object repeatedly until it either - /// returns 0 or an error. This function will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_verify_hash_abort() at any point if they - /// no longer want the result. + /// The application must call psa_cipher_encrypt_setup() before + /// calling this function. /// - /// \note When this function returns successfully, the - /// operation becomes inactive. If this function - /// returns an error status, the operation enters an - /// error state and must be aborted by calling - /// \c psa_verify_hash_abort(). + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t - /// to use. This must be initialized first, and have - /// had \c psa_verify_hash_start() called with it - /// first. + /// \param[in,out] operation Active cipher operation. + /// \param[out] iv Buffer where the generated IV is to be written. + /// \param iv_size Size of the \p iv buffer in bytes. + /// \param[out] iv_length On success, the number of bytes of the + /// generated IV. /// /// \retval #PSA_SUCCESS - /// Operation completed successfully, and the passed signature is valid. - /// - /// \retval #PSA_OPERATION_INCOMPLETE - /// Operation was interrupted due to the setting of \c - /// psa_interruptible_set_max_ops(). There is still work to be done. - /// Call this function again with the same operation object. - /// - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed - /// signature is not a valid signature. - /// \retval #PSA_ERROR_BAD_STATE - /// An operation was not previously started on this context via - /// \c psa_verify_hash_start(). - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p iv buffer is too small. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has either not been previously initialized by - /// psa_crypto_init() or you did not previously call - /// psa_verify_hash_start() on this object. It is - /// implementation-dependent whether a failure to initialize results in - /// this error code. - pub fn psa_verify_hash_complete( - operation: *mut psa_verify_hash_interruptible_operation_t, + /// The operation state is not valid (it must be active, with no IV set), + /// or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_generate_iv( + operation: *mut psa_cipher_operation_t, + iv: *mut u8, + iv_size: usize, + iv_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Abort a verify hash operation. + /// Set the IV for a symmetric encryption or decryption operation. /// - /// \warning This is a beta API, and thus subject to change at - /// any point. It is not bound by the usual interface - /// stability promises. + /// This function sets the IV (initialization vector), nonce + /// or initial counter value for the encryption or decryption operation. /// - /// \note This function is the only function that clears the - /// number of ops completed as part of the operation. - /// Please ensure you copy this value via - /// \c psa_verify_hash_get_num_ops() if required - /// before calling. + /// The application must call psa_cipher_encrypt_setup() before + /// calling this function. /// - /// \note Aborting an operation frees all associated - /// resources except for the operation structure - /// itself. Once aborted, the operation object can be - /// reused for another operation by calling \c - /// psa_verify_hash_start() again. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \note You may call this function any time after the - /// operation object has been initialized. - /// In particular, calling \c psa_verify_hash_abort() - /// after the operation has already been terminated by - /// a call to \c psa_verify_hash_abort() or - /// psa_verify_hash_complete() is safe. + /// \note When encrypting, applications should use psa_cipher_generate_iv() + /// instead of this function, unless implementing a protocol that requires + /// a non-random IV. /// - /// \param[in,out] operation Initialized verify hash operation. + /// \param[in,out] operation Active cipher operation. + /// \param[in] iv Buffer containing the IV to use. + /// \param iv_length Size of the IV in bytes. /// /// \retval #PSA_SUCCESS - /// The operation was aborted successfully. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The size of \p iv is not acceptable for the chosen algorithm, + /// or the chosen algorithm does not use an IV. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be an active cipher + /// encrypt operation, with no IV set), or the library has not been + /// previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_verify_hash_abort( - operation: *mut psa_verify_hash_interruptible_operation_t, + pub fn psa_cipher_set_iv( + operation: *mut psa_cipher_operation_t, + iv: *const u8, + iv_length: usize, ) -> psa_status_t; } -/// \brief The GCM context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_gcm_context { - ///< The cipher context used. - pub private_cipher_ctx: mbedtls_cipher_context_t, - ///< Precalculated HTable low. - pub private_HL: [u64; 16usize], - ///< Precalculated HTable high. - pub private_HH: [u64; 16usize], - ///< The total length of the encrypted data. - pub private_len: u64, - ///< The total length of the additional data. - pub private_add_len: u64, - ///< The first ECTR for tag. - pub private_base_ectr: [::core::ffi::c_uchar; 16usize], - ///< The Y working value. - pub private_y: [::core::ffi::c_uchar; 16usize], - ///< The buf working value. - pub private_buf: [::core::ffi::c_uchar; 16usize], - ///< The operation to perform: - ///#MBEDTLS_GCM_ENCRYPT or - ///#MBEDTLS_GCM_DECRYPT. - pub private_mode: ::core::ffi::c_int, -} -impl Default for mbedtls_gcm_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { - /// \brief This function initializes the specified GCM context, - /// to make references valid, and prepares the context - /// for mbedtls_gcm_setkey() or mbedtls_gcm_free(). + /// Encrypt or decrypt a message fragment in an active cipher operation. /// - /// The function does not bind the GCM context to a particular - /// cipher, nor set the key. For this purpose, use - /// mbedtls_gcm_setkey(). + /// Before calling this function, you must: + /// 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(). + /// The choice of setup function determines whether this function + /// encrypts or decrypts its input. + /// 2. If the algorithm requires an IV, call psa_cipher_generate_iv() + /// (recommended when encrypting) or psa_cipher_set_iv(). /// - /// \param ctx The GCM context to initialize. This must not be \c NULL. - pub fn mbedtls_gcm_init(ctx: *mut mbedtls_gcm_context); -} -unsafe extern "C" { - /// \brief This function associates a GCM context with a - /// cipher algorithm and a key. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param cipher The 128-bit block cipher to use. - /// \param key The encryption key. This must be a readable buffer of at - /// least \p keybits bits. - /// \param keybits The key size in bits. Valid options are: - ///
  • 128 bits
    • - ///
  • 192 bits
    • - ///
  • 256 bits
+ /// \param[in,out] operation Active cipher operation. + /// \param[in] input Buffer containing the message fragment to + /// encrypt or decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A cipher-specific error code on failure. - pub fn mbedtls_gcm_setkey( - ctx: *mut mbedtls_gcm_context, - cipher: mbedtls_cipher_id_t, - key: *const ::core::ffi::c_uchar, - keybits: ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with an IV set + /// if required for the algorithm), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_update( + operation: *mut psa_cipher_operation_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function performs GCM encryption or decryption of a buffer. + /// Finish encrypting or decrypting a message in a cipher operation. /// - /// \note For encryption, the output buffer can be the same as the - /// input buffer. For decryption, the output buffer cannot be - /// the same as input buffer. If the buffers overlap, the output - /// buffer must trail at least 8 Bytes behind the input buffer. + /// The application must call psa_cipher_encrypt_setup() or + /// psa_cipher_decrypt_setup() before calling this function. The choice + /// of setup function determines whether this function encrypts or + /// decrypts its input. /// - /// \warning When this function performs a decryption, it outputs the - /// authentication tag and does not verify that the data is - /// authentic. You should use this function to perform encryption - /// only. For decryption, use mbedtls_gcm_auth_decrypt() instead. + /// This function finishes the encryption or decryption of the message + /// formed by concatenating the inputs passed to preceding calls to + /// psa_cipher_update(). /// - /// \param ctx The GCM context to use for encryption or decryption. This - /// must be initialized. - /// \param mode The operation to perform: - /// - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption. - /// The ciphertext is written to \p output and the - /// authentication tag is written to \p tag. - /// - #MBEDTLS_GCM_DECRYPT to perform decryption. - /// The plaintext is written to \p output and the - /// authentication tag is written to \p tag. - /// Note that this mode is not recommended, because it does - /// not verify the authenticity of the data. For this reason, - /// you should use mbedtls_gcm_auth_decrypt() instead of - /// calling this function in decryption mode. - /// \param length The length of the input data, which is equal to the length - /// of the output data. - /// \param iv The initialization vector. This must be a readable buffer of - /// at least \p iv_len Bytes. - /// \param iv_len The length of the IV. - /// \param add The buffer holding the additional data. This must be of at - /// least that size in Bytes. - /// \param add_len The length of the additional data. - /// \param input The buffer holding the input data. If \p length is greater - /// than zero, this must be a readable buffer of at least that - /// size in Bytes. - /// \param output The buffer for holding the output data. If \p length is greater - /// than zero, this must be a writable buffer of at least that - /// size in Bytes. - /// \param tag_len The length of the tag to generate. - /// \param tag The buffer for holding the tag. This must be a writable - /// buffer of at least \p tag_len Bytes. + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \return \c 0 if the encryption or decryption was performed - /// successfully. Note that in #MBEDTLS_GCM_DECRYPT mode, - /// this does not indicate that the data is authentic. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are - /// not valid or a cipher-specific error code if the encryption - /// or decryption failed. - pub fn mbedtls_gcm_crypt_and_tag( - ctx: *mut mbedtls_gcm_context, - mode: ::core::ffi::c_int, - length: usize, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - add: *const ::core::ffi::c_uchar, - add_len: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - tag_len: usize, - tag: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active cipher operation. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total input size passed to this operation is not valid for + /// this particular algorithm. For example, the algorithm is a based + /// on block cipher and requires a whole number of blocks, but the + /// total input size is not a multiple of the block size. + /// \retval #PSA_ERROR_INVALID_PADDING + /// This is a decryption operation for an algorithm that includes + /// padding, and the ciphertext does not contain valid padding. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with an IV set + /// if required for the algorithm), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_finish( + operation: *mut psa_cipher_operation_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function performs a GCM authenticated decryption of a - /// buffer. + /// Abort a cipher operation. /// - /// \note For decryption, the output buffer cannot be the same as - /// input buffer. If the buffers overlap, the output buffer - /// must trail at least 8 Bytes behind the input buffer. + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again. /// - /// \param ctx The GCM context. This must be initialized. - /// \param length The length of the ciphertext to decrypt, which is also - /// the length of the decrypted plaintext. - /// \param iv The initialization vector. This must be a readable buffer - /// of at least \p iv_len Bytes. - /// \param iv_len The length of the IV. - /// \param add The buffer holding the additional data. This must be of at - /// least that size in Bytes. - /// \param add_len The length of the additional data. - /// \param tag The buffer holding the tag to verify. This must be a - /// readable buffer of at least \p tag_len Bytes. - /// \param tag_len The length of the tag to verify. - /// \param input The buffer holding the ciphertext. If \p length is greater - /// than zero, this must be a readable buffer of at least that - /// size. - /// \param output The buffer for holding the decrypted plaintext. If \p length - /// is greater than zero, this must be a writable buffer of at - /// least that size. + /// You may call this function any time after the operation object has + /// been initialized as described in #psa_cipher_operation_t. /// - /// \return \c 0 if successful and authenticated. - /// \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are - /// not valid or a cipher-specific error code if the decryption - /// failed. - pub fn mbedtls_gcm_auth_decrypt( - ctx: *mut mbedtls_gcm_context, - length: usize, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - add: *const ::core::ffi::c_uchar, - add_len: usize, - tag: *const ::core::ffi::c_uchar, - tag_len: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// In particular, calling psa_cipher_abort() after the operation has been + /// terminated by a call to psa_cipher_abort() or psa_cipher_finish() + /// is safe and has no effect. + /// + /// \param[in,out] operation Initialized cipher operation. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_abort(operation: *mut psa_cipher_operation_t) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a GCM encryption or decryption - /// operation. + /// Process an authenticated encryption operation. /// - /// \param ctx The GCM context. This must be initialized. - /// \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or - /// #MBEDTLS_GCM_DECRYPT. - /// \param iv The initialization vector. This must be a readable buffer of - /// at least \p iv_len Bytes. - /// \param iv_len The length of the IV. + /// \param key Identifier of the key to use for the + /// operation. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param[in] nonce Nonce or IV to use. + /// \param nonce_length Size of the \p nonce buffer in bytes. + /// \param[in] additional_data Additional data that will be authenticated + /// but not encrypted. + /// \param additional_data_length Size of \p additional_data in bytes. + /// \param[in] plaintext Data that will be authenticated and + /// encrypted. + /// \param plaintext_length Size of \p plaintext in bytes. + /// \param[out] ciphertext Output buffer for the authenticated and + /// encrypted data. The additional data is not + /// part of this output. For algorithms where the + /// encrypted data and the authentication tag + /// are defined as separate outputs, the + /// authentication tag is appended to the + /// encrypted data. + /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, + /// \p alg, \p plaintext_length) where + /// \c key_type is the type of \p key. + /// - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p + /// plaintext_length) evaluates to the maximum + /// ciphertext size of any supported AEAD + /// encryption. + /// \param[out] ciphertext_length On success, the size of the output + /// in the \p ciphertext buffer. /// - /// \return \c 0 on success. - pub fn mbedtls_gcm_starts( - ctx: *mut mbedtls_gcm_context, - mode: ::core::ffi::c_int, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p ciphertext_size is too small. + /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg, + /// \p plaintext_length) or + /// #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to + /// determine the required buffer size. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + nonce: *const u8, + nonce_length: usize, + additional_data: *const u8, + additional_data_length: usize, + plaintext: *const u8, + plaintext_length: usize, + ciphertext: *mut u8, + ciphertext_size: usize, + ciphertext_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer as associated data - /// (authenticated but not encrypted data) in a GCM - /// encryption or decryption operation. - /// - /// Call this function after mbedtls_gcm_starts() to pass - /// the associated data. If the associated data is empty, - /// you do not need to call this function. You may not - /// call this function after calling mbedtls_cipher_update(). + /// Process an authenticated decryption operation. /// - /// \param ctx The GCM context. This must have been started with - /// mbedtls_gcm_starts() and must not have yet received - /// any input with mbedtls_gcm_update(). - /// \param add The buffer holding the additional data, or \c NULL - /// if \p add_len is \c 0. - /// \param add_len The length of the additional data. If \c 0, - /// \p add may be \c NULL. + /// \param key Identifier of the key to use for the + /// operation. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param[in] nonce Nonce or IV to use. + /// \param nonce_length Size of the \p nonce buffer in bytes. + /// \param[in] additional_data Additional data that has been authenticated + /// but not encrypted. + /// \param additional_data_length Size of \p additional_data in bytes. + /// \param[in] ciphertext Data that has been authenticated and + /// encrypted. For algorithms where the + /// encrypted data and the authentication tag + /// are defined as separate inputs, the buffer + /// must contain the encrypted data followed + /// by the authentication tag. + /// \param ciphertext_length Size of \p ciphertext in bytes. + /// \param[out] plaintext Output buffer for the decrypted data. + /// \param plaintext_size Size of the \p plaintext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, + /// \p alg, \p ciphertext_length) where + /// \c key_type is the type of \p key. + /// - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p + /// ciphertext_length) evaluates to the maximum + /// plaintext size of any supported AEAD + /// decryption. + /// \param[out] plaintext_length On success, the size of the output + /// in the \p plaintext buffer. /// - /// \return \c 0 on success. - pub fn mbedtls_gcm_update_ad( - ctx: *mut mbedtls_gcm_context, - add: *const ::core::ffi::c_uchar, - add_len: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The ciphertext is not authentic. + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p plaintext_size is too small. + /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg, + /// \p ciphertext_length) or + /// #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used + /// to determine the required buffer size. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_decrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + nonce: *const u8, + nonce_length: usize, + additional_data: *const u8, + additional_data_length: usize, + ciphertext: *const u8, + ciphertext_length: usize, + plaintext: *mut u8, + plaintext_size: usize, + plaintext_length: *mut usize, + ) -> psa_status_t; } +/// The type of the state data structure for multipart AEAD operations. +/// +/// Before calling any function on an AEAD operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_aead_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_aead_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT, +/// for example: +/// \code +/// psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_aead_operation_init() +/// to the structure, for example: +/// \code +/// psa_aead_operation_t operation; +/// operation = psa_aead_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_aead_operation_t = psa_aead_operation_s; unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing GCM - /// encryption or decryption operation. - /// - /// You may call this function zero, one or more times - /// to pass successive parts of the input: the plaintext to - /// encrypt, or the ciphertext (not including the tag) to - /// decrypt. After the last part of the input, call - /// mbedtls_gcm_finish(). + /// Set the key for a multipart authenticated encryption operation. /// - /// This function may produce output in one of the following - /// ways: - /// - Immediate output: the output length is always equal - /// to the input length. - /// - Buffered output: the output consists of a whole number - /// of 16-byte blocks. If the total input length so far - /// (not including associated data) is 16 \* *B* + *A* - /// with *A* < 16 then the total output length is 16 \* *B*. + /// The sequence of operations to encrypt a message with authentication + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_aead_operation_t, e.g. + /// #PSA_AEAD_OPERATION_INIT. + /// -# Call psa_aead_encrypt_setup() to specify the algorithm and key. + /// -# If needed, call psa_aead_set_lengths() to specify the length of the + /// inputs to the subsequent calls to psa_aead_update_ad() and + /// psa_aead_update(). See the documentation of psa_aead_set_lengths() + /// for details. + /// -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to + /// generate or set the nonce. You should use + /// psa_aead_generate_nonce() unless the protocol you are implementing + /// requires a specific nonce value. + /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment + /// of the non-encrypted additional authenticated data each time. + /// -# Call psa_aead_update() zero, one or more times, passing a fragment + /// of the message to encrypt each time. + /// -# Call psa_aead_finish(). /// - /// In particular: - /// - It is always correct to call this function with - /// \p output_size >= \p input_length + 15. - /// - If \p input_length is a multiple of 16 for all the calls - /// to this function during an operation, then it is - /// correct to use \p output_size = \p input_length. + /// If an error occurs at any step after a call to psa_aead_encrypt_setup(), + /// the operation will need to be reset by a call to psa_aead_abort(). The + /// application may call psa_aead_abort() at any time after the operation + /// has been initialized. /// - /// \note For decryption, the output buffer cannot be the same as - /// input buffer. If the buffers overlap, the output buffer - /// must trail at least 8 Bytes behind the input buffer. + /// After a successful call to psa_aead_encrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_aead_finish(). + /// - A call to psa_aead_abort(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param input The buffer holding the input data. If \p input_length - /// is greater than zero, this must be a readable buffer - /// of at least \p input_length bytes. - /// \param input_length The length of the input data in bytes. - /// \param output The buffer for the output data. If \p output_size - /// is greater than zero, this must be a writable buffer of - /// of at least \p output_size bytes. - /// \param output_size The size of the output buffer in bytes. - /// See the function description regarding the output size. - /// \param output_length On success, \p *output_length contains the actual - /// length of the output written in \p output. - /// On failure, the content of \p *output_length is - /// unspecified. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_aead_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: - /// total input length too long, - /// unsupported input/output buffer overlap detected, - /// or \p output_size too small. - pub fn mbedtls_gcm_update( - ctx: *mut mbedtls_gcm_context, - input: *const ::core::ffi::c_uchar, - input_length: usize, - output: *mut ::core::ffi::c_uchar, - output_size: usize, - output_length: *mut usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_encrypt_setup( + operation: *mut psa_aead_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function finishes the GCM operation and generates - /// the authentication tag. + /// Set the key for a multipart authenticated decryption operation. /// - /// It wraps up the GCM stream, and generates the - /// tag. The tag can have a maximum length of 16 Bytes. + /// The sequence of operations to decrypt a message with authentication + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_aead_operation_t, e.g. + /// #PSA_AEAD_OPERATION_INIT. + /// -# Call psa_aead_decrypt_setup() to specify the algorithm and key. + /// -# If needed, call psa_aead_set_lengths() to specify the length of the + /// inputs to the subsequent calls to psa_aead_update_ad() and + /// psa_aead_update(). See the documentation of psa_aead_set_lengths() + /// for details. + /// -# Call psa_aead_set_nonce() with the nonce for the decryption. + /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment + /// of the non-encrypted additional authenticated data each time. + /// -# Call psa_aead_update() zero, one or more times, passing a fragment + /// of the ciphertext to decrypt each time. + /// -# Call psa_aead_verify(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param tag The buffer for holding the tag. This must be a writable - /// buffer of at least \p tag_len Bytes. - /// \param tag_len The length of the tag to generate. This must be at least - /// four. - /// \param output The buffer for the final output. - /// If \p output_size is nonzero, this must be a writable - /// buffer of at least \p output_size bytes. - /// \param output_size The size of the \p output buffer in bytes. - /// This must be large enough for the output that - /// mbedtls_gcm_update() has not produced. In particular: - /// - If mbedtls_gcm_update() produces immediate output, - /// or if the total input size is a multiple of \c 16, - /// then mbedtls_gcm_finish() never produces any output, - /// so \p output_size can be \c 0. - /// - \p output_size never needs to be more than \c 15. - /// \param output_length On success, \p *output_length contains the actual - /// length of the output written in \p output. - /// On failure, the content of \p *output_length is - /// unspecified. + /// If an error occurs at any step after a call to psa_aead_decrypt_setup(), + /// the operation will need to be reset by a call to psa_aead_abort(). The + /// application may call psa_aead_abort() at any time after the operation + /// has been initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: - /// invalid value of \p tag_len, - /// or \p output_size too small. - pub fn mbedtls_gcm_finish( - ctx: *mut mbedtls_gcm_context, - output: *mut ::core::ffi::c_uchar, - output_size: usize, - output_length: *mut usize, - tag: *mut ::core::ffi::c_uchar, - tag_len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function clears a GCM context and the underlying - /// cipher sub-context. + /// After a successful call to psa_aead_decrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_aead_verify(). + /// - A call to psa_aead_abort(). /// - /// \param ctx The GCM context to clear. If this is \c NULL, the call has - /// no effect. Otherwise, this must be initialized. - pub fn mbedtls_gcm_free(ctx: *mut mbedtls_gcm_context); -} -unsafe extern "C" { - /// \brief The GCM checkup routine. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_aead_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_gcm_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_DECRYPT: psa_encrypt_or_decrypt_t = 0; -pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_ENCRYPT: psa_encrypt_or_decrypt_t = 1; -/// For encrypt-decrypt functions, whether the operation is an encryption -/// or a decryption. -pub type psa_encrypt_or_decrypt_t = ::core::ffi::c_uint; -/// \brief MD5 context structure -/// -/// \warning MD5 is considered a weak message digest and its use -/// constitutes a security risk. We recommend considering -/// stronger message digests instead. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md5_context { - ///< number of bytes processed - pub private_total: [u32; 2usize], - ///< intermediate digest state - pub private_state: [u32; 4usize], - ///< data block being processed - pub private_buffer: [::core::ffi::c_uchar; 64usize], -} -impl Default for mbedtls_md5_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_decrypt_setup( + operation: *mut psa_aead_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Initialize MD5 context + /// Generate a random nonce for an authenticated encryption operation. /// - /// \param ctx MD5 context to be initialized + /// This function generates a random nonce for the authenticated encryption + /// operation with an appropriate size for the chosen algorithm, key type + /// and key size. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_init(ctx: *mut mbedtls_md5_context); -} -unsafe extern "C" { - /// \brief Clear MD5 context + /// The application must call psa_aead_encrypt_setup() before + /// calling this function. /// - /// \param ctx MD5 context to be cleared + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_free(ctx: *mut mbedtls_md5_context); + /// \param[in,out] operation Active AEAD operation. + /// \param[out] nonce Buffer where the generated nonce is to be + /// written. + /// \param nonce_size Size of the \p nonce buffer in bytes. + /// \param[out] nonce_length On success, the number of bytes of the + /// generated nonce. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p nonce buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active aead encrypt + /// operation, with no nonce set), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_generate_nonce( + operation: *mut psa_aead_operation_t, + nonce: *mut u8, + nonce_size: usize, + nonce_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Clone (the state of) an MD5 context + /// Set the nonce for an authenticated encryption or decryption operation. /// - /// \param dst The destination context - /// \param src The context to be cloned + /// This function sets the nonce for the authenticated + /// encryption or decryption operation. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_clone(dst: *mut mbedtls_md5_context, src: *const mbedtls_md5_context); -} -unsafe extern "C" { - /// \brief MD5 context setup + /// The application must call psa_aead_encrypt_setup() or + /// psa_aead_decrypt_setup() before calling this function. /// - /// \param ctx context to be initialized + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \note When encrypting, applications should use psa_aead_generate_nonce() + /// instead of this function, unless implementing a protocol that requires + /// a non-random IV. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_starts(ctx: *mut mbedtls_md5_context) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[in] nonce Buffer containing the nonce to use. + /// \param nonce_length Size of the nonce in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The size of \p nonce is not acceptable for the chosen algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with no nonce + /// set), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_set_nonce( + operation: *mut psa_aead_operation_t, + nonce: *const u8, + nonce_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief MD5 process buffer + /// Declare the lengths of the message and additional data for AEAD. /// - /// \param ctx MD5 context - /// \param input buffer holding the data - /// \param ilen length of the input data + /// The application must call this function before calling + /// psa_aead_update_ad() or psa_aead_update() if the algorithm for + /// the operation requires it. If the algorithm does not require it, + /// calling this function is optional, but if this function is called + /// then the implementation must enforce the lengths. /// - /// \return 0 if successful + /// You may call this function before or after setting the nonce with + /// psa_aead_set_nonce() or psa_aead_generate_nonce(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_update( - ctx: *mut mbedtls_md5_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief MD5 final digest + /// - For #PSA_ALG_CCM, calling this function is required. + /// - For the other AEAD algorithms defined in this specification, calling + /// this function is not required. + /// - For vendor-defined algorithm, refer to the vendor documentation. /// - /// \param ctx MD5 context - /// \param output MD5 checksum result + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \param[in,out] operation Active AEAD operation. + /// \param ad_length Size of the non-encrypted additional + /// authenticated data in bytes. + /// \param plaintext_length Size of the plaintext to encrypt in bytes. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_finish( - ctx: *mut mbedtls_md5_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// At least one of the lengths is not acceptable for the chosen + /// algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and + /// psa_aead_update_ad() and psa_aead_update() must not have been + /// called yet), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_set_lengths( + operation: *mut psa_aead_operation_t, + ad_length: usize, + plaintext_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief MD5 process data block (internal use only) + /// Pass additional data to an active AEAD operation. /// - /// \param ctx MD5 context - /// \param data buffer holding one block of data + /// Additional data is authenticated, but not encrypted. /// - /// \return 0 if successful + /// You may call this function multiple times to pass successive fragments + /// of the additional data. You may not call this function after passing + /// data to encrypt or decrypt with psa_aead_update(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_internal_md5_process( - ctx: *mut mbedtls_md5_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Output = MD5( input buffer ) + /// Before calling this function, you must: + /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). + /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). /// - /// \param input buffer holding the data - /// \param ilen length of the input data - /// \param output MD5 checksum result + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, + /// there is no guarantee that the input is valid. Therefore, until + /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS, + /// treat the input as untrusted and prepare to undo any action that + /// depends on the input if psa_aead_verify() returns an error status. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[in] input Buffer containing the fragment of + /// additional data. + /// \param input_length Size of the \p input buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total input length overflows the additional data length that + /// was previously specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, have a nonce + /// set, have lengths set if required by the algorithm, and + /// psa_aead_update() must not have been called yet), or the library + /// has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_update_ad( + operation: *mut psa_aead_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// Encrypt or decrypt a message fragment in an active AEAD operation. /// - /// \return 0 if successful, or 1 if the test failed + /// Before calling this function, you must: + /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). + /// The choice of setup function determines whether this function + /// encrypts or decrypts its input. + /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). + /// 3. Call psa_aead_update_ad() to pass all the additional data. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -/// \brief RIPEMD-160 context structure -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ripemd160_context { - ///< number of bytes processed - pub private_total: [u32; 2usize], - ///< intermediate digest state - pub private_state: [u32; 5usize], - ///< data block being processed - pub private_buffer: [::core::ffi::c_uchar; 64usize], -} -impl Default for mbedtls_ripemd160_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief Initialize RIPEMD-160 context + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \param ctx RIPEMD-160 context to be initialized - pub fn mbedtls_ripemd160_init(ctx: *mut mbedtls_ripemd160_context); -} -unsafe extern "C" { - /// \brief Clear RIPEMD-160 context + /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, + /// there is no guarantee that the input is valid. Therefore, until + /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS: + /// - Do not use the output in any way other than storing it in a + /// confidential location. If you take any action that depends + /// on the tentative decrypted data, this action will need to be + /// undone if the input turns out not to be valid. Furthermore, + /// if an adversary can observe that this action took place + /// (for example through timing), they may be able to use this + /// fact as an oracle to decrypt any message encrypted with the + /// same key. + /// - In particular, do not copy the output anywhere but to a + /// memory or storage space that you have exclusive access to. /// - /// \param ctx RIPEMD-160 context to be cleared - pub fn mbedtls_ripemd160_free(ctx: *mut mbedtls_ripemd160_context); + /// This function does not require the input to be aligned to any + /// particular block boundary. If the implementation can only process + /// a whole block at a time, it must consume all the input provided, but + /// it may delay the end of the corresponding output until a subsequent + /// call to psa_aead_update(), psa_aead_finish() or psa_aead_verify() + /// provides sufficient input. The amount of data that can be delayed + /// in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE. + /// + /// \param[in,out] operation Active AEAD operation. + /// \param[in] input Buffer containing the message fragment to + /// encrypt or decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, + /// \c alg, \p input_length) where + /// \c key_type is the type of key and \c alg is + /// the algorithm that were used to set up the + /// operation. + /// - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p + /// input_length) evaluates to the maximum + /// output size of any supported AEAD + /// algorithm. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or + /// #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to + /// determine the required buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total input length overflows the plaintext length that + /// was previously specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, have a nonce + /// set, and have lengths set if required by the algorithm), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_update( + operation: *mut psa_aead_operation_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Clone (the state of) a RIPEMD-160 context + /// Finish encrypting a message in an AEAD operation. /// - /// \param dst The destination context - /// \param src The context to be cloned - pub fn mbedtls_ripemd160_clone( - dst: *mut mbedtls_ripemd160_context, - src: *const mbedtls_ripemd160_context, - ); -} -unsafe extern "C" { - /// \brief RIPEMD-160 context setup + /// The operation must have been set up with psa_aead_encrypt_setup(). /// - /// \param ctx context to be initialized + /// This function finishes the authentication of the additional data + /// formed by concatenating the inputs passed to preceding calls to + /// psa_aead_update_ad() with the plaintext formed by concatenating the + /// inputs passed to preceding calls to psa_aead_update(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_starts(ctx: *mut mbedtls_ripemd160_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief RIPEMD-160 process buffer + /// This function has two output buffers: + /// - \p ciphertext contains trailing ciphertext that was buffered from + /// preceding calls to psa_aead_update(). + /// - \p tag contains the authentication tag. /// - /// \param ctx RIPEMD-160 context - /// \param input buffer holding the data - /// \param ilen length of the input data + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_update( - ctx: *mut mbedtls_ripemd160_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[out] ciphertext Buffer where the last part of the ciphertext + /// is to be written. + /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, + /// \c alg) where \c key_type is the type of key + /// and \c alg is the algorithm that were used to + /// set up the operation. + /// - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to + /// the maximum output size of any supported AEAD + /// algorithm. + /// \param[out] ciphertext_length On success, the number of bytes of + /// returned ciphertext. + /// \param[out] tag Buffer where the authentication tag is + /// to be written. + /// \param tag_size Size of the \p tag buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c + /// key_type, \c key_bits, \c alg) where + /// \c key_type and \c key_bits are the type and + /// bit-size of the key, and \c alg is the + /// algorithm that were used in the call to + /// psa_aead_encrypt_setup(). + /// - #PSA_AEAD_TAG_MAX_SIZE evaluates to the + /// maximum tag size of any supported AEAD + /// algorithm. + /// \param[out] tag_length On success, the number of bytes + /// that make up the returned tag. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p ciphertext or \p tag buffer is too small. + /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or + /// #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the + /// required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type, + /// \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to + /// determine the required \p tag buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total length of input to psa_aead_update() so far is + /// less than the plaintext length that was previously + /// specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active encryption + /// operation with a nonce set), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_finish( + operation: *mut psa_aead_operation_t, + ciphertext: *mut u8, + ciphertext_size: usize, + ciphertext_length: *mut usize, + tag: *mut u8, + tag_size: usize, + tag_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief RIPEMD-160 final digest + /// Finish authenticating and decrypting a message in an AEAD operation. /// - /// \param ctx RIPEMD-160 context - /// \param output RIPEMD-160 checksum result + /// The operation must have been set up with psa_aead_decrypt_setup(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_finish( - ctx: *mut mbedtls_ripemd160_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief RIPEMD-160 process data block (internal use only) + /// This function finishes the authenticated decryption of the message + /// components: /// - /// \param ctx RIPEMD-160 context - /// \param data buffer holding one block of data + /// - The additional data consisting of the concatenation of the inputs + /// passed to preceding calls to psa_aead_update_ad(). + /// - The ciphertext consisting of the concatenation of the inputs passed to + /// preceding calls to psa_aead_update(). + /// - The tag passed to this function call. /// - /// \return 0 if successful - pub fn mbedtls_internal_ripemd160_process( - ctx: *mut mbedtls_ripemd160_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Output = RIPEMD-160( input buffer ) + /// If the authentication tag is correct, this function outputs any remaining + /// plaintext and reports success. If the authentication tag is not correct, + /// this function returns #PSA_ERROR_INVALID_SIGNATURE. /// - /// \param input buffer holding the data - /// \param ilen length of the input data - /// \param output RIPEMD-160 checksum result + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual tag and the expected tag is performed + /// in constant time. + /// + /// \param[in,out] operation Active AEAD operation. + /// \param[out] plaintext Buffer where the last part of the plaintext + /// is to be written. This is the remaining data + /// from previous calls to psa_aead_update() + /// that could not be processed until the end + /// of the input. + /// \param plaintext_size Size of the \p plaintext buffer in bytes. + /// This must be appropriate for the selected algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, + /// \c alg) where \c key_type is the type of key + /// and \c alg is the algorithm that were used to + /// set up the operation. + /// - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to + /// the maximum output size of any supported AEAD + /// algorithm. + /// \param[out] plaintext_length On success, the number of bytes of + /// returned plaintext. + /// \param[in] tag Buffer containing the authentication tag. + /// \param tag_length Size of the \p tag buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculations were successful, but the authentication tag is + /// not correct. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p plaintext buffer is too small. + /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or + /// #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the + /// required buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total length of input to psa_aead_update() so far is + /// less than the plaintext length that was previously + /// specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active decryption + /// operation with a nonce set), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_verify( + operation: *mut psa_aead_operation_t, + plaintext: *mut u8, + plaintext_size: usize, + plaintext_length: *mut usize, + tag: *const u8, + tag_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// Abort an AEAD operation. /// - /// \return 0 if successful, or 1 if the test failed - pub fn mbedtls_ripemd160_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha1_context { - pub work_area: [::core::ffi::c_uchar; 208usize], -} -impl Default for mbedtls_sha1_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again. + /// + /// You may call this function any time after the operation object has + /// been initialized as described in #psa_aead_operation_t. + /// + /// In particular, calling psa_aead_abort() after the operation has been + /// terminated by a call to psa_aead_abort(), psa_aead_finish() or + /// psa_aead_verify() is safe and has no effect. + /// + /// \param[in,out] operation Initialized AEAD operation. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_abort(operation: *mut psa_aead_operation_t) -> psa_status_t; } unsafe extern "C" { - /// \brief This function initializes a SHA-1 context. - /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \brief Sign a message with a private key. For hash-and-sign algorithms, + /// this includes the hashing step. /// - /// \param ctx The SHA-1 context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_sha1_init(ctx: *mut mbedtls_sha1_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-1 context. + /// \note To perform a multi-part hash-and-sign signature algorithm, first use + /// a multi-part hash operation and then pass the resulting hash to + /// psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the + /// hash algorithm to use. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param[in] key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) + /// is true), that is compatible with the type of + /// \p key. + /// \param[in] input The input message to sign. + /// \param[in] input_length Size of the \p input buffer in bytes. + /// \param[out] signature Buffer where the signature is to be written. + /// \param[in] signature_size Size of the \p signature buffer in bytes. This + /// must be appropriate for the selected + /// algorithm and key: + /// - The required signature size is + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and + /// bit-size respectively of key. + /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the + /// maximum signature size of any supported + /// signature algorithm. + /// \param[out] signature_length On success, the number of bytes that make up + /// the returned signature value. /// - /// \param ctx The SHA-1 context to clear. This may be \c NULL, - /// in which case this function does nothing. If it is - /// not \c NULL, it must point to an initialized - /// SHA-1 context. - pub fn mbedtls_sha1_free(ctx: *mut mbedtls_sha1_context); + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, + /// or it does not permit the requested algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_message( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function clones the state of a SHA-1 context. + /// \brief Verify the signature of a message with a public key, using + /// a hash-and-sign verification algorithm. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \note To perform a multi-part hash-and-sign signature verification + /// algorithm, first use a multi-part hash operation to hash the message + /// and then pass the resulting hash to psa_verify_hash(). + /// PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm + /// to use. /// - /// \param dst The SHA-1 context to clone to. This must be initialized. - /// \param src The SHA-1 context to clone from. This must be initialized. - pub fn mbedtls_sha1_clone(dst: *mut mbedtls_sha1_context, src: *const mbedtls_sha1_context); + /// \param[in] key Identifier of the key to use for the operation. + /// It must be a public key or an asymmetric key + /// pair. The key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) + /// is true), that is compatible with the type of + /// \p key. + /// \param[in] input The message whose signature is to be verified. + /// \param[in] input_length Size of the \p input buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param[in] signature_length Size of the \p signature buffer in bytes. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, + /// or it does not permit the requested algorithm. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed signature + /// is not a valid signature. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_message( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a SHA-1 checksum calculation. + /// \brief Sign a hash or short message with a private key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// Note that to perform a hash-and-sign signature algorithm, you must + /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() + /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). + /// Then pass the resulting hash as the \p hash + /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) + /// to determine the hash algorithm to use. /// - /// \param ctx The SHA-1 context to initialize. This must be initialized. + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. + /// \param alg A signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message to sign. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[out] signature Buffer where the signature is to be written. + /// \param signature_size Size of the \p signature buffer in bytes. + /// \param[out] signature_length On success, the number of bytes + /// that make up the returned signature value. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_starts(ctx: *mut mbedtls_sha1_context) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing SHA-1 - /// checksum calculation. + /// \brief Verify the signature of a hash or short message using a public key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// Note that to perform a hash-and-sign signature algorithm, you must + /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() + /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). + /// Then pass the resulting hash as the \p hash + /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) + /// to determine the hash algorithm to use. /// - /// \param ctx The SHA-1 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the input data. - /// This must be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data \p input in Bytes. + /// \param key Identifier of the key to use for the operation. It + /// must be a public key or an asymmetric key pair. The + /// key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_HASH. + /// \param alg A signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message whose signature is to be + /// verified. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param signature_length Size of the \p signature buffer in bytes. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_update( - ctx: *mut mbedtls_sha1_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// The signature is valid. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed + /// signature is not a valid signature. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function finishes the SHA-1 operation, and writes - /// the result to the output buffer. + /// \brief Encrypt a short message with a public key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param key Identifier of the key to use for the operation. + /// It must be a public key or an asymmetric key + /// pair. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg An asymmetric encryption algorithm that is + /// compatible with the type of \p key. + /// \param[in] input The message to encrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] salt A salt or label, if supported by the + /// encryption algorithm. + /// If the algorithm does not support a + /// salt, pass \c NULL. + /// If the algorithm supports an optional + /// salt and you do not want to pass a salt, + /// pass \c NULL. /// - /// \param ctx The SHA-1 context to use. This must be initialized and - /// have a hash operation started. - /// \param output The SHA-1 checksum result. This must be a writable - /// buffer of length \c 20 Bytes. + /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is + /// supported. + /// \param salt_length Size of the \p salt buffer in bytes. + /// If \p salt is \c NULL, pass 0. + /// \param[out] output Buffer where the encrypted message is to + /// be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_finish( - ctx: *mut mbedtls_sha1_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_asymmetric_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + salt: *const u8, + salt_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief SHA-1 process data block (internal use only). + /// \brief Decrypt a short message with a private key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. It must + /// allow the usage #PSA_KEY_USAGE_DECRYPT. + /// \param alg An asymmetric encryption algorithm that is + /// compatible with the type of \p key. + /// \param[in] input The message to decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] salt A salt or label, if supported by the + /// encryption algorithm. + /// If the algorithm does not support a + /// salt, pass \c NULL. + /// If the algorithm supports an optional + /// salt and you do not want to pass a salt, + /// pass \c NULL. /// - /// \param ctx The SHA-1 context to use. This must be initialized. - /// \param data The data block being processed. This must be a - /// readable buffer of length \c 64 Bytes. + /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is + /// supported. + /// \param salt_length Size of the \p salt buffer in bytes. + /// If \p salt is \c NULL, pass 0. + /// \param[out] output Buffer where the decrypted message is to + /// be written. + /// \param output_size Size of the \c output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha1_process( - ctx: *mut mbedtls_sha1_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INVALID_PADDING \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_asymmetric_decrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + salt: *const u8, + salt_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } +/// The type of the state data structure for key derivation operations. +/// +/// Before calling any function on a key derivation operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_key_derivation_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_key_derivation_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT, +/// for example: +/// \code +/// psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_key_derivation_operation_init() +/// to the structure, for example: +/// \code +/// psa_key_derivation_operation_t operation; +/// operation = psa_key_derivation_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_key_derivation_operation_t = psa_key_derivation_s; unsafe extern "C" { - /// \brief This function calculates the SHA-1 checksum of a buffer. + /// Set up a key derivation operation. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// A key derivation algorithm takes some inputs and uses them to generate + /// a byte stream in a deterministic way. + /// This byte stream can be used to produce keys and other + /// cryptographic material. /// - /// The SHA-1 result is calculated as - /// output = SHA-1(input buffer). + /// To derive a key: + /// -# Start with an initialized object of type #psa_key_derivation_operation_t. + /// -# Call psa_key_derivation_setup() to select the algorithm. + /// -# Provide the inputs for the key derivation by calling + /// psa_key_derivation_input_bytes() or psa_key_derivation_input_key() + /// as appropriate. Which inputs are needed, in what order, and whether + /// they may be keys and if so of what type depends on the algorithm. + /// -# Optionally set the operation's maximum capacity with + /// psa_key_derivation_set_capacity(). You may do this before, in the middle + /// of or after providing inputs. For some algorithms, this step is mandatory + /// because the output depends on the maximum capacity. + /// -# To derive a key, call psa_key_derivation_output_key() or + /// psa_key_derivation_output_key_custom(). + /// To derive a byte string for a different purpose, call + /// psa_key_derivation_output_bytes(). + /// Successive calls to these functions use successive output bytes + /// calculated by the key derivation algorithm. + /// -# Clean up the key derivation operation object with + /// psa_key_derivation_abort(). /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// If this function returns an error, the key derivation operation object is + /// not changed. /// - /// \param input The buffer holding the input data. - /// This must be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data \p input in Bytes. - /// \param output The SHA-1 checksum result. - /// This must be a writable buffer of length \c 20 Bytes. + /// If an error occurs at any step after a call to psa_key_derivation_setup(), + /// the operation will need to be reset by a call to psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-1 checkup routine. + /// Implementations must reject an attempt to derive a key of size 0. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param[in,out] operation The key derivation operation object + /// to set up. It must + /// have been initialized but not set up yet. + /// \param alg The key derivation algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true). /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha1_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha256_context { - pub work_area: [::core::ffi::c_uchar; 208usize], - pub is224: ::core::ffi::c_uchar, -} -impl Default for mbedtls_sha256_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c alg is not a key derivation algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \c alg is not supported or is not a key derivation algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_setup( + operation: *mut psa_key_derivation_operation_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function initializes a SHA-256 context. + /// Retrieve the current capacity of a key derivation operation. /// - /// \param ctx The SHA-256 context to initialize. This must not be \c NULL. - pub fn mbedtls_sha256_init(ctx: *mut mbedtls_sha256_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-256 context. + /// The capacity of a key derivation is the maximum number of bytes that it can + /// return. When you get *N* bytes of output from a key derivation operation, + /// this reduces its capacity by *N*. /// - /// \param ctx The SHA-256 context to clear. This may be \c NULL, in which - /// case this function returns immediately. If it is not \c NULL, - /// it must point to an initialized SHA-256 context. - pub fn mbedtls_sha256_free(ctx: *mut mbedtls_sha256_context); -} -unsafe extern "C" { - /// \brief This function clones the state of a SHA-256 context. + /// \param[in] operation The operation to query. + /// \param[out] capacity On success, the capacity of the operation. /// - /// \param dst The destination context. This must be initialized. - /// \param src The context to clone. This must be initialized. - pub fn mbedtls_sha256_clone( - dst: *mut mbedtls_sha256_context, - src: *const mbedtls_sha256_context, - ); + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_get_capacity( + operation: *const psa_key_derivation_operation_t, + capacity: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a SHA-224 or SHA-256 checksum - /// calculation. + /// Set the maximum capacity of a key derivation operation. /// - /// \param ctx The context to use. This must be initialized. - /// \param is224 This determines which function to use. This must be - /// either \c 0 for SHA-256, or \c 1 for SHA-224. + /// The capacity of a key derivation operation is the maximum number of bytes + /// that the key derivation operation can return from this point onwards. /// - /// \note is224 must be defined accordingly to the enabled - /// MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the - /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// \param[in,out] operation The key derivation operation object to modify. + /// \param capacity The new capacity of the operation. + /// It must be less or equal to the operation's + /// current capacity. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_starts( - ctx: *mut mbedtls_sha256_context, - is224: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p capacity is larger than the operation's current capacity. + /// In this case, the operation object remains valid and its capacity + /// remains unchanged. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_set_capacity( + operation: *mut psa_key_derivation_operation_t, + capacity: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// SHA-256 checksum calculation. + /// Provide an input for key derivation or key agreement. /// - /// \param ctx The SHA-256 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the data. This must be a readable - /// buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. + /// Which inputs are required and in what order depends on the algorithm. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_update( - ctx: *mut mbedtls_sha256_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function finishes the SHA-256 operation, and writes - /// the result to the output buffer. + /// This function passes direct inputs, which is usually correct for + /// non-secret inputs. To pass a secret input, which should be in a key + /// object, call psa_key_derivation_input_key() instead of this function. + /// Refer to the documentation of individual step types + /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) + /// for more information. /// - /// \param ctx The SHA-256 context. This must be initialized - /// and have a hash operation started. - /// \param output The SHA-224 or SHA-256 checksum result. - /// This must be a writable buffer of length \c 32 bytes - /// for SHA-256, \c 28 bytes for SHA-224. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_finish( - ctx: *mut mbedtls_sha256_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param[in] data Input data to use. + /// \param data_length Size of the \p data buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow direct inputs. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_bytes( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + data: *const u8, + data_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function processes a single data block within - /// the ongoing SHA-256 computation. This function is for - /// internal use only. + /// Provide a numeric input for key derivation or key agreement. /// - /// \param ctx The SHA-256 context. This must be initialized. - /// \param data The buffer holding one block of data. This must - /// be a readable buffer of length \c 64 Bytes. + /// Which inputs are required and in what order depends on the algorithm. + /// However, when an algorithm requires a particular order, numeric inputs + /// usually come first as they tend to be configuration parameters. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha256_process( - ctx: *mut mbedtls_sha256_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// This function is used for inputs which are fixed-size non-negative + /// integers. + /// + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param[in] value The value of the numeric input. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow numeric inputs. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_integer( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + value: u64, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function calculates the SHA-224 or SHA-256 - /// checksum of a buffer. + /// Provide an input for key derivation in the form of a key. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// Which inputs are required and in what order depends on the algorithm. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// The SHA-256 result is calculated as - /// output = SHA-256(input buffer). + /// This function obtains input from a key object, which is usually correct for + /// secret inputs or for non-secret personalization strings kept in the key + /// store. To pass a non-secret parameter which is not in the key store, + /// call psa_key_derivation_input_bytes() instead of this function. + /// Refer to the documentation of individual step types + /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) + /// for more information. /// - /// \param input The buffer holding the data. This must be a readable - /// buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. - /// \param output The SHA-224 or SHA-256 checksum result. - /// This must be a writable buffer of length \c 32 bytes - /// for SHA-256, \c 28 bytes for SHA-224. - /// \param is224 Determines which function to use. This must be - /// either \c 0 for SHA-256, or \c 1 for SHA-224. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param key Identifier of the key. It must have an + /// appropriate type for step and must allow the + /// usage #PSA_KEY_USAGE_DERIVE or + /// #PSA_KEY_USAGE_VERIFY_DERIVATION (see note) + /// and the algorithm used by the operation. + /// + /// \note Once all inputs steps are completed, the operations will allow: + /// - psa_key_derivation_output_bytes() if each input was either a direct input + /// or a key with #PSA_KEY_USAGE_DERIVE set; + /// - psa_key_derivation_output_key() or psa_key_derivation_output_key_custom() + /// if the input for step + /// #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD + /// was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was + /// either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; + /// - psa_key_derivation_verify_bytes() if each input was either a direct input + /// or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; + /// - psa_key_derivation_verify_key() under the same conditions as + /// psa_key_derivation_verify_bytes(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - is224: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key allows neither #PSA_KEY_USAGE_DERIVE nor + /// #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this + /// algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow key inputs of the given type + /// or does not allow key inputs at all. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_key( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + key: mbedtls_svc_key_id_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief The SHA-224 checkup routine. + /// Perform a key agreement and use the shared secret as input to a key + /// derivation. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha224_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-256 checkup routine. + /// A key agreement algorithm takes two inputs: a private key \p private_key + /// a public key \p peer_key. + /// The result of this function is passed as input to a key derivation. + /// The output of this key derivation can be extracted by reading from the + /// resulting operation to produce keys and other cryptographic material. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha256_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha512_context { - pub work_area: [::core::ffi::c_uchar; 304usize], - pub is384: ::core::ffi::c_uchar, -} -impl Default for mbedtls_sha512_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief This function initializes a SHA-512 context. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \param ctx The SHA-512 context to initialize. This must - /// not be \c NULL. - pub fn mbedtls_sha512_init(ctx: *mut mbedtls_sha512_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-512 context. + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() with a + /// key agreement and derivation algorithm + /// \c alg (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true + /// and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg) + /// is false). + /// The operation must be ready for an + /// input of the type given by \p step. + /// \param step Which step the input data is for. + /// \param private_key Identifier of the private key to use. It must + /// allow the usage #PSA_KEY_USAGE_DERIVE. + /// \param[in] peer_key Public key of the peer. The peer key must be in the + /// same format that psa_import_key() accepts for the + /// public key type corresponding to the type of + /// private_key. That is, this function performs the + /// equivalent of + /// #psa_import_key(..., + /// `peer_key`, `peer_key_length`) where + /// with key attributes indicating the public key + /// type corresponding to the type of `private_key`. + /// For example, for EC keys, this means that peer_key + /// is interpreted as a point on the curve that the + /// private key is on. The standard formats for public + /// keys are documented in the documentation of + /// psa_export_public_key(). + /// \param peer_key_length Size of \p peer_key in bytes. /// - /// \param ctx The SHA-512 context to clear. This may be \c NULL, - /// in which case this function does nothing. If it - /// is not \c NULL, it must point to an initialized - /// SHA-512 context. - pub fn mbedtls_sha512_free(ctx: *mut mbedtls_sha512_context); + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c private_key is not compatible with \c alg, + /// or \p peer_key is not valid for \c alg or not compatible with + /// \c private_key, or \c step does not allow an input resulting + /// from a key agreement. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \c alg is not supported or is not a key derivation algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this key agreement \p step, + /// or the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_key_agreement( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + private_key: mbedtls_svc_key_id_t, + peer_key: *const u8, + peer_key_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function clones the state of a SHA-512 context. + /// Read some data from a key derivation operation. /// - /// \param dst The destination context. This must be initialized. - /// \param src The context to clone. This must be initialized. - pub fn mbedtls_sha512_clone( - dst: *mut mbedtls_sha512_context, - src: *const mbedtls_sha512_context, - ); -} -unsafe extern "C" { - /// \brief This function starts a SHA-384 or SHA-512 checksum - /// calculation. + /// This function calculates output bytes from a key derivation algorithm and + /// return those bytes. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the requested number of bytes from the + /// stream. + /// The operation's capacity decreases by the number of bytes read. /// - /// \param ctx The SHA-512 context to use. This must be initialized. - /// \param is384 Determines which function to use. This must be - /// either \c 0 for SHA-512, or \c 1 for SHA-384. + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \note is384 must be defined accordingly to the enabled - /// MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the - /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[out] output Buffer where the output will be written. + /// \param output_length Number of bytes to output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_starts( - ctx: *mut mbedtls_sha512_context, - is384: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// One of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// \p output_length bytes. Note that in this case, + /// no output is written to the output buffer. + /// The operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_bytes( + operation: *mut psa_key_derivation_operation_t, + output: *mut u8, + output_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// SHA-512 checksum calculation. + /// Derive a key from an ongoing key derivation operation. /// - /// \param ctx The SHA-512 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the input data. This must - /// be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. + /// This function calculates output bytes from a key derivation algorithm + /// and uses those bytes to generate a key deterministically. + /// The key's location, usage policy, type and size are taken from + /// \p attributes. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_update( - ctx: *mut mbedtls_sha512_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function finishes the SHA-512 operation, and writes - /// the result to the output buffer. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads as many bytes as required from the + /// stream. + /// The operation's capacity decreases by the number of bytes read. /// - /// \param ctx The SHA-512 context. This must be initialized - /// and have a hash operation started. - /// \param output The SHA-384 or SHA-512 checksum result. - /// This must be a writable buffer of length \c 64 bytes - /// for SHA-512, \c 48 bytes for SHA-384. + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_finish( - ctx: *mut mbedtls_sha512_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function processes a single data block within - /// the ongoing SHA-512 computation. - /// This function is for internal use only. + /// How much output is produced and consumed from the operation, and how + /// the key is derived, depends on the key type and on the key size + /// (denoted \c bits below): /// - /// \param ctx The SHA-512 context. This must be initialized. - /// \param data The buffer holding one block of data. This - /// must be a readable buffer of length \c 128 Bytes. + /// - For key types for which the key is an arbitrary sequence of bytes + /// of a given size, this function is functionally equivalent to + /// calling #psa_key_derivation_output_bytes + /// and passing the resulting output to #psa_import_key. + /// However, this function has a security benefit: + /// if the implementation provides an isolation boundary then + /// the key material is not exposed outside the isolation boundary. + /// As a consequence, for these key types, this function always consumes + /// exactly (\c bits / 8) bytes from the operation. + /// The following key types defined in this specification follow this scheme: /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha512_process( - ctx: *mut mbedtls_sha512_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function calculates the SHA-512 or SHA-384 - /// checksum of a buffer. + /// - #PSA_KEY_TYPE_AES; + /// - #PSA_KEY_TYPE_ARIA; + /// - #PSA_KEY_TYPE_CAMELLIA; + /// - #PSA_KEY_TYPE_DERIVE; + /// - #PSA_KEY_TYPE_HMAC; + /// - #PSA_KEY_TYPE_PASSWORD_HASH. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// - For ECC keys on a Montgomery elliptic curve + /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a + /// Montgomery curve), this function always draws a byte string whose + /// length is determined by the curve, and sets the mandatory bits + /// accordingly. That is: /// - /// The SHA-512 result is calculated as - /// output = SHA-512(input buffer). + /// - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte + /// string and process it as specified in RFC 7748 §5. + /// - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte + /// string and process it as specified in RFC 7748 §5. /// - /// \param input The buffer holding the input data. This must be - /// a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. - /// \param output The SHA-384 or SHA-512 checksum result. - /// This must be a writable buffer of length \c 64 bytes - /// for SHA-512, \c 48 bytes for SHA-384. - /// \param is384 Determines which function to use. This must be either - /// \c 0 for SHA-512, or \c 1 for SHA-384. + /// - For key types for which the key is represented by a single sequence of + /// \c bits bits with constraints as to which bit sequences are acceptable, + /// this function draws a byte string of length (\c bits / 8) bytes rounded + /// up to the nearest whole number of bytes. If the resulting byte string + /// is acceptable, it becomes the key, otherwise the drawn bytes are discarded. + /// This process is repeated until an acceptable byte string is drawn. + /// The byte string drawn from the operation is interpreted as specified + /// for the output produced by psa_export_key(). + /// The following key types defined in this specification follow this scheme: /// - /// \note is384 must be defined accordingly with the supported - /// symbols in the config file. If: - /// - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or - /// - is384 is 1, but \c MBEDTLS_SHA512_C is not defined - /// then the function will return - /// #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// - #PSA_KEY_TYPE_DES. + /// Force-set the parity bits, but discard forbidden weak keys. + /// For 2-key and 3-key triple-DES, the three keys are generated + /// successively (for example, for 3-key triple-DES, + /// if the first 8 bytes specify a weak key and the next 8 bytes do not, + /// discard the first 8 bytes, use the next 8 bytes as the first key, + /// and continue reading output from the operation to derive the other + /// two keys). + /// - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group) + /// where \c group designates any Diffie-Hellman group) and + /// ECC keys on a Weierstrass elliptic curve + /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a + /// Weierstrass curve). + /// For these key types, interpret the byte string as integer + /// in big-endian order. Discard it if it is not in the range + /// [0, *N* - 2] where *N* is the boundary of the private key domain + /// (the prime *p* for Diffie-Hellman, the subprime *q* for DSA, + /// or the order of the curve's base point for ECC). + /// Add 1 to the resulting integer and use this as the private key *x*. + /// This method allows compliance to NIST standards, specifically + /// the methods titled "key-pair generation by testing candidates" + /// in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman, + /// in FIPS 186-4 §B.1.2 for DSA, and + /// in NIST SP 800-56A §5.6.1.2.2 or + /// FIPS 186-4 §B.4.2 for elliptic curve keys. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - is384: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-384 checkup routine. + /// - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR, + /// the way in which the operation output is consumed is + /// implementation-defined. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha384_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-512 checkup routine. + /// In all cases, the data that is read is discarded from the operation. + /// The operation's capacity is decreased by the number of bytes read. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha512_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_hash_operation_t { - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - pub private_ctx: mbedtls_psa_hash_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union mbedtls_psa_hash_operation_t__bindgen_ty_1 { - pub dummy: ::core::ffi::c_uint, - pub md5: mbedtls_md5_context, - pub ripemd160: mbedtls_ripemd160_context, - pub sha1: mbedtls_sha1_context, - pub sha256: mbedtls_sha256_context, - pub sha512: mbedtls_sha512_context, -} -impl Default for mbedtls_psa_hash_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_hash_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_cipher_operation_t { - pub private_alg: psa_algorithm_t, - pub private_iv_length: u8, - pub private_block_length: u8, - pub private_ctx: mbedtls_psa_cipher_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_cipher_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_cipher: mbedtls_cipher_context_t, -} -impl Default for mbedtls_psa_cipher_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_cipher_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_driver_hash_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_hash_operation_t, -} -impl Default for psa_driver_hash_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_cipher_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_cipher_operation_t, -} -impl Default for psa_driver_cipher_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_hash_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_driver_wrappers.h. - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. the driver context is not active, in use). - pub private_id: ::core::ffi::c_uint, - pub __bindgen_padding_0: u64, - pub private_ctx: psa_driver_hash_context_t, -} -impl Default for psa_hash_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_cipher_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_default_iv_length: u8, - pub private_ctx: psa_driver_cipher_context_t, + /// For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET, + /// the input to that step must be provided with psa_key_derivation_input_key(). + /// Future versions of this specification may include additional restrictions + /// on the derived key based on the attributes and strength of the secret key. + /// + /// \note This function is equivalent to calling + /// psa_key_derivation_output_key_custom() + /// with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// and `custom_data_length == 0` (i.e. `custom_data` is empty). + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl Default for psa_cipher_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Derive a key from an ongoing key derivation operation with custom + /// production parameters. + /// + /// See the description of psa_key_derivation_out_key() for the operation of + /// this function with the default production parameters. + /// Mbed TLS currently does not currently support any non-default production + /// parameters. + /// + /// \note This function is experimental and may change in future minor + /// versions of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] custom Customization parameters for the key generation. + /// When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// with \p custom_data_length = 0, + /// this function is equivalent to + /// psa_key_derivation_output_key(). + /// \param[in] custom_data Variable-length data associated with \c custom. + /// \param custom_data_length + /// Length of `custom_data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key_custom( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + custom: *const psa_custom_key_parameters_t, + custom_data: *const u8, + custom_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl psa_cipher_operation_s { - #[inline] - pub fn private_iv_required(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_iv_required(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_iv_required_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_iv_required_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_iv_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_iv_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(1usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_iv_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 1usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_iv_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 1usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_iv_required: ::core::ffi::c_uint, - private_iv_set: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_iv_required: u32 = unsafe { ::core::mem::transmute(private_iv_required) }; - private_iv_required as u64 - }); - __bindgen_bitfield_unit.set(1usize, 1u8, { - let private_iv_set: u32 = unsafe { ::core::mem::transmute(private_iv_set) }; - private_iv_set as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Derive a key from an ongoing key derivation operation with custom + /// production parameters. + /// + /// \note + /// This is a deprecated variant of psa_key_derivation_output_key_custom(). + /// It is equivalent except that the associated variable-length data + /// is passed in `params->data` instead of a separate parameter. + /// This function will be removed in a future version of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] params Customization parameters for the key derivation. + /// When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + /// with \p params_data_length = 0, + /// this function is equivalent to + /// psa_key_derivation_output_key(). + /// Mbed TLS currently only supports the default + /// production parameters, i.e. + /// #PSA_KEY_PRODUCTION_PARAMETERS_INIT, + /// for all key types. + /// \param params_data_length + /// Length of `params->data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key_ext( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + params: *const psa_key_production_parameters_t, + params_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_hmac_operation_t { - /// The HMAC algorithm in use - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - /// The hash context. - pub hash_ctx: psa_hash_operation_s, - /// The HMAC part of the context. - pub private_opad: [u8; 128usize], +unsafe extern "C" { + /// Compare output data from a key derivation operation to an expected value. + /// + /// This function calculates output bytes from a key derivation algorithm and + /// compares those bytes to an expected value in constant time. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the expected number of bytes from the + /// stream before comparing them. + /// The operation's capacity decreases by the number of bytes read. + /// + /// This is functionally equivalent to the following code: + /// \code + /// psa_key_derivation_output_bytes(operation, tmp, output_length); + /// if (memcmp(output, tmp, output_length) != 0) + /// return PSA_ERROR_INVALID_SIGNATURE; + /// \endcode + /// except (1) it works even if the key's policy does not allow outputting the + /// bytes, and (2) the comparison will be done in constant time. + /// + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + /// the operation enters an error state and must be aborted by calling + /// psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] expected Buffer containing the expected derivation output. + /// \param expected_length Length of the expected output; this is also the + /// number of bytes that will be read. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The output was read successfully, but it differs from the expected + /// output. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// One of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_VERIFY_DERIVATION. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// \p output_length bytes. Note that in this case, + /// the operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller expected output. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_verify_bytes( + operation: *mut psa_key_derivation_operation_t, + expected: *const u8, + expected_length: usize, + ) -> psa_status_t; } -impl Default for mbedtls_psa_hmac_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Compare output data from a key derivation operation to an expected value + /// stored in a key object. + /// + /// This function calculates output bytes from a key derivation algorithm and + /// compares those bytes to an expected value, provided as key of type + /// #PSA_KEY_TYPE_PASSWORD_HASH. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the number of bytes corresponding to the + /// length of the expected value from the stream before comparing them. + /// The operation's capacity decreases by the number of bytes read. + /// + /// This is functionally equivalent to exporting the key and calling + /// psa_key_derivation_verify_bytes() on the result, except that it + /// works even if the key cannot be exported. + /// + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + /// the operation enters an error state and must be aborted by calling + /// psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH + /// containing the expected output. Its policy must + /// include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag + /// and the permitted algorithm must match the + /// operation. The value of this key was likely + /// computed by a previous call to + /// psa_key_derivation_output_key() or + /// psa_key_derivation_output_key_custom(). + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The output was read successfully, but if differs from the expected + /// output. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// The key passed as the expected value does not exist. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key passed as the expected value has an invalid type. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key passed as the expected value does not allow this usage or + /// this algorithm; or one of the inputs was a key whose policy didn't + /// allow #PSA_KEY_USAGE_VERIFY_DERIVATION. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// the length of the expected value. In this case, + /// the operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller expected output. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_verify_key( + operation: *mut psa_key_derivation_operation_t, + expected: psa_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_mac_operation_t { - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - pub private_ctx: mbedtls_psa_mac_operation_t__bindgen_ty_1, +unsafe extern "C" { + /// Abort a key derivation operation. + /// + /// Aborting an operation frees all associated resources except for the \c + /// operation structure itself. Once aborted, the operation object can be reused + /// for another operation by calling psa_key_derivation_setup() again. + /// + /// This function may be called at any time after the operation + /// object has been initialized as described in #psa_key_derivation_operation_t. + /// + /// In particular, it is valid to call psa_key_derivation_abort() twice, or to + /// call psa_key_derivation_abort() on an operation that has not been set up. + /// + /// \param[in,out] operation The operation to abort. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_abort(operation: *mut psa_key_derivation_operation_t) + -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union mbedtls_psa_mac_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_hmac: mbedtls_psa_hmac_operation_t, - pub private_cmac: mbedtls_cipher_context_t, +unsafe extern "C" { + /// Perform a key agreement and return the raw shared secret. + /// + /// \warning The raw result of a key agreement algorithm such as finite-field + /// Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should + /// not be used directly as key material. It should instead be passed as + /// input to a key derivation algorithm. To chain a key agreement with + /// a key derivation, use psa_key_derivation_key_agreement() and other + /// functions from the key derivation interface. + /// + /// \param alg The key agreement algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg) + /// is true). + /// \param private_key Identifier of the private key to use. It must + /// allow the usage #PSA_KEY_USAGE_DERIVE. + /// \param[in] peer_key Public key of the peer. It must be + /// in the same format that psa_import_key() + /// accepts. The standard formats for public + /// keys are documented in the documentation + /// of psa_export_public_key(). + /// \param peer_key_length Size of \p peer_key in bytes. + /// \param[out] output Buffer where the decrypted message is to + /// be written. + /// \param output_size Size of the \c output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p alg is not a key agreement algorithm, or + /// \p private_key is not compatible with \p alg, + /// or \p peer_key is not valid for \p alg or not compatible with + /// \p private_key. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p output_size is too small + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not a supported key agreement algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_raw_key_agreement( + alg: psa_algorithm_t, + private_key: mbedtls_svc_key_id_t, + peer_key: *const u8, + peer_key_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Generate random bytes. + /// + /// \warning This function **can** fail! Callers MUST check the return status + /// and MUST NOT use the content of the output buffer if the return + /// status is not #PSA_SUCCESS. + /// + /// \note To generate a key, use psa_generate_key() instead. + /// + /// \param[out] output Output buffer for the generated data. + /// \param output_size Number of bytes to generate and output. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_random(output: *mut u8, output_size: usize) -> psa_status_t; } -impl Default for mbedtls_psa_mac_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Generate a key or key pair. + /// + /// The key is generated randomly. + /// Its location, usage policy, type and size are taken from \p attributes. + /// + /// Implementations must reject an attempt to generate a key of size 0. + /// + /// The following type-specific considerations apply: + /// - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), + /// the public exponent is 65537. + /// The modulus is a product of two probabilistic primes + /// between 2^{n-1} and 2^n where n is the bit size specified in the + /// attributes. + /// + /// \note This function is equivalent to calling psa_generate_key_custom() + /// with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// and `custom_data_length == 0` (i.e. `custom_data` is empty). + /// + /// \param[in] attributes The attributes for the new key. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key( + attributes: *const psa_key_attributes_t, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl Default for mbedtls_psa_mac_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Generate a key or key pair using custom production parameters. + /// + /// See the description of psa_generate_key() for the operation of this + /// function with the default production parameters. In addition, this function + /// supports the following production customizations, described in more detail + /// in the documentation of ::psa_custom_key_parameters_t: + /// + /// - RSA keys: generation with a custom public exponent. + /// + /// \note This function is experimental and may change in future minor + /// versions of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// \param[in] custom Customization parameters for the key generation. + /// When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// with \p custom_data_length = 0, + /// this function is equivalent to + /// psa_generate_key(). + /// \param[in] custom_data Variable-length data associated with \c custom. + /// \param custom_data_length + /// Length of `custom_data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key_custom( + attributes: *const psa_key_attributes_t, + custom: *const psa_custom_key_parameters_t, + custom_data: *const u8, + custom_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_aead_operation_t { - pub private_alg: psa_algorithm_t, - pub private_key_type: psa_key_type_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_tag_length: u8, - pub ctx: mbedtls_psa_aead_operation_t__bindgen_ty_1, +unsafe extern "C" { + /// \brief Generate a key or key pair using custom production parameters. + /// + /// \note + /// This is a deprecated variant of psa_key_derivation_output_key_custom(). + /// It is equivalent except that the associated variable-length data + /// is passed in `params->data` instead of a separate parameter. + /// This function will be removed in a future version of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// \param[in] params Customization parameters for the key generation. + /// When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + /// with \p params_data_length = 0, + /// this function is equivalent to + /// psa_generate_key(). + /// \param params_data_length + /// Length of `params->data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key_ext( + attributes: *const psa_key_attributes_t, + params: *const psa_key_production_parameters_t, + params_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_aead_operation_t__bindgen_ty_1 { - pub dummy: ::core::ffi::c_uint, - pub private_ccm: mbedtls_ccm_context, - pub private_gcm: mbedtls_gcm_context, - pub private_chachapoly: mbedtls_chachapoly_context, +/// The type of the state data structure for interruptible hash +/// signing operations. +/// +/// Before calling any function on a sign hash operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer +/// #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation = +/// PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function +/// psa_sign_hash_interruptible_operation_init() to the structure, for +/// example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation; +/// operation = psa_sign_hash_interruptible_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_sign_hash_interruptible_operation_t = psa_sign_hash_interruptible_operation_s; +/// The type of the state data structure for interruptible hash +/// verification operations. +/// +/// Before calling any function on a sign hash operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer +/// #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation = +/// PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function +/// psa_verify_hash_interruptible_operation_init() to the structure, for +/// example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation; +/// operation = psa_verify_hash_interruptible_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_verify_hash_interruptible_operation_t = psa_verify_hash_interruptible_operation_s; +unsafe extern "C" { + /// \brief Set the maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note The time taken to execute a single op is + /// implementation specific and depends on + /// software, hardware, the algorithm, key type and + /// curve chosen. Even within a single operation, + /// successive ops can take differing amounts of + /// time. The only guarantee is that lower values + /// for \p max_ops means functions will block for a + /// lesser maximum amount of time. The functions + /// \c psa_sign_interruptible_get_num_ops() and + /// \c psa_verify_interruptible_get_num_ops() are + /// provided to help with tuning this value. + /// + /// \note This value defaults to + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which + /// means the whole operation will be done in one + /// go, regardless of the number of ops required. + /// + /// \note If more ops are needed to complete a + /// computation, #PSA_OPERATION_INCOMPLETE will be + /// returned by the function performing the + /// computation. It is then the caller's + /// responsibility to either call again with the + /// same operation context until it returns 0 or an + /// error code; or to call the relevant abort + /// function if the answer is no longer required. + /// + /// \note The interpretation of \p max_ops is also + /// implementation defined. On a hard real time + /// system, this can indicate a hard deadline, as a + /// real-time system needs a guarantee of not + /// spending more than X time, however care must be + /// taken in such an implementation to avoid the + /// situation whereby calls just return, not being + /// able to do any actual work within the allotted + /// time. On a non-real-time system, the + /// implementation can be more relaxed, but again + /// whether this number should be interpreted as as + /// hard or soft limit or even whether a less than + /// or equals as regards to ops executed in a + /// single call is implementation defined. + /// + /// \note For keys in local storage when no accelerator + /// driver applies, please see also the + /// documentation for \c mbedtls_ecp_set_max_ops(), + /// which is the internal implementation in these + /// cases. + /// + /// \warning With implementations that interpret this number + /// as a hard limit, setting this number too small + /// may result in an infinite loop, whereby each + /// call results in immediate return with no ops + /// done (as there is not enough time to execute + /// any), and thus no result will ever be achieved. + /// + /// \note This only applies to functions whose + /// documentation mentions they may return + /// #PSA_OPERATION_INCOMPLETE. + /// + /// \param max_ops The maximum number of ops to be executed in a + /// single call. This can be a number from 0 to + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 + /// is the least amount of work done per call. + pub fn psa_interruptible_set_max_ops(max_ops: u32); } -impl Default for mbedtls_psa_aead_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Get the maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. This will return the last + /// value set by + /// \c psa_interruptible_set_max_ops() or + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if + /// that function has never been called. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \return Maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. + pub fn psa_interruptible_get_max_ops() -> u32; } -impl Default for mbedtls_psa_aead_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Get the number of ops that a hash signing + /// operation has taken so far. If the operation + /// has completed, then this will represent the + /// number of ops required for the entire + /// operation. After initialization or calling + /// \c psa_sign_hash_interruptible_abort() on + /// the operation, a value of 0 will be returned. + /// + /// \note This interface is guaranteed re-entrant and + /// thus may be called from driver code. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// This is a helper provided to help you tune the + /// value passed to \c + /// psa_interruptible_set_max_ops(). + /// + /// \param operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \return Number of ops that the operation has taken so + /// far. + pub fn psa_sign_hash_get_num_ops( + operation: *const psa_sign_hash_interruptible_operation_t, + ) -> u32; } -impl mbedtls_psa_aead_operation_t { - #[inline] - pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_is_encrypt: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; - private_is_encrypt as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// \brief Get the number of ops that a hash verification + /// operation has taken so far. If the operation + /// has completed, then this will represent the + /// number of ops required for the entire + /// operation. After initialization or calling \c + /// psa_verify_hash_interruptible_abort() on the + /// operation, a value of 0 will be returned. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// This is a helper provided to help you tune the + /// value passed to \c + /// psa_interruptible_set_max_ops(). + /// + /// \param operation The \c + /// psa_verify_hash_interruptible_operation_t to + /// use. This must be initialized first. + /// + /// \return Number of ops that the operation has taken so + /// far. + pub fn psa_verify_hash_get_num_ops( + operation: *const psa_verify_hash_interruptible_operation_t, + ) -> u32; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_sign_hash_interruptible_operation_t { - pub private_dummy: ::core::ffi::c_uint, +unsafe extern "C" { + /// \brief Start signing a hash or short message with a + /// private key, in an interruptible manner. + /// + /// \see \c psa_sign_hash_complete() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_sign_hash_complete() is equivalent to + /// \c psa_sign_hash() but + /// \c psa_sign_hash_complete() can return early and + /// resume according to the limit set with \c + /// psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function call. + /// + /// \note Users should call \c psa_sign_hash_complete() + /// repeatedly on the same context after a + /// successful call to this function until \c + /// psa_sign_hash_complete() either returns 0 or an + /// error. \c psa_sign_hash_complete() will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_sign_hash_abort() at any point if they no + /// longer want the result. + /// + /// \note If this function returns an error status, the + /// operation enters an error state and must be + /// aborted by calling \c psa_sign_hash_abort(). + /// + /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. + /// \param alg A signature algorithm (\c PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message to sign. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The operation started successfully - call \c psa_sign_hash_complete() + /// with the same context to complete the operation + /// + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does + /// not permit the requested algorithm. + /// \retval #PSA_ERROR_BAD_STATE + /// An operation has previously been started on this context, and is + /// still in progress. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash_start( + operation: *mut psa_sign_hash_interruptible_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_verify_hash_interruptible_operation_t { - pub private_dummy: ::core::ffi::c_uint, +unsafe extern "C" { + /// \brief Continue and eventually complete the action of + /// signing a hash or short message with a private + /// key, in an interruptible manner. + /// + /// \see \c psa_sign_hash_start() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_sign_hash_start() is equivalent to + /// \c psa_sign_hash() but this function can return + /// early and resume according to the limit set with + /// \c psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function call. + /// + /// \note Users should call this function on the same + /// operation object repeatedly until it either + /// returns 0 or an error. This function will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_sign_hash_abort() at any point if they no + /// longer want the result. + /// + /// \note When this function returns successfully, the + /// operation becomes inactive. If this function + /// returns an error status, the operation enters an + /// error state and must be aborted by calling + /// \c psa_sign_hash_abort(). + /// + /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first, and have + /// had \c psa_sign_hash_start() called with it + /// first. + /// + /// \param[out] signature Buffer where the signature is to be written. + /// \param signature_size Size of the \p signature buffer in bytes. This + /// must be appropriate for the selected + /// algorithm and key: + /// - The required signature size is + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c + /// key_bits, \c alg) where \c key_type and \c + /// key_bits are the type and bit-size + /// respectively of key. + /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the + /// maximum signature size of any supported + /// signature algorithm. + /// \param[out] signature_length On success, the number of bytes that make up + /// the returned signature value. + /// + /// \retval #PSA_SUCCESS + /// Operation completed successfully + /// + /// \retval #PSA_OPERATION_INCOMPLETE + /// Operation was interrupted due to the setting of \c + /// psa_interruptible_set_max_ops(). There is still work to be done. + /// Call this function again with the same operation object. + /// + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \c alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \c key. + /// + /// \retval #PSA_ERROR_BAD_STATE + /// An operation was not previously started on this context via + /// \c psa_sign_hash_start(). + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has either not been previously initialized by + /// psa_crypto_init() or you did not previously call + /// psa_sign_hash_start() with this operation object. It is + /// implementation-dependent whether a failure to initialize results in + /// this error code. + pub fn psa_sign_hash_complete( + operation: *mut psa_sign_hash_interruptible_operation_t, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } -///< Client -pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_CLIENT: mbedtls_ecjpake_role = 0; -///< Server -pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_SERVER: mbedtls_ecjpake_role = 1; -/// Roles in the EC J-PAKE exchange -pub type mbedtls_ecjpake_role = ::core::ffi::c_uint; -/// EC J-PAKE context structure. -/// -/// J-PAKE is a symmetric protocol, except for the identifiers used in -/// Zero-Knowledge Proofs, and the serialization of the second message -/// (KeyExchange) as defined by the Thread spec. -/// -/// In order to benefit from this symmetry, we choose a different naming -/// convention from the Thread v1.0 spec. Correspondence is indicated in the -/// description as a pair C: client name, S: server name -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecjpake_context { - ///< Hash to use - pub private_md_type: mbedtls_md_type_t, - ///< Elliptic curve - pub private_grp: mbedtls_ecp_group, - ///< Are we client or server? - pub private_role: mbedtls_ecjpake_role, - ///< Format for point export - pub private_point_format: ::core::ffi::c_int, - ///< My public key 1 C: X1, S: X3 - pub private_Xm1: mbedtls_ecp_point, - ///< My public key 2 C: X2, S: X4 - pub private_Xm2: mbedtls_ecp_point, - ///< Peer public key 1 C: X3, S: X1 - pub private_Xp1: mbedtls_ecp_point, - ///< Peer public key 2 C: X4, S: X2 - pub private_Xp2: mbedtls_ecp_point, - ///< Peer public key C: Xs, S: Xc - pub private_Xp: mbedtls_ecp_point, - ///< My private key 1 C: x1, S: x3 - pub private_xm1: mbedtls_mpi, - ///< My private key 2 C: x2, S: x4 - pub private_xm2: mbedtls_mpi, - ///< Pre-shared secret (passphrase) - pub private_s: mbedtls_mpi, +unsafe extern "C" { + /// \brief Abort a sign hash operation. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function is the only function that clears + /// the number of ops completed as part of the + /// operation. Please ensure you copy this value via + /// \c psa_sign_hash_get_num_ops() if required + /// before calling. + /// + /// \note Aborting an operation frees all associated + /// resources except for the \p operation structure + /// itself. Once aborted, the operation object can + /// be reused for another operation by calling \c + /// psa_sign_hash_start() again. + /// + /// \note You may call this function any time after the + /// operation object has been initialized. In + /// particular, calling \c psa_sign_hash_abort() + /// after the operation has already been terminated + /// by a call to \c psa_sign_hash_abort() or + /// psa_sign_hash_complete() is safe. + /// + /// \param[in,out] operation Initialized sign hash operation. + /// + /// \retval #PSA_SUCCESS + /// The operation was aborted successfully. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash_abort( + operation: *mut psa_sign_hash_interruptible_operation_t, + ) -> psa_status_t; } -impl Default for mbedtls_ecjpake_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Start reading and verifying a hash or short + /// message, in an interruptible manner. + /// + /// \see \c psa_verify_hash_complete() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_verify_hash_complete() is equivalent to + /// \c psa_verify_hash() but \c + /// psa_verify_hash_complete() can return early and + /// resume according to the limit set with \c + /// psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function. + /// + /// \note Users should call \c psa_verify_hash_complete() + /// repeatedly on the same operation object after a + /// successful call to this function until \c + /// psa_verify_hash_complete() either returns 0 or + /// an error. \c psa_verify_hash_complete() will + /// return #PSA_OPERATION_INCOMPLETE if there is + /// more work to do. Alternatively users can call + /// \c psa_verify_hash_abort() at any point if they + /// no longer want the result. + /// + /// \note If this function returns an error status, the + /// operation enters an error state and must be + /// aborted by calling \c psa_verify_hash_abort(). + /// + /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \param key Identifier of the key to use for the operation. + /// The key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_HASH. + /// \param alg A signature algorithm (\c PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash whose signature is to be verified. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param signature_length Size of the \p signature buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The operation started successfully - please call \c + /// psa_verify_hash_complete() with the same context to complete the + /// operation. + /// + /// \retval #PSA_ERROR_BAD_STATE + /// Another operation has already been started on this context, and is + /// still in progress. + /// + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does + /// not permit the requested algorithm. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash_start( + operation: *mut psa_verify_hash_interruptible_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Initialize an ECJPAKE context. + /// \brief Continue and eventually complete the action of + /// reading and verifying a hash or short message + /// signed with a private key, in an interruptible + /// manner. /// - /// \param ctx The ECJPAKE context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_ecjpake_init(ctx: *mut mbedtls_ecjpake_context); -} -unsafe extern "C" { - /// \brief Set up an ECJPAKE context for use. + /// \see \c psa_verify_hash_start() /// - /// \note Currently the only values for hash/curve allowed by the - /// standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. /// - /// \param ctx The ECJPAKE context to set up. This must be initialized. - /// \param role The role of the caller. This must be either - /// #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. - /// \param hash The identifier of the hash function to use, - /// for example #MBEDTLS_MD_SHA256. - /// \param curve The identifier of the elliptic curve to use, - /// for example #MBEDTLS_ECP_DP_SECP256R1. - /// \param secret The pre-shared secret (passphrase). This must be - /// a readable not empty buffer of length \p len Bytes. It need - /// only be valid for the duration of this call. - /// \param len The length of the pre-shared secret \p secret. + /// \note This function combined with \c + /// psa_verify_hash_start() is equivalent to + /// \c psa_verify_hash() but this function can + /// return early and resume according to the limit + /// set with \c psa_interruptible_set_max_ops() to + /// reduce the maximum time spent in a function + /// call. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_setup( - ctx: *mut mbedtls_ecjpake_context, - role: mbedtls_ecjpake_role, - hash: mbedtls_md_type_t, - curve: mbedtls_ecp_group_id, - secret: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Set the point format for future reads and writes. + /// \note Users should call this function on the same + /// operation object repeatedly until it either + /// returns 0 or an error. This function will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_verify_hash_abort() at any point if they + /// no longer want the result. /// - /// \param ctx The ECJPAKE context to configure. - /// \param point_format The point format to use: - /// #MBEDTLS_ECP_PF_UNCOMPRESSED (default) - /// or #MBEDTLS_ECP_PF_COMPRESSED. + /// \note When this function returns successfully, the + /// operation becomes inactive. If this function + /// returns an error status, the operation enters an + /// error state and must be aborted by calling + /// \c psa_verify_hash_abort(). /// - /// \return \c 0 if successful. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format - /// is invalid. - pub fn mbedtls_ecjpake_set_point_format( - ctx: *mut mbedtls_ecjpake_context, - point_format: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Check if an ECJPAKE context is ready for use. + /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + /// to use. This must be initialized first, and have + /// had \c psa_verify_hash_start() called with it + /// first. /// - /// \param ctx The ECJPAKE context to check. This must be - /// initialized. + /// \retval #PSA_SUCCESS + /// Operation completed successfully, and the passed signature is valid. /// - /// \return \c 0 if the context is ready for use. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. - pub fn mbedtls_ecjpake_check(ctx: *const mbedtls_ecjpake_context) -> ::core::ffi::c_int; + /// \retval #PSA_OPERATION_INCOMPLETE + /// Operation was interrupted due to the setting of \c + /// psa_interruptible_set_max_ops(). There is still work to be done. + /// Call this function again with the same operation object. + /// + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed + /// signature is not a valid signature. + /// \retval #PSA_ERROR_BAD_STATE + /// An operation was not previously started on this context via + /// \c psa_verify_hash_start(). + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has either not been previously initialized by + /// psa_crypto_init() or you did not previously call + /// psa_verify_hash_start() on this object. It is + /// implementation-dependent whether a failure to initialize results in + /// this error code. + pub fn psa_verify_hash_complete( + operation: *mut psa_verify_hash_interruptible_operation_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Generate and write the first round message - /// (TLS: contents of the Client/ServerHello extension, - /// excluding extension type and length bytes). + /// \brief Abort a verify hash operation. /// - /// \param ctx The ECJPAKE context to use. This must be - /// initialized and set up. - /// \param buf The buffer to write the contents to. This must be a - /// writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number - /// of Bytes written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// \warning This is a beta API, and thus subject to change at + /// any point. It is not bound by the usual interface + /// stability promises. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_round_one( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Read and process the first round message - /// (TLS: contents of the Client/ServerHello extension, - /// excluding extension type and length bytes). + /// \note This function is the only function that clears the + /// number of ops completed as part of the operation. + /// Please ensure you copy this value via + /// \c psa_verify_hash_get_num_ops() if required + /// before calling. /// - /// \param ctx The ECJPAKE context to use. This must be initialized - /// and set up. - /// \param buf The buffer holding the first round message. This must - /// be a readable buffer of length \p len Bytes. - /// \param len The length in Bytes of \p buf. + /// \note Aborting an operation frees all associated + /// resources except for the operation structure + /// itself. Once aborted, the operation object can be + /// reused for another operation by calling \c + /// psa_verify_hash_start() again. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_read_round_one( - ctx: *mut mbedtls_ecjpake_context, - buf: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \note You may call this function any time after the + /// operation object has been initialized. + /// In particular, calling \c psa_verify_hash_abort() + /// after the operation has already been terminated by + /// a call to \c psa_verify_hash_abort() or + /// psa_verify_hash_complete() is safe. + /// + /// \param[in,out] operation Initialized verify hash operation. + /// + /// \retval #PSA_SUCCESS + /// The operation was aborted successfully. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash_abort( + operation: *mut psa_verify_hash_interruptible_operation_t, + ) -> psa_status_t; } +pub type psa_key_handle_t = mbedtls_svc_key_id_t; unsafe extern "C" { - /// \brief Generate and write the second round message - /// (TLS: contents of the Client/ServerKeyExchange). + /// Open a handle to an existing persistent key. /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up, and already have performed round one. - /// \param buf The buffer to write the round two contents to. - /// This must be a writable buffer of length \p len Bytes. - /// \param len The size of \p buf in Bytes. - /// \param olen The address at which to store the total number of Bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// Open a handle to a persistent key. A key is persistent if it was created + /// with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key + /// always has a nonzero key identifier, set with psa_set_key_id() when + /// creating the key. Implementations may provide additional pre-provisioned + /// keys that can be opened with psa_open_key(). Such keys have an application + /// key identifier in the vendor range, as documented in the description of + /// #psa_key_id_t. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_round_two( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// The application must eventually close the handle with psa_close_key() or + /// psa_destroy_key() to release associated resources. If the application dies + /// without calling one of these functions, the implementation should perform + /// the equivalent of a call to psa_close_key(). + /// + /// Some implementations permit an application to open the same key multiple + /// times. If this is successful, each call to psa_open_key() will return a + /// different key handle. + /// + /// \note This API is not part of the PSA Cryptography API Release 1.0.0 + /// specification. It was defined in the 1.0 Beta 3 version of the + /// specification but was removed in the 1.0.0 released version. This API is + /// kept for the time being to not break applications relying on it. It is not + /// deprecated yet but will be in the near future. + /// + /// \note Applications that rely on opening a key multiple times will not be + /// portable to implementations that only permit a single key handle to be + /// opened. See also :ref:\`key-handles\`. + /// + /// + /// \param key The persistent identifier of the key. + /// \param[out] handle On success, a handle to the key. + /// + /// \retval #PSA_SUCCESS + /// Success. The application can now use the value of `*handle` + /// to access the key. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY + /// The implementation does not have sufficient resources to open the + /// key. This can be due to reaching an implementation limit on the + /// number of open keys, the number of open key handles, or available + /// memory. + /// \retval #PSA_ERROR_DOES_NOT_EXIST + /// There is no persistent key with key identifier \p key. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not a valid persistent key identifier. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The specified key exists, but the application does not have the + /// permission to access it. Note that this specification does not + /// define any way to create such a key, but it may be possible + /// through implementation-specific means. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_open_key(key: mbedtls_svc_key_id_t, handle: *mut psa_key_handle_t) -> psa_status_t; } unsafe extern "C" { - /// \brief Read and process the second round message - /// (TLS: contents of the Client/ServerKeyExchange). + /// Close a key handle. /// - /// \param ctx The ECJPAKE context to use. This must be initialized - /// and set up and already have performed round one. - /// \param buf The buffer holding the second round message. This must - /// be a readable buffer of length \p len Bytes. - /// \param len The length in Bytes of \p buf. + /// If the handle designates a volatile key, this will destroy the key material + /// and free all associated resources, just like psa_destroy_key(). /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_read_round_two( - ctx: *mut mbedtls_ecjpake_context, - buf: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Derive the shared secret - /// (TLS: Pre-Master Secret). + /// If this is the last open handle to a persistent key, then closing the handle + /// will free all resources associated with the key in volatile memory. The key + /// data in persistent storage is not affected and can be opened again later + /// with a call to psa_open_key(). /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up and have performed both round one and two. - /// \param buf The buffer to write the derived secret to. This must - /// be a writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number of Bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// Closing the key handle makes the handle invalid, and the key handle + /// must not be used again by the application. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_derive_secret( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write the shared key material to be passed to a Key - /// Derivation Function as described in RFC8236. + /// \note This API is not part of the PSA Cryptography API Release 1.0.0 + /// specification. It was defined in the 1.0 Beta 3 version of the + /// specification but was removed in the 1.0.0 released version. This API is + /// kept for the time being to not break applications relying on it. It is not + /// deprecated yet but will be in the near future. /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up and have performed both round one and two. - /// \param buf The buffer to write the derived secret to. This must - /// be a writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number of bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// \note If the key handle was used to set up an active + /// :ref:\`multipart operation \`, then closing the + /// key handle can cause the multipart operation to fail. Applications should + /// maintain the key handle until after the multipart operation has finished. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_shared_key( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This clears an ECJPAKE context and frees any - /// embedded data structure. + /// \param handle The key handle to close. + /// If this is \c 0, do nothing and return \c PSA_SUCCESS. /// - /// \param ctx The ECJPAKE context to free. This may be \c NULL, - /// in which case this function does nothing. If it is not - /// \c NULL, it must point to an initialized ECJPAKE context. - pub fn mbedtls_ecjpake_free(ctx: *mut mbedtls_ecjpake_context); + /// \retval #PSA_SUCCESS + /// \p handle was a valid handle or \c 0. It is now closed. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p handle is not a valid handle nor \c 0. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_close_key(handle: psa_key_handle_t) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// \brief Library deinitialization. /// - /// \return 0 if successful, or 1 if a test failed - pub fn mbedtls_ecjpake_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_pake_operation_t { - pub private_alg: psa_algorithm_t, - pub private_password: *mut u8, - pub private_password_len: usize, - pub private_role: u8, - pub private_buffer: [u8; 336usize], - pub private_buffer_length: usize, - pub private_buffer_offset: usize, - pub private_ctx: mbedtls_psa_pake_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_pake_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_jpake: mbedtls_ecjpake_context, -} -impl Default for mbedtls_psa_pake_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_pake_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_driver_mac_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_mac_operation_t, -} -impl Default for psa_driver_mac_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_aead_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_aead_operation_t, -} -impl Default for psa_driver_aead_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_sign_hash_interruptible_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_sign_hash_interruptible_operation_t, -} -impl Default for psa_driver_sign_hash_interruptible_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_verify_hash_interruptible_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_verify_hash_interruptible_operation_t, -} -impl Default for psa_driver_verify_hash_interruptible_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_pake_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_pake_operation_t, -} -impl Default for psa_driver_pake_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// This function clears all data associated with the PSA layer, + /// including the whole key store. + /// This function is not thread safe, it wipes every key slot regardless of + /// state and reader count. It should only be called when no slot is in use. + /// + /// This is an Mbed TLS extension. + pub fn mbedtls_psa_crypto_free(); } +/// \brief Statistics about +/// resource consumption related to the PSA keystore. +/// +/// \note The content of this structure is not part of the stable API and ABI +/// of Mbed TLS and may change arbitrarily from version to version. #[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_mac_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_mac_size: u8, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub __bindgen_padding_0: u64, - pub private_ctx: psa_driver_mac_context_t, +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_stats_s { + /// Number of slots containing key material for a volatile key. + pub private_volatile_slots: usize, + /// Number of slots containing key material for a key which is in + /// internal persistent storage. + pub private_persistent_slots: usize, + /// Number of slots containing a reference to a key in a + /// secure element. + pub private_external_slots: usize, + /// Number of slots which are occupied, but do not contain + /// key material yet. + pub private_half_filled_slots: usize, + /// Number of slots that contain cache data. + pub private_cache_slots: usize, + /// Number of slots that are not used for anything. + pub private_empty_slots: usize, + /// Number of slots that are locked. + pub private_locked_slots: usize, + /// Largest key id value among open keys in internal persistent storage. + pub private_max_open_internal_key_id: psa_key_id_t, + /// Largest key id value among open keys in secure elements. + pub private_max_open_external_key_id: psa_key_id_t, } -impl Default for psa_mac_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +/// \brief Statistics about +/// resource consumption related to the PSA keystore. +/// +/// \note The content of this structure is not part of the stable API and ABI +/// of Mbed TLS and may change arbitrarily from version to version. +pub type mbedtls_psa_stats_t = mbedtls_psa_stats_s; +unsafe extern "C" { + /// \brief Get statistics about + /// resource consumption related to the PSA keystore. + /// + /// \note When Mbed TLS is built as part of a service, with isolation + /// between the application and the keystore, the service may or + /// may not expose this function. + pub fn mbedtls_psa_get_stats(stats: *mut mbedtls_psa_stats_t); } -impl psa_mac_operation_s { - #[inline] - pub fn private_is_sign(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_sign(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_sign_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_sign_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_is_sign: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_is_sign: u32 = unsafe { ::core::mem::transmute(private_is_sign) }; - private_is_sign as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// \brief Inject an initial entropy seed for the random generator into + /// secure storage. + /// + /// This function injects data to be used as a seed for the random generator + /// used by the PSA Crypto implementation. On devices that lack a trusted + /// entropy source (preferably a hardware random number generator), + /// the Mbed PSA Crypto implementation uses this value to seed its + /// random generator. + /// + /// On devices without a trusted entropy source, this function must be + /// called exactly once in the lifetime of the device. On devices with + /// a trusted entropy source, calling this function is optional. + /// In all cases, this function may only be called before calling any + /// other function in the PSA Crypto API, including psa_crypto_init(). + /// + /// When this function returns successfully, it populates a file in + /// persistent storage. Once the file has been created, this function + /// can no longer succeed. + /// + /// If any error occurs, this function does not change the system state. + /// You can call this function again after correcting the reason for the + /// error if possible. + /// + /// \warning This function **can** fail! Callers MUST check the return status. + /// + /// \warning If you use this function, you should use it as part of a + /// factory provisioning process. The value of the injected seed + /// is critical to the security of the device. It must be + /// *secret*, *unpredictable* and (statistically) *unique per device*. + /// You should be generate it randomly using a cryptographically + /// secure random generator seeded from trusted entropy sources. + /// You should transmit it securely to the device and ensure + /// that its value is not leaked or stored anywhere beyond the + /// needs of transmitting it from the point of generation to + /// the call of this function, and erase all copies of the value + /// once this function returns. + /// + /// This is an Mbed TLS extension. + /// + /// \note This function is only available on the following platforms: + /// * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled. + /// Note that you must provide compatible implementations of + /// mbedtls_nv_seed_read and mbedtls_nv_seed_write. + /// * In a client-server integration of PSA Cryptography, on the client side, + /// if the server supports this feature. + /// \param[in] seed Buffer containing the seed value to inject. + /// \param[in] seed_size Size of the \p seed buffer. + /// The size of the seed in bytes must be greater + /// or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE + /// and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM + /// in `library/entropy_poll.h` in the Mbed TLS source + /// code. + /// It must be less or equal to + /// #MBEDTLS_ENTROPY_MAX_SEED_SIZE. + /// + /// \retval #PSA_SUCCESS + /// The seed value was injected successfully. The random generator + /// of the PSA Crypto implementation is now ready for use. + /// You may now call psa_crypto_init() and use the PSA Crypto + /// implementation. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p seed_size is out of range. + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// There was a failure reading or writing from storage. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The library has already been initialized. It is no longer + /// possible to call this function. + pub fn mbedtls_psa_inject_entropy(seed: *const u8, seed_size: usize) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_aead_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_alg: psa_algorithm_t, - pub private_key_type: psa_key_type_t, - pub private_ad_remaining: usize, - pub private_body_remaining: usize, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_ctx: psa_driver_aead_context_t, +unsafe extern "C" { + /// External random generator function, implemented by the platform. + /// + /// When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, + /// this function replaces Mbed TLS's entropy and DRBG modules for all + /// random generation triggered via PSA crypto interfaces. + /// + /// \note This random generator must deliver random numbers with cryptographic + /// quality and high performance. It must supply unpredictable numbers + /// with a uniform distribution. The implementation of this function + /// is responsible for ensuring that the random generator is seeded + /// with sufficient entropy. If you have a hardware TRNG which is slow + /// or delivers non-uniform output, declare it as an entropy source + /// with mbedtls_entropy_add_source() instead of enabling this option. + /// + /// \param[in,out] context Pointer to the random generator context. + /// This is all-bits-zero on the first call + /// and preserved between successive calls. + /// \param[out] output Output buffer. On success, this buffer + /// contains random data with a uniform + /// distribution. + /// \param output_size The size of the \p output buffer in bytes. + /// \param[out] output_length On success, set this value to \p output_size. + /// + /// \retval #PSA_SUCCESS + /// Success. The output buffer contains \p output_size bytes of + /// cryptographic-quality random data, and \c *output_length is + /// set to \p output_size. + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + /// The random generator requires extra entropy and there is no + /// way to obtain entropy under current environment conditions. + /// This error should not happen under normal circumstances since + /// this function is responsible for obtaining as much entropy as + /// it needs. However implementations of this function may return + /// #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain + /// entropy without blocking indefinitely. + /// \retval #PSA_ERROR_HARDWARE_FAILURE + /// A failure of the random generator hardware that isn't covered + /// by #PSA_ERROR_INSUFFICIENT_ENTROPY. + pub fn mbedtls_psa_external_get_random( + context: *mut mbedtls_psa_external_random_context_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } -impl Default for psa_aead_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +/// A slot number identifying a key in a driver. +/// +/// Values of this type are used to identify built-in keys. +pub type psa_drv_slot_number_t = u64; +unsafe extern "C" { + /// Check if PSA is capable of handling the specified hash algorithm. + /// + /// This means that PSA core was built with the corresponding PSA_WANT_ALG_xxx + /// set and that psa_crypto_init has already been called. + /// + /// \note When using the built-in version of the PSA core (i.e. + /// #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + /// the state of the driver subsystem, not the algorithm. + /// This might be improved in the future. + /// + /// \param hash_alg The hash algorithm. + /// + /// \return 1 if the PSA can handle \p hash_alg, 0 otherwise. + pub fn psa_can_do_hash(hash_alg: psa_algorithm_t) -> ::core::ffi::c_int; } -impl psa_aead_operation_s { - #[inline] - pub fn private_nonce_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_nonce_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_nonce_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_nonce_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_lengths_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_lengths_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(1usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_lengths_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 1usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_lengths_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 1usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_ad_started(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_ad_started(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(2usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_ad_started_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 2usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_ad_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 2usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_body_started(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(3usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_body_started(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(3usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_body_started_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 3usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_body_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 3usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(4usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(4usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 4usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 4usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_nonce_set: ::core::ffi::c_uint, - private_lengths_set: ::core::ffi::c_uint, - private_ad_started: ::core::ffi::c_uint, - private_body_started: ::core::ffi::c_uint, - private_is_encrypt: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_nonce_set: u32 = unsafe { ::core::mem::transmute(private_nonce_set) }; - private_nonce_set as u64 - }); - __bindgen_bitfield_unit.set(1usize, 1u8, { - let private_lengths_set: u32 = unsafe { ::core::mem::transmute(private_lengths_set) }; - private_lengths_set as u64 - }); - __bindgen_bitfield_unit.set(2usize, 1u8, { - let private_ad_started: u32 = unsafe { ::core::mem::transmute(private_ad_started) }; - private_ad_started as u64 - }); - __bindgen_bitfield_unit.set(3usize, 1u8, { - let private_body_started: u32 = unsafe { ::core::mem::transmute(private_body_started) }; - private_body_started as u64 - }); - __bindgen_bitfield_unit.set(4usize, 1u8, { - let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; - private_is_encrypt as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Tell if PSA is ready for this cipher. + /// + /// \note When using the built-in version of the PSA core (i.e. + /// #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + /// the state of the driver subsystem, not the key type and algorithm. + /// This might be improved in the future. + /// + /// \param key_type The key type. + /// \param cipher_alg The cipher algorithm. + /// + /// \return 1 if the PSA can handle \p cipher_alg, 0 otherwise. + pub fn psa_can_do_cipher( + key_type: psa_key_type_t, + cipher_alg: psa_algorithm_t, + ) -> ::core::ffi::c_int; +} +/// \brief Encoding of the application role of PAKE +/// +/// Encodes the application's role in the algorithm is being executed. For more +/// information see the documentation of individual \c PSA_PAKE_ROLE_XXX +/// constants. +pub type psa_pake_role_t = u8; +/// Encoding of input and output indicators for PAKE. +/// +/// Some PAKE algorithms need to exchange more data than just a single key share. +/// This type is for encoding additional input and output data for such +/// algorithms. +pub type psa_pake_step_t = u8; +/// Encoding of the type of the PAKE's primitive. +/// +/// Values defined by this standard will never be in the range 0x80-0xff. +/// Vendors who define additional types must use an encoding in this range. +/// +/// For more information see the documentation of individual +/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. +pub type psa_pake_primitive_type_t = u8; +/// \brief Encoding of the family of the primitive associated with the PAKE. +/// +/// For more information see the documentation of individual +/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. +pub type psa_pake_family_t = u8; +/// \brief Encoding of the primitive associated with the PAKE. +/// +/// For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. +pub type psa_pake_primitive_t = u32; +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_pake_cipher_suite_s { + pub algorithm: psa_algorithm_t, + pub type_: psa_pake_primitive_type_t, + pub family: psa_pake_family_t, + pub bits: u16, + pub hash: psa_algorithm_t, } #[repr(C)] -#[repr(align(16))] #[derive(Copy, Clone)] -pub struct psa_hkdf_key_derivation_t { - pub private_info: *mut u8, - pub private_info_length: usize, - pub private_offset_in_block: u8, - pub private_block_number: u8, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_output_block: [u8; 64usize], - pub private_prk: [u8; 64usize], - pub __bindgen_padding_0: [u64; 0usize], - pub private_hmac: psa_mac_operation_s, +pub struct psa_crypto_driver_pake_inputs_s { + pub private_password: *mut u8, + pub private_password_len: usize, + pub private_user: *mut u8, + pub private_user_len: usize, + pub private_peer: *mut u8, + pub private_peer_len: usize, + pub private_attributes: psa_key_attributes_t, + pub private_cipher_suite: psa_pake_cipher_suite_s, } -impl Default for psa_hkdf_key_derivation_t { +impl Default for psa_crypto_driver_pake_inputs_s { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -17057,126 +18119,97 @@ impl Default for psa_hkdf_key_derivation_t { } } } -impl psa_hkdf_key_derivation_t { - #[inline] - pub fn private_state(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 2u8) as u32) } - } - #[inline] - pub fn set_private_state(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 2u8, val as u64) - } - } - #[inline] - pub unsafe fn private_state_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 2u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_state_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 2u8, - val as u64, - ) - } - } - #[inline] - pub fn private_info_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_info_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(2usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_info_set_raw(this: *const Self) -> ::core::ffi::c_uint { +pub const psa_crypto_driver_pake_step_PSA_JPAKE_STEP_INVALID: psa_crypto_driver_pake_step = 0; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 1; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 2; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 3; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 4; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 5; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 6; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 7; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 8; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 9; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = + 10; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = + 11; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 12; +pub type psa_crypto_driver_pake_step = ::core::ffi::c_uint; +pub use self::psa_crypto_driver_pake_step as psa_crypto_driver_pake_step_t; +pub const psa_jpake_round_PSA_JPAKE_FIRST: psa_jpake_round = 0; +pub const psa_jpake_round_PSA_JPAKE_SECOND: psa_jpake_round = 1; +pub const psa_jpake_round_PSA_JPAKE_FINISHED: psa_jpake_round = 2; +pub type psa_jpake_round = ::core::ffi::c_uint; +pub use self::psa_jpake_round as psa_jpake_round_t; +pub const psa_jpake_io_mode_PSA_JPAKE_INPUT: psa_jpake_io_mode = 0; +pub const psa_jpake_io_mode_PSA_JPAKE_OUTPUT: psa_jpake_io_mode = 1; +pub type psa_jpake_io_mode = ::core::ffi::c_uint; +pub use self::psa_jpake_io_mode as psa_jpake_io_mode_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_jpake_computation_stage_s { + pub private_round: psa_jpake_round_t, + pub private_io_mode: psa_jpake_io_mode_t, + pub private_inputs: u8, + pub private_outputs: u8, + pub private_step: psa_pake_step_t, +} +impl Default for psa_jpake_computation_stage_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 2usize, - 1u8, - ) as u32) + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() } } - #[inline] - pub unsafe fn set_private_info_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_pake_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_alg: psa_algorithm_t, + pub private_primitive: psa_pake_primitive_t, + pub private_stage: u8, + pub private_computation_stage: psa_pake_operation_s__bindgen_ty_1, + pub private_data: psa_pake_operation_s__bindgen_ty_2, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_pake_operation_s__bindgen_ty_1 { + pub private_dummy: u8, + pub private_jpake: psa_jpake_computation_stage_s, +} +impl Default for psa_pake_operation_s__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 2usize, - 1u8, - val as u64, - ) + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() } } - #[inline] - pub fn new_bitfield_1( - private_state: ::core::ffi::c_uint, - private_info_set: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 2u8, { - let private_state: u32 = unsafe { ::core::mem::transmute(private_state) }; - private_state as u64 - }); - __bindgen_bitfield_unit.set(2usize, 1u8, { - let private_info_set: u32 = unsafe { ::core::mem::transmute(private_info_set) }; - private_info_set as u64 - }); - __bindgen_bitfield_unit - } -} -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_tls12_ecjpake_to_pms_t { - pub private_data: [u8; 32usize], } -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_INIT: - psa_tls12_prf_key_derivation_state_t = 0; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_SEED_SET: - psa_tls12_prf_key_derivation_state_t = 1; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OTHER_KEY_SET: - psa_tls12_prf_key_derivation_state_t = 2; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_KEY_SET: - psa_tls12_prf_key_derivation_state_t = 3; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_LABEL_SET: - psa_tls12_prf_key_derivation_state_t = 4; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OUTPUT: - psa_tls12_prf_key_derivation_state_t = 5; -pub type psa_tls12_prf_key_derivation_state_t = ::core::ffi::c_uint; #[repr(C)] #[derive(Copy, Clone)] -pub struct psa_tls12_prf_key_derivation_s { - pub private_left_in_block: u8, - pub private_block_number: u8, - pub private_state: psa_tls12_prf_key_derivation_state_t, - pub private_secret: *mut u8, - pub private_secret_length: usize, - pub private_seed: *mut u8, - pub private_seed_length: usize, - pub private_label: *mut u8, - pub private_label_length: usize, - pub private_other_secret: *mut u8, - pub private_other_secret_length: usize, - pub private_Ai: [u8; 64usize], - pub private_output_block: [u8; 64usize], +pub union psa_pake_operation_s__bindgen_ty_2 { + pub private_ctx: psa_driver_pake_context_t, + pub private_inputs: psa_crypto_driver_pake_inputs_s, } -impl Default for psa_tls12_prf_key_derivation_s { +impl Default for psa_pake_operation_s__bindgen_ty_2 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for psa_pake_operation_s { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -17185,1462 +18218,1629 @@ impl Default for psa_tls12_prf_key_derivation_s { } } } -pub type psa_tls12_prf_key_derivation_t = psa_tls12_prf_key_derivation_s; -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_key_derivation_s { - pub private_alg: psa_algorithm_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_capacity: usize, - pub __bindgen_padding_0: [u64; 0usize], - pub private_ctx: psa_key_derivation_s__bindgen_ty_1, +/// The type of the data structure for PAKE cipher suites. +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_pake_cipher_suite_t = psa_pake_cipher_suite_s; +/// The type of the state data structure for PAKE operations. +/// +/// Before calling any function on a PAKE operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_pake_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_pake_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, +/// for example: +/// \code +/// psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_pake_operation_init() +/// to the structure, for example: +/// \code +/// psa_pake_operation_t operation; +/// operation = psa_pake_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_pake_operation_t = psa_pake_operation_s; +/// The type of input values for PAKE operations. +pub type psa_crypto_driver_pake_inputs_t = psa_crypto_driver_pake_inputs_s; +/// The type of computation stage for J-PAKE operations. +pub type psa_jpake_computation_stage_t = psa_jpake_computation_stage_s; +unsafe extern "C" { + /// Get the length of the password in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] password_len Password length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Password hasn't been set yet. + pub fn psa_crypto_driver_pake_get_password_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + password_len: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the password from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] buffer Return buffer for password. + /// \param buffer_size Size of the return buffer in bytes. + /// \param[out] buffer_length Actual size of the password in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Password hasn't been set yet. + pub fn psa_crypto_driver_pake_get_password( + inputs: *const psa_crypto_driver_pake_inputs_t, + buffer: *mut u8, + buffer_size: usize, + buffer_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the length of the user id in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] user_len User id length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// User id hasn't been set yet. + pub fn psa_crypto_driver_pake_get_user_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + user_len: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the length of the peer id in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] peer_len Peer id length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Peer id hasn't been set yet. + pub fn psa_crypto_driver_pake_get_peer_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + peer_len: *mut usize, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_key_derivation_s__bindgen_ty_1 { - pub private_dummy: u8, - pub private_hkdf: psa_hkdf_key_derivation_t, - pub private_tls12_prf: psa_tls12_prf_key_derivation_t, - pub private_tls12_ecjpake_to_pms: psa_tls12_ecjpake_to_pms_t, +unsafe extern "C" { + /// Get the user id from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] user_id User id. + /// \param user_id_size Size of \p user_id in bytes. + /// \param[out] user_id_len Size of the user id in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// User id hasn't been set yet. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p user_id is too small. + pub fn psa_crypto_driver_pake_get_user( + inputs: *const psa_crypto_driver_pake_inputs_t, + user_id: *mut u8, + user_id_size: usize, + user_id_len: *mut usize, + ) -> psa_status_t; } -impl Default for psa_key_derivation_s__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Get the peer id from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] peer_id Peer id. + /// \param peer_id_size Size of \p peer_id in bytes. + /// \param[out] peer_id_length Size of the peer id in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Peer id hasn't been set yet. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p peer_id is too small. + pub fn psa_crypto_driver_pake_get_peer( + inputs: *const psa_crypto_driver_pake_inputs_t, + peer_id: *mut u8, + peer_id_size: usize, + peer_id_length: *mut usize, + ) -> psa_status_t; } -impl Default for psa_key_derivation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Get the cipher suite from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] cipher_suite Return buffer for role. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Cipher_suite hasn't been set yet. + pub fn psa_crypto_driver_pake_get_cipher_suite( + inputs: *const psa_crypto_driver_pake_inputs_t, + cipher_suite: *mut psa_pake_cipher_suite_t, + ) -> psa_status_t; } -impl psa_key_derivation_s { - #[inline] - pub fn private_can_output_key(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_can_output_key(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_can_output_key_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_can_output_key_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_can_output_key: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_can_output_key: u32 = - unsafe { ::core::mem::transmute(private_can_output_key) }; - private_can_output_key as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Set the session information for a password-authenticated key exchange. + /// + /// The sequence of operations to set up a password-authenticated key exchange + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_pake_operation_t, e.g. + /// #PSA_PAKE_OPERATION_INIT. + /// -# Call psa_pake_setup() to specify the cipher suite. + /// -# Call \c psa_pake_set_xxx() functions on the operation to complete the + /// setup. The exact sequence of \c psa_pake_set_xxx() functions that needs + /// to be called depends on the algorithm in use. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// A typical sequence of calls to perform a password-authenticated key + /// exchange: + /// -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the + /// key share that needs to be sent to the peer. + /// -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide + /// the key share that was received from the peer. + /// -# Depending on the algorithm additional calls to psa_pake_output() and + /// psa_pake_input() might be necessary. + /// -# Call psa_pake_get_implicit_key() for accessing the shared secret. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// If an error occurs at any step after a call to psa_pake_setup(), + /// the operation will need to be reset by a call to psa_pake_abort(). The + /// application may call psa_pake_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_pake_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A call to psa_pake_abort(). + /// - A successful call to psa_pake_get_implicit_key(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized but not set up yet. + /// \param[in] cipher_suite The cipher suite to use. (A cipher suite fully + /// characterizes a PAKE algorithm and determines + /// the algorithm as well.) + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The algorithm in \p cipher_suite is not a PAKE algorithm, or the + /// PAKE primitive in \p cipher_suite is not compatible with the + /// PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid + /// or not compatible with the PAKE algorithm and primitive. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The algorithm in \p cipher_suite is not a supported PAKE algorithm, + /// or the PAKE primitive in \p cipher_suite is not supported or not + /// compatible with the PAKE algorithm, or the hash algorithm in + /// \p cipher_suite is not supported or not compatible with the PAKE + /// algorithm and primitive. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_setup( + operation: *mut psa_pake_operation_t, + cipher_suite: *const psa_pake_cipher_suite_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_key_policy_s { - pub private_usage: psa_key_usage_t, - pub private_alg: psa_algorithm_t, - pub private_alg2: psa_algorithm_t, +unsafe extern "C" { + /// Set the password for a password-authenticated key exchange from key ID. + /// + /// Call this function when the password, or a value derived from the password, + /// is already present in the key store. + /// + /// \param[in,out] operation The operation object to set the password for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the password hasn't + /// been set yet (psa_pake_set_password_key() + /// hasn't been called yet). + /// \param password Identifier of the key holding the password or a + /// value derived from the password (eg. by a + /// memory-hard function). It must remain valid + /// until the operation terminates. It must be of + /// type #PSA_KEY_TYPE_PASSWORD or + /// #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow + /// the usage #PSA_KEY_USAGE_DERIVE. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p password is not a valid key identifier. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not + /// permit the \p operation's algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or + /// #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with + /// the \p operation's cipher suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size of \p password is not supported with the + /// \p operation's cipher suite. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must have been set up.), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_password_key( + operation: *mut psa_pake_operation_t, + password: mbedtls_svc_key_id_t, + ) -> psa_status_t; } -pub type psa_key_policy_t = psa_key_policy_s; -pub type psa_key_bits_t = u16; -/// A mask of flags that can be stored in key attributes. -/// -/// This type is also used internally to store flags in slots. Internal -/// flags are defined in library/psa_crypto_core.h. Internal flags may have -/// the same value as external flags if they are properly handled during -/// key creation and in psa_get_key_attributes. -pub type psa_key_attributes_flag_t = u16; -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_core_key_attributes_t { - pub private_type: psa_key_type_t, - pub private_bits: psa_key_bits_t, - pub private_lifetime: psa_key_lifetime_t, - pub private_id: mbedtls_svc_key_id_t, - pub private_policy: psa_key_policy_t, - pub private_flags: psa_key_attributes_flag_t, +unsafe extern "C" { + /// Set the user ID for a password-authenticated key exchange. + /// + /// Call this function to set the user ID. For PAKE algorithms that associate a + /// user identifier with each side of the session you need to call + /// psa_pake_set_peer() as well. For PAKE algorithms that associate a single + /// user identifier with the session, call psa_pake_set_user() only. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \note When using the built-in implementation of #PSA_ALG_JPAKE, the user ID + /// must be `"client"` (6-byte string) or `"server"` (6-byte string). + /// Third-party drivers may or may not have this limitation. + /// + /// \param[in,out] operation The operation object to set the user ID for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the user ID hasn't + /// been set (psa_pake_set_user() hasn't been + /// called yet). + /// \param[in] user_id The user ID to authenticate with. + /// \param user_id_len Size of the \p user_id buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p user_id is not valid for the \p operation's algorithm and cipher + /// suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The value of \p user_id is not supported by the implementation. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_user( + operation: *mut psa_pake_operation_t, + user_id: *const u8, + user_id_len: usize, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_key_attributes_s { - pub private_core: psa_core_key_attributes_t, - pub private_domain_parameters: *mut ::core::ffi::c_void, - pub private_domain_parameters_size: usize, +unsafe extern "C" { + /// Set the peer ID for a password-authenticated key exchange. + /// + /// Call this function in addition to psa_pake_set_user() for PAKE algorithms + /// that associate a user identifier with each side of the session. For PAKE + /// algorithms that associate a single user identifier with the session, call + /// psa_pake_set_user() only. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \note When using the built-in implementation of #PSA_ALG_JPAKE, the peer ID + /// must be `"client"` (6-byte string) or `"server"` (6-byte string). + /// Third-party drivers may or may not have this limitation. + /// + /// \param[in,out] operation The operation object to set the peer ID for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the peer ID hasn't + /// been set (psa_pake_set_peer() hasn't been + /// called yet). + /// \param[in] peer_id The peer's ID to authenticate. + /// \param peer_id_len Size of the \p peer_id buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p peer_id is not valid for the \p operation's algorithm and cipher + /// suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The algorithm doesn't associate a second identity with the session. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// Calling psa_pake_set_peer() is invalid with the \p operation's + /// algorithm, the operation state is not valid, or the library has not + /// been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_peer( + operation: *mut psa_pake_operation_t, + peer_id: *const u8, + peer_id_len: usize, + ) -> psa_status_t; } -impl Default for psa_key_attributes_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Set the application role for a password-authenticated key exchange. + /// + /// Not all PAKE algorithms need to differentiate the communicating entities. + /// It is optional to call this function for PAKEs that don't require a role + /// to be specified. For such PAKEs the application role parameter is ignored, + /// or #PSA_PAKE_ROLE_NONE can be passed as \c role. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \param[in,out] operation The operation object to specify the + /// application's role for. It must have been set up + /// by psa_pake_setup() and not yet in use (neither + /// psa_pake_output() nor psa_pake_input() has been + /// called yet). It must be on operation for which + /// the application's role hasn't been specified + /// (psa_pake_set_role() hasn't been called yet). + /// \param role A value of type ::psa_pake_role_t indicating the + /// application's role in the PAKE the algorithm + /// that is being set up. For more information see + /// the documentation of \c PSA_PAKE_ROLE_XXX + /// constants. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The \p role is not a valid PAKE role in the \p operation’s algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The \p role for this algorithm is not supported or is not valid. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_role( + operation: *mut psa_pake_operation_t, + role: psa_pake_role_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Set domain parameters for a key. + /// Get output for a step of a password-authenticated key exchange. /// - /// Some key types require additional domain parameters in addition to - /// the key type identifier and the key size. Use this function instead - /// of psa_set_key_type() when you need to specify domain parameters. + /// Depending on the algorithm being executed, you might need to call this + /// function several times or you might not need to call this at all. /// - /// The format for the required domain parameters varies based on the key type. + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// - /// - For RSA keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY or #PSA_KEY_TYPE_RSA_KEY_PAIR), - /// the domain parameter data consists of the public exponent, - /// represented as a big-endian integer with no leading zeros. - /// This information is used when generating an RSA key pair. - /// When importing a key, the public exponent is read from the imported - /// key data and the exponent recorded in the attribute structure is ignored. - /// As an exception, the public exponent 65537 is represented by an empty - /// byte string. - /// - For DSA keys (#PSA_KEY_TYPE_DSA_PUBLIC_KEY or #PSA_KEY_TYPE_DSA_KEY_PAIR), - /// the `Dss-Params` format as defined by RFC 3279 §2.3.2. - /// ``` - /// Dss-Params ::= SEQUENCE { - /// p INTEGER, - /// q INTEGER, - /// g INTEGER - /// } - /// ``` - /// - For Diffie-Hellman key exchange keys - /// (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or - /// #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM)), the - /// `DomainParameters` format as defined by RFC 3279 §2.3.3. - /// ``` - /// DomainParameters ::= SEQUENCE { - /// p INTEGER, -- odd prime, p=jq +1 - /// g INTEGER, -- generator, g - /// q INTEGER, -- factor of p-1 - /// j INTEGER OPTIONAL, -- subgroup factor - /// validationParams ValidationParams OPTIONAL - /// } - /// ValidationParams ::= SEQUENCE { - /// seed BIT STRING, - /// pgenCounter INTEGER - /// } - /// ``` + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_pake_abort(). /// - /// \note This function may allocate memory or other resources. - /// Once you have called this function on an attribute structure, - /// you must call psa_reset_key_attributes() to free these resources. + /// \param[in,out] operation Active PAKE operation. + /// \param step The step of the algorithm for which the output is + /// requested. + /// \param[out] output Buffer where the output is to be written in the + /// format appropriate for this \p step. Refer to + /// the documentation of the individual + /// \c PSA_PAKE_STEP_XXX constants for more + /// information. + /// \param output_size Size of the \p output buffer in bytes. This must + /// be at least #PSA_PAKE_OUTPUT_SIZE(\c alg, \c + /// primitive, \p output_step) where \c alg and + /// \p primitive are the PAKE algorithm and primitive + /// in the operation's cipher suite, and \p step is + /// the output step. + /// + /// \param[out] output_length On success, the number of bytes of the returned + /// output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p step is not compatible with the operation's algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p step is not supported with the operation's algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and fully set + /// up, and this call must conform to the algorithm's requirements + /// for ordering of input and output steps), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_output( + operation: *mut psa_pake_operation_t, + step: psa_pake_step_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Provide input for a step of a password-authenticated key exchange. + /// + /// Depending on the algorithm being executed, you might need to call this + /// function several times or you might not need to call this at all. + /// + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// - /// \note This is an experimental extension to the interface. It may change - /// in future versions of the library. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_pake_abort(). /// - /// \param[in,out] attributes Attribute structure where the specified domain - /// parameters will be stored. - /// If this function fails, the content of - /// \p attributes is not modified. - /// \param type Key type (a \c PSA_KEY_TYPE_XXX value). - /// \param[in] data Buffer containing the key domain parameters. - /// The content of this buffer is interpreted - /// according to \p type as described above. - /// \param data_length Size of the \p data buffer in bytes. + /// \param[in,out] operation Active PAKE operation. + /// \param step The step for which the input is provided. + /// \param[in] input Buffer containing the input in the format + /// appropriate for this \p step. Refer to the + /// documentation of the individual + /// \c PSA_PAKE_STEP_XXX constants for more + /// information. + /// \param input_length Size of the \p input buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p input_length is not compatible with the \p operation’s algorithm, + /// or the \p input is not valid for the \p operation's algorithm, + /// cipher suite or \p step. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p step p is not supported with the \p operation's algorithm, or the + /// \p input is not supported for the \p operation's algorithm, cipher + /// suite or \p step. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - pub fn psa_set_key_domain_parameters( - attributes: *mut psa_key_attributes_t, - type_: psa_key_type_t, - data: *const u8, - data_length: usize, + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and fully set + /// up, and this call must conform to the algorithm's requirements + /// for ordering of input and output steps), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_input( + operation: *mut psa_pake_operation_t, + step: psa_pake_step_t, + input: *const u8, + input_length: usize, ) -> psa_status_t; } -/// \brief The context for PSA interruptible hash signing. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_sign_hash_interruptible_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_ctx: psa_driver_sign_hash_interruptible_context_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_num_ops: u32, -} -impl Default for psa_sign_hash_interruptible_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl psa_sign_hash_interruptible_operation_s { - #[inline] - pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_error_occurred: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_error_occurred: u32 = - unsafe { ::core::mem::transmute(private_error_occurred) }; - private_error_occurred as u64 - }); - __bindgen_bitfield_unit - } -} -/// \brief The context for PSA interruptible hash verification. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_verify_hash_interruptible_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_ctx: psa_driver_verify_hash_interruptible_context_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_num_ops: u32, -} -impl Default for psa_verify_hash_interruptible_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl psa_verify_hash_interruptible_operation_s { - #[inline] - pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_error_occurred: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_error_occurred: u32 = - unsafe { ::core::mem::transmute(private_error_occurred) }; - private_error_occurred as u64 - }); - __bindgen_bitfield_unit - } -} -pub type psa_key_handle_t = mbedtls_svc_key_id_t; unsafe extern "C" { - /// Open a handle to an existing persistent key. - /// - /// Open a handle to a persistent key. A key is persistent if it was created - /// with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key - /// always has a nonzero key identifier, set with psa_set_key_id() when - /// creating the key. Implementations may provide additional pre-provisioned - /// keys that can be opened with psa_open_key(). Such keys have an application - /// key identifier in the vendor range, as documented in the description of - /// #psa_key_id_t. + /// Get implicitly confirmed shared secret from a PAKE. /// - /// The application must eventually close the handle with psa_close_key() or - /// psa_destroy_key() to release associated resources. If the application dies - /// without calling one of these functions, the implementation should perform - /// the equivalent of a call to psa_close_key(). + /// At this point there is a cryptographic guarantee that only the authenticated + /// party who used the same password is able to compute the key. But there is no + /// guarantee that the peer is the party it claims to be and was able to do so. /// - /// Some implementations permit an application to open the same key multiple - /// times. If this is successful, each call to psa_open_key() will return a - /// different key handle. + /// That is, the authentication is only implicit. Since the peer is not + /// authenticated yet, no action should be taken yet that assumes that the peer + /// is who it claims to be. For example, do not access restricted files on the + /// peer's behalf until an explicit authentication has succeeded. /// - /// \note This API is not part of the PSA Cryptography API Release 1.0.0 - /// specification. It was defined in the 1.0 Beta 3 version of the - /// specification but was removed in the 1.0.0 released version. This API is - /// kept for the time being to not break applications relying on it. It is not - /// deprecated yet but will be in the near future. + /// This function can be called after the key exchange phase of the operation + /// has completed. It imports the shared secret output of the PAKE into the + /// provided derivation operation. The input step + /// #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key + /// material in the key derivation operation. /// - /// \note Applications that rely on opening a key multiple times will not be - /// portable to implementations that only permit a single key handle to be - /// opened. See also :ref:\`key-handles\`. + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// + /// When this function returns successfully, \p operation becomes inactive. + /// If this function returns an error status, both \p operation + /// and \c key_derivation operations enter an error state and must be aborted by + /// calling psa_pake_abort() and psa_key_derivation_abort() respectively. /// - /// \param key The persistent identifier of the key. - /// \param[out] handle On success, a handle to the key. + /// \param[in,out] operation Active PAKE operation. + /// \param[out] output A key derivation operation that is ready + /// for an input step of type + /// #PSA_KEY_DERIVATION_INPUT_SECRET. /// /// \retval #PSA_SUCCESS - /// Success. The application can now use the value of `*handle` - /// to access the key. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY - /// The implementation does not have sufficient resources to open the - /// key. This can be due to reaching an implementation limit on the - /// number of open keys, the number of open key handles, or available - /// memory. - /// \retval #PSA_ERROR_DOES_NOT_EXIST - /// There is no persistent key with key identifier \p key. + /// Success. /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not a valid persistent key identifier. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The specified key exists, but the application does not have the - /// permission to access it. Note that this specification does not - /// define any way to create such a key, but it may be possible - /// through implementation-specific means. + /// #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the + /// algorithm in the \p output key derivation operation. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// Input from a PAKE is not supported by the algorithm in the \p output + /// key derivation operation. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The PAKE operation state is not valid (it must be active, but beyond + /// that validity is specific to the algorithm), or + /// the library has not been previously initialized by psa_crypto_init(), + /// or the state of \p output is not valid for + /// the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the + /// step is out of order or the application has done this step already + /// and it may not be repeated. /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_open_key(key: mbedtls_svc_key_id_t, handle: *mut psa_key_handle_t) -> psa_status_t; + pub fn psa_pake_get_implicit_key( + operation: *mut psa_pake_operation_t, + output: *mut psa_key_derivation_operation_t, + ) -> psa_status_t; } unsafe extern "C" { - /// Close a key handle. - /// - /// If the handle designates a volatile key, this will destroy the key material - /// and free all associated resources, just like psa_destroy_key(). - /// - /// If this is the last open handle to a persistent key, then closing the handle - /// will free all resources associated with the key in volatile memory. The key - /// data in persistent storage is not affected and can be opened again later - /// with a call to psa_open_key(). + /// Abort a PAKE operation. /// - /// Closing the key handle makes the handle invalid, and the key handle - /// must not be used again by the application. + /// Aborting an operation frees all associated resources except for the \c + /// operation structure itself. Once aborted, the operation object can be reused + /// for another operation by calling psa_pake_setup() again. /// - /// \note This API is not part of the PSA Cryptography API Release 1.0.0 - /// specification. It was defined in the 1.0 Beta 3 version of the - /// specification but was removed in the 1.0.0 released version. This API is - /// kept for the time being to not break applications relying on it. It is not - /// deprecated yet but will be in the near future. + /// This function may be called at any time after the operation + /// object has been initialized as described in #psa_pake_operation_t. /// - /// \note If the key handle was used to set up an active - /// :ref:\`multipart operation \`, then closing the - /// key handle can cause the multipart operation to fail. Applications should - /// maintain the key handle until after the multipart operation has finished. + /// In particular, calling psa_pake_abort() after the operation has been + /// terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() + /// is safe and has no effect. /// - /// \param handle The key handle to close. - /// If this is \c 0, do nothing and return \c PSA_SUCCESS. + /// \param[in,out] operation The operation to abort. /// /// \retval #PSA_SUCCESS - /// \p handle was a valid handle or \c 0. It is now closed. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p handle is not a valid handle nor \c 0. + /// Success. /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_close_key(handle: psa_key_handle_t) -> psa_status_t; + pub fn psa_pake_abort(operation: *mut psa_pake_operation_t) -> psa_status_t; } -unsafe extern "C" { - /// \brief Library deinitialization. +pub const mbedtls_pk_type_t_MBEDTLS_PK_NONE: mbedtls_pk_type_t = 0; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA: mbedtls_pk_type_t = 1; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY: mbedtls_pk_type_t = 2; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY_DH: mbedtls_pk_type_t = 3; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECDSA: mbedtls_pk_type_t = 4; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA_ALT: mbedtls_pk_type_t = 5; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSASSA_PSS: mbedtls_pk_type_t = 6; +pub const mbedtls_pk_type_t_MBEDTLS_PK_OPAQUE: mbedtls_pk_type_t = 7; +/// \brief Public key types +pub type mbedtls_pk_type_t = ::core::ffi::c_uint; +/// \brief Options for RSASSA-PSS signature verification. +/// See \c mbedtls_rsa_rsassa_pss_verify_ext() +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_rsassa_pss_options { + /// The digest to use for MGF1 in PSS. /// - /// This function clears all data associated with the PSA layer, - /// including the whole key store. + /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is + /// disabled, this must be equal to the \c md_alg argument passed + /// to mbedtls_pk_verify_ext(). In a future version of the library, + /// this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is + /// enabled regardless of the status of #MBEDTLS_RSA_C. + pub mgf1_hash_id: mbedtls_md_type_t, + /// The expected length of the salt, in bytes. This may be + /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. /// - /// This is an Mbed TLS extension. - pub fn mbedtls_psa_crypto_free(); + /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only + /// #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be + /// ignored (allowing any salt length). + pub expected_salt_len: ::core::ffi::c_int, } -/// \brief Statistics about -/// resource consumption related to the PSA keystore. -/// -/// \note The content of this structure is not part of the stable API and ABI -/// of Mbed Crypto and may change arbitrarily from version to version. +impl Default for mbedtls_pk_rsassa_pss_options { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_NONE: mbedtls_pk_debug_type = 0; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_MPI: mbedtls_pk_debug_type = 1; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_ECP: mbedtls_pk_debug_type = 2; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_PSA_EC: mbedtls_pk_debug_type = 3; +/// \brief Types for interfacing with the debug module +pub type mbedtls_pk_debug_type = ::core::ffi::c_uint; +/// \brief Item to send to the debug module #[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_stats_s { - /// Number of slots containing key material for a volatile key. - pub private_volatile_slots: usize, - /// Number of slots containing key material for a key which is in - /// internal persistent storage. - pub private_persistent_slots: usize, - /// Number of slots containing a reference to a key in a - /// secure element. - pub private_external_slots: usize, - /// Number of slots which are occupied, but do not contain - /// key material yet. - pub private_half_filled_slots: usize, - /// Number of slots that contain cache data. - pub private_cache_slots: usize, - /// Number of slots that are not used for anything. - pub private_empty_slots: usize, - /// Number of slots that are locked. - pub private_locked_slots: usize, - /// Largest key id value among open keys in internal persistent storage. - pub private_max_open_internal_key_id: psa_key_id_t, - /// Largest key id value among open keys in secure elements. - pub private_max_open_external_key_id: psa_key_id_t, +#[derive(Copy, Clone)] +pub struct mbedtls_pk_debug_item { + pub private_type: mbedtls_pk_debug_type, + pub private_name: *const ::core::ffi::c_char, + pub private_value: *mut ::core::ffi::c_void, } -/// \brief Statistics about -/// resource consumption related to the PSA keystore. -/// -/// \note The content of this structure is not part of the stable API and ABI -/// of Mbed Crypto and may change arbitrarily from version to version. -pub type mbedtls_psa_stats_t = mbedtls_psa_stats_s; -unsafe extern "C" { - /// \brief Get statistics about - /// resource consumption related to the PSA keystore. - /// - /// \note When Mbed Crypto is built as part of a service, with isolation - /// between the application and the keystore, the service may or - /// may not expose this function. - pub fn mbedtls_psa_get_stats(stats: *mut mbedtls_psa_stats_t); +impl Default for mbedtls_pk_debug_item { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief Inject an initial entropy seed for the random generator into - /// secure storage. - /// - /// This function injects data to be used as a seed for the random generator - /// used by the PSA Crypto implementation. On devices that lack a trusted - /// entropy source (preferably a hardware random number generator), - /// the Mbed PSA Crypto implementation uses this value to seed its - /// random generator. - /// - /// On devices without a trusted entropy source, this function must be - /// called exactly once in the lifetime of the device. On devices with - /// a trusted entropy source, calling this function is optional. - /// In all cases, this function may only be called before calling any - /// other function in the PSA Crypto API, including psa_crypto_init(). - /// - /// When this function returns successfully, it populates a file in - /// persistent storage. Once the file has been created, this function - /// can no longer succeed. - /// - /// If any error occurs, this function does not change the system state. - /// You can call this function again after correcting the reason for the - /// error if possible. - /// - /// \warning This function **can** fail! Callers MUST check the return status. - /// - /// \warning If you use this function, you should use it as part of a - /// factory provisioning process. The value of the injected seed - /// is critical to the security of the device. It must be - /// *secret*, *unpredictable* and (statistically) *unique per device*. - /// You should be generate it randomly using a cryptographically - /// secure random generator seeded from trusted entropy sources. - /// You should transmit it securely to the device and ensure - /// that its value is not leaked or stored anywhere beyond the - /// needs of transmitting it from the point of generation to - /// the call of this function, and erase all copies of the value - /// once this function returns. - /// - /// This is an Mbed TLS extension. - /// - /// \note This function is only available on the following platforms: - /// * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled. - /// Note that you must provide compatible implementations of - /// mbedtls_nv_seed_read and mbedtls_nv_seed_write. - /// * In a client-server integration of PSA Cryptography, on the client side, - /// if the server supports this feature. - /// \param[in] seed Buffer containing the seed value to inject. - /// \param[in] seed_size Size of the \p seed buffer. - /// The size of the seed in bytes must be greater - /// or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE - /// and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM - /// in `library/entropy_poll.h` in the Mbed TLS source - /// code. - /// It must be less or equal to - /// #MBEDTLS_ENTROPY_MAX_SEED_SIZE. - /// - /// \retval #PSA_SUCCESS - /// The seed value was injected successfully. The random generator - /// of the PSA Crypto implementation is now ready for use. - /// You may now call psa_crypto_init() and use the PSA Crypto - /// implementation. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p seed_size is out of range. - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// There was a failure reading or writing from storage. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The library has already been initialized. It is no longer - /// possible to call this function. - pub fn mbedtls_psa_inject_entropy(seed: *const u8, seed_size: usize) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_info_t { + _unused: [u8; 0], } -unsafe extern "C" { - /// \brief Get domain parameters for a key. - /// - /// Get the domain parameters for a key with this function, if any. The format - /// of the domain parameters written to \p data is specified in the - /// documentation for psa_set_key_domain_parameters(). - /// - /// \note This is an experimental extension to the interface. It may change - /// in future versions of the library. - /// - /// \param[in] attributes The key attribute structure to query. - /// \param[out] data On success, the key domain parameters. - /// \param data_size Size of the \p data buffer in bytes. - /// The buffer is guaranteed to be large - /// enough if its size in bytes is at least - /// the value given by - /// PSA_KEY_DOMAIN_PARAMETERS_SIZE(). - /// \param[out] data_length On success, the number of bytes - /// that make up the key domain parameters data. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - pub fn psa_get_key_domain_parameters( - attributes: *const psa_key_attributes_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; +/// \brief Public key container +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_context { + ///< Public key information + pub private_pk_info: *const mbedtls_pk_info_t, + ///< Underlying public key context + pub private_pk_ctx: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_pk_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } +pub type mbedtls_pk_restart_ctx = ::core::ffi::c_void; +/// \brief Types for RSA-alt abstraction +pub type mbedtls_pk_rsa_alt_decrypt_func = ::core::option::Option< + unsafe extern "C" fn( + ctx: *mut ::core::ffi::c_void, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, + ) -> ::core::ffi::c_int, +>; +pub type mbedtls_pk_rsa_alt_sign_func = ::core::option::Option< + unsafe extern "C" fn( + ctx: *mut ::core::ffi::c_void, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int, +>; +pub type mbedtls_pk_rsa_alt_key_len_func = + ::core::option::Option usize>; unsafe extern "C" { - /// Convert an ECC curve identifier from the PSA encoding to Mbed TLS. - /// - /// \note This function is provided solely for the convenience of - /// Mbed TLS and may be removed at any time without notice. + /// \brief Return information associated with the given PK type /// - /// \param curve A PSA elliptic curve identifier - /// (`PSA_ECC_FAMILY_xxx`). - /// \param bits The bit-length of a private key on \p curve. - /// \param bits_is_sloppy If true, \p bits may be the bit-length rounded up - /// to the nearest multiple of 8. This allows the caller - /// to infer the exact curve from the length of a key - /// which is supplied as a byte string. + /// \param pk_type PK type to search for. /// - /// \return The corresponding Mbed TLS elliptic curve identifier - /// (`MBEDTLS_ECP_DP_xxx`). - /// \return #MBEDTLS_ECP_DP_NONE if \c curve is not recognized. - /// \return #MBEDTLS_ECP_DP_NONE if \p bits is not - /// correct for \p curve. - pub fn mbedtls_ecc_group_of_psa( - curve: psa_ecc_family_t, - bits: usize, - bits_is_sloppy: ::core::ffi::c_int, - ) -> mbedtls_ecp_group_id; + /// \return The PK info associated with the type or NULL if not found. + pub fn mbedtls_pk_info_from_type(pk_type: mbedtls_pk_type_t) -> *const mbedtls_pk_info_t; } unsafe extern "C" { - /// External random generator function, implemented by the platform. - /// - /// When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, - /// this function replaces Mbed TLS's entropy and DRBG modules for all - /// random generation triggered via PSA crypto interfaces. - /// - /// \note This random generator must deliver random numbers with cryptographic - /// quality and high performance. It must supply unpredictable numbers - /// with a uniform distribution. The implementation of this function - /// is responsible for ensuring that the random generator is seeded - /// with sufficient entropy. If you have a hardware TRNG which is slow - /// or delivers non-uniform output, declare it as an entropy source - /// with mbedtls_entropy_add_source() instead of enabling this option. - /// - /// \param[in,out] context Pointer to the random generator context. - /// This is all-bits-zero on the first call - /// and preserved between successive calls. - /// \param[out] output Output buffer. On success, this buffer - /// contains random data with a uniform - /// distribution. - /// \param output_size The size of the \p output buffer in bytes. - /// \param[out] output_length On success, set this value to \p output_size. + /// \brief Initialize a #mbedtls_pk_context (as NONE). /// - /// \retval #PSA_SUCCESS - /// Success. The output buffer contains \p output_size bytes of - /// cryptographic-quality random data, and \c *output_length is - /// set to \p output_size. - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - /// The random generator requires extra entropy and there is no - /// way to obtain entropy under current environment conditions. - /// This error should not happen under normal circumstances since - /// this function is responsible for obtaining as much entropy as - /// it needs. However implementations of this function may return - /// #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain - /// entropy without blocking indefinitely. - /// \retval #PSA_ERROR_HARDWARE_FAILURE - /// A failure of the random generator hardware that isn't covered - /// by #PSA_ERROR_INSUFFICIENT_ENTROPY. - pub fn mbedtls_psa_external_get_random( - context: *mut mbedtls_psa_external_random_context_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_pk_init(ctx: *mut mbedtls_pk_context); } -/// A slot number identifying a key in a driver. -/// -/// Values of this type are used to identify built-in keys. -pub type psa_drv_slot_number_t = u64; -/// \brief Encoding of the application role of PAKE -/// -/// Encodes the application's role in the algorithm is being executed. For more -/// information see the documentation of individual \c PSA_PAKE_ROLE_XXX -/// constants. -pub type psa_pake_role_t = u8; -/// Encoding of input and output indicators for PAKE. -/// -/// Some PAKE algorithms need to exchange more data than just a single key share. -/// This type is for encoding additional input and output data for such -/// algorithms. -pub type psa_pake_step_t = u8; -/// Encoding of the type of the PAKE's primitive. -/// -/// Values defined by this standard will never be in the range 0x80-0xff. -/// Vendors who define additional types must use an encoding in this range. -/// -/// For more information see the documentation of individual -/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. -pub type psa_pake_primitive_type_t = u8; -/// \brief Encoding of the family of the primitive associated with the PAKE. -/// -/// For more information see the documentation of individual -/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. -pub type psa_pake_family_t = u8; -/// \brief Encoding of the primitive associated with the PAKE. -/// -/// For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. -pub type psa_pake_primitive_t = u32; -/// The type of the data structure for PAKE cipher suites. -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_pake_cipher_suite_t = psa_pake_cipher_suite_s; -/// The type of the state data structure for PAKE operations. -/// -/// Before calling any function on a PAKE operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_pake_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_pake_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, -/// for example: -/// \code -/// psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_pake_operation_init() -/// to the structure, for example: -/// \code -/// psa_pake_operation_t operation; -/// operation = psa_pake_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_pake_operation_t = psa_pake_operation_s; -/// The type of input values for PAKE operations. -pub type psa_crypto_driver_pake_inputs_t = psa_crypto_driver_pake_inputs_s; -/// The type of computation stage for J-PAKE operations. -pub type psa_jpake_computation_stage_t = psa_jpake_computation_stage_s; unsafe extern "C" { - /// Get the length of the password in bytes from given inputs. + /// \brief Free the components of a #mbedtls_pk_context. /// - /// \param[in] inputs Operation inputs. - /// \param[out] password_len Password length. + /// \param ctx The context to clear. It must have been initialized. + /// If this is \c NULL, this function does nothing. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Password hasn't been set yet. - pub fn psa_crypto_driver_pake_get_password_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - password_len: *mut usize, - ) -> psa_status_t; + /// \note For contexts that have been set up with + /// mbedtls_pk_setup_opaque(), this does not free the underlying + /// PSA key and you still need to call psa_destroy_key() + /// independently if you want to destroy that key. + pub fn mbedtls_pk_free(ctx: *mut mbedtls_pk_context); } unsafe extern "C" { - /// Get the password from given inputs. - /// - /// \param[in] inputs Operation inputs. - /// \param[out] buffer Return buffer for password. - /// \param buffer_size Size of the return buffer in bytes. - /// \param[out] buffer_length Actual size of the password in bytes. + /// \brief Initialize a PK context with the information given + /// and allocates the type-specific PK subcontext. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Password hasn't been set yet. - pub fn psa_crypto_driver_pake_get_password( - inputs: *const psa_crypto_driver_pake_inputs_t, - buffer: *mut u8, - buffer_size: usize, - buffer_length: *mut usize, - ) -> psa_status_t; -} -unsafe extern "C" { - /// Get the role from given inputs. + /// \param ctx Context to initialize. It must not have been set + /// up yet (type #MBEDTLS_PK_NONE). + /// \param info Information to use /// - /// \param[in] inputs Operation inputs. - /// \param[out] role Return buffer for role. + /// \return 0 on success, + /// MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input, + /// MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Role hasn't been set yet. - pub fn psa_crypto_driver_pake_get_role( - inputs: *const psa_crypto_driver_pake_inputs_t, - role: *mut psa_pake_role_t, - ) -> psa_status_t; + /// \note For contexts holding an RSA-alt key, use + /// \c mbedtls_pk_setup_rsa_alt() instead. + pub fn mbedtls_pk_setup( + ctx: *mut mbedtls_pk_context, + info: *const mbedtls_pk_info_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the length of the user id in bytes from given inputs. + /// \brief Initialize an RSA-alt context /// - /// \param[in] inputs Operation inputs. - /// \param[out] user_len User id length. + /// \param ctx Context to initialize. It must not have been set + /// up yet (type #MBEDTLS_PK_NONE). + /// \param key RSA key pointer + /// \param decrypt_func Decryption function + /// \param sign_func Signing function + /// \param key_len_func Function returning key length in bytes /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// User id hasn't been set yet. - pub fn psa_crypto_driver_pake_get_user_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - user_len: *mut usize, - ) -> psa_status_t; + /// \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the + /// context wasn't already initialized as RSA_ALT. + /// + /// \note This function replaces \c mbedtls_pk_setup() for RSA-alt. + pub fn mbedtls_pk_setup_rsa_alt( + ctx: *mut mbedtls_pk_context, + key: *mut ::core::ffi::c_void, + decrypt_func: mbedtls_pk_rsa_alt_decrypt_func, + sign_func: mbedtls_pk_rsa_alt_sign_func, + key_len_func: mbedtls_pk_rsa_alt_key_len_func, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the length of the peer id in bytes from given inputs. + /// \brief Get the size in bits of the underlying key /// - /// \param[in] inputs Operation inputs. - /// \param[out] peer_len Peer id length. + /// \param ctx The context to query. It must have been initialized. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Peer id hasn't been set yet. - pub fn psa_crypto_driver_pake_get_peer_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - peer_len: *mut usize, - ) -> psa_status_t; + /// \return Key size in bits, or 0 on error + pub fn mbedtls_pk_get_bitlen(ctx: *const mbedtls_pk_context) -> usize; } unsafe extern "C" { - /// Get the user id from given inputs. + /// \brief Tell if a context can do the operation given by type /// - /// \param[in] inputs Operation inputs. - /// \param[out] user_id User id. - /// \param user_id_size Size of \p user_id in bytes. - /// \param[out] user_id_len Size of the user id in bytes. + /// \param ctx The context to query. It must have been initialized. + /// \param type The desired type. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// User id hasn't been set yet. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p user_id is too small. - pub fn psa_crypto_driver_pake_get_user( - inputs: *const psa_crypto_driver_pake_inputs_t, - user_id: *mut u8, - user_id_size: usize, - user_id_len: *mut usize, - ) -> psa_status_t; + /// \return 1 if the context can do operations on the given type. + /// \return 0 if the context cannot do the operations on the given + /// type. This is always the case for a context that has + /// been initialized but not set up, or that has been + /// cleared with mbedtls_pk_free(). + pub fn mbedtls_pk_can_do( + ctx: *const mbedtls_pk_context, + type_: mbedtls_pk_type_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the peer id from given inputs. + /// \brief Determine valid PSA attributes that can be used to + /// import a key into PSA. /// - /// \param[in] inputs Operation inputs. - /// \param[out] peer_id Peer id. - /// \param peer_id_size Size of \p peer_id in bytes. - /// \param[out] peer_id_length Size of the peer id in bytes. + /// The attributes determined by this function are suitable + /// for calling mbedtls_pk_import_into_psa() to create + /// a PSA key with the same key material. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Peer id hasn't been set yet. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p peer_id is too small. - pub fn psa_crypto_driver_pake_get_peer( - inputs: *const psa_crypto_driver_pake_inputs_t, - peer_id: *mut u8, - peer_id_size: usize, - peer_id_length: *mut usize, - ) -> psa_status_t; + /// The typical flow of operations involving this function is + /// ``` + /// psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + /// int ret = mbedtls_pk_get_psa_attributes(pk, &attributes); + /// if (ret != 0) ...; // error handling omitted + /// // Tweak attributes if desired + /// psa_key_id_t key_id = 0; + /// ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id); + /// if (ret != 0) ...; // error handling omitted + /// ``` + /// + /// \note This function does not support RSA-alt contexts + /// (set up with mbedtls_pk_setup_rsa_alt()). + /// + /// \param[in] pk The PK context to use. It must have been set up. + /// It can either contain a key pair or just a public key. + /// \param usage A single `PSA_KEY_USAGE_xxx` flag among the following: + /// - #PSA_KEY_USAGE_DECRYPT: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_ENCRYPT as well as + /// #PSA_KEY_USAGE_DECRYPT. + /// - #PSA_KEY_USAGE_DERIVE: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type. + /// - #PSA_KEY_USAGE_ENCRYPT: The output + /// \p attributes will contain a public key type. + /// - #PSA_KEY_USAGE_SIGN_HASH: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_VERIFY_HASH as well as + /// #PSA_KEY_USAGE_SIGN_HASH. + /// - #PSA_KEY_USAGE_SIGN_MESSAGE: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_VERIFY_MESSAGE as well as + /// #PSA_KEY_USAGE_SIGN_MESSAGE. + /// - #PSA_KEY_USAGE_VERIFY_HASH: The output + /// \p attributes will contain a public key type. + /// - #PSA_KEY_USAGE_VERIFY_MESSAGE: The output + /// \p attributes will contain a public key type. + /// \param[out] attributes + /// On success, valid attributes to import the key into PSA. + /// - The lifetime and key identifier are unchanged. If the + /// attribute structure was initialized or reset before + /// calling this function, this will result in a volatile + /// key. Call psa_set_key_identifier() before or after this + /// function if you wish to create a persistent key. Call + /// psa_set_key_lifetime() before or after this function if + /// you wish to import the key in a secure element. + /// - The key type and bit-size are determined by the contents + /// of the PK context. If the PK context contains a key + /// pair, the key type can be either a key pair type or + /// the corresponding public key type, depending on + /// \p usage. If the PK context contains a public key, + /// the key type is a public key type. + /// - The key's policy is determined by the key type and + /// the \p usage parameter. The usage always allows + /// \p usage, exporting and copying the key, and + /// possibly other permissions as documented for the + /// \p usage parameter. + /// The permitted algorithm policy is determined as follows + /// based on the #mbedtls_pk_type_t type of \p pk, + /// the chosen \p usage and other factors: + /// - #MBEDTLS_PK_RSA whose underlying + /// #mbedtls_rsa_context has the padding mode + /// #MBEDTLS_RSA_PKCS_V15: + /// #PSA_ALG_RSA_PKCS1V15_SIGN(#PSA_ALG_ANY_HASH) + /// if \p usage is SIGN/VERIFY, and + /// #PSA_ALG_RSA_PKCS1V15_CRYPT + /// if \p usage is ENCRYPT/DECRYPT. + /// - #MBEDTLS_PK_RSA whose underlying + /// #mbedtls_rsa_context has the padding mode + /// #MBEDTLS_RSA_PKCS_V21 and the digest type + /// corresponding to the PSA algorithm \c hash: + /// #PSA_ALG_RSA_PSS_ANY_SALT(#PSA_ALG_ANY_HASH) + /// if \p usage is SIGN/VERIFY, and + /// #PSA_ALG_RSA_OAEP(\c hash) + /// if \p usage is ENCRYPT/DECRYPT. + /// - #MBEDTLS_PK_RSA_ALT: not supported. + /// - #MBEDTLS_PK_ECDSA or #MBEDTLS_PK_ECKEY + /// if \p usage is SIGN/VERIFY: + /// #PSA_ALG_DETERMINISTIC_ECDSA(#PSA_ALG_ANY_HASH) + /// if #MBEDTLS_ECDSA_DETERMINISTIC is enabled, + /// otherwise #PSA_ALG_ECDSA(#PSA_ALG_ANY_HASH). + /// - #MBEDTLS_PK_ECKEY_DH or #MBEDTLS_PK_ECKEY + /// if \p usage is DERIVE: + /// #PSA_ALG_ECDH. + /// - #MBEDTLS_PK_OPAQUE: same as the primary algorithm + /// set for the underlying PSA key, except that + /// sign/decrypt flags are removed if the type is + /// set to a public key type. + /// The underlying key must allow \p usage. + /// Note that the enrollment algorithm set with + /// psa_set_key_enrollment_algorithm() is not copied. + /// + /// \return 0 on success. + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + /// a key of the type identified in \p attributes. + /// Another error code on other failures. + pub fn mbedtls_pk_get_psa_attributes( + pk: *const mbedtls_pk_context, + usage: psa_key_usage_t, + attributes: *mut psa_key_attributes_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the cipher suite from given inputs. - /// - /// \param[in] inputs Operation inputs. - /// \param[out] cipher_suite Return buffer for role. + /// \brief Import a key into the PSA key store. + /// + /// This function is equivalent to calling psa_import_key() + /// with the key material from \p pk. + /// + /// The typical way to use this function is: + /// -# Call mbedtls_pk_get_psa_attributes() to obtain + /// attributes for the given key. + /// -# If desired, modify the attributes, for example: + /// - To create a persistent key, call + /// psa_set_key_identifier() and optionally + /// psa_set_key_lifetime(). + /// - To import only the public part of a key pair: + /// + /// psa_set_key_type(&attributes, + /// PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( + /// psa_get_key_type(&attributes))); + /// - Restrict the key usage if desired. + /// -# Call mbedtls_pk_import_into_psa(). + /// + /// \note This function does not support RSA-alt contexts + /// (set up with mbedtls_pk_setup_rsa_alt()). + /// + /// \param[in] pk The PK context to use. It must have been set up. + /// It can either contain a key pair or just a public key. + /// \param[in] attributes + /// The attributes to use for the new key. They must be + /// compatible with \p pk. In particular, the key type + /// must match the content of \p pk. + /// If \p pk contains a key pair, the key type in + /// attributes can be either the key pair type or the + /// corresponding public key type (to import only the + /// public part). + /// \param[out] key_id + /// On success, the identifier of the newly created key. + /// On error, this is #MBEDTLS_SVC_KEY_ID_INIT. + /// + /// \return 0 on success. + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + /// a key of the type identified in \p attributes. + /// Another error code on other failures. + pub fn mbedtls_pk_import_into_psa( + pk: *const mbedtls_pk_context, + attributes: *const psa_key_attributes_t, + key_id: *mut mbedtls_svc_key_id_t, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Create a PK context starting from a key stored in PSA. + /// This key: + /// - must be exportable and + /// - must be an RSA or EC key pair or public key (FFDH is not supported in PK). + /// + /// The resulting PK object will be a transparent type: + /// - #MBEDTLS_PK_RSA for RSA keys or + /// - #MBEDTLS_PK_ECKEY for EC keys. + /// + /// Once this functions returns the PK object will be completely + /// independent from the original PSA key that it was generated + /// from. + /// Calling mbedtls_pk_sign(), mbedtls_pk_verify(), + /// mbedtls_pk_encrypt(), mbedtls_pk_decrypt() on the resulting + /// PK context will perform the corresponding algorithm for that + /// PK context type. + /// * For ECDSA, the choice of deterministic vs randomized will + /// be based on the compile-time setting #MBEDTLS_ECDSA_DETERMINISTIC. + /// * For an RSA key, the output PK context will allow both + /// encrypt/decrypt and sign/verify regardless of the original + /// key's policy. + /// The original key's policy determines the output key's padding + /// mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS, + /// otherwise PKCS1 v1.5 is set. + /// + /// \param key_id The key identifier of the key stored in PSA. + /// \param pk The PK context that will be filled. It must be initialized, + /// but not set up. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Cipher_suite hasn't been set yet. - pub fn psa_crypto_driver_pake_get_cipher_suite( - inputs: *const psa_crypto_driver_pake_inputs_t, - cipher_suite: *mut psa_pake_cipher_suite_t, - ) -> psa_status_t; + /// \return 0 on success. + /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input + /// parameters are not correct. + pub fn mbedtls_pk_copy_from_psa( + key_id: mbedtls_svc_key_id_t, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the session information for a password-authenticated key exchange. + /// \brief Create a PK context for the public key of a PSA key. /// - /// The sequence of operations to set up a password-authenticated key exchange - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_pake_operation_t, e.g. - /// #PSA_PAKE_OPERATION_INIT. - /// -# Call psa_pake_setup() to specify the cipher suite. - /// -# Call \c psa_pake_set_xxx() functions on the operation to complete the - /// setup. The exact sequence of \c psa_pake_set_xxx() functions that needs - /// to be called depends on the algorithm in use. + /// The key must be an RSA or ECC key. It can be either a + /// public key or a key pair, and only the public key is copied. + /// The resulting PK object will be a transparent type: + /// - #MBEDTLS_PK_RSA for RSA keys or + /// - #MBEDTLS_PK_ECKEY for EC keys. /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// Once this functions returns the PK object will be completely + /// independent from the original PSA key that it was generated + /// from. + /// Calling mbedtls_pk_verify() or + /// mbedtls_pk_encrypt() on the resulting + /// PK context will perform the corresponding algorithm for that + /// PK context type. /// - /// A typical sequence of calls to perform a password-authenticated key - /// exchange: - /// -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the - /// key share that needs to be sent to the peer. - /// -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide - /// the key share that was received from the peer. - /// -# Depending on the algorithm additional calls to psa_pake_output() and - /// psa_pake_input() might be necessary. - /// -# Call psa_pake_get_implicit_key() for accessing the shared secret. + /// For an RSA key, the output PK context will allow both + /// encrypt and verify regardless of the original key's policy. + /// The original key's policy determines the output key's padding + /// mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS, + /// otherwise PKCS1 v1.5 is set. /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \param key_id The key identifier of the key stored in PSA. + /// \param pk The PK context that will be filled. It must be initialized, + /// but not set up. /// - /// If an error occurs at any step after a call to psa_pake_setup(), - /// the operation will need to be reset by a call to psa_pake_abort(). The - /// application may call psa_pake_abort() at any time after the operation - /// has been initialized. + /// \return 0 on success. + /// \return MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input + /// parameters are not correct. + pub fn mbedtls_pk_copy_public_from_psa( + key_id: mbedtls_svc_key_id_t, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Verify signature (including padding if relevant). /// - /// After a successful call to psa_pake_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A call to psa_pake_abort(). - /// - A successful call to psa_pake_get_implicit_key(). + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used. + /// This can be #MBEDTLS_MD_NONE if the signature algorithm + /// does not rely on a hash algorithm (non-deterministic + /// ECDSA, RSA PKCS#1 v1.5). + /// For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then + /// \p hash is the DigestInfo structure used by RFC 8017 + /// §9.2 steps 3–6. If \p md_alg is a valid hash + /// algorithm then \p hash is the digest itself, and this + /// function calculates the DigestInfo encoding internally. + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Signature to verify + /// \param sig_len Signature length /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized but not set up yet. - /// \param[in] cipher_suite The cipher suite to use. (A cipher suite fully - /// characterizes a PAKE algorithm and determines - /// the algorithm as well.) + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or PSS (accepting any salt length), + /// depending on the padding mode in the underlying RSA context. + /// For a pk object constructed by parsing, this is PKCS#1 v1.5 + /// by default. Use mbedtls_pk_verify_ext() to explicitly select + /// a different algorithm. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The algorithm in \p cipher_suite is not a PAKE algorithm, or the - /// PAKE primitive in \p cipher_suite is not compatible with the - /// PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid - /// or not compatible with the PAKE algorithm and primitive. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The algorithm in \p cipher_suite is not a supported PAKE algorithm, - /// or the PAKE primitive in \p cipher_suite is not supported or not - /// compatible with the PAKE algorithm, or the hash algorithm in - /// \p cipher_suite is not supported or not compatible with the PAKE - /// algorithm and primitive. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_setup( - operation: *mut psa_pake_operation_t, - cipher_suite: *const psa_pake_cipher_suite_t, - ) -> psa_status_t; + /// \return 0 on success (signature is valid), + /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig but its length is less than \p sig_len, + /// or a specific error code. + pub fn mbedtls_pk_verify( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the password for a password-authenticated key exchange from key ID. + /// \brief Restartable version of \c mbedtls_pk_verify() /// - /// Call this function when the password, or a value derived from the password, - /// is already present in the key store. + /// \note Performs the same job as \c mbedtls_pk_verify(), but can + /// return early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC + /// operations. For RSA, same as \c mbedtls_pk_verify(). /// - /// \param[in,out] operation The operation object to set the password for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the password hasn't - /// been set yet (psa_pake_set_password_key() - /// hasn't been called yet). - /// \param password Identifier of the key holding the password or a - /// value derived from the password (eg. by a - /// memory-hard function). It must remain valid - /// until the operation terminates. It must be of - /// type #PSA_KEY_TYPE_PASSWORD or - /// #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow - /// the usage #PSA_KEY_USAGE_DERIVE. + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length or 0 (see notes) + /// \param sig Signature to verify + /// \param sig_len Signature length + /// \param rs_ctx Restart context (NULL to disable restart) /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p password is not a valid key identifier. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not - /// permit the \p operation's algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or - /// #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with - /// the \p operation's cipher suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size of \p password is not supported with the - /// \p operation's cipher suite. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must have been set up.), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_password_key( - operation: *mut psa_pake_operation_t, - password: mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return See \c mbedtls_pk_verify(), or + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + pub fn mbedtls_pk_verify_restartable( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + rs_ctx: *mut mbedtls_pk_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Verify signature, with options. + /// (Includes verification of the padding depending on type.) + /// + /// \param type Signature type (inc. possible padding type) to verify + /// \param options Pointer to type-specific options, or NULL + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length or 0 (see notes) + /// \param sig Signature to verify + /// \param sig_len Signature length + /// + /// \return 0 on success (signature is valid), + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be + /// used for this type of signatures, + /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig but its length is less than \p sig_len, + /// or a specific error code. + /// + /// \note If hash_len is 0, then the length associated with md_alg + /// is used instead, or an error returned if it is invalid. + /// + /// \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0 + /// + /// \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point + /// to a mbedtls_pk_rsassa_pss_options structure, + /// otherwise it must be NULL. Note that if + /// #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not + /// verified as PSA_ALG_RSA_PSS_ANY_SALT is used. + pub fn mbedtls_pk_verify_ext( + type_: mbedtls_pk_type_t, + options: *const ::core::ffi::c_void, + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the user ID for a password-authenticated key exchange. + /// \brief Make signature, including padding if relevant. /// - /// Call this function to set the user ID. For PAKE algorithms that associate a - /// user identifier with each side of the session you need to call - /// psa_pake_set_peer() as well. For PAKE algorithms that associate a single - /// user identifier with the session, call psa_pake_set_user() only. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or PSS (using the largest possible salt + /// length up to the hash length), depending on the padding mode + /// in the underlying RSA context. For a pk object constructed + /// by parsing, this is PKCS#1 v1.5 by default. Use + /// mbedtls_pk_verify_ext() to explicitly select a different + /// algorithm. /// - /// \param[in,out] operation The operation object to set the user ID for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the user ID hasn't - /// been set (psa_pake_set_user() hasn't been - /// called yet). - /// \param[in] user_id The user ID to authenticate with. - /// (temporary limitation: "client" or "server" only) - /// \param user_id_len Size of the \p user_id buffer in bytes. + /// \return 0 on success, or a specific error code. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p user_id is not valid for the \p operation's algorithm and cipher - /// suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The value of \p user_id is not supported by the implementation. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_user( - operation: *mut psa_pake_operation_t, - user_id: *const u8, - user_id_len: usize, - ) -> psa_status_t; + /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. + /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. + pub fn mbedtls_pk_sign( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the peer ID for a password-authenticated key exchange. + /// \brief Make signature given a signature type. /// - /// Call this function in addition to psa_pake_set_user() for PAKE algorithms - /// that associate a user identifier with each side of the session. For PAKE - /// algorithms that associate a single user identifier with the session, call - /// psa_pake_set_user() only. + /// \param pk_type Signature type. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \return 0 on success, or a specific error code. /// - /// \param[in,out] operation The operation object to set the peer ID for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the peer ID hasn't - /// been set (psa_pake_set_peer() hasn't been - /// called yet). - /// \param[in] peer_id The peer's ID to authenticate. - /// (temporary limitation: "client" or "server" only) - /// \param peer_id_len Size of the \p peer_id buffer in bytes. + /// \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS, + /// see #PSA_ALG_RSA_PSS for a description of PSS options used. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p user_id is not valid for the \p operation's algorithm and cipher - /// suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The algorithm doesn't associate a second identity with the session. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// Calling psa_pake_set_peer() is invalid with the \p operation's - /// algorithm, the operation state is not valid, or the library has not - /// been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_peer( - operation: *mut psa_pake_operation_t, - peer_id: *const u8, - peer_id_len: usize, - ) -> psa_status_t; + /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. + /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. + pub fn mbedtls_pk_sign_ext( + pk_type: mbedtls_pk_type_t, + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the application role for a password-authenticated key exchange. + /// \brief Restartable version of \c mbedtls_pk_sign() /// - /// Not all PAKE algorithms need to differentiate the communicating entities. - /// It is optional to call this function for PAKEs that don't require a role - /// to be specified. For such PAKEs the application role parameter is ignored, - /// or #PSA_PAKE_ROLE_NONE can be passed as \c role. + /// \note Performs the same job as \c mbedtls_pk_sign(), but can + /// return early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC + /// operations. For RSA, same as \c mbedtls_pk_sign(). /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign()) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter + /// \param rs_ctx Restart context (NULL to disable restart) /// - /// \param[in,out] operation The operation object to specify the - /// application's role for. It must have been set up - /// by psa_pake_setup() and not yet in use (neither - /// psa_pake_output() nor psa_pake_input() has been - /// called yet). It must be on operation for which - /// the application's role hasn't been specified - /// (psa_pake_set_role() hasn't been called yet). - /// \param role A value of type ::psa_pake_role_t indicating the - /// application's role in the PAKE the algorithm - /// that is being set up. For more information see - /// the documentation of \c PSA_PAKE_ROLE_XXX - /// constants. + /// \return See \c mbedtls_pk_sign(). + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + pub fn mbedtls_pk_sign_restartable( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_pk_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Decrypt message (including padding if relevant). /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The \p role is not a valid PAKE role in the \p operation’s algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The \p role for this algorithm is not supported or is not valid. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_role( - operation: *mut psa_pake_operation_t, - role: psa_pake_role_t, - ) -> psa_status_t; + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param input Input to decrypt + /// \param ilen Input size + /// \param output Decrypted output + /// \param olen Decrypted message length + /// \param osize Size of the output buffer + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter + /// + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or OAEP, depending on the padding mode in + /// the underlying RSA context. For a pk object constructed by + /// parsing, this is PKCS#1 v1.5 by default. + /// + /// \return 0 on success, or a specific error code. + pub fn mbedtls_pk_decrypt( + ctx: *mut mbedtls_pk_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + osize: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get output for a step of a password-authenticated key exchange. + /// \brief Encrypt message (including padding if relevant). /// - /// Depending on the algorithm being executed, you might need to call this - /// function several times or you might not need to call this at all. + /// \param ctx The PK context to use. It must have been set up. + /// \param input Message to encrypt + /// \param ilen Message size + /// \param output Encrypted output + /// \param olen Encrypted output length + /// \param osize Size of the output buffer + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or OAEP, depending on the padding mode in + /// the underlying RSA context. For a pk object constructed by + /// parsing, this is PKCS#1 v1.5 by default. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_pake_abort(). + /// \note \p f_rng is used for padding generation. /// - /// \param[in,out] operation Active PAKE operation. - /// \param step The step of the algorithm for which the output is - /// requested. - /// \param[out] output Buffer where the output is to be written in the - /// format appropriate for this \p step. Refer to - /// the documentation of the individual - /// \c PSA_PAKE_STEP_XXX constants for more - /// information. - /// \param output_size Size of the \p output buffer in bytes. This must - /// be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \p - /// primitive, \p step) where \p alg and - /// \p primitive are the PAKE algorithm and primitive - /// in the operation's cipher suite, and \p step is - /// the output step. + /// \return 0 on success, or a specific error code. + pub fn mbedtls_pk_encrypt( + ctx: *mut mbedtls_pk_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + osize: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Check if a public-private pair of keys matches. /// - /// \param[out] output_length On success, the number of bytes of the returned - /// output. + /// \param pub Context holding a public key. + /// \param prv Context holding a private (and public) key. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p step is not compatible with the operation's algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p step is not supported with the operation's algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and fully set - /// up, and this call must conform to the algorithm's requirements - /// for ordering of input and output steps), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_output( - operation: *mut psa_pake_operation_t, - step: psa_pake_step_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success (keys were checked and match each other). + /// \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not + /// be checked - in that case they may or may not match. + /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid. + /// \return Another non-zero value if the keys do not match. + pub fn mbedtls_pk_check_pair( + pub_: *const mbedtls_pk_context, + prv: *const mbedtls_pk_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Provide input for a step of a password-authenticated key exchange. + /// \brief Export debug information /// - /// Depending on the algorithm being executed, you might need to call this - /// function several times or you might not need to call this at all. + /// \param ctx The PK context to use. It must have been initialized. + /// \param items Place to write debug items /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA + pub fn mbedtls_pk_debug( + ctx: *const mbedtls_pk_context, + items: *mut mbedtls_pk_debug_item, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Access the type name /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_pake_abort(). + /// \param ctx The PK context to use. It must have been initialized. /// - /// \param[in,out] operation Active PAKE operation. - /// \param step The step for which the input is provided. - /// \param[in] input Buffer containing the input in the format - /// appropriate for this \p step. Refer to the - /// documentation of the individual - /// \c PSA_PAKE_STEP_XXX constants for more - /// information. - /// \param input_length Size of the \p input buffer in bytes. + /// \return Type name on success, or "invalid PK" + pub fn mbedtls_pk_get_name(ctx: *const mbedtls_pk_context) -> *const ::core::ffi::c_char; +} +unsafe extern "C" { + /// \brief Get the key type /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p is not compatible with the \p operation’s algorithm, or the - /// \p input is not valid for the \p operation's algorithm, cipher suite - /// or \p step. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p step p is not supported with the \p operation's algorithm, or the - /// \p input is not supported for the \p operation's algorithm, cipher - /// suite or \p step. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and fully set - /// up, and this call must conform to the algorithm's requirements - /// for ordering of input and output steps), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_input( - operation: *mut psa_pake_operation_t, - step: psa_pake_step_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \param ctx The PK context to use. It must have been initialized. + /// + /// \return Type on success. + /// \return #MBEDTLS_PK_NONE for a context that has not been set up. + pub fn mbedtls_pk_get_type(ctx: *const mbedtls_pk_context) -> mbedtls_pk_type_t; } unsafe extern "C" { - /// Get implicitly confirmed shared secret from a PAKE. + /// \ingroup pk_module */ + ////** + /// \brief Parse a private key in PEM or DER format /// - /// At this point there is a cryptographic guarantee that only the authenticated - /// party who used the same password is able to compute the key. But there is no - /// guarantee that the peer is the party it claims to be and was able to do so. + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. /// - /// That is, the authentication is only implicit. Since the peer is not - /// authenticated yet, no action should be taken yet that assumes that the peer - /// is who it claims to be. For example, do not access restricted files on the - /// peer's behalf until an explicit authentication has succeeded. + /// \param ctx The PK context to fill. It must have been initialized + /// but not set up. + /// \param key Input buffer to parse. + /// The buffer must contain the input exactly, with no + /// extra trailing material. For PEM, the buffer must + /// contain a null-terminated string. + /// \param keylen Size of \b key in bytes. + /// For PEM data, this includes the terminating null byte, + /// so \p keylen must be equal to `strlen(key) + 1`. + /// \param pwd Optional password for decryption. + /// Pass \c NULL if expecting a non-encrypted key. + /// Pass a string of \p pwdlen bytes if expecting an encrypted + /// key; a non-encrypted key will also be accepted. + /// The empty password is not supported. + /// \param pwdlen Size of the password in bytes. + /// Ignored if \p pwd is \c NULL. + /// \param f_rng RNG function, must not be \c NULL. Used for blinding. + /// \param p_rng RNG parameter /// - /// This function can be called after the key exchange phase of the operation - /// has completed. It imports the shared secret output of the PAKE into the - /// provided derivation operation. The input step - /// #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key - /// material in the key derivation operation. + /// \note On entry, ctx must be empty, either freshly initialised + /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a + /// specific key type, check the result with mbedtls_pk_can_do(). /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \note The key is also checked for correctness. /// - /// When this function returns successfully, \p operation becomes inactive. - /// If this function returns an error status, both \p operation - /// and \p key_derivation operations enter an error state and must be aborted by - /// calling psa_pake_abort() and psa_key_derivation_abort() respectively. + /// \return 0 if successful, or a specific PK or PEM error code + pub fn mbedtls_pk_parse_key( + ctx: *mut mbedtls_pk_context, + key: *const ::core::ffi::c_uchar, + keylen: usize, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \ingroup pk_module */ + ////** + /// \brief Parse a public key in PEM or DER format /// - /// \param[in,out] operation Active PAKE operation. - /// \param[out] output A key derivation operation that is ready - /// for an input step of type - /// #PSA_KEY_DERIVATION_INPUT_SECRET. + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the - /// algorithm in the \p output key derivation operation. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// Input from a PAKE is not supported by the algorithm in the \p output - /// key derivation operation. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The PAKE operation state is not valid (it must be active, but beyond - /// that validity is specific to the algorithm), or - /// the library has not been previously initialized by psa_crypto_init(), - /// or the state of \p output is not valid for - /// the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the - /// step is out of order or the application has done this step already - /// and it may not be repeated. - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_get_implicit_key( - operation: *mut psa_pake_operation_t, - output: *mut psa_key_derivation_operation_t, - ) -> psa_status_t; + /// \param ctx The PK context to fill. It must have been initialized + /// but not set up. + /// \param key Input buffer to parse. + /// The buffer must contain the input exactly, with no + /// extra trailing material. For PEM, the buffer must + /// contain a null-terminated string. + /// \param keylen Size of \b key in bytes. + /// For PEM data, this includes the terminating null byte, + /// so \p keylen must be equal to `strlen(key) + 1`. + /// + /// \note On entry, ctx must be empty, either freshly initialised + /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a + /// specific key type, check the result with mbedtls_pk_can_do(). + /// + /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for + /// limitations. + /// + /// \note The key is also checked for correctness. + /// + /// \return 0 if successful, or a specific PK or PEM error code + pub fn mbedtls_pk_parse_public_key( + ctx: *mut mbedtls_pk_context, + key: *const ::core::ffi::c_uchar, + keylen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a PAKE operation. + /// \brief Write a private key to a PKCS#1 or SEC1 DER structure + /// Note: data is written at the end of the buffer! Use the + /// return value to determine where you should start + /// using the buffer /// - /// Aborting an operation frees all associated resources except for the \c - /// operation structure itself. Once aborted, the operation object can be reused - /// for another operation by calling psa_pake_setup() again. + /// \param ctx PK context which must contain a valid private key. + /// \param buf buffer to write to + /// \param size size of the buffer /// - /// This function may be called at any time after the operation - /// object has been initialized as described in #psa_pake_operation_t. + /// \return length of data written if successful, or a specific + /// error code + pub fn mbedtls_pk_write_key_der( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Write a public key to a SubjectPublicKeyInfo DER structure + /// Note: data is written at the end of the buffer! Use the + /// return value to determine where you should start + /// using the buffer /// - /// In particular, calling psa_pake_abort() after the operation has been - /// terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() - /// is safe and has no effect. + /// \param ctx PK context which must contain a valid public or private key. + /// \param buf buffer to write to + /// \param size size of the buffer /// - /// \param[in,out] operation The operation to abort. + /// \return length of data written if successful, or a specific + /// error code + pub fn mbedtls_pk_write_pubkey_der( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Write a public key to a PEM string /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_abort(operation: *mut psa_pake_operation_t) -> psa_status_t; + /// \param ctx PK context which must contain a valid public or private key. + /// \param buf Buffer to write to. The output includes a + /// terminating null byte. + /// \param size Size of the buffer in bytes. + /// + /// \return 0 if successful, or a specific error code + pub fn mbedtls_pk_write_pubkey_pem( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_pake_cipher_suite_s { - pub algorithm: psa_algorithm_t, - pub type_: psa_pake_primitive_type_t, - pub family: psa_pake_family_t, - pub bits: u16, - pub hash: psa_algorithm_t, +unsafe extern "C" { + /// \brief Write a private key to a PKCS#1 or SEC1 PEM string + /// + /// \param ctx PK context which must contain a valid private key. + /// \param buf Buffer to write to. The output includes a + /// terminating null byte. + /// \param size Size of the buffer in bytes. + /// + /// \return 0 if successful, or a specific error code + pub fn mbedtls_pk_write_key_pem( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_crypto_driver_pake_inputs_s { - pub private_password: *mut u8, - pub private_password_len: usize, - pub private_role: psa_pake_role_t, - pub private_user: *mut u8, - pub private_user_len: usize, - pub private_peer: *mut u8, - pub private_peer_len: usize, - pub private_attributes: psa_key_attributes_t, - pub private_cipher_suite: psa_pake_cipher_suite_t, +unsafe extern "C" { + /// \brief Parse a SubjectPublicKeyInfo DER structure + /// + /// \param p the position in the ASN.1 data + /// \param end end of the buffer + /// \param pk The PK context to fill. It must have been initialized + /// but not set up. + /// + /// \return 0 if successful, or a specific PK error code + pub fn mbedtls_pk_parse_subpubkey( + p: *mut *mut ::core::ffi::c_uchar, + end: *const ::core::ffi::c_uchar, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; } -impl Default for psa_crypto_driver_pake_inputs_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Write a subjectPublicKey to ASN.1 data + /// Note: function works backwards in data buffer + /// + /// \param p reference to current position pointer + /// \param start start of the buffer (for bounds-checking) + /// \param key PK context which must contain a valid public or private key. + /// + /// \return the length written or a negative error code + pub fn mbedtls_pk_write_pubkey( + p: *mut *mut ::core::ffi::c_uchar, + start: *mut ::core::ffi::c_uchar, + key: *const mbedtls_pk_context, + ) -> ::core::ffi::c_int; } -pub const psa_jpake_step_PSA_PAKE_STEP_INVALID: psa_jpake_step = 0; -pub const psa_jpake_step_PSA_PAKE_STEP_X1_X2: psa_jpake_step = 1; -pub const psa_jpake_step_PSA_PAKE_STEP_X2S: psa_jpake_step = 2; -pub const psa_jpake_step_PSA_PAKE_STEP_DERIVE: psa_jpake_step = 3; -pub type psa_jpake_step = ::core::ffi::c_uint; -pub use self::psa_jpake_step as psa_jpake_step_t; -pub const psa_jpake_state_PSA_PAKE_STATE_INVALID: psa_jpake_state = 0; -pub const psa_jpake_state_PSA_PAKE_STATE_SETUP: psa_jpake_state = 1; -pub const psa_jpake_state_PSA_PAKE_STATE_READY: psa_jpake_state = 2; -pub const psa_jpake_state_PSA_PAKE_OUTPUT_X1_X2: psa_jpake_state = 3; -pub const psa_jpake_state_PSA_PAKE_OUTPUT_X2S: psa_jpake_state = 4; -pub const psa_jpake_state_PSA_PAKE_INPUT_X1_X2: psa_jpake_state = 5; -pub const psa_jpake_state_PSA_PAKE_INPUT_X4S: psa_jpake_state = 6; -pub type psa_jpake_state = ::core::ffi::c_uint; -pub use self::psa_jpake_state as psa_jpake_state_t; -pub const psa_jpake_sequence_PSA_PAKE_SEQ_INVALID: psa_jpake_sequence = 0; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_KEY_SHARE: psa_jpake_sequence = 1; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_ZK_PUBLIC: psa_jpake_sequence = 2; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_ZK_PROOF: psa_jpake_sequence = 3; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_KEY_SHARE: psa_jpake_sequence = 4; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_ZK_PUBLIC: psa_jpake_sequence = 5; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_ZK_PROOF: psa_jpake_sequence = 6; -pub const psa_jpake_sequence_PSA_PAKE_SEQ_END: psa_jpake_sequence = 7; -pub type psa_jpake_sequence = ::core::ffi::c_uint; -pub use self::psa_jpake_sequence as psa_jpake_sequence_t; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_STEP_INVALID: psa_crypto_driver_pake_step = 0; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 1; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 2; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 3; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 4; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 5; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 6; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 7; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 8; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 9; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_NONE: mbedtls_key_exchange_type_t = 0; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA: mbedtls_key_exchange_type_t = 1; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_RSA: mbedtls_key_exchange_type_t = 2; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: mbedtls_key_exchange_type_t = + 3; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + mbedtls_key_exchange_type_t = 4; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_PSK: mbedtls_key_exchange_type_t = 5; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_PSK: mbedtls_key_exchange_type_t = 6; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA_PSK: mbedtls_key_exchange_type_t = 7; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: mbedtls_key_exchange_type_t = + 8; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_RSA: mbedtls_key_exchange_type_t = + 9; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: mbedtls_key_exchange_type_t = 10; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECJPAKE: mbedtls_key_exchange_type_t = 11; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 12; -pub type psa_crypto_driver_pake_step = ::core::ffi::c_uint; -pub use self::psa_crypto_driver_pake_step as psa_crypto_driver_pake_step_t; -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_jpake_computation_stage_s { - pub private_state: psa_jpake_state_t, - pub private_sequence: psa_jpake_sequence_t, - pub private_input_step: psa_jpake_step_t, - pub private_output_step: psa_jpake_step_t, -} -impl Default for psa_jpake_computation_stage_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_pake_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_alg: psa_algorithm_t, - pub private_stage: u8, - pub private_computation_stage: psa_pake_operation_s__bindgen_ty_1, - pub private_data: psa_pake_operation_s__bindgen_ty_2, -} +pub type mbedtls_key_exchange_type_t = ::core::ffi::c_uint; +/// \brief This structure is used for storing ciphersuite information +/// +/// \note members are defined using integral types instead of enums +/// in order to pack structure and reduce memory usage by internal +/// \c ciphersuite_definitions[] #[repr(C)] #[derive(Copy, Clone)] -pub union psa_pake_operation_s__bindgen_ty_1 { - pub private_dummy: u8, - pub private_jpake: psa_jpake_computation_stage_t, +pub struct mbedtls_ssl_ciphersuite_t { + pub private_id: ::core::ffi::c_int, + pub private_name: *const ::core::ffi::c_char, + pub private_cipher: u8, + pub private_mac: u8, + pub private_key_exchange: u8, + pub private_flags: u8, + pub private_min_tls_version: u16, + pub private_max_tls_version: u16, } -impl Default for psa_pake_operation_s__bindgen_ty_1 { +impl Default for mbedtls_ssl_ciphersuite_t { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -18649,29 +19849,23 @@ impl Default for psa_pake_operation_s__bindgen_ty_1 { } } } -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_pake_operation_s__bindgen_ty_2 { - pub private_ctx: psa_driver_pake_context_t, - pub private_inputs: psa_crypto_driver_pake_inputs_t, +unsafe extern "C" { + pub fn mbedtls_ssl_list_ciphersuites() -> *const ::core::ffi::c_int; } -impl Default for psa_pake_operation_s__bindgen_ty_2 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_from_string( + ciphersuite_name: *const ::core::ffi::c_char, + ) -> *const mbedtls_ssl_ciphersuite_t; } -impl Default for psa_pake_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_from_id( + ciphersuite_id: ::core::ffi::c_int, + ) -> *const mbedtls_ssl_ciphersuite_t; +} +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( + info: *const mbedtls_ssl_ciphersuite_t, + ) -> usize; } /// Type-length-value structure that allows for ASN1 using DER. pub type mbedtls_x509_buf = mbedtls_asn1_buf; @@ -18682,6 +19876,23 @@ pub type mbedtls_x509_bitstring = mbedtls_asn1_bitstring; pub type mbedtls_x509_name = mbedtls_asn1_named_data; /// Container for a sequence of ASN.1 items pub type mbedtls_x509_sequence = mbedtls_asn1_sequence; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_x509_authority { + pub keyIdentifier: mbedtls_x509_buf, + pub authorityCertIssuer: mbedtls_x509_sequence, + pub authorityCertSerialNumber: mbedtls_x509_buf, + pub raw: mbedtls_x509_buf, +} +impl Default for mbedtls_x509_authority { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} /// Container for date and time (precision in seconds). #[repr(C)] #[derive(Default, Copy, Clone)] @@ -18773,9 +19984,9 @@ pub struct mbedtls_x509_subject_alternative_name { #[repr(C)] #[derive(Copy, Clone)] pub union mbedtls_x509_subject_alternative_name__bindgen_ty_1 { - ///< The otherName supported type. pub other_name: mbedtls_x509_san_other_name, - ///< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported + pub directory_name: mbedtls_x509_name, + ///< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. pub unstructured_name: mbedtls_x509_buf, } impl Default for mbedtls_x509_subject_alternative_name__bindgen_ty_1 { @@ -18796,6 +20007,21 @@ impl Default for mbedtls_x509_subject_alternative_name { } } } +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_x509_san_list { + pub node: mbedtls_x509_subject_alternative_name, + pub next: *mut mbedtls_x509_san_list, +} +impl Default for mbedtls_x509_san_list { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} unsafe extern "C" { /// \brief Store the certificate DN in printable form into buf; /// no more than size characters will be written. @@ -18812,6 +20038,26 @@ unsafe extern "C" { dn: *const mbedtls_x509_name, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Convert the certificate DN string \p name into + /// a linked list of mbedtls_x509_name (equivalent to + /// mbedtls_asn1_named_data). + /// + /// \note This function allocates a linked list, and places the head + /// pointer in \p head. This list must later be freed by a + /// call to mbedtls_asn1_free_named_data_list(). + /// + /// \param[out] head Address in which to store the pointer to the head of the + /// allocated list of mbedtls_x509_name. Must point to NULL on + /// entry. + /// \param[in] name The string representation of a DN to convert + /// + /// \return 0 on success, or a negative error code. + pub fn mbedtls_x509_string_to_names( + head: *mut *mut mbedtls_asn1_named_data, + name: *const ::core::ffi::c_char, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Store the certificate serial in printable form into buf; /// no more than size characters will be written. @@ -18828,6 +20074,20 @@ unsafe extern "C" { serial: *const mbedtls_x509_buf, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Compare pair of mbedtls_x509_time. + /// + /// \param t1 mbedtls_x509_time to compare + /// \param t2 mbedtls_x509_time to compare + /// + /// \return < 0 if t1 is before t2 + /// 0 if t1 equals t2 + /// > 0 if t1 is after t2 + pub fn mbedtls_x509_time_cmp( + t1: *const mbedtls_x509_time, + t2: *const mbedtls_x509_time, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Check a given mbedtls_x509_time against the system time /// and tell if it's in the past. @@ -18856,21 +20116,25 @@ unsafe extern "C" { } unsafe extern "C" { /// \brief This function parses an item in the SubjectAlternativeNames - /// extension. + /// extension. Please note that this function might allocate + /// additional memory for a subject alternative name, thus + /// mbedtls_x509_free_subject_alt_name has to be called + /// to dispose of this additional memory afterwards. /// /// \param san_buf The buffer holding the raw data item of the subject /// alternative name. /// \param san The target structure to populate with the parsed presentation - /// of the subject alternative name encoded in \p san_raw. + /// of the subject alternative name encoded in \p san_buf. /// /// \note Supported GeneralName types, as defined in RFC 5280: - /// "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name" + /// "rfc822Name", "dnsName", "directoryName", + /// "uniformResourceIdentifier" and "hardware_module_name" /// of type "otherName", as defined in RFC 4108. /// /// \note This function should be called on a single raw data of /// subject alternative name. For example, after successful /// certificate parsing, one must iterate on every item in the - /// \p crt->subject_alt_names sequence, and pass it to + /// \c crt->subject_alt_names sequence, and pass it to /// this function. /// /// \warning The target structure contains pointers to the raw data of the @@ -18887,173 +20151,29 @@ unsafe extern "C" { ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \} addtogroup x509_module - pub fn mbedtls_x509_get_name( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - cur: *mut mbedtls_x509_name, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_alg_null( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - alg: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_alg( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - alg: *mut mbedtls_x509_buf, - params: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_rsassa_pss_params( - params: *const mbedtls_x509_buf, - md_alg: *mut mbedtls_md_type_t, - mgf_md: *mut mbedtls_md_type_t, - salt_len: *mut ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_sig( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - sig: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_sig_alg( - sig_oid: *const mbedtls_x509_buf, - sig_params: *const mbedtls_x509_buf, - md_alg: *mut mbedtls_md_type_t, - pk_alg: *mut mbedtls_pk_type_t, - sig_opts: *mut *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_time( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - t: *mut mbedtls_x509_time, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_serial( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - serial: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_ext( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - ext: *mut mbedtls_x509_buf, - tag: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_sig_alg_gets( - buf: *mut ::core::ffi::c_char, - size: usize, - sig_oid: *const mbedtls_x509_buf, - pk_alg: mbedtls_pk_type_t, - md_alg: mbedtls_md_type_t, - sig_opts: *const ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_key_size_helper( - buf: *mut ::core::ffi::c_char, - buf_size: usize, - name: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_string_to_names( - head: *mut *mut mbedtls_asn1_named_data, - name: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_set_extension( - head: *mut *mut mbedtls_asn1_named_data, - oid: *const ::core::ffi::c_char, - oid_len: usize, - critical: ::core::ffi::c_int, - val: *const ::core::ffi::c_uchar, - val_len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_extensions( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - first: *mut mbedtls_asn1_named_data, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_names( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - first: *mut mbedtls_asn1_named_data, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_sig( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - oid: *const ::core::ffi::c_char, - oid_len: usize, - sig: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_ns_cert_type( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - ns_cert_type: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_key_usage( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - key_usage: *mut ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_subject_alt_name( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - subject_alt_name: *mut mbedtls_x509_sequence, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_info_subject_alt_name( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - subject_alt_name: *const mbedtls_x509_sequence, - prefix: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_info_cert_type( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - ns_cert_type: ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \brief Unallocate all data related to subject alternative name + /// + /// \param san SAN structure - extra memory owned by this structure will be freed + pub fn mbedtls_x509_free_subject_alt_name(san: *mut mbedtls_x509_subject_alternative_name); } unsafe extern "C" { - pub fn mbedtls_x509_info_key_usage( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - key_usage: ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; + /// \brief This function parses a CN string as an IP address. + /// + /// \param cn The CN string to parse. CN string MUST be null-terminated. + /// \param dst The target buffer to populate with the binary IP address. + /// The buffer MUST be 16 bytes to save IPv6, and should be + /// 4-byte aligned if the result will be used as struct in_addr. + /// e.g. uint32_t dst[4] + /// + /// \note \p cn is parsed as an IPv6 address if string contains ':', + /// else \p cn is parsed as an IPv4 address. + /// + /// \return Length of binary IP address; num bytes written to target. + /// \return \c 0 on failure to parse CN string as an IP address. + pub fn mbedtls_x509_crt_parse_cn_inet_pton( + cn: *const ::core::ffi::c_char, + dst: *mut ::core::ffi::c_void, + ) -> usize; } /// Certificate revocation list entry. /// Contains the CA-specific serial numbers and revocation dates. @@ -19245,8 +20365,12 @@ pub struct mbedtls_x509_crt { pub subject_id: mbedtls_x509_buf, ///< Optional X.509 v3 extensions. pub v3_ext: mbedtls_x509_buf, - ///< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier and OtherName are listed). + ///< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. pub subject_alt_names: mbedtls_x509_sequence, + ///< Optional X.509 v3 extension subject key identifier. + pub subject_key_id: mbedtls_x509_buf, + ///< Optional X.509 v3 extension authority key identifier. + pub authority_key_id: mbedtls_x509_authority, ///< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). pub certificate_policies: mbedtls_x509_sequence, ///< Bit string containing detected and parsed extensions @@ -19345,6 +20469,22 @@ impl Default for mbedtls_x509write_cert { } } } +unsafe extern "C" { + /// \brief Set Subject Alternative Name + /// + /// \param ctx Certificate context to use + /// \param san_list List of SAN values + /// + /// \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + /// + /// \note "dnsName", "uniformResourceIdentifier", "IP address", + /// "otherName", and "DirectoryName", as defined in RFC 5280, + /// are supported. + pub fn mbedtls_x509write_crt_set_subject_alternative_name( + ctx: *mut mbedtls_x509write_cert, + san_list: *const mbedtls_x509_san_list, + ) -> ::core::ffi::c_int; +} /// Item in a verification chain: cert and flags for it #[repr(C)] #[derive(Copy, Clone)] @@ -19683,8 +20823,12 @@ unsafe extern "C" { /// \param cn The expected Common Name. This will be checked to be /// present in the certificate's subjectAltNames extension or, /// if this extension is absent, as a CN component in its - /// Subject name. Currently only DNS names are supported. This - /// may be \c NULL if the CN need not be verified. + /// Subject name. DNS names and IP addresses are fully + /// supported, while the URI subtype is partially supported: + /// only exact matching, without any normalization procedures + /// described in 7.4 of RFC5280, will result in a positive + /// URI verification. + /// This may be \c NULL if the CN need not be verified. /// \param flags The address at which to store the result of the verification. /// If the verification couldn't be completed, the flag value is /// set to (uint32_t) -1. @@ -19915,6 +21059,16 @@ unsafe extern "C" { /// \param crt Certificate chain to free pub fn mbedtls_x509_crt_free(crt: *mut mbedtls_x509_crt); } +unsafe extern "C" { + /// \brief Access the ca_istrue field + /// + /// \param[in] crt Certificate to be queried, must not be \c NULL + /// + /// \return \c 1 if this a CA certificate \c 0 otherwise. + /// \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not contain + /// the Optional Basic Constraint extension. + pub fn mbedtls_x509_crt_get_ca_istrue(crt: *const mbedtls_x509_crt) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Initialize a CRT writing context /// @@ -19995,7 +21149,7 @@ unsafe extern "C" { /// \brief Set the issuer name for a Certificate /// Issuer names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS CA" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS CA" /// /// \param ctx CRT context to use /// \param issuer_name issuer name to set @@ -20011,7 +21165,7 @@ unsafe extern "C" { /// \brief Set the subject name for a Certificate /// Subject names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1" /// /// \param ctx CRT context to use /// \param subject_name subject name to set @@ -20181,13 +21335,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_cert, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20207,13 +21355,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_cert, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20334,13 +21476,7 @@ unsafe extern "C" { x_size: ::core::ffi::c_int, output: *mut ::core::ffi::c_uchar, olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20413,13 +21549,7 @@ unsafe extern "C" { x_size: ::core::ffi::c_int, output: *mut ::core::ffi::c_uchar, olen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20453,13 +21583,7 @@ unsafe extern "C" { output: *mut ::core::ffi::c_uchar, output_size: usize, olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20490,7 +21614,7 @@ unsafe extern "C" { /// initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p field is invalid. + /// \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p param is invalid. /// \return An \c MBEDTLS_ERR_MPI_XXX error code if the copy fails. pub fn mbedtls_dhm_get_value( ctx: *const mbedtls_dhm_context, @@ -20618,6 +21742,18 @@ impl Default for mbedtls_ecdh_context { } } } +unsafe extern "C" { + /// \brief Return the ECP group for provided context. + /// + /// \note To access group specific fields, users should use + /// `mbedtls_ecp_curve_info_from_grp_id` or + /// `mbedtls_ecp_group_load` on the extracted `group_id`. + /// + /// \param ctx The ECDH context to parse. This must not be \c NULL. + /// + /// \return The \c mbedtls_ecp_group_id of the context. + pub fn mbedtls_ecdh_get_grp_id(ctx: *mut mbedtls_ecdh_context) -> mbedtls_ecp_group_id; +} unsafe extern "C" { /// \brief Check whether a given group can be used for ECDH. /// @@ -20654,13 +21790,7 @@ unsafe extern "C" { grp: *mut mbedtls_ecp_group, d: *mut mbedtls_mpi, Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20699,13 +21829,7 @@ unsafe extern "C" { z: *mut mbedtls_mpi, Q: *const mbedtls_ecp_point, d: *const mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20772,13 +21896,7 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20814,7 +21932,7 @@ unsafe extern "C" { /// \brief This function sets up an ECDH context from an EC key. /// /// It is used by clients and servers in place of the - /// ServerKeyEchange for static ECDH, and imports ECDH + /// ServerKeyExchange for static ECDH, and imports ECDH /// parameters from the EC key information of a certificate. /// /// \see ecp.h @@ -20863,13 +21981,7 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20930,19 +22042,14 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } #[repr(C)] #[derive(Copy, Clone)] pub union mbedtls_ssl_premaster_secret { + pub dummy: ::core::ffi::c_uchar, pub _pms_rsa: [::core::ffi::c_uchar; 48usize], pub _pms_dhm: [::core::ffi::c_uchar; 1024usize], pub _pms_ecdh: [::core::ffi::c_uchar; 66usize], @@ -21214,6 +22321,8 @@ pub struct mbedtls_ssl_session { ///< MaxFragmentLength negotiated by peer pub private_mfl_code: ::core::ffi::c_uchar, pub private_exported: ::core::ffi::c_uchar, + ///< 0: client, 1: server + pub private_endpoint: u8, /// TLS version negotiated in the session. Used if and when renegotiating /// or resuming a session instead of the configured minor TLS version. pub private_tls_version: mbedtls_ssl_protocol_version, @@ -21232,15 +22341,13 @@ pub struct mbedtls_ssl_session { ///< RFC 5077 session ticket pub private_ticket: *mut ::core::ffi::c_uchar, ///< session ticket length - pub private_ticket_len: usize, - ///< ticket lifetime hint - pub private_ticket_lifetime: u32, - ///< 0: client, 1: server - pub private_endpoint: u8, - ///< Ticket flags - pub private_ticket_flags: u8, + pub private_ticket_len: usize, + ///< ticket lifetime hint + pub private_ticket_lifetime: u32, ///< Randomly generated value used to obscure the age of the ticket pub private_ticket_age_add: u32, + ///< Ticket flags + pub private_ticket_flags: u8, ///< resumption_key length pub private_resumption_key_len: u8, pub private_resumption_key: [::core::ffi::c_uchar; 48usize], @@ -21579,22 +22686,30 @@ pub struct mbedtls_ssl_context { ///number of retransmissions of request if ///renego_max_records is < 0 pub private_renego_records_seen: ::core::ffi::c_int, - /// Server: Negotiated TLS protocol version. - /// Client: Maximum TLS version to be negotiated, then negotiated TLS - /// version. - /// - /// It is initialized as the maximum TLS version to be negotiated in the - /// ClientHello writing preparation stage and used throughout the - /// ClientHello writing. For a fresh handshake not linked to any previous - /// handshake, it is initialized to the configured maximum TLS version - /// to be negotiated. When renegotiating or resuming a session, it is - /// initialized to the previously negotiated TLS version. - /// - /// Updated to the negotiated TLS version as soon as the ServerHello is - /// received. + /// Maximum TLS version to be negotiated, then negotiated TLS version. + /// + /// It is initialized as the configured maximum TLS version to be + /// negotiated by mbedtls_ssl_setup(). + /// + /// When renegotiating or resuming a session, it is overwritten in the + /// ClientHello writing preparation stage with the previously negotiated + /// TLS version. + /// + /// On client side, it is updated to the TLS version selected by the server + /// for the handshake when the ServerHello is received. + /// + /// On server side, it is updated to the TLS version the server selects for + /// the handshake when the ClientHello is received. pub private_tls_version: mbedtls_ssl_protocol_version, - ///< records with a bad MAC received - pub private_badmac_seen: ::core::ffi::c_uint, + /// Multipurpose field. + /// + /// - DTLS: records with a bad MAC received. + /// - TLS: accumulated length of handshake fragments (up to \c in_hslen). + /// + /// This field is multipurpose in order to preserve the ABI in the + /// Mbed TLS 3.6 LTS branch. Until 3.6.2, it was only used in DTLS + /// and called `badmac_seen`. + pub private_badmac_seen_or_in_hsfraglen: ::core::ffi::c_uint, /// Callback to customize X.509 certificate chain verification pub private_f_vrfy: ::core::option::Option< unsafe extern "C" fn( @@ -21731,8 +22846,33 @@ pub struct mbedtls_ssl_context { pub private_cur_out_ctr: [::core::ffi::c_uchar; 8usize], ///< path mtu, used to fragment outgoing messages pub private_mtu: u16, - ///< expected peer CN for verification - ///(and SNI if available) + /// Expected peer CN for verification. + /// + /// Also used on clients for SNI, + /// and for TLS 1.3 session resumption using tickets. + /// + /// The value of this field can be: + /// - \p NULL in a newly initialized or reset context. + /// - A heap-allocated copy of the last value passed to + /// mbedtls_ssl_set_hostname(), if the last call had a non-null + /// \p hostname argument. + /// - A special value to indicate that mbedtls_ssl_set_hostname() + /// was called with \p NULL (as opposed to never having been called). + /// See `mbedtls_ssl_get_hostname_pointer()` in `ssl_tls.c`. + /// + /// If this field contains the value \p NULL and the configuration option + /// #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// is unset, on a TLS client, attempting to verify a server certificate + /// results in the error + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME. + /// + /// If this field contains the special value described above, or if + /// the value is \p NULL and the configuration option + /// #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// is set, then the peer name verification is skipped, which may be + /// insecure, especially on a client. Furthermore, on a client, the + /// server_name extension is not sent, and the server name is ignored + /// in TLS 1.3 session resumption using tickets. pub private_hostname: *mut ::core::ffi::c_char, ///< negotiated protocol pub private_alpn_chosen: *const ::core::ffi::c_char, @@ -21828,6 +22968,14 @@ unsafe extern "C" { /// Calling mbedtls_ssl_setup again is not supported, even /// if no session is active. /// + /// \warning After setting up a client context, if certificate-based + /// authentication is enabled, you should call + /// mbedtls_ssl_set_hostname() to specifiy the expected + /// name of the server. Without this, in most scenarios, + /// the TLS connection is insecure. See + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// for more information. + /// /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling /// psa_crypto_init() before calling this function. @@ -21931,18 +23079,16 @@ unsafe extern "C" { unsafe extern "C" { /// \brief Set the random number generator callback /// + /// \note The callback with its parameter must remain valid as + /// long as there is an SSL context that uses the + /// SSL configuration. + /// /// \param conf SSL configuration /// \param f_rng RNG function (mandatory) /// \param p_rng RNG parameter pub fn mbedtls_ssl_conf_rng( conf: *mut mbedtls_ssl_config, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ); } @@ -22045,10 +23191,10 @@ unsafe extern "C" { /// \param own_cid The address of the readable buffer holding the CID we want /// the peer to use when sending encrypted messages to us. /// This may be \c NULL if \p own_cid_len is \c 0. - /// This parameter is unused if \p enabled is set to + /// This parameter is unused if \p enable is set to /// MBEDTLS_SSL_CID_DISABLED. /// \param own_cid_len The length of \p own_cid. - /// This parameter is unused if \p enabled is set to + /// This parameter is unused if \p enable is set to /// MBEDTLS_SSL_CID_DISABLED. /// /// \note The value of \p own_cid_len must match the value of the @@ -22703,16 +23849,16 @@ unsafe extern "C" { /// a full handshake. /// /// \note This function can handle a variety of mechanisms for session - /// resumption: For TLS 1.2, both session ID-based resumption and - /// ticket-based resumption will be considered. For TLS 1.3, - /// once implemented, sessions equate to tickets, and loading - /// one or more sessions via this call will lead to their - /// corresponding tickets being advertised as resumption PSKs - /// by the client. - /// - /// \note Calling this function multiple times will only be useful - /// once TLS 1.3 is supported. For TLS 1.2 connections, this - /// function should be called at most once. + /// resumption: For TLS 1.2, both session ID-based resumption + /// and ticket-based resumption will be considered. For TLS 1.3, + /// sessions equate to tickets, and loading one session by + /// calling this function will lead to its corresponding ticket + /// being advertised as resumption PSK by the client. This + /// depends on session tickets being enabled (see + /// #MBEDTLS_SSL_SESSION_TICKETS configuration option) though. + /// If session tickets are disabled, a call to this function + /// with a TLS 1.3 session, will not have any effect on the next + /// handshake for the SSL context \p ssl. /// /// \param ssl The SSL context representing the connection which should /// be attempted to be setup using session resumption. This @@ -22727,9 +23873,10 @@ unsafe extern "C" { /// /// \return \c 0 if successful. /// \return \c MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the session - /// could not be loaded because of an implementation limitation. - /// This error is non-fatal, and has no observable effect on - /// the SSL context or the session that was attempted to be loaded. + /// could not be loaded because one session has already been + /// loaded. This error is non-fatal, and has no observable + /// effect on the SSL context or the session that was attempted + /// to be loaded. /// \return Another negative error code on other kinds of failure. /// /// \sa mbedtls_ssl_get_session() @@ -22787,8 +23934,8 @@ unsafe extern "C" { /// /// \param session The session structure to be saved. /// \param buf The buffer to write the serialized data to. It must be a - /// writeable buffer of at least \p len bytes, or may be \c - /// NULL if \p len is \c 0. + /// writeable buffer of at least \p buf_len bytes, or may be \c + /// NULL if \p buf_len is \c 0. /// \param buf_len The number of bytes available for writing in \p buf. /// \param olen The size in bytes of the data that has been or would have /// been written. It must point to a valid \c size_t. @@ -22798,8 +23945,16 @@ unsafe extern "C" { /// to determine the necessary size by calling this function /// with \p buf set to \c NULL and \p buf_len to \c 0. /// + /// \note For TLS 1.3 sessions, this feature is supported only if the + /// MBEDTLS_SSL_SESSION_TICKETS configuration option is enabled, + /// as in TLS 1.3 session resumption is possible only with + /// tickets. + /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. + /// \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the + /// MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled + /// and the session is a TLS 1.3 session. pub fn mbedtls_ssl_session_save( session: *const mbedtls_ssl_session, buf: *mut ::core::ffi::c_uchar, @@ -22925,7 +24080,7 @@ unsafe extern "C" { /// record headers. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len + /// \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p len /// is too large. pub fn mbedtls_ssl_conf_cid( conf: *mut mbedtls_ssl_config, @@ -23252,6 +24407,8 @@ unsafe extern "C" { /// used for certificate signature are controlled by the /// verification profile, see \c mbedtls_ssl_conf_cert_profile(). /// + /// \deprecated Superseded by mbedtls_ssl_conf_sig_algs(). + /// /// \note This list should be ordered by decreasing preference /// (preferred hash first). /// @@ -23276,27 +24433,43 @@ unsafe extern "C" { ); } unsafe extern "C" { - /// \brief Configure allowed signature algorithms for use in TLS 1.3 + /// \brief Configure allowed signature algorithms for use in TLS /// /// \param conf The SSL configuration to use. /// \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms, - /// terminated by \c MBEDTLS_TLS1_3_SIG_NONE. The list must remain - /// available throughout the lifetime of the conf object. Supported - /// values are available as \c MBEDTLS_TLS1_3_SIG_XXXX + /// terminated by #MBEDTLS_TLS1_3_SIG_NONE. The list must remain + /// available throughout the lifetime of the conf object. + /// - For TLS 1.3, values of \c MBEDTLS_TLS1_3_SIG_XXXX should be + /// used. + /// - For TLS 1.2, values should be given as + /// "(HashAlgorithm << 8) | SignatureAlgorithm". pub fn mbedtls_ssl_conf_sig_algs(conf: *mut mbedtls_ssl_config, sig_algs: *const u16); } unsafe extern "C" { /// \brief Set or reset the hostname to check against the received - /// server certificate. It sets the ServerName TLS extension, - /// too, if that extension is enabled. (client-side only) + /// peer certificate. On a client, this also sets the + /// ServerName TLS extension, if that extension is enabled. + /// On a TLS 1.3 client, this also sets the server name in + /// the session resumption ticket, if that feature is enabled. /// /// \param ssl SSL context - /// \param hostname the server hostname, may be NULL to clear hostname - /// - /// \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN. - /// - /// \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on - /// allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on + /// \param hostname The server hostname. This may be \c NULL to clear + /// the hostname. + /// + /// \note Maximum hostname length #MBEDTLS_SSL_MAX_HOST_NAME_LEN. + /// + /// \note If the hostname is \c NULL on a client, then the server + /// is not authenticated: it only needs to have a valid + /// certificate, not a certificate matching its name. + /// Therefore you should always call this function on a client, + /// unless the connection is set up to only allow + /// pre-shared keys, or in scenarios where server + /// impersonation is not a concern. See the documentation of + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// for more details. + /// + /// \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on + /// allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on /// too long input hostname. /// /// Hostname set to the one provided on success (cleared @@ -23309,8 +24482,8 @@ unsafe extern "C" { } unsafe extern "C" { /// \brief Retrieve SNI extension value for the current handshake. - /// Available in \p f_cert_cb of \c mbedtls_ssl_conf_cert_cb(), - /// this is the same value passed to \p f_sni callback of + /// Available in \c f_cert_cb of \c mbedtls_ssl_conf_cert_cb(), + /// this is the same value passed to \c f_sni callback of /// \c mbedtls_ssl_conf_sni() and may be used instead of /// \c mbedtls_ssl_conf_sni(). /// @@ -23319,10 +24492,10 @@ unsafe extern "C" { /// 0 if SNI extension is not present or not yet processed. /// /// \return const pointer to SNI extension value. - /// - value is valid only when called in \p f_cert_cb + /// - value is valid only when called in \c f_cert_cb /// registered with \c mbedtls_ssl_conf_cert_cb(). /// - value is NULL if SNI extension is not present. - /// - value is not '\0'-terminated. Use \c name_len for len. + /// - value is not '\0'-terminated. Use \c name_len for len. /// - value must not be freed. pub fn mbedtls_ssl_get_hs_sni( ssl: *mut mbedtls_ssl_context, @@ -23572,6 +24745,10 @@ unsafe extern "C" { /// with \c mbedtls_ssl_read()), not handshake messages. /// With DTLS, this affects both ApplicationData and handshake. /// + /// \note Defragmentation of TLS handshake messages is supported + /// with some limitations. See the documentation of + /// mbedtls_ssl_handshake() for details. + /// /// \note This sets the maximum length for a record's payload, /// excluding record overhead that will be added to it, see /// \c mbedtls_ssl_get_record_expansion(). @@ -23605,19 +24782,48 @@ unsafe extern "C" { ); } unsafe extern "C" { - /// \brief Enable / Disable session tickets (client only). - /// (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.) + /// \brief Enable / Disable TLS 1.2 session tickets (client only, + /// TLS 1.2 only). Enabled by default. /// /// \note On server, use \c mbedtls_ssl_conf_session_tickets_cb(). /// /// \param conf SSL configuration - /// \param use_tickets Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or - /// MBEDTLS_SSL_SESSION_TICKETS_DISABLED) + /// \param use_tickets Enable or disable (#MBEDTLS_SSL_SESSION_TICKETS_ENABLED or + /// #MBEDTLS_SSL_SESSION_TICKETS_DISABLED) pub fn mbedtls_ssl_conf_session_tickets( conf: *mut mbedtls_ssl_config, use_tickets: ::core::ffi::c_int, ); } +unsafe extern "C" { + /// \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages + /// (client only, TLS 1.3 only). + /// + /// The handling of TLS 1.3 NewSessionTicket messages is disabled by + /// default. + /// + /// In TLS 1.3, servers may send a NewSessionTicket message at any time, + /// and may send multiple NewSessionTicket messages. By default, TLS 1.3 + /// clients ignore NewSessionTicket messages. + /// + /// To support session tickets in TLS 1.3 clients, call this function + /// with #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED. When + /// this is enabled, when a client receives a NewSessionTicket message, + /// the next call to a message processing functions (notably + /// mbedtls_ssl_handshake() and mbedtls_ssl_read()) will return + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET. The client should then + /// call mbedtls_ssl_get_session() to retrieve the session ticket before + /// calling the same message processing function again. + /// + /// \param conf SSL configuration + /// \param signal_new_session_tickets Enable or disable + /// (#MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED or + /// #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED) + pub fn mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( + conf: *mut mbedtls_ssl_config, + signal_new_session_tickets: ::core::ffi::c_int, + ); +} unsafe extern "C" { /// \brief Number of NewSessionTicket messages for the server to send /// after handshake completion. @@ -23946,29 +25152,22 @@ unsafe extern "C" { /// \param ssl The SSL context representing the connection for which to /// to export a session structure for later resumption. /// \param session The target structure in which to store the exported session. - /// This must have been initialized with mbedtls_ssl_init_session() + /// This must have been initialized with mbedtls_ssl_session_init() /// but otherwise be unused. /// /// \note This function can handle a variety of mechanisms for session /// resumption: For TLS 1.2, both session ID-based resumption and /// ticket-based resumption will be considered. For TLS 1.3, - /// once implemented, sessions equate to tickets, and calling - /// this function multiple times will export the available - /// tickets one a time until no further tickets are available, - /// in which case MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE will - /// be returned. - /// - /// \note Calling this function multiple times will only be useful - /// once TLS 1.3 is supported. For TLS 1.2 connections, this - /// function should be called at most once. + /// sessions equate to tickets, and if session tickets are + /// enabled (see #MBEDTLS_SSL_SESSION_TICKETS configuration + /// option), this function exports the last received ticket and + /// the exported session may be used to resume the TLS 1.3 + /// session. If session tickets are disabled, exported sessions + /// cannot be used to resume a TLS 1.3 session. /// /// \return \c 0 if successful. In this case, \p session can be used for /// session resumption by passing it to mbedtls_ssl_set_session(), /// and serialized for storage via mbedtls_ssl_session_save(). - /// \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no further session - /// is available for export. - /// This error is a non-fatal, and has no observable effect on - /// the SSL context or the destination session. /// \return Another negative error code on other kinds of failure. /// /// \sa mbedtls_ssl_set_session() @@ -24000,6 +25199,17 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use /// and the client did not demonstrate reachability yet - in /// this case you must stop using the context (see below). + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. See the + /// documentation of mbedtls_ssl_read() for more information + /// about this error code. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24008,7 +25218,9 @@ unsafe extern "C" { /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24028,10 +25240,31 @@ unsafe extern "C" { /// currently being processed might or might not contain further /// DTLS records. /// - /// \note If the context is configured to allow TLS 1.3, or if - /// #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling /// psa_crypto_init() before calling this function. + /// Otherwise, the handshake may call psa_crypto_init() + /// if a negotiation involving TLS 1.3 takes place (this may + /// be the case even if TLS 1.3 is offered but eventually + /// not selected). + /// + /// \note In TLS, reception of fragmented handshake messages is + /// supported with some limitations (those limitations do + /// not apply to DTLS, where defragmentation is fully + /// supported): + /// - On an Mbed TLS server that only accepts TLS 1.2, + /// the initial ClientHello message must not be fragmented. + /// A TLS 1.2 ClientHello may be fragmented if the server + /// also accepts TLS 1.3 connections (meaning + /// that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the + /// accepted versions have not been restricted with + /// mbedtls_ssl_conf_max_tls_version() or the like). + /// - The first fragment of a handshake message must be + /// at least 4 bytes long. + /// - Non-handshake records must not be interleaved between + /// the fragments of a handshake message. (This is permitted + /// in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it + /// even in TLS 1.2.) pub fn mbedtls_ssl_handshake(ssl: *mut mbedtls_ssl_context) -> ::core::ffi::c_int; } unsafe extern "C" { @@ -24060,8 +25293,10 @@ unsafe extern "C" { /// /// \warning If this function returns something other than \c 0, /// #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, - /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using + /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using /// the SSL context for reading or writing, and either free it /// or call \c mbedtls_ssl_session_reset() on it before /// re-using it for a new connection; the current connection @@ -24124,6 +25359,24 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server /// side of a DTLS connection and the client is initiating a /// new connection using the same source port. See below. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. + /// This error code is only returned on the client side. It is + /// only returned if handling of TLS 1.3 NewSessionTicket + /// messages has been enabled through + /// mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(). + /// This error code indicates that a TLS 1.3 NewSessionTicket + /// message has been received and parsed successfully by the + /// client. The ticket data can be retrieved from the SSL + /// context by calling mbedtls_ssl_get_session(). It remains + /// available until the next call to mbedtls_ssl_read(). + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24132,8 +25385,10 @@ unsafe extern "C" { /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CLIENT_RECONNECT, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24200,6 +25455,17 @@ unsafe extern "C" { /// operation is in progress (see mbedtls_ecp_set_max_ops()) - /// in this case you must call this function again to complete /// the handshake when you're done attending other tasks. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. See the + /// documentation of mbedtls_ssl_read() for more information + /// about this error code. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24207,8 +25473,10 @@ unsafe extern "C" { /// a non-negative value, /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, - /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24449,381 +25717,64 @@ unsafe extern "C" { /// \brief Free an SSL configuration context /// /// \param conf SSL configuration context - pub fn mbedtls_ssl_config_free(conf: *mut mbedtls_ssl_config); -} -unsafe extern "C" { - /// \brief Initialize SSL session structure - /// - /// \param session SSL session - pub fn mbedtls_ssl_session_init(session: *mut mbedtls_ssl_session); -} -unsafe extern "C" { - /// \brief Free referenced items in an SSL session including the - /// peer certificate and clear memory - /// - /// \note A session object can be freed even if the SSL context - /// that was used to retrieve the session is still in use. - /// - /// \param session SSL session - pub fn mbedtls_ssl_session_free(session: *mut mbedtls_ssl_session); -} -unsafe extern "C" { - /// \brief TLS-PRF function for key derivation. - /// - /// \param prf The tls_prf type function type to be used. - /// \param secret Secret for the key derivation function. - /// \param slen Length of the secret. - /// \param label String label for the key derivation function, - /// terminated with null character. - /// \param random Random bytes. - /// \param rlen Length of the random bytes buffer. - /// \param dstbuf The buffer holding the derived key. - /// \param dlen Length of the output buffer. - /// - /// \return 0 on success. An SSL specific error on failure. - pub fn mbedtls_ssl_tls_prf( - prf: mbedtls_tls_prf_types, - secret: *const ::core::ffi::c_uchar, - slen: usize, - label: *const ::core::ffi::c_char, - random: *const ::core::ffi::c_uchar, - rlen: usize, - dstbuf: *mut ::core::ffi::c_uchar, - dlen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Set the threshold error level to handle globally all debug output. - /// Debug messages that have a level over the threshold value are - /// discarded. - /// (Default value: 0 = No debug ) - /// - /// \param threshold threshold level of messages to filter on. Messages at a - /// higher level will be discarded. - /// - Debug levels - /// - 0 No debug - /// - 1 Error - /// - 2 State change - /// - 3 Informational - /// - 4 Verbose - pub fn mbedtls_debug_set_threshold(threshold: ::core::ffi::c_int); -} -unsafe extern "C" { - /// \brief Print a message to the debug output. This function is always used - /// through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl - /// context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the message has occurred in - /// \param line line number the message has occurred at - /// \param format format specifier, in printf format - /// \param ... variables used by the format specifier - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_msg( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - format: *const ::core::ffi::c_char, - ... - ); -} -unsafe extern "C" { - /// \brief Print the return value of a function to the debug output. This - /// function is always used through the MBEDTLS_SSL_DEBUG_RET() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text the name of the function that returned the error - /// \param ret the return code value - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_ret( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - ret: ::core::ffi::c_int, - ); -} -unsafe extern "C" { - /// \brief Output a buffer of size len bytes to the debug output. This function - /// is always used through the MBEDTLS_SSL_DEBUG_BUF() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the buffer being dumped. Normally the - /// variable or buffer name - /// \param buf the buffer to be outputted - /// \param len length of the buffer - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_buf( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - buf: *const ::core::ffi::c_uchar, - len: usize, - ); -} -unsafe extern "C" { - /// \brief Print a MPI variable to the debug output. This function is always - /// used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the - /// ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the MPI being output. Normally the - /// variable name - /// \param X the MPI variable - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_mpi( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - X: *const mbedtls_mpi, - ); -} -unsafe extern "C" { - /// \brief Print an ECP point to the debug output. This function is always - /// used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the - /// ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the ECP point being output. Normally the - /// variable name - /// \param X the ECP point - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_ecp( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - X: *const mbedtls_ecp_point, - ); -} -unsafe extern "C" { - /// \brief Print a X.509 certificate structure to the debug output. This - /// function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the certificate being output - /// \param crt X.509 certificate structure - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_crt( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - crt: *const mbedtls_x509_crt, - ); -} -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_Q: mbedtls_debug_ecdh_attr = 0; -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_QP: mbedtls_debug_ecdh_attr = 1; -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_Z: mbedtls_debug_ecdh_attr = 2; -pub type mbedtls_debug_ecdh_attr = ::core::ffi::c_uint; -unsafe extern "C" { - /// \brief Print a field of the ECDH structure in the SSL context to the debug - /// output. This function is always used through the - /// MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file - /// and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param ecdh the ECDH context - /// \param attr the identifier of the attribute being output - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_printf_ecdh( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - ecdh: *const mbedtls_ecdh_context, - attr: mbedtls_debug_ecdh_attr, - ); -} -/// \brief Entropy poll callback pointer -/// -/// \param data Callback-specific data pointer -/// \param output Data to fill -/// \param len Maximum size to provide -/// \param olen The actual amount of bytes put into the buffer (Can be 0) -/// -/// \return 0 if no critical failures occurred, -/// MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise -pub type mbedtls_entropy_f_source_ptr = ::core::option::Option< - unsafe extern "C" fn( - data: *mut ::core::ffi::c_void, - output: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - ) -> ::core::ffi::c_int, ->; -/// \brief Entropy source state -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_entropy_source_state { - ///< The entropy source callback - pub private_f_source: mbedtls_entropy_f_source_ptr, - ///< The callback data pointer - pub private_p_source: *mut ::core::ffi::c_void, - ///< Amount received in bytes - pub private_size: usize, - ///< Minimum bytes required before release - pub private_threshold: usize, - ///< Is the source strong? - pub private_strong: ::core::ffi::c_int, -} -impl Default for mbedtls_entropy_source_state { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -/// \brief Entropy context structure -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_entropy_context { - pub private_accumulator_started: ::core::ffi::c_int, - pub __bindgen_padding_0: u64, - pub private_accumulator: mbedtls_sha512_context, - pub private_source_count: ::core::ffi::c_int, - pub private_source: [mbedtls_entropy_source_state; 20usize], -} -impl Default for mbedtls_entropy_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief Initialize the context - /// - /// \param ctx Entropy context to initialize - pub fn mbedtls_entropy_init(ctx: *mut mbedtls_entropy_context); -} -unsafe extern "C" { - /// \brief Free the data in the context - /// - /// \param ctx Entropy context to free - pub fn mbedtls_entropy_free(ctx: *mut mbedtls_entropy_context); -} -unsafe extern "C" { - /// \brief Adds an entropy source to poll - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) - /// - /// \param ctx Entropy context - /// \param f_source Entropy function - /// \param p_source Function data - /// \param threshold Minimum required from source before entropy is released - /// ( with mbedtls_entropy_func() ) (in bytes) - /// \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or - /// MBEDTLS_ENTROPY_SOURCE_WEAK. - /// At least one strong source needs to be added. - /// Weaker sources (such as the cycle counter) can be used as - /// a complement. - /// - /// \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES - pub fn mbedtls_entropy_add_source( - ctx: *mut mbedtls_entropy_context, - f_source: mbedtls_entropy_f_source_ptr, - p_source: *mut ::core::ffi::c_void, - threshold: usize, - strong: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + pub fn mbedtls_ssl_config_free(conf: *mut mbedtls_ssl_config); } unsafe extern "C" { - /// \brief Trigger an extra gather poll for the accumulator - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) - /// - /// \param ctx Entropy context + /// \brief Initialize SSL session structure /// - /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED - pub fn mbedtls_entropy_gather(ctx: *mut mbedtls_entropy_context) -> ::core::ffi::c_int; + /// \param session SSL session + pub fn mbedtls_ssl_session_init(session: *mut mbedtls_ssl_session); } unsafe extern "C" { - /// \brief Retrieve entropy from the accumulator - /// (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE) - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) + /// \brief Free referenced items in an SSL session including the + /// peer certificate and clear memory /// - /// \param data Entropy context - /// \param output Buffer to fill - /// \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE + /// \note A session object can be freed even if the SSL context + /// that was used to retrieve the session is still in use. /// - /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED - pub fn mbedtls_entropy_func( - data: *mut ::core::ffi::c_void, - output: *mut ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \param session SSL session + pub fn mbedtls_ssl_session_free(session: *mut mbedtls_ssl_session); } unsafe extern "C" { - /// \brief Add data to the accumulator manually - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) + /// \brief TLS-PRF function for key derivation. /// - /// \param ctx Entropy context - /// \param data Data to add - /// \param len Length of data + /// \param prf The tls_prf type function type to be used. + /// \param secret Secret for the key derivation function. + /// \param slen Length of the secret. + /// \param label String label for the key derivation function, + /// terminated with null character. + /// \param random Random bytes. + /// \param rlen Length of the random bytes buffer. + /// \param dstbuf The buffer holding the derived key. + /// \param dlen Length of the output buffer. /// - /// \return 0 if successful - pub fn mbedtls_entropy_update_manual( - ctx: *mut mbedtls_entropy_context, - data: *const ::core::ffi::c_uchar, - len: usize, + /// \return 0 on success. An SSL specific error on failure. + pub fn mbedtls_ssl_tls_prf( + prf: mbedtls_tls_prf_types, + secret: *const ::core::ffi::c_uchar, + slen: usize, + label: *const ::core::ffi::c_char, + random: *const ::core::ffi::c_uchar, + rlen: usize, + dstbuf: *mut ::core::ffi::c_uchar, + dlen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Checkup routine - /// - /// This module self-test also calls the entropy self-test, - /// mbedtls_entropy_source_self_test(); + /// \brief Set the threshold error level to handle globally all debug output. + /// Debug messages that have a level over the threshold value are + /// discarded. + /// (Default value: 0 = No debug ) /// - /// \return 0 if successful, or 1 if a test failed - pub fn mbedtls_entropy_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; + /// \param threshold threshold level of messages to filter on. Messages at a + /// higher level will be discarded. + /// - Debug levels + /// - 0 No debug + /// - 1 Error + /// - 2 State change + /// - 3 Informational + /// - 4 Verbose + pub fn mbedtls_debug_set_threshold(threshold: ::core::ffi::c_int); } unsafe extern "C" { /// \brief This is the HMAC-based Extract-and-Expand Key Derivation Function @@ -24992,8 +25943,8 @@ unsafe extern "C" { /// \param len The length of the personalization string. /// This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT /// and also at most - /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2 - /// where \p entropy_len is the entropy length + /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len * 3 / 2 + /// where \c entropy_len is the entropy length /// described above. /// /// \return \c 0 if successful. @@ -25118,8 +26069,8 @@ unsafe extern "C" { /// \param len The length of the additional data. /// This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT /// and also at most - /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len - /// where \p entropy_len is the entropy length + /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length /// (see mbedtls_hmac_drbg_set_entropy_len()). /// /// \return \c 0 if successful. @@ -25602,6 +26553,28 @@ unsafe extern "C" { oid: *const mbedtls_asn1_buf, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Translate a string containing a dotted-decimal + /// representation of an ASN.1 OID into its encoded form + /// (e.g. "1.2.840.113549" into "\x2A\x86\x48\x86\xF7\x0D"). + /// On success, this function allocates oid->buf from the + /// heap. It must be freed by the caller using mbedtls_free(). + /// + /// \param oid #mbedtls_asn1_buf to populate with the DER-encoded OID + /// \param oid_str string representation of the OID to parse + /// \param size length of the OID string, not including any null terminator + /// + /// \return 0 if successful + /// \return #MBEDTLS_ERR_ASN1_INVALID_DATA if \p oid_str does not + /// represent a valid OID + /// \return #MBEDTLS_ERR_ASN1_ALLOC_FAILED if the function fails to + /// allocate oid->buf + pub fn mbedtls_oid_from_numeric_string( + oid: *mut mbedtls_asn1_buf, + oid_str: *const ::core::ffi::c_char, + size: usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Translate an X.509 extension OID into local values /// @@ -25679,6 +26652,34 @@ unsafe extern "C" { olen: *mut usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Translate AlgorithmIdentifier OID into an EC group identifier, + /// for curves that are directly encoded at this level + /// + /// \param oid OID to use + /// \param grp_id place to store group id + /// + /// \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + pub fn mbedtls_oid_get_ec_grp_algid( + oid: *const mbedtls_asn1_buf, + grp_id: *mut mbedtls_ecp_group_id, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Translate EC group identifier into AlgorithmIdentifier OID, + /// for curves that are directly encoded at this level + /// + /// \param grp_id EC group identifier + /// \param oid place to store ASN.1 OID string pointer + /// \param olen length of the OID + /// + /// \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + pub fn mbedtls_oid_get_oid_by_ec_grp_algid( + grp_id: mbedtls_ecp_group_id, + oid: *mut *const ::core::ffi::c_char, + olen: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Translate SignatureAlgorithm OID into md_type and pk_type /// @@ -25846,11 +26847,11 @@ unsafe extern "C" { /// \param data source data to look in (must be nul-terminated) /// \param pwd password for decryption (can be NULL) /// \param pwdlen length of password - /// \param use_len destination for total length used (set after header is - /// correctly read, so unless you get + /// \param use_len destination for total length used from data buffer. It is + /// set after header is correctly read, so unless you get /// MBEDTLS_ERR_PEM_BAD_INPUT_DATA or /// MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is - /// the length to skip) + /// the length to skip. /// /// \note Attempts to check password correctness by verifying if /// the decrypted text starts with an ASN.1 sequence of @@ -25915,13 +26916,40 @@ unsafe extern "C" { unsafe extern "C" { /// \brief PKCS#5 PBES2 function /// + /// \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must + /// be enabled at compile time. + /// + /// \deprecated This function is deprecated and will be removed in a + /// future version of the library. + /// Please use mbedtls_pkcs5_pbes2_ext() instead. + /// + /// \warning When decrypting: + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile + /// time, this function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile + /// time, this function does not validate the CBC padding. + /// /// \param pbe_params the ASN.1 algorithm parameters - /// \param mode either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT + /// \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT /// \param pwd password to use when generating key /// \param pwdlen length of password /// \param data data to process /// \param datalen length of data - /// \param output output buffer + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p datalen + /// bytes. + /// For encryption, there must be enough room for + /// \p datalen + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. /// /// \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails. pub fn mbedtls_pkcs5_pbes2( @@ -25934,6 +26962,50 @@ unsafe extern "C" { output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief PKCS#5 PBES2 function + /// + /// \warning When decrypting: + /// - This function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// + /// \param pbe_params the ASN.1 algorithm parameters + /// \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT + /// \param pwd password to use when generating key + /// \param pwdlen length of password + /// \param data data to process + /// \param datalen length of data + /// \param output Output buffer. + /// On success, it contains the decrypted data. + /// On failure, the content is indetermidate. + /// For decryption, there must be enough room for \p datalen + /// bytes. + /// For encryption, there must be enough room for + /// \p datalen + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. + /// \param output_size size of output buffer. + /// This must be big enough to accommodate for output plus + /// padding data. + /// \param output_len On success, length of actual data written to the output buffer. + /// + /// \returns 0 on success, or a MBEDTLS_ERR_XXX code if parsing or decryption fails. + pub fn mbedtls_pkcs5_pbes2_ext( + pbe_params: *const mbedtls_asn1_buf, + mode: ::core::ffi::c_int, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + data: *const ::core::ffi::c_uchar, + datalen: usize, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_len: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief PKCS#5 PBKDF2 using HMAC without using the HMAC context /// @@ -26165,6 +27237,25 @@ unsafe extern "C" { /// \brief PKCS12 Password Based function (encryption / decryption) /// for cipher-based and mbedtls_md-based PBE's /// + /// \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must + /// be enabled at compile time. + /// + /// \deprecated This function is deprecated and will be removed in a + /// future version of the library. + /// Please use mbedtls_pkcs12_pbe_ext() instead. + /// + /// \warning When decrypting: + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile + /// time, this function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile + /// time, this function does not validate the CBC padding. + /// /// \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure /// \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or /// #MBEDTLS_PKCS12_PBE_DECRYPT @@ -26173,9 +27264,17 @@ unsafe extern "C" { /// \param pwd Latin1-encoded password used. This may only be \c NULL when /// \p pwdlen is 0. No null terminator should be used. /// \param pwdlen length of the password (may be 0) - /// \param input the input data + /// \param data the input data /// \param len data length - /// \param output the output buffer + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p len + /// bytes. + /// For encryption, there must be enough room for + /// \p len + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. /// /// \return 0 if successful, or a MBEDTLS_ERR_XXX code pub fn mbedtls_pkcs12_pbe( @@ -26185,9 +27284,62 @@ unsafe extern "C" { md_type: mbedtls_md_type_t, pwd: *const ::core::ffi::c_uchar, pwdlen: usize, - input: *const ::core::ffi::c_uchar, + data: *const ::core::ffi::c_uchar, + len: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief PKCS12 Password Based function (encryption / decryption) + /// for cipher-based and mbedtls_md-based PBE's + /// + /// + /// \warning When decrypting: + /// - This function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// + /// \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure + /// \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or + /// #MBEDTLS_PKCS12_PBE_DECRYPT + /// \param cipher_type the cipher used + /// \param md_type the mbedtls_md used + /// \param pwd Latin1-encoded password used. This may only be \c NULL when + /// \p pwdlen is 0. No null terminator should be used. + /// \param pwdlen length of the password (may be 0) + /// \param data the input data + /// \param len data length + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p len + /// bytes. + /// For encryption, there must be enough room for + /// \p len + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. + /// \param output_size size of output buffer. + /// This must be big enough to accommodate for output plus + /// padding data. + /// \param output_len On success, length of actual data written to the output buffer. + /// + /// \return 0 if successful, or a MBEDTLS_ERR_XXX code + pub fn mbedtls_pkcs12_pbe_ext( + pbe_params: *mut mbedtls_asn1_buf, + mode: ::core::ffi::c_int, + cipher_type: mbedtls_cipher_type_t, + md_type: mbedtls_md_type_t, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + data: *const ::core::ffi::c_uchar, len: usize, output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_len: *mut usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { @@ -26286,6 +27438,11 @@ unsafe extern "C" { /// \param session_id_len The length of \p session_id in bytes. /// \param session The address at which to store the session /// associated with \p session_id, if present. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND if there is + /// no cache entry with specified session ID found, or + /// any other negative error code for other failures. pub fn mbedtls_ssl_cache_get( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26302,6 +27459,9 @@ unsafe extern "C" { /// associated to \p session. /// \param session_id_len The length of \p session_id in bytes. /// \param session The session to store. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. pub fn mbedtls_ssl_cache_set( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26315,12 +27475,13 @@ unsafe extern "C" { /// /// \param data The SSL cache context to use. /// \param session_id The pointer to the buffer holding the session ID - /// associated to \p session. + /// associated to session. /// \param session_id_len The length of \p session_id in bytes. /// - /// \return 0: The cache entry for session with provided ID - /// is removed or does not exist. - /// Otherwise: fail. + /// \return \c 0 on success. This indicates the cache entry for + /// the session with provided ID is removed or does not + /// exist. + /// \return A negative error code on failure. pub fn mbedtls_ssl_cache_remove( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26373,13 +27534,7 @@ unsafe extern "C" { /// \brief Setup cookie context (generate keys) pub fn mbedtls_ssl_cookie_setup( ctx: *mut mbedtls_ssl_cookie_ctx, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -26425,6 +27580,9 @@ unsafe extern "C" { #[derive(Copy, Clone)] pub struct mbedtls_ssl_ticket_key { pub private_name: [::core::ffi::c_uchar; 4usize], + /// Lifetime of the key in seconds. This is also the lifetime of the + /// tickets created under that key. + pub private_lifetime: u32, ///< context for auth enc/decryption pub private_ctx: mbedtls_cipher_context_t, } @@ -26480,7 +27638,9 @@ unsafe extern "C" { /// /// \param ctx Context to be set up /// \param f_rng RNG callback function (mandatory) - /// \param p_rng RNG callback context + /// \param p_rng RNG callback context. + /// Note that the RNG callback must remain valid + /// until the ticket context is freed. /// \param cipher AEAD cipher to use for ticket protection. /// Recommended value: MBEDTLS_CIPHER_AES_256_GCM. /// \param lifetime Tickets lifetime in seconds @@ -26490,21 +27650,21 @@ unsafe extern "C" { /// least as strong as the strongest ciphersuite /// supported. Usually that means a 256-bit key. /// - /// \note The lifetime of the keys is twice the lifetime of tickets. - /// It is recommended to pick a reasonable lifetime so as not + /// \note It is recommended to pick a reasonable lifetime so as not /// to negate the benefits of forward secrecy. /// + /// \note The TLS 1.3 specification states that ticket lifetime must + /// be smaller than seven days. If ticket lifetime has been + /// set to a value greater than seven days in this module then + /// if the TLS 1.3 is configured to send tickets after the + /// handshake it will fail the connection when trying to send + /// the first ticket. + /// /// \return 0 if successful, /// or a specific MBEDTLS_ERR_XXX error code pub fn mbedtls_ssl_ticket_setup( ctx: *mut mbedtls_ssl_ticket_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, cipher: mbedtls_cipher_type_t, lifetime: u32, @@ -26535,10 +27695,16 @@ unsafe extern "C" { /// \note \c klength must be sufficient for use by cipher specified /// to \c mbedtls_ssl_ticket_setup /// - /// \note The lifetime of the keys is twice the lifetime of tickets. - /// It is recommended to pick a reasonable lifetime so as not + /// \note It is recommended to pick a reasonable lifetime so as not /// to negate the benefits of forward secrecy. /// + /// \note The TLS 1.3 specification states that ticket lifetime must + /// be smaller than seven days. If ticket lifetime has been + /// set to a value greater than seven days in this module then + /// if the TLS 1.3 is configured to send tickets after the + /// handshake it will fail the connection when trying to send + /// the first ticket. + /// /// \return 0 if successful, /// or a specific MBEDTLS_ERR_XXX error code pub fn mbedtls_ssl_ticket_rotate( @@ -26604,7 +27770,7 @@ pub struct mbedtls_x509_csr { pub key_usage: ::core::ffi::c_uint, ///< Optional Netscape certificate type extension value: See the values in x509.h pub ns_cert_type: ::core::ffi::c_uchar, - ///< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). + ///< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. pub subject_alt_names: mbedtls_x509_sequence, ///< Bit string containing detected and parsed extensions pub private_ext_types: ::core::ffi::c_int, @@ -26644,25 +27810,12 @@ impl Default for mbedtls_x509write_csr { } } } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_x509_san_list { - pub node: mbedtls_x509_subject_alternative_name, - pub next: *mut mbedtls_x509_san_list, -} -impl Default for mbedtls_x509_san_list { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { /// \brief Load a Certificate Signing Request (CSR) in DER format /// - /// \note CSR attributes (if any) are currently silently ignored. + /// \note Any unsupported requested extensions are silently + /// ignored, unless the critical flag is set, in which case + /// the CSR is rejected. /// /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling @@ -26679,6 +27832,70 @@ unsafe extern "C" { buflen: usize, ) -> ::core::ffi::c_int; } +/// \brief The type of certificate extension callbacks. +/// +/// Callbacks of this type are passed to and used by the +/// mbedtls_x509_csr_parse_der_with_ext_cb() routine when +/// it encounters either an unsupported extension. +/// Future versions of the library may invoke the callback +/// in other cases, if and when the need arises. +/// +/// \param p_ctx An opaque context passed to the callback. +/// \param csr The CSR being parsed. +/// \param oid The OID of the extension. +/// \param critical Whether the extension is critical. +/// \param p Pointer to the start of the extension value +/// (the content of the OCTET STRING). +/// \param end End of extension value. +/// +/// \note The callback must fail and return a negative error code +/// if it can not parse or does not support the extension. +/// When the callback fails to parse a critical extension +/// mbedtls_x509_csr_parse_der_with_ext_cb() also fails. +/// When the callback fails to parse a non critical extension +/// mbedtls_x509_csr_parse_der_with_ext_cb() simply skips +/// the extension and continues parsing. +/// +/// \return \c 0 on success. +/// \return A negative error code on failure. +pub type mbedtls_x509_csr_ext_cb_t = ::core::option::Option< + unsafe extern "C" fn( + p_ctx: *mut ::core::ffi::c_void, + csr: *const mbedtls_x509_csr, + oid: *const mbedtls_x509_buf, + critical: ::core::ffi::c_int, + p: *const ::core::ffi::c_uchar, + end: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int, +>; +unsafe extern "C" { + /// \brief Load a Certificate Signing Request (CSR) in DER format + /// + /// \note Any unsupported requested extensions are silently + /// ignored, unless the critical flag is set, in which case + /// the result of the callback function decides whether + /// CSR is rejected. + /// + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. + /// + /// \param csr CSR context to fill + /// \param buf buffer holding the CRL data + /// \param buflen size of the buffer + /// \param cb A callback invoked for every unsupported certificate + /// extension. + /// \param p_ctx An opaque context passed to the callback. + /// + /// \return 0 if successful, or a specific X509 error code + pub fn mbedtls_x509_csr_parse_der_with_ext_cb( + csr: *mut mbedtls_x509_csr, + buf: *const ::core::ffi::c_uchar, + buflen: usize, + cb: mbedtls_x509_csr_ext_cb_t, + p_ctx: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Load a Certificate Signing Request (CSR), DER or PEM format /// @@ -26740,7 +27957,7 @@ unsafe extern "C" { /// \brief Set the subject name for a CSR /// Subject names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1" /// /// \param ctx CSR context to use /// \param subject_name subject name to set @@ -26871,13 +28088,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_csr, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -26898,13 +28109,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_csr, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } diff --git a/esp-mbedtls-sys/src/include/xtensa-esp32s2-none-elf.rs b/esp-mbedtls-sys/src/include/xtensa-esp32s2-none-elf.rs index 8a8f52f3..f6ce94cd 100644 --- a/esp-mbedtls-sys/src/include/xtensa-esp32s2-none-elf.rs +++ b/esp-mbedtls-sys/src/include/xtensa-esp32s2-none-elf.rs @@ -137,6 +137,36 @@ where } } } +#[repr(C)] +#[derive(Default)] +pub struct __IncompleteArrayField(::core::marker::PhantomData, [T; 0]); +impl __IncompleteArrayField { + #[inline] + pub const fn new() -> Self { + __IncompleteArrayField(::core::marker::PhantomData, []) + } + #[inline] + pub fn as_ptr(&self) -> *const T { + self as *const _ as *const T + } + #[inline] + pub fn as_mut_ptr(&mut self) -> *mut T { + self as *mut _ as *mut T + } + #[inline] + pub unsafe fn as_slice(&self, len: usize) -> &[T] { + ::core::slice::from_raw_parts(self.as_ptr(), len) + } + #[inline] + pub unsafe fn as_mut_slice(&mut self, len: usize) -> &mut [T] { + ::core::slice::from_raw_parts_mut(self.as_mut_ptr(), len) + } +} +impl ::core::fmt::Debug for __IncompleteArrayField { + fn fmt(&self, fmt: &mut ::core::fmt::Formatter<'_>) -> ::core::fmt::Result { + fmt.write_str("__IncompleteArrayField") + } +} pub const MBEDTLS_CONFIG_FILE: &[u8; 9] = b"config.h\0"; pub const MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT: u32 = 0; pub const MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: u32 = 1024; @@ -144,14 +174,33 @@ pub const MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE: u32 = 6000; pub const MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH: u32 = 32; pub const MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS: u32 = 1; pub const MBEDTLS_VERSION_MAJOR: u32 = 3; -pub const MBEDTLS_VERSION_MINOR: u32 = 4; -pub const MBEDTLS_VERSION_PATCH: u32 = 0; -pub const MBEDTLS_VERSION_NUMBER: u32 = 50593792; -pub const MBEDTLS_VERSION_STRING: &[u8; 6] = b"3.4.0\0"; -pub const MBEDTLS_VERSION_STRING_FULL: &[u8; 15] = b"mbed TLS 3.4.0\0"; +pub const MBEDTLS_VERSION_MINOR: u32 = 6; +pub const MBEDTLS_VERSION_PATCH: u32 = 5; +pub const MBEDTLS_VERSION_NUMBER: u32 = 50726144; +pub const MBEDTLS_VERSION_STRING: &[u8; 6] = b"3.6.5\0"; +pub const MBEDTLS_VERSION_STRING_FULL: &[u8; 15] = b"Mbed TLS 3.6.5\0"; +pub const PSA_WANT_ALG_MD5: u32 = 1; +pub const PSA_WANT_ALG_RIPEMD160: u32 = 1; +pub const PSA_WANT_ALG_SHA_1: u32 = 1; +pub const PSA_WANT_ALG_SHA_224: u32 = 1; +pub const PSA_WANT_ALG_SHA_256: u32 = 1; +pub const PSA_WANT_ALG_SHA_384: u32 = 1; +pub const PSA_WANT_ALG_SHA_512: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_256: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_384: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_512: u32 = 1; +pub const PSA_WANT_ECC_MONTGOMERY_255: u32 = 1; +pub const PSA_WANT_ECC_MONTGOMERY_448: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_192: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_224: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_256: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_384: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_521: u32 = 1; +pub const PSA_WANT_ECC_SECP_K1_192: u32 = 1; +pub const PSA_WANT_ECC_SECP_K1_256: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CCM: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const PSA_WANT_ALG_CCM: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const PSA_WANT_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CMAC: u32 = 1; pub const PSA_WANT_ALG_CMAC: u32 = 1; @@ -162,10 +211,40 @@ pub const PSA_WANT_ALG_ECDSA: u32 = 1; pub const PSA_WANT_ALG_ECDSA_ANY: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA: u32 = 1; pub const PSA_WANT_ALG_DETERMINISTIC_ECDSA: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR: u32 = 1; -pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY: u32 = 1; pub const PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY: u32 = 1; +pub const PSA_WANT_ALG_FFDH: u32 = 1; +pub const PSA_WANT_DH_RFC7919_2048: u32 = 1; +pub const PSA_WANT_DH_RFC7919_3072: u32 = 1; +pub const PSA_WANT_DH_RFC7919_4096: u32 = 1; +pub const PSA_WANT_DH_RFC7919_6144: u32 = 1; +pub const PSA_WANT_DH_RFC7919_8192: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_ALG_FFDH: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_GCM: u32 = 1; pub const PSA_WANT_ALG_GCM: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_HMAC: u32 = 1; @@ -176,17 +255,16 @@ pub const MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT: u32 = 1; pub const PSA_WANT_ALG_HKDF_EXTRACT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND: u32 = 1; pub const PSA_WANT_ALG_HKDF_EXPAND: u32 = 1; +pub const PSA_WANT_KEY_TYPE_HMAC: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF: u32 = 1; pub const PSA_WANT_ALG_TLS12_PRF: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS: u32 = 1; pub const PSA_WANT_ALG_TLS12_PSK_TO_MS: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_MD5: u32 = 1; -pub const PSA_WANT_ALG_MD5: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_PAKE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_JPAKE: u32 = 1; pub const PSA_WANT_ALG_JPAKE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160: u32 = 1; -pub const PSA_WANT_ALG_RIPEMD160: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT: u32 = 1; pub const PSA_WANT_ALG_RSA_PKCS1V15_CRYPT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN: u32 = 1; @@ -196,20 +274,19 @@ pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP: u32 = 1; pub const PSA_WANT_ALG_RSA_OAEP: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS: u32 = 1; pub const PSA_WANT_ALG_RSA_PSS: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR: u32 = 1; -pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY: u32 = 1; pub const PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_1: u32 = 1; -pub const PSA_WANT_ALG_SHA_1: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_224: u32 = 1; -pub const PSA_WANT_ALG_SHA_224: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_256: u32 = 1; -pub const PSA_WANT_ALG_SHA_256: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_384: u32 = 1; -pub const PSA_WANT_ALG_SHA_384: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_512: u32 = 1; -pub const PSA_WANT_ALG_SHA_512: u32 = 1; pub const PSA_WANT_KEY_TYPE_AES: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES: u32 = 1; pub const PSA_WANT_KEY_TYPE_ARIA: u32 = 1; @@ -221,8 +298,8 @@ pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS: u32 = 1; pub const PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS: u32 = 1; pub const PSA_WANT_KEY_TYPE_CHACHA20: u32 = 1; -pub const PSA_WANT_ALG_STREAM_CIPHER: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20: u32 = 1; +pub const PSA_WANT_ALG_STREAM_CIPHER: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER: u32 = 1; pub const PSA_WANT_ALG_CHACHA20_POLY1305: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305: u32 = 1; @@ -250,8 +327,7 @@ pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256: u32 = 1; -pub const PSA_HAVE_FULL_ECDSA: u32 = 1; -pub const PSA_HAVE_FULL_JPAKE: u32 = 1; +pub const PSA_WANT_ALG_SOME_PAKE: u32 = 1; pub const PSA_WANT_KEY_TYPE_DERIVE: u32 = 1; pub const PSA_WANT_KEY_TYPE_PASSWORD: u32 = 1; pub const PSA_WANT_KEY_TYPE_PASSWORD_HASH: u32 = 1; @@ -272,7 +348,7 @@ pub const MBEDTLS_ERR_MPI_DIVISION_BY_ZERO: i32 = -12; pub const MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: i32 = -14; pub const MBEDTLS_ERR_MPI_ALLOC_FAILED: i32 = -16; pub const MBEDTLS_MPI_MAX_LIMBS: u32 = 10000; -pub const MBEDTLS_MPI_WINDOW_SIZE: u32 = 2; +pub const MBEDTLS_MPI_WINDOW_SIZE: u32 = 3; pub const MBEDTLS_MPI_MAX_SIZE: u32 = 1024; pub const MBEDTLS_MPI_MAX_BITS: u32 = 8192; pub const MBEDTLS_MPI_MAX_BITS_SCALE100: u32 = 819200; @@ -320,6 +396,8 @@ pub const MBEDTLS_CIPHER_VARIABLE_KEY_LEN: u32 = 2; pub const MBEDTLS_MAX_IV_LENGTH: u32 = 16; pub const MBEDTLS_MAX_BLOCK_LENGTH: u32 = 16; pub const MBEDTLS_MAX_KEY_LENGTH: u32 = 64; +pub const MBEDTLS_KEY_BITLEN_SHIFT: u32 = 6; +pub const MBEDTLS_IV_SIZE_SHIFT: u32 = 2; pub const MBEDTLS_CCM_DECRYPT: u32 = 0; pub const MBEDTLS_CCM_ENCRYPT: u32 = 1; pub const MBEDTLS_CCM_STAR_DECRYPT: u32 = 2; @@ -332,7 +410,26 @@ pub const MBEDTLS_ERR_CHACHAPOLY_BAD_STATE: i32 = -84; pub const MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED: i32 = -86; pub const MBEDTLS_AES_BLOCK_SIZE: u32 = 16; pub const MBEDTLS_DES3_BLOCK_SIZE: u32 = 8; +pub const MBEDTLS_CMAC_MAX_BLOCK_SIZE: u32 = 16; pub const MBEDTLS_CIPHER_BLKSIZE_MAX: u32 = 16; +pub const MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: i32 = -20608; +pub const MBEDTLS_ERR_MD_BAD_INPUT_DATA: i32 = -20736; +pub const MBEDTLS_ERR_MD_ALLOC_FAILED: i32 = -20864; +pub const MBEDTLS_ERR_MD_FILE_IO_ERROR: i32 = -20992; +pub const MBEDTLS_MD_MAX_SIZE: u32 = 64; +pub const MBEDTLS_MD_MAX_BLOCK_SIZE: u32 = 128; +pub const MBEDTLS_ENTROPY_BLOCK_SIZE: u32 = 64; +pub const MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: i32 = -60; +pub const MBEDTLS_ERR_ENTROPY_MAX_SOURCES: i32 = -62; +pub const MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: i32 = -64; +pub const MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: i32 = -61; +pub const MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR: i32 = -63; +pub const MBEDTLS_ENTROPY_MAX_SOURCES: u32 = 20; +pub const MBEDTLS_ENTROPY_MAX_GATHER: u32 = 128; +pub const MBEDTLS_ENTROPY_MAX_SEED_SIZE: u32 = 1024; +pub const MBEDTLS_ENTROPY_SOURCE_MANUAL: u32 = 20; +pub const MBEDTLS_ENTROPY_SOURCE_STRONG: u32 = 1; +pub const MBEDTLS_ENTROPY_SOURCE_WEAK: u32 = 0; pub const MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED: i32 = -52; pub const MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG: i32 = -54; pub const MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG: i32 = -56; @@ -367,12 +464,6 @@ pub const MBEDTLS_ECP_MAX_PT_LEN: u32 = 133; pub const MBEDTLS_ECP_PF_UNCOMPRESSED: u32 = 0; pub const MBEDTLS_ECP_PF_COMPRESSED: u32 = 1; pub const MBEDTLS_ECP_TLS_NAMED_CURVE: u32 = 3; -pub const MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: i32 = -20608; -pub const MBEDTLS_ERR_MD_BAD_INPUT_DATA: i32 = -20736; -pub const MBEDTLS_ERR_MD_ALLOC_FAILED: i32 = -20864; -pub const MBEDTLS_ERR_MD_FILE_IO_ERROR: i32 = -20992; -pub const MBEDTLS_MD_MAX_SIZE: u32 = 64; -pub const MBEDTLS_MD_MAX_BLOCK_SIZE: u32 = 128; pub const MBEDTLS_ERR_RSA_BAD_INPUT_DATA: i32 = -16512; pub const MBEDTLS_ERR_RSA_INVALID_PADDING: i32 = -16640; pub const MBEDTLS_ERR_RSA_KEY_GEN_FAILED: i32 = -16768; @@ -387,6 +478,55 @@ pub const MBEDTLS_RSA_PKCS_V21: u32 = 1; pub const MBEDTLS_RSA_SIGN: u32 = 1; pub const MBEDTLS_RSA_CRYPT: u32 = 2; pub const MBEDTLS_RSA_SALT_LEN_ANY: i32 = -1; +pub const MBEDTLS_RSA_GEN_KEY_MIN_BITS: u32 = 1024; +pub const PSA_CRYPTO_API_VERSION_MAJOR: u32 = 1; +pub const PSA_CRYPTO_API_VERSION_MINOR: u32 = 0; +pub const PSA_MAC_TRUNCATION_OFFSET: u32 = 16; +pub const PSA_AEAD_TAG_LENGTH_OFFSET: u32 = 16; +pub const PSA_HMAC_MAX_HASH_BLOCK_SIZE: u32 = 128; +pub const PSA_HASH_MAX_SIZE: u32 = 64; +pub const PSA_MAC_MAX_SIZE: u32 = 64; +pub const PSA_AEAD_TAG_MAX_SIZE: u32 = 16; +pub const PSA_VENDOR_RSA_MAX_KEY_BITS: u32 = 4096; +pub const PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS: u32 = 1024; +pub const PSA_VENDOR_FFDH_MAX_KEY_BITS: u32 = 8192; +pub const PSA_VENDOR_ECC_MAX_CURVE_BITS: u32 = 521; +pub const PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE: u32 = 128; +pub const PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE: u32 = 65; +pub const PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE: u32 = 32; +pub const PSA_VENDOR_PBKDF2_MAX_ITERATIONS: u32 = 4294967295; +pub const PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE: u32 = 16; +pub const PSA_AEAD_NONCE_MAX_SIZE: u32 = 13; +pub const PSA_AEAD_FINISH_OUTPUT_MAX_SIZE: u32 = 16; +pub const PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE: u32 = 16; +pub const PSA_SIGNATURE_MAX_SIZE: u32 = 1; +pub const PSA_EXPORT_KEY_PAIR_MAX_SIZE: u32 = 1; +pub const PSA_EXPORT_PUBLIC_KEY_MAX_SIZE: u32 = 1; +pub const PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE: u32 = 1; +pub const PSA_CIPHER_MAX_KEY_LENGTH: u32 = 32; +pub const PSA_CIPHER_IV_MAX_SIZE: u32 = 16; +pub const PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE: u32 = 16; +pub const MBEDTLS_ERR_SHA1_BAD_INPUT_DATA: i32 = -115; +pub const MBEDTLS_ERR_SHA256_BAD_INPUT_DATA: i32 = -116; +pub const MBEDTLS_ERR_SHA512_BAD_INPUT_DATA: i32 = -117; +pub const MBEDTLS_ERR_SHA3_BAD_INPUT_DATA: i32 = -118; +pub const MBEDTLS_PSA_BUILTIN_CIPHER: u32 = 1; +pub const MBEDTLS_GCM_ENCRYPT: u32 = 1; +pub const MBEDTLS_GCM_DECRYPT: u32 = 0; +pub const MBEDTLS_ERR_GCM_AUTH_FAILED: i32 = -18; +pub const MBEDTLS_ERR_GCM_BAD_INPUT: i32 = -20; +pub const MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: i32 = -22; +pub const MBEDTLS_GCM_HTABLE_SIZE: u32 = 16; +pub const MBEDTLS_PSA_BUILTIN_AEAD: u32 = 1; +pub const MBEDTLS_PSA_JPAKE_BUFFER_SIZE: u32 = 336; +pub const PSA_MAX_KEY_BITS: u32 = 65528; +pub const PSA_CRYPTO_ITS_RANDOM_SEED_UID: u32 = 4294967122; +pub const MBEDTLS_PSA_KEY_SLOT_COUNT: u32 = 32; +pub const PSA_PAKE_OPERATION_STAGE_SETUP: u32 = 0; +pub const PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS: u32 = 1; +pub const PSA_PAKE_OPERATION_STAGE_COMPUTATION: u32 = 2; +pub const PSA_PAKE_OUTPUT_MAX_SIZE: u32 = 65; +pub const PSA_PAKE_INPUT_MAX_SIZE: u32 = 65; pub const MBEDTLS_ERR_PK_ALLOC_FAILED: i32 = -16256; pub const MBEDTLS_ERR_PK_TYPE_MISMATCH: i32 = -16128; pub const MBEDTLS_ERR_PK_BAD_INPUT_DATA: i32 = -16000; @@ -597,45 +737,6 @@ pub const MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256: u32 = 4869; pub const MBEDTLS_CIPHERSUITE_WEAK: u32 = 1; pub const MBEDTLS_CIPHERSUITE_SHORT_TAG: u32 = 2; pub const MBEDTLS_CIPHERSUITE_NODTLS: u32 = 4; -pub const PSA_CRYPTO_API_VERSION_MAJOR: u32 = 1; -pub const PSA_CRYPTO_API_VERSION_MINOR: u32 = 0; -pub const PSA_MAC_TRUNCATION_OFFSET: u32 = 16; -pub const PSA_AEAD_TAG_LENGTH_OFFSET: u32 = 16; -pub const PSA_HASH_MAX_SIZE: u32 = 64; -pub const PSA_HMAC_MAX_HASH_BLOCK_SIZE: u32 = 128; -pub const PSA_MAC_MAX_SIZE: u32 = 64; -pub const PSA_AEAD_TAG_MAX_SIZE: u32 = 16; -pub const PSA_VENDOR_RSA_MAX_KEY_BITS: u32 = 4096; -pub const PSA_VENDOR_ECC_MAX_CURVE_BITS: u32 = 521; -pub const PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE: u32 = 128; -pub const PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE: u32 = 65; -pub const PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE: u32 = 32; -pub const PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE: u32 = 16; -pub const PSA_AEAD_NONCE_MAX_SIZE: u32 = 13; -pub const PSA_AEAD_FINISH_OUTPUT_MAX_SIZE: u32 = 16; -pub const PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE: u32 = 16; -pub const PSA_CIPHER_IV_MAX_SIZE: u32 = 16; -pub const PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE: u32 = 16; -pub const MBEDTLS_GCM_ENCRYPT: u32 = 1; -pub const MBEDTLS_GCM_DECRYPT: u32 = 0; -pub const MBEDTLS_ERR_GCM_AUTH_FAILED: i32 = -18; -pub const MBEDTLS_ERR_GCM_BAD_INPUT: i32 = -20; -pub const MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: i32 = -22; -pub const MBEDTLS_ERR_SHA1_BAD_INPUT_DATA: i32 = -115; -pub const MBEDTLS_ERR_SHA256_BAD_INPUT_DATA: i32 = -116; -pub const MBEDTLS_ERR_SHA512_BAD_INPUT_DATA: i32 = -117; -pub const MBEDTLS_PSA_BUILTIN_CIPHER: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_AEAD: u32 = 1; -pub const MBEDTLS_PSA_JPAKE_BUFFER_SIZE: u32 = 336; -pub const PSA_MAX_KEY_BITS: u32 = 65528; -pub const MBEDTLS_PSA_KA_MASK_DUAL_USE: u32 = 0; -pub const PSA_CRYPTO_ITS_RANDOM_SEED_UID: u32 = 4294967122; -pub const MBEDTLS_PSA_KEY_SLOT_COUNT: u32 = 32; -pub const PSA_PAKE_OPERATION_STAGE_SETUP: u32 = 0; -pub const PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS: u32 = 1; -pub const PSA_PAKE_OPERATION_STAGE_COMPUTATION: u32 = 2; -pub const PSA_PAKE_OUTPUT_MAX_SIZE: u32 = 65; -pub const PSA_PAKE_INPUT_MAX_SIZE: u32 = 65; pub const MBEDTLS_X509_MAX_INTERMEDIATE_CA: u32 = 8; pub const MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE: i32 = -8320; pub const MBEDTLS_ERR_X509_UNKNOWN_OID: i32 = -8448; @@ -743,7 +844,9 @@ pub const MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY: i32 = -30848; pub const MBEDTLS_ERR_SSL_BAD_CERTIFICATE: i32 = -31232; pub const MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET: i32 = -31488; pub const MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA: i32 = -31616; -pub const MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA: i32 = -31744; +pub const MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA: i32 = -31744; +pub const MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA: i32 = -31872; +pub const MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND: i32 = -32384; pub const MBEDTLS_ERR_SSL_ALLOC_FAILED: i32 = -32512; pub const MBEDTLS_ERR_SSL_HW_ACCEL_FAILED: i32 = -32640; pub const MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: i32 = -28544; @@ -770,6 +873,7 @@ pub const MBEDTLS_ERR_SSL_EARLY_MESSAGE: i32 = -25728; pub const MBEDTLS_ERR_SSL_UNEXPECTED_CID: i32 = -24576; pub const MBEDTLS_ERR_SSL_VERSION_MISMATCH: i32 = -24320; pub const MBEDTLS_ERR_SSL_BAD_CONFIG: i32 = -24192; +pub const MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME: i32 = -23936; pub const MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE: u32 = 0; pub const MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE: u32 = 1; pub const MBEDTLS_SSL_IANA_TLS_GROUP_NONE: u32 = 0; @@ -841,6 +945,8 @@ pub const MBEDTLS_SSL_TRUNC_HMAC_ENABLED: u32 = 1; pub const MBEDTLS_SSL_TRUNCATED_HMAC_LEN: u32 = 10; pub const MBEDTLS_SSL_SESSION_TICKETS_DISABLED: u32 = 0; pub const MBEDTLS_SSL_SESSION_TICKETS_ENABLED: u32 = 1; +pub const MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED: u32 = 0; +pub const MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED: u32 = 1; pub const MBEDTLS_SSL_PRESET_DEFAULT: u32 = 0; pub const MBEDTLS_SSL_PRESET_SUITEB: u32 = 2; pub const MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED: u32 = 1; @@ -854,6 +960,9 @@ pub const MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER: u32 = 0; pub const MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN: u32 = 48; pub const MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN: u32 = 1000; pub const MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX: u32 = 60000; +pub const MBEDTLS_SSL_EARLY_DATA_NO_DISCARD: u32 = 0; +pub const MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD: u32 = 1; +pub const MBEDTLS_SSL_EARLY_DATA_DISCARD: u32 = 2; pub const MBEDTLS_SSL_IN_CONTENT_LEN: u32 = 16384; pub const MBEDTLS_SSL_OUT_CONTENT_LEN: u32 = 16384; pub const MBEDTLS_SSL_DTLS_MAX_BUFFERING: u32 = 32768; @@ -988,18 +1097,6 @@ pub const MBEDTLS_SSL_UNEXPECTED_CID_IGNORE: u32 = 0; pub const MBEDTLS_SSL_UNEXPECTED_CID_FAIL: u32 = 1; pub const MBEDTLS_PRINTF_SIZET: &[u8; 3] = b"zu\0"; pub const MBEDTLS_PRINTF_LONGLONG: &[u8; 4] = b"lld\0"; -pub const MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: i32 = -60; -pub const MBEDTLS_ERR_ENTROPY_MAX_SOURCES: i32 = -62; -pub const MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: i32 = -64; -pub const MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: i32 = -61; -pub const MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR: i32 = -63; -pub const MBEDTLS_ENTROPY_MAX_SOURCES: u32 = 20; -pub const MBEDTLS_ENTROPY_MAX_GATHER: u32 = 128; -pub const MBEDTLS_ENTROPY_BLOCK_SIZE: u32 = 64; -pub const MBEDTLS_ENTROPY_MAX_SEED_SIZE: u32 = 1024; -pub const MBEDTLS_ENTROPY_SOURCE_MANUAL: u32 = 20; -pub const MBEDTLS_ENTROPY_SOURCE_STRONG: u32 = 1; -pub const MBEDTLS_ENTROPY_SOURCE_WEAK: u32 = 0; pub const MBEDTLS_ERR_HKDF_BAD_INPUT_DATA: i32 = -24448; pub const MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG: i32 = -3; pub const MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG: i32 = -5; @@ -1041,6 +1138,7 @@ pub const MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS: u32 = 4096; pub const MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY: u32 = 8192; pub const MBEDTLS_OID_X509_EXT_FRESHEST_CRL: u32 = 16384; pub const MBEDTLS_OID_X509_EXT_NS_CERT_TYPE: u32 = 65536; +pub const MBEDTLS_OID_MAX_COMPONENTS: u32 = 128; pub const MBEDTLS_OID_ISO_MEMBER_BODIES: &[u8; 2] = b"*\0"; pub const MBEDTLS_OID_ISO_IDENTIFIED_ORG: &[u8; 2] = b"+\0"; pub const MBEDTLS_OID_ISO_CCITT_DS: &[u8; 2] = b"U\0"; @@ -1055,6 +1153,8 @@ pub const MBEDTLS_OID_ORG_OIW: &[u8; 2] = b"\x0E\0"; pub const MBEDTLS_OID_OIW_SECSIG: &[u8; 3] = b"\x0E\x03\0"; pub const MBEDTLS_OID_OIW_SECSIG_ALG: &[u8; 4] = b"\x0E\x03\x02\0"; pub const MBEDTLS_OID_OIW_SECSIG_SHA1: &[u8; 5] = b"\x0E\x03\x02\x1A\0"; +pub const MBEDTLS_OID_ORG_THAWTE: &[u8; 2] = b"e\0"; +pub const MBEDTLS_OID_THAWTE: &[u8; 3] = b"+e\0"; pub const MBEDTLS_OID_ORG_CERTICOM: &[u8; 3] = b"\x81\x04\0"; pub const MBEDTLS_OID_CERTICOM: &[u8; 4] = b"+\x81\x04\0"; pub const MBEDTLS_OID_ORG_TELETRUST: &[u8; 2] = b"$\0"; @@ -1153,14 +1253,26 @@ pub const MBEDTLS_OID_DIGEST_ALG_SHA256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x pub const MBEDTLS_OID_DIGEST_ALG_SHA384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x02\0"; pub const MBEDTLS_OID_DIGEST_ALG_SHA512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x03\0"; pub const MBEDTLS_OID_DIGEST_ALG_RIPEMD160: &[u8; 6] = b"+$\x03\x02\x01\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_224: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x07\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x08\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\t\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\n\0"; pub const MBEDTLS_OID_HMAC_SHA1: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x07\0"; pub const MBEDTLS_OID_HMAC_SHA224: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x08\0"; pub const MBEDTLS_OID_HMAC_SHA256: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\t\0"; pub const MBEDTLS_OID_HMAC_SHA384: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\n\0"; pub const MBEDTLS_OID_HMAC_SHA512: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x0B\0"; +pub const MBEDTLS_OID_HMAC_SHA3_224: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\r\0"; +pub const MBEDTLS_OID_HMAC_SHA3_256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x0E\0"; +pub const MBEDTLS_OID_HMAC_SHA3_384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x0F\0"; +pub const MBEDTLS_OID_HMAC_SHA3_512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x10\0"; +pub const MBEDTLS_OID_HMAC_RIPEMD160: &[u8; 9] = b"+\x06\x01\x05\x05\x08\x01\x04\0"; pub const MBEDTLS_OID_DES_CBC: &[u8; 6] = b"+\x0E\x03\x02\x07\0"; pub const MBEDTLS_OID_DES_EDE3_CBC: &[u8; 9] = b"*\x86H\x86\xF7\r\x03\x07\0"; pub const MBEDTLS_OID_AES: &[u8; 9] = b"`\x86H\x01e\x03\x04\x01\0"; +pub const MBEDTLS_OID_AES_128_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x02\0"; +pub const MBEDTLS_OID_AES_192_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x16\0"; +pub const MBEDTLS_OID_AES_256_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01*\0"; pub const MBEDTLS_OID_AES128_KW: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x05\0"; pub const MBEDTLS_OID_AES128_KWP: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x08\0"; pub const MBEDTLS_OID_AES192_KW: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x19\0"; @@ -1213,6 +1325,10 @@ pub const MBEDTLS_OID_ECDSA_SHA224: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x01\0"; pub const MBEDTLS_OID_ECDSA_SHA256: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x02\0"; pub const MBEDTLS_OID_ECDSA_SHA384: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x03\0"; pub const MBEDTLS_OID_ECDSA_SHA512: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x04\0"; +pub const MBEDTLS_OID_X25519: &[u8; 4] = b"+en\0"; +pub const MBEDTLS_OID_X448: &[u8; 4] = b"+eo\0"; +pub const MBEDTLS_OID_ED25519: &[u8; 4] = b"+ep\0"; +pub const MBEDTLS_OID_ED448: &[u8; 4] = b"+eq\0"; pub const MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT: i32 = -4224; pub const MBEDTLS_ERR_PEM_INVALID_DATA: i32 = -4352; pub const MBEDTLS_ERR_PEM_ALLOC_FAILED: i32 = -4480; @@ -1226,8 +1342,6 @@ pub const MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA: i32 = -12160; pub const MBEDTLS_ERR_PKCS5_INVALID_FORMAT: i32 = -12032; pub const MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE: i32 = -11904; pub const MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH: i32 = -11776; -pub const MBEDTLS_PKCS5_DECRYPT: u32 = 0; -pub const MBEDTLS_PKCS5_ENCRYPT: u32 = 1; pub const MBEDTLS_ERR_PKCS7_INVALID_FORMAT: i32 = -21248; pub const MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE: i32 = -21376; pub const MBEDTLS_ERR_PKCS7_INVALID_VERSION: i32 = -21504; @@ -1248,8 +1362,6 @@ pub const MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH: i32 = -7680; pub const MBEDTLS_PKCS12_DERIVE_KEY: u32 = 1; pub const MBEDTLS_PKCS12_DERIVE_IV: u32 = 2; pub const MBEDTLS_PKCS12_DERIVE_MAC_KEY: u32 = 3; -pub const MBEDTLS_PKCS12_PBE_DECRYPT: u32 = 0; -pub const MBEDTLS_PKCS12_PBE_ENCRYPT: u32 = 1; pub const MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT: u32 = 86400; pub const MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES: u32 = 50; pub const MBEDTLS_SSL_COOKIE_TIMEOUT: u32 = 60; @@ -1373,6 +1485,59 @@ unsafe extern "C" { /// \param len Length of the buffer in bytes pub fn mbedtls_platform_zeroize(buf: *mut ::core::ffi::c_void, len: usize); } +/// \brief The type of custom random generator (RNG) callbacks. +/// +/// Many Mbed TLS functions take two parameters +/// `mbedtls_f_rng_t *f_rng, void *p_rng`. The +/// library will call \c f_rng to generate +/// random values. +/// +/// \note This is typically one of the following: +/// - mbedtls_ctr_drbg_random() with \c p_rng +/// pointing to a #mbedtls_ctr_drbg_context; +/// - mbedtls_hmac_drbg_random() with \c p_rng +/// pointing to a #mbedtls_hmac_drbg_context; +/// - mbedtls_psa_get_random() with +/// `prng = MBEDTLS_PSA_RANDOM_STATE`. +/// +/// \note Generally, given a call +/// `mbedtls_foo(f_rng, p_rng, ....)`, the RNG callback +/// and the context only need to remain valid until +/// the call to `mbedtls_foo` returns. However, there +/// are a few exceptions where the callback is stored +/// in for future use. Check the documentation of +/// the calling function. +/// +/// \warning In a multithreaded environment, calling the +/// function should be thread-safe. The standard +/// functions provided by the library are thread-safe +/// when #MBEDTLS_THREADING_C is enabled. +/// +/// \warning This function must either provide as many +/// bytes as requested of **cryptographic quality** +/// random data, or return a negative error code. +/// +/// \param p_rng The \c p_rng argument that was passed along \c f_rng. +/// The library always passes \c p_rng unchanged. +/// This is typically a pointer to the random generator +/// state, or \c NULL if the custom random generator +/// doesn't need a context-specific state. +/// \param[out] output On success, this must be filled with \p output_size +/// bytes of cryptographic-quality random data. +/// \param output_size The number of bytes to output. +/// +/// \return \c 0 on success, or a negative error code on failure. +/// Library functions will generally propagate this +/// error code, so \c MBEDTLS_ERR_xxx values are +/// recommended. #MBEDTLS_ERR_ENTROPY_SOURCE_FAILED is +/// typically sensible for RNG failures. +pub type mbedtls_f_rng_t = ::core::option::Option< + unsafe extern "C" fn( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + ) -> ::core::ffi::c_int, +>; /// \brief The AES context-type definition. #[repr(C)] #[derive(Copy, Clone)] @@ -1931,6 +2096,10 @@ pub type mbedtls_t_udbl = u64; #[repr(C)] #[derive(Copy, Clone)] pub struct mbedtls_mpi { + /// Pointer to limbs. + /// + /// This may be \c NULL if \c n is 0. + pub private_p: *mut mbedtls_mpi_uint, /// Sign: -1 if the mpi is negative, 1 otherwise. /// /// The number 0 must be represented with `s = +1`. Although many library @@ -1941,13 +2110,9 @@ pub struct mbedtls_mpi { /// /// Note that this implies that calloc() or `... = {0}` does not create /// a valid MPI representation. You must call mbedtls_mpi_init(). - pub private_s: ::core::ffi::c_int, + pub private_s: ::core::ffi::c_short, /// Total number of limbs in \c p. - pub private_n: usize, - /// Pointer to limbs. - /// - /// This may be \c NULL if \c n is 0. - pub private_p: *mut mbedtls_mpi_uint, + pub private_n: ::core::ffi::c_ushort, } impl Default for mbedtls_mpi { fn default() -> Self { @@ -2222,7 +2387,7 @@ unsafe extern "C" { /// \param X The destination MPI. This must point to an initialized MPI. /// \param buf The input buffer. This must be a readable buffer of length /// \p buflen Bytes. - /// \param buflen The length of the input buffer \p p in Bytes. + /// \param buflen The length of the input buffer \p buf in Bytes. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. @@ -2239,7 +2404,7 @@ unsafe extern "C" { /// \param X The destination MPI. This must point to an initialized MPI. /// \param buf The input buffer. This must be a readable buffer of length /// \p buflen Bytes. - /// \param buflen The length of the input buffer \p p in Bytes. + /// \param buflen The length of the input buffer \p buf in Bytes. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. @@ -2294,6 +2459,8 @@ unsafe extern "C" { /// \brief Perform a left-shift on an MPI: X <<= count /// /// \param X The MPI to shift. This must point to an initialized MPI. + /// The MPI pointed by \p X may be resized to fit + /// the resulting number. /// \param count The number of bits to shift by. /// /// \return \c 0 if successful. @@ -2586,7 +2753,7 @@ unsafe extern "C" { ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Perform a sliding-window exponentiation: X = A^E mod N + /// \brief Perform a modular exponentiation: X = A^E mod N /// /// \param X The destination MPI. This must point to an initialized MPI. /// This must not alias E or N. @@ -2637,13 +2804,7 @@ unsafe extern "C" { pub fn mbedtls_mpi_fill_random( X: *mut mbedtls_mpi, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2683,13 +2844,7 @@ unsafe extern "C" { X: *mut mbedtls_mpi, min: mbedtls_mpi_sint, N: *const mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2697,6 +2852,7 @@ unsafe extern "C" { /// \brief Compute the greatest common divisor: G = gcd(A, B) /// /// \param G The destination MPI. This must point to an initialized MPI. + /// This will always be positive or 0. /// \param A The first operand. This must point to an initialized MPI. /// \param B The second operand. This must point to an initialized MPI. /// @@ -2713,17 +2869,19 @@ unsafe extern "C" { /// \brief Compute the modular inverse: X = A^-1 mod N /// /// \param X The destination MPI. This must point to an initialized MPI. + /// The value returned on success will be between [1, N-1]. /// \param A The MPI to calculate the modular inverse of. This must point - /// to an initialized MPI. + /// to an initialized MPI. This value can be negative, in which + /// case a positive answer will still be returned in \p X. /// \param N The base of the modular inversion. This must point to an - /// initialized MPI. + /// initialized MPI and be greater than one. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. /// \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than /// or equal to one. - /// \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p has no modular inverse - /// with respect to \p N. + /// \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p A has no modular + /// inverse with respect to \p N. pub fn mbedtls_mpi_inv_mod( X: *mut mbedtls_mpi, A: *const mbedtls_mpi, @@ -2746,7 +2904,7 @@ unsafe extern "C" { /// This must point to an initialized MPI. /// \param rounds The number of bases to perform the Miller-Rabin primality /// test for. The probability of returning 0 on a composite is - /// at most 2-2*\p rounds. + /// at most 2-2*\p rounds . /// \param f_rng The RNG function to use. This must not be \c NULL. /// \param p_rng The RNG parameter to be passed to \p f_rng. /// This may be \c NULL if \p f_rng doesn't use @@ -2759,13 +2917,7 @@ unsafe extern "C" { pub fn mbedtls_mpi_is_prime_ext( X: *const mbedtls_mpi, rounds: ::core::ffi::c_int, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2802,13 +2954,7 @@ unsafe extern "C" { X: *mut mbedtls_mpi, nbits: usize, flags: ::core::ffi::c_int, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -3185,7 +3331,7 @@ unsafe extern "C" { /// on a successful invocation. /// \param end The end of the ASN.1 SEQUENCE container. /// \param tag_must_mask A mask to be applied to the ASN.1 tags found within - /// the SEQUENCE before comparing to \p tag_must_value. + /// the SEQUENCE before comparing to \p tag_must_val. /// \param tag_must_val The required value of each ASN.1 tag found in the /// SEQUENCE, after masking with \p tag_must_mask. /// Mismatching tags lead to an error. @@ -3194,7 +3340,7 @@ unsafe extern "C" { /// while a value of \c 0xFF for \p tag_must_mask means /// that \p tag_must_val is the only allowed tag. /// \param tag_may_mask A mask to be applied to the ASN.1 tags found within - /// the SEQUENCE before comparing to \p tag_may_value. + /// the SEQUENCE before comparing to \p tag_may_val. /// \param tag_may_val The desired value of each ASN.1 tag found in the /// SEQUENCE, after masking with \p tag_may_mask. /// Mismatching tags will be silently ignored. @@ -3487,6 +3633,30 @@ unsafe extern "C" { par_len: usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Write an AlgorithmIdentifier sequence in ASN.1 format. + /// + /// \note This function works backwards in data buffer. + /// + /// \param p The reference to the current position pointer. + /// \param start The start of the buffer, for bounds-checking. + /// \param oid The OID of the algorithm to write. + /// \param oid_len The length of the algorithm's OID. + /// \param par_len The length of the parameters, which must be already written. + /// \param has_par If there are any parameters. If 0, par_len must be 0. If 1 + /// and \p par_len is 0, NULL parameters are added. + /// + /// \return The number of bytes written to \p p on success. + /// \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_asn1_write_algorithm_identifier_ext( + p: *mut *mut ::core::ffi::c_uchar, + start: *const ::core::ffi::c_uchar, + oid: *const ::core::ffi::c_char, + oid_len: usize, + par_len: usize, + has_par: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value /// in ASN.1 format. @@ -3989,32 +4159,17 @@ pub struct mbedtls_cipher_base_t { /// mbedtls_cipher_info_from_type(), /// mbedtls_cipher_info_from_values(), /// mbedtls_cipher_info_from_psa(). +/// +/// \note Some fields store a value that has been right-shifted to save +/// code-size, so should not be used directly. The accessor +/// functions adjust for this and return the "natural" value. #[repr(C)] #[derive(Copy, Clone)] pub struct mbedtls_cipher_info_t { - /// Full cipher identifier. For example, - /// MBEDTLS_CIPHER_AES_256_CBC. - pub private_type: mbedtls_cipher_type_t, - /// The cipher mode. For example, MBEDTLS_MODE_CBC. - pub private_mode: mbedtls_cipher_mode_t, - /// The cipher key length, in bits. This is the - /// default length for variable sized ciphers. - /// Includes parity bits for ciphers like DES. - pub private_key_bitlen: ::core::ffi::c_uint, /// Name of the cipher. pub private_name: *const ::core::ffi::c_char, - /// IV or nonce size, in Bytes. - /// For ciphers that accept variable IV sizes, - /// this is the recommended size. - pub private_iv_size: ::core::ffi::c_uint, - /// Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and - /// MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the - /// cipher supports variable IV or variable key sizes, respectively. - pub private_flags: ::core::ffi::c_int, - /// The block size, in Bytes. - pub private_block_size: ::core::ffi::c_uint, - /// Struct for base cipher information and functions. - pub private_base: *const mbedtls_cipher_base_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 4usize]>, } impl Default for mbedtls_cipher_info_t { fn default() -> Self { @@ -4025,46 +4180,321 @@ impl Default for mbedtls_cipher_info_t { } } } -/// Generic cipher context. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_cipher_context_t { - /// Information about the associated cipher. - pub private_cipher_info: *const mbedtls_cipher_info_t, - /// Key length to use. - pub private_key_bitlen: ::core::ffi::c_int, - /// Operation that the key of the context has been - /// initialized for. - pub private_operation: mbedtls_operation_t, - /// Padding functions to use, if relevant for - /// the specific cipher mode. - pub private_add_padding: ::core::option::Option< - unsafe extern "C" fn(output: *mut ::core::ffi::c_uchar, olen: usize, data_len: usize), - >, - pub private_get_padding: ::core::option::Option< - unsafe extern "C" fn( - input: *mut ::core::ffi::c_uchar, - ilen: usize, - data_len: *mut usize, - ) -> ::core::ffi::c_int, - >, - /// Buffer for input that has not been processed yet. - pub private_unprocessed_data: [::core::ffi::c_uchar; 16usize], - /// Number of Bytes that have not been processed yet. - pub private_unprocessed_len: usize, - /// Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number - /// for XTS-mode. - pub private_iv: [::core::ffi::c_uchar; 16usize], - /// IV size in Bytes, for ciphers with variable-length IVs. - pub private_iv_size: usize, - /// The cipher-specific context. - pub private_cipher_ctx: *mut ::core::ffi::c_void, - /// CMAC-specific context. - pub private_cmac_ctx: *mut mbedtls_cmac_context_t, -} -impl Default for mbedtls_cipher_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); +impl mbedtls_cipher_info_t { + #[inline] + pub fn private_block_size(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 5u8) as u32) } + } + #[inline] + pub fn set_private_block_size(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 5u8, val as u64) + } + } + #[inline] + pub unsafe fn private_block_size_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 5u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_block_size_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 5u8, + val as u64, + ) + } + } + #[inline] + pub fn private_iv_size(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(5usize, 3u8) as u32) } + } + #[inline] + pub fn set_private_iv_size(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(5usize, 3u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_size_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 5usize, + 3u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_size_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 5usize, + 3u8, + val as u64, + ) + } + } + #[inline] + pub fn private_key_bitlen(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(8usize, 4u8) as u32) } + } + #[inline] + pub fn set_private_key_bitlen(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(8usize, 4u8, val as u64) + } + } + #[inline] + pub unsafe fn private_key_bitlen_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 8usize, + 4u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_key_bitlen_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 8usize, + 4u8, + val as u64, + ) + } + } + #[inline] + pub fn private_mode(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(12usize, 4u8) as u32) } + } + #[inline] + pub fn set_private_mode(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(12usize, 4u8, val as u64) + } + } + #[inline] + pub unsafe fn private_mode_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 12usize, + 4u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_mode_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 12usize, + 4u8, + val as u64, + ) + } + } + #[inline] + pub fn private_type(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(16usize, 8u8) as u32) } + } + #[inline] + pub fn set_private_type(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(16usize, 8u8, val as u64) + } + } + #[inline] + pub unsafe fn private_type_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 16usize, + 8u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_type_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 16usize, + 8u8, + val as u64, + ) + } + } + #[inline] + pub fn private_flags(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(24usize, 2u8) as u32) } + } + #[inline] + pub fn set_private_flags(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(24usize, 2u8, val as u64) + } + } + #[inline] + pub unsafe fn private_flags_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 24usize, + 2u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_flags_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 24usize, + 2u8, + val as u64, + ) + } + } + #[inline] + pub fn private_base_idx(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(26usize, 5u8) as u32) } + } + #[inline] + pub fn set_private_base_idx(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(26usize, 5u8, val as u64) + } + } + #[inline] + pub unsafe fn private_base_idx_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 26usize, + 5u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_base_idx_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 26usize, + 5u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_block_size: ::core::ffi::c_uint, + private_iv_size: ::core::ffi::c_uint, + private_key_bitlen: ::core::ffi::c_uint, + private_mode: ::core::ffi::c_uint, + private_type: ::core::ffi::c_uint, + private_flags: ::core::ffi::c_uint, + private_base_idx: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 4usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 4usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 5u8, { + let private_block_size: u32 = unsafe { ::core::mem::transmute(private_block_size) }; + private_block_size as u64 + }); + __bindgen_bitfield_unit.set(5usize, 3u8, { + let private_iv_size: u32 = unsafe { ::core::mem::transmute(private_iv_size) }; + private_iv_size as u64 + }); + __bindgen_bitfield_unit.set(8usize, 4u8, { + let private_key_bitlen: u32 = unsafe { ::core::mem::transmute(private_key_bitlen) }; + private_key_bitlen as u64 + }); + __bindgen_bitfield_unit.set(12usize, 4u8, { + let private_mode: u32 = unsafe { ::core::mem::transmute(private_mode) }; + private_mode as u64 + }); + __bindgen_bitfield_unit.set(16usize, 8u8, { + let private_type: u32 = unsafe { ::core::mem::transmute(private_type) }; + private_type as u64 + }); + __bindgen_bitfield_unit.set(24usize, 2u8, { + let private_flags: u32 = unsafe { ::core::mem::transmute(private_flags) }; + private_flags as u64 + }); + __bindgen_bitfield_unit.set(26usize, 5u8, { + let private_base_idx: u32 = unsafe { ::core::mem::transmute(private_base_idx) }; + private_base_idx as u64 + }); + __bindgen_bitfield_unit + } +} +/// Generic cipher context. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_cipher_context_t { + /// Information about the associated cipher. + pub private_cipher_info: *const mbedtls_cipher_info_t, + /// Key length to use. + pub private_key_bitlen: ::core::ffi::c_int, + /// Operation that the key of the context has been + /// initialized for. + pub private_operation: mbedtls_operation_t, + /// Padding functions to use, if relevant for + /// the specific cipher mode. + pub private_add_padding: ::core::option::Option< + unsafe extern "C" fn(output: *mut ::core::ffi::c_uchar, olen: usize, data_len: usize), + >, + pub private_get_padding: ::core::option::Option< + unsafe extern "C" fn( + input: *mut ::core::ffi::c_uchar, + ilen: usize, + data_len: *mut usize, + invalid_padding: *mut usize, + ) -> ::core::ffi::c_int, + >, + /// Buffer for input that has not been processed yet. + pub private_unprocessed_data: [::core::ffi::c_uchar; 16usize], + /// Number of Bytes that have not been processed yet. + pub private_unprocessed_len: usize, + /// Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number + /// for XTS-mode. + pub private_iv: [::core::ffi::c_uchar; 16usize], + /// IV size in Bytes, for ciphers with variable-length IVs. + pub private_iv_size: usize, + /// The cipher-specific context. + pub private_cipher_ctx: *mut ::core::ffi::c_void, + /// CMAC-specific context. + pub private_cmac_ctx: *mut mbedtls_cmac_context_t, +} +impl Default for mbedtls_cipher_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); s.assume_init() @@ -4132,7 +4562,7 @@ unsafe extern "C" { ) -> *const mbedtls_cipher_info_t; } unsafe extern "C" { - /// \brief This function initializes a \p cipher_context as NONE. + /// \brief This function initializes a \p ctx as NONE. /// /// \param ctx The context to be initialized. This must not be \c NULL. pub fn mbedtls_cipher_init(ctx: *mut mbedtls_cipher_context_t); @@ -4203,7 +4633,6 @@ unsafe extern "C" { /// \brief This function sets the padding mode, for cipher modes /// that use padding. /// - /// The default passing mode is PKCS7 padding. /// /// \param ctx The generic cipher context. This must be initialized and /// bound to a cipher information structure. @@ -4253,23 +4682,24 @@ unsafe extern "C" { /// /// \note With non-AEAD ciphers, the order of calls for each message /// is as follows: - /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce. - /// 2. mbedtls_cipher_reset() - /// 3. mbedtls_cipher_update() one or more times - /// 4. mbedtls_cipher_finish() + /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce; + /// 2. mbedtls_cipher_reset(); + /// 3. mbedtls_cipher_update() zero, one or more times; + /// 4. mbedtls_cipher_finish_padded() (recommended for decryption + /// if the mode uses padding) or mbedtls_cipher_finish(). /// . /// This sequence can be repeated to encrypt or decrypt multiple /// messages with the same key. /// /// \note With AEAD ciphers, the order of calls for each message /// is as follows: - /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce. - /// 2. mbedtls_cipher_reset() - /// 3. mbedtls_cipher_update_ad() - /// 4. mbedtls_cipher_update() one or more times - /// 5. mbedtls_cipher_finish() + /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce; + /// 2. mbedtls_cipher_reset(); + /// 3. mbedtls_cipher_update_ad(); + /// 4. mbedtls_cipher_update() zero, one or more times; + /// 5. mbedtls_cipher_finish() (or mbedtls_cipher_finish_padded()); /// 6. mbedtls_cipher_check_tag() (for decryption) or - /// mbedtls_cipher_write_tag() (for encryption). + /// mbedtls_cipher_write_tag() (for encryption). /// . /// This sequence can be repeated to encrypt or decrypt multiple /// messages with the same key. @@ -4304,7 +4734,8 @@ unsafe extern "C" { /// many block-sized blocks of data as possible to output. /// Any data that cannot be written immediately is either /// added to the next block, or flushed when - /// mbedtls_cipher_finish() is called. + /// mbedtls_cipher_finish() or mbedtls_cipher_finish_padded() + /// is called. /// Exception: For MBEDTLS_MODE_ECB, expects a single block /// in size. For example, 16 Bytes for AES. /// @@ -4340,12 +4771,30 @@ unsafe extern "C" { /// contained in it is padded to the size of /// the last block, and written to the \p output buffer. /// + /// \warning This function reports invalid padding through an error + /// code. Adversaries may be able to decrypt encrypted + /// data if they can submit chosen ciphertexts and + /// detect whether it has valid padding or not, + /// either through direct observation or through a side + /// channel such as timing. This is known as a + /// padding oracle attack. + /// Therefore applications that call this function for + /// decryption with a cipher that involves padding + /// should take care around error handling. Preferably, + /// such applications should use + /// mbedtls_cipher_finish_padded() instead of this function. + /// /// \param ctx The generic cipher context. This must be initialized and /// bound to a key. /// \param output The buffer to write data to. This needs to be a writable - /// buffer of at least \p block_size Bytes. + /// buffer of at least block_size Bytes. /// \param olen The length of the data written to the \p output buffer. /// This may not be \c NULL. + /// Note that when decrypting in a mode with padding, + /// the actual output length is sensitive and may be + /// used to mount a padding oracle attack (see warning + /// above), although less efficiently than through + /// the invalid-padding condition. /// /// \return \c 0 on success. /// \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on @@ -4353,7 +4802,8 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption /// expecting a full block but not receiving one. /// \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding - /// while decrypting. + /// while decrypting. Note that invalid-padding errors + /// should be handled carefully; see the warning above. /// \return A cipher-specific error code on failure. pub fn mbedtls_cipher_finish( ctx: *mut mbedtls_cipher_context_t, @@ -4361,10 +4811,60 @@ unsafe extern "C" { olen: *mut usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief The generic cipher finalization function. If data still + /// needs to be flushed from an incomplete block, the data + /// contained in it is padded to the size of + /// the last block, and written to the \p output buffer. + /// + /// \note This function is similar to mbedtls_cipher_finish(). + /// The only difference is that it reports invalid padding + /// decryption differently, through the \p invalid_padding + /// parameter rather than an error code. + /// For encryption, and in modes without padding (including + /// all authenticated modes), this function is identical + /// to mbedtls_cipher_finish(). + /// + /// \param[in,out] ctx The generic cipher context. This must be initialized and + /// bound to a key. + /// \param[out] output The buffer to write data to. This needs to be a writable + /// buffer of at least block_size Bytes. + /// \param[out] olen The length of the data written to the \p output buffer. + /// This may not be \c NULL. + /// Note that when decrypting in a mode with padding, + /// the actual output length is sensitive and may be + /// used to mount a padding oracle attack (see warning + /// on mbedtls_cipher_finish()). + /// \param[out] invalid_padding + /// If this function returns \c 0 on decryption, + /// \p *invalid_padding is \c 0 if the ciphertext was + /// valid, and all-bits-one if the ciphertext had invalid + /// padding. + /// On encryption, or in a mode without padding (including + /// all authenticated modes), \p *invalid_padding is \c 0 + /// on success. + /// The value in \p *invalid_padding is unspecified if + /// this function returns a nonzero status. + /// + /// \return \c 0 on success. + /// Also \c 0 for decryption with invalid padding. + /// \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on + /// parameter-verification failure. + /// \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption + /// expecting a full block but not receiving one. + /// \return A cipher-specific error code on failure. + pub fn mbedtls_cipher_finish_padded( + ctx: *mut mbedtls_cipher_context_t, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + invalid_padding: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief This function writes a tag for AEAD ciphers. /// Currently supported with GCM and ChaCha20+Poly1305. - /// This must be called after mbedtls_cipher_finish(). + /// This must be called after mbedtls_cipher_finish() + /// or mbedtls_cipher_finish_padded(). /// /// \param ctx The generic cipher context. This must be initialized, /// bound to a key, and have just completed a cipher @@ -4385,7 +4885,8 @@ unsafe extern "C" { unsafe extern "C" { /// \brief This function checks the tag for AEAD ciphers. /// Currently supported with GCM and ChaCha20+Poly1305. - /// This must be called after mbedtls_cipher_finish(). + /// This must be called after mbedtls_cipher_finish() + /// or mbedtls_cipher_finish_padded(). /// /// \param ctx The generic cipher context. This must be initialized. /// \param tag The buffer holding the tag. This must be a readable @@ -4570,8 +5071,6 @@ pub struct mbedtls_ccm_context { pub private_y: [::core::ffi::c_uchar; 16usize], ///< The counter buffer pub private_ctr: [::core::ffi::c_uchar; 16usize], - ///< The cipher context used. - pub private_cipher_ctx: mbedtls_cipher_context_t, ///< Total plaintext length pub private_plaintext_len: usize, ///< Total authentication data length @@ -4586,16 +5085,17 @@ pub struct mbedtls_ccm_context { ///auth data input is finished. pub private_processed: usize, ///< The Q working value - pub private_q: ::core::ffi::c_uchar, + pub private_q: ::core::ffi::c_uint, ///< The operation to perform: ///#MBEDTLS_CCM_ENCRYPT or ///#MBEDTLS_CCM_DECRYPT or ///#MBEDTLS_CCM_STAR_ENCRYPT or ///#MBEDTLS_CCM_STAR_DECRYPT. - pub private_mode: ::core::ffi::c_uchar, + pub private_mode: ::core::ffi::c_uint, + ///< The cipher context used. + pub private_cipher_ctx: mbedtls_cipher_context_t, ///< Working value holding context's - ///state. Used for chunked data - ///input + ///state. Used for chunked data input pub private_state: ::core::ffi::c_int, } impl Default for mbedtls_ccm_context { @@ -5838,47 +6338,59 @@ unsafe extern "C" { /// \return \c 1 on failure. pub fn mbedtls_cmac_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -/// \brief The CTR_DRBG context structure. +///< None. +pub const mbedtls_md_type_t_MBEDTLS_MD_NONE: mbedtls_md_type_t = 0; +///< The MD5 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_MD5: mbedtls_md_type_t = 3; +///< The RIPEMD-160 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_RIPEMD160: mbedtls_md_type_t = 4; +///< The SHA-1 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA1: mbedtls_md_type_t = 5; +///< The SHA-224 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA224: mbedtls_md_type_t = 8; +///< The SHA-256 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA256: mbedtls_md_type_t = 9; +///< The SHA-384 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA384: mbedtls_md_type_t = 10; +///< The SHA-512 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA512: mbedtls_md_type_t = 11; +///< The SHA3-224 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_224: mbedtls_md_type_t = 16; +///< The SHA3-256 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_256: mbedtls_md_type_t = 17; +///< The SHA3-384 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_384: mbedtls_md_type_t = 18; +///< The SHA3-512 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_512: mbedtls_md_type_t = 19; +/// \brief Supported message digests. +/// +/// \warning MD5 and SHA-1 are considered weak message digests and +/// their use constitutes a security risk. We recommend considering +/// stronger message digests instead. +pub type mbedtls_md_type_t = ::core::ffi::c_uint; #[repr(C)] #[derive(Copy, Clone)] -pub struct mbedtls_ctr_drbg_context { - ///< The counter (V). - pub private_counter: [::core::ffi::c_uchar; 16usize], - ///< The reseed counter. - /// This is the number of requests that have - /// been made since the last (re)seeding, - /// minus one. - /// Before the initial seeding, this field - /// contains the amount of entropy in bytes - /// to use as a nonce for the initial seeding, - /// or -1 if no nonce length has been explicitly - /// set (see mbedtls_ctr_drbg_set_nonce_len()). - pub private_reseed_counter: ::core::ffi::c_int, - ///< This determines whether prediction - ///resistance is enabled, that is - ///whether to systematically reseed before - ///each random generation. - pub private_prediction_resistance: ::core::ffi::c_int, - ///< The amount of entropy grabbed on each - ///seed or reseed operation, in bytes. - pub private_entropy_len: usize, - ///< The reseed interval. - /// This is the maximum number of requests - /// that can be made between reseedings. - pub private_reseed_interval: ::core::ffi::c_int, - ///< The AES context. - pub private_aes_ctx: mbedtls_aes_context, - pub private_f_entropy: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - ///< The context for the entropy function. - pub private_p_entropy: *mut ::core::ffi::c_void, +pub struct mbedtls_md_info_t { + _unused: [u8; 0], } -impl Default for mbedtls_ctr_drbg_context { +pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_LEGACY: mbedtls_md_engine_t = 0; +pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_PSA: mbedtls_md_engine_t = 1; +/// Used internally to indicate whether a context uses legacy or PSA. +/// +/// Internal use only. +pub type mbedtls_md_engine_t = ::core::ffi::c_uint; +/// The generic message-digest context. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_md_context_t { + /// Information about the associated message digest. + pub private_md_info: *const mbedtls_md_info_t, + /// The digest-specific context (legacy) or the PSA operation. + pub private_md_ctx: *mut ::core::ffi::c_void, + /// The HMAC part of the context. + pub private_hmac_ctx: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_md_context_t { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -5888,4389 +6400,3745 @@ impl Default for mbedtls_ctr_drbg_context { } } unsafe extern "C" { - /// \brief This function initializes the CTR_DRBG context, - /// and prepares it for mbedtls_ctr_drbg_seed() - /// or mbedtls_ctr_drbg_free(). + /// \brief This function returns the message-digest information + /// associated with the given digest type. /// - /// \note The reseed interval is - /// #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default. - /// You can override it by calling - /// mbedtls_ctr_drbg_set_reseed_interval(). + /// \param md_type The type of digest to search for. /// - /// \param ctx The CTR_DRBG context to initialize. - pub fn mbedtls_ctr_drbg_init(ctx: *mut mbedtls_ctr_drbg_context); + /// \return The message-digest information associated with \p md_type. + /// \return NULL if the associated message-digest information is not found. + pub fn mbedtls_md_info_from_type(md_type: mbedtls_md_type_t) -> *const mbedtls_md_info_t; } unsafe extern "C" { - /// - The \p custom string. - /// - /// \note To achieve the nominal security strength permitted - /// by CTR_DRBG, the entropy length must be: - /// - at least 16 bytes for a 128-bit strength - /// (maximum achievable strength when using AES-128); - /// - at least 32 bytes for a 256-bit strength - /// (maximum achievable strength when using AES-256). - /// - /// In addition, if you do not pass a nonce in \p custom, - /// the sum of the entropy length - /// and the entropy nonce length must be: - /// - at least 24 bytes for a 128-bit strength - /// (maximum achievable strength when using AES-128); - /// - at least 48 bytes for a 256-bit strength - /// (maximum achievable strength when using AES-256). - /// - /// \param ctx The CTR_DRBG context to seed. - /// It must have been initialized with - /// mbedtls_ctr_drbg_init(). - /// After a successful call to mbedtls_ctr_drbg_seed(), - /// you may not call mbedtls_ctr_drbg_seed() again on - /// the same context unless you call - /// mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init() - /// again first. - /// After a failed call to mbedtls_ctr_drbg_seed(), - /// you must call mbedtls_ctr_drbg_free(). - /// \param f_entropy The entropy callback, taking as arguments the - /// \p p_entropy context, the buffer to fill, and the - /// length of the buffer. - /// \p f_entropy is always called with a buffer size - /// less than or equal to the entropy length. - /// \param p_entropy The entropy context to pass to \p f_entropy. - /// \param custom The personalization string. - /// This can be \c NULL, in which case the personalization - /// string is empty regardless of the value of \p len. - /// \param len The length of the personalization string. - /// This must be at most - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// - #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// \brief This function initializes a message-digest context without + /// binding it to a particular message-digest algorithm. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. - pub fn mbedtls_ctr_drbg_seed( - ctx: *mut mbedtls_ctr_drbg_context, - f_entropy: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_entropy: *mut ::core::ffi::c_void, - custom: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// This function should always be called first. It prepares the + /// context for mbedtls_md_setup() for binding it to a + /// message-digest algorithm. + pub fn mbedtls_md_init(ctx: *mut mbedtls_md_context_t); } unsafe extern "C" { - /// \brief This function resets CTR_DRBG context to the state immediately - /// after initial call of mbedtls_ctr_drbg_init(). + /// \brief This function clears the internal structure of \p ctx and + /// frees any embedded internal structure, but does not free + /// \p ctx itself. /// - /// \param ctx The CTR_DRBG context to clear. - pub fn mbedtls_ctr_drbg_free(ctx: *mut mbedtls_ctr_drbg_context); + /// If you have called mbedtls_md_setup() on \p ctx, you must + /// call mbedtls_md_free() when you are no longer using the + /// context. + /// Calling this function if you have previously + /// called mbedtls_md_init() and nothing else is optional. + /// You must not call this function if you have not called + /// mbedtls_md_init(). + pub fn mbedtls_md_free(ctx: *mut mbedtls_md_context_t); } unsafe extern "C" { - /// \brief This function turns prediction resistance on or off. - /// The default value is off. + /// \brief This function selects the message digest algorithm to use, + /// and allocates internal structures. /// - /// \note If enabled, entropy is gathered at the beginning of - /// every call to mbedtls_ctr_drbg_random_with_add() - /// or mbedtls_ctr_drbg_random(). - /// Only use this if your entropy source has sufficient - /// throughput. + /// It should be called after mbedtls_md_init() or + /// mbedtls_md_free(). Makes it necessary to call + /// mbedtls_md_free() later. /// - /// \param ctx The CTR_DRBG context. - /// \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF. - pub fn mbedtls_ctr_drbg_set_prediction_resistance( - ctx: *mut mbedtls_ctr_drbg_context, - resistance: ::core::ffi::c_int, - ); + /// \param ctx The context to set up. + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory), + /// or non-zero: HMAC is used with this context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + /// \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure. + pub fn mbedtls_md_setup( + ctx: *mut mbedtls_md_context_t, + md_info: *const mbedtls_md_info_t, + hmac: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the amount of entropy grabbed on each - /// seed or reseed. - /// - /// The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// \brief This function clones the state of a message-digest + /// context. /// - /// \note The security strength of CTR_DRBG is bounded by the - /// entropy length. Thus: - /// - When using AES-256 - /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled, - /// which is the default), - /// \p len must be at least 32 (in bytes) - /// to achieve a 256-bit strength. - /// - When using AES-128 - /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) - /// \p len must be at least 16 (in bytes) - /// to achieve a 128-bit strength. + /// \note You must call mbedtls_md_setup() on \c dst before calling + /// this function. /// - /// \param ctx The CTR_DRBG context. - /// \param len The amount of entropy to grab, in bytes. - /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// and at most the maximum length accepted by the - /// entropy function that is set in the context. - pub fn mbedtls_ctr_drbg_set_entropy_len(ctx: *mut mbedtls_ctr_drbg_context, len: usize); -} -unsafe extern "C" { - /// \brief This function sets the amount of entropy grabbed - /// as a nonce for the initial seeding. + /// \note The two contexts must have the same type, + /// for example, both are SHA-256. /// - /// Call this function before calling mbedtls_ctr_drbg_seed() to read - /// a nonce from the entropy source during the initial seeding. + /// \warning This function clones the message-digest state, not the + /// HMAC state. /// - /// \param ctx The CTR_DRBG context. - /// \param len The amount of entropy to grab for the nonce, in bytes. - /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// and at most the maximum length accepted by the - /// entropy function that is set in the context. + /// \param dst The destination context. + /// \param src The context to be cloned. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is - /// more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED - /// if the initial seeding has already taken place. - pub fn mbedtls_ctr_drbg_set_nonce_len( - ctx: *mut mbedtls_ctr_drbg_context, - len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure. + /// \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are + /// not using the same engine. This can be avoided by moving + /// the call to psa_crypto_init() before the first call to + /// mbedtls_md_setup(). + pub fn mbedtls_md_clone( + dst: *mut mbedtls_md_context_t, + src: *const mbedtls_md_context_t, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the reseed interval. - /// - /// The reseed interval is the number of calls to mbedtls_ctr_drbg_random() - /// or mbedtls_ctr_drbg_random_with_add() after which the entropy function - /// is called again. + /// \brief This function extracts the message-digest size from the + /// message-digest information structure. /// - /// The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL. + /// \param md_info The information structure of the message-digest algorithm + /// to use. /// - /// \param ctx The CTR_DRBG context. - /// \param interval The reseed interval. - pub fn mbedtls_ctr_drbg_set_reseed_interval( - ctx: *mut mbedtls_ctr_drbg_context, - interval: ::core::ffi::c_int, - ); + /// \return The size of the message-digest output in Bytes. + pub fn mbedtls_md_get_size(md_info: *const mbedtls_md_info_t) -> ::core::ffi::c_uchar; } unsafe extern "C" { - /// \brief This function reseeds the CTR_DRBG context, that is - /// extracts data from the entropy source. + /// \brief This function extracts the message-digest type from the + /// message-digest information structure. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// \param md_info The information structure of the message-digest algorithm + /// to use. /// - /// \param ctx The CTR_DRBG context. - /// \param additional Additional data to add to the state. Can be \c NULL. - /// \param len The length of the additional data. - /// This must be less than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len - /// where \c entropy_len is the entropy length - /// configured for the context. + /// \return The type of the message digest. + pub fn mbedtls_md_get_type(md_info: *const mbedtls_md_info_t) -> mbedtls_md_type_t; +} +unsafe extern "C" { + /// \brief This function starts a message-digest computation. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. - pub fn mbedtls_ctr_drbg_reseed( - ctx: *mut mbedtls_ctr_drbg_context, - additional: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// You must call this function after setting up the context + /// with mbedtls_md_setup(), and before passing data with + /// mbedtls_md_update(). + /// + /// \param ctx The generic message-digest context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_starts(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function updates the state of the CTR_DRBG context. + /// \brief This function feeds an input buffer into an ongoing + /// message-digest computation. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// You must call mbedtls_md_starts() before calling this + /// function. You may call this function multiple times. + /// Afterwards, call mbedtls_md_finish(). /// - /// \param ctx The CTR_DRBG context. - /// \param additional The data to update the state with. This must not be - /// \c NULL unless \p add_len is \c 0. - /// \param add_len Length of \p additional in bytes. This must be at - /// most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \param ctx The generic message-digest context. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if - /// \p add_len is more than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. - /// \return An error from the underlying AES cipher on failure. - pub fn mbedtls_ctr_drbg_update( - ctx: *mut mbedtls_ctr_drbg_context, - additional: *const ::core::ffi::c_uchar, - add_len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_update( + ctx: *mut mbedtls_md_context_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function updates a CTR_DRBG instance with additional - /// data and uses it to generate random data. - /// - /// This function automatically reseeds if the reseed counter is exceeded - /// or prediction resistance is enabled. + /// \brief This function finishes the digest operation, + /// and writes the result to the output buffer. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// Call this function after a call to mbedtls_md_starts(), + /// followed by any number of calls to mbedtls_md_update(). + /// Afterwards, you may either clear the context with + /// mbedtls_md_free(), or call mbedtls_md_starts() to reuse + /// the context for another digest operation with the same + /// algorithm. /// - /// \param p_rng The CTR_DRBG context. This must be a pointer to a - /// #mbedtls_ctr_drbg_context structure. - /// \param output The buffer to fill. - /// \param output_len The length of the buffer in bytes. - /// \param additional Additional data to update. Can be \c NULL, in which - /// case the additional data is empty regardless of - /// the value of \p add_len. - /// \param add_len The length of the additional data - /// if \p additional is not \c NULL. - /// This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT - /// and less than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len - /// where \c entropy_len is the entropy length - /// configured for the context. + /// \param ctx The generic message-digest context. + /// \param output The buffer for the generic message-digest checksum result. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or - /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. - pub fn mbedtls_ctr_drbg_random_with_add( - p_rng: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_finish( + ctx: *mut mbedtls_md_context_t, output: *mut ::core::ffi::c_uchar, - output_len: usize, - additional: *const ::core::ffi::c_uchar, - add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \param p_rng The CTR_DRBG context. This must be a pointer to a - /// #mbedtls_ctr_drbg_context structure. - /// \param output The buffer to fill. - /// \param output_len The length of the buffer in bytes. + /// \brief This function calculates the message-digest of a buffer, + /// with respect to a configurable message-digest algorithm + /// in a single call. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or - /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. - pub fn mbedtls_ctr_drbg_random( - p_rng: *mut ::core::ffi::c_void, + /// The result is calculated as + /// Output = message_digest(input buffer). + /// + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param input The buffer holding the data. + /// \param ilen The length of the input data. + /// \param output The generic message-digest checksum result. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md( + md_info: *const mbedtls_md_info_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, output: *mut ::core::ffi::c_uchar, - output_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief The CTR_DRBG checkup routine. + /// \brief This function returns the list of digests supported by the + /// generic digest module. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_ctr_drbg_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -///< Curve not defined. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_NONE: mbedtls_ecp_group_id = 0; -///< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192R1: mbedtls_ecp_group_id = 1; -///< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224R1: mbedtls_ecp_group_id = 2; -///< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256R1: mbedtls_ecp_group_id = 3; -///< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP384R1: mbedtls_ecp_group_id = 4; -///< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP521R1: mbedtls_ecp_group_id = 5; -///< Domain parameters for 256-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP256R1: mbedtls_ecp_group_id = 6; -///< Domain parameters for 384-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP384R1: mbedtls_ecp_group_id = 7; -///< Domain parameters for 512-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP512R1: mbedtls_ecp_group_id = 8; -///< Domain parameters for Curve25519. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE25519: mbedtls_ecp_group_id = 9; -///< Domain parameters for 192-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192K1: mbedtls_ecp_group_id = 10; -///< Domain parameters for 224-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224K1: mbedtls_ecp_group_id = 11; -///< Domain parameters for 256-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256K1: mbedtls_ecp_group_id = 12; -///< Domain parameters for Curve448. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE448: mbedtls_ecp_group_id = 13; -/// Domain-parameter identifiers: curve, subgroup, and generator. -/// -/// \note Only curves over prime fields are supported. -/// -/// \warning This library does not support validation of arbitrary domain -/// parameters. Therefore, only standardized domain parameters from trusted -/// sources should be used. See mbedtls_ecp_group_load(). -pub type mbedtls_ecp_group_id = ::core::ffi::c_uint; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_NONE: mbedtls_ecp_curve_type = 0; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: mbedtls_ecp_curve_type = 1; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_MONTGOMERY: mbedtls_ecp_curve_type = 2; -pub type mbedtls_ecp_curve_type = ::core::ffi::c_uint; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_NONE: mbedtls_ecp_modulus_type = 0; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_COORDINATE: mbedtls_ecp_modulus_type = 1; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_SCALAR: mbedtls_ecp_modulus_type = 2; -pub type mbedtls_ecp_modulus_type = ::core::ffi::c_uint; -/// Curve information, for use by other modules. -/// -/// The fields of this structure are part of the public API and can be -/// accessed directly by applications. Future versions of the library may -/// add extra fields or reorder existing fields. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_curve_info { - ///< An internal identifier. - pub grp_id: mbedtls_ecp_group_id, - ///< The TLS NamedCurve identifier. - pub tls_id: u16, - ///< The curve size in bits. - pub bit_size: u16, - ///< A human-friendly name. - pub name: *const ::core::ffi::c_char, + /// \note The list starts with the strongest available hashes. + /// + /// \return A statically allocated array of digests. Each element + /// in the returned list is an integer belonging to the + /// message-digest enumeration #mbedtls_md_type_t. + /// The last entry is 0. + pub fn mbedtls_md_list() -> *const ::core::ffi::c_int; } -impl Default for mbedtls_ecp_curve_info { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief This function returns the message-digest information + /// associated with the given digest name. + /// + /// \param md_name The name of the digest to search for. + /// + /// \return The message-digest information associated with \p md_name. + /// \return NULL if the associated message-digest information is not found. + pub fn mbedtls_md_info_from_string( + md_name: *const ::core::ffi::c_char, + ) -> *const mbedtls_md_info_t; } -/// \brief The ECP point structure, in Jacobian coordinates. -/// -/// \note All functions expect and return points satisfying -/// the following condition: Z == 0 or -/// Z == 1. Other values of \p Z are -/// used only by internal functions. -/// The point is zero, or "at infinity", if Z == 0. -/// Otherwise, \p X and \p Y are its standard (affine) -/// coordinates. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_point { - ///< The X coordinate of the ECP point. - pub private_X: mbedtls_mpi, - ///< The Y coordinate of the ECP point. - pub private_Y: mbedtls_mpi, - ///< The Z coordinate of the ECP point. - pub private_Z: mbedtls_mpi, -} -impl Default for mbedtls_ecp_point { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -/// \brief The ECP group structure. -/// -/// We consider two types of curve equations: -///
  • Short Weierstrass: y^2 = x^3 + A x + B mod P -/// (SEC1 + RFC-4492)
    • -///
  • Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, -/// Curve448)
-/// In both cases, the generator (\p G) for a prime-order subgroup is fixed. -/// -/// For Short Weierstrass, this subgroup is the whole curve, and its -/// cardinality is denoted by \p N. Our code requires that \p N is an -/// odd prime as mbedtls_ecp_mul() requires an odd number, and -/// mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. -/// -/// For Montgomery curves, we do not store \p A, but (A + 2) / 4, -/// which is the quantity used in the formulas. Additionally, \p nbits is -/// not the size of \p N but the required size for private keys. -/// -/// If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. -/// Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the -/// range of 0..2^(2*pbits)-1, and transforms it in-place to an integer -/// which is congruent mod \p P to the given MPI, and is close enough to \p pbits -/// in size, so that it may be efficiently brought in the 0..P-1 range by a few -/// additions or subtractions. Therefore, it is only an approximative modular -/// reduction. It must return 0 on success and non-zero on failure. -/// -/// \note Alternative implementations of the ECP module must obey the -/// following constraints. -/// * Group IDs must be distinct: if two group structures have -/// the same ID, then they must be identical. -/// * The fields \c id, \c P, \c A, \c B, \c G, \c N, -/// \c pbits and \c nbits must have the same type and semantics -/// as in the built-in implementation. -/// They must be available for reading, but direct modification -/// of these fields does not need to be supported. -/// They do not need to be at the same offset in the structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_group { - ///< An internal group identifier. - pub id: mbedtls_ecp_group_id, - ///< The prime modulus of the base field. - pub P: mbedtls_mpi, - ///< For Short Weierstrass: \p A in the equation. For - ///Montgomery curves: (A + 2) / 4. - pub A: mbedtls_mpi, - ///< For Short Weierstrass: \p B in the equation. - ///For Montgomery curves: unused. - pub B: mbedtls_mpi, - ///< The generator of the subgroup used. - pub G: mbedtls_ecp_point, - ///< The order of \p G. - pub N: mbedtls_mpi, - ///< The number of bits in \p P. - pub pbits: usize, - ///< For Short Weierstrass: The number of bits in \p P. - ///For Montgomery curves: the number of bits in the - ///private keys. - pub nbits: usize, - ///< \internal 1 if the constants are static. - pub private_h: ::core::ffi::c_uint, - ///< The function for fast pseudo-reduction - ///mod \p P (see above). - pub private_modp: - ::core::option::Option ::core::ffi::c_int>, - ///< Unused. - pub private_t_pre: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut mbedtls_ecp_point, - arg2: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int, - >, - ///< Unused. - pub private_t_post: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut mbedtls_ecp_point, - arg2: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int, - >, - ///< Unused. - pub private_t_data: *mut ::core::ffi::c_void, - ///< Pre-computed points for ecp_mul_comb(). - pub private_T: *mut mbedtls_ecp_point, - ///< The number of dynamic allocated pre-computed points. - pub private_T_size: usize, -} -impl Default for mbedtls_ecp_group { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -pub type mbedtls_ecp_restart_ctx = ::core::ffi::c_void; -/// \brief The ECP key-pair structure. -/// -/// A generic key-pair that may be used for ECDSA and fixed ECDH, for example. -/// -/// \note Members are deliberately in the same order as in the -/// ::mbedtls_ecdsa_context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_keypair { - ///< Elliptic curve and base point - pub private_grp: mbedtls_ecp_group, - ///< our secret value - pub private_d: mbedtls_mpi, - ///< our public value - pub private_Q: mbedtls_ecp_point, -} -impl Default for mbedtls_ecp_keypair { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - pub fn mbedtls_ecp_get_type(grp: *const mbedtls_ecp_group) -> mbedtls_ecp_curve_type; +unsafe extern "C" { + /// \brief This function returns the name of the message digest for + /// the message-digest information structure given. + /// + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// + /// \return The name of the message digest. + pub fn mbedtls_md_get_name(md_info: *const mbedtls_md_info_t) -> *const ::core::ffi::c_char; } unsafe extern "C" { - /// \brief This function retrieves the information defined in - /// mbedtls_ecp_curve_info() for all supported curves. + /// \brief This function returns the message-digest information + /// from the given context. /// - /// \note This function returns information about all curves - /// supported by the library. Some curves may not be - /// supported for all algorithms. Call mbedtls_ecdh_can_do() - /// or mbedtls_ecdsa_can_do() to check if a curve is - /// supported for ECDH or ECDSA. + /// \param ctx The context from which to extract the information. + /// This must be initialized (or \c NULL). /// - /// \return A statically allocated array. The last entry is 0. - pub fn mbedtls_ecp_curve_list() -> *const mbedtls_ecp_curve_info; + /// \return The message-digest information associated with \p ctx. + /// \return \c NULL if \p ctx is \c NULL. + pub fn mbedtls_md_info_from_ctx(ctx: *const mbedtls_md_context_t) -> *const mbedtls_md_info_t; } unsafe extern "C" { - /// \brief This function retrieves the list of internal group - /// identifiers of all supported curves in the order of - /// preference. + /// \brief This function sets the HMAC key and prepares to + /// authenticate a new message. /// - /// \note This function returns information about all curves - /// supported by the library. Some curves may not be - /// supported for all algorithms. Call mbedtls_ecdh_can_do() - /// or mbedtls_ecdsa_can_do() to check if a curve is - /// supported for ECDH or ECDSA. + /// Call this function after mbedtls_md_setup(), to use + /// the MD context for an HMAC calculation, then call + /// mbedtls_md_hmac_update() to provide the input data, and + /// mbedtls_md_hmac_finish() to get the HMAC value. /// - /// \return A statically allocated array, - /// terminated with MBEDTLS_ECP_DP_NONE. - pub fn mbedtls_ecp_grp_id_list() -> *const mbedtls_ecp_group_id; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param key The HMAC secret key. + /// \param keylen The length of the HMAC key in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_starts( + ctx: *mut mbedtls_md_context_t, + key: *const ::core::ffi::c_uchar, + keylen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from an internal - /// group identifier. + /// \brief This function feeds an input buffer into an ongoing HMAC + /// computation. /// - /// \param grp_id An \c MBEDTLS_ECP_DP_XXX value. + /// Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() + /// before calling this function. + /// You may call this function multiple times to pass the + /// input piecewise. + /// Afterwards, call mbedtls_md_hmac_finish(). /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_grp_id( - grp_id: mbedtls_ecp_group_id, - ) -> *const mbedtls_ecp_curve_info; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_update( + ctx: *mut mbedtls_md_context_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from a TLS - /// NamedCurve value. + /// \brief This function finishes the HMAC operation, and writes + /// the result to the output buffer. /// - /// \param tls_id An \c MBEDTLS_ECP_DP_XXX value. + /// Call this function after mbedtls_md_hmac_starts() and + /// mbedtls_md_hmac_update() to get the HMAC value. Afterwards + /// you may either call mbedtls_md_free() to clear the context, + /// or call mbedtls_md_hmac_reset() to reuse the context with + /// the same HMAC key. /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_tls_id(tls_id: u16) -> *const mbedtls_ecp_curve_info; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param output The generic HMAC checksum result. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_finish( + ctx: *mut mbedtls_md_context_t, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from a - /// human-readable name. + /// \brief This function prepares to authenticate a new message with + /// the same key as the previous HMAC operation. /// - /// \param name The human-readable name. + /// You may call this function after mbedtls_md_hmac_finish(). + /// Afterwards call mbedtls_md_hmac_update() to pass the new + /// input. /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_name( - name: *const ::core::ffi::c_char, - ) -> *const mbedtls_ecp_curve_info; -} -unsafe extern "C" { - /// \brief This function initializes a point as zero. + /// \param ctx The message digest context containing an embedded HMAC + /// context. /// - /// \param pt The point to initialize. - pub fn mbedtls_ecp_point_init(pt: *mut mbedtls_ecp_point); + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_reset(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function initializes an ECP group context - /// without loading any domain parameters. + /// \brief This function calculates the full generic HMAC + /// on the input buffer with the provided key. /// - /// \note After this function is called, domain parameters - /// for various ECP groups can be loaded through the - /// mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() - /// functions. - pub fn mbedtls_ecp_group_init(grp: *mut mbedtls_ecp_group); -} -unsafe extern "C" { - /// \brief This function initializes a key pair as an invalid one. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// \param key The key pair to initialize. - pub fn mbedtls_ecp_keypair_init(key: *mut mbedtls_ecp_keypair); -} -unsafe extern "C" { - /// \brief This function frees the components of a point. + /// The HMAC result is calculated as + /// output = generic HMAC(hmac key, input buffer). /// - /// \param pt The point to free. - pub fn mbedtls_ecp_point_free(pt: *mut mbedtls_ecp_point); -} -unsafe extern "C" { - /// \brief This function frees the components of an ECP group. + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param key The HMAC secret key. + /// \param keylen The length of the HMAC secret key in Bytes. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. + /// \param output The generic HMAC result. /// - /// \param grp The group to free. This may be \c NULL, in which - /// case this function returns immediately. If it is not - /// \c NULL, it must point to an initialized ECP group. - pub fn mbedtls_ecp_group_free(grp: *mut mbedtls_ecp_group); + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac( + md_info: *const mbedtls_md_info_t, + key: *const ::core::ffi::c_uchar, + keylen: usize, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief This function frees the components of a key pair. - /// - /// \param key The key pair to free. This may be \c NULL, in which - /// case this function returns immediately. If it is not - /// \c NULL, it must point to an initialized ECP key pair. - pub fn mbedtls_ecp_keypair_free(key: *mut mbedtls_ecp_keypair); +/// \brief Entropy poll callback pointer +/// +/// \param data Callback-specific data pointer +/// \param output Data to fill +/// \param len Maximum size to provide +/// \param olen The actual amount of bytes put into the buffer (Can be 0) +/// +/// \return 0 if no critical failures occurred, +/// MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise +pub type mbedtls_entropy_f_source_ptr = ::core::option::Option< + unsafe extern "C" fn( + data: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + ) -> ::core::ffi::c_int, +>; +/// \brief Entropy source state +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_entropy_source_state { + ///< The entropy source callback + pub private_f_source: mbedtls_entropy_f_source_ptr, + ///< The callback data pointer + pub private_p_source: *mut ::core::ffi::c_void, + ///< Amount received in bytes + pub private_size: usize, + ///< Minimum bytes required before release + pub private_threshold: usize, + ///< Is the source strong? + pub private_strong: ::core::ffi::c_int, } -unsafe extern "C" { - /// \brief This function copies the contents of point \p Q into - /// point \p P. - /// - /// \param P The destination point. This must be initialized. - /// \param Q The source point. This must be initialized. - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code for other kinds of failure. - pub fn mbedtls_ecp_copy( - P: *mut mbedtls_ecp_point, - Q: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_entropy_source_state { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +/// \brief Entropy context structure +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_entropy_context { + pub private_accumulator: mbedtls_md_context_t, + pub private_accumulator_started: ::core::ffi::c_int, + pub private_source_count: ::core::ffi::c_int, + pub private_source: [mbedtls_entropy_source_state; 20usize], +} +impl Default for mbedtls_entropy_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief This function copies the contents of group \p src into - /// group \p dst. - /// - /// \param dst The destination group. This must be initialized. - /// \param src The source group. This must be initialized. + /// \brief Initialize the context /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_group_copy( - dst: *mut mbedtls_ecp_group, - src: *const mbedtls_ecp_group, - ) -> ::core::ffi::c_int; + /// \param ctx Entropy context to initialize + pub fn mbedtls_entropy_init(ctx: *mut mbedtls_entropy_context); } unsafe extern "C" { - /// \brief This function sets a point to the point at infinity. - /// - /// \param pt The point to set. This must be initialized. + /// \brief Free the data in the context /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_set_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; + /// \param ctx Entropy context to free + pub fn mbedtls_entropy_free(ctx: *mut mbedtls_entropy_context); } unsafe extern "C" { - /// \brief This function checks if a point is the point at infinity. + /// \brief Adds an entropy source to poll + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param pt The point to test. This must be initialized. + /// \param ctx Entropy context + /// \param f_source Entropy function + /// \param p_source Function data + /// \param threshold Minimum required from source before entropy is released + /// ( with mbedtls_entropy_func() ) (in bytes) + /// \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or + /// MBEDTLS_ENTROPY_SOURCE_WEAK. + /// At least one strong source needs to be added. + /// Weaker sources (such as the cycle counter) can be used as + /// a complement. /// - /// \return \c 1 if the point is zero. - /// \return \c 0 if the point is non-zero. - /// \return A negative error code on failure. - pub fn mbedtls_ecp_is_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; + /// \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES + pub fn mbedtls_entropy_add_source( + ctx: *mut mbedtls_entropy_context, + f_source: mbedtls_entropy_f_source_ptr, + p_source: *mut ::core::ffi::c_void, + threshold: usize, + strong: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function compares two points. - /// - /// \note This assumes that the points are normalized. Otherwise, - /// they may compare as "not equal" even if they are. + /// \brief Trigger an extra gather poll for the accumulator + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param P The first point to compare. This must be initialized. - /// \param Q The second point to compare. This must be initialized. + /// \param ctx Entropy context /// - /// \return \c 0 if the points are equal. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal. - pub fn mbedtls_ecp_point_cmp( - P: *const mbedtls_ecp_point, - Q: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; + /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + pub fn mbedtls_entropy_gather(ctx: *mut mbedtls_entropy_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports a non-zero point from two ASCII - /// strings. + /// \brief Retrieve entropy from the accumulator + /// (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE) + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param P The destination point. This must be initialized. - /// \param radix The numeric base of the input. - /// \param x The first affine coordinate, as a null-terminated string. - /// \param y The second affine coordinate, as a null-terminated string. + /// \param data Entropy context + /// \param output Buffer to fill + /// \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_MPI_XXX error code on failure. - pub fn mbedtls_ecp_point_read_string( - P: *mut mbedtls_ecp_point, - radix: ::core::ffi::c_int, - x: *const ::core::ffi::c_char, - y: *const ::core::ffi::c_char, + /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + pub fn mbedtls_entropy_func( + data: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports a point into unsigned binary data. + /// \brief Add data to the accumulator manually + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param grp The group to which the point should belong. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param P The point to export. This must be initialized. - /// \param format The point format. This must be either - /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. - /// (For groups without these formats, this parameter is - /// ignored. But it still has to be either of the above - /// values.) - /// \param olen The address at which to store the length of - /// the output in Bytes. This must not be \c NULL. - /// \param buf The output buffer. This must be a writable buffer - /// of length \p buflen Bytes. - /// \param buflen The length of the output buffer \p buf in Bytes. + /// \param ctx Entropy context + /// \param data Data to add + /// \param len Length of data /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer - /// is too small to hold the point. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format - /// or the export for the given group is not implemented. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_point_write_binary( - grp: *const mbedtls_ecp_group, - P: *const mbedtls_ecp_point, - format: ::core::ffi::c_int, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - buflen: usize, + /// \return 0 if successful + pub fn mbedtls_entropy_update_manual( + ctx: *mut mbedtls_entropy_context, + data: *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports a point from unsigned binary data. + /// \brief Checkup routine /// - /// \note This function does not check that the point actually - /// belongs to the given group, see mbedtls_ecp_check_pubkey() - /// for that. + /// This module self-test also calls the entropy self-test, + /// mbedtls_entropy_source_self_test(); /// - /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for - /// limitations. + /// \return 0 if successful, or 1 if a test failed + pub fn mbedtls_entropy_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief The CTR_DRBG context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ctr_drbg_context { + ///< The counter (V). + pub private_counter: [::core::ffi::c_uchar; 16usize], + ///< The reseed counter. + /// This is the number of requests that have + /// been made since the last (re)seeding, + /// minus one. + /// Before the initial seeding, this field + /// contains the amount of entropy in bytes + /// to use as a nonce for the initial seeding, + /// or -1 if no nonce length has been explicitly + /// set (see mbedtls_ctr_drbg_set_nonce_len()). + pub private_reseed_counter: ::core::ffi::c_int, + ///< This determines whether prediction + ///resistance is enabled, that is + ///whether to systematically reseed before + ///each random generation. + pub private_prediction_resistance: ::core::ffi::c_int, + ///< The amount of entropy grabbed on each + ///seed or reseed operation, in bytes. + pub private_entropy_len: usize, + ///< The reseed interval. + /// This is the maximum number of requests + /// that can be made between reseedings. + pub private_reseed_interval: ::core::ffi::c_int, + ///< The AES context. + pub private_aes_ctx: mbedtls_aes_context, + pub private_f_entropy: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut ::core::ffi::c_void, + arg2: *mut ::core::ffi::c_uchar, + arg3: usize, + ) -> ::core::ffi::c_int, + >, + ///< The context for the entropy function. + pub private_p_entropy: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_ctr_drbg_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes the CTR_DRBG context, + /// and prepares it for mbedtls_ctr_drbg_seed() + /// or mbedtls_ctr_drbg_free(). /// - /// \param grp The group to which the point should belong. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param P The destination context to import the point to. - /// This must be initialized. - /// \param buf The input buffer. This must be a readable buffer - /// of length \p ilen Bytes. - /// \param ilen The length of the input buffer \p buf in Bytes. + /// \note The reseed interval is + /// #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default. + /// You can override it by calling + /// mbedtls_ctr_drbg_set_reseed_interval(). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the - /// given group is not implemented. - pub fn mbedtls_ecp_point_read_binary( - grp: *const mbedtls_ecp_group, - P: *mut mbedtls_ecp_point, - buf: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context to initialize. + pub fn mbedtls_ctr_drbg_init(ctx: *mut mbedtls_ctr_drbg_context); } unsafe extern "C" { - /// \brief This function imports a point from a TLS ECPoint record. + /// - The \p custom string. /// - /// \note On function return, \p *buf is updated to point immediately - /// after the ECPoint record. + /// \note To achieve the nominal security strength permitted + /// by CTR_DRBG, the entropy length must be: + /// - at least 16 bytes for a 128-bit strength + /// (maximum achievable strength when using AES-128); + /// - at least 32 bytes for a 256-bit strength + /// (maximum achievable strength when using AES-256). /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The destination point. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the buffer. + /// In addition, if you do not pass a nonce in \p custom, + /// the sum of the entropy length + /// and the entropy nonce length must be: + /// - at least 24 bytes for a 128-bit strength + /// (maximum achievable strength when using AES-128); + /// - at least 48 bytes for a 256-bit strength + /// (maximum achievable strength when using AES-256). /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization - /// failure. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - pub fn mbedtls_ecp_tls_read_point( - grp: *const mbedtls_ecp_group, - pt: *mut mbedtls_ecp_point, - buf: *mut *const ::core::ffi::c_uchar, + /// \param ctx The CTR_DRBG context to seed. + /// It must have been initialized with + /// mbedtls_ctr_drbg_init(). + /// After a successful call to mbedtls_ctr_drbg_seed(), + /// you may not call mbedtls_ctr_drbg_seed() again on + /// the same context unless you call + /// mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init() + /// again first. + /// After a failed call to mbedtls_ctr_drbg_seed(), + /// you must call mbedtls_ctr_drbg_free(). + /// \param f_entropy The entropy callback, taking as arguments the + /// \p p_entropy context, the buffer to fill, and the + /// length of the buffer. + /// \p f_entropy is always called with a buffer size + /// less than or equal to the entropy length. + /// \param p_entropy The entropy context to pass to \p f_entropy. + /// \param custom The personalization string. + /// This can be \c NULL, in which case the personalization + /// string is empty regardless of the value of \p len. + /// \param len The length of the personalization string. + /// This must be at most + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// - #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. + pub fn mbedtls_ctr_drbg_seed( + ctx: *mut mbedtls_ctr_drbg_context, + f_entropy: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut ::core::ffi::c_void, + arg2: *mut ::core::ffi::c_uchar, + arg3: usize, + ) -> ::core::ffi::c_int, + >, + p_entropy: *mut ::core::ffi::c_void, + custom: *const ::core::ffi::c_uchar, len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports a point as a TLS ECPoint record - /// defined in RFC 4492, Section 5.4. - /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The point to be exported. This must be initialized. - /// \param format The point format to use. This must be either - /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. - /// \param olen The address at which to store the length in Bytes - /// of the data written. - /// \param buf The target buffer. This must be a writable buffer of - /// length \p blen Bytes. - /// \param blen The length of the target buffer \p buf in Bytes. + /// \brief This function resets CTR_DRBG context to the state immediately + /// after initial call of mbedtls_ctr_drbg_init(). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer - /// is too small to hold the exported point. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_write_point( - grp: *const mbedtls_ecp_group, - pt: *const mbedtls_ecp_point, - format: ::core::ffi::c_int, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - blen: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context to clear. + pub fn mbedtls_ctr_drbg_free(ctx: *mut mbedtls_ctr_drbg_context); } unsafe extern "C" { - /// \brief This function sets up an ECP group context - /// from a standardized set of domain parameters. - /// - /// \note The index should be a value of the NamedCurve enum, - /// as defined in RFC-4492: Elliptic Curve Cryptography - /// (ECC) Cipher Suites for Transport Layer Security (TLS), - /// usually in the form of an \c MBEDTLS_ECP_DP_XXX macro. + /// \brief This function turns prediction resistance on or off. + /// The default value is off. /// - /// \param grp The group context to setup. This must be initialized. - /// \param id The identifier of the domain parameter set to load. + /// \note If enabled, entropy is gathered at the beginning of + /// every call to mbedtls_ctr_drbg_random_with_add() + /// or mbedtls_ctr_drbg_random(). + /// Only use this if your entropy source has sufficient + /// throughput. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't - /// correspond to a known group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_group_load( - grp: *mut mbedtls_ecp_group, - id: mbedtls_ecp_group_id, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context. + /// \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF. + pub fn mbedtls_ctr_drbg_set_prediction_resistance( + ctx: *mut mbedtls_ctr_drbg_context, + resistance: ::core::ffi::c_int, + ); } unsafe extern "C" { - /// \brief This function sets up an ECP group context from a TLS - /// ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the amount of entropy grabbed on each + /// seed or reseed. /// - /// \note The read pointer \p buf is updated to point right after - /// the ECParameters record on exit. + /// The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN. /// - /// \param grp The group context to setup. This must be initialized. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the input buffer \c *buf in Bytes. + /// \note The security strength of CTR_DRBG is bounded by the + /// entropy length. Thus: + /// - When using AES-256 + /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled, + /// which is the default), + /// \p len must be at least 32 (in bytes) + /// to achieve a 256-bit strength. + /// - When using AES-128 + /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) + /// \p len must be at least 16 (in bytes) + /// to achieve a 128-bit strength. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not - /// recognized. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_read_group( - grp: *mut mbedtls_ecp_group, - buf: *mut *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context. + /// \param len The amount of entropy to grab, in bytes. + /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// and at most the maximum length accepted by the + /// entropy function that is set in the context. + pub fn mbedtls_ctr_drbg_set_entropy_len(ctx: *mut mbedtls_ctr_drbg_context, len: usize); } unsafe extern "C" { - /// \brief This function extracts an elliptic curve group ID from a - /// TLS ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the amount of entropy grabbed + /// as a nonce for the initial seeding. /// - /// \note The read pointer \p buf is updated to point right after - /// the ECParameters record on exit. + /// Call this function before calling mbedtls_ctr_drbg_seed() to read + /// a nonce from the entropy source during the initial seeding. /// - /// \param grp The address at which to store the group id. - /// This must not be \c NULL. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the input buffer \c *buf in Bytes. + /// \param ctx The CTR_DRBG context. + /// \param len The amount of entropy to grab for the nonce, in bytes. + /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// and at most the maximum length accepted by the + /// entropy function that is set in the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not - /// recognized. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_read_group_id( - grp: *mut mbedtls_ecp_group_id, - buf: *mut *const ::core::ffi::c_uchar, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is + /// more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED + /// if the initial seeding has already taken place. + pub fn mbedtls_ctr_drbg_set_nonce_len( + ctx: *mut mbedtls_ctr_drbg_context, len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports an elliptic curve as a TLS - /// ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the reseed interval. /// - /// \param grp The ECP group to be exported. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param olen The address at which to store the number of Bytes written. - /// This must not be \c NULL. - /// \param buf The buffer to write to. This must be a writable buffer - /// of length \p blen Bytes. - /// \param blen The length of the output buffer \p buf in Bytes. + /// The reseed interval is the number of calls to mbedtls_ctr_drbg_random() + /// or mbedtls_ctr_drbg_random_with_add() after which the entropy function + /// is called again. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output - /// buffer is too small to hold the exported group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_write_group( - grp: *const mbedtls_ecp_group, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - blen: usize, - ) -> ::core::ffi::c_int; + /// The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL. + /// + /// \param ctx The CTR_DRBG context. + /// \param interval The reseed interval. + pub fn mbedtls_ctr_drbg_set_reseed_interval( + ctx: *mut mbedtls_ctr_drbg_context, + interval: ::core::ffi::c_int, + ); } unsafe extern "C" { - /// \brief This function performs a scalar multiplication of a point - /// by an integer: \p R = \p m * \p P. - /// - /// It is not thread-safe to use same group in multiple threads. + /// \brief This function reseeds the CTR_DRBG context, that is + /// extracts data from the entropy source. /// - /// \note To prevent timing attacks, this function - /// executes the exact same sequence of base-field - /// operations for any valid \p m. It avoids any if-branch or - /// array index depending on the value of \p m. It also uses - /// \p f_rng to randomize some intermediate results. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply. This must be initialized. - /// \param P The point to multiply. This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. + /// \param ctx The CTR_DRBG context. + /// \param additional Additional data to add to the state. Can be \c NULL. + /// \param len The length of the additional data. + /// This must be less than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length + /// configured for the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private - /// key, or \p P is not a valid public key. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_mul( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. + pub fn mbedtls_ctr_drbg_reseed( + ctx: *mut mbedtls_ctr_drbg_context, + additional: *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication of a point by - /// an integer: \p R = \p m * \p P in a restartable way. - /// - /// \see mbedtls_ecp_mul() + /// \brief This function updates the state of the CTR_DRBG context. /// - /// \note This function does the same as \c mbedtls_ecp_mul(), but - /// it can return early and restart according to the limit set - /// with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply. This must be initialized. - /// \param P The point to multiply. This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. - /// \param rs_ctx The restart context (NULL disables restart). + /// \param ctx The CTR_DRBG context. + /// \param additional The data to update the state with. This must not be + /// \c NULL unless \p add_len is \c 0. + /// \param add_len Length of \p additional in bytes. This must be at + /// most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private - /// key, or \p P is not a valid public key. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_mul_restartable( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecp_restart_ctx, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if + /// \p add_len is more than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \return An error from the underlying AES cipher on failure. + pub fn mbedtls_ctr_drbg_update( + ctx: *mut mbedtls_ctr_drbg_context, + additional: *const ::core::ffi::c_uchar, + add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication and addition of two - /// points by integers: \p R = \p m * \p P + \p n * \p Q - /// - /// It is not thread-safe to use same group in multiple threads. + /// \brief This function updates a CTR_DRBG instance with additional + /// data and uses it to generate random data. /// - /// \note In contrast to mbedtls_ecp_mul(), this function does not - /// guarantee a constant execution flow and timing. + /// This function automatically reseeds if the reseed counter is exceeded + /// or prediction resistance is enabled. /// - /// \note This function is only defined for short Weierstrass curves. - /// It may not be included in builds without any short - /// Weierstrass curve. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply \p P. - /// This must be initialized. - /// \param P The point to multiply by \p m. This must be initialized. - /// \param n The integer by which to multiply \p Q. - /// This must be initialized. - /// \param Q The point to be multiplied by \p n. - /// This must be initialized. + /// \param p_rng The CTR_DRBG context. This must be a pointer to a + /// #mbedtls_ctr_drbg_context structure. + /// \param output The buffer to fill. + /// \param output_len The length of the buffer in bytes. + /// \param additional Additional data to update. Can be \c NULL, in which + /// case the additional data is empty regardless of + /// the value of \p add_len. + /// \param add_len The length of the additional data + /// if \p additional is not \c NULL. + /// This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT + /// and less than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length + /// configured for the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not - /// valid private keys, or \p P or \p Q are not valid public - /// keys. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not - /// designate a short Weierstrass curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_muladd( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - n: *const mbedtls_mpi, - Q: *const mbedtls_ecp_point, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. + pub fn mbedtls_ctr_drbg_random_with_add( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_len: usize, + additional: *const ::core::ffi::c_uchar, + add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication and addition of two - /// points by integers: \p R = \p m * \p P + \p n * \p Q in a - /// restartable way. + /// \param p_rng The CTR_DRBG context. This must be a pointer to a + /// #mbedtls_ctr_drbg_context structure. + /// \param output The buffer to fill. + /// \param output_len The length of the buffer in bytes. /// - /// \see \c mbedtls_ecp_muladd() + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. + pub fn mbedtls_ctr_drbg_random( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_len: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The CTR_DRBG checkup routine. /// - /// \note This function works the same as \c mbedtls_ecp_muladd(), - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. - /// - /// \note This function is only defined for short Weierstrass curves. - /// It may not be included in builds without any short - /// Weierstrass curve. - /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply \p P. - /// This must be initialized. - /// \param P The point to multiply by \p m. This must be initialized. - /// \param n The integer by which to multiply \p Q. - /// This must be initialized. - /// \param Q The point to be multiplied by \p n. - /// This must be initialized. - /// \param rs_ctx The restart context (NULL disables restart). - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not - /// valid private keys, or \p P or \p Q are not valid public - /// keys. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not - /// designate a short Weierstrass curve. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_muladd_restartable( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - n: *const mbedtls_mpi, - Q: *const mbedtls_ecp_point, - rs_ctx: *mut mbedtls_ecp_restart_ctx, - ) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_ctr_drbg_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief This function checks that a point is a valid public key - /// on this curve. - /// - /// It only checks that the point is non-zero, has - /// valid coordinates and lies on the curve. It does not verify - /// that it is indeed a multiple of \p G. This additional - /// check is computationally more expensive, is not required - /// by standards, and should not be necessary if the group - /// used has a small cofactor. In particular, it is useless for - /// the NIST groups which all have a cofactor of 1. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure, to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group the point should belong to. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The point to check. This must be initialized. - /// - /// \return \c 0 if the point is a valid public key. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not - /// a valid public key for the given curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_check_pubkey( - grp: *const mbedtls_ecp_group, - pt: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; +///< Curve not defined. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_NONE: mbedtls_ecp_group_id = 0; +///< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192R1: mbedtls_ecp_group_id = 1; +///< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224R1: mbedtls_ecp_group_id = 2; +///< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256R1: mbedtls_ecp_group_id = 3; +///< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP384R1: mbedtls_ecp_group_id = 4; +///< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP521R1: mbedtls_ecp_group_id = 5; +///< Domain parameters for 256-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP256R1: mbedtls_ecp_group_id = 6; +///< Domain parameters for 384-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP384R1: mbedtls_ecp_group_id = 7; +///< Domain parameters for 512-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP512R1: mbedtls_ecp_group_id = 8; +///< Domain parameters for Curve25519. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE25519: mbedtls_ecp_group_id = 9; +///< Domain parameters for 192-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192K1: mbedtls_ecp_group_id = 10; +///< Domain parameters for 224-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224K1: mbedtls_ecp_group_id = 11; +///< Domain parameters for 256-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256K1: mbedtls_ecp_group_id = 12; +///< Domain parameters for Curve448. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE448: mbedtls_ecp_group_id = 13; +/// Domain-parameter identifiers: curve, subgroup, and generator. +/// +/// \note Only curves over prime fields are supported. +/// +/// \warning This library does not support validation of arbitrary domain +/// parameters. Therefore, only standardized domain parameters from trusted +/// sources should be used. See mbedtls_ecp_group_load(). +pub type mbedtls_ecp_group_id = ::core::ffi::c_uint; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_NONE: mbedtls_ecp_curve_type = 0; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: mbedtls_ecp_curve_type = 1; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_MONTGOMERY: mbedtls_ecp_curve_type = 2; +pub type mbedtls_ecp_curve_type = ::core::ffi::c_uint; +/// Curve information, for use by other modules. +/// +/// The fields of this structure are part of the public API and can be +/// accessed directly by applications. Future versions of the library may +/// add extra fields or reorder existing fields. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_curve_info { + ///< An internal identifier. + pub grp_id: mbedtls_ecp_group_id, + ///< The TLS NamedCurve identifier. + pub tls_id: u16, + ///< The curve size in bits. + pub bit_size: u16, + ///< A human-friendly name. + pub name: *const ::core::ffi::c_char, } -unsafe extern "C" { - /// \brief This function checks that an \p mbedtls_mpi is a - /// valid private key for this curve. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group the private key should belong to. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The integer to check. This must be initialized. - /// - /// \return \c 0 if the point is a valid private key. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid - /// private key for the given curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_check_privkey( - grp: *const mbedtls_ecp_group, - d: *const mbedtls_mpi, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_ecp_curve_info { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief This function generates a private key. - /// - /// \param grp The ECP group to generate a private key for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The destination MPI (secret part). This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context argument. - /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_privkey( - grp: *const mbedtls_ecp_group, - d: *mut mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; +/// \brief The ECP point structure, in Jacobian coordinates. +/// +/// \note All functions expect and return points satisfying +/// the following condition: Z == 0 or +/// Z == 1. Other values of \p Z are +/// used only by internal functions. +/// The point is zero, or "at infinity", if Z == 0. +/// Otherwise, \p X and \p Y are its standard (affine) +/// coordinates. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_point { + ///< The X coordinate of the ECP point. + pub private_X: mbedtls_mpi, + ///< The Y coordinate of the ECP point. + pub private_Y: mbedtls_mpi, + ///< The Z coordinate of the ECP point. + pub private_Z: mbedtls_mpi, } -unsafe extern "C" { - /// \brief This function generates a keypair with a configurable base - /// point. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group to generate a key pair for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param G The base point to use. This must be initialized - /// and belong to \p grp. It replaces the default base - /// point \c grp->G used by mbedtls_ecp_gen_keypair(). - /// \param d The destination MPI (secret part). - /// This must be initialized. - /// \param Q The destination point (public part). - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_keypair_base( - grp: *mut mbedtls_ecp_group, - G: *const mbedtls_ecp_point, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_ecp_point { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief This function generates an ECP keypair. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group to generate a key pair for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The destination MPI (secret part). - /// This must be initialized. - /// \param Q The destination point (public part). - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. +/// \brief The ECP group structure. +/// +/// We consider two types of curve equations: +///
  • Short Weierstrass: y^2 = x^3 + A x + B mod P +/// (SEC1 + RFC-4492)
    • +///
  • Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, +/// Curve448)
+/// In both cases, the generator (\p G) for a prime-order subgroup is fixed. +/// +/// For Short Weierstrass, this subgroup is the whole curve, and its +/// cardinality is denoted by \p N. Our code requires that \p N is an +/// odd prime as mbedtls_ecp_mul() requires an odd number, and +/// mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. +/// +/// The default implementation only initializes \p A without setting it to the +/// authentic value for curves with A = -3(SECP256R1, etc), in which +/// case you need to load \p A by yourself when using domain parameters directly, +/// for example: +/// \code +/// mbedtls_mpi_init(&A); +/// mbedtls_ecp_group_init(&grp); +/// CHECK_RETURN(mbedtls_ecp_group_load(&grp, grp_id)); +/// if (mbedtls_ecp_group_a_is_minus_3(&grp)) { +/// CHECK_RETURN(mbedtls_mpi_sub_int(&A, &grp.P, 3)); +/// } else { +/// CHECK_RETURN(mbedtls_mpi_copy(&A, &grp.A)); +/// } +/// +/// do_something_with_a(&A); +/// +/// cleanup: +/// mbedtls_mpi_free(&A); +/// mbedtls_ecp_group_free(&grp); +/// \endcode +/// +/// For Montgomery curves, we do not store \p A, but (A + 2) / 4, +/// which is the quantity used in the formulas. Additionally, \p nbits is +/// not the size of \p N but the required size for private keys. +/// +/// If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. +/// Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the +/// range of 0..2^(2*pbits)-1, and transforms it in-place to an integer +/// which is congruent mod \p P to the given MPI, and is close enough to \p pbits +/// in size, so that it may be efficiently brought in the 0..P-1 range by a few +/// additions or subtractions. Therefore, it is only an approximate modular +/// reduction. It must return 0 on success and non-zero on failure. +/// +/// \note Alternative implementations of the ECP module must obey the +/// following constraints. +/// * Group IDs must be distinct: if two group structures have +/// the same ID, then they must be identical. +/// * The fields \c id, \c P, \c A, \c B, \c G, \c N, +/// \c pbits and \c nbits must have the same type and semantics +/// as in the built-in implementation. +/// They must be available for reading, but direct modification +/// of these fields does not need to be supported. +/// They do not need to be at the same offset in the structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_group { + ///< An internal group identifier. + pub id: mbedtls_ecp_group_id, + ///< The prime modulus of the base field. + pub P: mbedtls_mpi, + ///< For Short Weierstrass: \p A in the equation. Note that + ///\p A is not set to the authentic value in some cases. + ///Refer to detailed description of ::mbedtls_ecp_group if + ///using domain parameters in the structure. + ///For Montgomery curves: (A + 2) / 4. + pub A: mbedtls_mpi, + ///< For Short Weierstrass: \p B in the equation. + ///For Montgomery curves: unused. + pub B: mbedtls_mpi, + ///< The generator of the subgroup used. + pub G: mbedtls_ecp_point, + ///< The order of \p G. + pub N: mbedtls_mpi, + ///< The number of bits in \p P. + pub pbits: usize, + ///< For Short Weierstrass: The number of bits in \p P. + ///For Montgomery curves: the number of bits in the + ///private keys. + pub nbits: usize, + ///< \internal 1 if the constants are static. + pub private_h: ::core::ffi::c_uint, + ///< The function for fast pseudo-reduction + ///mod \p P (see above). + pub private_modp: + ::core::option::Option ::core::ffi::c_int>, + ///< Unused. + pub private_t_pre: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut mbedtls_ecp_point, + arg2: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int, + >, + ///< Unused. + pub private_t_post: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut mbedtls_ecp_point, + arg2: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int, + >, + ///< Unused. + pub private_t_data: *mut ::core::ffi::c_void, + ///< Pre-computed points for ecp_mul_comb(). + pub private_T: *mut mbedtls_ecp_point, + ///< The number of dynamic allocated pre-computed points. + pub private_T_size: usize, +} +impl Default for mbedtls_ecp_group { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub type mbedtls_ecp_restart_ctx = ::core::ffi::c_void; +/// \brief The ECP key-pair structure. +/// +/// A generic key-pair that may be used for ECDSA and fixed ECDH, for example. +/// +/// \note Members are deliberately in the same order as in the +/// ::mbedtls_ecdsa_context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_keypair { + ///< Elliptic curve and base point + pub private_grp: mbedtls_ecp_group, + ///< our secret value + pub private_d: mbedtls_mpi, + ///< our public value + pub private_Q: mbedtls_ecp_point, +} +impl Default for mbedtls_ecp_keypair { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + pub fn mbedtls_ecp_get_type(grp: *const mbedtls_ecp_group) -> mbedtls_ecp_curve_type; +} +unsafe extern "C" { + /// \brief This function retrieves the information defined in + /// mbedtls_ecp_curve_info() for all supported curves. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_keypair( - grp: *mut mbedtls_ecp_group, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \note This function returns information about all curves + /// supported by the library. Some curves may not be + /// supported for all algorithms. Call mbedtls_ecdh_can_do() + /// or mbedtls_ecdsa_can_do() to check if a curve is + /// supported for ECDH or ECDSA. + /// + /// \return A statically allocated array. The last entry is 0. + pub fn mbedtls_ecp_curve_list() -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function generates an ECP key. + /// \brief This function retrieves the list of internal group + /// identifiers of all supported curves in the order of + /// preference. /// - /// \param grp_id The ECP group identifier. - /// \param key The destination key. This must be initialized. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. + /// \note This function returns information about all curves + /// supported by the library. Some curves may not be + /// supported for all algorithms. Call mbedtls_ecdh_can_do() + /// or mbedtls_ecdsa_can_do() to check if a curve is + /// supported for ECDH or ECDSA. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_key( - grp_id: mbedtls_ecp_group_id, - key: *mut mbedtls_ecp_keypair, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \return A statically allocated array, + /// terminated with MBEDTLS_ECP_DP_NONE. + pub fn mbedtls_ecp_grp_id_list() -> *const mbedtls_ecp_group_id; } unsafe extern "C" { - /// \brief This function reads an elliptic curve private key. + /// \brief This function retrieves curve information from an internal + /// group identifier. /// - /// \param grp_id The ECP group identifier. - /// \param key The destination key. - /// \param buf The buffer containing the binary representation of the - /// key. (Big endian integer for Weierstrass curves, byte - /// string for Montgomery curves.) - /// \param buflen The length of the buffer in bytes. + /// \param grp_id An \c MBEDTLS_ECP_DP_XXX value. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is - /// invalid. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for - /// the group is not implemented. - /// \return Another negative error code on different kinds of failure. - pub fn mbedtls_ecp_read_key( + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_grp_id( grp_id: mbedtls_ecp_group_id, - key: *mut mbedtls_ecp_keypair, - buf: *const ::core::ffi::c_uchar, - buflen: usize, - ) -> ::core::ffi::c_int; + ) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function exports an elliptic curve private key. + /// \brief This function retrieves curve information from a TLS + /// NamedCurve value. /// - /// \param key The private key. - /// \param buf The output buffer for containing the binary representation - /// of the key. (Big endian integer for Weierstrass curves, byte - /// string for Montgomery curves.) - /// \param buflen The total length of the buffer in bytes. + /// \param tls_id An \c MBEDTLS_ECP_DP_XXX value. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key - ///representation is larger than the available space in \p buf. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for - /// the group is not implemented. - /// \return Another negative error code on different kinds of failure. - pub fn mbedtls_ecp_write_key( - key: *mut mbedtls_ecp_keypair, - buf: *mut ::core::ffi::c_uchar, - buflen: usize, - ) -> ::core::ffi::c_int; + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_tls_id(tls_id: u16) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function checks that the keypair objects - /// \p pub and \p prv have the same group and the - /// same public point, and that the private key in - /// \p prv is consistent with the public key. + /// \brief This function retrieves curve information from a + /// human-readable name. /// - /// \param pub The keypair structure holding the public key. This - /// must be initialized. If it contains a private key, that - /// part is ignored. - /// \param prv The keypair structure holding the full keypair. - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. + /// \param name The human-readable name. /// - /// \return \c 0 on success, meaning that the keys are valid and match. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match. - /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX - /// error code on calculation failure. - pub fn mbedtls_ecp_check_pub_priv( - pub_: *const mbedtls_ecp_keypair, - prv: *const mbedtls_ecp_keypair, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_name( + name: *const ::core::ffi::c_char, + ) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function exports generic key-pair parameters. - /// - /// \param key The key pair to export from. - /// \param grp Slot for exported ECP group. - /// It must point to an initialized ECP group. - /// \param d Slot for the exported secret value. - /// It must point to an initialized mpi. - /// \param Q Slot for the exported public value. - /// It must point to an initialized ECP point. + /// \brief This function initializes a point as zero. /// - /// \return \c 0 on success, - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't - /// correspond to a known group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_export( - key: *const mbedtls_ecp_keypair, - grp: *mut mbedtls_ecp_group, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - ) -> ::core::ffi::c_int; + /// \param pt The point to initialize. + pub fn mbedtls_ecp_point_init(pt: *mut mbedtls_ecp_point); } unsafe extern "C" { - /// \brief The ECP checkup routine. + /// \brief This function initializes an ECP group context + /// without loading any domain parameters. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_ecp_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -///< None. -pub const mbedtls_md_type_t_MBEDTLS_MD_NONE: mbedtls_md_type_t = 0; -///< The MD5 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_MD5: mbedtls_md_type_t = 1; -///< The SHA-1 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA1: mbedtls_md_type_t = 2; -///< The SHA-224 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA224: mbedtls_md_type_t = 3; -///< The SHA-256 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA256: mbedtls_md_type_t = 4; -///< The SHA-384 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA384: mbedtls_md_type_t = 5; -///< The SHA-512 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA512: mbedtls_md_type_t = 6; -///< The RIPEMD-160 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_RIPEMD160: mbedtls_md_type_t = 7; -/// \brief Supported message digests. -/// -/// \warning MD5 and SHA-1 are considered weak message digests and -/// their use constitutes a security risk. We recommend considering -/// stronger message digests instead. -pub type mbedtls_md_type_t = ::core::ffi::c_uint; -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md_info_t { - _unused: [u8; 0], -} -pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_LEGACY: mbedtls_md_engine_t = 0; -pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_PSA: mbedtls_md_engine_t = 1; -/// Used internally to indicate whether a context uses legacy or PSA. -/// -/// Internal use only. -pub type mbedtls_md_engine_t = ::core::ffi::c_uint; -/// The generic message-digest context. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md_context_t { - /// Information about the associated message digest. - pub private_md_info: *const mbedtls_md_info_t, - /// The digest-specific context (legacy) or the PSA operation. - pub private_md_ctx: *mut ::core::ffi::c_void, - /// The HMAC part of the context. - pub private_hmac_ctx: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_md_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \note After this function is called, domain parameters + /// for various ECP groups can be loaded through the + /// mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() + /// functions. + pub fn mbedtls_ecp_group_init(grp: *mut mbedtls_ecp_group); } unsafe extern "C" { - /// \brief This function returns the message-digest information - /// associated with the given digest type. - /// - /// \param md_type The type of digest to search for. + /// \brief This function initializes a key pair as an invalid one. /// - /// \return The message-digest information associated with \p md_type. - /// \return NULL if the associated message-digest information is not found. - pub fn mbedtls_md_info_from_type(md_type: mbedtls_md_type_t) -> *const mbedtls_md_info_t; + /// \param key The key pair to initialize. + pub fn mbedtls_ecp_keypair_init(key: *mut mbedtls_ecp_keypair); } unsafe extern "C" { - /// \brief This function initializes a message-digest context without - /// binding it to a particular message-digest algorithm. + /// \brief This function frees the components of a point. /// - /// This function should always be called first. It prepares the - /// context for mbedtls_md_setup() for binding it to a - /// message-digest algorithm. - pub fn mbedtls_md_init(ctx: *mut mbedtls_md_context_t); + /// \param pt The point to free. + pub fn mbedtls_ecp_point_free(pt: *mut mbedtls_ecp_point); } unsafe extern "C" { - /// \brief This function clears the internal structure of \p ctx and - /// frees any embedded internal structure, but does not free - /// \p ctx itself. + /// \brief This function frees the components of an ECP group. /// - /// If you have called mbedtls_md_setup() on \p ctx, you must - /// call mbedtls_md_free() when you are no longer using the - /// context. - /// Calling this function if you have previously - /// called mbedtls_md_init() and nothing else is optional. - /// You must not call this function if you have not called - /// mbedtls_md_init(). - pub fn mbedtls_md_free(ctx: *mut mbedtls_md_context_t); + /// \param grp The group to free. This may be \c NULL, in which + /// case this function returns immediately. If it is not + /// \c NULL, it must point to an initialized ECP group. + pub fn mbedtls_ecp_group_free(grp: *mut mbedtls_ecp_group); } unsafe extern "C" { - /// \brief This function selects the message digest algorithm to use, - /// and allocates internal structures. + /// \brief This function frees the components of a key pair. /// - /// It should be called after mbedtls_md_init() or - /// mbedtls_md_free(). Makes it necessary to call - /// mbedtls_md_free() later. + /// \param key The key pair to free. This may be \c NULL, in which + /// case this function returns immediately. If it is not + /// \c NULL, it must point to an initialized ECP key pair. + pub fn mbedtls_ecp_keypair_free(key: *mut mbedtls_ecp_keypair); +} +unsafe extern "C" { + /// \brief This function copies the contents of point \p Q into + /// point \p P. /// - /// \param ctx The context to set up. - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory), - /// or non-zero: HMAC is used with this context. + /// \param P The destination point. This must be initialized. + /// \param Q The source point. This must be initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - /// \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure. - pub fn mbedtls_md_setup( - ctx: *mut mbedtls_md_context_t, - md_info: *const mbedtls_md_info_t, - hmac: ::core::ffi::c_int, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code for other kinds of failure. + pub fn mbedtls_ecp_copy( + P: *mut mbedtls_ecp_point, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function clones the state of a message-digest - /// context. - /// - /// \note You must call mbedtls_md_setup() on \c dst before calling - /// this function. - /// - /// \note The two contexts must have the same type, - /// for example, both are SHA-256. - /// - /// \warning This function clones the message-digest state, not the - /// HMAC state. + /// \brief This function copies the contents of group \p src into + /// group \p dst. /// - /// \param dst The destination context. - /// \param src The context to be cloned. + /// \param dst The destination group. This must be initialized. + /// \param src The source group. This must be initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure. - /// \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are - /// not using the same engine. This can be avoided by moving - /// the call to psa_crypto_init() before the first call to - /// mbedtls_md_setup(). - pub fn mbedtls_md_clone( - dst: *mut mbedtls_md_context_t, - src: *const mbedtls_md_context_t, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_group_copy( + dst: *mut mbedtls_ecp_group, + src: *const mbedtls_ecp_group, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest size from the - /// message-digest information structure. + /// \brief This function sets a point to the point at infinity. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param pt The point to set. This must be initialized. /// - /// \return The size of the message-digest output in Bytes. - pub fn mbedtls_md_get_size(md_info: *const mbedtls_md_info_t) -> ::core::ffi::c_uchar; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_set_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest type from the - /// message-digest information structure. + /// \brief This function checks if a point is the point at infinity. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param pt The point to test. This must be initialized. /// - /// \return The type of the message digest. - pub fn mbedtls_md_get_type(md_info: *const mbedtls_md_info_t) -> mbedtls_md_type_t; + /// \return \c 1 if the point is zero. + /// \return \c 0 if the point is non-zero. + /// \return A negative error code on failure. + pub fn mbedtls_ecp_is_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function starts a message-digest computation. + /// \brief This function compares two points. /// - /// You must call this function after setting up the context - /// with mbedtls_md_setup(), and before passing data with - /// mbedtls_md_update(). + /// \note This assumes that the points are normalized. Otherwise, + /// they may compare as "not equal" even if they are. /// - /// \param ctx The generic message-digest context. + /// \param P The first point to compare. This must be initialized. + /// \param Q The second point to compare. This must be initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_starts(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; + /// \return \c 0 if the points are equal. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal. + pub fn mbedtls_ecp_point_cmp( + P: *const mbedtls_ecp_point, + Q: *const mbedtls_ecp_point, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// message-digest computation. - /// - /// You must call mbedtls_md_starts() before calling this - /// function. You may call this function multiple times. - /// Afterwards, call mbedtls_md_finish(). + /// \brief This function imports a non-zero point from two ASCII + /// strings. /// - /// \param ctx The generic message-digest context. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. + /// \param P The destination point. This must be initialized. + /// \param radix The numeric base of the input. + /// \param x The first affine coordinate, as a null-terminated string. + /// \param y The second affine coordinate, as a null-terminated string. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_update( - ctx: *mut mbedtls_md_context_t, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \return An \c MBEDTLS_ERR_MPI_XXX error code on failure. + pub fn mbedtls_ecp_point_read_string( + P: *mut mbedtls_ecp_point, + radix: ::core::ffi::c_int, + x: *const ::core::ffi::c_char, + y: *const ::core::ffi::c_char, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function finishes the digest operation, - /// and writes the result to the output buffer. - /// - /// Call this function after a call to mbedtls_md_starts(), - /// followed by any number of calls to mbedtls_md_update(). - /// Afterwards, you may either clear the context with - /// mbedtls_md_free(), or call mbedtls_md_starts() to reuse - /// the context for another digest operation with the same - /// algorithm. + /// \brief This function exports a point into unsigned binary data. /// - /// \param ctx The generic message-digest context. - /// \param output The buffer for the generic message-digest checksum result. + /// \param grp The group to which the point should belong. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param P The point to export. This must be initialized. + /// \param format The point format. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// (For groups without these formats, this parameter is + /// ignored. But it still has to be either of the above + /// values.) + /// \param olen The address at which to store the length of + /// the output in Bytes. This must not be \c NULL. + /// \param buf The output buffer. This must be a writable buffer + /// of length \p buflen Bytes. + /// \param buflen The length of the output buffer \p buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_finish( - ctx: *mut mbedtls_md_context_t, - output: *mut ::core::ffi::c_uchar, + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer + /// is too small to hold the point. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format + /// or the export for the given group is not implemented. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_point_write_binary( + grp: *const mbedtls_ecp_group, + P: *const mbedtls_ecp_point, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function calculates the message-digest of a buffer, - /// with respect to a configurable message-digest algorithm - /// in a single call. + /// \brief This function imports a point from unsigned binary data. /// - /// The result is calculated as - /// Output = message_digest(input buffer). + /// \note This function does not check that the point actually + /// belongs to the given group, see mbedtls_ecp_check_pubkey() + /// for that. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param input The buffer holding the data. - /// \param ilen The length of the input data. - /// \param output The generic message-digest checksum result. + /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for + /// limitations. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md( - md_info: *const mbedtls_md_info_t, - input: *const ::core::ffi::c_uchar, + /// \param grp The group to which the point should belong. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param P The destination context to import the point to. + /// This must be initialized. + /// \param buf The input buffer. This must be a readable buffer + /// of length \p ilen Bytes. + /// \param ilen The length of the input buffer \p buf in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the + /// given group is not implemented. + pub fn mbedtls_ecp_point_read_binary( + grp: *const mbedtls_ecp_group, + P: *mut mbedtls_ecp_point, + buf: *const ::core::ffi::c_uchar, ilen: usize, - output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function returns the list of digests supported by the - /// generic digest module. - /// - /// \note The list starts with the strongest available hashes. + /// \brief This function imports a point from a TLS ECPoint record. /// - /// \return A statically allocated array of digests. Each element - /// in the returned list is an integer belonging to the - /// message-digest enumeration #mbedtls_md_type_t. - /// The last entry is 0. - pub fn mbedtls_md_list() -> *const ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function returns the message-digest information - /// associated with the given digest name. + /// \note On function return, \p *buf is updated to point immediately + /// after the ECPoint record. /// - /// \param md_name The name of the digest to search for. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The destination point. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the buffer. /// - /// \return The message-digest information associated with \p md_name. - /// \return NULL if the associated message-digest information is not found. - pub fn mbedtls_md_info_from_string( - md_name: *const ::core::ffi::c_char, - ) -> *const mbedtls_md_info_t; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization + /// failure. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + pub fn mbedtls_ecp_tls_read_point( + grp: *const mbedtls_ecp_group, + pt: *mut mbedtls_ecp_point, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest name from the - /// message-digest information structure. + /// \brief This function exports a point as a TLS ECPoint record + /// defined in RFC 4492, Section 5.4. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The point to be exported. This must be initialized. + /// \param format The point format to use. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// \param olen The address at which to store the length in Bytes + /// of the data written. + /// \param buf The target buffer. This must be a writable buffer of + /// length \p blen Bytes. + /// \param blen The length of the target buffer \p buf in Bytes. /// - /// \return The name of the message digest. - pub fn mbedtls_md_get_name(md_info: *const mbedtls_md_info_t) -> *const ::core::ffi::c_char; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer + /// is too small to hold the exported point. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_write_point( + grp: *const mbedtls_ecp_group, + pt: *const mbedtls_ecp_point, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + blen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function returns the message-digest information - /// from the given context. + /// \brief This function sets up an ECP group context + /// from a standardized set of domain parameters. /// - /// \param ctx The context from which to extract the information. - /// This must be initialized (or \c NULL). + /// \note The index should be a value of the NamedCurve enum, + /// as defined in RFC-4492: Elliptic Curve Cryptography + /// (ECC) Cipher Suites for Transport Layer Security (TLS), + /// usually in the form of an \c MBEDTLS_ECP_DP_XXX macro. /// - /// \return The message-digest information associated with \p ctx. - /// \return \c NULL if \p ctx is \c NULL. - pub fn mbedtls_md_info_from_ctx(ctx: *const mbedtls_md_context_t) -> *const mbedtls_md_info_t; + /// \param grp The group context to setup. This must be initialized. + /// \param id The identifier of the domain parameter set to load. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't + /// correspond to a known group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_group_load( + grp: *mut mbedtls_ecp_group, + id: mbedtls_ecp_group_id, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the HMAC key and prepares to - /// authenticate a new message. + /// \brief This function sets up an ECP group context from a TLS + /// ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call this function after mbedtls_md_setup(), to use - /// the MD context for an HMAC calculation, then call - /// mbedtls_md_hmac_update() to provide the input data, and - /// mbedtls_md_hmac_finish() to get the HMAC value. + /// \note The read pointer \p buf is updated to point right after + /// the ECParameters record on exit. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param key The HMAC secret key. - /// \param keylen The length of the HMAC key in Bytes. + /// \param grp The group context to setup. This must be initialized. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the input buffer \c *buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_starts( - ctx: *mut mbedtls_md_context_t, - key: *const ::core::ffi::c_uchar, - keylen: usize, + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not + /// recognized. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_read_group( + grp: *mut mbedtls_ecp_group, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing HMAC - /// computation. + /// \brief This function extracts an elliptic curve group ID from a + /// TLS ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() - /// before calling this function. - /// You may call this function multiple times to pass the - /// input piecewise. - /// Afterwards, call mbedtls_md_hmac_finish(). + /// \note The read pointer \p buf is updated to point right after + /// the ECParameters record on exit. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. + /// \param grp The address at which to store the group id. + /// This must not be \c NULL. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the input buffer \c *buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_update( - ctx: *mut mbedtls_md_context_t, - input: *const ::core::ffi::c_uchar, - ilen: usize, + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not + /// recognized. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_read_group_id( + grp: *mut mbedtls_ecp_group_id, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function finishes the HMAC operation, and writes - /// the result to the output buffer. + /// \brief This function exports an elliptic curve as a TLS + /// ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call this function after mbedtls_md_hmac_starts() and - /// mbedtls_md_hmac_update() to get the HMAC value. Afterwards - /// you may either call mbedtls_md_free() to clear the context, - /// or call mbedtls_md_hmac_reset() to reuse the context with - /// the same HMAC key. - /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param output The generic HMAC checksum result. + /// \param grp The ECP group to be exported. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param olen The address at which to store the number of Bytes written. + /// This must not be \c NULL. + /// \param buf The buffer to write to. This must be a writable buffer + /// of length \p blen Bytes. + /// \param blen The length of the output buffer \p buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_finish( - ctx: *mut mbedtls_md_context_t, - output: *mut ::core::ffi::c_uchar, + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output + /// buffer is too small to hold the exported group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_write_group( + grp: *const mbedtls_ecp_group, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + blen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function prepares to authenticate a new message with - /// the same key as the previous HMAC operation. + /// \brief This function performs a scalar multiplication of a point + /// by an integer: \p R = \p m * \p P. /// - /// You may call this function after mbedtls_md_hmac_finish(). - /// Afterwards call mbedtls_md_hmac_update() to pass the new - /// input. + /// It is not thread-safe to use same group in multiple threads. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. + /// \note To prevent timing attacks, this function + /// executes the exact same sequence of base-field + /// operations for any valid \p m. It avoids any if-branch or + /// array index depending on the value of \p m. It also uses + /// \p f_rng to randomize some intermediate results. + /// + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply. This must be initialized. + /// \param P The point to multiply. This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_reset(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private + /// key, or \p P is not a valid public key. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_mul( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function calculates the full generic HMAC - /// on the input buffer with the provided key. + /// \brief This function performs multiplication of a point by + /// an integer: \p R = \p m * \p P in a restartable way. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// \see mbedtls_ecp_mul() /// - /// The HMAC result is calculated as - /// output = generic HMAC(hmac key, input buffer). + /// \note This function does the same as \c mbedtls_ecp_mul(), but + /// it can return early and restart according to the limit set + /// with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param key The HMAC secret key. - /// \param keylen The length of the HMAC secret key in Bytes. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. - /// \param output The generic HMAC result. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply. This must be initialized. + /// \param P The point to multiply. This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. + /// \param rs_ctx The restart context (NULL disables restart). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac( - md_info: *const mbedtls_md_info_t, - key: *const ::core::ffi::c_uchar, - keylen: usize, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private + /// key, or \p P is not a valid public key. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_mul_restartable( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecp_restart_ctx, ) -> ::core::ffi::c_int; } -/// \brief The RSA context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_rsa_context { - ///< Reserved for internal purposes. - /// Do not set this field in application - /// code. Its meaning might change without - /// notice. - pub private_ver: ::core::ffi::c_int, - ///< The size of \p N in Bytes. - pub private_len: usize, - ///< The public modulus. - pub private_N: mbedtls_mpi, - ///< The public exponent. - pub private_E: mbedtls_mpi, - ///< The private exponent. - pub private_D: mbedtls_mpi, - ///< The first prime factor. - pub private_P: mbedtls_mpi, - ///< The second prime factor. - pub private_Q: mbedtls_mpi, - ///< D % (P - 1). - pub private_DP: mbedtls_mpi, - ///< D % (Q - 1). - pub private_DQ: mbedtls_mpi, - ///< 1 / (Q % P). - pub private_QP: mbedtls_mpi, - ///< cached R^2 mod N. - pub private_RN: mbedtls_mpi, - ///< cached R^2 mod P. - pub private_RP: mbedtls_mpi, - ///< cached R^2 mod Q. - pub private_RQ: mbedtls_mpi, - ///< The cached blinding value. - pub private_Vi: mbedtls_mpi, - ///< The cached un-blinding value. - pub private_Vf: mbedtls_mpi, - ///< Selects padding mode: - ///#MBEDTLS_RSA_PKCS_V15 for 1.5 padding and - ///#MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. - pub private_padding: ::core::ffi::c_int, - ///< Hash identifier of mbedtls_md_type_t type, - ///as specified in md.h for use in the MGF - ///mask generating function used in the - ///EME-OAEP and EMSA-PSS encodings. - pub private_hash_id: ::core::ffi::c_int, -} -impl Default for mbedtls_rsa_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { - /// \brief This function initializes an RSA context. - /// - /// \note This function initializes the padding and the hash - /// identifier to respectively #MBEDTLS_RSA_PKCS_V15 and - /// #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more - /// information about those parameters. - /// - /// \param ctx The RSA context to initialize. This must not be \c NULL. - pub fn mbedtls_rsa_init(ctx: *mut mbedtls_rsa_context); -} -unsafe extern "C" { - /// \brief This function sets padding for an already initialized RSA - /// context. - /// - /// \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP - /// encryption scheme and the RSASSA-PSS signature scheme. + /// \brief This function performs multiplication and addition of two + /// points by integers: \p R = \p m * \p P + \p n * \p Q /// - /// \note The \p hash_id parameter is ignored when using - /// #MBEDTLS_RSA_PKCS_V15 padding. + /// It is not thread-safe to use same group in multiple threads. /// - /// \note The choice of padding mode is strictly enforced for private - /// key operations, since there might be security concerns in - /// mixing padding modes. For public key operations it is - /// a default value, which can be overridden by calling specific - /// \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx - /// functions. + /// \note In contrast to mbedtls_ecp_mul(), this function does not + /// guarantee a constant execution flow and timing. /// - /// \note The hash selected in \p hash_id is always used for OEAP - /// encryption. For PSS signatures, it is always used for - /// making signatures, but can be overridden for verifying them. - /// If set to #MBEDTLS_MD_NONE, it is always overridden. + /// \note This function is only defined for short Weierstrass curves. + /// It may not be included in builds without any short + /// Weierstrass curve. /// - /// \param ctx The initialized RSA context to be configured. - /// \param padding The padding mode to use. This must be either - /// #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. - /// \param hash_id The hash identifier for PSS or OAEP, if \p padding is - /// #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this - /// function but may be not suitable for some operations. - /// Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply \p P. + /// This must be initialized. + /// \param P The point to multiply by \p m. This must be initialized. + /// \param n The integer by which to multiply \p Q. + /// This must be initialized. + /// \param Q The point to be multiplied by \p n. + /// This must be initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: - /// \p padding or \p hash_id is invalid. - pub fn mbedtls_rsa_set_padding( - ctx: *mut mbedtls_rsa_context, - padding: ::core::ffi::c_int, - hash_id: mbedtls_md_type_t, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not + /// valid private keys, or \p P or \p Q are not valid public + /// keys. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not + /// designate a short Weierstrass curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_muladd( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + n: *const mbedtls_mpi, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves padding mode of initialized - /// RSA context. - /// - /// \param ctx The initialized RSA context. + /// \brief This function performs multiplication and addition of two + /// points by integers: \p R = \p m * \p P + \p n * \p Q in a + /// restartable way. /// - /// \return RSA padding mode. - pub fn mbedtls_rsa_get_padding_mode(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function retrieves hash identifier of mbedtls_md_type_t - /// type. + /// \see \c mbedtls_ecp_muladd() /// - /// \param ctx The initialized RSA context. + /// \note This function works the same as \c mbedtls_ecp_muladd(), + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \return Hash identifier of mbedtls_md_type_t type. - pub fn mbedtls_rsa_get_md_alg(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function imports a set of core parameters into an - /// RSA context. + /// \note This function is only defined for short Weierstrass curves. + /// It may not be included in builds without any short + /// Weierstrass curve. /// - /// \note This function can be called multiple times for successive - /// imports, if the parameters are not simultaneously present. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply \p P. + /// This must be initialized. + /// \param P The point to multiply by \p m. This must be initialized. + /// \param n The integer by which to multiply \p Q. + /// This must be initialized. + /// \param Q The point to be multiplied by \p n. + /// This must be initialized. + /// \param rs_ctx The restart context (NULL disables restart). /// - /// Any sequence of calls to this function should be followed - /// by a call to mbedtls_rsa_complete(), which checks and - /// completes the provided information to a ready-for-use - /// public or private RSA key. + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not + /// valid private keys, or \p P or \p Q are not valid public + /// keys. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not + /// designate a short Weierstrass curve. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_muladd_restartable( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + n: *const mbedtls_mpi, + Q: *const mbedtls_ecp_point, + rs_ctx: *mut mbedtls_ecp_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function checks that a point is a valid public key + /// on this curve. /// - /// \note See mbedtls_rsa_complete() for more information on which - /// parameters are necessary to set up a private or public - /// RSA key. + /// It only checks that the point is non-zero, has + /// valid coordinates and lies on the curve. It does not verify + /// that it is indeed a multiple of \c G. This additional + /// check is computationally more expensive, is not required + /// by standards, and should not be necessary if the group + /// used has a small cofactor. In particular, it is useless for + /// the NIST groups which all have a cofactor of 1. /// - /// \note The imported parameters are copied and need not be preserved - /// for the lifetime of the RSA context being set up. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure, to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \param ctx The initialized RSA context to store the parameters in. - /// \param N The RSA modulus. This may be \c NULL. - /// \param P The first prime factor of \p N. This may be \c NULL. - /// \param Q The second prime factor of \p N. This may be \c NULL. - /// \param D The private exponent. This may be \c NULL. - /// \param E The public exponent. This may be \c NULL. + /// \param grp The ECP group the point should belong to. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The point to check. This must be initialized. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_import( - ctx: *mut mbedtls_rsa_context, - N: *const mbedtls_mpi, - P: *const mbedtls_mpi, - Q: *const mbedtls_mpi, - D: *const mbedtls_mpi, - E: *const mbedtls_mpi, + /// \return \c 0 if the point is a valid public key. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not + /// a valid public key for the given curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_check_pubkey( + grp: *const mbedtls_ecp_group, + pt: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports core RSA parameters, in raw big-endian - /// binary format, into an RSA context. - /// - /// \note This function can be called multiple times for successive - /// imports, if the parameters are not simultaneously present. + /// \brief This function checks that an \c mbedtls_mpi is a + /// valid private key for this curve. /// - /// Any sequence of calls to this function should be followed - /// by a call to mbedtls_rsa_complete(), which checks and - /// completes the provided information to a ready-for-use - /// public or private RSA key. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \note See mbedtls_rsa_complete() for more information on which - /// parameters are necessary to set up a private or public - /// RSA key. + /// \param grp The ECP group the private key should belong to. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The integer to check. This must be initialized. /// - /// \note The imported parameters are copied and need not be preserved - /// for the lifetime of the RSA context being set up. + /// \return \c 0 if the point is a valid private key. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid + /// private key for the given curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_check_privkey( + grp: *const mbedtls_ecp_group, + d: *const mbedtls_mpi, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function generates a private key. /// - /// \param ctx The initialized RSA context to store the parameters in. - /// \param N The RSA modulus. This may be \c NULL. - /// \param N_len The Byte length of \p N; it is ignored if \p N == NULL. - /// \param P The first prime factor of \p N. This may be \c NULL. - /// \param P_len The Byte length of \p P; it is ignored if \p P == NULL. - /// \param Q The second prime factor of \p N. This may be \c NULL. - /// \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. - /// \param D The private exponent. This may be \c NULL. - /// \param D_len The Byte length of \p D; it is ignored if \p D == NULL. - /// \param E The public exponent. This may be \c NULL. - /// \param E_len The Byte length of \p E; it is ignored if \p E == NULL. + /// \param grp The ECP group to generate a private key for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The destination MPI (secret part). This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_import_raw( - ctx: *mut mbedtls_rsa_context, - N: *const ::core::ffi::c_uchar, - N_len: usize, - P: *const ::core::ffi::c_uchar, - P_len: usize, - Q: *const ::core::ffi::c_uchar, - Q_len: usize, - D: *const ::core::ffi::c_uchar, - D_len: usize, - E: *const ::core::ffi::c_uchar, - E_len: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_privkey( + grp: *const mbedtls_ecp_group, + d: *mut mbedtls_mpi, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function completes an RSA context from - /// a set of imported core parameters. - /// - /// To setup an RSA public key, precisely \p N and \p E - /// must have been imported. + /// \brief This function generates a keypair with a configurable base + /// point. /// - /// To setup an RSA private key, sufficient information must - /// be present for the other parameters to be derivable. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// The default implementation supports the following: - ///
  • Derive \p P, \p Q from \p N, \p D, \p E.
    • - ///
  • Derive \p N, \p D from \p P, \p Q, \p E.
- /// Alternative implementations need not support these. + /// \param grp The ECP group to generate a key pair for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param G The base point to use. This must be initialized + /// and belong to \p grp. It replaces the default base + /// point \c grp->G used by mbedtls_ecp_gen_keypair(). + /// \param d The destination MPI (secret part). + /// This must be initialized. + /// \param Q The destination point (public part). + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// If this function runs successfully, it guarantees that - /// the RSA context can be used for RSA operations without - /// the risk of failure or crash. + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_keypair_base( + grp: *mut mbedtls_ecp_group, + G: *const mbedtls_ecp_point, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function generates an ECP keypair. /// - /// \warning This function need not perform consistency checks - /// for the imported parameters. In particular, parameters that - /// are not needed by the implementation might be silently - /// discarded and left unchecked. To check the consistency - /// of the key material, see mbedtls_rsa_check_privkey(). + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \param ctx The initialized RSA context holding imported parameters. + /// \param grp The ECP group to generate a key pair for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The destination MPI (secret part). + /// This must be initialized. + /// \param Q The destination point (public part). + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations - /// failed. - pub fn mbedtls_rsa_complete(ctx: *mut mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_keypair( + grp: *mut mbedtls_ecp_group, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports the core parameters of an RSA key. - /// - /// If this function runs successfully, the non-NULL buffers - /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully - /// written, with additional unused space filled leading by - /// zero Bytes. - /// - /// Possible reasons for returning - /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    - ///
  • An alternative RSA implementation is in use, which - /// stores the key externally, and either cannot or should - /// not export it into RAM.
    • - ///
  • A SW or HW implementation might not support a certain - /// deduction. For example, \p P, \p Q from \p N, \p D, - /// and \p E if the former are not part of the - /// implementation.
- /// - /// If the function fails due to an unsupported operation, - /// the RSA context stays intact and remains usable. + /// \brief This function generates an ECP key. /// - /// \param ctx The initialized RSA context. - /// \param N The MPI to hold the RSA modulus. - /// This may be \c NULL if this field need not be exported. - /// \param P The MPI to hold the first prime factor of \p N. - /// This may be \c NULL if this field need not be exported. - /// \param Q The MPI to hold the second prime factor of \p N. - /// This may be \c NULL if this field need not be exported. - /// \param D The MPI to hold the private exponent. - /// This may be \c NULL if this field need not be exported. - /// \param E The MPI to hold the public exponent. - /// This may be \c NULL if this field need not be exported. + /// \param grp_id The ECP group identifier. + /// \param key The destination key. This must be initialized. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the - /// requested parameters cannot be done due to missing - /// functionality or because of security policies. - /// \return A non-zero return code on any other failure. - pub fn mbedtls_rsa_export( - ctx: *const mbedtls_rsa_context, - N: *mut mbedtls_mpi, - P: *mut mbedtls_mpi, - Q: *mut mbedtls_mpi, - D: *mut mbedtls_mpi, - E: *mut mbedtls_mpi, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports core parameters of an RSA key - /// in raw big-endian binary format. - /// - /// If this function runs successfully, the non-NULL buffers - /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully - /// written, with additional unused space filled leading by - /// zero Bytes. + /// \brief Set the public key in a key pair object. /// - /// Possible reasons for returning - /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    - ///
  • An alternative RSA implementation is in use, which - /// stores the key externally, and either cannot or should - /// not export it into RAM.
    • - ///
  • A SW or HW implementation might not support a certain - /// deduction. For example, \p P, \p Q from \p N, \p D, - /// and \p E if the former are not part of the - /// implementation.
- /// If the function fails due to an unsupported operation, - /// the RSA context stays intact and remains usable. + /// \note This function does not check that the point actually + /// belongs to the given group. Call mbedtls_ecp_check_pubkey() + /// on \p Q before calling this function to check that. /// - /// \note The length parameters are ignored if the corresponding - /// buffer pointers are NULL. + /// \note This function does not check that the public key matches + /// the private key that is already in \p key, if any. + /// To check the consistency of the resulting key pair object, + /// call mbedtls_ecp_check_pub_priv() after setting both + /// the public key and the private key. /// - /// \param ctx The initialized RSA context. - /// \param N The Byte array to store the RSA modulus, - /// or \c NULL if this field need not be exported. - /// \param N_len The size of the buffer for the modulus. - /// \param P The Byte array to hold the first prime factor of \p N, - /// or \c NULL if this field need not be exported. - /// \param P_len The size of the buffer for the first prime factor. - /// \param Q The Byte array to hold the second prime factor of \p N, - /// or \c NULL if this field need not be exported. - /// \param Q_len The size of the buffer for the second prime factor. - /// \param D The Byte array to hold the private exponent, - /// or \c NULL if this field need not be exported. - /// \param D_len The size of the buffer for the private exponent. - /// \param E The Byte array to hold the public exponent, - /// or \c NULL if this field need not be exported. - /// \param E_len The size of the buffer for the public exponent. + /// \param grp_id The ECP group identifier. + /// \param key The key pair object. It must be initialized. + /// If its group has already been set, it must match \p grp_id. + /// If its group has not been set, it will be set to \p grp_id. + /// If the public key has already been set, it is overwritten. + /// \param Q The public key to copy. This must be a point on the + /// curve indicated by \p grp_id. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the - /// requested parameters cannot be done due to missing - /// functionality or because of security policies. - /// \return A non-zero return code on any other failure. - pub fn mbedtls_rsa_export_raw( - ctx: *const mbedtls_rsa_context, - N: *mut ::core::ffi::c_uchar, - N_len: usize, - P: *mut ::core::ffi::c_uchar, - P_len: usize, - Q: *mut ::core::ffi::c_uchar, - Q_len: usize, - D: *mut ::core::ffi::c_uchar, - D_len: usize, - E: *mut ::core::ffi::c_uchar, - E_len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p key does not + /// match \p grp_id. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for + /// the group is not implemented. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_set_public_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports CRT parameters of a private RSA key. + /// \brief This function reads an elliptic curve private key. /// - /// \note Alternative RSA implementations not using CRT-parameters - /// internally can implement this function based on - /// mbedtls_rsa_deduce_opt(). + /// \note This function does not set the public key in the + /// key pair object. Without a public key, the key pair object + /// cannot be used with operations that require the public key. + /// Call mbedtls_ecp_keypair_calc_public() to set the public + /// key from the private key. Alternatively, you can call + /// mbedtls_ecp_set_public_key() to set the public key part, + /// and then optionally mbedtls_ecp_check_pub_priv() to check + /// that the private and public parts are consistent. + /// + /// \note If a public key has already been set in the key pair + /// object, this function does not check that it is consistent + /// with the private key. Call mbedtls_ecp_check_pub_priv() + /// after setting both the public key and the private key + /// to make that check. /// - /// \param ctx The initialized RSA context. - /// \param DP The MPI to hold \c D modulo `P-1`, - /// or \c NULL if it need not be exported. - /// \param DQ The MPI to hold \c D modulo `Q-1`, - /// or \c NULL if it need not be exported. - /// \param QP The MPI to hold modular inverse of \c Q modulo \c P, - /// or \c NULL if it need not be exported. + /// \param grp_id The ECP group identifier. + /// \param key The destination key. + /// \param buf The buffer containing the binary representation of the + /// key. (Big endian integer for Weierstrass curves, byte + /// string for Montgomery curves.) + /// \param buflen The length of the buffer in bytes. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_export_crt( - ctx: *const mbedtls_rsa_context, - DP: *mut mbedtls_mpi, - DQ: *mut mbedtls_mpi, - QP: *mut mbedtls_mpi, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is + /// invalid. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for + /// the group is not implemented. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_read_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + buf: *const ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves the length of RSA modulus in Bytes. + /// \brief This function exports an elliptic curve private key. /// - /// \param ctx The initialized RSA context. + /// \deprecated Note that although this function accepts an output + /// buffer that is smaller or larger than the key, most key + /// import interfaces require the output to have exactly + /// key's nominal length. It is generally simplest to + /// pass the key's nominal length as \c buflen, after + /// checking that the output buffer is large enough. + /// See the description of the \p buflen parameter for + /// how to calculate the nominal length. + /// To avoid this difficulty, use mbedtls_ecp_write_key_ext() + /// instead. + /// mbedtls_ecp_write_key() is deprecated and will be + /// removed in a future version of the library. + /// + /// \note If the private key was not set in \p key, + /// the output is unspecified. Future versions + /// may return an error in that case. /// - /// \return The length of the RSA modulus in Bytes. - pub fn mbedtls_rsa_get_len(ctx: *const mbedtls_rsa_context) -> usize; + /// \param key The private key. + /// \param buf The output buffer for containing the binary representation + /// of the key. + /// For Weierstrass curves, this is the big-endian + /// representation, padded with null bytes at the beginning + /// to reach \p buflen bytes. + /// For Montgomery curves, this is the standard byte string + /// representation (which is little-endian), padded with + /// null bytes at the end to reach \p buflen bytes. + /// \param buflen The total length of the buffer in bytes. + /// The length of the output is + /// (`grp->nbits` + 7) / 8 bytes + /// where `grp->nbits` is the private key size in bits. + /// For Weierstrass keys, if the output buffer is smaller, + /// leading zeros are trimmed to fit if possible. For + /// Montgomery keys, the output buffer must always be large + /// enough for the nominal length. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL or + /// #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the \p key + /// representation is larger than the available space in \p buf. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_write_key( + key: *mut mbedtls_ecp_keypair, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function generates an RSA keypair. - /// - /// \note mbedtls_rsa_init() must be called before this function, - /// to set up the RSA context. + /// \brief This function exports an elliptic curve private key. /// - /// \param ctx The initialized RSA context used to hold the key. - /// \param f_rng The RNG function to be used for key generation. - /// This is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. - /// This may be \c NULL if \p f_rng doesn't need a context. - /// \param nbits The size of the public key in bits. - /// \param exponent The public exponent to use. For example, \c 65537. - /// This must be odd and greater than \c 1. + /// \param key The private key. + /// \param olen On success, the length of the private key. + /// This is always (`grp->nbits` + 7) / 8 bytes + /// where `grp->nbits` is the private key size in bits. + /// \param buf The output buffer for containing the binary representation + /// of the key. + /// \param buflen The total length of the buffer in bytes. + /// #MBEDTLS_ECP_MAX_BYTES is always sufficient. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_gen_key( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - nbits: ::core::ffi::c_uint, - exponent: ::core::ffi::c_int, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key + /// representation is larger than the available space in \p buf. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if no private key is + /// set in \p key. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_write_key_ext( + key: *const mbedtls_ecp_keypair, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks if a context contains at least an RSA - /// public key. + /// \brief This function exports an elliptic curve public key. /// - /// If the function runs successfully, it is guaranteed that - /// enough information is present to perform an RSA public key - /// operation using mbedtls_rsa_public(). + /// \note If the public key was not set in \p key, + /// the output is unspecified. Future versions + /// may return an error in that case. /// - /// \param ctx The initialized RSA context to check. + /// \param key The public key. + /// \param format The point format. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// (For groups without these formats, this parameter is + /// ignored. But it still has to be either of the above + /// values.) + /// \param olen The address at which to store the length of + /// the output in Bytes. This must not be \c NULL. + /// \param buf The output buffer. This must be a writable buffer + /// of length \p buflen Bytes. + /// \param buflen The length of the output buffer \p buf in Bytes. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_pubkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer + /// is too small to hold the point. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format + /// or the export for the given group is not implemented. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_write_public_key( + key: *const mbedtls_ecp_keypair, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks if a context contains an RSA private key - /// and perform basic consistency checks. - /// - /// \note The consistency checks performed by this function not only - /// ensure that mbedtls_rsa_private() can be called successfully - /// on the given context, but that the various parameters are - /// mutually consistent with high probability, in the sense that - /// mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. + /// \brief This function checks that the keypair objects + /// \p pub and \p prv have the same group and the + /// same public point, and that the private key in + /// \p prv is consistent with the public key. /// - /// \warning This function should catch accidental misconfigurations - /// like swapping of parameters, but it cannot establish full - /// trust in neither the quality nor the consistency of the key - /// material that was used to setup the given RSA context: - ///
  • Consistency: Imported parameters that are irrelevant - /// for the implementation might be silently dropped. If dropped, - /// the current function does not have access to them, - /// and therefore cannot check them. See mbedtls_rsa_complete(). - /// If you want to check the consistency of the entire - /// content of a PKCS1-encoded RSA private key, for example, you - /// should use mbedtls_rsa_validate_params() before setting - /// up the RSA context. - /// Additionally, if the implementation performs empirical checks, - /// these checks substantiate but do not guarantee consistency.
    • - ///
  • Quality: This function is not expected to perform - /// extended quality assessments like checking that the prime - /// factors are safe. Additionally, it is the responsibility of the - /// user to ensure the trustworthiness of the source of his RSA - /// parameters, which goes beyond what is effectively checkable - /// by the library.
- /// - /// \param ctx The initialized RSA context to check. + /// \param pub The keypair structure holding the public key. This + /// must be initialized. If it contains a private key, that + /// part is ignored. + /// \param prv The keypair structure holding the full keypair. + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_privkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success, meaning that the keys are valid and match. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match. + /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX + /// error code on calculation failure. + pub fn mbedtls_ecp_check_pub_priv( + pub_: *const mbedtls_ecp_keypair, + prv: *const mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks a public-private RSA key pair. - /// - /// It checks each of the contexts, and makes sure they match. + /// \brief Calculate the public key from a private key in a key pair. /// - /// \param pub The initialized RSA context holding the public key. - /// \param prv The initialized RSA context holding the private key. + /// \param key A keypair structure. It must have a private key set. + /// If the public key is set, it will be overwritten. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_pub_priv( - pub_: *const mbedtls_rsa_context, - prv: *const mbedtls_rsa_context, + /// \return \c 0 on success. The key pair object can be used for + /// operations that require the public key. + /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX + /// error code on calculation failure. + pub fn mbedtls_ecp_keypair_calc_public( + key: *mut mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs an RSA public key operation. - /// - /// \param ctx The initialized RSA context to use. - /// \param input The input buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// - /// \note This function does not handle message padding. + /// \brief Query the group that a key pair belongs to. /// - /// \note Make sure to set \p input[0] = 0 or ensure that - /// input is smaller than \p N. + /// \param key The key pair to query. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_public( - ctx: *mut mbedtls_rsa_context, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return The group ID for the group registered in the key pair + /// object. + /// This is \c MBEDTLS_ECP_DP_NONE if no group has been set + /// in the key pair object. + pub fn mbedtls_ecp_keypair_get_group_id( + key: *const mbedtls_ecp_keypair, + ) -> mbedtls_ecp_group_id; } unsafe extern "C" { - /// \brief This function performs an RSA private key operation. - /// - /// \note Blinding is used if and only if a PRNG is provided. + /// \brief This function exports generic key-pair parameters. /// - /// \note If blinding is used, both the base of exponentiation - /// and the exponent are blinded, providing protection - /// against some side-channel attacks. + /// Each of the output parameters can be a null pointer + /// if you do not need that parameter. /// - /// \warning It is deprecated and a security risk to not provide - /// a PRNG here and thereby prevent the use of blinding. - /// Future versions of the library may enforce the presence - /// of a PRNG. + /// \note If the private key or the public key was not set in \p key, + /// the corresponding output is unspecified. Future versions + /// may return an error in that case. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function, used for blinding. It is mandatory. - /// \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context. - /// \param input The input buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \param key The key pair to export from. + /// \param grp Slot for exported ECP group. + /// It must either be null or point to an initialized ECP group. + /// \param d Slot for the exported secret value. + /// It must either be null or point to an initialized mpi. + /// \param Q Slot for the exported public value. + /// It must either be null or point to an initialized ECP point. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_private( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, + /// \return \c 0 on success, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't + /// correspond to a known group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_export( + key: *const mbedtls_ecp_keypair, + grp: *mut mbedtls_ecp_group, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function adds the message padding, then performs an RSA - /// operation. - /// - /// It is the generic wrapper for performing a PKCS#1 encryption - /// operation. - /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG to use. It is used for padding generation - /// and it is mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. May be - /// \c NULL if \p f_rng doesn't need a context argument. - /// \param ilen The length of the plaintext in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \brief The ECP checkup routine. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return \c 1 on failure. + pub fn mbedtls_ecp_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief The RSA context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_rsa_context { + ///< Reserved for internal purposes. + /// Do not set this field in application + /// code. Its meaning might change without + /// notice. + pub private_ver: ::core::ffi::c_int, + ///< The size of \p N in Bytes. + pub private_len: usize, + ///< The public modulus. + pub private_N: mbedtls_mpi, + ///< The public exponent. + pub private_E: mbedtls_mpi, + ///< The private exponent. + pub private_D: mbedtls_mpi, + ///< The first prime factor. + pub private_P: mbedtls_mpi, + ///< The second prime factor. + pub private_Q: mbedtls_mpi, + ///< D % (P - 1). + pub private_DP: mbedtls_mpi, + ///< D % (Q - 1). + pub private_DQ: mbedtls_mpi, + ///< 1 / (Q % P). + pub private_QP: mbedtls_mpi, + ///< cached R^2 mod N. + pub private_RN: mbedtls_mpi, + ///< cached R^2 mod P. + pub private_RP: mbedtls_mpi, + ///< cached R^2 mod Q. + pub private_RQ: mbedtls_mpi, + ///< The cached blinding value. + pub private_Vi: mbedtls_mpi, + ///< The cached un-blinding value. + pub private_Vf: mbedtls_mpi, + ///< Selects padding mode: + ///#MBEDTLS_RSA_PKCS_V15 for 1.5 padding and + ///#MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. + pub private_padding: ::core::ffi::c_int, + ///< Hash identifier of mbedtls_md_type_t type, + ///as specified in md.h for use in the MGF + ///mask generating function used in the + ///EME-OAEP and EMSA-PSS encodings. + pub private_hash_id: ::core::ffi::c_int, +} +impl Default for mbedtls_rsa_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 encryption operation - /// (RSAES-PKCS1-v1_5-ENCRYPT). + /// \brief This function initializes an RSA context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. It is mandatory and used for - /// padding generation. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// \param ilen The length of the plaintext in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note This function initializes the padding and the hash + /// identifier to respectively #MBEDTLS_RSA_PKCS_V15 and + /// #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more + /// information about those parameters. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_pkcs1_v15_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param ctx The RSA context to initialize. This must not be \c NULL. + pub fn mbedtls_rsa_init(ctx: *mut mbedtls_rsa_context); } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 OAEP encryption - /// operation (RSAES-OAEP-ENCRYPT). - /// - /// \note The output buffer must be as large as the size - /// of ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// \brief This function sets padding for an already initialized RSA + /// context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. This is needed for padding - /// generation and is mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// \param label The buffer holding the custom label to use. - /// This must be a readable buffer of length \p label_len - /// Bytes. It may be \c NULL if \p label_len is \c 0. - /// \param label_len The length of the label in Bytes. - /// \param ilen The length of the plaintext buffer \p input in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP + /// encryption scheme and the RSASSA-PSS signature scheme. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_oaep_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - label: *const ::core::ffi::c_uchar, - label_len: usize, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function performs an RSA operation, then removes the - /// message padding. + /// \note The \p hash_id parameter is ignored when using + /// #MBEDTLS_RSA_PKCS_V15 padding. /// - /// It is the generic wrapper for performing a PKCS#1 decryption - /// operation. + /// \note The choice of padding mode is strictly enforced for private + /// key operations, since there might be security concerns in + /// mixing padding modes. For public key operations it is + /// a default value, which can be overridden by calling specific + /// \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx + /// functions. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N (for example, - /// 128 Bytes if RSA-1024 is used) to be able to hold an - /// arbitrary decrypted message. If it is not large enough to - /// hold the decryption of the particular ciphertext provided, - /// the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \note The hash selected in \p hash_id is always used for OEAP + /// encryption. For PSS signatures, it is always used for + /// making signatures, but can be overridden for verifying them. + /// If set to #MBEDTLS_MD_NONE, it is always overridden. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// \param ctx The initialized RSA context to be configured. + /// \param padding The padding mode to use. This must be either + /// #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. + /// \param hash_id The hash identifier for PSS or OAEP, if \p padding is + /// #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this + /// function but may be not suitable for some operations. + /// Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_decrypt( + /// \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: + /// \p padding or \p hash_id is invalid. + pub fn mbedtls_rsa_set_padding( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, + padding: ::core::ffi::c_int, + hash_id: mbedtls_md_type_t, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 decryption - /// operation (RSAES-PKCS1-v1_5-DECRYPT). + /// \brief This function retrieves padding mode of initialized + /// RSA context. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N, for example, - /// 128 Bytes if RSA-1024 is used, to be able to hold an - /// arbitrary decrypted message. If it is not large enough to - /// hold the decryption of the particular ciphertext provided, - /// the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \param ctx The initialized RSA context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// \return RSA padding mode. + pub fn mbedtls_rsa_get_padding_mode(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function retrieves hash identifier of mbedtls_md_type_t + /// type. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_pkcs1_v15_decrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The initialized RSA context. + /// + /// \return Hash identifier of mbedtls_md_type_t type. + pub fn mbedtls_rsa_get_md_alg(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 OAEP decryption - /// operation (RSAES-OAEP-DECRYPT). + /// \brief This function imports a set of core parameters into an + /// RSA context. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N, for - /// example, 128 Bytes if RSA-1024 is used, to be able to - /// hold an arbitrary decrypted message. If it is not - /// large enough to hold the decryption of the particular - /// ciphertext provided, the function returns - /// #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \note This function can be called multiple times for successive + /// imports, if the parameters are not simultaneously present. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param label The buffer holding the custom label to use. - /// This must be a readable buffer of length \p label_len - /// Bytes. It may be \c NULL if \p label_len is \c 0. - /// \param label_len The length of the label in Bytes. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// Any sequence of calls to this function should be followed + /// by a call to mbedtls_rsa_complete(), which checks and + /// completes the provided information to a ready-for-use + /// public or private RSA key. + /// + /// \note See mbedtls_rsa_complete() for more information on which + /// parameters are necessary to set up a private or public + /// RSA key. + /// + /// \note The imported parameters are copied and need not be preserved + /// for the lifetime of the RSA context being set up. + /// + /// \param ctx The initialized RSA context to store the parameters in. + /// \param N The RSA modulus. This may be \c NULL. + /// \param P The first prime factor of \p N. This may be \c NULL. + /// \param Q The second prime factor of \p N. This may be \c NULL. + /// \param D The private exponent. This may be \c NULL. + /// \param E The public exponent. This may be \c NULL. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_oaep_decrypt( + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_import( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - label: *const ::core::ffi::c_uchar, - label_len: usize, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, + N: *const mbedtls_mpi, + P: *const mbedtls_mpi, + Q: *const mbedtls_mpi, + D: *const mbedtls_mpi, + E: *const mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a private RSA operation to sign - /// a message digest using PKCS#1. + /// \brief This function imports core RSA parameters, in raw big-endian + /// binary format, into an RSA context. /// - /// It is the generic wrapper for performing a PKCS#1 - /// signature. + /// \note This function can be called multiple times for successive + /// imports, if the parameters are not simultaneously present. /// - /// \note The \p sig buffer must be as large as the size - /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// Any sequence of calls to this function should be followed + /// by a call to mbedtls_rsa_complete(), which checks and + /// completes the provided information to a ready-for-use + /// public or private RSA key. /// - /// \note For PKCS#1 v2.1 encoding, see comments on - /// mbedtls_rsa_rsassa_pss_sign() for details on - /// \p md_alg and \p hash_id. + /// \note See mbedtls_rsa_complete() for more information on which + /// parameters are necessary to set up a private or public + /// RSA key. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. This is mandatory and - /// must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// \note The imported parameters are copied and need not be preserved + /// for the lifetime of the RSA context being set up. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_sign( + /// \param ctx The initialized RSA context to store the parameters in. + /// \param N The RSA modulus. This may be \c NULL. + /// \param N_len The Byte length of \p N; it is ignored if \p N == NULL. + /// \param P The first prime factor of \p N. This may be \c NULL. + /// \param P_len The Byte length of \p P; it is ignored if \p P == NULL. + /// \param Q The second prime factor of \p N. This may be \c NULL. + /// \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. + /// \param D The private exponent. This may be \c NULL. + /// \param D_len The Byte length of \p D; it is ignored if \p D == NULL. + /// \param E The public exponent. This may be \c NULL. + /// \param E_len The Byte length of \p E; it is ignored if \p E == NULL. + /// + /// \return \c 0 on success. + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_import_raw( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, + N: *const ::core::ffi::c_uchar, + N_len: usize, + P: *const ::core::ffi::c_uchar, + P_len: usize, + Q: *const ::core::ffi::c_uchar, + Q_len: usize, + D: *const ::core::ffi::c_uchar, + D_len: usize, + E: *const ::core::ffi::c_uchar, + E_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 signature - /// operation (RSASSA-PKCS1-v1_5-SIGN). + /// \brief This function completes an RSA context from + /// a set of imported core parameters. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// To setup an RSA public key, precisely \c N and \c E + /// must have been imported. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pkcs1_v15_sign( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS signature - /// operation (RSASSA-PSS-SIGN). + /// To setup an RSA private key, sufficient information must + /// be present for the other parameters to be derivable. /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. + /// The default implementation supports the following: + ///
  • Derive \c P, \c Q from \c N, \c D, \c E.
    • + ///
  • Derive \c N, \c D from \c P, \c Q, \c E.
+ /// Alternative implementations need not support these. /// - /// \note This function enforces that the provided salt length complies - /// with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 - /// step 3. The constraint is that the hash length plus the salt - /// length plus 2 bytes must be at most the key length. If this - /// constraint is not met, this function returns - /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. + /// If this function runs successfully, it guarantees that + /// the RSA context can be used for RSA operations without + /// the risk of failure or crash. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param saltlen The length of the salt that should be used. - /// If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use - /// the largest possible salt length up to the hash length, - /// which is the largest permitted by some standards including - /// FIPS 186-4 §5.5. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// \warning This function need not perform consistency checks + /// for the imported parameters. In particular, parameters that + /// are not needed by the implementation might be silently + /// discarded and left unchecked. To check the consistency + /// of the key material, see mbedtls_rsa_check_privkey(). /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_sign_ext( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - saltlen: ::core::ffi::c_int, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param ctx The initialized RSA context holding imported parameters. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations + /// failed. + pub fn mbedtls_rsa_complete(ctx: *mut mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS signature - /// operation (RSASSA-PSS-SIGN). + /// \brief This function exports the core parameters of an RSA key. /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. + /// If this function runs successfully, the non-NULL buffers + /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + /// written, with additional unused space filled leading by + /// zero Bytes. /// - /// \note This function always uses the maximum possible salt size, - /// up to the length of the payload hash. This choice of salt - /// size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 - /// v2.2) §9.1.1 step 3. Furthermore this function enforces a - /// minimum salt size which is the hash size minus 2 bytes. If - /// this minimum size is too large given the key size (the salt - /// size, plus the hash size, plus 2 bytes must be no more than - /// the key size in bytes), this function returns - /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. + /// Possible reasons for returning + /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    + ///
  • An alternative RSA implementation is in use, which + /// stores the key externally, and either cannot or should + /// not export it into RAM.
    • + ///
  • A SW or HW implementation might not support a certain + /// deduction. For example, \p P, \p Q from \p N, \p D, + /// and \p E if the former are not part of the + /// implementation.
/// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// If the function fails due to an unsupported operation, + /// the RSA context stays intact and remains usable. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_sign( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, + /// \param ctx The initialized RSA context. + /// \param N The MPI to hold the RSA modulus. + /// This may be \c NULL if this field need not be exported. + /// \param P The MPI to hold the first prime factor of \p N. + /// This may be \c NULL if this field need not be exported. + /// \param Q The MPI to hold the second prime factor of \p N. + /// This may be \c NULL if this field need not be exported. + /// \param D The MPI to hold the private exponent. + /// This may be \c NULL if this field need not be exported. + /// \param E The MPI to hold the public exponent. + /// This may be \c NULL if this field need not be exported. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the + /// requested parameters cannot be done due to missing + /// functionality or because of security policies. + /// \return A non-zero return code on any other failure. + pub fn mbedtls_rsa_export( + ctx: *const mbedtls_rsa_context, + N: *mut mbedtls_mpi, + P: *mut mbedtls_mpi, + Q: *mut mbedtls_mpi, + D: *mut mbedtls_mpi, + E: *mut mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a public RSA operation and checks - /// the message digest. - /// - /// This is the generic wrapper for performing a PKCS#1 - /// verification. + /// \brief This function exports core parameters of an RSA key + /// in raw big-endian binary format. /// - /// \note For PKCS#1 v2.1 encoding, see comments on - /// mbedtls_rsa_rsassa_pss_verify() about \p md_alg and - /// \p hash_id. + /// If this function runs successfully, the non-NULL buffers + /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + /// written, with additional unused space filled leading by + /// zero Bytes. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// Possible reasons for returning + /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    + ///
  • An alternative RSA implementation is in use, which + /// stores the key externally, and either cannot or should + /// not export it into RAM.
    • + ///
  • A SW or HW implementation might not support a certain + /// deduction. For example, \p P, \p Q from \p N, \p D, + /// and \p E if the former are not part of the + /// implementation.
+ /// If the function fails due to an unsupported operation, + /// the RSA context stays intact and remains usable. /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, + /// \note The length parameters are ignored if the corresponding + /// buffer pointers are NULL. + /// + /// \param ctx The initialized RSA context. + /// \param N The Byte array to store the RSA modulus, + /// or \c NULL if this field need not be exported. + /// \param N_len The size of the buffer for the modulus. + /// \param P The Byte array to hold the first prime factor of \p N, + /// or \c NULL if this field need not be exported. + /// \param P_len The size of the buffer for the first prime factor. + /// \param Q The Byte array to hold the second prime factor of \p N, + /// or \c NULL if this field need not be exported. + /// \param Q_len The size of the buffer for the second prime factor. + /// \param D The Byte array to hold the private exponent, + /// or \c NULL if this field need not be exported. + /// \param D_len The size of the buffer for the private exponent. + /// \param E The Byte array to hold the public exponent, + /// or \c NULL if this field need not be exported. + /// \param E_len The size of the buffer for the public exponent. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the + /// requested parameters cannot be done due to missing + /// functionality or because of security policies. + /// \return A non-zero return code on any other failure. + pub fn mbedtls_rsa_export_raw( + ctx: *const mbedtls_rsa_context, + N: *mut ::core::ffi::c_uchar, + N_len: usize, + P: *mut ::core::ffi::c_uchar, + P_len: usize, + Q: *mut ::core::ffi::c_uchar, + Q_len: usize, + D: *mut ::core::ffi::c_uchar, + D_len: usize, + E: *mut ::core::ffi::c_uchar, + E_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 verification - /// operation (RSASSA-PKCS1-v1_5-VERIFY). + /// \brief This function exports CRT parameters of a private RSA key. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note Alternative RSA implementations not using CRT-parameters + /// internally can implement this function based on + /// mbedtls_rsa_deduce_opt(). /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pkcs1_v15_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, + /// \param ctx The initialized RSA context. + /// \param DP The MPI to hold \c D modulo `P-1`, + /// or \c NULL if it need not be exported. + /// \param DQ The MPI to hold \c D modulo `Q-1`, + /// or \c NULL if it need not be exported. + /// \param QP The MPI to hold modular inverse of \c Q modulo \c P, + /// or \c NULL if it need not be exported. + /// + /// \return \c 0 on success. + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_export_crt( + ctx: *const mbedtls_rsa_context, + DP: *mut mbedtls_mpi, + DQ: *mut mbedtls_mpi, + QP: *mut mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS verification - /// operation (RSASSA-PSS-VERIFY). - /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. If the \c hash_id set in \p ctx by - /// mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg - /// parameter is used. + /// \brief This function retrieves the length of the RSA modulus in bits. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \param ctx The initialized RSA context. /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return The length of the RSA modulus in bits. + pub fn mbedtls_rsa_get_bitlen(ctx: *const mbedtls_rsa_context) -> usize; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS verification - /// operation (RSASSA-PSS-VERIFY). + /// \brief This function retrieves the length of RSA modulus in Bytes. /// - /// \note The \p sig buffer must be as large as the size - /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// \param ctx The initialized RSA context. /// - /// \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is - /// ignored. + /// \return The length of the RSA modulus in Bytes. + pub fn mbedtls_rsa_get_len(ctx: *const mbedtls_rsa_context) -> usize; +} +unsafe extern "C" { + /// \brief This function generates an RSA keypair. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param mgf1_hash_id The message digest algorithm used for the - /// verification operation and the mask generation - /// function (MGF1). For more details on the encoding - /// operation and the mask generation function, consult - /// RFC-3447: Public-Key Cryptography Standards - /// (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. - /// \param expected_salt_len The length of the salt used in padding. Use - /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note mbedtls_rsa_init() must be called before this function, + /// to set up the RSA context. /// - /// \return \c 0 if the verify operation was successful. + /// \param ctx The initialized RSA context used to hold the key. + /// \param f_rng The RNG function to be used for key generation. + /// This is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. + /// This may be \c NULL if \p f_rng doesn't need a context. + /// \param nbits The size of the public key in bits. + /// \param exponent The public exponent to use. For example, \c 65537. + /// This must be odd and greater than \c 1. + /// + /// \return \c 0 on success. /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_verify_ext( + pub fn mbedtls_rsa_gen_key( ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - mgf1_hash_id: mbedtls_md_type_t, - expected_salt_len: ::core::ffi::c_int, - sig: *const ::core::ffi::c_uchar, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + nbits: ::core::ffi::c_uint, + exponent: ::core::ffi::c_int, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function copies the components of an RSA context. + /// \brief This function checks if a context contains at least an RSA + /// public key. /// - /// \param dst The destination context. This must be initialized. - /// \param src The source context. This must be initialized. + /// If the function runs successfully, it is guaranteed that + /// enough information is present to perform an RSA public key + /// operation using mbedtls_rsa_public(). + /// + /// \param ctx The initialized RSA context to check. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. - pub fn mbedtls_rsa_copy( - dst: *mut mbedtls_rsa_context, - src: *const mbedtls_rsa_context, - ) -> ::core::ffi::c_int; + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_pubkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function frees the components of an RSA key. + /// \brief This function checks if a context contains an RSA private key + /// and perform basic consistency checks. /// - /// \param ctx The RSA context to free. May be \c NULL, in which case - /// this function is a no-op. If it is not \c NULL, it must - /// point to an initialized RSA context. - pub fn mbedtls_rsa_free(ctx: *mut mbedtls_rsa_context); + /// \note The consistency checks performed by this function not only + /// ensure that mbedtls_rsa_private() can be called successfully + /// on the given context, but that the various parameters are + /// mutually consistent with high probability, in the sense that + /// mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. + /// + /// \warning This function should catch accidental misconfigurations + /// like swapping of parameters, but it cannot establish full + /// trust in neither the quality nor the consistency of the key + /// material that was used to setup the given RSA context: + ///
  • Consistency: Imported parameters that are irrelevant + /// for the implementation might be silently dropped. If dropped, + /// the current function does not have access to them, + /// and therefore cannot check them. See mbedtls_rsa_complete(). + /// If you want to check the consistency of the entire + /// content of a PKCS1-encoded RSA private key, for example, you + /// should use mbedtls_rsa_validate_params() before setting + /// up the RSA context. + /// Additionally, if the implementation performs empirical checks, + /// these checks substantiate but do not guarantee consistency.
    • + ///
  • Quality: This function is not expected to perform + /// extended quality assessments like checking that the prime + /// factors are safe. Additionally, it is the responsibility of the + /// user to ensure the trustworthiness of the source of his RSA + /// parameters, which goes beyond what is effectively checkable + /// by the library.
+ /// + /// \param ctx The initialized RSA context to check. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_privkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief The RSA checkup routine. + /// \brief This function checks a public-private RSA key pair. + /// + /// It checks each of the contexts, and makes sure they match. + /// + /// \param pub The initialized RSA context holding the public key. + /// \param prv The initialized RSA context holding the private key. /// /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_rsa_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -/// \brief The ECDSA context structure. -/// -/// \warning Performing multiple operations concurrently on the same -/// ECDSA context is not supported; objects of this type -/// should not be shared between multiple threads. -/// -/// \note pk_wrap module assumes that "ecdsa_context" is identical -/// to "ecp_keypair" (see for example structure -/// "mbedtls_eckey_info" where ECDSA sign/verify functions -/// are used also for EC key) -pub type mbedtls_ecdsa_context = mbedtls_ecp_keypair; -pub type mbedtls_ecdsa_restart_ctx = ::core::ffi::c_void; + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_pub_priv( + pub_: *const mbedtls_rsa_context, + prv: *const mbedtls_rsa_context, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { - /// \brief This function checks whether a given group can be used - /// for ECDSA. + /// \brief This function performs an RSA public key operation. /// - /// \param gid The ECP group ID to check. + /// \param ctx The initialized RSA context to use. + /// \param input The input buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 1 if the group can be used, \c 0 otherwise - pub fn mbedtls_ecdsa_can_do(gid: mbedtls_ecp_group_id) -> ::core::ffi::c_int; + /// \note This function does not handle message padding. + /// + /// \note Make sure to set \p input[0] = 0 or ensure that + /// input is smaller than \c N. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_public( + ctx: *mut mbedtls_rsa_context, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message. + /// \brief This function performs an RSA private key operation. /// - /// \note The deterministic version implemented in - /// mbedtls_ecdsa_sign_det_ext() is usually preferred. + /// \note Blinding is used if and only if a PRNG is provided. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated - /// as defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. + /// \note If blinding is used, both the base of exponentiation + /// and the exponent are blinded, providing protection + /// against some side-channel attacks. /// - /// \see ecp.h + /// \warning It is deprecated and a security risk to not provide + /// a PRNG here and thereby prevent the use of blinding. + /// Future versions of the library may enforce the presence + /// of a PRNG. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized. - /// \param buf The content to be signed. This is usually the hash of - /// the original data to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function, used for blinding. It is mandatory. + /// \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context. + /// \param input The input buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX - /// or \c MBEDTLS_MPI_XXX error code on failure. - pub fn mbedtls_ecdsa_sign( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_private( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, deterministic version. + /// \brief This function adds the message padding, then performs an RSA + /// operation. /// - /// For more information, see RFC-6979: Deterministic - /// Usage of the Digital Signature Algorithm (DSA) and Elliptic - /// Curve Digital Signature Algorithm (ECDSA). + /// It is the generic wrapper for performing a PKCS#1 encryption + /// operation. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG to use. It is used for padding generation + /// and it is mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. May be + /// \c NULL if \p f_rng doesn't need a context argument. + /// \param ilen The length of the plaintext in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \see ecp.h + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a PKCS#1 v1.5 encryption operation + /// (RSAES-PKCS1-v1_5-ENCRYPT). /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param md_alg The hash algorithm used to hash the original data. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. It is mandatory and used for + /// padding generation. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. + /// \param ilen The length of the plaintext in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_det_ext( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - md_alg: mbedtls_md_type_t, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_pkcs1_v15_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, in a restartable way. + /// \brief This function performs a PKCS#1 v2.1 OAEP encryption + /// operation (RSAES-OAEP-ENCRYPT). /// - /// \note The deterministic version implemented in - /// mbedtls_ecdsa_sign_det_restartable() is usually - /// preferred. + /// \note The output buffer must be as large as the size + /// of ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \note This function is like \c mbedtls_ecdsa_sign() but - /// it can return early and restart according to the - /// limit set with \c mbedtls_ecp_set_max_ops() to - /// reduce blocking. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. This is needed for padding + /// generation and is mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. + /// \param label The buffer holding the custom label to use. + /// This must be a readable buffer of length \p label_len + /// Bytes. It may be \c NULL if \p label_len is \c 0. + /// \param label_len The length of the label in Bytes. + /// \param ilen The length of the plaintext buffer \p input in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \note If the bitlength of the message hash is larger - /// than the bitlength of the group order, then the - /// hash is truncated as defined in Standards for - /// Efficient Cryptography Group (SECG): SEC1 Elliptic - /// Curve Cryptography, section 4.1.3, step 5. + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_oaep_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + label: *const ::core::ffi::c_uchar, + label_len: usize, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs an RSA operation, then removes the + /// message padding. /// - /// \see ecp.h + /// It is the generic wrapper for performing a PKCS#1 decryption + /// operation. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through - /// mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param rs_ctx The restart context to use. This may be \c NULL - /// to disable restarting. If it is not \c NULL, it - /// must point to an initialized restart context. + /// \warning When \p ctx->padding is set to #MBEDTLS_RSA_PKCS_V15, + /// mbedtls_rsa_rsaes_pkcs1_v15_decrypt() is called, which is an + /// inherently dangerous function (CWE-242). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c - /// mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c - /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_restartable( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N (for example, + /// 128 Bytes if RSA-1024 is used) to be able to hold an + /// arbitrary decrypted message. If it is not large enough to + /// hold the decryption of the particular ciphertext provided, + /// the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, in a restartable way. - /// - /// \note This function is like \c - /// mbedtls_ecdsa_sign_det_ext() but it can return - /// early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \brief This function performs a PKCS#1 v1.5 decryption + /// operation (RSAES-PKCS1-v1_5-DECRYPT). /// - /// \note If the bitlength of the message hash is larger - /// than the bitlength of the group order, then the - /// hash is truncated as defined in Standards for - /// Efficient Cryptography Group (SECG): SEC1 Elliptic - /// Curve Cryptography, section 4.1.3, step 5. + /// \warning This is an inherently dangerous function (CWE-242). Unless + /// it is used in a side channel free and safe way (eg. + /// implementing the TLS protocol as per 7.4.7.1 of RFC 5246), + /// the calling code is vulnerable. /// - /// \see ecp.h + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N, for example, + /// 128 Bytes if RSA-1024 is used, to be able to hold an + /// arbitrary decrypted message. If it is not large enough to + /// hold the decryption of the particular ciphertext provided, + /// the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through - /// mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param md_alg The hash algorithm used to hash the original data. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param rs_ctx The restart context to use. This may be \c NULL - /// to disable restarting. If it is not \c NULL, it - /// must point to an initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c - /// mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c - /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_det_restartable( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - md_alg: mbedtls_md_type_t, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_pkcs1_v15_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function verifies the ECDSA signature of a - /// previously-hashed message. - /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// \brief This function performs a PKCS#1 v2.1 OAEP decryption + /// operation (RSAES-OAEP-DECRYPT). /// - /// \see ecp.h + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N, for + /// example, 128 Bytes if RSA-1024 is used, to be able to + /// hold an arbitrary decrypted message. If it is not + /// large enough to hold the decryption of the particular + /// ciphertext provided, the function returns + /// #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param buf The hashed content that was signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param Q The public key to use for verification. This must be - /// initialized and setup. - /// \param r The first integer of the signature. - /// This must be initialized. - /// \param s The second integer of the signature. - /// This must be initialized. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param label The buffer holding the custom label to use. + /// This must be a readable buffer of length \p label_len + /// Bytes. It may be \c NULL if \p label_len is \c 0. + /// \param label_len The length of the label in Bytes. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_verify( - grp: *mut mbedtls_ecp_group, - buf: *const ::core::ffi::c_uchar, - blen: usize, - Q: *const mbedtls_ecp_point, - r: *const mbedtls_mpi, - s: *const mbedtls_mpi, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_oaep_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + label: *const ::core::ffi::c_uchar, + label_len: usize, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function verifies the ECDSA signature of a - /// previously-hashed message, in a restartable manner + /// \brief This function performs a private RSA operation to sign + /// a message digest using PKCS#1. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// It is the generic wrapper for performing a PKCS#1 + /// signature. /// - /// \see ecp.h + /// \note The \p sig buffer must be as large as the size + /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param buf The hashed content that was signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param Q The public key to use for verification. This must be - /// initialized and setup. - /// \param r The first integer of the signature. - /// This must be initialized. - /// \param s The second integer of the signature. - /// This must be initialized. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_verify_restartable( - grp: *mut mbedtls_ecp_group, - buf: *const ::core::ffi::c_uchar, - blen: usize, - Q: *const mbedtls_ecp_point, - r: *const mbedtls_mpi, - s: *const mbedtls_mpi, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function computes the ECDSA signature and writes it - /// to a buffer, serialized as defined in RFC-4492: - /// Elliptic Curve Cryptography (ECC) Cipher Suites for - /// Transport Layer Security (TLS). - /// - /// \warning It is not thread-safe to use the same context in - /// multiple threads. - /// - /// \note The deterministic version is used if - /// #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more - /// information, see RFC-6979: Deterministic Usage - /// of the Digital Signature Algorithm (DSA) and Elliptic - /// Curve Digital Signature Algorithm (ECDSA). - /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. - /// - /// \see ecp.h + /// \note For PKCS#1 v2.1 encoding, see comments on + /// mbedtls_rsa_rsassa_pss_sign() for details on + /// \p md_alg and \p hash_id. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and private key bound to it, for example - /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). - /// \param md_alg The message digest that was used to hash the message. - /// \param hash The message hash to be signed. This must be a readable - /// buffer of length \p blen Bytes. - /// \param hlen The length of the hash \p hash in Bytes. - /// \param sig The buffer to which to write the signature. This must be a - /// writable buffer of length at least twice as large as the - /// size of the curve used, plus 9. For example, 73 Bytes if - /// a 256-bit curve is used. A buffer length of - /// #MBEDTLS_ECDSA_MAX_LEN is always safe. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param slen The address at which to store the actual length of - /// the signature written. Must not be \c NULL. - /// \param f_rng The RNG function. This must not be \c NULL if - /// #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, - /// it is used only for blinding and may be set to \c NULL, but - /// doing so is DEPRECATED. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. This is mandatory and + /// must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or - /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. - pub fn mbedtls_ecdsa_write_signature( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - slen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature and writes it - /// to a buffer, in a restartable way. - /// - /// \see \c mbedtls_ecdsa_write_signature() - /// - /// \note This function is like \c mbedtls_ecdsa_write_signature() - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \brief This function performs a PKCS#1 v1.5 signature + /// operation (RSASSA-PKCS1-v1_5-SIGN). /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and private key bound to it, for example - /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). - /// \param md_alg The message digest that was used to hash the message. - /// \param hash The message hash to be signed. This must be a readable - /// buffer of length \p blen Bytes. - /// \param hlen The length of the hash \p hash in Bytes. - /// \param sig The buffer to which to write the signature. This must be a - /// writable buffer of length at least twice as large as the - /// size of the curve used, plus 9. For example, 73 Bytes if - /// a 256-bit curve is used. A buffer length of - /// #MBEDTLS_ECDSA_MAX_LEN is always safe. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param slen The address at which to store the actual length of - /// the signature written. Must not be \c NULL. - /// \param f_rng The RNG function. This must not be \c NULL if - /// #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, - /// it is unused and may be set to \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng is \c NULL or doesn't use a context. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or - /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. - pub fn mbedtls_ecdsa_write_signature_restartable( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pkcs1_v15_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - slen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function reads and verifies an ECDSA signature. + /// \brief This function performs a PKCS#1 v2.1 PSS signature + /// operation (RSASSA-PSS-SIGN). /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. /// - /// \see ecp.h + /// \note This function enforces that the provided salt length complies + /// with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 + /// step 3. The constraint is that the hash length plus the salt + /// length plus 2 bytes must be at most the key length. If this + /// constraint is not met, this function returns + /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and public key bound to it. - /// \param hash The message hash that was signed. This must be a readable - /// buffer of length \p size Bytes. - /// \param hlen The size of the hash \p hash. - /// \param sig The signature to read and verify. This must be a readable - /// buffer of length \p slen Bytes. - /// \param slen The size of \p sig in Bytes. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param saltlen The length of the salt that should be used. + /// If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use + /// the largest possible salt length up to the hash length, + /// which is the largest permitted by some standards including + /// FIPS 186-4 §5.5. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. - /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid - /// signature in \p sig, but its length is less than \p siglen. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX - /// error code on failure for any other reason. - pub fn mbedtls_ecdsa_read_signature( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_sign_ext( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, - sig: *const ::core::ffi::c_uchar, - slen: usize, + saltlen: ::core::ffi::c_int, + sig: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function reads and verifies an ECDSA signature, - /// in a restartable way. + /// \brief This function performs a PKCS#1 v2.1 PSS signature + /// operation (RSASSA-PSS-SIGN). /// - /// \see \c mbedtls_ecdsa_read_signature() + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. /// - /// \note This function is like \c mbedtls_ecdsa_read_signature() - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \note This function always uses the maximum possible salt size, + /// up to the length of the payload hash. This choice of salt + /// size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 + /// v2.2) §9.1.1 step 3. Furthermore this function enforces a + /// minimum salt size which is the hash size minus 2 bytes. If + /// this minimum size is too large given the key size (the salt + /// size, plus the hash size, plus 2 bytes must be no more than + /// the key size in bytes), this function returns + /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and public key bound to it. - /// \param hash The message hash that was signed. This must be a readable - /// buffer of length \p size Bytes. - /// \param hlen The size of the hash \p hash. - /// \param sig The signature to read and verify. This must be a readable - /// buffer of length \p slen Bytes. - /// \param slen The size of \p sig in Bytes. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. - /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid - /// signature in \p sig, but its length is less than \p siglen. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX - /// error code on failure for any other reason. - pub fn mbedtls_ecdsa_read_signature_restartable( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a public RSA operation and checks + /// the message digest. + /// + /// This is the generic wrapper for performing a PKCS#1 + /// verification. + /// + /// \note For PKCS#1 v2.1 encoding, see comments on + /// mbedtls_rsa_rsassa_pss_verify() about \c md_alg and + /// \c hash_id. + /// + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *const ::core::ffi::c_uchar, - slen: usize, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function generates an ECDSA keypair on the given curve. + /// \brief This function performs a PKCS#1 v1.5 verification + /// operation (RSASSA-PKCS1-v1_5-VERIFY). /// - /// \see ecp.h + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \param ctx The ECDSA context to store the keypair in. - /// This must be initialized. - /// \param gid The elliptic curve to use. One of the various - /// \c MBEDTLS_ECP_DP_XXX macros depending on configuration. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context argument. + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pkcs1_v15_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a PKCS#1 v2.1 PSS verification + /// operation (RSASSA-PSS-VERIFY). /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. - pub fn mbedtls_ecdsa_genkey( - ctx: *mut mbedtls_ecdsa_context, - gid: mbedtls_ecp_group_id, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. If the \c hash_id set in \p ctx by + /// mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg + /// parameter is used. + /// + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *const ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets up an ECDSA context from an EC key pair. + /// \brief This function performs a PKCS#1 v2.1 PSS verification + /// operation (RSASSA-PSS-VERIFY). /// - /// \see ecp.h + /// \note The \p sig buffer must be as large as the size + /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \param ctx The ECDSA context to setup. This must be initialized. - /// \param key The EC key to use. This must be initialized and hold - /// a private-public key pair or a public key. In the former - /// case, the ECDSA context may be used for signature creation - /// and verification after this call. In the latter case, it - /// may be used for signature verification. + /// \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is + /// ignored. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. - pub fn mbedtls_ecdsa_from_keypair( - ctx: *mut mbedtls_ecdsa_context, - key: *const mbedtls_ecp_keypair, + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param mgf1_hash_id The message digest algorithm used for the + /// verification operation and the mask generation + /// function (MGF1). For more details on the encoding + /// operation and the mask generation function, consult + /// RFC-3447: Public-Key Cryptography Standards + /// (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. + /// \param expected_salt_len The length of the salt used in padding. Use + /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_verify_ext( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + mgf1_hash_id: mbedtls_md_type_t, + expected_salt_len: ::core::ffi::c_int, + sig: *const ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function initializes an ECDSA context. + /// \brief This function copies the components of an RSA context. /// - /// \param ctx The ECDSA context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_ecdsa_init(ctx: *mut mbedtls_ecdsa_context); + /// \param dst The destination context. This must be initialized. + /// \param src The source context. This must be initialized. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. + pub fn mbedtls_rsa_copy( + dst: *mut mbedtls_rsa_context, + src: *const mbedtls_rsa_context, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function frees an ECDSA context. + /// \brief This function frees the components of an RSA key. /// - /// \param ctx The ECDSA context to free. This may be \c NULL, - /// in which case this function does nothing. If it - /// is not \c NULL, it must be initialized. - pub fn mbedtls_ecdsa_free(ctx: *mut mbedtls_ecdsa_context); + /// \param ctx The RSA context to free. May be \c NULL, in which case + /// this function is a no-op. If it is not \c NULL, it must + /// point to an initialized RSA context. + pub fn mbedtls_rsa_free(ctx: *mut mbedtls_rsa_context); } -pub const mbedtls_pk_type_t_MBEDTLS_PK_NONE: mbedtls_pk_type_t = 0; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA: mbedtls_pk_type_t = 1; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY: mbedtls_pk_type_t = 2; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY_DH: mbedtls_pk_type_t = 3; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECDSA: mbedtls_pk_type_t = 4; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA_ALT: mbedtls_pk_type_t = 5; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSASSA_PSS: mbedtls_pk_type_t = 6; -pub const mbedtls_pk_type_t_MBEDTLS_PK_OPAQUE: mbedtls_pk_type_t = 7; -/// \brief Public key types -pub type mbedtls_pk_type_t = ::core::ffi::c_uint; -/// \brief Options for RSASSA-PSS signature verification. -/// See \c mbedtls_rsa_rsassa_pss_verify_ext() -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_rsassa_pss_options { - /// The digest to use for MGF1 in PSS. +unsafe extern "C" { + /// \brief The RSA checkup routine. /// - /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is - /// disabled, this must be equal to the \c md_alg argument passed - /// to mbedtls_pk_verify_ext(). In a future version of the library, - /// this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is - /// enabled regardless of the status of #MBEDTLS_RSA_C. - pub mgf1_hash_id: mbedtls_md_type_t, - /// The expected length of the salt, in bytes. This may be - /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. - /// - /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only - /// #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be - /// ignored (allowing any salt length). - pub expected_salt_len: ::core::ffi::c_int, -} -impl Default for mbedtls_pk_rsassa_pss_options { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_NONE: mbedtls_pk_debug_type = 0; -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_MPI: mbedtls_pk_debug_type = 1; -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_ECP: mbedtls_pk_debug_type = 2; -/// \brief Types for interfacing with the debug module -pub type mbedtls_pk_debug_type = ::core::ffi::c_uint; -/// \brief Item to send to the debug module -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_debug_item { - pub private_type: mbedtls_pk_debug_type, - pub private_name: *const ::core::ffi::c_char, - pub private_value: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_pk_debug_item { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_info_t { - _unused: [u8; 0], -} -/// \brief Public key container -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_context { - ///< Public key information - pub private_pk_info: *const mbedtls_pk_info_t, - ///< Underlying public key context - pub private_pk_ctx: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_pk_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_rsa_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -pub type mbedtls_pk_restart_ctx = ::core::ffi::c_void; -/// \brief Types for RSA-alt abstraction -pub type mbedtls_pk_rsa_alt_decrypt_func = ::core::option::Option< - unsafe extern "C" fn( - ctx: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, - ) -> ::core::ffi::c_int, ->; -pub type mbedtls_pk_rsa_alt_sign_func = ::core::option::Option< - unsafe extern "C" fn( - ctx: *mut ::core::ffi::c_void, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int, ->; -pub type mbedtls_pk_rsa_alt_key_len_func = - ::core::option::Option usize>; +/// \brief The ECDSA context structure. +/// +/// \warning Performing multiple operations concurrently on the same +/// ECDSA context is not supported; objects of this type +/// should not be shared between multiple threads. +/// +/// \note pk_wrap module assumes that "ecdsa_context" is identical +/// to "ecp_keypair" (see for example structure +/// "mbedtls_eckey_info" where ECDSA sign/verify functions +/// are used also for EC key) +pub type mbedtls_ecdsa_context = mbedtls_ecp_keypair; +pub type mbedtls_ecdsa_restart_ctx = ::core::ffi::c_void; unsafe extern "C" { - /// \brief Return information associated with the given PK type - /// - /// \param pk_type PK type to search for. + /// \brief This function checks whether a given group can be used + /// for ECDSA. /// - /// \return The PK info associated with the type or NULL if not found. - pub fn mbedtls_pk_info_from_type(pk_type: mbedtls_pk_type_t) -> *const mbedtls_pk_info_t; -} -unsafe extern "C" { - /// \brief Initialize a #mbedtls_pk_context (as NONE). + /// \param gid The ECP group ID to check. /// - /// \param ctx The context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_pk_init(ctx: *mut mbedtls_pk_context); + /// \return \c 1 if the group can be used, \c 0 otherwise + pub fn mbedtls_ecdsa_can_do(gid: mbedtls_ecp_group_id) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Free the components of a #mbedtls_pk_context. + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message. /// - /// \param ctx The context to clear. It must have been initialized. - /// If this is \c NULL, this function does nothing. + /// \note The deterministic version implemented in + /// mbedtls_ecdsa_sign_det_ext() is usually preferred. /// - /// \note For contexts that have been set up with - /// mbedtls_pk_setup_opaque(), this does not free the underlying - /// PSA key and you still need to call psa_destroy_key() - /// independently if you want to destroy that key. - pub fn mbedtls_pk_free(ctx: *mut mbedtls_pk_context); -} -unsafe extern "C" { - /// \brief Initialize a PK context with the information given - /// and allocates the type-specific PK subcontext. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated + /// as defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \param ctx Context to initialize. It must not have been set - /// up yet (type #MBEDTLS_PK_NONE). - /// \param info Information to use + /// \see ecp.h /// - /// \return 0 on success, - /// MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input, - /// MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized. + /// \param buf The content to be signed. This is usually the hash of + /// the original data to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param f_rng The RNG function, used both to generate the ECDSA nonce + /// and for blinding. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. /// - /// \note For contexts holding an RSA-alt key, use - /// \c mbedtls_pk_setup_rsa_alt() instead. - pub fn mbedtls_pk_setup( - ctx: *mut mbedtls_pk_context, - info: *const mbedtls_pk_info_t, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX + /// or \c MBEDTLS_MPI_XXX error code on failure. + pub fn mbedtls_ecdsa_sign( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Initialize an RSA-alt context + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, deterministic version. /// - /// \param ctx Context to initialize. It must not have been set - /// up yet (type #MBEDTLS_PK_NONE). - /// \param key RSA key pointer - /// \param decrypt_func Decryption function - /// \param sign_func Signing function - /// \param key_len_func Function returning key length in bytes + /// For more information, see RFC-6979: Deterministic + /// Usage of the Digital Signature Algorithm (DSA) and Elliptic + /// Curve Digital Signature Algorithm (ECDSA). /// - /// \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the - /// context wasn't already initialized as RSA_ALT. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \note This function replaces \c mbedtls_pk_setup() for RSA-alt. - pub fn mbedtls_pk_setup_rsa_alt( - ctx: *mut mbedtls_pk_context, - key: *mut ::core::ffi::c_void, - decrypt_func: mbedtls_pk_rsa_alt_decrypt_func, - sign_func: mbedtls_pk_rsa_alt_sign_func, - key_len_func: mbedtls_pk_rsa_alt_key_len_func, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Get the size in bits of the underlying key + /// \see ecp.h /// - /// \param ctx The context to query. It must have been initialized. + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param md_alg The hash algorithm used to hash the original data. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This + /// may be \c NULL if \p f_rng_blind doesn't need a context + /// parameter. /// - /// \return Key size in bits, or 0 on error - pub fn mbedtls_pk_get_bitlen(ctx: *const mbedtls_pk_context) -> usize; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_det_ext( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + md_alg: mbedtls_md_type_t, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Tell if a context can do the operation given by type + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, in a restartable way. /// - /// \param ctx The context to query. It must have been initialized. - /// \param type The desired type. + /// \note The deterministic version implemented in + /// mbedtls_ecdsa_sign_det_restartable() is usually + /// preferred. /// - /// \return 1 if the context can do operations on the given type. - /// \return 0 if the context cannot do the operations on the given - /// type. This is always the case for a context that has - /// been initialized but not set up, or that has been - /// cleared with mbedtls_pk_free(). - pub fn mbedtls_pk_can_do( - ctx: *const mbedtls_pk_context, - type_: mbedtls_pk_type_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Verify signature (including padding if relevant). + /// \note This function is like \c mbedtls_ecdsa_sign() but + /// it can return early and restart according to the + /// limit set with \c mbedtls_ecp_set_max_ops() to + /// reduce blocking. /// - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used. - /// This can be #MBEDTLS_MD_NONE if the signature algorithm - /// does not rely on a hash algorithm (non-deterministic - /// ECDSA, RSA PKCS#1 v1.5). - /// For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then - /// \p hash is the DigestInfo structure used by RFC 8017 - /// §9.2 steps 3–6. If \p md_alg is a valid hash - /// algorithm then \p hash is the digest itself, and this - /// function calculates the DigestInfo encoding internally. - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Signature to verify - /// \param sig_len Signature length + /// \note If the bitlength of the message hash is larger + /// than the bitlength of the group order, then the + /// hash is truncated as defined in Standards for + /// Efficient Cryptography Group (SECG): SEC1 Elliptic + /// Curve Cryptography, section 4.1.3, step 5. /// - /// \return 0 on success (signature is valid), - /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid - /// signature in sig but its length is less than \p siglen, - /// or a specific error code. + /// \see ecp.h /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. - /// Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... ) - /// to verify RSASSA_PSS signatures. - pub fn mbedtls_pk_verify( - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through + /// mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param f_rng The RNG function used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param rs_ctx The restart context to use. This may be \c NULL + /// to disable restarting. If it is not \c NULL, it + /// must point to an initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c + /// mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c + /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_restartable( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Restartable version of \c mbedtls_pk_verify() + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, in a restartable way. /// - /// \note Performs the same job as \c mbedtls_pk_verify(), but can - /// return early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC - /// operations. For RSA, same as \c mbedtls_pk_verify(). + /// \note This function is like \c + /// mbedtls_ecdsa_sign_det_ext() but it can return + /// early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length or 0 (see notes) - /// \param sig Signature to verify - /// \param sig_len Signature length - /// \param rs_ctx Restart context (NULL to disable restart) + /// \note If the bitlength of the message hash is larger + /// than the bitlength of the group order, then the + /// hash is truncated as defined in Standards for + /// Efficient Cryptography Group (SECG): SEC1 Elliptic + /// Curve Cryptography, section 4.1.3, step 5. /// - /// \return See \c mbedtls_pk_verify(), or - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - pub fn mbedtls_pk_verify_restartable( - ctx: *mut mbedtls_pk_context, + /// \see ecp.h + /// + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through + /// mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param md_alg The hash algorithm used to hash the original data. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This may be + /// \c NULL if \p f_rng_blind doesn't need a context parameter. + /// \param rs_ctx The restart context to use. This may be \c NULL + /// to disable restarting. If it is not \c NULL, it + /// must point to an initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c + /// mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c + /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_det_restartable( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, - rs_ctx: *mut mbedtls_pk_restart_ctx, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify signature, with options. - /// (Includes verification of the padding depending on type.) - /// - /// \param type Signature type (inc. possible padding type) to verify - /// \param options Pointer to type-specific options, or NULL - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length or 0 (see notes) - /// \param sig Signature to verify - /// \param sig_len Signature length + /// \brief This function verifies the ECDSA signature of a + /// previously-hashed message. /// - /// \return 0 on success (signature is valid), - /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be - /// used for this type of signatures, - /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid - /// signature in sig but its length is less than \p siglen, - /// or a specific error code. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note If hash_len is 0, then the length associated with md_alg - /// is used instead, or an error returned if it is invalid. + /// \see ecp.h /// - /// \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0 + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param buf The hashed content that was signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param Q The public key to use for verification. This must be + /// initialized and setup. + /// \param r The first integer of the signature. + /// This must be initialized. + /// \param s The second integer of the signature. + /// This must be initialized. /// - /// \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point - /// to a mbedtls_pk_rsassa_pss_options structure, - /// otherwise it must be NULL. Note that if - /// #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not - /// verified as PSA_ALG_RSA_PSS_ANY_SALT is used. - pub fn mbedtls_pk_verify_ext( - type_: mbedtls_pk_type_t, - options: *const ::core::ffi::c_void, - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_verify( + grp: *mut mbedtls_ecp_group, + buf: *const ::core::ffi::c_uchar, + blen: usize, + Q: *const mbedtls_ecp_point, + r: *const mbedtls_mpi, + s: *const mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Make signature, including padding if relevant. - /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \brief This function verifies the ECDSA signature of a + /// previously-hashed message, in a restartable manner /// - /// \return 0 on success, or a specific error code. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. - /// There is no interface in the PK module to make RSASSA-PSS - /// signatures yet. + /// \see ecp.h /// - /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. - /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. - pub fn mbedtls_pk_sign( - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param buf The hashed content that was signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param Q The public key to use for verification. This must be + /// initialized and setup. + /// \param r The first integer of the signature. + /// This must be initialized. + /// \param s The second integer of the signature. + /// This must be initialized. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_verify_restartable( + grp: *mut mbedtls_ecp_group, + buf: *const ::core::ffi::c_uchar, + blen: usize, + Q: *const mbedtls_ecp_point, + r: *const mbedtls_mpi, + s: *const mbedtls_mpi, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Make signature given a signature type. + /// \brief This function computes the ECDSA signature and writes it + /// to a buffer, serialized as defined in RFC-4492: + /// Elliptic Curve Cryptography (ECC) Cipher Suites for + /// Transport Layer Security (TLS). /// - /// \param pk_type Signature type. - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \warning It is not thread-safe to use the same context in + /// multiple threads. /// - /// \return 0 on success, or a specific error code. + /// \note The deterministic version is used if + /// #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more + /// information, see RFC-6979: Deterministic Usage + /// of the Digital Signature Algorithm (DSA) and Elliptic + /// Curve Digital Signature Algorithm (ECDSA). /// - /// \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS, - /// see #PSA_ALG_RSA_PSS for a description of PSS options used. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. - /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. - pub fn mbedtls_pk_sign_ext( - pk_type: mbedtls_pk_type_t, - ctx: *mut mbedtls_pk_context, + /// \see ecp.h + /// + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and private key bound to it, for example + /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). + /// \param md_alg The message digest that was used to hash the message. + /// \param hash The message hash to be signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The length of the hash \p hash in Bytes. + /// \param sig The buffer to which to write the signature. This must be a + /// writable buffer of length at least twice as large as the + /// size of the curve used, plus 9. For example, 73 Bytes if + /// a 256-bit curve is used. A buffer length of + /// #MBEDTLS_ECDSA_MAX_LEN is always safe. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param slen The address at which to store the actual length of + /// the signature written. Must not be \c NULL. + /// \param f_rng The RNG function. This is used for blinding. + /// If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also + /// used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_ecdsa_write_signature( + ctx: *mut mbedtls_ecdsa_context, md_alg: mbedtls_md_type_t, hash: *const ::core::ffi::c_uchar, - hash_len: usize, + hlen: usize, sig: *mut ::core::ffi::c_uchar, sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + slen: *mut usize, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Restartable version of \c mbedtls_pk_sign() + /// \brief This function computes the ECDSA signature and writes it + /// to a buffer, in a restartable way. /// - /// \note Performs the same job as \c mbedtls_pk_sign(), but can - /// return early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC - /// operations. For RSA, same as \c mbedtls_pk_sign(). + /// \see \c mbedtls_ecdsa_write_signature() /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign()) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. + /// \note This function is like \c mbedtls_ecdsa_write_signature() + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and private key bound to it, for example + /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). + /// \param md_alg The message digest that was used to hash the message. + /// \param hash The message hash to be signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The length of the hash \p hash in Bytes. + /// \param sig The buffer to which to write the signature. This must be a + /// writable buffer of length at least twice as large as the + /// size of the curve used, plus 9. For example, 73 Bytes if + /// a 256-bit curve is used. A buffer length of + /// #MBEDTLS_ECDSA_MAX_LEN is always safe. /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter - /// \param rs_ctx Restart context (NULL to disable restart) + /// \param slen The address at which to store the actual length of + /// the signature written. Must not be \c NULL. + /// \param f_rng The RNG function. This is used for blinding. + /// If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also + /// used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. /// - /// \return See \c mbedtls_pk_sign(). + /// \return \c 0 on success. /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - pub fn mbedtls_pk_sign_restartable( - ctx: *mut mbedtls_pk_context, + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_ecdsa_write_signature_restartable( + ctx: *mut mbedtls_ecdsa_context, md_alg: mbedtls_md_type_t, hash: *const ::core::ffi::c_uchar, - hash_len: usize, + hlen: usize, sig: *mut ::core::ffi::c_uchar, sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + slen: *mut usize, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_pk_restart_ctx, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Decrypt message (including padding if relevant). + /// \brief This function reads and verifies an ECDSA signature. /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param input Input to decrypt - /// \param ilen Input size - /// \param output Decrypted output - /// \param olen Decrypted message length - /// \param osize Size of the output buffer - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. + /// \see ecp.h /// - /// \return 0 on success, or a specific error code. - pub fn mbedtls_pk_decrypt( - ctx: *mut mbedtls_pk_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - olen: *mut usize, - osize: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and public key bound to it. + /// \param hash The message hash that was signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The size of the hash \p hash. + /// \param sig The signature to read and verify. This must be a readable + /// buffer of length \p slen Bytes. + /// \param slen The size of \p sig in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. + /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig, but its length is less than \p siglen. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX + /// error code on failure for any other reason. + pub fn mbedtls_ecdsa_read_signature( + ctx: *mut mbedtls_ecdsa_context, + hash: *const ::core::ffi::c_uchar, + hlen: usize, + sig: *const ::core::ffi::c_uchar, + slen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Encrypt message (including padding if relevant). - /// - /// \param ctx The PK context to use. It must have been set up. - /// \param input Message to encrypt - /// \param ilen Message size - /// \param output Encrypted output - /// \param olen Encrypted output length - /// \param osize Size of the output buffer - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \brief This function reads and verifies an ECDSA signature, + /// in a restartable way. /// - /// \note \p f_rng is used for padding generation. + /// \see \c mbedtls_ecdsa_read_signature() /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. + /// \note This function is like \c mbedtls_ecdsa_read_signature() + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \return 0 on success, or a specific error code. - pub fn mbedtls_pk_encrypt( - ctx: *mut mbedtls_pk_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - olen: *mut usize, - osize: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Check if a public-private pair of keys matches. - /// - /// \param pub Context holding a public key. - /// \param prv Context holding a private (and public) key. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter - /// - /// \return \c 0 on success (keys were checked and match each other). - /// \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not - /// be checked - in that case they may or may not match. - /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid. - /// \return Another non-zero value if the keys do not match. - pub fn mbedtls_pk_check_pair( - pub_: *const mbedtls_pk_context, - prv: *const mbedtls_pk_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Export debug information - /// - /// \param ctx The PK context to use. It must have been initialized. - /// \param items Place to write debug items + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and public key bound to it. + /// \param hash The message hash that was signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The size of the hash \p hash. + /// \param sig The signature to read and verify. This must be a readable + /// buffer of length \p slen Bytes. + /// \param slen The size of \p sig in Bytes. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. /// - /// \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA - pub fn mbedtls_pk_debug( - ctx: *const mbedtls_pk_context, - items: *mut mbedtls_pk_debug_item, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. + /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig, but its length is less than \p siglen. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX + /// error code on failure for any other reason. + pub fn mbedtls_ecdsa_read_signature_restartable( + ctx: *mut mbedtls_ecdsa_context, + hash: *const ::core::ffi::c_uchar, + hlen: usize, + sig: *const ::core::ffi::c_uchar, + slen: usize, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Access the type name - /// - /// \param ctx The PK context to use. It must have been initialized. - /// - /// \return Type name on success, or "invalid PK" - pub fn mbedtls_pk_get_name(ctx: *const mbedtls_pk_context) -> *const ::core::ffi::c_char; -} -unsafe extern "C" { - /// \brief Get the key type - /// - /// \param ctx The PK context to use. It must have been initialized. - /// - /// \return Type on success. - /// \return #MBEDTLS_PK_NONE for a context that has not been set up. - pub fn mbedtls_pk_get_type(ctx: *const mbedtls_pk_context) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - /// \ingroup pk_module */ - ////** - /// \brief Parse a private key in PEM or DER format - /// - /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto - /// subsystem must have been initialized by calling - /// psa_crypto_init() before calling this function. - /// - /// \param ctx The PK context to fill. It must have been initialized - /// but not set up. - /// \param key Input buffer to parse. - /// The buffer must contain the input exactly, with no - /// extra trailing material. For PEM, the buffer must - /// contain a null-terminated string. - /// \param keylen Size of \b key in bytes. - /// For PEM data, this includes the terminating null byte, - /// so \p keylen must be equal to `strlen(key) + 1`. - /// \param pwd Optional password for decryption. - /// Pass \c NULL if expecting a non-encrypted key. - /// Pass a string of \p pwdlen bytes if expecting an encrypted - /// key; a non-encrypted key will also be accepted. - /// The empty password is not supported. - /// \param pwdlen Size of the password in bytes. - /// Ignored if \p pwd is \c NULL. - /// \param f_rng RNG function, must not be \c NULL. Used for blinding. - /// \param p_rng RNG parameter + /// \brief This function generates an ECDSA keypair on the given curve. /// - /// \note On entry, ctx must be empty, either freshly initialised - /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a - /// specific key type, check the result with mbedtls_pk_can_do(). + /// \see ecp.h /// - /// \note The key is also checked for correctness. + /// \param ctx The ECDSA context to store the keypair in. + /// This must be initialized. + /// \param gid The elliptic curve to use. One of the various + /// \c MBEDTLS_ECP_DP_XXX macros depending on configuration. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context argument. /// - /// \return 0 if successful, or a specific PK or PEM error code - pub fn mbedtls_pk_parse_key( - ctx: *mut mbedtls_pk_context, - key: *const ::core::ffi::c_uchar, - keylen: usize, - pwd: *const ::core::ffi::c_uchar, - pwdlen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. + pub fn mbedtls_ecdsa_genkey( + ctx: *mut mbedtls_ecdsa_context, + gid: mbedtls_ecp_group_id, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \ingroup pk_module */ - ////** - /// \brief Parse a public key in PEM or DER format - /// - /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto - /// subsystem must have been initialized by calling - /// psa_crypto_init() before calling this function. - /// - /// \param ctx The PK context to fill. It must have been initialized - /// but not set up. - /// \param key Input buffer to parse. - /// The buffer must contain the input exactly, with no - /// extra trailing material. For PEM, the buffer must - /// contain a null-terminated string. - /// \param keylen Size of \b key in bytes. - /// For PEM data, this includes the terminating null byte, - /// so \p keylen must be equal to `strlen(key) + 1`. - /// - /// \note On entry, ctx must be empty, either freshly initialised - /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a - /// specific key type, check the result with mbedtls_pk_can_do(). + /// \brief This function sets up an ECDSA context from an EC key pair. /// - /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for - /// limitations. + /// \see ecp.h /// - /// \note The key is also checked for correctness. + /// \param ctx The ECDSA context to setup. This must be initialized. + /// \param key The EC key to use. This must be initialized and hold + /// a private-public key pair or a public key. In the former + /// case, the ECDSA context may be used for signature creation + /// and verification after this call. In the latter case, it + /// may be used for signature verification. /// - /// \return 0 if successful, or a specific PK or PEM error code - pub fn mbedtls_pk_parse_public_key( - ctx: *mut mbedtls_pk_context, - key: *const ::core::ffi::c_uchar, - keylen: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. + pub fn mbedtls_ecdsa_from_keypair( + ctx: *mut mbedtls_ecdsa_context, + key: *const mbedtls_ecp_keypair, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Write a private key to a PKCS#1 or SEC1 DER structure - /// Note: data is written at the end of the buffer! Use the - /// return value to determine where you should start - /// using the buffer - /// - /// \param ctx PK context which must contain a valid private key. - /// \param buf buffer to write to - /// \param size size of the buffer + /// \brief This function initializes an ECDSA context. /// - /// \return length of data written if successful, or a specific - /// error code - pub fn mbedtls_pk_write_key_der( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The ECDSA context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_ecdsa_init(ctx: *mut mbedtls_ecdsa_context); } unsafe extern "C" { - /// \brief Write a public key to a SubjectPublicKeyInfo DER structure - /// Note: data is written at the end of the buffer! Use the - /// return value to determine where you should start - /// using the buffer - /// - /// \param ctx PK context which must contain a valid public or private key. - /// \param buf buffer to write to - /// \param size size of the buffer + /// \brief This function frees an ECDSA context. /// - /// \return length of data written if successful, or a specific - /// error code - pub fn mbedtls_pk_write_pubkey_der( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The ECDSA context to free. This may be \c NULL, + /// in which case this function does nothing. If it + /// is not \c NULL, it must be initialized. + pub fn mbedtls_ecdsa_free(ctx: *mut mbedtls_ecdsa_context); } -unsafe extern "C" { - /// \brief Write a public key to a PEM string - /// - /// \param ctx PK context which must contain a valid public or private key. - /// \param buf Buffer to write to. The output includes a - /// terminating null byte. - /// \param size Size of the buffer in bytes. - /// - /// \return 0 if successful, or a specific error code - pub fn mbedtls_pk_write_pubkey_pem( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write a private key to a PKCS#1 or SEC1 PEM string - /// - /// \param ctx PK context which must contain a valid private key. - /// \param buf Buffer to write to. The output includes a - /// terminating null byte. - /// \param size Size of the buffer in bytes. - /// - /// \return 0 if successful, or a specific error code - pub fn mbedtls_pk_write_key_pem( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Parse a SubjectPublicKeyInfo DER structure - /// - /// \param p the position in the ASN.1 data - /// \param end end of the buffer - /// \param pk The PK context to fill. It must have been initialized - /// but not set up. - /// - /// \return 0 if successful, or a specific PK error code - pub fn mbedtls_pk_parse_subpubkey( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - pk: *mut mbedtls_pk_context, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write a subjectPublicKey to ASN.1 data - /// Note: function works backwards in data buffer - /// - /// \param p reference to current position pointer - /// \param start start of the buffer (for bounds-checking) - /// \param key PK context which must contain a valid public or private key. - /// - /// \return the length written or a negative error code - pub fn mbedtls_pk_write_pubkey( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - key: *const mbedtls_pk_context, - ) -> ::core::ffi::c_int; -} -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_NONE: mbedtls_key_exchange_type_t = 0; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA: mbedtls_key_exchange_type_t = 1; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_RSA: mbedtls_key_exchange_type_t = 2; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: mbedtls_key_exchange_type_t = - 3; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - mbedtls_key_exchange_type_t = 4; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_PSK: mbedtls_key_exchange_type_t = 5; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_PSK: mbedtls_key_exchange_type_t = 6; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA_PSK: mbedtls_key_exchange_type_t = 7; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: mbedtls_key_exchange_type_t = - 8; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_RSA: mbedtls_key_exchange_type_t = - 9; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: mbedtls_key_exchange_type_t = - 10; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECJPAKE: mbedtls_key_exchange_type_t = - 11; -pub type mbedtls_key_exchange_type_t = ::core::ffi::c_uint; -/// \brief This structure is used for storing ciphersuite information -/// -/// \note members are defined using integral types instead of enums -/// in order to pack structure and reduce memory usage by internal -/// \c ciphersuite_definitions[] -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ssl_ciphersuite_t { - pub private_id: ::core::ffi::c_int, - pub private_name: *const ::core::ffi::c_char, - pub private_cipher: u8, - pub private_mac: u8, - pub private_key_exchange: u8, - pub private_flags: u8, - pub private_min_tls_version: u16, - pub private_max_tls_version: u16, -} -impl Default for mbedtls_ssl_ciphersuite_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - pub fn mbedtls_ssl_list_ciphersuites() -> *const ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_from_string( - ciphersuite_name: *const ::core::ffi::c_char, - ) -> *const mbedtls_ssl_ciphersuite_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_from_id( - ciphersuite_id: ::core::ffi::c_int, - ) -> *const mbedtls_ssl_ciphersuite_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_get_ciphersuite_sig_pk_alg( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_get_ciphersuite_sig_alg( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_uses_ec( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_uses_psk( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> usize; -} -/// The type of the context passed to mbedtls_psa_external_get_random(). -/// -/// Mbed TLS initializes the context to all-bits-zero before calling -/// mbedtls_psa_external_get_random() for the first time. -/// -/// The definition of this type in the Mbed TLS source code is for -/// demonstration purposes. Implementers of mbedtls_psa_external_get_random() -/// are expected to replace it with a custom definition. -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_external_random_context_t { - pub private_opaque: [usize; 2usize], +/// The type of the context passed to mbedtls_psa_external_get_random(). +/// +/// Mbed TLS initializes the context to all-bits-zero before calling +/// mbedtls_psa_external_get_random() for the first time. +/// +/// The definition of this type in the Mbed TLS source code is for +/// demonstration purposes. Implementers of mbedtls_psa_external_get_random() +/// are expected to replace it with a custom definition. +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_external_random_context_t { + pub private_opaque: [usize; 2usize], } pub type psa_status_t = i32; /// \brief Encoding of a key type. @@ -10577,6478 +10445,7672 @@ pub type psa_key_attributes_t = psa_key_attributes_s; /// Values of this type are generally constructed by macros called /// `PSA_KEY_DERIVATION_INPUT_xxx`. pub type psa_key_derivation_step_t = u16; +/// \brief Custom parameters for key generation or key derivation. +/// +/// This is a structure type with at least the following field: +/// +/// - \c flags: an unsigned integer type. 0 for the default production parameters. +/// +/// Functions that take such a structure as input also take an associated +/// input buffer \c custom_data of length \c custom_data_length. +/// +/// The interpretation of this structure and the associated \c custom_data +/// parameter depend on the type of the created key. +/// +/// - #PSA_KEY_TYPE_RSA_KEY_PAIR: +/// - \c flags: must be 0. +/// - \c custom_data: the public exponent, in little-endian order. +/// This must be an odd integer and must not be 1. +/// Implementations must support 65537, should support 3 and may +/// support other values. +/// When not using a driver, Mbed TLS supports values up to \c INT_MAX. +/// If this is empty, the default value 65537 is used. +/// - Other key types: reserved for future use. \c flags must be 0. +pub type psa_custom_key_parameters_t = psa_custom_key_parameters_s; +/// \brief Custom parameters for key generation or key derivation. +/// +/// This is a structure type with at least the following fields: +/// +/// - \c flags: an unsigned integer type. 0 for the default production parameters. +/// - \c data: a flexible array of bytes. +/// +/// The interpretation of this structure depend on the type of the +/// created key. +/// +/// - #PSA_KEY_TYPE_RSA_KEY_PAIR: +/// - \c flags: must be 0. +/// - \c data: the public exponent, in little-endian order. +/// This must be an odd integer and must not be 1. +/// Implementations must support 65537, should support 3 and may +/// support other values. +/// When not using a driver, Mbed TLS supports values up to \c INT_MAX. +/// If this is empty or if the custom production parameters are omitted +/// altogether, the default value 65537 is used. +/// - Other key types: reserved for future use. \c flags must be 0. +pub type psa_key_production_parameters_t = psa_key_production_parameters_s; +pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_DECRYPT: psa_encrypt_or_decrypt_t = 0; +pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_ENCRYPT: psa_encrypt_or_decrypt_t = 1; +/// For encrypt-decrypt functions, whether the operation is an encryption +/// or a decryption. +pub type psa_encrypt_or_decrypt_t = ::core::ffi::c_uint; +/// \brief MD5 context structure +/// +/// \warning MD5 is considered a weak message digest and its use +/// constitutes a security risk. We recommend considering +/// stronger message digests instead. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_md5_context { + ///< number of bytes processed + pub private_total: [u32; 2usize], + ///< intermediate digest state + pub private_state: [u32; 4usize], + ///< data block being processed + pub private_buffer: [::core::ffi::c_uchar; 64usize], +} +impl Default for mbedtls_md5_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} unsafe extern "C" { - /// \brief Library initialization. - /// - /// Applications must call this function before calling any other - /// function in this module. - /// - /// Applications may call this function more than once. Once a call - /// succeeds, subsequent calls are guaranteed to succeed. + /// \brief Initialize MD5 context /// - /// If the application calls other functions before calling psa_crypto_init(), - /// the behavior is undefined. Implementations are encouraged to either perform - /// the operation as if the library had been initialized or to return - /// #PSA_ERROR_BAD_STATE or some other applicable error. In particular, - /// implementations should not return a success status if the lack of - /// initialization may have security implications, for example due to improper - /// seeding of the random number generator. + /// \param ctx MD5 context to be initialized /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - pub fn psa_crypto_init() -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_init(ctx: *mut mbedtls_md5_context); } unsafe extern "C" { - /// Retrieve the attributes of a key. - /// - /// This function first resets the attribute structure as with - /// psa_reset_key_attributes(). It then copies the attributes of - /// the given key into the given attribute structure. - /// - /// \note This function may allocate memory or other resources. - /// Once you have called this function on an attribute structure, - /// you must call psa_reset_key_attributes() to free these resources. + /// \brief Clear MD5 context /// - /// \param[in] key Identifier of the key to query. - /// \param[in,out] attributes On success, the attributes of the key. - /// On failure, equivalent to a - /// freshly-initialized structure. + /// \param ctx MD5 context to be cleared /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_get_key_attributes( - key: mbedtls_svc_key_id_t, - attributes: *mut psa_key_attributes_t, - ) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_free(ctx: *mut mbedtls_md5_context); } unsafe extern "C" { - /// Reset a key attribute structure to a freshly initialized state. - /// - /// You must initialize the attribute structure as described in the - /// documentation of the type #psa_key_attributes_t before calling this - /// function. Once the structure has been initialized, you may call this - /// function at any time. + /// \brief Clone (the state of) an MD5 context /// - /// This function frees any auxiliary resources that the structure - /// may contain. + /// \param dst The destination context + /// \param src The context to be cloned /// - /// \param[in,out] attributes The attribute structure to reset. - pub fn psa_reset_key_attributes(attributes: *mut psa_key_attributes_t); + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_clone(dst: *mut mbedtls_md5_context, src: *const mbedtls_md5_context); } unsafe extern "C" { - /// Remove non-essential copies of key material from memory. + /// \brief MD5 context setup /// - /// If the key identifier designates a volatile key, this functions does not do - /// anything and returns successfully. - /// - /// If the key identifier designates a persistent key, then this function will - /// free all resources associated with the key in volatile memory. The key - /// data in persistent storage is not affected and the key can still be used. + /// \param ctx context to be initialized /// - /// \param key Identifier of the key to purge. + /// \return 0 if successful /// - /// \retval #PSA_SUCCESS - /// The key material will have been removed from memory if it is not - /// currently required. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not a valid key identifier. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_purge_key(key: mbedtls_svc_key_id_t) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_starts(ctx: *mut mbedtls_md5_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Make a copy of a key. + /// \brief MD5 process buffer /// - /// Copy key material from one location to another. + /// \param ctx MD5 context + /// \param input buffer holding the data + /// \param ilen length of the input data /// - /// This function is primarily useful to copy a key from one location - /// to another, since it populates a key using the material from - /// another key which may have a different lifetime. + /// \return 0 if successful /// - /// This function may be used to share a key with a different party, - /// subject to implementation-defined restrictions on key sharing. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_update( + ctx: *mut mbedtls_md5_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief MD5 final digest /// - /// The policy on the source key must have the usage flag - /// #PSA_KEY_USAGE_COPY set. - /// This flag is sufficient to permit the copy if the key has the lifetime - /// #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT. - /// Some secure elements do not provide a way to copy a key without - /// making it extractable from the secure element. If a key is located - /// in such a secure element, then the key must have both usage flags - /// #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make - /// a copy of the key outside the secure element. + /// \param ctx MD5 context + /// \param output MD5 checksum result /// - /// The resulting key may only be used in a way that conforms to - /// both the policy of the original key and the policy specified in - /// the \p attributes parameter: - /// - The usage flags on the resulting key are the bitwise-and of the - /// usage flags on the source policy and the usage flags in \p attributes. - /// - If both allow the same algorithm or wildcard-based - /// algorithm policy, the resulting key has the same algorithm policy. - /// - If either of the policies allows an algorithm and the other policy - /// allows a wildcard-based algorithm policy that includes this algorithm, - /// the resulting key allows the same algorithm. - /// - If the policies do not allow any algorithm in common, this function - /// fails with the status #PSA_ERROR_INVALID_ARGUMENT. + /// \return 0 if successful /// - /// The effect of this function on implementation-defined attributes is - /// implementation-defined. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_finish( + ctx: *mut mbedtls_md5_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief MD5 process data block (internal use only) /// - /// \param source_key The key to copy. It must allow the usage - /// #PSA_KEY_USAGE_COPY. If a private or secret key is - /// being copied outside of a secure element it must - /// also allow #PSA_KEY_USAGE_EXPORT. - /// \param[in] attributes The attributes for the new key. - /// They are used as follows: - /// - The key type and size may be 0. If either is - /// nonzero, it must match the corresponding - /// attribute of the source key. - /// - The key location (the lifetime and, for - /// persistent keys, the key identifier) is - /// used directly. - /// - The policy constraints (usage flags and - /// algorithm policy) are combined from - /// the source key and \p attributes so that - /// both sets of restrictions apply, as - /// described in the documentation of this function. - /// \param[out] target_key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param ctx MD5 context + /// \param data buffer holding one block of data /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p source_key is invalid. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The lifetime or identifier in \p attributes are invalid, or - /// the policy constraints on the source and specified in - /// \p attributes are incompatible, or - /// \p attributes specifies a key type or key size - /// which does not match the attributes of the source key. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or - /// the source key is not exportable and its lifetime does not - /// allow copying it to the target's lifetime. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_copy_key( - source_key: mbedtls_svc_key_id_t, - attributes: *const psa_key_attributes_t, - target_key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return 0 if successful + /// + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_internal_md5_process( + ctx: *mut mbedtls_md5_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Destroy a key. + /// \brief Output = MD5( input buffer ) /// - /// This function destroys a key from both volatile - /// memory and, if applicable, non-volatile storage. Implementations shall - /// make a best effort to ensure that the key material cannot be recovered. + /// \param input buffer holding the data + /// \param ilen length of the input data + /// \param output MD5 checksum result /// - /// This function also erases any metadata such as policies and frees - /// resources associated with the key. + /// \return 0 if successful /// - /// If a key is currently in use in a multipart operation, then destroying the - /// key will cause the multipart operation to fail. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// \param key Identifier of the key to erase. If this is \c 0, do nothing and - /// return #PSA_SUCCESS. + /// \return 0 if successful, or 1 if the test failed /// - /// \retval #PSA_SUCCESS - /// \p key was a valid identifier and the key material that it - /// referred to has been erased. Alternatively, \p key is \c 0. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key cannot be erased because it is - /// read-only, either due to a policy or due to physical restrictions. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p key is not a valid identifier nor \c 0. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE - /// There was a failure in communication with the cryptoprocessor. - /// The key material may still be present in the cryptoprocessor. - /// \retval #PSA_ERROR_DATA_INVALID - /// This error is typically a result of either storage corruption on a - /// cleartext storage backend, or an attempt to read data that was - /// written by an incompatible version of the library. - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The storage is corrupted. Implementations shall make a best effort - /// to erase key material even in this stage, however applications - /// should be aware that it may be impossible to guarantee that the - /// key material is not recoverable in such cases. - /// \retval #PSA_ERROR_CORRUPTION_DETECTED - /// An unexpected condition which is not a storage corruption or - /// a communication failure occurred. The cryptoprocessor may have - /// been compromised. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_destroy_key(key: mbedtls_svc_key_id_t) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief RIPEMD-160 context structure +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ripemd160_context { + ///< number of bytes processed + pub private_total: [u32; 2usize], + ///< intermediate digest state + pub private_state: [u32; 5usize], + ///< data block being processed + pub private_buffer: [::core::ffi::c_uchar; 64usize], +} +impl Default for mbedtls_ripemd160_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief Import a key in binary format. + /// \brief Initialize RIPEMD-160 context /// - /// This function supports any output from psa_export_key(). Refer to the - /// documentation of psa_export_public_key() for the format of public keys - /// and to the documentation of psa_export_key() for the format for - /// other key types. + /// \param ctx RIPEMD-160 context to be initialized + pub fn mbedtls_ripemd160_init(ctx: *mut mbedtls_ripemd160_context); +} +unsafe extern "C" { + /// \brief Clear RIPEMD-160 context /// - /// The key data determines the key size. The attributes may optionally - /// specify a key size; in this case it must match the size determined - /// from the key data. A key size of 0 in \p attributes indicates that - /// the key size is solely determined by the key data. + /// \param ctx RIPEMD-160 context to be cleared + pub fn mbedtls_ripemd160_free(ctx: *mut mbedtls_ripemd160_context); +} +unsafe extern "C" { + /// \brief Clone (the state of) a RIPEMD-160 context /// - /// Implementations must reject an attempt to import a key of size 0. + /// \param dst The destination context + /// \param src The context to be cloned + pub fn mbedtls_ripemd160_clone( + dst: *mut mbedtls_ripemd160_context, + src: *const mbedtls_ripemd160_context, + ); +} +unsafe extern "C" { + /// \brief RIPEMD-160 context setup /// - /// This specification supports a single format for each key type. - /// Implementations may support other formats as long as the standard - /// format is supported. Implementations that support other formats - /// should ensure that the formats are clearly unambiguous so as to - /// minimize the risk that an invalid input is accidentally interpreted - /// according to a different format. - /// - /// \param[in] attributes The attributes for the new key. - /// The key size is always determined from the - /// \p data buffer. - /// If the key size in \p attributes is nonzero, - /// it must be equal to the size from \p data. - /// \param[out] key On success, an identifier to the newly created key. - /// For persistent keys, this is the key identifier - /// defined in \p attributes. - /// \c 0 on failure. - /// \param[in] data Buffer containing the key data. The content of this - /// buffer is interpreted according to the type declared - /// in \p attributes. - /// All implementations must support at least the format - /// described in the documentation - /// of psa_export_key() or psa_export_public_key() for - /// the chosen type. Implementations may allow other - /// formats, but should be conservative: implementations - /// should err on the side of rejecting content if it - /// may be erroneous (e.g. wrong type or truncated data). - /// \param data_length Size of the \p data buffer in bytes. + /// \param ctx context to be initialized /// - /// \retval #PSA_SUCCESS - /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size is not supported, either by the - /// implementation in general or in this particular persistent location. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key attributes, as a whole, are invalid, or - /// the key data is not correctly formatted, or - /// the size in \p attributes is nonzero and does not match the size - /// of the key data. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_import_key( - attributes: *const psa_key_attributes_t, - data: *const u8, - data_length: usize, - key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return 0 if successful + pub fn mbedtls_ripemd160_starts(ctx: *mut mbedtls_ripemd160_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Export a key in binary format. - /// - /// The output of this function can be passed to psa_import_key() to - /// create an equivalent object. + /// \brief RIPEMD-160 process buffer /// - /// If the implementation of psa_import_key() supports other formats - /// beyond the format specified here, the output from psa_export_key() - /// must use the representation specified here, not the original - /// representation. + /// \param ctx RIPEMD-160 context + /// \param input buffer holding the data + /// \param ilen length of the input data /// - /// For standard key types, the output format is as follows: + /// \return 0 if successful + pub fn mbedtls_ripemd160_update( + ctx: *mut mbedtls_ripemd160_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief RIPEMD-160 final digest /// - /// - For symmetric keys (including MAC keys), the format is the - /// raw bytes of the key. - /// - For DES, the key data consists of 8 bytes. The parity bits must be - /// correct. - /// - For Triple-DES, the format is the concatenation of the - /// two or three DES keys. - /// - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format - /// is the non-encrypted DER encoding of the representation defined by - /// PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0. - /// ``` - /// RSAPrivateKey ::= SEQUENCE { - /// version INTEGER, -- must be 0 - /// modulus INTEGER, -- n - /// publicExponent INTEGER, -- e - /// privateExponent INTEGER, -- d - /// prime1 INTEGER, -- p - /// prime2 INTEGER, -- q - /// exponent1 INTEGER, -- d mod (p-1) - /// exponent2 INTEGER, -- d mod (q-1) - /// coefficient INTEGER, -- (inverse of q) mod p - /// } - /// ``` - /// - For elliptic curve key pairs (key types for which - /// #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is - /// a representation of the private value as a `ceiling(m/8)`-byte string - /// where `m` is the bit size associated with the curve, i.e. the bit size - /// of the order of the curve's coordinate field. This byte string is - /// in little-endian order for Montgomery curves (curve types - /// `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass - /// curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX` - /// and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`). - /// For Weierstrass curves, this is the content of the `privateKey` field of - /// the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves, - /// the format is defined by RFC 7748, and output is masked according to §5. - /// For twisted Edwards curves, the private key is as defined by RFC 8032 - /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). - /// - For Diffie-Hellman key exchange key pairs (key types for which - /// #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the - /// format is the representation of the private key `x` as a big-endian byte - /// string. The length of the byte string is the private key size in bytes - /// (leading zeroes are not stripped). - /// - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is - /// true), the format is the same as for psa_export_public_key(). + /// \param ctx RIPEMD-160 context + /// \param output RIPEMD-160 checksum result /// - /// The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set. + /// \return 0 if successful + pub fn mbedtls_ripemd160_finish( + ctx: *mut mbedtls_ripemd160_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief RIPEMD-160 process data block (internal use only) /// - /// \param key Identifier of the key to export. It must allow the - /// usage #PSA_KEY_USAGE_EXPORT, unless it is a public - /// key. - /// \param[out] data Buffer where the key data is to be written. - /// \param data_size Size of the \p data buffer in bytes. - /// \param[out] data_length On success, the number of bytes - /// that make up the key data. + /// \param ctx RIPEMD-160 context + /// \param data buffer holding one block of data /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_EXPORT flag. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p data buffer is too small. You can determine a - /// sufficient buffer size by calling - /// #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits) - /// where \c type is the key type - /// and \c bits is the key size in bits. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_export_key( - key: mbedtls_svc_key_id_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; + /// \return 0 if successful + pub fn mbedtls_internal_ripemd160_process( + ctx: *mut mbedtls_ripemd160_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Export a public key or the public part of a key pair in binary format. + /// \brief Output = RIPEMD-160( input buffer ) /// - /// The output of this function can be passed to psa_import_key() to - /// create an object that is equivalent to the public key. + /// \param input buffer holding the data + /// \param ilen length of the input data + /// \param output RIPEMD-160 checksum result /// - /// This specification supports a single format for each key type. - /// Implementations may support other formats as long as the standard - /// format is supported. Implementations that support other formats - /// should ensure that the formats are clearly unambiguous so as to - /// minimize the risk that an invalid input is accidentally interpreted - /// according to a different format. + /// \return 0 if successful + pub fn mbedtls_ripemd160( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// For standard key types, the output format is as follows: - /// - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of - /// the representation defined by RFC 3279 §2.3.1 as `RSAPublicKey`. - /// ``` - /// RSAPublicKey ::= SEQUENCE { - /// modulus INTEGER, -- n - /// publicExponent INTEGER } -- e - /// ``` - /// - For elliptic curve keys on a twisted Edwards curve (key types for which - /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY - /// returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined - /// by RFC 8032 - /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). - /// - For other elliptic curve public keys (key types for which - /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed - /// representation defined by SEC1 §2.3.3 as the content of an ECPoint. - /// Let `m` be the bit size associated with the curve, i.e. the bit size of - /// `q` for a curve over `F_q`. The representation consists of: - /// - The byte 0x04; - /// - `x_P` as a `ceiling(m/8)`-byte string, big-endian; - /// - `y_P` as a `ceiling(m/8)`-byte string, big-endian. - /// - For Diffie-Hellman key exchange public keys (key types for which - /// #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true), - /// the format is the representation of the public key `y = g^x mod p` as a - /// big-endian byte string. The length of the byte string is the length of the - /// base prime `p` in bytes. + /// \return 0 if successful, or 1 if the test failed + pub fn mbedtls_ripemd160_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha1_context { + pub work_area: [::core::ffi::c_uchar; 208usize], +} +impl Default for mbedtls_sha1_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes a SHA-1 context. /// - /// Exporting a public key object or the public part of a key pair is - /// always permitted, regardless of the key's usage flags. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param key Identifier of the key to export. - /// \param[out] data Buffer where the key data is to be written. - /// \param data_size Size of the \p data buffer in bytes. - /// \param[out] data_length On success, the number of bytes - /// that make up the key data. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key is neither a public key nor a key pair. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p data buffer is too small. You can determine a - /// sufficient buffer size by calling - /// #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits) - /// where \c type is the key type - /// and \c bits is the key size in bits. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_export_public_key( - key: mbedtls_svc_key_id_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_sha1_init(ctx: *mut mbedtls_sha1_context); } unsafe extern "C" { - /// Calculate the hash (digest) of a message. - /// - /// \note To verify the hash of a message against an - /// expected value, use psa_hash_compare() instead. + /// \brief This function clears a SHA-1 context. /// - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). - /// \param[in] input Buffer containing the message to hash. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] hash Buffer where the hash is to be written. - /// \param hash_size Size of the \p hash buffer in bytes. - /// \param[out] hash_length On success, the number of bytes - /// that make up the hash value. This is always - /// #PSA_HASH_LENGTH(\p alg). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p hash_size is too small - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_compute( - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - hash: *mut u8, - hash_size: usize, - hash_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to clear. This may be \c NULL, + /// in which case this function does nothing. If it is + /// not \c NULL, it must point to an initialized + /// SHA-1 context. + pub fn mbedtls_sha1_free(ctx: *mut mbedtls_sha1_context); } unsafe extern "C" { - /// Calculate the hash (digest) of a message and compare it with a - /// reference value. + /// \brief This function clones the state of a SHA-1 context. /// - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). - /// \param[in] input Buffer containing the message to hash. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] hash Buffer containing the expected hash value. - /// \param hash_length Size of the \p hash buffer in bytes. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// The expected hash is identical to the actual hash of the input. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The hash of the message was calculated successfully, but it - /// differs from the expected hash. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p input_length or \p hash_length do not match the hash size for \p alg - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_compare( - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - hash: *const u8, - hash_length: usize, - ) -> psa_status_t; + /// \param dst The SHA-1 context to clone to. This must be initialized. + /// \param src The SHA-1 context to clone from. This must be initialized. + pub fn mbedtls_sha1_clone(dst: *mut mbedtls_sha1_context, src: *const mbedtls_sha1_context); } -/// The type of the state data structure for multipart hash operations. -/// -/// Before calling any function on a hash operation object, the application must -/// initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_hash_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_hash_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT, -/// for example: -/// \code -/// psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_hash_operation_init() -/// to the structure, for example: -/// \code -/// psa_hash_operation_t operation; -/// operation = psa_hash_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_hash_operation_t = psa_hash_operation_s; unsafe extern "C" { - /// Set up a multipart hash operation. - /// - /// The sequence of operations to calculate a hash (message digest) - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT. - /// -# Call psa_hash_setup() to specify the algorithm. - /// -# Call psa_hash_update() zero, one or more times, passing a fragment - /// of the message each time. The hash that is calculated is the hash - /// of the concatenation of these messages in order. - /// -# To calculate the hash, call psa_hash_finish(). - /// To compare the hash with an expected value, call psa_hash_verify(). - /// - /// If an error occurs at any step after a call to psa_hash_setup(), the - /// operation will need to be reset by a call to psa_hash_abort(). The - /// application may call psa_hash_abort() at any time after the operation - /// has been initialized. + /// \brief This function starts a SHA-1 checksum calculation. /// - /// After a successful call to psa_hash_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_hash_finish() or psa_hash_verify(). - /// - A call to psa_hash_abort(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_hash_operation_t and not yet in use. - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param ctx The SHA-1 context to initialize. This must be initialized. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not a supported hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p alg is not a hash algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_setup( - operation: *mut psa_hash_operation_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_starts(ctx: *mut mbedtls_sha1_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Add a message fragment to a multipart hash operation. - /// - /// The application must call psa_hash_setup() before calling this function. + /// \brief This function feeds an input buffer into an ongoing SHA-1 + /// checksum calculation. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation Active hash operation. - /// \param[in] input Buffer containing the message fragment to hash. - /// \param input_length Size of the \p input buffer in bytes. + /// \param ctx The SHA-1 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the input data. + /// This must be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data \p input in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_update( - operation: *mut psa_hash_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_update( + ctx: *mut mbedtls_sha1_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the hash of a message. + /// \brief This function finishes the SHA-1 operation, and writes + /// the result to the output buffer. /// - /// The application must call psa_hash_setup() before calling this function. - /// This function calculates the hash of the message formed by concatenating - /// the inputs passed to preceding calls to psa_hash_update(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// \param ctx The SHA-1 context to use. This must be initialized and + /// have a hash operation started. + /// \param output The SHA-1 checksum result. This must be a writable + /// buffer of length \c 20 Bytes. /// - /// \warning Applications should not call this function if they expect - /// a specific value for the hash. Call psa_hash_verify() instead. - /// Beware that comparing integrity or authenticity data such as - /// hash values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the hashed data which could allow an attacker to guess - /// a valid hash and thereby bypass security controls. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_finish( + ctx: *mut mbedtls_sha1_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief SHA-1 process data block (internal use only). /// - /// \param[in,out] operation Active hash operation. - /// \param[out] hash Buffer where the hash is to be written. - /// \param hash_size Size of the \p hash buffer in bytes. - /// \param[out] hash_length On success, the number of bytes - /// that make up the hash value. This is always - /// #PSA_HASH_LENGTH(\c alg) where \c alg is the - /// hash algorithm that is calculated. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p hash buffer is too small. You can determine a - /// sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) - /// where \c alg is the hash algorithm that is calculated. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_finish( - operation: *mut psa_hash_operation_t, - hash: *mut u8, - hash_size: usize, - hash_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to use. This must be initialized. + /// \param data The data block being processed. This must be a + /// readable buffer of length \c 64 Bytes. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha1_process( + ctx: *mut mbedtls_sha1_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the hash of a message and compare it with - /// an expected value. + /// \brief This function calculates the SHA-1 checksum of a buffer. /// - /// The application must call psa_hash_setup() before calling this function. - /// This function calculates the hash of the message formed by concatenating - /// the inputs passed to preceding calls to psa_hash_update(). It then - /// compares the calculated hash with the expected hash passed as a - /// parameter to this function. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// The SHA-1 result is calculated as + /// output = SHA-1(input buffer). /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual hash and the expected hash is performed - /// in constant time. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation Active hash operation. - /// \param[in] hash Buffer containing the expected hash value. - /// \param hash_length Size of the \p hash buffer in bytes. + /// \param input The buffer holding the input data. + /// This must be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data \p input in Bytes. + /// \param output The SHA-1 checksum result. + /// This must be a writable buffer of length \c 20 Bytes. /// - /// \retval #PSA_SUCCESS - /// The expected hash is identical to the actual hash of the message. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The hash of the message was calculated successfully, but it - /// differs from the expected hash. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_verify( - operation: *mut psa_hash_operation_t, - hash: *const u8, - hash_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a hash operation. + /// \brief The SHA-1 checkup routine. /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_hash_setup() again. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// You may call this function any time after the operation object has - /// been initialized by one of the methods described in #psa_hash_operation_t. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha1_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha256_context { + pub work_area: [::core::ffi::c_uchar; 208usize], + pub is224: ::core::ffi::c_uchar, +} +impl Default for mbedtls_sha256_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes a SHA-256 context. /// - /// In particular, calling psa_hash_abort() after the operation has been - /// terminated by a call to psa_hash_abort(), psa_hash_finish() or - /// psa_hash_verify() is safe and has no effect. + /// \param ctx The SHA-256 context to initialize. This must not be \c NULL. + pub fn mbedtls_sha256_init(ctx: *mut mbedtls_sha256_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-256 context. /// - /// \param[in,out] operation Initialized hash operation. + /// \param ctx The SHA-256 context to clear. This may be \c NULL, in which + /// case this function returns immediately. If it is not \c NULL, + /// it must point to an initialized SHA-256 context. + pub fn mbedtls_sha256_free(ctx: *mut mbedtls_sha256_context); +} +unsafe extern "C" { + /// \brief This function clones the state of a SHA-256 context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_abort(operation: *mut psa_hash_operation_t) -> psa_status_t; + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha256_clone( + dst: *mut mbedtls_sha256_context, + src: *const mbedtls_sha256_context, + ); } unsafe extern "C" { - /// Clone a hash operation. + /// \brief This function starts a SHA-224 or SHA-256 checksum + /// calculation. /// - /// This function copies the state of an ongoing hash operation to - /// a new operation object. In other words, this function is equivalent - /// to calling psa_hash_setup() on \p target_operation with the same - /// algorithm that \p source_operation was set up for, then - /// psa_hash_update() on \p target_operation with the same input that - /// that was passed to \p source_operation. After this function returns, the - /// two objects are independent, i.e. subsequent calls involving one of - /// the objects do not affect the other object. + /// \param ctx The context to use. This must be initialized. + /// \param is224 This determines which function to use. This must be + /// either \c 0 for SHA-256, or \c 1 for SHA-224. /// - /// \param[in] source_operation The active hash operation to clone. - /// \param[in,out] target_operation The operation object to set up. - /// It must be initialized but not active. + /// \note is224 must be defined accordingly to the enabled + /// MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the + /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The \p source_operation state is not valid (it must be active), or - /// the \p target_operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_clone( - source_operation: *const psa_hash_operation_t, - target_operation: *mut psa_hash_operation_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_starts( + ctx: *mut mbedtls_sha256_context, + is224: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Calculate the MAC (message authentication code) of a message. + /// \brief This function feeds an input buffer into an ongoing + /// SHA-256 checksum calculation. /// - /// \note To verify the MAC of a message against an - /// expected value, use psa_mac_verify() instead. - /// Beware that comparing integrity or authenticity data such as - /// MAC values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the MAC value which could allow an attacker to guess - /// a valid MAC and thereby bypass security controls. + /// \param ctx The SHA-256 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \param key Identifier of the key to use for the operation. It - /// must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). - /// \param[in] input Buffer containing the input message. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] mac Buffer where the MAC value is to be written. - /// \param mac_size Size of the \p mac buffer in bytes. - /// \param[out] mac_length On success, the number of bytes - /// that make up the MAC value. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_update( + ctx: *mut mbedtls_sha256_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function finishes the SHA-256 operation, and writes + /// the result to the output buffer. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p mac_size is too small - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_compute( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - mac: *mut u8, - mac_size: usize, - mac_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-256 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-224 or SHA-256 checksum result. + /// This must be a writable buffer of length \c 32 bytes + /// for SHA-256, \c 28 bytes for SHA-224. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_finish( + ctx: *mut mbedtls_sha256_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Calculate the MAC of a message and compare it with a reference value. + /// \brief This function processes a single data block within + /// the ongoing SHA-256 computation. This function is for + /// internal use only. /// - /// \param key Identifier of the key to use for the operation. It - /// must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). - /// \param[in] input Buffer containing the input message. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] mac Buffer containing the expected MAC value. - /// \param mac_length Size of the \p mac buffer in bytes. + /// \param ctx The SHA-256 context. This must be initialized. + /// \param data The buffer holding one block of data. This must + /// be a readable buffer of length \c 64 Bytes. /// - /// \retval #PSA_SUCCESS - /// The expected MAC is identical to the actual MAC of the input. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The MAC of the message was calculated successfully, but it - /// differs from the expected value. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - mac: *const u8, - mac_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha256_process( + ctx: *mut mbedtls_sha256_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart MAC operations. -/// -/// Before calling any function on a MAC operation object, the application must -/// initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_mac_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_mac_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT, -/// for example: -/// \code -/// psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_mac_operation_init() -/// to the structure, for example: -/// \code -/// psa_mac_operation_t operation; -/// operation = psa_mac_operation_init(); -/// \endcode -/// -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_mac_operation_t = psa_mac_operation_s; unsafe extern "C" { - /// Set up a multipart MAC calculation operation. + /// \brief This function calculates the SHA-224 or SHA-256 + /// checksum of a buffer. /// - /// This function sets up the calculation of the MAC - /// (message authentication code) of a byte string. - /// To verify the MAC of a message against an - /// expected value, use psa_mac_verify_setup() instead. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// The sequence of operations to calculate a MAC is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. - /// -# Call psa_mac_sign_setup() to specify the algorithm and key. - /// -# Call psa_mac_update() zero, one or more times, passing a fragment - /// of the message each time. The MAC that is calculated is the MAC - /// of the concatenation of these messages in order. - /// -# At the end of the message, call psa_mac_sign_finish() to finish - /// calculating the MAC value and retrieve it. + /// The SHA-256 result is calculated as + /// output = SHA-256(input buffer). /// - /// If an error occurs at any step after a call to psa_mac_sign_setup(), the - /// operation will need to be reset by a call to psa_mac_abort(). The - /// application may call psa_mac_abort() at any time after the operation - /// has been initialized. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-224 or SHA-256 checksum result. + /// This must be a writable buffer of length \c 32 bytes + /// for SHA-256, \c 28 bytes for SHA-224. + /// \param is224 Determines which function to use. This must be + /// either \c 0 for SHA-256, or \c 1 for SHA-224. /// - /// After a successful call to psa_mac_sign_setup(), the application must - /// eventually terminate the operation through one of the following methods: - /// - A successful call to psa_mac_sign_finish(). - /// - A call to psa_mac_abort(). + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + is224: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-224 checkup routine. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_mac_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. It - /// must remain valid until the operation terminates. - /// It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha224_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-256 checkup routine. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_sign_setup( - operation: *mut psa_mac_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha256_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha512_context { + pub work_area: [::core::ffi::c_uchar; 304usize], + pub is384: ::core::ffi::c_uchar, +} +impl Default for mbedtls_sha512_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Set up a multipart MAC verification operation. + /// \brief This function initializes a SHA-512 context. /// - /// This function sets up the verification of the MAC - /// (message authentication code) of a byte string against an expected value. + /// \param ctx The SHA-512 context to initialize. This must + /// not be \c NULL. + pub fn mbedtls_sha512_init(ctx: *mut mbedtls_sha512_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-512 context. /// - /// The sequence of operations to verify a MAC is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. - /// -# Call psa_mac_verify_setup() to specify the algorithm and key. - /// -# Call psa_mac_update() zero, one or more times, passing a fragment - /// of the message each time. The MAC that is calculated is the MAC - /// of the concatenation of these messages in order. - /// -# At the end of the message, call psa_mac_verify_finish() to finish - /// calculating the actual MAC of the message and verify it against - /// the expected value. + /// \param ctx The SHA-512 context to clear. This may be \c NULL, + /// in which case this function does nothing. If it + /// is not \c NULL, it must point to an initialized + /// SHA-512 context. + pub fn mbedtls_sha512_free(ctx: *mut mbedtls_sha512_context); +} +unsafe extern "C" { + /// \brief This function clones the state of a SHA-512 context. /// - /// If an error occurs at any step after a call to psa_mac_verify_setup(), the - /// operation will need to be reset by a call to psa_mac_abort(). The - /// application may call psa_mac_abort() at any time after the operation - /// has been initialized. + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha512_clone( + dst: *mut mbedtls_sha512_context, + src: *const mbedtls_sha512_context, + ); +} +unsafe extern "C" { + /// \brief This function starts a SHA-384 or SHA-512 checksum + /// calculation. /// - /// After a successful call to psa_mac_verify_setup(), the application must - /// eventually terminate the operation through one of the following methods: - /// - A successful call to psa_mac_verify_finish(). - /// - A call to psa_mac_abort(). + /// \param ctx The SHA-512 context to use. This must be initialized. + /// \param is384 Determines which function to use. This must be + /// either \c 0 for SHA-512, or \c 1 for SHA-384. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_mac_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. It - /// must remain valid until the operation terminates. - /// It must allow the usage - /// PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \note is384 must be defined accordingly to the enabled + /// MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the + /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c key is not compatible with \c alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify_setup( - operation: *mut psa_mac_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_starts( + ctx: *mut mbedtls_sha512_context, + is384: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Add a message fragment to a multipart MAC operation. - /// - /// The application must call psa_mac_sign_setup() or psa_mac_verify_setup() - /// before calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// \brief This function feeds an input buffer into an ongoing + /// SHA-512 checksum calculation. /// - /// \param[in,out] operation Active MAC operation. - /// \param[in] input Buffer containing the message fragment to add to - /// the MAC calculation. - /// \param input_length Size of the \p input buffer in bytes. + /// \param ctx The SHA-512 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the input data. This must + /// be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_update( - operation: *mut psa_mac_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_update( + ctx: *mut mbedtls_sha512_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the MAC of a message. - /// - /// The application must call psa_mac_sign_setup() before calling this function. - /// This function calculates the MAC of the message formed by concatenating - /// the inputs passed to preceding calls to psa_mac_update(). + /// \brief This function finishes the SHA-512 operation, and writes + /// the result to the output buffer. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// \param ctx The SHA-512 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-384 or SHA-512 checksum result. + /// This must be a writable buffer of length \c 64 bytes + /// for SHA-512, \c 48 bytes for SHA-384. /// - /// \warning Applications should not call this function if they expect - /// a specific value for the MAC. Call psa_mac_verify_finish() instead. - /// Beware that comparing integrity or authenticity data such as - /// MAC values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the MAC value which could allow an attacker to guess - /// a valid MAC and thereby bypass security controls. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_finish( + ctx: *mut mbedtls_sha512_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function processes a single data block within + /// the ongoing SHA-512 computation. + /// This function is for internal use only. /// - /// \param[in,out] operation Active MAC operation. - /// \param[out] mac Buffer where the MAC value is to be written. - /// \param mac_size Size of the \p mac buffer in bytes. - /// \param[out] mac_length On success, the number of bytes - /// that make up the MAC value. This is always - /// #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg) - /// where \c key_type and \c key_bits are the type and - /// bit-size respectively of the key and \c alg is the - /// MAC algorithm that is calculated. + /// \param ctx The SHA-512 context. This must be initialized. + /// \param data The buffer holding one block of data. This + /// must be a readable buffer of length \c 128 Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p mac buffer is too small. You can determine a - /// sufficient buffer size by calling PSA_MAC_LENGTH(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active mac sign - /// operation), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_sign_finish( - operation: *mut psa_mac_operation_t, - mac: *mut u8, - mac_size: usize, - mac_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha512_process( + ctx: *mut mbedtls_sha512_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the MAC of a message and compare it with - /// an expected value. + /// \brief This function calculates the SHA-512 or SHA-384 + /// checksum of a buffer. /// - /// The application must call psa_mac_verify_setup() before calling this function. - /// This function calculates the MAC of the message formed by concatenating - /// the inputs passed to preceding calls to psa_mac_update(). It then - /// compares the calculated MAC with the expected MAC passed as a - /// parameter to this function. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// The SHA-512 result is calculated as + /// output = SHA-512(input buffer). /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual MAC and the expected MAC is performed - /// in constant time. + /// \param input The buffer holding the input data. This must be + /// a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-384 or SHA-512 checksum result. + /// This must be a writable buffer of length \c 64 bytes + /// for SHA-512, \c 48 bytes for SHA-384. + /// \param is384 Determines which function to use. This must be either + /// \c 0 for SHA-512, or \c 1 for SHA-384. /// - /// \param[in,out] operation Active MAC operation. - /// \param[in] mac Buffer containing the expected MAC value. - /// \param mac_length Size of the \p mac buffer in bytes. + /// \note is384 must be defined accordingly with the supported + /// symbols in the config file. If: + /// - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or + /// - is384 is 1, but \c MBEDTLS_SHA512_C is not defined + /// then the function will return + /// #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS - /// The expected MAC is identical to the actual MAC of the message. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The MAC of the message was calculated successfully, but it - /// differs from the expected MAC. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active mac verify - /// operation), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify_finish( - operation: *mut psa_mac_operation_t, - mac: *const u8, - mac_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + is384: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a MAC operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_mac_sign_setup() or psa_mac_verify_setup() again. + /// \brief The SHA-384 checkup routine. /// - /// You may call this function any time after the operation object has - /// been initialized by one of the methods described in #psa_mac_operation_t. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha384_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-512 checkup routine. /// - /// In particular, calling psa_mac_abort() after the operation has been - /// terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or - /// psa_mac_verify_finish() is safe and has no effect. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha512_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +///< Operation not defined. +pub const mbedtls_sha3_id_MBEDTLS_SHA3_NONE: mbedtls_sha3_id = 0; +///< SHA3-224 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_224: mbedtls_sha3_id = 1; +///< SHA3-256 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_256: mbedtls_sha3_id = 2; +///< SHA3-384 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_384: mbedtls_sha3_id = 3; +///< SHA3-512 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_512: mbedtls_sha3_id = 4; +/// SHA-3 family id. +/// +/// It identifies the family (SHA3-256, SHA3-512, etc.) +pub type mbedtls_sha3_id = ::core::ffi::c_uint; +/// \brief The SHA-3 context structure. +/// +/// The structure is used SHA-3 checksum calculations. +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_sha3_context { + pub private_state: [u64; 25usize], + pub private_index: u32, + pub private_olen: u16, + pub private_max_block_size: u16, +} +unsafe extern "C" { + /// \brief This function initializes a SHA-3 context. /// - /// \param[in,out] operation Initialized MAC operation. + /// \param ctx The SHA-3 context to initialize. This must not be \c NULL. + pub fn mbedtls_sha3_init(ctx: *mut mbedtls_sha3_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-3 context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_abort(operation: *mut psa_mac_operation_t) -> psa_status_t; + /// \param ctx The SHA-3 context to clear. This may be \c NULL, in which + /// case this function returns immediately. If it is not \c NULL, + /// it must point to an initialized SHA-3 context. + pub fn mbedtls_sha3_free(ctx: *mut mbedtls_sha3_context); } unsafe extern "C" { - /// Encrypt a message using a symmetric cipher. + /// \brief This function clones the state of a SHA-3 context. /// - /// This function encrypts a message with a random IV (initialization - /// vector). Use the multipart operation interface with a - /// #psa_cipher_operation_t object to provide other forms of IV. + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha3_clone(dst: *mut mbedtls_sha3_context, src: *const mbedtls_sha3_context); +} +unsafe extern "C" { + /// \brief This function starts a SHA-3 checksum + /// calculation. /// - /// \param key Identifier of the key to use for the operation. - /// It must allow the usage #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// \param[in] input Buffer containing the message to encrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// The output contains the IV followed by - /// the ciphertext proper. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the output. + /// \param ctx The context to use. This must be initialized. + /// \param id The id of the SHA-3 family. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_starts( + ctx: *mut mbedtls_sha3_context, + id: mbedtls_sha3_id, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Decrypt a message using a symmetric cipher. - /// - /// This function decrypts a message encrypted with a symmetric cipher. + /// \brief This function feeds an input buffer into an ongoing + /// SHA-3 checksum calculation. /// - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// \param[in] input Buffer containing the message to decrypt. - /// This consists of the IV followed by the - /// ciphertext proper. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the plaintext is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the output. + /// \param ctx The SHA-3 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_update( + ctx: *mut mbedtls_sha3_context, input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + ilen: usize, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart cipher operations. -/// -/// Before calling any function on a cipher operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_cipher_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_cipher_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT, -/// for example: -/// \code -/// psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_cipher_operation_init() -/// to the structure, for example: -/// \code -/// psa_cipher_operation_t operation; -/// operation = psa_cipher_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_cipher_operation_t = psa_cipher_operation_s; unsafe extern "C" { - /// Set the key for a multipart symmetric encryption operation. + /// \brief This function finishes the SHA-3 operation, and writes + /// the result to the output buffer. /// - /// The sequence of operations to encrypt a message with a symmetric cipher - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_cipher_operation_t, e.g. - /// #PSA_CIPHER_OPERATION_INIT. - /// -# Call psa_cipher_encrypt_setup() to specify the algorithm and key. - /// -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to - /// generate or set the IV (initialization vector). You should use - /// psa_cipher_generate_iv() unless the protocol you are implementing - /// requires a specific IV value. - /// -# Call psa_cipher_update() zero, one or more times, passing a fragment - /// of the message each time. - /// -# Call psa_cipher_finish(). + /// \param ctx The SHA-3 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-3 checksum result. + /// This must be a writable buffer of length \c olen bytes. + /// \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256, + /// SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64, + /// respectively. /// - /// If an error occurs at any step after a call to psa_cipher_encrypt_setup(), - /// the operation will need to be reset by a call to psa_cipher_abort(). The - /// application may call psa_cipher_abort() at any time after the operation - /// has been initialized. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_finish( + ctx: *mut mbedtls_sha3_context, + output: *mut u8, + olen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function calculates the SHA-3 + /// checksum of a buffer. /// - /// After a successful call to psa_cipher_encrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_cipher_finish(). - /// - A call to psa_cipher_abort(). + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_cipher_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// The SHA-3 result is calculated as + /// output = SHA-3(id, input buffer, d). /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_encrypt_setup( - operation: *mut psa_cipher_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \param id The id of the SHA-3 family. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-3 checksum result. + /// This must be a writable buffer of length \c olen bytes. + /// \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256, + /// SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64, + /// respectively. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3( + id: mbedtls_sha3_id, + input: *const u8, + ilen: usize, + output: *mut u8, + olen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the key for a multipart symmetric decryption operation. + /// \brief Checkup routine for the algorithms implemented + /// by this module: SHA3-224, SHA3-256, SHA3-384, SHA3-512. /// - /// The sequence of operations to decrypt a message with a symmetric cipher - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_cipher_operation_t, e.g. - /// #PSA_CIPHER_OPERATION_INIT. - /// -# Call psa_cipher_decrypt_setup() to specify the algorithm and key. - /// -# Call psa_cipher_set_iv() with the IV (initialization vector) for the - /// decryption. If the IV is prepended to the ciphertext, you can call - /// psa_cipher_update() on a buffer containing the IV followed by the - /// beginning of the message. - /// -# Call psa_cipher_update() zero, one or more times, passing a fragment - /// of the message each time. - /// -# Call psa_cipher_finish(). - /// - /// If an error occurs at any step after a call to psa_cipher_decrypt_setup(), - /// the operation will need to be reset by a call to psa_cipher_abort(). The - /// application may call psa_cipher_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_cipher_decrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_cipher_finish(). - /// - A call to psa_cipher_abort(). - /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_cipher_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_decrypt_setup( - operation: *mut psa_cipher_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return 0 if successful, or 1 if the test failed. + pub fn mbedtls_sha3_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// Generate an IV for a symmetric encryption operation. - /// - /// This function generates a random IV (initialization vector), nonce - /// or initial counter value for the encryption operation as appropriate - /// for the chosen algorithm, key type and key size. - /// - /// The application must call psa_cipher_encrypt_setup() before - /// calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[out] iv Buffer where the generated IV is to be written. - /// \param iv_size Size of the \p iv buffer in bytes. - /// \param[out] iv_length On success, the number of bytes of the - /// generated IV. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p iv buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with no IV set), - /// or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_generate_iv( - operation: *mut psa_cipher_operation_t, - iv: *mut u8, - iv_size: usize, - iv_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_hash_operation_t { + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + pub private_ctx: mbedtls_psa_hash_operation_t__bindgen_ty_1, } -unsafe extern "C" { - /// Set the IV for a symmetric encryption or decryption operation. - /// - /// This function sets the IV (initialization vector), nonce - /// or initial counter value for the encryption or decryption operation. - /// - /// The application must call psa_cipher_encrypt_setup() before - /// calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \note When encrypting, applications should use psa_cipher_generate_iv() - /// instead of this function, unless implementing a protocol that requires - /// a non-random IV. - /// - /// \param[in,out] operation Active cipher operation. - /// \param[in] iv Buffer containing the IV to use. - /// \param iv_length Size of the IV in bytes. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The size of \p iv is not acceptable for the chosen algorithm, - /// or the chosen algorithm does not use an IV. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active cipher - /// encrypt operation, with no IV set), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_set_iv( - operation: *mut psa_cipher_operation_t, - iv: *const u8, - iv_length: usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union mbedtls_psa_hash_operation_t__bindgen_ty_1 { + pub dummy: ::core::ffi::c_uint, + pub md5: mbedtls_md5_context, + pub ripemd160: mbedtls_ripemd160_context, + pub sha1: mbedtls_sha1_context, + pub sha256: mbedtls_sha256_context, + pub sha512: mbedtls_sha512_context, } -unsafe extern "C" { - /// Encrypt or decrypt a message fragment in an active cipher operation. - /// - /// Before calling this function, you must: - /// 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(). - /// The choice of setup function determines whether this function - /// encrypts or decrypts its input. - /// 2. If the algorithm requires an IV, call psa_cipher_generate_iv() - /// (recommended when encrypting) or psa_cipher_set_iv(). - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[in] input Buffer containing the message fragment to - /// encrypt or decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with an IV set - /// if required for the algorithm), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_update( - operation: *mut psa_cipher_operation_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_hash_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Finish encrypting or decrypting a message in a cipher operation. - /// - /// The application must call psa_cipher_encrypt_setup() or - /// psa_cipher_decrypt_setup() before calling this function. The choice - /// of setup function determines whether this function encrypts or - /// decrypts its input. - /// - /// This function finishes the encryption or decryption of the message - /// formed by concatenating the inputs passed to preceding calls to - /// psa_cipher_update(). - /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total input size passed to this operation is not valid for - /// this particular algorithm. For example, the algorithm is a based - /// on block cipher and requires a whole number of blocks, but the - /// total input size is not a multiple of the block size. - /// \retval #PSA_ERROR_INVALID_PADDING - /// This is a decryption operation for an algorithm that includes - /// padding, and the ciphertext does not contain valid padding. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with an IV set - /// if required for the algorithm), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_finish( - operation: *mut psa_cipher_operation_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_hash_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_cipher_operation_t { + pub private_alg: psa_algorithm_t, + pub private_iv_length: u8, + pub private_block_length: u8, + pub private_ctx: mbedtls_psa_cipher_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_cipher_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_cipher: mbedtls_cipher_context_t, +} +impl Default for mbedtls_psa_cipher_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_cipher_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_hash_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_hash_operation_t, +} +impl Default for psa_driver_hash_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_cipher_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_cipher_operation_t, +} +impl Default for psa_driver_cipher_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_hash_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_driver_wrappers.h. + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. the driver context is not active, in use). + pub private_id: ::core::ffi::c_uint, + pub __bindgen_padding_0: u64, + pub private_ctx: psa_driver_hash_context_t, +} +impl Default for psa_hash_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_cipher_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_default_iv_length: u8, + pub private_ctx: psa_driver_cipher_context_t, +} +impl Default for psa_cipher_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_cipher_operation_s { + #[inline] + pub fn private_iv_required(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_iv_required(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_required_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_required_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_iv_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_iv_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(1usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 1usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 1usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_iv_required: ::core::ffi::c_uint, + private_iv_set: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_iv_required: u32 = unsafe { ::core::mem::transmute(private_iv_required) }; + private_iv_required as u64 + }); + __bindgen_bitfield_unit.set(1usize, 1u8, { + let private_iv_set: u32 = unsafe { ::core::mem::transmute(private_iv_set) }; + private_iv_set as u64 + }); + __bindgen_bitfield_unit + } +} +/// \brief The GCM context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_gcm_context { + ///< The cipher context used. + pub private_cipher_ctx: mbedtls_cipher_context_t, + ///< Precalculated HTable. + pub private_H: [[u64; 2usize]; 16usize], + ///< The total length of the encrypted data. + pub private_len: u64, + ///< The total length of the additional data. + pub private_add_len: u64, + ///< The first ECTR for tag. + pub private_base_ectr: [::core::ffi::c_uchar; 16usize], + ///< The Y working value. + pub private_y: [::core::ffi::c_uchar; 16usize], + ///< The buf working value. + pub private_buf: [::core::ffi::c_uchar; 16usize], + ///< The operation to perform: + ///#MBEDTLS_GCM_ENCRYPT or + ///#MBEDTLS_GCM_DECRYPT. + pub private_mode: ::core::ffi::c_uchar, + ///< The acceleration to use. + pub private_acceleration: ::core::ffi::c_uchar, +} +impl Default for mbedtls_gcm_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Abort a cipher operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again. - /// - /// You may call this function any time after the operation object has - /// been initialized as described in #psa_cipher_operation_t. - /// - /// In particular, calling psa_cipher_abort() after the operation has been - /// terminated by a call to psa_cipher_abort() or psa_cipher_finish() - /// is safe and has no effect. + /// \brief This function initializes the specified GCM context, + /// to make references valid, and prepares the context + /// for mbedtls_gcm_setkey() or mbedtls_gcm_free(). /// - /// \param[in,out] operation Initialized cipher operation. + /// The function does not bind the GCM context to a particular + /// cipher, nor set the key. For this purpose, use + /// mbedtls_gcm_setkey(). /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_abort(operation: *mut psa_cipher_operation_t) -> psa_status_t; + /// \param ctx The GCM context to initialize. This must not be \c NULL. + pub fn mbedtls_gcm_init(ctx: *mut mbedtls_gcm_context); } unsafe extern "C" { - /// Process an authenticated encryption operation. + /// \brief This function associates a GCM context with a + /// cipher algorithm and a key. /// - /// \param key Identifier of the key to use for the - /// operation. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). - /// \param[in] nonce Nonce or IV to use. - /// \param nonce_length Size of the \p nonce buffer in bytes. - /// \param[in] additional_data Additional data that will be authenticated - /// but not encrypted. - /// \param additional_data_length Size of \p additional_data in bytes. - /// \param[in] plaintext Data that will be authenticated and - /// encrypted. - /// \param plaintext_length Size of \p plaintext in bytes. - /// \param[out] ciphertext Output buffer for the authenticated and - /// encrypted data. The additional data is not - /// part of this output. For algorithms where the - /// encrypted data and the authentication tag - /// are defined as separate outputs, the - /// authentication tag is appended to the - /// encrypted data. - /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, - /// \p alg, \p plaintext_length) where - /// \c key_type is the type of \p key. - /// - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p - /// plaintext_length) evaluates to the maximum - /// ciphertext size of any supported AEAD - /// encryption. - /// \param[out] ciphertext_length On success, the size of the output - /// in the \p ciphertext buffer. + /// \param ctx The GCM context. This must be initialized. + /// \param cipher The 128-bit block cipher to use. + /// \param key The encryption key. This must be a readable buffer of at + /// least \p keybits bits. + /// \param keybits The key size in bits. Valid options are: + ///
  • 128 bits
    • + ///
  • 192 bits
    • + ///
  • 256 bits
/// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p ciphertext_size is too small. - /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg, - /// \p plaintext_length) or - /// #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to - /// determine the required buffer size. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - nonce: *const u8, - nonce_length: usize, - additional_data: *const u8, - additional_data_length: usize, - plaintext: *const u8, - plaintext_length: usize, - ciphertext: *mut u8, - ciphertext_size: usize, - ciphertext_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A cipher-specific error code on failure. + pub fn mbedtls_gcm_setkey( + ctx: *mut mbedtls_gcm_context, + cipher: mbedtls_cipher_id_t, + key: *const ::core::ffi::c_uchar, + keybits: ::core::ffi::c_uint, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Process an authenticated decryption operation. + /// \brief This function performs GCM encryption or decryption of a buffer. /// - /// \param key Identifier of the key to use for the - /// operation. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). - /// \param[in] nonce Nonce or IV to use. - /// \param nonce_length Size of the \p nonce buffer in bytes. - /// \param[in] additional_data Additional data that has been authenticated - /// but not encrypted. - /// \param additional_data_length Size of \p additional_data in bytes. - /// \param[in] ciphertext Data that has been authenticated and - /// encrypted. For algorithms where the - /// encrypted data and the authentication tag - /// are defined as separate inputs, the buffer - /// must contain the encrypted data followed - /// by the authentication tag. - /// \param ciphertext_length Size of \p ciphertext in bytes. - /// \param[out] plaintext Output buffer for the decrypted data. - /// \param plaintext_size Size of the \p plaintext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, - /// \p alg, \p ciphertext_length) where - /// \c key_type is the type of \p key. - /// - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p - /// ciphertext_length) evaluates to the maximum - /// plaintext size of any supported AEAD - /// decryption. - /// \param[out] plaintext_length On success, the size of the output - /// in the \p plaintext buffer. + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The ciphertext is not authentic. - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p plaintext_size is too small. - /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg, - /// \p ciphertext_length) or - /// #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used - /// to determine the required buffer size. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - nonce: *const u8, - nonce_length: usize, - additional_data: *const u8, - additional_data_length: usize, - ciphertext: *const u8, - ciphertext_length: usize, - plaintext: *mut u8, - plaintext_size: usize, - plaintext_length: *mut usize, - ) -> psa_status_t; + /// \warning When this function performs a decryption, it outputs the + /// authentication tag and does not verify that the data is + /// authentic. You should use this function to perform encryption + /// only. For decryption, use mbedtls_gcm_auth_decrypt() instead. + /// + /// \param ctx The GCM context to use for encryption or decryption. This + /// must be initialized. + /// \param mode The operation to perform: + /// - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption. + /// The ciphertext is written to \p output and the + /// authentication tag is written to \p tag. + /// - #MBEDTLS_GCM_DECRYPT to perform decryption. + /// The plaintext is written to \p output and the + /// authentication tag is written to \p tag. + /// Note that this mode is not recommended, because it does + /// not verify the authenticity of the data. For this reason, + /// you should use mbedtls_gcm_auth_decrypt() instead of + /// calling this function in decryption mode. + /// \param length The length of the input data, which is equal to the length + /// of the output data. + /// \param iv The initialization vector. This must be a readable buffer of + /// at least \p iv_len Bytes. + /// \param iv_len The length of the IV. + /// \param add The buffer holding the additional data. This must be of at + /// least that size in Bytes. + /// \param add_len The length of the additional data. + /// \param input The buffer holding the input data. If \p length is greater + /// than zero, this must be a readable buffer of at least that + /// size in Bytes. + /// \param output The buffer for holding the output data. If \p length is greater + /// than zero, this must be a writable buffer of at least that + /// size in Bytes. + /// \param tag_len The length of the tag to generate. + /// \param tag The buffer for holding the tag. This must be a writable + /// buffer of at least \p tag_len Bytes. + /// + /// \return \c 0 if the encryption or decryption was performed + /// successfully. Note that in #MBEDTLS_GCM_DECRYPT mode, + /// this does not indicate that the data is authentic. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are + /// not valid or a cipher-specific error code if the encryption + /// or decryption failed. + pub fn mbedtls_gcm_crypt_and_tag( + ctx: *mut mbedtls_gcm_context, + mode: ::core::ffi::c_int, + length: usize, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + add: *const ::core::ffi::c_uchar, + add_len: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + tag_len: usize, + tag: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart AEAD operations. -/// -/// Before calling any function on an AEAD operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_aead_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_aead_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT, -/// for example: -/// \code -/// psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_aead_operation_init() -/// to the structure, for example: -/// \code -/// psa_aead_operation_t operation; -/// operation = psa_aead_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_aead_operation_t = psa_aead_operation_s; unsafe extern "C" { - /// Set the key for a multipart authenticated encryption operation. + /// \brief This function performs a GCM authenticated decryption of a + /// buffer. /// - /// The sequence of operations to encrypt a message with authentication - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_aead_operation_t, e.g. - /// #PSA_AEAD_OPERATION_INIT. - /// -# Call psa_aead_encrypt_setup() to specify the algorithm and key. - /// -# If needed, call psa_aead_set_lengths() to specify the length of the - /// inputs to the subsequent calls to psa_aead_update_ad() and - /// psa_aead_update(). See the documentation of psa_aead_set_lengths() - /// for details. - /// -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to - /// generate or set the nonce. You should use - /// psa_aead_generate_nonce() unless the protocol you are implementing - /// requires a specific nonce value. - /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment - /// of the non-encrypted additional authenticated data each time. - /// -# Call psa_aead_update() zero, one or more times, passing a fragment - /// of the message to encrypt each time. - /// -# Call psa_aead_finish(). - /// - /// If an error occurs at any step after a call to psa_aead_encrypt_setup(), - /// the operation will need to be reset by a call to psa_aead_abort(). The - /// application may call psa_aead_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_aead_encrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_aead_finish(). - /// - A call to psa_aead_abort(). + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. Implementations which require + /// MBEDTLS_GCM_ALT to be enabled may not provide support for + /// overlapping buffers. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_aead_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param ctx The GCM context. This must be initialized. + /// \param length The length of the ciphertext to decrypt, which is also + /// the length of the decrypted plaintext. + /// \param iv The initialization vector. This must be a readable buffer + /// of at least \p iv_len Bytes. + /// \param iv_len The length of the IV. + /// \param add The buffer holding the additional data. This must be of at + /// least that size in Bytes. + /// \param add_len The length of the additional data. + /// \param tag The buffer holding the tag to verify. This must be a + /// readable buffer of at least \p tag_len Bytes. + /// \param tag_len The length of the tag to verify. + /// \param input The buffer holding the ciphertext. If \p length is greater + /// than zero, this must be a readable buffer of at least that + /// size. + /// \param output The buffer for holding the decrypted plaintext. If \p length + /// is greater than zero, this must be a writable buffer of at + /// least that size. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_encrypt_setup( - operation: *mut psa_aead_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 if successful and authenticated. + /// \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are + /// not valid or a cipher-specific error code if the decryption + /// failed. + pub fn mbedtls_gcm_auth_decrypt( + ctx: *mut mbedtls_gcm_context, + length: usize, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + add: *const ::core::ffi::c_uchar, + add_len: usize, + tag: *const ::core::ffi::c_uchar, + tag_len: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the key for a multipart authenticated decryption operation. - /// - /// The sequence of operations to decrypt a message with authentication - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_aead_operation_t, e.g. - /// #PSA_AEAD_OPERATION_INIT. - /// -# Call psa_aead_decrypt_setup() to specify the algorithm and key. - /// -# If needed, call psa_aead_set_lengths() to specify the length of the - /// inputs to the subsequent calls to psa_aead_update_ad() and - /// psa_aead_update(). See the documentation of psa_aead_set_lengths() - /// for details. - /// -# Call psa_aead_set_nonce() with the nonce for the decryption. - /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment - /// of the non-encrypted additional authenticated data each time. - /// -# Call psa_aead_update() zero, one or more times, passing a fragment - /// of the ciphertext to decrypt each time. - /// -# Call psa_aead_verify(). - /// - /// If an error occurs at any step after a call to psa_aead_decrypt_setup(), - /// the operation will need to be reset by a call to psa_aead_abort(). The - /// application may call psa_aead_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_aead_decrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_aead_verify(). - /// - A call to psa_aead_abort(). + /// \brief This function starts a GCM encryption or decryption + /// operation. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_aead_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param ctx The GCM context. This must be initialized. + /// \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or + /// #MBEDTLS_GCM_DECRYPT. + /// \param iv The initialization vector. This must be a readable buffer of + /// at least \p iv_len Bytes. + /// \param iv_len The length of the IV. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_decrypt_setup( - operation: *mut psa_aead_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + pub fn mbedtls_gcm_starts( + ctx: *mut mbedtls_gcm_context, + mode: ::core::ffi::c_int, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Generate a random nonce for an authenticated encryption operation. - /// - /// This function generates a random nonce for the authenticated encryption - /// operation with an appropriate size for the chosen algorithm, key type - /// and key size. - /// - /// The application must call psa_aead_encrypt_setup() before - /// calling this function. + /// \brief This function feeds an input buffer as associated data + /// (authenticated but not encrypted data) in a GCM + /// encryption or decryption operation. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// Call this function after mbedtls_gcm_starts() to pass + /// the associated data. If the associated data is empty, + /// you do not need to call this function. You may not + /// call this function after calling mbedtls_cipher_update(). /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] nonce Buffer where the generated nonce is to be - /// written. - /// \param nonce_size Size of the \p nonce buffer in bytes. - /// \param[out] nonce_length On success, the number of bytes of the - /// generated nonce. + /// \param ctx The GCM context. This must have been started with + /// mbedtls_gcm_starts() and must not have yet received + /// any input with mbedtls_gcm_update(). + /// \param add The buffer holding the additional data, or \c NULL + /// if \p add_len is \c 0. + /// \param add_len The length of the additional data. If \c 0, + /// \p add may be \c NULL. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p nonce buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active aead encrypt - /// operation, with no nonce set), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_generate_nonce( - operation: *mut psa_aead_operation_t, - nonce: *mut u8, - nonce_size: usize, - nonce_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + pub fn mbedtls_gcm_update_ad( + ctx: *mut mbedtls_gcm_context, + add: *const ::core::ffi::c_uchar, + add_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the nonce for an authenticated encryption or decryption operation. + /// \brief This function feeds an input buffer into an ongoing GCM + /// encryption or decryption operation. /// - /// This function sets the nonce for the authenticated - /// encryption or decryption operation. + /// You may call this function zero, one or more times + /// to pass successive parts of the input: the plaintext to + /// encrypt, or the ciphertext (not including the tag) to + /// decrypt. After the last part of the input, call + /// mbedtls_gcm_finish(). /// - /// The application must call psa_aead_encrypt_setup() or - /// psa_aead_decrypt_setup() before calling this function. + /// This function may produce output in one of the following + /// ways: + /// - Immediate output: the output length is always equal + /// to the input length. + /// - Buffered output: the output consists of a whole number + /// of 16-byte blocks. If the total input length so far + /// (not including associated data) is 16 \* *B* + *A* + /// with *A* < 16 then the total output length is 16 \* *B*. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// In particular: + /// - It is always correct to call this function with + /// \p output_size >= \p input_length + 15. + /// - If \p input_length is a multiple of 16 for all the calls + /// to this function during an operation, then it is + /// correct to use \p output_size = \p input_length. /// - /// \note When encrypting, applications should use psa_aead_generate_nonce() - /// instead of this function, unless implementing a protocol that requires - /// a non-random IV. + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. Implementations which require + /// MBEDTLS_GCM_ALT to be enabled may not provide support for + /// overlapping buffers. /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] nonce Buffer containing the nonce to use. - /// \param nonce_length Size of the nonce in bytes. + /// \param ctx The GCM context. This must be initialized. + /// \param input The buffer holding the input data. If \p input_length + /// is greater than zero, this must be a readable buffer + /// of at least \p input_length bytes. + /// \param input_length The length of the input data in bytes. + /// \param output The buffer for the output data. If \p output_size + /// is greater than zero, this must be a writable buffer of + /// of at least \p output_size bytes. + /// \param output_size The size of the output buffer in bytes. + /// See the function description regarding the output size. + /// \param output_length On success, \p *output_length contains the actual + /// length of the output written in \p output. + /// On failure, the content of \p *output_length is + /// unspecified. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The size of \p nonce is not acceptable for the chosen algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with no nonce - /// set), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_set_nonce( - operation: *mut psa_aead_operation_t, - nonce: *const u8, - nonce_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: + /// total input length too long, + /// unsupported input/output buffer overlap detected, + /// or \p output_size too small. + pub fn mbedtls_gcm_update( + ctx: *mut mbedtls_gcm_context, + input: *const ::core::ffi::c_uchar, + input_length: usize, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_length: *mut usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Declare the lengths of the message and additional data for AEAD. - /// - /// The application must call this function before calling - /// psa_aead_update_ad() or psa_aead_update() if the algorithm for - /// the operation requires it. If the algorithm does not require it, - /// calling this function is optional, but if this function is called - /// then the implementation must enforce the lengths. - /// - /// You may call this function before or after setting the nonce with - /// psa_aead_set_nonce() or psa_aead_generate_nonce(). - /// - /// - For #PSA_ALG_CCM, calling this function is required. - /// - For the other AEAD algorithms defined in this specification, calling - /// this function is not required. - /// - For vendor-defined algorithm, refer to the vendor documentation. + /// \brief This function finishes the GCM operation and generates + /// the authentication tag. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// It wraps up the GCM stream, and generates the + /// tag. The tag can have a maximum length of 16 Bytes. /// - /// \param[in,out] operation Active AEAD operation. - /// \param ad_length Size of the non-encrypted additional - /// authenticated data in bytes. - /// \param plaintext_length Size of the plaintext to encrypt in bytes. + /// \param ctx The GCM context. This must be initialized. + /// \param tag The buffer for holding the tag. This must be a writable + /// buffer of at least \p tag_len Bytes. + /// \param tag_len The length of the tag to generate. This must be at least + /// four. + /// \param output The buffer for the final output. + /// If \p output_size is nonzero, this must be a writable + /// buffer of at least \p output_size bytes. + /// \param output_size The size of the \p output buffer in bytes. + /// This must be large enough for the output that + /// mbedtls_gcm_update() has not produced. In particular: + /// - If mbedtls_gcm_update() produces immediate output, + /// or if the total input size is a multiple of \c 16, + /// then mbedtls_gcm_finish() never produces any output, + /// so \p output_size can be \c 0. + /// - \p output_size never needs to be more than \c 15. + /// \param output_length On success, \p *output_length contains the actual + /// length of the output written in \p output. + /// On failure, the content of \p *output_length is + /// unspecified. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// At least one of the lengths is not acceptable for the chosen - /// algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and - /// psa_aead_update_ad() and psa_aead_update() must not have been - /// called yet), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_set_lengths( - operation: *mut psa_aead_operation_t, - ad_length: usize, - plaintext_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: + /// invalid value of \p tag_len, + /// or \p output_size too small. + pub fn mbedtls_gcm_finish( + ctx: *mut mbedtls_gcm_context, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_length: *mut usize, + tag: *mut ::core::ffi::c_uchar, + tag_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Pass additional data to an active AEAD operation. - /// - /// Additional data is authenticated, but not encrypted. - /// - /// You may call this function multiple times to pass successive fragments - /// of the additional data. You may not call this function after passing - /// data to encrypt or decrypt with psa_aead_update(). - /// - /// Before calling this function, you must: - /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). - /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). - /// - /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, - /// there is no guarantee that the input is valid. Therefore, until - /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS, - /// treat the input as untrusted and prepare to undo any action that - /// depends on the input if psa_aead_verify() returns an error status. - /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] input Buffer containing the fragment of - /// additional data. - /// \param input_length Size of the \p input buffer in bytes. + /// \brief This function clears a GCM context and the underlying + /// cipher sub-context. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total input length overflows the additional data length that - /// was previously specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, have a nonce - /// set, have lengths set if required by the algorithm, and - /// psa_aead_update() must not have been called yet), or the library - /// has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_update_ad( - operation: *mut psa_aead_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \param ctx The GCM context to clear. If this is \c NULL, the call has + /// no effect. Otherwise, this must be initialized. + pub fn mbedtls_gcm_free(ctx: *mut mbedtls_gcm_context); } unsafe extern "C" { - /// Encrypt or decrypt a message fragment in an active AEAD operation. - /// - /// Before calling this function, you must: - /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). - /// The choice of setup function determines whether this function - /// encrypts or decrypts its input. - /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). - /// 3. Call psa_aead_update_ad() to pass all the additional data. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). - /// - /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, - /// there is no guarantee that the input is valid. Therefore, until - /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS: - /// - Do not use the output in any way other than storing it in a - /// confidential location. If you take any action that depends - /// on the tentative decrypted data, this action will need to be - /// undone if the input turns out not to be valid. Furthermore, - /// if an adversary can observe that this action took place - /// (for example through timing), they may be able to use this - /// fact as an oracle to decrypt any message encrypted with the - /// same key. - /// - In particular, do not copy the output anywhere but to a - /// memory or storage space that you have exclusive access to. - /// - /// This function does not require the input to be aligned to any - /// particular block boundary. If the implementation can only process - /// a whole block at a time, it must consume all the input provided, but - /// it may delay the end of the corresponding output until a subsequent - /// call to psa_aead_update(), psa_aead_finish() or psa_aead_verify() - /// provides sufficient input. The amount of data that can be delayed - /// in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE. - /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] input Buffer containing the message fragment to - /// encrypt or decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, - /// \c alg, \p input_length) where - /// \c key_type is the type of key and \c alg is - /// the algorithm that were used to set up the - /// operation. - /// - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p - /// input_length) evaluates to the maximum - /// output size of any supported AEAD - /// algorithm. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. + /// \brief The GCM checkup routine. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or - /// #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to - /// determine the required buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total input length overflows the plaintext length that - /// was previously specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, have a nonce - /// set, and have lengths set if required by the algorithm), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_update( - operation: *mut psa_aead_operation_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_gcm_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_hmac_operation_t { + /// The HMAC algorithm in use + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + /// The hash context. + pub hash_ctx: psa_hash_operation_s, + /// The HMAC part of the context. + pub private_opad: [u8; 128usize], +} +impl Default for mbedtls_psa_hmac_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_mac_operation_t { + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + pub private_ctx: mbedtls_psa_mac_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union mbedtls_psa_mac_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_hmac: mbedtls_psa_hmac_operation_t, + pub private_cmac: mbedtls_cipher_context_t, +} +impl Default for mbedtls_psa_mac_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_mac_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_aead_operation_t { + pub private_alg: psa_algorithm_t, + pub private_key_type: psa_key_type_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_tag_length: u8, + pub ctx: mbedtls_psa_aead_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_aead_operation_t__bindgen_ty_1 { + pub dummy: ::core::ffi::c_uint, + pub private_ccm: mbedtls_ccm_context, + pub private_gcm: mbedtls_gcm_context, + pub private_chachapoly: mbedtls_chachapoly_context, +} +impl Default for mbedtls_psa_aead_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_aead_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl mbedtls_psa_aead_operation_t { + #[inline] + pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_is_encrypt: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; + private_is_encrypt as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_sign_hash_interruptible_operation_t { + pub private_dummy: ::core::ffi::c_uint, +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_verify_hash_interruptible_operation_t { + pub private_dummy: ::core::ffi::c_uint, +} +///< Client +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_CLIENT: mbedtls_ecjpake_role = 0; +///< Server +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_SERVER: mbedtls_ecjpake_role = 1; +///< Undefined +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_NONE: mbedtls_ecjpake_role = 2; +/// Roles in the EC J-PAKE exchange +pub type mbedtls_ecjpake_role = ::core::ffi::c_uint; +/// EC J-PAKE context structure. +/// +/// J-PAKE is a symmetric protocol, except for the identifiers used in +/// Zero-Knowledge Proofs, and the serialization of the second message +/// (KeyExchange) as defined by the Thread spec. +/// +/// In order to benefit from this symmetry, we choose a different naming +/// convention from the Thread v1.0 spec. Correspondence is indicated in the +/// description as a pair C: client name, S: server name +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecjpake_context { + ///< Hash to use + pub private_md_type: mbedtls_md_type_t, + ///< Elliptic curve + pub private_grp: mbedtls_ecp_group, + ///< Are we client or server? + pub private_role: mbedtls_ecjpake_role, + ///< Format for point export + pub private_point_format: ::core::ffi::c_int, + ///< My public key 1 C: X1, S: X3 + pub private_Xm1: mbedtls_ecp_point, + ///< My public key 2 C: X2, S: X4 + pub private_Xm2: mbedtls_ecp_point, + ///< Peer public key 1 C: X3, S: X1 + pub private_Xp1: mbedtls_ecp_point, + ///< Peer public key 2 C: X4, S: X2 + pub private_Xp2: mbedtls_ecp_point, + ///< Peer public key C: Xs, S: Xc + pub private_Xp: mbedtls_ecp_point, + ///< My private key 1 C: x1, S: x3 + pub private_xm1: mbedtls_mpi, + ///< My private key 2 C: x2, S: x4 + pub private_xm2: mbedtls_mpi, + ///< Pre-shared secret (passphrase) + pub private_s: mbedtls_mpi, +} +impl Default for mbedtls_ecjpake_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Finish encrypting a message in an AEAD operation. - /// - /// The operation must have been set up with psa_aead_encrypt_setup(). + /// \brief Initialize an ECJPAKE context. /// - /// This function finishes the authentication of the additional data - /// formed by concatenating the inputs passed to preceding calls to - /// psa_aead_update_ad() with the plaintext formed by concatenating the - /// inputs passed to preceding calls to psa_aead_update(). + /// \param ctx The ECJPAKE context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_ecjpake_init(ctx: *mut mbedtls_ecjpake_context); +} +unsafe extern "C" { + /// \brief Set up an ECJPAKE context for use. /// - /// This function has two output buffers: - /// - \p ciphertext contains trailing ciphertext that was buffered from - /// preceding calls to psa_aead_update(). - /// - \p tag contains the authentication tag. + /// \note Currently the only values for hash/curve allowed by the + /// standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// \param ctx The ECJPAKE context to set up. This must be initialized. + /// \param role The role of the caller. This must be either + /// #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. + /// \param hash The identifier of the hash function to use, + /// for example #MBEDTLS_MD_SHA256. + /// \param curve The identifier of the elliptic curve to use, + /// for example #MBEDTLS_ECP_DP_SECP256R1. + /// \param secret The pre-shared secret (passphrase). This must be + /// a readable not empty buffer of length \p len Bytes. It need + /// only be valid for the duration of this call. + /// \param len The length of the pre-shared secret \p secret. /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] ciphertext Buffer where the last part of the ciphertext - /// is to be written. - /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, - /// \c alg) where \c key_type is the type of key - /// and \c alg is the algorithm that were used to - /// set up the operation. - /// - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to - /// the maximum output size of any supported AEAD - /// algorithm. - /// \param[out] ciphertext_length On success, the number of bytes of - /// returned ciphertext. - /// \param[out] tag Buffer where the authentication tag is - /// to be written. - /// \param tag_size Size of the \p tag buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c - /// key_type, \c key_bits, \c alg) where - /// \c key_type and \c key_bits are the type and - /// bit-size of the key, and \c alg is the - /// algorithm that were used in the call to - /// psa_aead_encrypt_setup(). - /// - #PSA_AEAD_TAG_MAX_SIZE evaluates to the - /// maximum tag size of any supported AEAD - /// algorithm. - /// \param[out] tag_length On success, the number of bytes - /// that make up the returned tag. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p ciphertext or \p tag buffer is too small. - /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or - /// #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the - /// required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type, - /// \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to - /// determine the required \p tag buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total length of input to psa_aead_update() so far is - /// less than the plaintext length that was previously - /// specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active encryption - /// operation with a nonce set), or the library has not been previously - /// initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_finish( - operation: *mut psa_aead_operation_t, - ciphertext: *mut u8, - ciphertext_size: usize, - ciphertext_length: *mut usize, - tag: *mut u8, - tag_size: usize, - tag_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_setup( + ctx: *mut mbedtls_ecjpake_context, + role: mbedtls_ecjpake_role, + hash: mbedtls_md_type_t, + curve: mbedtls_ecp_group_id, + secret: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish authenticating and decrypting a message in an AEAD operation. - /// - /// The operation must have been set up with psa_aead_decrypt_setup(). - /// - /// This function finishes the authenticated decryption of the message - /// components: + /// \brief Set the point format for future reads and writes. /// - /// - The additional data consisting of the concatenation of the inputs - /// passed to preceding calls to psa_aead_update_ad(). - /// - The ciphertext consisting of the concatenation of the inputs passed to - /// preceding calls to psa_aead_update(). - /// - The tag passed to this function call. + /// \param ctx The ECJPAKE context to configure. + /// \param point_format The point format to use: + /// #MBEDTLS_ECP_PF_UNCOMPRESSED (default) + /// or #MBEDTLS_ECP_PF_COMPRESSED. /// - /// If the authentication tag is correct, this function outputs any remaining - /// plaintext and reports success. If the authentication tag is not correct, - /// this function returns #PSA_ERROR_INVALID_SIGNATURE. + /// \return \c 0 if successful. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format + /// is invalid. + pub fn mbedtls_ecjpake_set_point_format( + ctx: *mut mbedtls_ecjpake_context, + point_format: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Check if an ECJPAKE context is ready for use. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// \param ctx The ECJPAKE context to check. This must be + /// initialized. /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual tag and the expected tag is performed - /// in constant time. + /// \return \c 0 if the context is ready for use. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. + pub fn mbedtls_ecjpake_check(ctx: *const mbedtls_ecjpake_context) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Generate and write the first round message + /// (TLS: contents of the Client/ServerHello extension, + /// excluding extension type and length bytes). /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] plaintext Buffer where the last part of the plaintext - /// is to be written. This is the remaining data - /// from previous calls to psa_aead_update() - /// that could not be processed until the end - /// of the input. - /// \param plaintext_size Size of the \p plaintext buffer in bytes. - /// This must be appropriate for the selected algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, - /// \c alg) where \c key_type is the type of key - /// and \c alg is the algorithm that were used to - /// set up the operation. - /// - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to - /// the maximum output size of any supported AEAD - /// algorithm. - /// \param[out] plaintext_length On success, the number of bytes of - /// returned plaintext. - /// \param[in] tag Buffer containing the authentication tag. - /// \param tag_length Size of the \p tag buffer in bytes. + /// \param ctx The ECJPAKE context to use. This must be + /// initialized and set up. + /// \param buf The buffer to write the contents to. This must be a + /// writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number + /// of Bytes written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculations were successful, but the authentication tag is - /// not correct. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p plaintext buffer is too small. - /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or - /// #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the - /// required buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total length of input to psa_aead_update() so far is - /// less than the plaintext length that was previously - /// specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active decryption - /// operation with a nonce set), or the library has not been previously - /// initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_verify( - operation: *mut psa_aead_operation_t, - plaintext: *mut u8, - plaintext_size: usize, - plaintext_length: *mut usize, - tag: *const u8, - tag_length: usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_round_one( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort an AEAD operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again. + /// \brief Read and process the first round message + /// (TLS: contents of the Client/ServerHello extension, + /// excluding extension type and length bytes). /// - /// You may call this function any time after the operation object has - /// been initialized as described in #psa_aead_operation_t. + /// \param ctx The ECJPAKE context to use. This must be initialized + /// and set up. + /// \param buf The buffer holding the first round message. This must + /// be a readable buffer of length \p len Bytes. + /// \param len The length in Bytes of \p buf. /// - /// In particular, calling psa_aead_abort() after the operation has been - /// terminated by a call to psa_aead_abort(), psa_aead_finish() or - /// psa_aead_verify() is safe and has no effect. + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_read_round_one( + ctx: *mut mbedtls_ecjpake_context, + buf: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Generate and write the second round message + /// (TLS: contents of the Client/ServerKeyExchange). /// - /// \param[in,out] operation Initialized AEAD operation. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up, and already have performed round one. + /// \param buf The buffer to write the round two contents to. + /// This must be a writable buffer of length \p len Bytes. + /// \param len The size of \p buf in Bytes. + /// \param olen The address at which to store the total number of Bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_abort(operation: *mut psa_aead_operation_t) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_round_two( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Sign a message with a private key. For hash-and-sign algorithms, - /// this includes the hashing step. + /// \brief Read and process the second round message + /// (TLS: contents of the Client/ServerKeyExchange). /// - /// \note To perform a multi-part hash-and-sign signature algorithm, first use - /// a multi-part hash operation and then pass the resulting hash to - /// psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the - /// hash algorithm to use. - /// - /// \param[in] key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) - /// is true), that is compatible with the type of - /// \p key. - /// \param[in] input The input message to sign. - /// \param[in] input_length Size of the \p input buffer in bytes. - /// \param[out] signature Buffer where the signature is to be written. - /// \param[in] signature_size Size of the \p signature buffer in bytes. This - /// must be appropriate for the selected - /// algorithm and key: - /// - The required signature size is - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and - /// bit-size respectively of key. - /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the - /// maximum signature size of any supported - /// signature algorithm. - /// \param[out] signature_length On success, the number of bytes that make up - /// the returned signature value. + /// \param ctx The ECJPAKE context to use. This must be initialized + /// and set up and already have performed round one. + /// \param buf The buffer holding the second round message. This must + /// be a readable buffer of length \p len Bytes. + /// \param len The length in Bytes of \p buf. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, - /// or it does not permit the requested algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_sign_message( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_read_round_two( + ctx: *mut mbedtls_ecjpake_context, + buf: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify the signature of a message with a public key, using - /// a hash-and-sign verification algorithm. - /// - /// \note To perform a multi-part hash-and-sign signature verification - /// algorithm, first use a multi-part hash operation to hash the message - /// and then pass the resulting hash to psa_verify_hash(). - /// PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm - /// to use. + /// \brief Derive the shared secret + /// (TLS: Pre-Master Secret). /// - /// \param[in] key Identifier of the key to use for the operation. - /// It must be a public key or an asymmetric key - /// pair. The key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) - /// is true), that is compatible with the type of - /// \p key. - /// \param[in] input The message whose signature is to be verified. - /// \param[in] input_length Size of the \p input buffer in bytes. - /// \param[out] signature Buffer containing the signature to verify. - /// \param[in] signature_length Size of the \p signature buffer in bytes. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up and have performed both round one and two. + /// \param buf The buffer to write the derived secret to. This must + /// be a writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number of Bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, - /// or it does not permit the requested algorithm. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed signature - /// is not a valid signature. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_verify_message( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - signature: *const u8, - signature_length: usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_derive_secret( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Sign a hash or short message with a private key. - /// - /// Note that to perform a hash-and-sign signature algorithm, you must - /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() - /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). - /// Then pass the resulting hash as the \p hash - /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) - /// to determine the hash algorithm to use. + /// \brief Write the shared key material to be passed to a Key + /// Derivation Function as described in RFC8236. /// - /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. - /// \param alg A signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message to sign. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[out] signature Buffer where the signature is to be written. - /// \param signature_size Size of the \p signature buffer in bytes. - /// \param[out] signature_length On success, the number of bytes - /// that make up the returned signature value. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up and have performed both round one and two. + /// \param buf The buffer to write the derived secret to. This must + /// be a writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number of bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_sign_hash( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_shared_key( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify the signature of a hash or short message using a public key. - /// - /// Note that to perform a hash-and-sign signature algorithm, you must - /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() - /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). - /// Then pass the resulting hash as the \p hash - /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) - /// to determine the hash algorithm to use. + /// \brief This clears an ECJPAKE context and frees any + /// embedded data structure. /// - /// \param key Identifier of the key to use for the operation. It - /// must be a public key or an asymmetric key pair. The - /// key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_HASH. - /// \param alg A signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message whose signature is to be - /// verified. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[in] signature Buffer containing the signature to verify. - /// \param signature_length Size of the \p signature buffer in bytes. + /// \param ctx The ECJPAKE context to free. This may be \c NULL, + /// in which case this function does nothing. If it is not + /// \c NULL, it must point to an initialized ECJPAKE context. + pub fn mbedtls_ecjpake_free(ctx: *mut mbedtls_ecjpake_context); +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// \retval #PSA_SUCCESS - /// The signature is valid. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed - /// signature is not a valid signature. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_verify_hash( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *const u8, - signature_length: usize, - ) -> psa_status_t; + /// \return 0 if successful, or 1 if a test failed + pub fn mbedtls_ecjpake_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief Encrypt a short message with a public key. - /// - /// \param key Identifier of the key to use for the operation. - /// It must be a public key or an asymmetric key - /// pair. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg An asymmetric encryption algorithm that is - /// compatible with the type of \p key. - /// \param[in] input The message to encrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[in] salt A salt or label, if supported by the - /// encryption algorithm. - /// If the algorithm does not support a - /// salt, pass \c NULL. - /// If the algorithm supports an optional - /// salt and you do not want to pass a salt, - /// pass \c NULL. - /// - /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is - /// supported. - /// \param salt_length Size of the \p salt buffer in bytes. - /// If \p salt is \c NULL, pass 0. - /// \param[out] output Buffer where the encrypted message is to - /// be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_asymmetric_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - salt: *const u8, - salt_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_pake_operation_t { + pub private_alg: psa_algorithm_t, + pub private_password: *mut u8, + pub private_password_len: usize, + pub private_role: mbedtls_ecjpake_role, + pub private_buffer: [u8; 336usize], + pub private_buffer_length: usize, + pub private_buffer_offset: usize, + pub private_ctx: mbedtls_psa_pake_operation_t__bindgen_ty_1, } -unsafe extern "C" { - /// \brief Decrypt a short message with a private key. - /// - /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. It must - /// allow the usage #PSA_KEY_USAGE_DECRYPT. - /// \param alg An asymmetric encryption algorithm that is - /// compatible with the type of \p key. - /// \param[in] input The message to decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[in] salt A salt or label, if supported by the - /// encryption algorithm. - /// If the algorithm does not support a - /// salt, pass \c NULL. - /// If the algorithm supports an optional - /// salt and you do not want to pass a salt, - /// pass \c NULL. - /// - /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is - /// supported. - /// \param salt_length Size of the \p salt buffer in bytes. - /// If \p salt is \c NULL, pass 0. - /// \param[out] output Buffer where the decrypted message is to - /// be written. - /// \param output_size Size of the \c output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INVALID_PADDING \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_asymmetric_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - salt: *const u8, - salt_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_pake_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_jpake: mbedtls_ecjpake_context, } -/// The type of the state data structure for key derivation operations. -/// -/// Before calling any function on a key derivation operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_key_derivation_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_key_derivation_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT, -/// for example: -/// \code -/// psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_key_derivation_operation_init() -/// to the structure, for example: -/// \code -/// psa_key_derivation_operation_t operation; -/// operation = psa_key_derivation_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_key_derivation_operation_t = psa_key_derivation_s; -unsafe extern "C" { - /// Set up a key derivation operation. - /// - /// A key derivation algorithm takes some inputs and uses them to generate - /// a byte stream in a deterministic way. - /// This byte stream can be used to produce keys and other - /// cryptographic material. - /// - /// To derive a key: - /// -# Start with an initialized object of type #psa_key_derivation_operation_t. - /// -# Call psa_key_derivation_setup() to select the algorithm. - /// -# Provide the inputs for the key derivation by calling - /// psa_key_derivation_input_bytes() or psa_key_derivation_input_key() - /// as appropriate. Which inputs are needed, in what order, and whether - /// they may be keys and if so of what type depends on the algorithm. - /// -# Optionally set the operation's maximum capacity with - /// psa_key_derivation_set_capacity(). You may do this before, in the middle - /// of or after providing inputs. For some algorithms, this step is mandatory - /// because the output depends on the maximum capacity. - /// -# To derive a key, call psa_key_derivation_output_key(). - /// To derive a byte string for a different purpose, call - /// psa_key_derivation_output_bytes(). - /// Successive calls to these functions use successive output bytes - /// calculated by the key derivation algorithm. - /// -# Clean up the key derivation operation object with - /// psa_key_derivation_abort(). - /// - /// If this function returns an error, the key derivation operation object is - /// not changed. - /// - /// If an error occurs at any step after a call to psa_key_derivation_setup(), - /// the operation will need to be reset by a call to psa_key_derivation_abort(). - /// - /// Implementations must reject an attempt to derive a key of size 0. - /// - /// \param[in,out] operation The key derivation operation object - /// to set up. It must - /// have been initialized but not set up yet. - /// \param alg The key derivation algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c alg is not a key derivation algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a key derivation algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_setup( - operation: *mut psa_key_derivation_operation_t, - alg: psa_algorithm_t, - ) -> psa_status_t; +impl Default for mbedtls_psa_pake_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Retrieve the current capacity of a key derivation operation. - /// - /// The capacity of a key derivation is the maximum number of bytes that it can - /// return. When you get *N* bytes of output from a key derivation operation, - /// this reduces its capacity by *N*. - /// - /// \param[in] operation The operation to query. - /// \param[out] capacity On success, the capacity of the operation. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_get_capacity( - operation: *const psa_key_derivation_operation_t, - capacity: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_pake_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Set the maximum capacity of a key derivation operation. - /// - /// The capacity of a key derivation operation is the maximum number of bytes - /// that the key derivation operation can return from this point onwards. - /// - /// \param[in,out] operation The key derivation operation object to modify. - /// \param capacity The new capacity of the operation. - /// It must be less or equal to the operation's - /// current capacity. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p capacity is larger than the operation's current capacity. - /// In this case, the operation object remains valid and its capacity - /// remains unchanged. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_set_capacity( - operation: *mut psa_key_derivation_operation_t, - capacity: usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_mac_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_mac_operation_t, } -unsafe extern "C" { - /// Provide an input for key derivation or key agreement. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function passes direct inputs, which is usually correct for - /// non-secret inputs. To pass a secret input, which should be in a key - /// object, call psa_key_derivation_input_key() instead of this function. - /// Refer to the documentation of individual step types - /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) - /// for more information. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param[in] data Input data to use. - /// \param data_length Size of the \p data buffer in bytes. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow direct inputs. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_bytes( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - data: *const u8, - data_length: usize, - ) -> psa_status_t; +impl Default for psa_driver_mac_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Provide a numeric input for key derivation or key agreement. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// However, when an algorithm requires a particular order, numeric inputs - /// usually come first as they tend to be configuration parameters. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function is used for inputs which are fixed-size non-negative - /// integers. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param[in] value The value of the numeric input. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow numeric inputs. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_integer( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - value: u64, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_aead_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_aead_operation_t, } -unsafe extern "C" { - /// Provide an input for key derivation in the form of a key. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function obtains input from a key object, which is usually correct for - /// secret inputs or for non-secret personalization strings kept in the key - /// store. To pass a non-secret parameter which is not in the key store, - /// call psa_key_derivation_input_bytes() instead of this function. - /// Refer to the documentation of individual step types - /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) - /// for more information. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param key Identifier of the key. It must have an - /// appropriate type for step and must allow the - /// usage #PSA_KEY_USAGE_DERIVE or - /// #PSA_KEY_USAGE_VERIFY_DERIVATION (see note) - /// and the algorithm used by the operation. - /// - /// \note Once all inputs steps are completed, the operations will allow: - /// - psa_key_derivation_output_bytes() if each input was either a direct input - /// or a key with #PSA_KEY_USAGE_DERIVE set; - /// - psa_key_derivation_output_key() if the input for step - /// #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD - /// was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was - /// either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; - /// - psa_key_derivation_verify_bytes() if each input was either a direct input - /// or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; - /// - psa_key_derivation_verify_key() under the same conditions as - /// psa_key_derivation_verify_bytes(). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key allows neither #PSA_KEY_USAGE_DERIVE nor - /// #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this - /// algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow key inputs of the given type - /// or does not allow key inputs at all. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_key( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - key: mbedtls_svc_key_id_t, - ) -> psa_status_t; +impl Default for psa_driver_aead_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Perform a key agreement and use the shared secret as input to a key - /// derivation. - /// - /// A key agreement algorithm takes two inputs: a private key \p private_key - /// a public key \p peer_key. - /// The result of this function is passed as input to a key derivation. - /// The output of this key derivation can be extracted by reading from the - /// resulting operation to produce keys and other cryptographic material. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() with a - /// key agreement and derivation algorithm - /// \c alg (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true - /// and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg) - /// is false). - /// The operation must be ready for an - /// input of the type given by \p step. - /// \param step Which step the input data is for. - /// \param private_key Identifier of the private key to use. It must - /// allow the usage #PSA_KEY_USAGE_DERIVE. - /// \param[in] peer_key Public key of the peer. The peer key must be in the - /// same format that psa_import_key() accepts for the - /// public key type corresponding to the type of - /// private_key. That is, this function performs the - /// equivalent of - /// #psa_import_key(..., - /// `peer_key`, `peer_key_length`) where - /// with key attributes indicating the public key - /// type corresponding to the type of `private_key`. - /// For example, for EC keys, this means that peer_key - /// is interpreted as a point on the curve that the - /// private key is on. The standard formats for public - /// keys are documented in the documentation of - /// psa_export_public_key(). - /// \param peer_key_length Size of \p peer_key in bytes. +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_sign_hash_interruptible_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_sign_hash_interruptible_operation_t, +} +impl Default for psa_driver_sign_hash_interruptible_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_verify_hash_interruptible_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_verify_hash_interruptible_operation_t, +} +impl Default for psa_driver_verify_hash_interruptible_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_pake_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_pake_operation_t, +} +impl Default for psa_driver_pake_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_mac_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_mac_size: u8, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub __bindgen_padding_0: u64, + pub private_ctx: psa_driver_mac_context_t, +} +impl Default for psa_mac_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_mac_operation_s { + #[inline] + pub fn private_is_sign(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_sign(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_sign_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_sign_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_is_sign: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_is_sign: u32 = unsafe { ::core::mem::transmute(private_is_sign) }; + private_is_sign as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_aead_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_alg: psa_algorithm_t, + pub private_key_type: psa_key_type_t, + pub private_ad_remaining: usize, + pub private_body_remaining: usize, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_ctx: psa_driver_aead_context_t, +} +impl Default for psa_aead_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_aead_operation_s { + #[inline] + pub fn private_nonce_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_nonce_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_nonce_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_nonce_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_lengths_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_lengths_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(1usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_lengths_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 1usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_lengths_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 1usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_ad_started(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_ad_started(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(2usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_ad_started_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 2usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_ad_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 2usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_body_started(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(3usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_body_started(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(3usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_body_started_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 3usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_body_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 3usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(4usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(4usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 4usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 4usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_nonce_set: ::core::ffi::c_uint, + private_lengths_set: ::core::ffi::c_uint, + private_ad_started: ::core::ffi::c_uint, + private_body_started: ::core::ffi::c_uint, + private_is_encrypt: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_nonce_set: u32 = unsafe { ::core::mem::transmute(private_nonce_set) }; + private_nonce_set as u64 + }); + __bindgen_bitfield_unit.set(1usize, 1u8, { + let private_lengths_set: u32 = unsafe { ::core::mem::transmute(private_lengths_set) }; + private_lengths_set as u64 + }); + __bindgen_bitfield_unit.set(2usize, 1u8, { + let private_ad_started: u32 = unsafe { ::core::mem::transmute(private_ad_started) }; + private_ad_started as u64 + }); + __bindgen_bitfield_unit.set(3usize, 1u8, { + let private_body_started: u32 = unsafe { ::core::mem::transmute(private_body_started) }; + private_body_started as u64 + }); + __bindgen_bitfield_unit.set(4usize, 1u8, { + let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; + private_is_encrypt as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_hkdf_key_derivation_t { + pub private_info: *mut u8, + pub private_info_length: usize, + pub private_offset_in_block: u8, + pub private_block_number: u8, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_output_block: [u8; 64usize], + pub private_prk: [u8; 64usize], + pub __bindgen_padding_0: [u64; 0usize], + pub private_hmac: psa_mac_operation_s, +} +impl Default for psa_hkdf_key_derivation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_hkdf_key_derivation_t { + #[inline] + pub fn private_state(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 2u8) as u32) } + } + #[inline] + pub fn set_private_state(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 2u8, val as u64) + } + } + #[inline] + pub unsafe fn private_state_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 2u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_state_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 2u8, + val as u64, + ) + } + } + #[inline] + pub fn private_info_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_info_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(2usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_info_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 2usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_info_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 2usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_state: ::core::ffi::c_uint, + private_info_set: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 2u8, { + let private_state: u32 = unsafe { ::core::mem::transmute(private_state) }; + private_state as u64 + }); + __bindgen_bitfield_unit.set(2usize, 1u8, { + let private_info_set: u32 = unsafe { ::core::mem::transmute(private_info_set) }; + private_info_set as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_tls12_ecjpake_to_pms_t { + pub private_data: [u8; 32usize], +} +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_INIT: + psa_tls12_prf_key_derivation_state_t = 0; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_SEED_SET: + psa_tls12_prf_key_derivation_state_t = 1; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OTHER_KEY_SET: + psa_tls12_prf_key_derivation_state_t = 2; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_KEY_SET: + psa_tls12_prf_key_derivation_state_t = 3; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_LABEL_SET: + psa_tls12_prf_key_derivation_state_t = 4; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OUTPUT: + psa_tls12_prf_key_derivation_state_t = 5; +pub type psa_tls12_prf_key_derivation_state_t = ::core::ffi::c_uint; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_tls12_prf_key_derivation_s { + pub private_left_in_block: u8, + pub private_block_number: u8, + pub private_state: psa_tls12_prf_key_derivation_state_t, + pub private_secret: *mut u8, + pub private_secret_length: usize, + pub private_seed: *mut u8, + pub private_seed_length: usize, + pub private_label: *mut u8, + pub private_label_length: usize, + pub private_other_secret: *mut u8, + pub private_other_secret_length: usize, + pub private_Ai: [u8; 64usize], + pub private_output_block: [u8; 64usize], +} +impl Default for psa_tls12_prf_key_derivation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub type psa_tls12_prf_key_derivation_t = psa_tls12_prf_key_derivation_s; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_key_derivation_context_t { + pub dummy: ::core::ffi::c_uint, + pub private_hkdf: psa_hkdf_key_derivation_t, + pub private_tls12_prf: psa_tls12_prf_key_derivation_t, + pub private_tls12_ecjpake_to_pms: psa_tls12_ecjpake_to_pms_t, +} +impl Default for psa_driver_key_derivation_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_key_derivation_s { + pub private_alg: psa_algorithm_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_capacity: usize, + pub __bindgen_padding_0: [u64; 0usize], + pub private_ctx: psa_driver_key_derivation_context_t, +} +impl Default for psa_key_derivation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_key_derivation_s { + #[inline] + pub fn private_can_output_key(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_can_output_key(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_can_output_key_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_can_output_key_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_can_output_key: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_can_output_key: u32 = + unsafe { ::core::mem::transmute(private_can_output_key) }; + private_can_output_key as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_custom_key_parameters_s { + pub flags: u32, +} +#[repr(C)] +#[derive(Default)] +pub struct psa_key_production_parameters_s { + pub flags: u32, + pub data: __IncompleteArrayField, +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_key_policy_s { + pub private_usage: psa_key_usage_t, + pub private_alg: psa_algorithm_t, + pub private_alg2: psa_algorithm_t, +} +pub type psa_key_policy_t = psa_key_policy_s; +pub type psa_key_bits_t = u16; +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_key_attributes_s { + pub private_type: psa_key_type_t, + pub private_bits: psa_key_bits_t, + pub private_lifetime: psa_key_lifetime_t, + pub private_policy: psa_key_policy_t, + pub private_id: mbedtls_svc_key_id_t, +} +/// \brief The context for PSA interruptible hash signing. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_sign_hash_interruptible_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_ctx: psa_driver_sign_hash_interruptible_context_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_num_ops: u32, +} +impl Default for psa_sign_hash_interruptible_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_sign_hash_interruptible_operation_s { + #[inline] + pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_error_occurred: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_error_occurred: u32 = + unsafe { ::core::mem::transmute(private_error_occurred) }; + private_error_occurred as u64 + }); + __bindgen_bitfield_unit + } +} +/// \brief The context for PSA interruptible hash verification. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_verify_hash_interruptible_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_ctx: psa_driver_verify_hash_interruptible_context_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_num_ops: u32, +} +impl Default for psa_verify_hash_interruptible_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_verify_hash_interruptible_operation_s { + #[inline] + pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_error_occurred: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_error_occurred: u32 = + unsafe { ::core::mem::transmute(private_error_occurred) }; + private_error_occurred as u64 + }); + __bindgen_bitfield_unit + } +} +unsafe extern "C" { + /// \brief Library initialization. + /// + /// Applications must call this function before calling any other + /// function in this module. + /// + /// Applications may call this function more than once. Once a call + /// succeeds, subsequent calls are guaranteed to succeed. + /// + /// If the application calls other functions before calling psa_crypto_init(), + /// the behavior is undefined. Implementations are encouraged to either perform + /// the operation as if the library had been initialized or to return + /// #PSA_ERROR_BAD_STATE or some other applicable error. In particular, + /// implementations should not return a success status if the lack of + /// initialization may have security implications, for example due to improper + /// seeding of the random number generator. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + pub fn psa_crypto_init() -> psa_status_t; +} +unsafe extern "C" { + /// Retrieve the attributes of a key. + /// + /// This function first resets the attribute structure as with + /// psa_reset_key_attributes(). It then copies the attributes of + /// the given key into the given attribute structure. + /// + /// \note This function may allocate memory or other resources. + /// Once you have called this function on an attribute structure, + /// you must call psa_reset_key_attributes() to free these resources. + /// + /// \param[in] key Identifier of the key to query. + /// \param[in,out] attributes On success, the attributes of the key. + /// On failure, equivalent to a + /// freshly-initialized structure. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_get_key_attributes( + key: mbedtls_svc_key_id_t, + attributes: *mut psa_key_attributes_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Reset a key attribute structure to a freshly initialized state. + /// + /// You must initialize the attribute structure as described in the + /// documentation of the type #psa_key_attributes_t before calling this + /// function. Once the structure has been initialized, you may call this + /// function at any time. + /// + /// This function frees any auxiliary resources that the structure + /// may contain. + /// + /// \param[in,out] attributes The attribute structure to reset. + pub fn psa_reset_key_attributes(attributes: *mut psa_key_attributes_t); +} +unsafe extern "C" { + /// Remove non-essential copies of key material from memory. + /// + /// If the key identifier designates a volatile key, this functions does not do + /// anything and returns successfully. + /// + /// If the key identifier designates a persistent key, then this function will + /// free all resources associated with the key in volatile memory. The key + /// data in persistent storage is not affected and the key can still be used. + /// + /// \param key Identifier of the key to purge. + /// + /// \retval #PSA_SUCCESS + /// The key material will have been removed from memory if it is not + /// currently required. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not a valid key identifier. + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_purge_key(key: mbedtls_svc_key_id_t) -> psa_status_t; +} +unsafe extern "C" { + /// Make a copy of a key. + /// + /// Copy key material from one location to another. + /// + /// This function is primarily useful to copy a key from one location + /// to another, since it populates a key using the material from + /// another key which may have a different lifetime. + /// + /// This function may be used to share a key with a different party, + /// subject to implementation-defined restrictions on key sharing. + /// + /// The policy on the source key must have the usage flag + /// #PSA_KEY_USAGE_COPY set. + /// This flag is sufficient to permit the copy if the key has the lifetime + /// #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT. + /// Some secure elements do not provide a way to copy a key without + /// making it extractable from the secure element. If a key is located + /// in such a secure element, then the key must have both usage flags + /// #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make + /// a copy of the key outside the secure element. + /// + /// The resulting key may only be used in a way that conforms to + /// both the policy of the original key and the policy specified in + /// the \p attributes parameter: + /// - The usage flags on the resulting key are the bitwise-and of the + /// usage flags on the source policy and the usage flags in \p attributes. + /// - If both allow the same algorithm or wildcard-based + /// algorithm policy, the resulting key has the same algorithm policy. + /// - If either of the policies allows an algorithm and the other policy + /// allows a wildcard-based algorithm policy that includes this algorithm, + /// the resulting key allows the same algorithm. + /// - If the policies do not allow any algorithm in common, this function + /// fails with the status #PSA_ERROR_INVALID_ARGUMENT. + /// + /// The effect of this function on implementation-defined attributes is + /// implementation-defined. + /// + /// \param source_key The key to copy. It must allow the usage + /// #PSA_KEY_USAGE_COPY. If a private or secret key is + /// being copied outside of a secure element it must + /// also allow #PSA_KEY_USAGE_EXPORT. + /// \param[in] attributes The attributes for the new key. + /// They are used as follows: + /// - The key type and size may be 0. If either is + /// nonzero, it must match the corresponding + /// attribute of the source key. + /// - The key location (the lifetime and, for + /// persistent keys, the key identifier) is + /// used directly. + /// - The policy constraints (usage flags and + /// algorithm policy) are combined from + /// the source key and \p attributes so that + /// both sets of restrictions apply, as + /// described in the documentation of this function. + /// \param[out] target_key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p source_key is invalid. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The lifetime or identifier in \p attributes are invalid, or + /// the policy constraints on the source and specified in + /// \p attributes are incompatible, or + /// \p attributes specifies a key type or key size + /// which does not match the attributes of the source key. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or + /// the source key is not exportable and its lifetime does not + /// allow copying it to the target's lifetime. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_copy_key( + source_key: mbedtls_svc_key_id_t, + attributes: *const psa_key_attributes_t, + target_key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Destroy a key. + /// + /// This function destroys a key from both volatile + /// memory and, if applicable, non-volatile storage. Implementations shall + /// make a best effort to ensure that the key material cannot be recovered. + /// + /// This function also erases any metadata such as policies and frees + /// resources associated with the key. + /// + /// If a key is currently in use in a multipart operation, then destroying the + /// key will cause the multipart operation to fail. + /// + /// \warning We can only guarantee that the the key material will + /// eventually be wiped from memory. With threading enabled + /// and during concurrent execution, copies of the key material may + /// still exist until all threads have finished using the key. + /// + /// \param key Identifier of the key to erase. If this is \c 0, do nothing and + /// return #PSA_SUCCESS. + /// + /// \retval #PSA_SUCCESS + /// \p key was a valid identifier and the key material that it + /// referred to has been erased. Alternatively, \p key is \c 0. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key cannot be erased because it is + /// read-only, either due to a policy or due to physical restrictions. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p key is not a valid identifier nor \c 0. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE + /// There was a failure in communication with the cryptoprocessor. + /// The key material may still be present in the cryptoprocessor. + /// \retval #PSA_ERROR_DATA_INVALID + /// This error is typically a result of either storage corruption on a + /// cleartext storage backend, or an attempt to read data that was + /// written by an incompatible version of the library. + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The storage is corrupted. Implementations shall make a best effort + /// to erase key material even in this stage, however applications + /// should be aware that it may be impossible to guarantee that the + /// key material is not recoverable in such cases. + /// \retval #PSA_ERROR_CORRUPTION_DETECTED + /// An unexpected condition which is not a storage corruption or + /// a communication failure occurred. The cryptoprocessor may have + /// been compromised. + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_destroy_key(key: mbedtls_svc_key_id_t) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Import a key in binary format. + /// + /// This function supports any output from psa_export_key(). Refer to the + /// documentation of psa_export_public_key() for the format of public keys + /// and to the documentation of psa_export_key() for the format for + /// other key types. + /// + /// The key data determines the key size. The attributes may optionally + /// specify a key size; in this case it must match the size determined + /// from the key data. A key size of 0 in \p attributes indicates that + /// the key size is solely determined by the key data. + /// + /// Implementations must reject an attempt to import a key of size 0. + /// + /// This specification supports a single format for each key type. + /// Implementations may support other formats as long as the standard + /// format is supported. Implementations that support other formats + /// should ensure that the formats are clearly unambiguous so as to + /// minimize the risk that an invalid input is accidentally interpreted + /// according to a different format. + /// + /// \param[in] attributes The attributes for the new key. + /// The key size is always determined from the + /// \p data buffer. + /// If the key size in \p attributes is nonzero, + /// it must be equal to the size from \p data. + /// \param[out] key On success, an identifier to the newly created key. + /// For persistent keys, this is the key identifier + /// defined in \p attributes. + /// \c 0 on failure. + /// \param[in] data Buffer containing the key data. The content of this + /// buffer is interpreted according to the type declared + /// in \p attributes. + /// All implementations must support at least the format + /// described in the documentation + /// of psa_export_key() or psa_export_public_key() for + /// the chosen type. Implementations may allow other + /// formats, but should be conservative: implementations + /// should err on the side of rejecting content if it + /// may be erroneous (e.g. wrong type or truncated data). + /// \param data_length Size of the \p data buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular persistent location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key attributes, as a whole, are invalid, or + /// the key data is not correctly formatted, or + /// the size in \p attributes is nonzero and does not match the size + /// of the key data. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_import_key( + attributes: *const psa_key_attributes_t, + data: *const u8, + data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Export a key in binary format. + /// + /// The output of this function can be passed to psa_import_key() to + /// create an equivalent object. + /// + /// If the implementation of psa_import_key() supports other formats + /// beyond the format specified here, the output from psa_export_key() + /// must use the representation specified here, not the original + /// representation. + /// + /// For standard key types, the output format is as follows: + /// + /// - For symmetric keys (including MAC keys), the format is the + /// raw bytes of the key. + /// - For DES, the key data consists of 8 bytes. The parity bits must be + /// correct. + /// - For Triple-DES, the format is the concatenation of the + /// two or three DES keys. + /// - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format + /// is the non-encrypted DER encoding of the representation defined by + /// PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0. + /// ``` + /// RSAPrivateKey ::= SEQUENCE { + /// version INTEGER, -- must be 0 + /// modulus INTEGER, -- n + /// publicExponent INTEGER, -- e + /// privateExponent INTEGER, -- d + /// prime1 INTEGER, -- p + /// prime2 INTEGER, -- q + /// exponent1 INTEGER, -- d mod (p-1) + /// exponent2 INTEGER, -- d mod (q-1) + /// coefficient INTEGER, -- (inverse of q) mod p + /// } + /// ``` + /// - For elliptic curve key pairs (key types for which + /// #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is + /// a representation of the private value as a `ceiling(m/8)`-byte string + /// where `m` is the bit size associated with the curve, i.e. the bit size + /// of the order of the curve's coordinate field. This byte string is + /// in little-endian order for Montgomery curves (curve types + /// `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass + /// curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX` + /// and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`). + /// For Weierstrass curves, this is the content of the `privateKey` field of + /// the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves, + /// the format is defined by RFC 7748, and output is masked according to §5. + /// For twisted Edwards curves, the private key is as defined by RFC 8032 + /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). + /// - For Diffie-Hellman key exchange key pairs (key types for which + /// #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the + /// format is the representation of the private key `x` as a big-endian byte + /// string. The length of the byte string is the private key size in bytes + /// (leading zeroes are not stripped). + /// - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is + /// true), the format is the same as for psa_export_public_key(). + /// + /// The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set. + /// + /// \param key Identifier of the key to export. It must allow the + /// usage #PSA_KEY_USAGE_EXPORT, unless it is a public + /// key. + /// \param[out] data Buffer where the key data is to be written. + /// \param data_size Size of the \p data buffer in bytes. + /// \param[out] data_length On success, the number of bytes + /// that make up the key data. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_EXPORT flag. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p data buffer is too small. You can determine a + /// sufficient buffer size by calling + /// #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits) + /// where \c type is the key type + /// and \c bits is the key size in bits. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_export_key( + key: mbedtls_svc_key_id_t, + data: *mut u8, + data_size: usize, + data_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Export a public key or the public part of a key pair in binary format. + /// + /// The output of this function can be passed to psa_import_key() to + /// create an object that is equivalent to the public key. + /// + /// This specification supports a single format for each key type. + /// Implementations may support other formats as long as the standard + /// format is supported. Implementations that support other formats + /// should ensure that the formats are clearly unambiguous so as to + /// minimize the risk that an invalid input is accidentally interpreted + /// according to a different format. + /// + /// For standard key types, the output format is as follows: + /// - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of + /// the representation defined by RFC 3279 §2.3.1 as `RSAPublicKey`. + /// ``` + /// RSAPublicKey ::= SEQUENCE { + /// modulus INTEGER, -- n + /// publicExponent INTEGER } -- e + /// ``` + /// - For elliptic curve keys on a twisted Edwards curve (key types for which + /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY + /// returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined + /// by RFC 8032 + /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). + /// - For other elliptic curve public keys (key types for which + /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed + /// representation defined by SEC1 §2.3.3 as the content of an ECPoint. + /// Let `m` be the bit size associated with the curve, i.e. the bit size of + /// `q` for a curve over `F_q`. The representation consists of: + /// - The byte 0x04; + /// - `x_P` as a `ceiling(m/8)`-byte string, big-endian; + /// - `y_P` as a `ceiling(m/8)`-byte string, big-endian. + /// - For Diffie-Hellman key exchange public keys (key types for which + /// #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true), + /// the format is the representation of the public key `y = g^x mod p` as a + /// big-endian byte string. The length of the byte string is the length of the + /// base prime `p` in bytes. + /// + /// Exporting a public key object or the public part of a key pair is + /// always permitted, regardless of the key's usage flags. + /// + /// \param key Identifier of the key to export. + /// \param[out] data Buffer where the key data is to be written. + /// \param data_size Size of the \p data buffer in bytes. + /// \param[out] data_length On success, the number of bytes + /// that make up the key data. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key is neither a public key nor a key pair. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p data buffer is too small. You can determine a + /// sufficient buffer size by calling + /// #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits) + /// where \c type is the key type + /// and \c bits is the key size in bits. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_export_public_key( + key: mbedtls_svc_key_id_t, + data: *mut u8, + data_size: usize, + data_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Calculate the hash (digest) of a message. + /// + /// \note To verify the hash of a message against an + /// expected value, use psa_hash_compare() instead. + /// + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param[in] input Buffer containing the message to hash. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] hash Buffer where the hash is to be written. + /// \param hash_size Size of the \p hash buffer in bytes. + /// \param[out] hash_length On success, the number of bytes + /// that make up the hash value. This is always + /// #PSA_HASH_LENGTH(\p alg). /// /// \retval #PSA_SUCCESS /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a hash algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p hash_size is too small + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_compute( + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + hash: *mut u8, + hash_size: usize, + hash_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Calculate the hash (digest) of a message and compare it with a + /// reference value. + /// + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param[in] input Buffer containing the message to hash. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] hash Buffer containing the expected hash value. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected hash is identical to the actual hash of the input. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The hash of the message was calculated successfully, but it + /// differs from the expected hash. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a hash algorithm. /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c private_key is not compatible with \c alg, - /// or \p peer_key is not valid for \c alg or not compatible with - /// \c private_key, or \c step does not allow an input resulting - /// from a key agreement. + /// \p input_length or \p hash_length do not match the hash size for \p alg + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_compare( + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + hash: *const u8, + hash_length: usize, + ) -> psa_status_t; +} +/// The type of the state data structure for multipart hash operations. +/// +/// Before calling any function on a hash operation object, the application must +/// initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_hash_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_hash_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT, +/// for example: +/// \code +/// psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_hash_operation_init() +/// to the structure, for example: +/// \code +/// psa_hash_operation_t operation; +/// operation = psa_hash_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_hash_operation_t = psa_hash_operation_s; +unsafe extern "C" { + /// Set up a multipart hash operation. + /// + /// The sequence of operations to calculate a hash (message digest) + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT. + /// -# Call psa_hash_setup() to specify the algorithm. + /// -# Call psa_hash_update() zero, one or more times, passing a fragment + /// of the message each time. The hash that is calculated is the hash + /// of the concatenation of these messages in order. + /// -# To calculate the hash, call psa_hash_finish(). + /// To compare the hash with an expected value, call psa_hash_verify(). + /// + /// If an error occurs at any step after a call to psa_hash_setup(), the + /// operation will need to be reset by a call to psa_hash_abort(). The + /// application may call psa_hash_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_hash_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_hash_finish() or psa_hash_verify(). + /// - A call to psa_hash_abort(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_hash_operation_t and not yet in use. + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// + /// \retval #PSA_SUCCESS + /// Success. /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a key derivation algorithm. + /// \p alg is not a supported hash algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p alg is not a hash algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this key agreement \p step, - /// or the library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_key_agreement( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - private_key: mbedtls_svc_key_id_t, - peer_key: *const u8, - peer_key_length: usize, + pub fn psa_hash_setup( + operation: *mut psa_hash_operation_t, + alg: psa_algorithm_t, ) -> psa_status_t; } unsafe extern "C" { - /// Read some data from a key derivation operation. + /// Add a message fragment to a multipart hash operation. /// - /// This function calculates output bytes from a key derivation algorithm and - /// return those bytes. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the requested number of bytes from the - /// stream. - /// The operation's capacity decreases by the number of bytes read. + /// The application must call psa_hash_setup() before calling this function. /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[out] output Buffer where the output will be written. - /// \param output_length Number of bytes to output. + /// \param[in,out] operation Active hash operation. + /// \param[in] input Buffer containing the message fragment to hash. + /// \param input_length Size of the \p input buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// One of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_DERIVE. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// \p output_length bytes. Note that in this case, - /// no output is written to the output buffer. - /// The operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller output buffer. + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_update( + operation: *mut psa_hash_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Finish the calculation of the hash of a message. + /// + /// The application must call psa_hash_setup() before calling this function. + /// This function calculates the hash of the message formed by concatenating + /// the inputs passed to preceding calls to psa_hash_update(). + /// + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). + /// + /// \warning Applications should not call this function if they expect + /// a specific value for the hash. Call psa_hash_verify() instead. + /// Beware that comparing integrity or authenticity data such as + /// hash values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the hashed data which could allow an attacker to guess + /// a valid hash and thereby bypass security controls. + /// + /// \param[in,out] operation Active hash operation. + /// \param[out] hash Buffer where the hash is to be written. + /// \param hash_size Size of the \p hash buffer in bytes. + /// \param[out] hash_length On success, the number of bytes + /// that make up the hash value. This is always + /// #PSA_HASH_LENGTH(\c alg) where \c alg is the + /// hash algorithm that is calculated. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p hash buffer is too small. You can determine a + /// sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) + /// where \c alg is the hash algorithm that is calculated. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_finish( + operation: *mut psa_hash_operation_t, + hash: *mut u8, + hash_size: usize, + hash_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Finish the calculation of the hash of a message and compare it with + /// an expected value. + /// + /// The application must call psa_hash_setup() before calling this function. + /// This function calculates the hash of the message formed by concatenating + /// the inputs passed to preceding calls to psa_hash_update(). It then + /// compares the calculated hash with the expected hash passed as a + /// parameter to this function. + /// + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). + /// + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual hash and the expected hash is performed + /// in constant time. + /// + /// \param[in,out] operation Active hash operation. + /// \param[in] hash Buffer containing the expected hash value. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected hash is identical to the actual hash of the message. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The hash of the message was calculated successfully, but it + /// differs from the expected hash. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_output_bytes( - operation: *mut psa_key_derivation_operation_t, - output: *mut u8, - output_length: usize, + pub fn psa_hash_verify( + operation: *mut psa_hash_operation_t, + hash: *const u8, + hash_length: usize, ) -> psa_status_t; } unsafe extern "C" { - /// Derive a key from an ongoing key derivation operation. - /// - /// This function calculates output bytes from a key derivation algorithm - /// and uses those bytes to generate a key deterministically. - /// The key's location, usage policy, type and size are taken from - /// \p attributes. - /// - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads as many bytes as required from the - /// stream. - /// The operation's capacity decreases by the number of bytes read. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// How much output is produced and consumed from the operation, and how - /// the key is derived, depends on the key type and on the key size - /// (denoted \c bits below): - /// - /// - For key types for which the key is an arbitrary sequence of bytes - /// of a given size, this function is functionally equivalent to - /// calling #psa_key_derivation_output_bytes - /// and passing the resulting output to #psa_import_key. - /// However, this function has a security benefit: - /// if the implementation provides an isolation boundary then - /// the key material is not exposed outside the isolation boundary. - /// As a consequence, for these key types, this function always consumes - /// exactly (\c bits / 8) bytes from the operation. - /// The following key types defined in this specification follow this scheme: - /// - /// - #PSA_KEY_TYPE_AES; - /// - #PSA_KEY_TYPE_ARIA; - /// - #PSA_KEY_TYPE_CAMELLIA; - /// - #PSA_KEY_TYPE_DERIVE; - /// - #PSA_KEY_TYPE_HMAC; - /// - #PSA_KEY_TYPE_PASSWORD_HASH. - /// - /// - For ECC keys on a Montgomery elliptic curve - /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a - /// Montgomery curve), this function always draws a byte string whose - /// length is determined by the curve, and sets the mandatory bits - /// accordingly. That is: + /// Abort a hash operation. /// - /// - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte - /// string and process it as specified in RFC 7748 §5. - /// - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte - /// string and process it as specified in RFC 7748 §5. + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_hash_setup() again. /// - /// - For key types for which the key is represented by a single sequence of - /// \c bits bits with constraints as to which bit sequences are acceptable, - /// this function draws a byte string of length (\c bits / 8) bytes rounded - /// up to the nearest whole number of bytes. If the resulting byte string - /// is acceptable, it becomes the key, otherwise the drawn bytes are discarded. - /// This process is repeated until an acceptable byte string is drawn. - /// The byte string drawn from the operation is interpreted as specified - /// for the output produced by psa_export_key(). - /// The following key types defined in this specification follow this scheme: + /// You may call this function any time after the operation object has + /// been initialized by one of the methods described in #psa_hash_operation_t. /// - /// - #PSA_KEY_TYPE_DES. - /// Force-set the parity bits, but discard forbidden weak keys. - /// For 2-key and 3-key triple-DES, the three keys are generated - /// successively (for example, for 3-key triple-DES, - /// if the first 8 bytes specify a weak key and the next 8 bytes do not, - /// discard the first 8 bytes, use the next 8 bytes as the first key, - /// and continue reading output from the operation to derive the other - /// two keys). - /// - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group) - /// where \c group designates any Diffie-Hellman group) and - /// ECC keys on a Weierstrass elliptic curve - /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a - /// Weierstrass curve). - /// For these key types, interpret the byte string as integer - /// in big-endian order. Discard it if it is not in the range - /// [0, *N* - 2] where *N* is the boundary of the private key domain - /// (the prime *p* for Diffie-Hellman, the subprime *q* for DSA, - /// or the order of the curve's base point for ECC). - /// Add 1 to the resulting integer and use this as the private key *x*. - /// This method allows compliance to NIST standards, specifically - /// the methods titled "key-pair generation by testing candidates" - /// in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman, - /// in FIPS 186-4 §B.1.2 for DSA, and - /// in NIST SP 800-56A §5.6.1.2.2 or - /// FIPS 186-4 §B.4.2 for elliptic curve keys. + /// In particular, calling psa_hash_abort() after the operation has been + /// terminated by a call to psa_hash_abort(), psa_hash_finish() or + /// psa_hash_verify() is safe and has no effect. /// - /// - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR, - /// the way in which the operation output is consumed is - /// implementation-defined. + /// \param[in,out] operation Initialized hash operation. /// - /// In all cases, the data that is read is discarded from the operation. - /// The operation's capacity is decreased by the number of bytes read. + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_abort(operation: *mut psa_hash_operation_t) -> psa_status_t; +} +unsafe extern "C" { + /// Clone a hash operation. /// - /// For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET, - /// the input to that step must be provided with psa_key_derivation_input_key(). - /// Future versions of this specification may include additional restrictions - /// on the derived key based on the attributes and strength of the secret key. + /// This function copies the state of an ongoing hash operation to + /// a new operation object. In other words, this function is equivalent + /// to calling psa_hash_setup() on \p target_operation with the same + /// algorithm that \p source_operation was set up for, then + /// psa_hash_update() on \p target_operation with the same input that + /// that was passed to \p source_operation. After this function returns, the + /// two objects are independent, i.e. subsequent calls involving one of + /// the objects do not affect the other object. /// - /// \param[in] attributes The attributes for the new key. - /// If the key type to be created is - /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in - /// the policy must be the same as in the current - /// operation. - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[out] key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param[in] source_operation The active hash operation to clone. + /// \param[in,out] target_operation The operation object to set up. + /// It must be initialized but not active. /// - /// \retval #PSA_SUCCESS - /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// There was not enough data to create the desired key. - /// Note that in this case, no output is written to the output buffer. - /// The operation's capacity is set to 0, thus subsequent calls to - /// this function will not succeed, even with a smaller output buffer. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size is not supported, either by the - /// implementation in general or in this particular location. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The provided key attributes are not valid for the operation. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The #PSA_KEY_DERIVATION_INPUT_SECRET or - /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a - /// key; or one of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_DERIVE. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_SUCCESS \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The \p source_operation state is not valid (it must be active), or + /// the \p target_operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_output_key( - attributes: *const psa_key_attributes_t, - operation: *mut psa_key_derivation_operation_t, - key: *mut mbedtls_svc_key_id_t, + pub fn psa_hash_clone( + source_operation: *const psa_hash_operation_t, + target_operation: *mut psa_hash_operation_t, ) -> psa_status_t; } unsafe extern "C" { - /// Compare output data from a key derivation operation to an expected value. - /// - /// This function calculates output bytes from a key derivation algorithm and - /// compares those bytes to an expected value in constant time. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the expected number of bytes from the - /// stream before comparing them. - /// The operation's capacity decreases by the number of bytes read. - /// - /// This is functionally equivalent to the following code: - /// \code - /// psa_key_derivation_output_bytes(operation, tmp, output_length); - /// if (memcmp(output, tmp, output_length) != 0) - /// return PSA_ERROR_INVALID_SIGNATURE; - /// \endcode - /// except (1) it works even if the key's policy does not allow outputting the - /// bytes, and (2) the comparison will be done in constant time. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, - /// the operation enters an error state and must be aborted by calling - /// psa_key_derivation_abort(). + /// Calculate the MAC (message authentication code) of a message. /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[in] expected_output Buffer containing the expected derivation output. - /// \param output_length Length of the expected output; this is also the - /// number of bytes that will be read. + /// \note To verify the MAC of a message against an + /// expected value, use psa_mac_verify() instead. + /// Beware that comparing integrity or authenticity data such as + /// MAC values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the MAC value which could allow an attacker to guess + /// a valid MAC and thereby bypass security controls. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The output was read successfully, but it differs from the expected - /// output. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// One of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_VERIFY_DERIVATION. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// \p output_length bytes. Note that in this case, - /// the operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller expected output. + /// \param key Identifier of the key to use for the operation. It + /// must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \param[in] input Buffer containing the input message. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] mac Buffer where the MAC value is to be written. + /// \param mac_size Size of the \p mac buffer in bytes. + /// \param[out] mac_length On success, the number of bytes + /// that make up the MAC value. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p mac_size is too small /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_verify_bytes( - operation: *mut psa_key_derivation_operation_t, - expected_output: *const u8, - output_length: usize, + pub fn psa_mac_compute( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + mac: *mut u8, + mac_size: usize, + mac_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// Compare output data from a key derivation operation to an expected value - /// stored in a key object. - /// - /// This function calculates output bytes from a key derivation algorithm and - /// compares those bytes to an expected value, provided as key of type - /// #PSA_KEY_TYPE_PASSWORD_HASH. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the number of bytes corresponding to the - /// length of the expected value from the stream before comparing them. - /// The operation's capacity decreases by the number of bytes read. - /// - /// This is functionally equivalent to exporting the key and calling - /// psa_key_derivation_verify_bytes() on the result, except that it - /// works even if the key cannot be exported. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, - /// the operation enters an error state and must be aborted by calling - /// psa_key_derivation_abort(). + /// Calculate the MAC of a message and compare it with a reference value. /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH - /// containing the expected output. Its policy must - /// include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag - /// and the permitted algorithm must match the - /// operation. The value of this key was likely - /// computed by a previous call to - /// psa_key_derivation_output_key(). + /// \param key Identifier of the key to use for the operation. It + /// must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \param[in] input Buffer containing the input message. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] mac Buffer containing the expected MAC value. + /// \param mac_length Size of the \p mac buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_SUCCESS + /// The expected MAC is identical to the actual MAC of the input. /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The output was read successfully, but if differs from the expected - /// output. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// The key passed as the expected value does not exist. + /// The MAC of the message was calculated successfully, but it + /// differs from the expected value. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key passed as the expected value has an invalid type. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key passed as the expected value does not allow this usage or - /// this algorithm; or one of the inputs was a key whose policy didn't - /// allow #PSA_KEY_USAGE_VERIFY_DERIVATION. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// the length of the expected value. In this case, - /// the operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller expected output. + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_verify_key( - operation: *mut psa_key_derivation_operation_t, - expected: psa_key_id_t, + pub fn psa_mac_verify( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + mac: *const u8, + mac_length: usize, ) -> psa_status_t; } +/// The type of the state data structure for multipart MAC operations. +/// +/// Before calling any function on a MAC operation object, the application must +/// initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_mac_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_mac_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT, +/// for example: +/// \code +/// psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_mac_operation_init() +/// to the structure, for example: +/// \code +/// psa_mac_operation_t operation; +/// operation = psa_mac_operation_init(); +/// \endcode +/// +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_mac_operation_t = psa_mac_operation_s; unsafe extern "C" { - /// Abort a key derivation operation. + /// Set up a multipart MAC calculation operation. /// - /// Aborting an operation frees all associated resources except for the \c - /// operation structure itself. Once aborted, the operation object can be reused - /// for another operation by calling psa_key_derivation_setup() again. + /// This function sets up the calculation of the MAC + /// (message authentication code) of a byte string. + /// To verify the MAC of a message against an + /// expected value, use psa_mac_verify_setup() instead. /// - /// This function may be called at any time after the operation - /// object has been initialized as described in #psa_key_derivation_operation_t. + /// The sequence of operations to calculate a MAC is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. + /// -# Call psa_mac_sign_setup() to specify the algorithm and key. + /// -# Call psa_mac_update() zero, one or more times, passing a fragment + /// of the message each time. The MAC that is calculated is the MAC + /// of the concatenation of these messages in order. + /// -# At the end of the message, call psa_mac_sign_finish() to finish + /// calculating the MAC value and retrieve it. /// - /// In particular, it is valid to call psa_key_derivation_abort() twice, or to - /// call psa_key_derivation_abort() on an operation that has not been set up. + /// If an error occurs at any step after a call to psa_mac_sign_setup(), the + /// operation will need to be reset by a call to psa_mac_abort(). The + /// application may call psa_mac_abort() at any time after the operation + /// has been initialized. /// - /// \param[in,out] operation The operation to abort. + /// After a successful call to psa_mac_sign_setup(), the application must + /// eventually terminate the operation through one of the following methods: + /// - A successful call to psa_mac_sign_finish(). + /// - A call to psa_mac_abort(). /// - /// \retval #PSA_SUCCESS \emptydescription + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_mac_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. It + /// must remain valid until the operation terminates. + /// It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_abort(operation: *mut psa_key_derivation_operation_t) - -> psa_status_t; + pub fn psa_mac_sign_setup( + operation: *mut psa_mac_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// Perform a key agreement and return the raw shared secret. + /// Set up a multipart MAC verification operation. /// - /// \warning The raw result of a key agreement algorithm such as finite-field - /// Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should - /// not be used directly as key material. It should instead be passed as - /// input to a key derivation algorithm. To chain a key agreement with - /// a key derivation, use psa_key_derivation_key_agreement() and other - /// functions from the key derivation interface. + /// This function sets up the verification of the MAC + /// (message authentication code) of a byte string against an expected value. /// - /// \param alg The key agreement algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg) - /// is true). - /// \param private_key Identifier of the private key to use. It must - /// allow the usage #PSA_KEY_USAGE_DERIVE. - /// \param[in] peer_key Public key of the peer. It must be - /// in the same format that psa_import_key() - /// accepts. The standard formats for public - /// keys are documented in the documentation - /// of psa_export_public_key(). - /// \param peer_key_length Size of \p peer_key in bytes. - /// \param[out] output Buffer where the decrypted message is to - /// be written. - /// \param output_size Size of the \c output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. + /// The sequence of operations to verify a MAC is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. + /// -# Call psa_mac_verify_setup() to specify the algorithm and key. + /// -# Call psa_mac_update() zero, one or more times, passing a fragment + /// of the message each time. The MAC that is calculated is the MAC + /// of the concatenation of these messages in order. + /// -# At the end of the message, call psa_mac_verify_finish() to finish + /// calculating the actual MAC of the message and verify it against + /// the expected value. + /// + /// If an error occurs at any step after a call to psa_mac_verify_setup(), the + /// operation will need to be reset by a call to psa_mac_abort(). The + /// application may call psa_mac_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_mac_verify_setup(), the application must + /// eventually terminate the operation through one of the following methods: + /// - A successful call to psa_mac_verify_finish(). + /// - A call to psa_mac_abort(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_mac_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. It + /// must remain valid until the operation terminates. + /// It must allow the usage + /// PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). /// /// \retval #PSA_SUCCESS /// Success. /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p alg is not a key agreement algorithm, or - /// \p private_key is not compatible with \p alg, - /// or \p peer_key is not valid for \p alg or not compatible with - /// \p private_key. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p output_size is too small + /// \c key is not compatible with \c alg. /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not a supported key agreement algorithm. + /// \c alg is not supported or is not a MAC algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_raw_key_agreement( + pub fn psa_mac_verify_setup( + operation: *mut psa_mac_operation_t, + key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - private_key: mbedtls_svc_key_id_t, - peer_key: *const u8, - peer_key_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Generate random bytes. - /// - /// \warning This function **can** fail! Callers MUST check the return status - /// and MUST NOT use the content of the output buffer if the return - /// status is not #PSA_SUCCESS. - /// - /// \note To generate a key, use psa_generate_key() instead. - /// - /// \param[out] output Output buffer for the generated data. - /// \param output_size Number of bytes to generate and output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_generate_random(output: *mut u8, output_size: usize) -> psa_status_t; -} -unsafe extern "C" { - /// \brief Generate a key or key pair. - /// - /// The key is generated randomly. - /// Its location, usage policy, type and size are taken from \p attributes. + /// Add a message fragment to a multipart MAC operation. /// - /// Implementations must reject an attempt to generate a key of size 0. + /// The application must call psa_mac_sign_setup() or psa_mac_verify_setup() + /// before calling this function. /// - /// The following type-specific considerations apply: - /// - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), - /// the public exponent is 65537. - /// The modulus is a product of two probabilistic primes - /// between 2^{n-1} and 2^n where n is the bit size specified in the - /// attributes. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// \param[in] attributes The attributes for the new key. - /// \param[out] key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param[in,out] operation Active MAC operation. + /// \param[in] input Buffer containing the message fragment to add to + /// the MAC calculation. + /// \param input_length Size of the \p input buffer in bytes. /// /// \retval #PSA_SUCCESS /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_generate_key( - attributes: *const psa_key_attributes_t, - key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; -} -/// The type of the state data structure for interruptible hash -/// signing operations. -/// -/// Before calling any function on a sign hash operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer -/// #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation = -/// PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function -/// psa_sign_hash_interruptible_operation_init() to the structure, for -/// example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation; -/// operation = psa_sign_hash_interruptible_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_sign_hash_interruptible_operation_t = psa_sign_hash_interruptible_operation_s; -/// The type of the state data structure for interruptible hash -/// verification operations. -/// -/// Before calling any function on a sign hash operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer -/// #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation = -/// PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function -/// psa_verify_hash_interruptible_operation_init() to the structure, for -/// example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation; -/// operation = psa_verify_hash_interruptible_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_verify_hash_interruptible_operation_t = psa_verify_hash_interruptible_operation_s; -unsafe extern "C" { - /// \brief Set the maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note The time taken to execute a single op is - /// implementation specific and depends on - /// software, hardware, the algorithm, key type and - /// curve chosen. Even within a single operation, - /// successive ops can take differing amounts of - /// time. The only guarantee is that lower values - /// for \p max_ops means functions will block for a - /// lesser maximum amount of time. The functions - /// \c psa_sign_interruptible_get_num_ops() and - /// \c psa_verify_interruptible_get_num_ops() are - /// provided to help with tuning this value. - /// - /// \note This value defaults to - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which - /// means the whole operation will be done in one - /// go, regardless of the number of ops required. - /// - /// \note If more ops are needed to complete a - /// computation, #PSA_OPERATION_INCOMPLETE will be - /// returned by the function performing the - /// computation. It is then the caller's - /// responsibility to either call again with the - /// same operation context until it returns 0 or an - /// error code; or to call the relevant abort - /// function if the answer is no longer required. - /// - /// \note The interpretation of \p max_ops is also - /// implementation defined. On a hard real time - /// system, this can indicate a hard deadline, as a - /// real-time system needs a guarantee of not - /// spending more than X time, however care must be - /// taken in such an implementation to avoid the - /// situation whereby calls just return, not being - /// able to do any actual work within the allotted - /// time. On a non-real-time system, the - /// implementation can be more relaxed, but again - /// whether this number should be interpreted as as - /// hard or soft limit or even whether a less than - /// or equals as regards to ops executed in a - /// single call is implementation defined. - /// - /// \note For keys in local storage when no accelerator - /// driver applies, please see also the - /// documentation for \c mbedtls_ecp_set_max_ops(), - /// which is the internal implementation in these - /// cases. - /// - /// \warning With implementations that interpret this number - /// as a hard limit, setting this number too small - /// may result in an infinite loop, whereby each - /// call results in immediate return with no ops - /// done (as there is not enough time to execute - /// any), and thus no result will ever be achieved. - /// - /// \note This only applies to functions whose - /// documentation mentions they may return - /// #PSA_OPERATION_INCOMPLETE. - /// - /// \param max_ops The maximum number of ops to be executed in a - /// single call. This can be a number from 0 to - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 - /// is the least amount of work done per call. - pub fn psa_interruptible_set_max_ops(max_ops: u32); -} -unsafe extern "C" { - /// \brief Get the maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. This will return the last - /// value set by - /// \c psa_interruptible_set_max_ops() or - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if - /// that function has never been called. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \return Maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. - pub fn psa_interruptible_get_max_ops() -> u32; + pub fn psa_mac_update( + operation: *mut psa_mac_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Get the number of ops that a hash signing - /// operation has taken so far. If the operation - /// has completed, then this will represent the - /// number of ops required for the entire - /// operation. After initialization or calling - /// \c psa_sign_hash_interruptible_abort() on - /// the operation, a value of 0 will be returned. + /// Finish the calculation of the MAC of a message. /// - /// \note This interface is guaranteed re-entrant and - /// thus may be called from driver code. + /// The application must call psa_mac_sign_setup() before calling this function. + /// This function calculates the MAC of the message formed by concatenating + /// the inputs passed to preceding calls to psa_mac_update(). /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// This is a helper provided to help you tune the - /// value passed to \c - /// psa_interruptible_set_max_ops(). + /// \warning Applications should not call this function if they expect + /// a specific value for the MAC. Call psa_mac_verify_finish() instead. + /// Beware that comparing integrity or authenticity data such as + /// MAC values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the MAC value which could allow an attacker to guess + /// a valid MAC and thereby bypass security controls. /// - /// \param operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// \param[in,out] operation Active MAC operation. + /// \param[out] mac Buffer where the MAC value is to be written. + /// \param mac_size Size of the \p mac buffer in bytes. + /// \param[out] mac_length On success, the number of bytes + /// that make up the MAC value. This is always + /// #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg) + /// where \c key_type and \c key_bits are the type and + /// bit-size respectively of the key and \c alg is the + /// MAC algorithm that is calculated. /// - /// \return Number of ops that the operation has taken so - /// far. - pub fn psa_sign_hash_get_num_ops( - operation: *const psa_sign_hash_interruptible_operation_t, - ) -> u32; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p mac buffer is too small. You can determine a + /// sufficient buffer size by calling PSA_MAC_LENGTH(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active mac sign + /// operation), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_sign_finish( + operation: *mut psa_mac_operation_t, + mac: *mut u8, + mac_size: usize, + mac_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Get the number of ops that a hash verification - /// operation has taken so far. If the operation - /// has completed, then this will represent the - /// number of ops required for the entire - /// operation. After initialization or calling \c - /// psa_verify_hash_interruptible_abort() on the - /// operation, a value of 0 will be returned. + /// Finish the calculation of the MAC of a message and compare it with + /// an expected value. /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// The application must call psa_mac_verify_setup() before calling this function. + /// This function calculates the MAC of the message formed by concatenating + /// the inputs passed to preceding calls to psa_mac_update(). It then + /// compares the calculated MAC with the expected MAC passed as a + /// parameter to this function. /// - /// This is a helper provided to help you tune the - /// value passed to \c - /// psa_interruptible_set_max_ops(). + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// \param operation The \c - /// psa_verify_hash_interruptible_operation_t to - /// use. This must be initialized first. + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual MAC and the expected MAC is performed + /// in constant time. /// - /// \return Number of ops that the operation has taken so - /// far. - pub fn psa_verify_hash_get_num_ops( - operation: *const psa_verify_hash_interruptible_operation_t, - ) -> u32; + /// \param[in,out] operation Active MAC operation. + /// \param[in] mac Buffer containing the expected MAC value. + /// \param mac_length Size of the \p mac buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected MAC is identical to the actual MAC of the message. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The MAC of the message was calculated successfully, but it + /// differs from the expected MAC. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active mac verify + /// operation), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_verify_finish( + operation: *mut psa_mac_operation_t, + mac: *const u8, + mac_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Start signing a hash or short message with a - /// private key, in an interruptible manner. + /// Abort a MAC operation. /// - /// \see \c psa_sign_hash_complete() + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_mac_sign_setup() or psa_mac_verify_setup() again. /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// You may call this function any time after the operation object has + /// been initialized by one of the methods described in #psa_mac_operation_t. /// - /// \note This function combined with \c - /// psa_sign_hash_complete() is equivalent to - /// \c psa_sign_hash() but - /// \c psa_sign_hash_complete() can return early and - /// resume according to the limit set with \c - /// psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function call. + /// In particular, calling psa_mac_abort() after the operation has been + /// terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or + /// psa_mac_verify_finish() is safe and has no effect. /// - /// \note Users should call \c psa_sign_hash_complete() - /// repeatedly on the same context after a - /// successful call to this function until \c - /// psa_sign_hash_complete() either returns 0 or an - /// error. \c psa_sign_hash_complete() will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_sign_hash_abort() at any point if they no - /// longer want the result. + /// \param[in,out] operation Initialized MAC operation. /// - /// \note If this function returns an error status, the - /// operation enters an error state and must be - /// aborted by calling \c psa_sign_hash_abort(). + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_abort(operation: *mut psa_mac_operation_t) -> psa_status_t; +} +unsafe extern "C" { + /// Encrypt a message using a symmetric cipher. /// - /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// This function encrypts a message with a random IV (initialization + /// vector). Use the multipart operation interface with a + /// #psa_cipher_operation_t object to provide other forms of IV. /// /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. - /// \param alg A signature algorithm (\c PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message to sign. - /// \param hash_length Size of the \p hash buffer in bytes. + /// It must allow the usage #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// \param[in] input Buffer containing the message to encrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// The output contains the IV followed by + /// the ciphertext proper. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the output. /// /// \retval #PSA_SUCCESS - /// The operation started successfully - call \c psa_sign_hash_complete() - /// with the same context to complete the operation - /// + /// Success. /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does - /// not permit the requested algorithm. + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// An operation has previously been started on this context, and is - /// still in progress. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Decrypt a message using a symmetric cipher. + /// + /// This function decrypts a message encrypted with a symmetric cipher. + /// + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// \param[in] input Buffer containing the message to decrypt. + /// This consists of the IV followed by the + /// ciphertext proper. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the plaintext is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_sign_hash_start( - operation: *mut psa_sign_hash_interruptible_operation_t, + pub fn psa_cipher_decrypt( key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, ) -> psa_status_t; } +/// The type of the state data structure for multipart cipher operations. +/// +/// Before calling any function on a cipher operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_cipher_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_cipher_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT, +/// for example: +/// \code +/// psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_cipher_operation_init() +/// to the structure, for example: +/// \code +/// psa_cipher_operation_t operation; +/// operation = psa_cipher_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_cipher_operation_t = psa_cipher_operation_s; unsafe extern "C" { - /// \brief Continue and eventually complete the action of - /// signing a hash or short message with a private - /// key, in an interruptible manner. - /// - /// \see \c psa_sign_hash_start() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function combined with \c - /// psa_sign_hash_start() is equivalent to - /// \c psa_sign_hash() but this function can return - /// early and resume according to the limit set with - /// \c psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function call. + /// Set the key for a multipart symmetric encryption operation. /// - /// \note Users should call this function on the same - /// operation object repeatedly until it either - /// returns 0 or an error. This function will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_sign_hash_abort() at any point if they no - /// longer want the result. + /// The sequence of operations to encrypt a message with a symmetric cipher + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_cipher_operation_t, e.g. + /// #PSA_CIPHER_OPERATION_INIT. + /// -# Call psa_cipher_encrypt_setup() to specify the algorithm and key. + /// -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to + /// generate or set the IV (initialization vector). You should use + /// psa_cipher_generate_iv() unless the protocol you are implementing + /// requires a specific IV value. + /// -# Call psa_cipher_update() zero, one or more times, passing a fragment + /// of the message each time. + /// -# Call psa_cipher_finish(). /// - /// \note When this function returns successfully, the - /// operation becomes inactive. If this function - /// returns an error status, the operation enters an - /// error state and must be aborted by calling - /// \c psa_sign_hash_abort(). + /// If an error occurs at any step after a call to psa_cipher_encrypt_setup(), + /// the operation will need to be reset by a call to psa_cipher_abort(). The + /// application may call psa_cipher_abort() at any time after the operation + /// has been initialized. /// - /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first, and have - /// had \c psa_sign_hash_start() called with it - /// first. + /// After a successful call to psa_cipher_encrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_cipher_finish(). + /// - A call to psa_cipher_abort(). /// - /// \param[out] signature Buffer where the signature is to be written. - /// \param signature_size Size of the \p signature buffer in bytes. This - /// must be appropriate for the selected - /// algorithm and key: - /// - The required signature size is - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c - /// key_bits, \c alg) where \c key_type and \c - /// key_bits are the type and bit-size - /// respectively of key. - /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the - /// maximum signature size of any supported - /// signature algorithm. - /// \param[out] signature_length On success, the number of bytes that make up - /// the returned signature value. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_cipher_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). /// /// \retval #PSA_SUCCESS - /// Operation completed successfully - /// - /// \retval #PSA_OPERATION_INCOMPLETE - /// Operation was interrupted due to the setting of \c - /// psa_interruptible_set_max_ops(). There is still work to be done. - /// Call this function again with the same operation object. - /// - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// - /// \retval #PSA_ERROR_BAD_STATE - /// An operation was not previously started on this context via - /// \c psa_sign_hash_start(). - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has either not been previously initialized by - /// psa_crypto_init() or you did not previously call - /// psa_sign_hash_start() with this operation object. It is - /// implementation-dependent whether a failure to initialize results in - /// this error code. - pub fn psa_sign_hash_complete( - operation: *mut psa_sign_hash_interruptible_operation_t, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; -} -unsafe extern "C" { - /// \brief Abort a sign hash operation. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function is the only function that clears - /// the number of ops completed as part of the - /// operation. Please ensure you copy this value via - /// \c psa_sign_hash_get_num_ops() if required - /// before calling. - /// - /// \note Aborting an operation frees all associated - /// resources except for the \p operation structure - /// itself. Once aborted, the operation object can - /// be reused for another operation by calling \c - /// psa_sign_hash_start() again. - /// - /// \note You may call this function any time after the - /// operation object has been initialized. In - /// particular, calling \c psa_sign_hash_abort() - /// after the operation has already been terminated - /// by a call to \c psa_sign_hash_abort() or - /// psa_sign_hash_complete() is safe. - /// - /// \param[in,out] operation Initialized sign hash operation. - /// - /// \retval #PSA_SUCCESS - /// The operation was aborted successfully. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_sign_hash_abort( - operation: *mut psa_sign_hash_interruptible_operation_t, + pub fn psa_cipher_encrypt_setup( + operation: *mut psa_cipher_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Start reading and verifying a hash or short - /// message, in an interruptible manner. - /// - /// \see \c psa_verify_hash_complete() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function combined with \c - /// psa_verify_hash_complete() is equivalent to - /// \c psa_verify_hash() but \c - /// psa_verify_hash_complete() can return early and - /// resume according to the limit set with \c - /// psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function. + /// Set the key for a multipart symmetric decryption operation. /// - /// \note Users should call \c psa_verify_hash_complete() - /// repeatedly on the same operation object after a - /// successful call to this function until \c - /// psa_verify_hash_complete() either returns 0 or - /// an error. \c psa_verify_hash_complete() will - /// return #PSA_OPERATION_INCOMPLETE if there is - /// more work to do. Alternatively users can call - /// \c psa_verify_hash_abort() at any point if they - /// no longer want the result. + /// The sequence of operations to decrypt a message with a symmetric cipher + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_cipher_operation_t, e.g. + /// #PSA_CIPHER_OPERATION_INIT. + /// -# Call psa_cipher_decrypt_setup() to specify the algorithm and key. + /// -# Call psa_cipher_set_iv() with the IV (initialization vector) for the + /// decryption. If the IV is prepended to the ciphertext, you can call + /// psa_cipher_update() on a buffer containing the IV followed by the + /// beginning of the message. + /// -# Call psa_cipher_update() zero, one or more times, passing a fragment + /// of the message each time. + /// -# Call psa_cipher_finish(). /// - /// \note If this function returns an error status, the - /// operation enters an error state and must be - /// aborted by calling \c psa_verify_hash_abort(). + /// If an error occurs at any step after a call to psa_cipher_decrypt_setup(), + /// the operation will need to be reset by a call to psa_cipher_abort(). The + /// application may call psa_cipher_abort() at any time after the operation + /// has been initialized. /// - /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// After a successful call to psa_cipher_decrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_cipher_finish(). + /// - A call to psa_cipher_abort(). /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_cipher_operation_t and not yet in use. /// \param key Identifier of the key to use for the operation. - /// The key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_HASH. - /// \param alg A signature algorithm (\c PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash whose signature is to be verified. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[in] signature Buffer containing the signature to verify. - /// \param signature_length Size of the \p signature buffer in bytes. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). /// /// \retval #PSA_SUCCESS - /// The operation started successfully - please call \c - /// psa_verify_hash_complete() with the same context to complete the - /// operation. - /// - /// \retval #PSA_ERROR_BAD_STATE - /// Another operation has already been started on this context, and is - /// still in progress. - /// - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does - /// not permit the requested algorithm. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_verify_hash_start( - operation: *mut psa_verify_hash_interruptible_operation_t, + pub fn psa_cipher_decrypt_setup( + operation: *mut psa_cipher_operation_t, key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *const u8, - signature_length: usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Continue and eventually complete the action of - /// reading and verifying a hash or short message - /// signed with a private key, in an interruptible - /// manner. - /// - /// \see \c psa_verify_hash_start() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// Generate an IV for a symmetric encryption operation. /// - /// \note This function combined with \c - /// psa_verify_hash_start() is equivalent to - /// \c psa_verify_hash() but this function can - /// return early and resume according to the limit - /// set with \c psa_interruptible_set_max_ops() to - /// reduce the maximum time spent in a function - /// call. + /// This function generates a random IV (initialization vector), nonce + /// or initial counter value for the encryption operation as appropriate + /// for the chosen algorithm, key type and key size. /// - /// \note Users should call this function on the same - /// operation object repeatedly until it either - /// returns 0 or an error. This function will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_verify_hash_abort() at any point if they - /// no longer want the result. + /// The application must call psa_cipher_encrypt_setup() before + /// calling this function. /// - /// \note When this function returns successfully, the - /// operation becomes inactive. If this function - /// returns an error status, the operation enters an - /// error state and must be aborted by calling - /// \c psa_verify_hash_abort(). + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t - /// to use. This must be initialized first, and have - /// had \c psa_verify_hash_start() called with it - /// first. + /// \param[in,out] operation Active cipher operation. + /// \param[out] iv Buffer where the generated IV is to be written. + /// \param iv_size Size of the \p iv buffer in bytes. + /// \param[out] iv_length On success, the number of bytes of the + /// generated IV. /// /// \retval #PSA_SUCCESS - /// Operation completed successfully, and the passed signature is valid. - /// - /// \retval #PSA_OPERATION_INCOMPLETE - /// Operation was interrupted due to the setting of \c - /// psa_interruptible_set_max_ops(). There is still work to be done. - /// Call this function again with the same operation object. - /// - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed - /// signature is not a valid signature. - /// \retval #PSA_ERROR_BAD_STATE - /// An operation was not previously started on this context via - /// \c psa_verify_hash_start(). - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p iv buffer is too small. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has either not been previously initialized by - /// psa_crypto_init() or you did not previously call - /// psa_verify_hash_start() on this object. It is - /// implementation-dependent whether a failure to initialize results in - /// this error code. - pub fn psa_verify_hash_complete( - operation: *mut psa_verify_hash_interruptible_operation_t, + /// The operation state is not valid (it must be active, with no IV set), + /// or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_generate_iv( + operation: *mut psa_cipher_operation_t, + iv: *mut u8, + iv_size: usize, + iv_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Abort a verify hash operation. + /// Set the IV for a symmetric encryption or decryption operation. /// - /// \warning This is a beta API, and thus subject to change at - /// any point. It is not bound by the usual interface - /// stability promises. + /// This function sets the IV (initialization vector), nonce + /// or initial counter value for the encryption or decryption operation. /// - /// \note This function is the only function that clears the - /// number of ops completed as part of the operation. - /// Please ensure you copy this value via - /// \c psa_verify_hash_get_num_ops() if required - /// before calling. + /// The application must call psa_cipher_encrypt_setup() before + /// calling this function. /// - /// \note Aborting an operation frees all associated - /// resources except for the operation structure - /// itself. Once aborted, the operation object can be - /// reused for another operation by calling \c - /// psa_verify_hash_start() again. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \note You may call this function any time after the - /// operation object has been initialized. - /// In particular, calling \c psa_verify_hash_abort() - /// after the operation has already been terminated by - /// a call to \c psa_verify_hash_abort() or - /// psa_verify_hash_complete() is safe. + /// \note When encrypting, applications should use psa_cipher_generate_iv() + /// instead of this function, unless implementing a protocol that requires + /// a non-random IV. /// - /// \param[in,out] operation Initialized verify hash operation. + /// \param[in,out] operation Active cipher operation. + /// \param[in] iv Buffer containing the IV to use. + /// \param iv_length Size of the IV in bytes. /// /// \retval #PSA_SUCCESS - /// The operation was aborted successfully. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The size of \p iv is not acceptable for the chosen algorithm, + /// or the chosen algorithm does not use an IV. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be an active cipher + /// encrypt operation, with no IV set), or the library has not been + /// previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_verify_hash_abort( - operation: *mut psa_verify_hash_interruptible_operation_t, + pub fn psa_cipher_set_iv( + operation: *mut psa_cipher_operation_t, + iv: *const u8, + iv_length: usize, ) -> psa_status_t; } -/// \brief The GCM context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_gcm_context { - ///< The cipher context used. - pub private_cipher_ctx: mbedtls_cipher_context_t, - ///< Precalculated HTable low. - pub private_HL: [u64; 16usize], - ///< Precalculated HTable high. - pub private_HH: [u64; 16usize], - ///< The total length of the encrypted data. - pub private_len: u64, - ///< The total length of the additional data. - pub private_add_len: u64, - ///< The first ECTR for tag. - pub private_base_ectr: [::core::ffi::c_uchar; 16usize], - ///< The Y working value. - pub private_y: [::core::ffi::c_uchar; 16usize], - ///< The buf working value. - pub private_buf: [::core::ffi::c_uchar; 16usize], - ///< The operation to perform: - ///#MBEDTLS_GCM_ENCRYPT or - ///#MBEDTLS_GCM_DECRYPT. - pub private_mode: ::core::ffi::c_int, -} -impl Default for mbedtls_gcm_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { - /// \brief This function initializes the specified GCM context, - /// to make references valid, and prepares the context - /// for mbedtls_gcm_setkey() or mbedtls_gcm_free(). + /// Encrypt or decrypt a message fragment in an active cipher operation. /// - /// The function does not bind the GCM context to a particular - /// cipher, nor set the key. For this purpose, use - /// mbedtls_gcm_setkey(). + /// Before calling this function, you must: + /// 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(). + /// The choice of setup function determines whether this function + /// encrypts or decrypts its input. + /// 2. If the algorithm requires an IV, call psa_cipher_generate_iv() + /// (recommended when encrypting) or psa_cipher_set_iv(). /// - /// \param ctx The GCM context to initialize. This must not be \c NULL. - pub fn mbedtls_gcm_init(ctx: *mut mbedtls_gcm_context); -} -unsafe extern "C" { - /// \brief This function associates a GCM context with a - /// cipher algorithm and a key. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param cipher The 128-bit block cipher to use. - /// \param key The encryption key. This must be a readable buffer of at - /// least \p keybits bits. - /// \param keybits The key size in bits. Valid options are: - ///
  • 128 bits
    • - ///
  • 192 bits
    • - ///
  • 256 bits
+ /// \param[in,out] operation Active cipher operation. + /// \param[in] input Buffer containing the message fragment to + /// encrypt or decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A cipher-specific error code on failure. - pub fn mbedtls_gcm_setkey( - ctx: *mut mbedtls_gcm_context, - cipher: mbedtls_cipher_id_t, - key: *const ::core::ffi::c_uchar, - keybits: ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with an IV set + /// if required for the algorithm), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_update( + operation: *mut psa_cipher_operation_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function performs GCM encryption or decryption of a buffer. + /// Finish encrypting or decrypting a message in a cipher operation. /// - /// \note For encryption, the output buffer can be the same as the - /// input buffer. For decryption, the output buffer cannot be - /// the same as input buffer. If the buffers overlap, the output - /// buffer must trail at least 8 Bytes behind the input buffer. + /// The application must call psa_cipher_encrypt_setup() or + /// psa_cipher_decrypt_setup() before calling this function. The choice + /// of setup function determines whether this function encrypts or + /// decrypts its input. /// - /// \warning When this function performs a decryption, it outputs the - /// authentication tag and does not verify that the data is - /// authentic. You should use this function to perform encryption - /// only. For decryption, use mbedtls_gcm_auth_decrypt() instead. + /// This function finishes the encryption or decryption of the message + /// formed by concatenating the inputs passed to preceding calls to + /// psa_cipher_update(). /// - /// \param ctx The GCM context to use for encryption or decryption. This - /// must be initialized. - /// \param mode The operation to perform: - /// - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption. - /// The ciphertext is written to \p output and the - /// authentication tag is written to \p tag. - /// - #MBEDTLS_GCM_DECRYPT to perform decryption. - /// The plaintext is written to \p output and the - /// authentication tag is written to \p tag. - /// Note that this mode is not recommended, because it does - /// not verify the authenticity of the data. For this reason, - /// you should use mbedtls_gcm_auth_decrypt() instead of - /// calling this function in decryption mode. - /// \param length The length of the input data, which is equal to the length - /// of the output data. - /// \param iv The initialization vector. This must be a readable buffer of - /// at least \p iv_len Bytes. - /// \param iv_len The length of the IV. - /// \param add The buffer holding the additional data. This must be of at - /// least that size in Bytes. - /// \param add_len The length of the additional data. - /// \param input The buffer holding the input data. If \p length is greater - /// than zero, this must be a readable buffer of at least that - /// size in Bytes. - /// \param output The buffer for holding the output data. If \p length is greater - /// than zero, this must be a writable buffer of at least that - /// size in Bytes. - /// \param tag_len The length of the tag to generate. - /// \param tag The buffer for holding the tag. This must be a writable - /// buffer of at least \p tag_len Bytes. + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \return \c 0 if the encryption or decryption was performed - /// successfully. Note that in #MBEDTLS_GCM_DECRYPT mode, - /// this does not indicate that the data is authentic. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are - /// not valid or a cipher-specific error code if the encryption - /// or decryption failed. - pub fn mbedtls_gcm_crypt_and_tag( - ctx: *mut mbedtls_gcm_context, - mode: ::core::ffi::c_int, - length: usize, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - add: *const ::core::ffi::c_uchar, - add_len: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - tag_len: usize, - tag: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active cipher operation. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total input size passed to this operation is not valid for + /// this particular algorithm. For example, the algorithm is a based + /// on block cipher and requires a whole number of blocks, but the + /// total input size is not a multiple of the block size. + /// \retval #PSA_ERROR_INVALID_PADDING + /// This is a decryption operation for an algorithm that includes + /// padding, and the ciphertext does not contain valid padding. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with an IV set + /// if required for the algorithm), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_finish( + operation: *mut psa_cipher_operation_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function performs a GCM authenticated decryption of a - /// buffer. + /// Abort a cipher operation. /// - /// \note For decryption, the output buffer cannot be the same as - /// input buffer. If the buffers overlap, the output buffer - /// must trail at least 8 Bytes behind the input buffer. + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again. /// - /// \param ctx The GCM context. This must be initialized. - /// \param length The length of the ciphertext to decrypt, which is also - /// the length of the decrypted plaintext. - /// \param iv The initialization vector. This must be a readable buffer - /// of at least \p iv_len Bytes. - /// \param iv_len The length of the IV. - /// \param add The buffer holding the additional data. This must be of at - /// least that size in Bytes. - /// \param add_len The length of the additional data. - /// \param tag The buffer holding the tag to verify. This must be a - /// readable buffer of at least \p tag_len Bytes. - /// \param tag_len The length of the tag to verify. - /// \param input The buffer holding the ciphertext. If \p length is greater - /// than zero, this must be a readable buffer of at least that - /// size. - /// \param output The buffer for holding the decrypted plaintext. If \p length - /// is greater than zero, this must be a writable buffer of at - /// least that size. + /// You may call this function any time after the operation object has + /// been initialized as described in #psa_cipher_operation_t. /// - /// \return \c 0 if successful and authenticated. - /// \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are - /// not valid or a cipher-specific error code if the decryption - /// failed. - pub fn mbedtls_gcm_auth_decrypt( - ctx: *mut mbedtls_gcm_context, - length: usize, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - add: *const ::core::ffi::c_uchar, - add_len: usize, - tag: *const ::core::ffi::c_uchar, - tag_len: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// In particular, calling psa_cipher_abort() after the operation has been + /// terminated by a call to psa_cipher_abort() or psa_cipher_finish() + /// is safe and has no effect. + /// + /// \param[in,out] operation Initialized cipher operation. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_abort(operation: *mut psa_cipher_operation_t) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a GCM encryption or decryption - /// operation. + /// Process an authenticated encryption operation. /// - /// \param ctx The GCM context. This must be initialized. - /// \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or - /// #MBEDTLS_GCM_DECRYPT. - /// \param iv The initialization vector. This must be a readable buffer of - /// at least \p iv_len Bytes. - /// \param iv_len The length of the IV. + /// \param key Identifier of the key to use for the + /// operation. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param[in] nonce Nonce or IV to use. + /// \param nonce_length Size of the \p nonce buffer in bytes. + /// \param[in] additional_data Additional data that will be authenticated + /// but not encrypted. + /// \param additional_data_length Size of \p additional_data in bytes. + /// \param[in] plaintext Data that will be authenticated and + /// encrypted. + /// \param plaintext_length Size of \p plaintext in bytes. + /// \param[out] ciphertext Output buffer for the authenticated and + /// encrypted data. The additional data is not + /// part of this output. For algorithms where the + /// encrypted data and the authentication tag + /// are defined as separate outputs, the + /// authentication tag is appended to the + /// encrypted data. + /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, + /// \p alg, \p plaintext_length) where + /// \c key_type is the type of \p key. + /// - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p + /// plaintext_length) evaluates to the maximum + /// ciphertext size of any supported AEAD + /// encryption. + /// \param[out] ciphertext_length On success, the size of the output + /// in the \p ciphertext buffer. /// - /// \return \c 0 on success. - pub fn mbedtls_gcm_starts( - ctx: *mut mbedtls_gcm_context, - mode: ::core::ffi::c_int, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p ciphertext_size is too small. + /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg, + /// \p plaintext_length) or + /// #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to + /// determine the required buffer size. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + nonce: *const u8, + nonce_length: usize, + additional_data: *const u8, + additional_data_length: usize, + plaintext: *const u8, + plaintext_length: usize, + ciphertext: *mut u8, + ciphertext_size: usize, + ciphertext_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer as associated data - /// (authenticated but not encrypted data) in a GCM - /// encryption or decryption operation. - /// - /// Call this function after mbedtls_gcm_starts() to pass - /// the associated data. If the associated data is empty, - /// you do not need to call this function. You may not - /// call this function after calling mbedtls_cipher_update(). + /// Process an authenticated decryption operation. /// - /// \param ctx The GCM context. This must have been started with - /// mbedtls_gcm_starts() and must not have yet received - /// any input with mbedtls_gcm_update(). - /// \param add The buffer holding the additional data, or \c NULL - /// if \p add_len is \c 0. - /// \param add_len The length of the additional data. If \c 0, - /// \p add may be \c NULL. + /// \param key Identifier of the key to use for the + /// operation. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param[in] nonce Nonce or IV to use. + /// \param nonce_length Size of the \p nonce buffer in bytes. + /// \param[in] additional_data Additional data that has been authenticated + /// but not encrypted. + /// \param additional_data_length Size of \p additional_data in bytes. + /// \param[in] ciphertext Data that has been authenticated and + /// encrypted. For algorithms where the + /// encrypted data and the authentication tag + /// are defined as separate inputs, the buffer + /// must contain the encrypted data followed + /// by the authentication tag. + /// \param ciphertext_length Size of \p ciphertext in bytes. + /// \param[out] plaintext Output buffer for the decrypted data. + /// \param plaintext_size Size of the \p plaintext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, + /// \p alg, \p ciphertext_length) where + /// \c key_type is the type of \p key. + /// - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p + /// ciphertext_length) evaluates to the maximum + /// plaintext size of any supported AEAD + /// decryption. + /// \param[out] plaintext_length On success, the size of the output + /// in the \p plaintext buffer. /// - /// \return \c 0 on success. - pub fn mbedtls_gcm_update_ad( - ctx: *mut mbedtls_gcm_context, - add: *const ::core::ffi::c_uchar, - add_len: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The ciphertext is not authentic. + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p plaintext_size is too small. + /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg, + /// \p ciphertext_length) or + /// #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used + /// to determine the required buffer size. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_decrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + nonce: *const u8, + nonce_length: usize, + additional_data: *const u8, + additional_data_length: usize, + ciphertext: *const u8, + ciphertext_length: usize, + plaintext: *mut u8, + plaintext_size: usize, + plaintext_length: *mut usize, + ) -> psa_status_t; } +/// The type of the state data structure for multipart AEAD operations. +/// +/// Before calling any function on an AEAD operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_aead_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_aead_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT, +/// for example: +/// \code +/// psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_aead_operation_init() +/// to the structure, for example: +/// \code +/// psa_aead_operation_t operation; +/// operation = psa_aead_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_aead_operation_t = psa_aead_operation_s; unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing GCM - /// encryption or decryption operation. - /// - /// You may call this function zero, one or more times - /// to pass successive parts of the input: the plaintext to - /// encrypt, or the ciphertext (not including the tag) to - /// decrypt. After the last part of the input, call - /// mbedtls_gcm_finish(). + /// Set the key for a multipart authenticated encryption operation. /// - /// This function may produce output in one of the following - /// ways: - /// - Immediate output: the output length is always equal - /// to the input length. - /// - Buffered output: the output consists of a whole number - /// of 16-byte blocks. If the total input length so far - /// (not including associated data) is 16 \* *B* + *A* - /// with *A* < 16 then the total output length is 16 \* *B*. + /// The sequence of operations to encrypt a message with authentication + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_aead_operation_t, e.g. + /// #PSA_AEAD_OPERATION_INIT. + /// -# Call psa_aead_encrypt_setup() to specify the algorithm and key. + /// -# If needed, call psa_aead_set_lengths() to specify the length of the + /// inputs to the subsequent calls to psa_aead_update_ad() and + /// psa_aead_update(). See the documentation of psa_aead_set_lengths() + /// for details. + /// -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to + /// generate or set the nonce. You should use + /// psa_aead_generate_nonce() unless the protocol you are implementing + /// requires a specific nonce value. + /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment + /// of the non-encrypted additional authenticated data each time. + /// -# Call psa_aead_update() zero, one or more times, passing a fragment + /// of the message to encrypt each time. + /// -# Call psa_aead_finish(). /// - /// In particular: - /// - It is always correct to call this function with - /// \p output_size >= \p input_length + 15. - /// - If \p input_length is a multiple of 16 for all the calls - /// to this function during an operation, then it is - /// correct to use \p output_size = \p input_length. + /// If an error occurs at any step after a call to psa_aead_encrypt_setup(), + /// the operation will need to be reset by a call to psa_aead_abort(). The + /// application may call psa_aead_abort() at any time after the operation + /// has been initialized. /// - /// \note For decryption, the output buffer cannot be the same as - /// input buffer. If the buffers overlap, the output buffer - /// must trail at least 8 Bytes behind the input buffer. + /// After a successful call to psa_aead_encrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_aead_finish(). + /// - A call to psa_aead_abort(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param input The buffer holding the input data. If \p input_length - /// is greater than zero, this must be a readable buffer - /// of at least \p input_length bytes. - /// \param input_length The length of the input data in bytes. - /// \param output The buffer for the output data. If \p output_size - /// is greater than zero, this must be a writable buffer of - /// of at least \p output_size bytes. - /// \param output_size The size of the output buffer in bytes. - /// See the function description regarding the output size. - /// \param output_length On success, \p *output_length contains the actual - /// length of the output written in \p output. - /// On failure, the content of \p *output_length is - /// unspecified. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_aead_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: - /// total input length too long, - /// unsupported input/output buffer overlap detected, - /// or \p output_size too small. - pub fn mbedtls_gcm_update( - ctx: *mut mbedtls_gcm_context, - input: *const ::core::ffi::c_uchar, - input_length: usize, - output: *mut ::core::ffi::c_uchar, - output_size: usize, - output_length: *mut usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_encrypt_setup( + operation: *mut psa_aead_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function finishes the GCM operation and generates - /// the authentication tag. + /// Set the key for a multipart authenticated decryption operation. /// - /// It wraps up the GCM stream, and generates the - /// tag. The tag can have a maximum length of 16 Bytes. + /// The sequence of operations to decrypt a message with authentication + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_aead_operation_t, e.g. + /// #PSA_AEAD_OPERATION_INIT. + /// -# Call psa_aead_decrypt_setup() to specify the algorithm and key. + /// -# If needed, call psa_aead_set_lengths() to specify the length of the + /// inputs to the subsequent calls to psa_aead_update_ad() and + /// psa_aead_update(). See the documentation of psa_aead_set_lengths() + /// for details. + /// -# Call psa_aead_set_nonce() with the nonce for the decryption. + /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment + /// of the non-encrypted additional authenticated data each time. + /// -# Call psa_aead_update() zero, one or more times, passing a fragment + /// of the ciphertext to decrypt each time. + /// -# Call psa_aead_verify(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param tag The buffer for holding the tag. This must be a writable - /// buffer of at least \p tag_len Bytes. - /// \param tag_len The length of the tag to generate. This must be at least - /// four. - /// \param output The buffer for the final output. - /// If \p output_size is nonzero, this must be a writable - /// buffer of at least \p output_size bytes. - /// \param output_size The size of the \p output buffer in bytes. - /// This must be large enough for the output that - /// mbedtls_gcm_update() has not produced. In particular: - /// - If mbedtls_gcm_update() produces immediate output, - /// or if the total input size is a multiple of \c 16, - /// then mbedtls_gcm_finish() never produces any output, - /// so \p output_size can be \c 0. - /// - \p output_size never needs to be more than \c 15. - /// \param output_length On success, \p *output_length contains the actual - /// length of the output written in \p output. - /// On failure, the content of \p *output_length is - /// unspecified. + /// If an error occurs at any step after a call to psa_aead_decrypt_setup(), + /// the operation will need to be reset by a call to psa_aead_abort(). The + /// application may call psa_aead_abort() at any time after the operation + /// has been initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: - /// invalid value of \p tag_len, - /// or \p output_size too small. - pub fn mbedtls_gcm_finish( - ctx: *mut mbedtls_gcm_context, - output: *mut ::core::ffi::c_uchar, - output_size: usize, - output_length: *mut usize, - tag: *mut ::core::ffi::c_uchar, - tag_len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function clears a GCM context and the underlying - /// cipher sub-context. + /// After a successful call to psa_aead_decrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_aead_verify(). + /// - A call to psa_aead_abort(). /// - /// \param ctx The GCM context to clear. If this is \c NULL, the call has - /// no effect. Otherwise, this must be initialized. - pub fn mbedtls_gcm_free(ctx: *mut mbedtls_gcm_context); -} -unsafe extern "C" { - /// \brief The GCM checkup routine. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_aead_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_gcm_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_DECRYPT: psa_encrypt_or_decrypt_t = 0; -pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_ENCRYPT: psa_encrypt_or_decrypt_t = 1; -/// For encrypt-decrypt functions, whether the operation is an encryption -/// or a decryption. -pub type psa_encrypt_or_decrypt_t = ::core::ffi::c_uint; -/// \brief MD5 context structure -/// -/// \warning MD5 is considered a weak message digest and its use -/// constitutes a security risk. We recommend considering -/// stronger message digests instead. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md5_context { - ///< number of bytes processed - pub private_total: [u32; 2usize], - ///< intermediate digest state - pub private_state: [u32; 4usize], - ///< data block being processed - pub private_buffer: [::core::ffi::c_uchar; 64usize], -} -impl Default for mbedtls_md5_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_decrypt_setup( + operation: *mut psa_aead_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Initialize MD5 context + /// Generate a random nonce for an authenticated encryption operation. /// - /// \param ctx MD5 context to be initialized + /// This function generates a random nonce for the authenticated encryption + /// operation with an appropriate size for the chosen algorithm, key type + /// and key size. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_init(ctx: *mut mbedtls_md5_context); -} -unsafe extern "C" { - /// \brief Clear MD5 context + /// The application must call psa_aead_encrypt_setup() before + /// calling this function. /// - /// \param ctx MD5 context to be cleared + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_free(ctx: *mut mbedtls_md5_context); + /// \param[in,out] operation Active AEAD operation. + /// \param[out] nonce Buffer where the generated nonce is to be + /// written. + /// \param nonce_size Size of the \p nonce buffer in bytes. + /// \param[out] nonce_length On success, the number of bytes of the + /// generated nonce. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p nonce buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active aead encrypt + /// operation, with no nonce set), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_generate_nonce( + operation: *mut psa_aead_operation_t, + nonce: *mut u8, + nonce_size: usize, + nonce_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Clone (the state of) an MD5 context + /// Set the nonce for an authenticated encryption or decryption operation. /// - /// \param dst The destination context - /// \param src The context to be cloned + /// This function sets the nonce for the authenticated + /// encryption or decryption operation. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_clone(dst: *mut mbedtls_md5_context, src: *const mbedtls_md5_context); -} -unsafe extern "C" { - /// \brief MD5 context setup + /// The application must call psa_aead_encrypt_setup() or + /// psa_aead_decrypt_setup() before calling this function. /// - /// \param ctx context to be initialized + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \note When encrypting, applications should use psa_aead_generate_nonce() + /// instead of this function, unless implementing a protocol that requires + /// a non-random IV. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_starts(ctx: *mut mbedtls_md5_context) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[in] nonce Buffer containing the nonce to use. + /// \param nonce_length Size of the nonce in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The size of \p nonce is not acceptable for the chosen algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with no nonce + /// set), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_set_nonce( + operation: *mut psa_aead_operation_t, + nonce: *const u8, + nonce_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief MD5 process buffer + /// Declare the lengths of the message and additional data for AEAD. /// - /// \param ctx MD5 context - /// \param input buffer holding the data - /// \param ilen length of the input data + /// The application must call this function before calling + /// psa_aead_update_ad() or psa_aead_update() if the algorithm for + /// the operation requires it. If the algorithm does not require it, + /// calling this function is optional, but if this function is called + /// then the implementation must enforce the lengths. /// - /// \return 0 if successful + /// You may call this function before or after setting the nonce with + /// psa_aead_set_nonce() or psa_aead_generate_nonce(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_update( - ctx: *mut mbedtls_md5_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief MD5 final digest + /// - For #PSA_ALG_CCM, calling this function is required. + /// - For the other AEAD algorithms defined in this specification, calling + /// this function is not required. + /// - For vendor-defined algorithm, refer to the vendor documentation. /// - /// \param ctx MD5 context - /// \param output MD5 checksum result + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \param[in,out] operation Active AEAD operation. + /// \param ad_length Size of the non-encrypted additional + /// authenticated data in bytes. + /// \param plaintext_length Size of the plaintext to encrypt in bytes. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_finish( - ctx: *mut mbedtls_md5_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// At least one of the lengths is not acceptable for the chosen + /// algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and + /// psa_aead_update_ad() and psa_aead_update() must not have been + /// called yet), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_set_lengths( + operation: *mut psa_aead_operation_t, + ad_length: usize, + plaintext_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief MD5 process data block (internal use only) + /// Pass additional data to an active AEAD operation. /// - /// \param ctx MD5 context - /// \param data buffer holding one block of data + /// Additional data is authenticated, but not encrypted. /// - /// \return 0 if successful + /// You may call this function multiple times to pass successive fragments + /// of the additional data. You may not call this function after passing + /// data to encrypt or decrypt with psa_aead_update(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_internal_md5_process( - ctx: *mut mbedtls_md5_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Output = MD5( input buffer ) + /// Before calling this function, you must: + /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). + /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). /// - /// \param input buffer holding the data - /// \param ilen length of the input data - /// \param output MD5 checksum result + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, + /// there is no guarantee that the input is valid. Therefore, until + /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS, + /// treat the input as untrusted and prepare to undo any action that + /// depends on the input if psa_aead_verify() returns an error status. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[in] input Buffer containing the fragment of + /// additional data. + /// \param input_length Size of the \p input buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total input length overflows the additional data length that + /// was previously specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, have a nonce + /// set, have lengths set if required by the algorithm, and + /// psa_aead_update() must not have been called yet), or the library + /// has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_update_ad( + operation: *mut psa_aead_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// Encrypt or decrypt a message fragment in an active AEAD operation. /// - /// \return 0 if successful, or 1 if the test failed + /// Before calling this function, you must: + /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). + /// The choice of setup function determines whether this function + /// encrypts or decrypts its input. + /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). + /// 3. Call psa_aead_update_ad() to pass all the additional data. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -/// \brief RIPEMD-160 context structure -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ripemd160_context { - ///< number of bytes processed - pub private_total: [u32; 2usize], - ///< intermediate digest state - pub private_state: [u32; 5usize], - ///< data block being processed - pub private_buffer: [::core::ffi::c_uchar; 64usize], -} -impl Default for mbedtls_ripemd160_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief Initialize RIPEMD-160 context + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \param ctx RIPEMD-160 context to be initialized - pub fn mbedtls_ripemd160_init(ctx: *mut mbedtls_ripemd160_context); -} -unsafe extern "C" { - /// \brief Clear RIPEMD-160 context + /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, + /// there is no guarantee that the input is valid. Therefore, until + /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS: + /// - Do not use the output in any way other than storing it in a + /// confidential location. If you take any action that depends + /// on the tentative decrypted data, this action will need to be + /// undone if the input turns out not to be valid. Furthermore, + /// if an adversary can observe that this action took place + /// (for example through timing), they may be able to use this + /// fact as an oracle to decrypt any message encrypted with the + /// same key. + /// - In particular, do not copy the output anywhere but to a + /// memory or storage space that you have exclusive access to. /// - /// \param ctx RIPEMD-160 context to be cleared - pub fn mbedtls_ripemd160_free(ctx: *mut mbedtls_ripemd160_context); + /// This function does not require the input to be aligned to any + /// particular block boundary. If the implementation can only process + /// a whole block at a time, it must consume all the input provided, but + /// it may delay the end of the corresponding output until a subsequent + /// call to psa_aead_update(), psa_aead_finish() or psa_aead_verify() + /// provides sufficient input. The amount of data that can be delayed + /// in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE. + /// + /// \param[in,out] operation Active AEAD operation. + /// \param[in] input Buffer containing the message fragment to + /// encrypt or decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, + /// \c alg, \p input_length) where + /// \c key_type is the type of key and \c alg is + /// the algorithm that were used to set up the + /// operation. + /// - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p + /// input_length) evaluates to the maximum + /// output size of any supported AEAD + /// algorithm. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or + /// #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to + /// determine the required buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total input length overflows the plaintext length that + /// was previously specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, have a nonce + /// set, and have lengths set if required by the algorithm), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_update( + operation: *mut psa_aead_operation_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Clone (the state of) a RIPEMD-160 context + /// Finish encrypting a message in an AEAD operation. /// - /// \param dst The destination context - /// \param src The context to be cloned - pub fn mbedtls_ripemd160_clone( - dst: *mut mbedtls_ripemd160_context, - src: *const mbedtls_ripemd160_context, - ); -} -unsafe extern "C" { - /// \brief RIPEMD-160 context setup + /// The operation must have been set up with psa_aead_encrypt_setup(). /// - /// \param ctx context to be initialized + /// This function finishes the authentication of the additional data + /// formed by concatenating the inputs passed to preceding calls to + /// psa_aead_update_ad() with the plaintext formed by concatenating the + /// inputs passed to preceding calls to psa_aead_update(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_starts(ctx: *mut mbedtls_ripemd160_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief RIPEMD-160 process buffer + /// This function has two output buffers: + /// - \p ciphertext contains trailing ciphertext that was buffered from + /// preceding calls to psa_aead_update(). + /// - \p tag contains the authentication tag. /// - /// \param ctx RIPEMD-160 context - /// \param input buffer holding the data - /// \param ilen length of the input data + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_update( - ctx: *mut mbedtls_ripemd160_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[out] ciphertext Buffer where the last part of the ciphertext + /// is to be written. + /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, + /// \c alg) where \c key_type is the type of key + /// and \c alg is the algorithm that were used to + /// set up the operation. + /// - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to + /// the maximum output size of any supported AEAD + /// algorithm. + /// \param[out] ciphertext_length On success, the number of bytes of + /// returned ciphertext. + /// \param[out] tag Buffer where the authentication tag is + /// to be written. + /// \param tag_size Size of the \p tag buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c + /// key_type, \c key_bits, \c alg) where + /// \c key_type and \c key_bits are the type and + /// bit-size of the key, and \c alg is the + /// algorithm that were used in the call to + /// psa_aead_encrypt_setup(). + /// - #PSA_AEAD_TAG_MAX_SIZE evaluates to the + /// maximum tag size of any supported AEAD + /// algorithm. + /// \param[out] tag_length On success, the number of bytes + /// that make up the returned tag. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p ciphertext or \p tag buffer is too small. + /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or + /// #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the + /// required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type, + /// \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to + /// determine the required \p tag buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total length of input to psa_aead_update() so far is + /// less than the plaintext length that was previously + /// specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active encryption + /// operation with a nonce set), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_finish( + operation: *mut psa_aead_operation_t, + ciphertext: *mut u8, + ciphertext_size: usize, + ciphertext_length: *mut usize, + tag: *mut u8, + tag_size: usize, + tag_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief RIPEMD-160 final digest + /// Finish authenticating and decrypting a message in an AEAD operation. /// - /// \param ctx RIPEMD-160 context - /// \param output RIPEMD-160 checksum result + /// The operation must have been set up with psa_aead_decrypt_setup(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_finish( - ctx: *mut mbedtls_ripemd160_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief RIPEMD-160 process data block (internal use only) + /// This function finishes the authenticated decryption of the message + /// components: /// - /// \param ctx RIPEMD-160 context - /// \param data buffer holding one block of data + /// - The additional data consisting of the concatenation of the inputs + /// passed to preceding calls to psa_aead_update_ad(). + /// - The ciphertext consisting of the concatenation of the inputs passed to + /// preceding calls to psa_aead_update(). + /// - The tag passed to this function call. /// - /// \return 0 if successful - pub fn mbedtls_internal_ripemd160_process( - ctx: *mut mbedtls_ripemd160_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Output = RIPEMD-160( input buffer ) + /// If the authentication tag is correct, this function outputs any remaining + /// plaintext and reports success. If the authentication tag is not correct, + /// this function returns #PSA_ERROR_INVALID_SIGNATURE. /// - /// \param input buffer holding the data - /// \param ilen length of the input data - /// \param output RIPEMD-160 checksum result + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual tag and the expected tag is performed + /// in constant time. + /// + /// \param[in,out] operation Active AEAD operation. + /// \param[out] plaintext Buffer where the last part of the plaintext + /// is to be written. This is the remaining data + /// from previous calls to psa_aead_update() + /// that could not be processed until the end + /// of the input. + /// \param plaintext_size Size of the \p plaintext buffer in bytes. + /// This must be appropriate for the selected algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, + /// \c alg) where \c key_type is the type of key + /// and \c alg is the algorithm that were used to + /// set up the operation. + /// - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to + /// the maximum output size of any supported AEAD + /// algorithm. + /// \param[out] plaintext_length On success, the number of bytes of + /// returned plaintext. + /// \param[in] tag Buffer containing the authentication tag. + /// \param tag_length Size of the \p tag buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculations were successful, but the authentication tag is + /// not correct. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p plaintext buffer is too small. + /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or + /// #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the + /// required buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total length of input to psa_aead_update() so far is + /// less than the plaintext length that was previously + /// specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active decryption + /// operation with a nonce set), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_verify( + operation: *mut psa_aead_operation_t, + plaintext: *mut u8, + plaintext_size: usize, + plaintext_length: *mut usize, + tag: *const u8, + tag_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// Abort an AEAD operation. /// - /// \return 0 if successful, or 1 if the test failed - pub fn mbedtls_ripemd160_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha1_context { - pub work_area: [::core::ffi::c_uchar; 208usize], -} -impl Default for mbedtls_sha1_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again. + /// + /// You may call this function any time after the operation object has + /// been initialized as described in #psa_aead_operation_t. + /// + /// In particular, calling psa_aead_abort() after the operation has been + /// terminated by a call to psa_aead_abort(), psa_aead_finish() or + /// psa_aead_verify() is safe and has no effect. + /// + /// \param[in,out] operation Initialized AEAD operation. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_abort(operation: *mut psa_aead_operation_t) -> psa_status_t; } unsafe extern "C" { - /// \brief This function initializes a SHA-1 context. - /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \brief Sign a message with a private key. For hash-and-sign algorithms, + /// this includes the hashing step. /// - /// \param ctx The SHA-1 context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_sha1_init(ctx: *mut mbedtls_sha1_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-1 context. + /// \note To perform a multi-part hash-and-sign signature algorithm, first use + /// a multi-part hash operation and then pass the resulting hash to + /// psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the + /// hash algorithm to use. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param[in] key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) + /// is true), that is compatible with the type of + /// \p key. + /// \param[in] input The input message to sign. + /// \param[in] input_length Size of the \p input buffer in bytes. + /// \param[out] signature Buffer where the signature is to be written. + /// \param[in] signature_size Size of the \p signature buffer in bytes. This + /// must be appropriate for the selected + /// algorithm and key: + /// - The required signature size is + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and + /// bit-size respectively of key. + /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the + /// maximum signature size of any supported + /// signature algorithm. + /// \param[out] signature_length On success, the number of bytes that make up + /// the returned signature value. /// - /// \param ctx The SHA-1 context to clear. This may be \c NULL, - /// in which case this function does nothing. If it is - /// not \c NULL, it must point to an initialized - /// SHA-1 context. - pub fn mbedtls_sha1_free(ctx: *mut mbedtls_sha1_context); + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, + /// or it does not permit the requested algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_message( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function clones the state of a SHA-1 context. + /// \brief Verify the signature of a message with a public key, using + /// a hash-and-sign verification algorithm. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \note To perform a multi-part hash-and-sign signature verification + /// algorithm, first use a multi-part hash operation to hash the message + /// and then pass the resulting hash to psa_verify_hash(). + /// PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm + /// to use. /// - /// \param dst The SHA-1 context to clone to. This must be initialized. - /// \param src The SHA-1 context to clone from. This must be initialized. - pub fn mbedtls_sha1_clone(dst: *mut mbedtls_sha1_context, src: *const mbedtls_sha1_context); + /// \param[in] key Identifier of the key to use for the operation. + /// It must be a public key or an asymmetric key + /// pair. The key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) + /// is true), that is compatible with the type of + /// \p key. + /// \param[in] input The message whose signature is to be verified. + /// \param[in] input_length Size of the \p input buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param[in] signature_length Size of the \p signature buffer in bytes. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, + /// or it does not permit the requested algorithm. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed signature + /// is not a valid signature. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_message( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a SHA-1 checksum calculation. + /// \brief Sign a hash or short message with a private key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// Note that to perform a hash-and-sign signature algorithm, you must + /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() + /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). + /// Then pass the resulting hash as the \p hash + /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) + /// to determine the hash algorithm to use. /// - /// \param ctx The SHA-1 context to initialize. This must be initialized. + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. + /// \param alg A signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message to sign. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[out] signature Buffer where the signature is to be written. + /// \param signature_size Size of the \p signature buffer in bytes. + /// \param[out] signature_length On success, the number of bytes + /// that make up the returned signature value. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_starts(ctx: *mut mbedtls_sha1_context) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing SHA-1 - /// checksum calculation. + /// \brief Verify the signature of a hash or short message using a public key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// Note that to perform a hash-and-sign signature algorithm, you must + /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() + /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). + /// Then pass the resulting hash as the \p hash + /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) + /// to determine the hash algorithm to use. /// - /// \param ctx The SHA-1 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the input data. - /// This must be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data \p input in Bytes. + /// \param key Identifier of the key to use for the operation. It + /// must be a public key or an asymmetric key pair. The + /// key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_HASH. + /// \param alg A signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message whose signature is to be + /// verified. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param signature_length Size of the \p signature buffer in bytes. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_update( - ctx: *mut mbedtls_sha1_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// The signature is valid. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed + /// signature is not a valid signature. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function finishes the SHA-1 operation, and writes - /// the result to the output buffer. + /// \brief Encrypt a short message with a public key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param key Identifier of the key to use for the operation. + /// It must be a public key or an asymmetric key + /// pair. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg An asymmetric encryption algorithm that is + /// compatible with the type of \p key. + /// \param[in] input The message to encrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] salt A salt or label, if supported by the + /// encryption algorithm. + /// If the algorithm does not support a + /// salt, pass \c NULL. + /// If the algorithm supports an optional + /// salt and you do not want to pass a salt, + /// pass \c NULL. /// - /// \param ctx The SHA-1 context to use. This must be initialized and - /// have a hash operation started. - /// \param output The SHA-1 checksum result. This must be a writable - /// buffer of length \c 20 Bytes. + /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is + /// supported. + /// \param salt_length Size of the \p salt buffer in bytes. + /// If \p salt is \c NULL, pass 0. + /// \param[out] output Buffer where the encrypted message is to + /// be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_finish( - ctx: *mut mbedtls_sha1_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_asymmetric_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + salt: *const u8, + salt_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief SHA-1 process data block (internal use only). + /// \brief Decrypt a short message with a private key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. It must + /// allow the usage #PSA_KEY_USAGE_DECRYPT. + /// \param alg An asymmetric encryption algorithm that is + /// compatible with the type of \p key. + /// \param[in] input The message to decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] salt A salt or label, if supported by the + /// encryption algorithm. + /// If the algorithm does not support a + /// salt, pass \c NULL. + /// If the algorithm supports an optional + /// salt and you do not want to pass a salt, + /// pass \c NULL. /// - /// \param ctx The SHA-1 context to use. This must be initialized. - /// \param data The data block being processed. This must be a - /// readable buffer of length \c 64 Bytes. + /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is + /// supported. + /// \param salt_length Size of the \p salt buffer in bytes. + /// If \p salt is \c NULL, pass 0. + /// \param[out] output Buffer where the decrypted message is to + /// be written. + /// \param output_size Size of the \c output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha1_process( - ctx: *mut mbedtls_sha1_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INVALID_PADDING \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_asymmetric_decrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + salt: *const u8, + salt_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } +/// The type of the state data structure for key derivation operations. +/// +/// Before calling any function on a key derivation operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_key_derivation_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_key_derivation_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT, +/// for example: +/// \code +/// psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_key_derivation_operation_init() +/// to the structure, for example: +/// \code +/// psa_key_derivation_operation_t operation; +/// operation = psa_key_derivation_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_key_derivation_operation_t = psa_key_derivation_s; unsafe extern "C" { - /// \brief This function calculates the SHA-1 checksum of a buffer. + /// Set up a key derivation operation. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// A key derivation algorithm takes some inputs and uses them to generate + /// a byte stream in a deterministic way. + /// This byte stream can be used to produce keys and other + /// cryptographic material. /// - /// The SHA-1 result is calculated as - /// output = SHA-1(input buffer). + /// To derive a key: + /// -# Start with an initialized object of type #psa_key_derivation_operation_t. + /// -# Call psa_key_derivation_setup() to select the algorithm. + /// -# Provide the inputs for the key derivation by calling + /// psa_key_derivation_input_bytes() or psa_key_derivation_input_key() + /// as appropriate. Which inputs are needed, in what order, and whether + /// they may be keys and if so of what type depends on the algorithm. + /// -# Optionally set the operation's maximum capacity with + /// psa_key_derivation_set_capacity(). You may do this before, in the middle + /// of or after providing inputs. For some algorithms, this step is mandatory + /// because the output depends on the maximum capacity. + /// -# To derive a key, call psa_key_derivation_output_key() or + /// psa_key_derivation_output_key_custom(). + /// To derive a byte string for a different purpose, call + /// psa_key_derivation_output_bytes(). + /// Successive calls to these functions use successive output bytes + /// calculated by the key derivation algorithm. + /// -# Clean up the key derivation operation object with + /// psa_key_derivation_abort(). /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// If this function returns an error, the key derivation operation object is + /// not changed. /// - /// \param input The buffer holding the input data. - /// This must be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data \p input in Bytes. - /// \param output The SHA-1 checksum result. - /// This must be a writable buffer of length \c 20 Bytes. + /// If an error occurs at any step after a call to psa_key_derivation_setup(), + /// the operation will need to be reset by a call to psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-1 checkup routine. + /// Implementations must reject an attempt to derive a key of size 0. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param[in,out] operation The key derivation operation object + /// to set up. It must + /// have been initialized but not set up yet. + /// \param alg The key derivation algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true). /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha1_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha256_context { - pub work_area: [::core::ffi::c_uchar; 208usize], - pub is224: ::core::ffi::c_uchar, -} -impl Default for mbedtls_sha256_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c alg is not a key derivation algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \c alg is not supported or is not a key derivation algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_setup( + operation: *mut psa_key_derivation_operation_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function initializes a SHA-256 context. + /// Retrieve the current capacity of a key derivation operation. /// - /// \param ctx The SHA-256 context to initialize. This must not be \c NULL. - pub fn mbedtls_sha256_init(ctx: *mut mbedtls_sha256_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-256 context. + /// The capacity of a key derivation is the maximum number of bytes that it can + /// return. When you get *N* bytes of output from a key derivation operation, + /// this reduces its capacity by *N*. /// - /// \param ctx The SHA-256 context to clear. This may be \c NULL, in which - /// case this function returns immediately. If it is not \c NULL, - /// it must point to an initialized SHA-256 context. - pub fn mbedtls_sha256_free(ctx: *mut mbedtls_sha256_context); -} -unsafe extern "C" { - /// \brief This function clones the state of a SHA-256 context. + /// \param[in] operation The operation to query. + /// \param[out] capacity On success, the capacity of the operation. /// - /// \param dst The destination context. This must be initialized. - /// \param src The context to clone. This must be initialized. - pub fn mbedtls_sha256_clone( - dst: *mut mbedtls_sha256_context, - src: *const mbedtls_sha256_context, - ); + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_get_capacity( + operation: *const psa_key_derivation_operation_t, + capacity: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a SHA-224 or SHA-256 checksum - /// calculation. + /// Set the maximum capacity of a key derivation operation. /// - /// \param ctx The context to use. This must be initialized. - /// \param is224 This determines which function to use. This must be - /// either \c 0 for SHA-256, or \c 1 for SHA-224. + /// The capacity of a key derivation operation is the maximum number of bytes + /// that the key derivation operation can return from this point onwards. /// - /// \note is224 must be defined accordingly to the enabled - /// MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the - /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// \param[in,out] operation The key derivation operation object to modify. + /// \param capacity The new capacity of the operation. + /// It must be less or equal to the operation's + /// current capacity. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_starts( - ctx: *mut mbedtls_sha256_context, - is224: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p capacity is larger than the operation's current capacity. + /// In this case, the operation object remains valid and its capacity + /// remains unchanged. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_set_capacity( + operation: *mut psa_key_derivation_operation_t, + capacity: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// SHA-256 checksum calculation. + /// Provide an input for key derivation or key agreement. /// - /// \param ctx The SHA-256 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the data. This must be a readable - /// buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. + /// Which inputs are required and in what order depends on the algorithm. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_update( - ctx: *mut mbedtls_sha256_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function finishes the SHA-256 operation, and writes - /// the result to the output buffer. + /// This function passes direct inputs, which is usually correct for + /// non-secret inputs. To pass a secret input, which should be in a key + /// object, call psa_key_derivation_input_key() instead of this function. + /// Refer to the documentation of individual step types + /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) + /// for more information. /// - /// \param ctx The SHA-256 context. This must be initialized - /// and have a hash operation started. - /// \param output The SHA-224 or SHA-256 checksum result. - /// This must be a writable buffer of length \c 32 bytes - /// for SHA-256, \c 28 bytes for SHA-224. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_finish( - ctx: *mut mbedtls_sha256_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param[in] data Input data to use. + /// \param data_length Size of the \p data buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow direct inputs. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_bytes( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + data: *const u8, + data_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function processes a single data block within - /// the ongoing SHA-256 computation. This function is for - /// internal use only. + /// Provide a numeric input for key derivation or key agreement. /// - /// \param ctx The SHA-256 context. This must be initialized. - /// \param data The buffer holding one block of data. This must - /// be a readable buffer of length \c 64 Bytes. + /// Which inputs are required and in what order depends on the algorithm. + /// However, when an algorithm requires a particular order, numeric inputs + /// usually come first as they tend to be configuration parameters. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha256_process( - ctx: *mut mbedtls_sha256_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// This function is used for inputs which are fixed-size non-negative + /// integers. + /// + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param[in] value The value of the numeric input. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow numeric inputs. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_integer( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + value: u64, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function calculates the SHA-224 or SHA-256 - /// checksum of a buffer. + /// Provide an input for key derivation in the form of a key. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// Which inputs are required and in what order depends on the algorithm. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// The SHA-256 result is calculated as - /// output = SHA-256(input buffer). + /// This function obtains input from a key object, which is usually correct for + /// secret inputs or for non-secret personalization strings kept in the key + /// store. To pass a non-secret parameter which is not in the key store, + /// call psa_key_derivation_input_bytes() instead of this function. + /// Refer to the documentation of individual step types + /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) + /// for more information. /// - /// \param input The buffer holding the data. This must be a readable - /// buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. - /// \param output The SHA-224 or SHA-256 checksum result. - /// This must be a writable buffer of length \c 32 bytes - /// for SHA-256, \c 28 bytes for SHA-224. - /// \param is224 Determines which function to use. This must be - /// either \c 0 for SHA-256, or \c 1 for SHA-224. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param key Identifier of the key. It must have an + /// appropriate type for step and must allow the + /// usage #PSA_KEY_USAGE_DERIVE or + /// #PSA_KEY_USAGE_VERIFY_DERIVATION (see note) + /// and the algorithm used by the operation. + /// + /// \note Once all inputs steps are completed, the operations will allow: + /// - psa_key_derivation_output_bytes() if each input was either a direct input + /// or a key with #PSA_KEY_USAGE_DERIVE set; + /// - psa_key_derivation_output_key() or psa_key_derivation_output_key_custom() + /// if the input for step + /// #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD + /// was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was + /// either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; + /// - psa_key_derivation_verify_bytes() if each input was either a direct input + /// or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; + /// - psa_key_derivation_verify_key() under the same conditions as + /// psa_key_derivation_verify_bytes(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - is224: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key allows neither #PSA_KEY_USAGE_DERIVE nor + /// #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this + /// algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow key inputs of the given type + /// or does not allow key inputs at all. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_key( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + key: mbedtls_svc_key_id_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief The SHA-224 checkup routine. + /// Perform a key agreement and use the shared secret as input to a key + /// derivation. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha224_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-256 checkup routine. + /// A key agreement algorithm takes two inputs: a private key \p private_key + /// a public key \p peer_key. + /// The result of this function is passed as input to a key derivation. + /// The output of this key derivation can be extracted by reading from the + /// resulting operation to produce keys and other cryptographic material. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha256_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha512_context { - pub work_area: [::core::ffi::c_uchar; 304usize], - pub is384: ::core::ffi::c_uchar, -} -impl Default for mbedtls_sha512_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief This function initializes a SHA-512 context. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \param ctx The SHA-512 context to initialize. This must - /// not be \c NULL. - pub fn mbedtls_sha512_init(ctx: *mut mbedtls_sha512_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-512 context. + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() with a + /// key agreement and derivation algorithm + /// \c alg (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true + /// and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg) + /// is false). + /// The operation must be ready for an + /// input of the type given by \p step. + /// \param step Which step the input data is for. + /// \param private_key Identifier of the private key to use. It must + /// allow the usage #PSA_KEY_USAGE_DERIVE. + /// \param[in] peer_key Public key of the peer. The peer key must be in the + /// same format that psa_import_key() accepts for the + /// public key type corresponding to the type of + /// private_key. That is, this function performs the + /// equivalent of + /// #psa_import_key(..., + /// `peer_key`, `peer_key_length`) where + /// with key attributes indicating the public key + /// type corresponding to the type of `private_key`. + /// For example, for EC keys, this means that peer_key + /// is interpreted as a point on the curve that the + /// private key is on. The standard formats for public + /// keys are documented in the documentation of + /// psa_export_public_key(). + /// \param peer_key_length Size of \p peer_key in bytes. /// - /// \param ctx The SHA-512 context to clear. This may be \c NULL, - /// in which case this function does nothing. If it - /// is not \c NULL, it must point to an initialized - /// SHA-512 context. - pub fn mbedtls_sha512_free(ctx: *mut mbedtls_sha512_context); + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c private_key is not compatible with \c alg, + /// or \p peer_key is not valid for \c alg or not compatible with + /// \c private_key, or \c step does not allow an input resulting + /// from a key agreement. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \c alg is not supported or is not a key derivation algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this key agreement \p step, + /// or the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_key_agreement( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + private_key: mbedtls_svc_key_id_t, + peer_key: *const u8, + peer_key_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function clones the state of a SHA-512 context. + /// Read some data from a key derivation operation. /// - /// \param dst The destination context. This must be initialized. - /// \param src The context to clone. This must be initialized. - pub fn mbedtls_sha512_clone( - dst: *mut mbedtls_sha512_context, - src: *const mbedtls_sha512_context, - ); -} -unsafe extern "C" { - /// \brief This function starts a SHA-384 or SHA-512 checksum - /// calculation. + /// This function calculates output bytes from a key derivation algorithm and + /// return those bytes. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the requested number of bytes from the + /// stream. + /// The operation's capacity decreases by the number of bytes read. /// - /// \param ctx The SHA-512 context to use. This must be initialized. - /// \param is384 Determines which function to use. This must be - /// either \c 0 for SHA-512, or \c 1 for SHA-384. + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \note is384 must be defined accordingly to the enabled - /// MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the - /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[out] output Buffer where the output will be written. + /// \param output_length Number of bytes to output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_starts( - ctx: *mut mbedtls_sha512_context, - is384: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// One of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// \p output_length bytes. Note that in this case, + /// no output is written to the output buffer. + /// The operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_bytes( + operation: *mut psa_key_derivation_operation_t, + output: *mut u8, + output_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// SHA-512 checksum calculation. + /// Derive a key from an ongoing key derivation operation. /// - /// \param ctx The SHA-512 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the input data. This must - /// be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. + /// This function calculates output bytes from a key derivation algorithm + /// and uses those bytes to generate a key deterministically. + /// The key's location, usage policy, type and size are taken from + /// \p attributes. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_update( - ctx: *mut mbedtls_sha512_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function finishes the SHA-512 operation, and writes - /// the result to the output buffer. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads as many bytes as required from the + /// stream. + /// The operation's capacity decreases by the number of bytes read. /// - /// \param ctx The SHA-512 context. This must be initialized - /// and have a hash operation started. - /// \param output The SHA-384 or SHA-512 checksum result. - /// This must be a writable buffer of length \c 64 bytes - /// for SHA-512, \c 48 bytes for SHA-384. + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_finish( - ctx: *mut mbedtls_sha512_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function processes a single data block within - /// the ongoing SHA-512 computation. - /// This function is for internal use only. + /// How much output is produced and consumed from the operation, and how + /// the key is derived, depends on the key type and on the key size + /// (denoted \c bits below): /// - /// \param ctx The SHA-512 context. This must be initialized. - /// \param data The buffer holding one block of data. This - /// must be a readable buffer of length \c 128 Bytes. + /// - For key types for which the key is an arbitrary sequence of bytes + /// of a given size, this function is functionally equivalent to + /// calling #psa_key_derivation_output_bytes + /// and passing the resulting output to #psa_import_key. + /// However, this function has a security benefit: + /// if the implementation provides an isolation boundary then + /// the key material is not exposed outside the isolation boundary. + /// As a consequence, for these key types, this function always consumes + /// exactly (\c bits / 8) bytes from the operation. + /// The following key types defined in this specification follow this scheme: /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha512_process( - ctx: *mut mbedtls_sha512_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function calculates the SHA-512 or SHA-384 - /// checksum of a buffer. + /// - #PSA_KEY_TYPE_AES; + /// - #PSA_KEY_TYPE_ARIA; + /// - #PSA_KEY_TYPE_CAMELLIA; + /// - #PSA_KEY_TYPE_DERIVE; + /// - #PSA_KEY_TYPE_HMAC; + /// - #PSA_KEY_TYPE_PASSWORD_HASH. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// - For ECC keys on a Montgomery elliptic curve + /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a + /// Montgomery curve), this function always draws a byte string whose + /// length is determined by the curve, and sets the mandatory bits + /// accordingly. That is: /// - /// The SHA-512 result is calculated as - /// output = SHA-512(input buffer). + /// - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte + /// string and process it as specified in RFC 7748 §5. + /// - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte + /// string and process it as specified in RFC 7748 §5. /// - /// \param input The buffer holding the input data. This must be - /// a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. - /// \param output The SHA-384 or SHA-512 checksum result. - /// This must be a writable buffer of length \c 64 bytes - /// for SHA-512, \c 48 bytes for SHA-384. - /// \param is384 Determines which function to use. This must be either - /// \c 0 for SHA-512, or \c 1 for SHA-384. + /// - For key types for which the key is represented by a single sequence of + /// \c bits bits with constraints as to which bit sequences are acceptable, + /// this function draws a byte string of length (\c bits / 8) bytes rounded + /// up to the nearest whole number of bytes. If the resulting byte string + /// is acceptable, it becomes the key, otherwise the drawn bytes are discarded. + /// This process is repeated until an acceptable byte string is drawn. + /// The byte string drawn from the operation is interpreted as specified + /// for the output produced by psa_export_key(). + /// The following key types defined in this specification follow this scheme: /// - /// \note is384 must be defined accordingly with the supported - /// symbols in the config file. If: - /// - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or - /// - is384 is 1, but \c MBEDTLS_SHA512_C is not defined - /// then the function will return - /// #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// - #PSA_KEY_TYPE_DES. + /// Force-set the parity bits, but discard forbidden weak keys. + /// For 2-key and 3-key triple-DES, the three keys are generated + /// successively (for example, for 3-key triple-DES, + /// if the first 8 bytes specify a weak key and the next 8 bytes do not, + /// discard the first 8 bytes, use the next 8 bytes as the first key, + /// and continue reading output from the operation to derive the other + /// two keys). + /// - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group) + /// where \c group designates any Diffie-Hellman group) and + /// ECC keys on a Weierstrass elliptic curve + /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a + /// Weierstrass curve). + /// For these key types, interpret the byte string as integer + /// in big-endian order. Discard it if it is not in the range + /// [0, *N* - 2] where *N* is the boundary of the private key domain + /// (the prime *p* for Diffie-Hellman, the subprime *q* for DSA, + /// or the order of the curve's base point for ECC). + /// Add 1 to the resulting integer and use this as the private key *x*. + /// This method allows compliance to NIST standards, specifically + /// the methods titled "key-pair generation by testing candidates" + /// in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman, + /// in FIPS 186-4 §B.1.2 for DSA, and + /// in NIST SP 800-56A §5.6.1.2.2 or + /// FIPS 186-4 §B.4.2 for elliptic curve keys. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - is384: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-384 checkup routine. + /// - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR, + /// the way in which the operation output is consumed is + /// implementation-defined. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha384_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-512 checkup routine. + /// In all cases, the data that is read is discarded from the operation. + /// The operation's capacity is decreased by the number of bytes read. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha512_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_hash_operation_t { - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - pub private_ctx: mbedtls_psa_hash_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union mbedtls_psa_hash_operation_t__bindgen_ty_1 { - pub dummy: ::core::ffi::c_uint, - pub md5: mbedtls_md5_context, - pub ripemd160: mbedtls_ripemd160_context, - pub sha1: mbedtls_sha1_context, - pub sha256: mbedtls_sha256_context, - pub sha512: mbedtls_sha512_context, -} -impl Default for mbedtls_psa_hash_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_hash_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_cipher_operation_t { - pub private_alg: psa_algorithm_t, - pub private_iv_length: u8, - pub private_block_length: u8, - pub private_ctx: mbedtls_psa_cipher_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_cipher_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_cipher: mbedtls_cipher_context_t, -} -impl Default for mbedtls_psa_cipher_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_cipher_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_driver_hash_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_hash_operation_t, -} -impl Default for psa_driver_hash_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_cipher_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_cipher_operation_t, -} -impl Default for psa_driver_cipher_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_hash_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_driver_wrappers.h. - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. the driver context is not active, in use). - pub private_id: ::core::ffi::c_uint, - pub __bindgen_padding_0: u64, - pub private_ctx: psa_driver_hash_context_t, -} -impl Default for psa_hash_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_cipher_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_default_iv_length: u8, - pub private_ctx: psa_driver_cipher_context_t, + /// For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET, + /// the input to that step must be provided with psa_key_derivation_input_key(). + /// Future versions of this specification may include additional restrictions + /// on the derived key based on the attributes and strength of the secret key. + /// + /// \note This function is equivalent to calling + /// psa_key_derivation_output_key_custom() + /// with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// and `custom_data_length == 0` (i.e. `custom_data` is empty). + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl Default for psa_cipher_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Derive a key from an ongoing key derivation operation with custom + /// production parameters. + /// + /// See the description of psa_key_derivation_out_key() for the operation of + /// this function with the default production parameters. + /// Mbed TLS currently does not currently support any non-default production + /// parameters. + /// + /// \note This function is experimental and may change in future minor + /// versions of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] custom Customization parameters for the key generation. + /// When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// with \p custom_data_length = 0, + /// this function is equivalent to + /// psa_key_derivation_output_key(). + /// \param[in] custom_data Variable-length data associated with \c custom. + /// \param custom_data_length + /// Length of `custom_data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key_custom( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + custom: *const psa_custom_key_parameters_t, + custom_data: *const u8, + custom_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl psa_cipher_operation_s { - #[inline] - pub fn private_iv_required(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_iv_required(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_iv_required_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_iv_required_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_iv_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_iv_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(1usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_iv_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 1usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_iv_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 1usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_iv_required: ::core::ffi::c_uint, - private_iv_set: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_iv_required: u32 = unsafe { ::core::mem::transmute(private_iv_required) }; - private_iv_required as u64 - }); - __bindgen_bitfield_unit.set(1usize, 1u8, { - let private_iv_set: u32 = unsafe { ::core::mem::transmute(private_iv_set) }; - private_iv_set as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Derive a key from an ongoing key derivation operation with custom + /// production parameters. + /// + /// \note + /// This is a deprecated variant of psa_key_derivation_output_key_custom(). + /// It is equivalent except that the associated variable-length data + /// is passed in `params->data` instead of a separate parameter. + /// This function will be removed in a future version of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] params Customization parameters for the key derivation. + /// When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + /// with \p params_data_length = 0, + /// this function is equivalent to + /// psa_key_derivation_output_key(). + /// Mbed TLS currently only supports the default + /// production parameters, i.e. + /// #PSA_KEY_PRODUCTION_PARAMETERS_INIT, + /// for all key types. + /// \param params_data_length + /// Length of `params->data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key_ext( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + params: *const psa_key_production_parameters_t, + params_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_hmac_operation_t { - /// The HMAC algorithm in use - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - /// The hash context. - pub hash_ctx: psa_hash_operation_s, - /// The HMAC part of the context. - pub private_opad: [u8; 128usize], +unsafe extern "C" { + /// Compare output data from a key derivation operation to an expected value. + /// + /// This function calculates output bytes from a key derivation algorithm and + /// compares those bytes to an expected value in constant time. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the expected number of bytes from the + /// stream before comparing them. + /// The operation's capacity decreases by the number of bytes read. + /// + /// This is functionally equivalent to the following code: + /// \code + /// psa_key_derivation_output_bytes(operation, tmp, output_length); + /// if (memcmp(output, tmp, output_length) != 0) + /// return PSA_ERROR_INVALID_SIGNATURE; + /// \endcode + /// except (1) it works even if the key's policy does not allow outputting the + /// bytes, and (2) the comparison will be done in constant time. + /// + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + /// the operation enters an error state and must be aborted by calling + /// psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] expected Buffer containing the expected derivation output. + /// \param expected_length Length of the expected output; this is also the + /// number of bytes that will be read. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The output was read successfully, but it differs from the expected + /// output. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// One of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_VERIFY_DERIVATION. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// \p output_length bytes. Note that in this case, + /// the operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller expected output. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_verify_bytes( + operation: *mut psa_key_derivation_operation_t, + expected: *const u8, + expected_length: usize, + ) -> psa_status_t; } -impl Default for mbedtls_psa_hmac_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Compare output data from a key derivation operation to an expected value + /// stored in a key object. + /// + /// This function calculates output bytes from a key derivation algorithm and + /// compares those bytes to an expected value, provided as key of type + /// #PSA_KEY_TYPE_PASSWORD_HASH. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the number of bytes corresponding to the + /// length of the expected value from the stream before comparing them. + /// The operation's capacity decreases by the number of bytes read. + /// + /// This is functionally equivalent to exporting the key and calling + /// psa_key_derivation_verify_bytes() on the result, except that it + /// works even if the key cannot be exported. + /// + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + /// the operation enters an error state and must be aborted by calling + /// psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH + /// containing the expected output. Its policy must + /// include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag + /// and the permitted algorithm must match the + /// operation. The value of this key was likely + /// computed by a previous call to + /// psa_key_derivation_output_key() or + /// psa_key_derivation_output_key_custom(). + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The output was read successfully, but if differs from the expected + /// output. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// The key passed as the expected value does not exist. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key passed as the expected value has an invalid type. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key passed as the expected value does not allow this usage or + /// this algorithm; or one of the inputs was a key whose policy didn't + /// allow #PSA_KEY_USAGE_VERIFY_DERIVATION. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// the length of the expected value. In this case, + /// the operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller expected output. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_verify_key( + operation: *mut psa_key_derivation_operation_t, + expected: psa_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_mac_operation_t { - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - pub private_ctx: mbedtls_psa_mac_operation_t__bindgen_ty_1, +unsafe extern "C" { + /// Abort a key derivation operation. + /// + /// Aborting an operation frees all associated resources except for the \c + /// operation structure itself. Once aborted, the operation object can be reused + /// for another operation by calling psa_key_derivation_setup() again. + /// + /// This function may be called at any time after the operation + /// object has been initialized as described in #psa_key_derivation_operation_t. + /// + /// In particular, it is valid to call psa_key_derivation_abort() twice, or to + /// call psa_key_derivation_abort() on an operation that has not been set up. + /// + /// \param[in,out] operation The operation to abort. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_abort(operation: *mut psa_key_derivation_operation_t) + -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union mbedtls_psa_mac_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_hmac: mbedtls_psa_hmac_operation_t, - pub private_cmac: mbedtls_cipher_context_t, +unsafe extern "C" { + /// Perform a key agreement and return the raw shared secret. + /// + /// \warning The raw result of a key agreement algorithm such as finite-field + /// Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should + /// not be used directly as key material. It should instead be passed as + /// input to a key derivation algorithm. To chain a key agreement with + /// a key derivation, use psa_key_derivation_key_agreement() and other + /// functions from the key derivation interface. + /// + /// \param alg The key agreement algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg) + /// is true). + /// \param private_key Identifier of the private key to use. It must + /// allow the usage #PSA_KEY_USAGE_DERIVE. + /// \param[in] peer_key Public key of the peer. It must be + /// in the same format that psa_import_key() + /// accepts. The standard formats for public + /// keys are documented in the documentation + /// of psa_export_public_key(). + /// \param peer_key_length Size of \p peer_key in bytes. + /// \param[out] output Buffer where the decrypted message is to + /// be written. + /// \param output_size Size of the \c output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p alg is not a key agreement algorithm, or + /// \p private_key is not compatible with \p alg, + /// or \p peer_key is not valid for \p alg or not compatible with + /// \p private_key. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p output_size is too small + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not a supported key agreement algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_raw_key_agreement( + alg: psa_algorithm_t, + private_key: mbedtls_svc_key_id_t, + peer_key: *const u8, + peer_key_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Generate random bytes. + /// + /// \warning This function **can** fail! Callers MUST check the return status + /// and MUST NOT use the content of the output buffer if the return + /// status is not #PSA_SUCCESS. + /// + /// \note To generate a key, use psa_generate_key() instead. + /// + /// \param[out] output Output buffer for the generated data. + /// \param output_size Number of bytes to generate and output. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_random(output: *mut u8, output_size: usize) -> psa_status_t; } -impl Default for mbedtls_psa_mac_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Generate a key or key pair. + /// + /// The key is generated randomly. + /// Its location, usage policy, type and size are taken from \p attributes. + /// + /// Implementations must reject an attempt to generate a key of size 0. + /// + /// The following type-specific considerations apply: + /// - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), + /// the public exponent is 65537. + /// The modulus is a product of two probabilistic primes + /// between 2^{n-1} and 2^n where n is the bit size specified in the + /// attributes. + /// + /// \note This function is equivalent to calling psa_generate_key_custom() + /// with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// and `custom_data_length == 0` (i.e. `custom_data` is empty). + /// + /// \param[in] attributes The attributes for the new key. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key( + attributes: *const psa_key_attributes_t, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl Default for mbedtls_psa_mac_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Generate a key or key pair using custom production parameters. + /// + /// See the description of psa_generate_key() for the operation of this + /// function with the default production parameters. In addition, this function + /// supports the following production customizations, described in more detail + /// in the documentation of ::psa_custom_key_parameters_t: + /// + /// - RSA keys: generation with a custom public exponent. + /// + /// \note This function is experimental and may change in future minor + /// versions of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// \param[in] custom Customization parameters for the key generation. + /// When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// with \p custom_data_length = 0, + /// this function is equivalent to + /// psa_generate_key(). + /// \param[in] custom_data Variable-length data associated with \c custom. + /// \param custom_data_length + /// Length of `custom_data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key_custom( + attributes: *const psa_key_attributes_t, + custom: *const psa_custom_key_parameters_t, + custom_data: *const u8, + custom_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_aead_operation_t { - pub private_alg: psa_algorithm_t, - pub private_key_type: psa_key_type_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_tag_length: u8, - pub ctx: mbedtls_psa_aead_operation_t__bindgen_ty_1, +unsafe extern "C" { + /// \brief Generate a key or key pair using custom production parameters. + /// + /// \note + /// This is a deprecated variant of psa_key_derivation_output_key_custom(). + /// It is equivalent except that the associated variable-length data + /// is passed in `params->data` instead of a separate parameter. + /// This function will be removed in a future version of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// \param[in] params Customization parameters for the key generation. + /// When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + /// with \p params_data_length = 0, + /// this function is equivalent to + /// psa_generate_key(). + /// \param params_data_length + /// Length of `params->data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key_ext( + attributes: *const psa_key_attributes_t, + params: *const psa_key_production_parameters_t, + params_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_aead_operation_t__bindgen_ty_1 { - pub dummy: ::core::ffi::c_uint, - pub private_ccm: mbedtls_ccm_context, - pub private_gcm: mbedtls_gcm_context, - pub private_chachapoly: mbedtls_chachapoly_context, +/// The type of the state data structure for interruptible hash +/// signing operations. +/// +/// Before calling any function on a sign hash operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer +/// #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation = +/// PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function +/// psa_sign_hash_interruptible_operation_init() to the structure, for +/// example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation; +/// operation = psa_sign_hash_interruptible_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_sign_hash_interruptible_operation_t = psa_sign_hash_interruptible_operation_s; +/// The type of the state data structure for interruptible hash +/// verification operations. +/// +/// Before calling any function on a sign hash operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer +/// #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation = +/// PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function +/// psa_verify_hash_interruptible_operation_init() to the structure, for +/// example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation; +/// operation = psa_verify_hash_interruptible_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_verify_hash_interruptible_operation_t = psa_verify_hash_interruptible_operation_s; +unsafe extern "C" { + /// \brief Set the maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note The time taken to execute a single op is + /// implementation specific and depends on + /// software, hardware, the algorithm, key type and + /// curve chosen. Even within a single operation, + /// successive ops can take differing amounts of + /// time. The only guarantee is that lower values + /// for \p max_ops means functions will block for a + /// lesser maximum amount of time. The functions + /// \c psa_sign_interruptible_get_num_ops() and + /// \c psa_verify_interruptible_get_num_ops() are + /// provided to help with tuning this value. + /// + /// \note This value defaults to + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which + /// means the whole operation will be done in one + /// go, regardless of the number of ops required. + /// + /// \note If more ops are needed to complete a + /// computation, #PSA_OPERATION_INCOMPLETE will be + /// returned by the function performing the + /// computation. It is then the caller's + /// responsibility to either call again with the + /// same operation context until it returns 0 or an + /// error code; or to call the relevant abort + /// function if the answer is no longer required. + /// + /// \note The interpretation of \p max_ops is also + /// implementation defined. On a hard real time + /// system, this can indicate a hard deadline, as a + /// real-time system needs a guarantee of not + /// spending more than X time, however care must be + /// taken in such an implementation to avoid the + /// situation whereby calls just return, not being + /// able to do any actual work within the allotted + /// time. On a non-real-time system, the + /// implementation can be more relaxed, but again + /// whether this number should be interpreted as as + /// hard or soft limit or even whether a less than + /// or equals as regards to ops executed in a + /// single call is implementation defined. + /// + /// \note For keys in local storage when no accelerator + /// driver applies, please see also the + /// documentation for \c mbedtls_ecp_set_max_ops(), + /// which is the internal implementation in these + /// cases. + /// + /// \warning With implementations that interpret this number + /// as a hard limit, setting this number too small + /// may result in an infinite loop, whereby each + /// call results in immediate return with no ops + /// done (as there is not enough time to execute + /// any), and thus no result will ever be achieved. + /// + /// \note This only applies to functions whose + /// documentation mentions they may return + /// #PSA_OPERATION_INCOMPLETE. + /// + /// \param max_ops The maximum number of ops to be executed in a + /// single call. This can be a number from 0 to + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 + /// is the least amount of work done per call. + pub fn psa_interruptible_set_max_ops(max_ops: u32); } -impl Default for mbedtls_psa_aead_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Get the maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. This will return the last + /// value set by + /// \c psa_interruptible_set_max_ops() or + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if + /// that function has never been called. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \return Maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. + pub fn psa_interruptible_get_max_ops() -> u32; } -impl Default for mbedtls_psa_aead_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Get the number of ops that a hash signing + /// operation has taken so far. If the operation + /// has completed, then this will represent the + /// number of ops required for the entire + /// operation. After initialization or calling + /// \c psa_sign_hash_interruptible_abort() on + /// the operation, a value of 0 will be returned. + /// + /// \note This interface is guaranteed re-entrant and + /// thus may be called from driver code. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// This is a helper provided to help you tune the + /// value passed to \c + /// psa_interruptible_set_max_ops(). + /// + /// \param operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \return Number of ops that the operation has taken so + /// far. + pub fn psa_sign_hash_get_num_ops( + operation: *const psa_sign_hash_interruptible_operation_t, + ) -> u32; } -impl mbedtls_psa_aead_operation_t { - #[inline] - pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_is_encrypt: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; - private_is_encrypt as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// \brief Get the number of ops that a hash verification + /// operation has taken so far. If the operation + /// has completed, then this will represent the + /// number of ops required for the entire + /// operation. After initialization or calling \c + /// psa_verify_hash_interruptible_abort() on the + /// operation, a value of 0 will be returned. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// This is a helper provided to help you tune the + /// value passed to \c + /// psa_interruptible_set_max_ops(). + /// + /// \param operation The \c + /// psa_verify_hash_interruptible_operation_t to + /// use. This must be initialized first. + /// + /// \return Number of ops that the operation has taken so + /// far. + pub fn psa_verify_hash_get_num_ops( + operation: *const psa_verify_hash_interruptible_operation_t, + ) -> u32; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_sign_hash_interruptible_operation_t { - pub private_dummy: ::core::ffi::c_uint, +unsafe extern "C" { + /// \brief Start signing a hash or short message with a + /// private key, in an interruptible manner. + /// + /// \see \c psa_sign_hash_complete() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_sign_hash_complete() is equivalent to + /// \c psa_sign_hash() but + /// \c psa_sign_hash_complete() can return early and + /// resume according to the limit set with \c + /// psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function call. + /// + /// \note Users should call \c psa_sign_hash_complete() + /// repeatedly on the same context after a + /// successful call to this function until \c + /// psa_sign_hash_complete() either returns 0 or an + /// error. \c psa_sign_hash_complete() will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_sign_hash_abort() at any point if they no + /// longer want the result. + /// + /// \note If this function returns an error status, the + /// operation enters an error state and must be + /// aborted by calling \c psa_sign_hash_abort(). + /// + /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. + /// \param alg A signature algorithm (\c PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message to sign. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The operation started successfully - call \c psa_sign_hash_complete() + /// with the same context to complete the operation + /// + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does + /// not permit the requested algorithm. + /// \retval #PSA_ERROR_BAD_STATE + /// An operation has previously been started on this context, and is + /// still in progress. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash_start( + operation: *mut psa_sign_hash_interruptible_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_verify_hash_interruptible_operation_t { - pub private_dummy: ::core::ffi::c_uint, +unsafe extern "C" { + /// \brief Continue and eventually complete the action of + /// signing a hash or short message with a private + /// key, in an interruptible manner. + /// + /// \see \c psa_sign_hash_start() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_sign_hash_start() is equivalent to + /// \c psa_sign_hash() but this function can return + /// early and resume according to the limit set with + /// \c psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function call. + /// + /// \note Users should call this function on the same + /// operation object repeatedly until it either + /// returns 0 or an error. This function will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_sign_hash_abort() at any point if they no + /// longer want the result. + /// + /// \note When this function returns successfully, the + /// operation becomes inactive. If this function + /// returns an error status, the operation enters an + /// error state and must be aborted by calling + /// \c psa_sign_hash_abort(). + /// + /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first, and have + /// had \c psa_sign_hash_start() called with it + /// first. + /// + /// \param[out] signature Buffer where the signature is to be written. + /// \param signature_size Size of the \p signature buffer in bytes. This + /// must be appropriate for the selected + /// algorithm and key: + /// - The required signature size is + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c + /// key_bits, \c alg) where \c key_type and \c + /// key_bits are the type and bit-size + /// respectively of key. + /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the + /// maximum signature size of any supported + /// signature algorithm. + /// \param[out] signature_length On success, the number of bytes that make up + /// the returned signature value. + /// + /// \retval #PSA_SUCCESS + /// Operation completed successfully + /// + /// \retval #PSA_OPERATION_INCOMPLETE + /// Operation was interrupted due to the setting of \c + /// psa_interruptible_set_max_ops(). There is still work to be done. + /// Call this function again with the same operation object. + /// + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \c alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \c key. + /// + /// \retval #PSA_ERROR_BAD_STATE + /// An operation was not previously started on this context via + /// \c psa_sign_hash_start(). + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has either not been previously initialized by + /// psa_crypto_init() or you did not previously call + /// psa_sign_hash_start() with this operation object. It is + /// implementation-dependent whether a failure to initialize results in + /// this error code. + pub fn psa_sign_hash_complete( + operation: *mut psa_sign_hash_interruptible_operation_t, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } -///< Client -pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_CLIENT: mbedtls_ecjpake_role = 0; -///< Server -pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_SERVER: mbedtls_ecjpake_role = 1; -/// Roles in the EC J-PAKE exchange -pub type mbedtls_ecjpake_role = ::core::ffi::c_uint; -/// EC J-PAKE context structure. -/// -/// J-PAKE is a symmetric protocol, except for the identifiers used in -/// Zero-Knowledge Proofs, and the serialization of the second message -/// (KeyExchange) as defined by the Thread spec. -/// -/// In order to benefit from this symmetry, we choose a different naming -/// convention from the Thread v1.0 spec. Correspondence is indicated in the -/// description as a pair C: client name, S: server name -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecjpake_context { - ///< Hash to use - pub private_md_type: mbedtls_md_type_t, - ///< Elliptic curve - pub private_grp: mbedtls_ecp_group, - ///< Are we client or server? - pub private_role: mbedtls_ecjpake_role, - ///< Format for point export - pub private_point_format: ::core::ffi::c_int, - ///< My public key 1 C: X1, S: X3 - pub private_Xm1: mbedtls_ecp_point, - ///< My public key 2 C: X2, S: X4 - pub private_Xm2: mbedtls_ecp_point, - ///< Peer public key 1 C: X3, S: X1 - pub private_Xp1: mbedtls_ecp_point, - ///< Peer public key 2 C: X4, S: X2 - pub private_Xp2: mbedtls_ecp_point, - ///< Peer public key C: Xs, S: Xc - pub private_Xp: mbedtls_ecp_point, - ///< My private key 1 C: x1, S: x3 - pub private_xm1: mbedtls_mpi, - ///< My private key 2 C: x2, S: x4 - pub private_xm2: mbedtls_mpi, - ///< Pre-shared secret (passphrase) - pub private_s: mbedtls_mpi, +unsafe extern "C" { + /// \brief Abort a sign hash operation. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function is the only function that clears + /// the number of ops completed as part of the + /// operation. Please ensure you copy this value via + /// \c psa_sign_hash_get_num_ops() if required + /// before calling. + /// + /// \note Aborting an operation frees all associated + /// resources except for the \p operation structure + /// itself. Once aborted, the operation object can + /// be reused for another operation by calling \c + /// psa_sign_hash_start() again. + /// + /// \note You may call this function any time after the + /// operation object has been initialized. In + /// particular, calling \c psa_sign_hash_abort() + /// after the operation has already been terminated + /// by a call to \c psa_sign_hash_abort() or + /// psa_sign_hash_complete() is safe. + /// + /// \param[in,out] operation Initialized sign hash operation. + /// + /// \retval #PSA_SUCCESS + /// The operation was aborted successfully. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash_abort( + operation: *mut psa_sign_hash_interruptible_operation_t, + ) -> psa_status_t; } -impl Default for mbedtls_ecjpake_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Start reading and verifying a hash or short + /// message, in an interruptible manner. + /// + /// \see \c psa_verify_hash_complete() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_verify_hash_complete() is equivalent to + /// \c psa_verify_hash() but \c + /// psa_verify_hash_complete() can return early and + /// resume according to the limit set with \c + /// psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function. + /// + /// \note Users should call \c psa_verify_hash_complete() + /// repeatedly on the same operation object after a + /// successful call to this function until \c + /// psa_verify_hash_complete() either returns 0 or + /// an error. \c psa_verify_hash_complete() will + /// return #PSA_OPERATION_INCOMPLETE if there is + /// more work to do. Alternatively users can call + /// \c psa_verify_hash_abort() at any point if they + /// no longer want the result. + /// + /// \note If this function returns an error status, the + /// operation enters an error state and must be + /// aborted by calling \c psa_verify_hash_abort(). + /// + /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \param key Identifier of the key to use for the operation. + /// The key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_HASH. + /// \param alg A signature algorithm (\c PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash whose signature is to be verified. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param signature_length Size of the \p signature buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The operation started successfully - please call \c + /// psa_verify_hash_complete() with the same context to complete the + /// operation. + /// + /// \retval #PSA_ERROR_BAD_STATE + /// Another operation has already been started on this context, and is + /// still in progress. + /// + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does + /// not permit the requested algorithm. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash_start( + operation: *mut psa_verify_hash_interruptible_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Initialize an ECJPAKE context. + /// \brief Continue and eventually complete the action of + /// reading and verifying a hash or short message + /// signed with a private key, in an interruptible + /// manner. /// - /// \param ctx The ECJPAKE context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_ecjpake_init(ctx: *mut mbedtls_ecjpake_context); -} -unsafe extern "C" { - /// \brief Set up an ECJPAKE context for use. + /// \see \c psa_verify_hash_start() /// - /// \note Currently the only values for hash/curve allowed by the - /// standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. /// - /// \param ctx The ECJPAKE context to set up. This must be initialized. - /// \param role The role of the caller. This must be either - /// #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. - /// \param hash The identifier of the hash function to use, - /// for example #MBEDTLS_MD_SHA256. - /// \param curve The identifier of the elliptic curve to use, - /// for example #MBEDTLS_ECP_DP_SECP256R1. - /// \param secret The pre-shared secret (passphrase). This must be - /// a readable not empty buffer of length \p len Bytes. It need - /// only be valid for the duration of this call. - /// \param len The length of the pre-shared secret \p secret. + /// \note This function combined with \c + /// psa_verify_hash_start() is equivalent to + /// \c psa_verify_hash() but this function can + /// return early and resume according to the limit + /// set with \c psa_interruptible_set_max_ops() to + /// reduce the maximum time spent in a function + /// call. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_setup( - ctx: *mut mbedtls_ecjpake_context, - role: mbedtls_ecjpake_role, - hash: mbedtls_md_type_t, - curve: mbedtls_ecp_group_id, - secret: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Set the point format for future reads and writes. + /// \note Users should call this function on the same + /// operation object repeatedly until it either + /// returns 0 or an error. This function will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_verify_hash_abort() at any point if they + /// no longer want the result. /// - /// \param ctx The ECJPAKE context to configure. - /// \param point_format The point format to use: - /// #MBEDTLS_ECP_PF_UNCOMPRESSED (default) - /// or #MBEDTLS_ECP_PF_COMPRESSED. + /// \note When this function returns successfully, the + /// operation becomes inactive. If this function + /// returns an error status, the operation enters an + /// error state and must be aborted by calling + /// \c psa_verify_hash_abort(). /// - /// \return \c 0 if successful. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format - /// is invalid. - pub fn mbedtls_ecjpake_set_point_format( - ctx: *mut mbedtls_ecjpake_context, - point_format: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Check if an ECJPAKE context is ready for use. + /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + /// to use. This must be initialized first, and have + /// had \c psa_verify_hash_start() called with it + /// first. /// - /// \param ctx The ECJPAKE context to check. This must be - /// initialized. + /// \retval #PSA_SUCCESS + /// Operation completed successfully, and the passed signature is valid. /// - /// \return \c 0 if the context is ready for use. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. - pub fn mbedtls_ecjpake_check(ctx: *const mbedtls_ecjpake_context) -> ::core::ffi::c_int; + /// \retval #PSA_OPERATION_INCOMPLETE + /// Operation was interrupted due to the setting of \c + /// psa_interruptible_set_max_ops(). There is still work to be done. + /// Call this function again with the same operation object. + /// + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed + /// signature is not a valid signature. + /// \retval #PSA_ERROR_BAD_STATE + /// An operation was not previously started on this context via + /// \c psa_verify_hash_start(). + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has either not been previously initialized by + /// psa_crypto_init() or you did not previously call + /// psa_verify_hash_start() on this object. It is + /// implementation-dependent whether a failure to initialize results in + /// this error code. + pub fn psa_verify_hash_complete( + operation: *mut psa_verify_hash_interruptible_operation_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Generate and write the first round message - /// (TLS: contents of the Client/ServerHello extension, - /// excluding extension type and length bytes). + /// \brief Abort a verify hash operation. /// - /// \param ctx The ECJPAKE context to use. This must be - /// initialized and set up. - /// \param buf The buffer to write the contents to. This must be a - /// writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number - /// of Bytes written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// \warning This is a beta API, and thus subject to change at + /// any point. It is not bound by the usual interface + /// stability promises. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_round_one( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Read and process the first round message - /// (TLS: contents of the Client/ServerHello extension, - /// excluding extension type and length bytes). + /// \note This function is the only function that clears the + /// number of ops completed as part of the operation. + /// Please ensure you copy this value via + /// \c psa_verify_hash_get_num_ops() if required + /// before calling. /// - /// \param ctx The ECJPAKE context to use. This must be initialized - /// and set up. - /// \param buf The buffer holding the first round message. This must - /// be a readable buffer of length \p len Bytes. - /// \param len The length in Bytes of \p buf. + /// \note Aborting an operation frees all associated + /// resources except for the operation structure + /// itself. Once aborted, the operation object can be + /// reused for another operation by calling \c + /// psa_verify_hash_start() again. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_read_round_one( - ctx: *mut mbedtls_ecjpake_context, - buf: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \note You may call this function any time after the + /// operation object has been initialized. + /// In particular, calling \c psa_verify_hash_abort() + /// after the operation has already been terminated by + /// a call to \c psa_verify_hash_abort() or + /// psa_verify_hash_complete() is safe. + /// + /// \param[in,out] operation Initialized verify hash operation. + /// + /// \retval #PSA_SUCCESS + /// The operation was aborted successfully. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash_abort( + operation: *mut psa_verify_hash_interruptible_operation_t, + ) -> psa_status_t; } +pub type psa_key_handle_t = mbedtls_svc_key_id_t; unsafe extern "C" { - /// \brief Generate and write the second round message - /// (TLS: contents of the Client/ServerKeyExchange). + /// Open a handle to an existing persistent key. /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up, and already have performed round one. - /// \param buf The buffer to write the round two contents to. - /// This must be a writable buffer of length \p len Bytes. - /// \param len The size of \p buf in Bytes. - /// \param olen The address at which to store the total number of Bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// Open a handle to a persistent key. A key is persistent if it was created + /// with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key + /// always has a nonzero key identifier, set with psa_set_key_id() when + /// creating the key. Implementations may provide additional pre-provisioned + /// keys that can be opened with psa_open_key(). Such keys have an application + /// key identifier in the vendor range, as documented in the description of + /// #psa_key_id_t. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_round_two( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// The application must eventually close the handle with psa_close_key() or + /// psa_destroy_key() to release associated resources. If the application dies + /// without calling one of these functions, the implementation should perform + /// the equivalent of a call to psa_close_key(). + /// + /// Some implementations permit an application to open the same key multiple + /// times. If this is successful, each call to psa_open_key() will return a + /// different key handle. + /// + /// \note This API is not part of the PSA Cryptography API Release 1.0.0 + /// specification. It was defined in the 1.0 Beta 3 version of the + /// specification but was removed in the 1.0.0 released version. This API is + /// kept for the time being to not break applications relying on it. It is not + /// deprecated yet but will be in the near future. + /// + /// \note Applications that rely on opening a key multiple times will not be + /// portable to implementations that only permit a single key handle to be + /// opened. See also :ref:\`key-handles\`. + /// + /// + /// \param key The persistent identifier of the key. + /// \param[out] handle On success, a handle to the key. + /// + /// \retval #PSA_SUCCESS + /// Success. The application can now use the value of `*handle` + /// to access the key. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY + /// The implementation does not have sufficient resources to open the + /// key. This can be due to reaching an implementation limit on the + /// number of open keys, the number of open key handles, or available + /// memory. + /// \retval #PSA_ERROR_DOES_NOT_EXIST + /// There is no persistent key with key identifier \p key. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not a valid persistent key identifier. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The specified key exists, but the application does not have the + /// permission to access it. Note that this specification does not + /// define any way to create such a key, but it may be possible + /// through implementation-specific means. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_open_key(key: mbedtls_svc_key_id_t, handle: *mut psa_key_handle_t) -> psa_status_t; } unsafe extern "C" { - /// \brief Read and process the second round message - /// (TLS: contents of the Client/ServerKeyExchange). + /// Close a key handle. /// - /// \param ctx The ECJPAKE context to use. This must be initialized - /// and set up and already have performed round one. - /// \param buf The buffer holding the second round message. This must - /// be a readable buffer of length \p len Bytes. - /// \param len The length in Bytes of \p buf. + /// If the handle designates a volatile key, this will destroy the key material + /// and free all associated resources, just like psa_destroy_key(). /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_read_round_two( - ctx: *mut mbedtls_ecjpake_context, - buf: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Derive the shared secret - /// (TLS: Pre-Master Secret). + /// If this is the last open handle to a persistent key, then closing the handle + /// will free all resources associated with the key in volatile memory. The key + /// data in persistent storage is not affected and can be opened again later + /// with a call to psa_open_key(). /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up and have performed both round one and two. - /// \param buf The buffer to write the derived secret to. This must - /// be a writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number of Bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// Closing the key handle makes the handle invalid, and the key handle + /// must not be used again by the application. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_derive_secret( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write the shared key material to be passed to a Key - /// Derivation Function as described in RFC8236. + /// \note This API is not part of the PSA Cryptography API Release 1.0.0 + /// specification. It was defined in the 1.0 Beta 3 version of the + /// specification but was removed in the 1.0.0 released version. This API is + /// kept for the time being to not break applications relying on it. It is not + /// deprecated yet but will be in the near future. /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up and have performed both round one and two. - /// \param buf The buffer to write the derived secret to. This must - /// be a writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number of bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// \note If the key handle was used to set up an active + /// :ref:\`multipart operation \`, then closing the + /// key handle can cause the multipart operation to fail. Applications should + /// maintain the key handle until after the multipart operation has finished. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_shared_key( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This clears an ECJPAKE context and frees any - /// embedded data structure. + /// \param handle The key handle to close. + /// If this is \c 0, do nothing and return \c PSA_SUCCESS. /// - /// \param ctx The ECJPAKE context to free. This may be \c NULL, - /// in which case this function does nothing. If it is not - /// \c NULL, it must point to an initialized ECJPAKE context. - pub fn mbedtls_ecjpake_free(ctx: *mut mbedtls_ecjpake_context); + /// \retval #PSA_SUCCESS + /// \p handle was a valid handle or \c 0. It is now closed. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p handle is not a valid handle nor \c 0. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_close_key(handle: psa_key_handle_t) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// \brief Library deinitialization. /// - /// \return 0 if successful, or 1 if a test failed - pub fn mbedtls_ecjpake_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_pake_operation_t { - pub private_alg: psa_algorithm_t, - pub private_password: *mut u8, - pub private_password_len: usize, - pub private_role: u8, - pub private_buffer: [u8; 336usize], - pub private_buffer_length: usize, - pub private_buffer_offset: usize, - pub private_ctx: mbedtls_psa_pake_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_pake_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_jpake: mbedtls_ecjpake_context, -} -impl Default for mbedtls_psa_pake_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_pake_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_driver_mac_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_mac_operation_t, -} -impl Default for psa_driver_mac_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_aead_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_aead_operation_t, -} -impl Default for psa_driver_aead_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_sign_hash_interruptible_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_sign_hash_interruptible_operation_t, -} -impl Default for psa_driver_sign_hash_interruptible_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_verify_hash_interruptible_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_verify_hash_interruptible_operation_t, -} -impl Default for psa_driver_verify_hash_interruptible_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_pake_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_pake_operation_t, -} -impl Default for psa_driver_pake_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// This function clears all data associated with the PSA layer, + /// including the whole key store. + /// This function is not thread safe, it wipes every key slot regardless of + /// state and reader count. It should only be called when no slot is in use. + /// + /// This is an Mbed TLS extension. + pub fn mbedtls_psa_crypto_free(); } +/// \brief Statistics about +/// resource consumption related to the PSA keystore. +/// +/// \note The content of this structure is not part of the stable API and ABI +/// of Mbed TLS and may change arbitrarily from version to version. #[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_mac_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_mac_size: u8, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub __bindgen_padding_0: u64, - pub private_ctx: psa_driver_mac_context_t, +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_stats_s { + /// Number of slots containing key material for a volatile key. + pub private_volatile_slots: usize, + /// Number of slots containing key material for a key which is in + /// internal persistent storage. + pub private_persistent_slots: usize, + /// Number of slots containing a reference to a key in a + /// secure element. + pub private_external_slots: usize, + /// Number of slots which are occupied, but do not contain + /// key material yet. + pub private_half_filled_slots: usize, + /// Number of slots that contain cache data. + pub private_cache_slots: usize, + /// Number of slots that are not used for anything. + pub private_empty_slots: usize, + /// Number of slots that are locked. + pub private_locked_slots: usize, + /// Largest key id value among open keys in internal persistent storage. + pub private_max_open_internal_key_id: psa_key_id_t, + /// Largest key id value among open keys in secure elements. + pub private_max_open_external_key_id: psa_key_id_t, } -impl Default for psa_mac_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +/// \brief Statistics about +/// resource consumption related to the PSA keystore. +/// +/// \note The content of this structure is not part of the stable API and ABI +/// of Mbed TLS and may change arbitrarily from version to version. +pub type mbedtls_psa_stats_t = mbedtls_psa_stats_s; +unsafe extern "C" { + /// \brief Get statistics about + /// resource consumption related to the PSA keystore. + /// + /// \note When Mbed TLS is built as part of a service, with isolation + /// between the application and the keystore, the service may or + /// may not expose this function. + pub fn mbedtls_psa_get_stats(stats: *mut mbedtls_psa_stats_t); } -impl psa_mac_operation_s { - #[inline] - pub fn private_is_sign(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_sign(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_sign_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_sign_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_is_sign: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_is_sign: u32 = unsafe { ::core::mem::transmute(private_is_sign) }; - private_is_sign as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// \brief Inject an initial entropy seed for the random generator into + /// secure storage. + /// + /// This function injects data to be used as a seed for the random generator + /// used by the PSA Crypto implementation. On devices that lack a trusted + /// entropy source (preferably a hardware random number generator), + /// the Mbed PSA Crypto implementation uses this value to seed its + /// random generator. + /// + /// On devices without a trusted entropy source, this function must be + /// called exactly once in the lifetime of the device. On devices with + /// a trusted entropy source, calling this function is optional. + /// In all cases, this function may only be called before calling any + /// other function in the PSA Crypto API, including psa_crypto_init(). + /// + /// When this function returns successfully, it populates a file in + /// persistent storage. Once the file has been created, this function + /// can no longer succeed. + /// + /// If any error occurs, this function does not change the system state. + /// You can call this function again after correcting the reason for the + /// error if possible. + /// + /// \warning This function **can** fail! Callers MUST check the return status. + /// + /// \warning If you use this function, you should use it as part of a + /// factory provisioning process. The value of the injected seed + /// is critical to the security of the device. It must be + /// *secret*, *unpredictable* and (statistically) *unique per device*. + /// You should be generate it randomly using a cryptographically + /// secure random generator seeded from trusted entropy sources. + /// You should transmit it securely to the device and ensure + /// that its value is not leaked or stored anywhere beyond the + /// needs of transmitting it from the point of generation to + /// the call of this function, and erase all copies of the value + /// once this function returns. + /// + /// This is an Mbed TLS extension. + /// + /// \note This function is only available on the following platforms: + /// * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled. + /// Note that you must provide compatible implementations of + /// mbedtls_nv_seed_read and mbedtls_nv_seed_write. + /// * In a client-server integration of PSA Cryptography, on the client side, + /// if the server supports this feature. + /// \param[in] seed Buffer containing the seed value to inject. + /// \param[in] seed_size Size of the \p seed buffer. + /// The size of the seed in bytes must be greater + /// or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE + /// and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM + /// in `library/entropy_poll.h` in the Mbed TLS source + /// code. + /// It must be less or equal to + /// #MBEDTLS_ENTROPY_MAX_SEED_SIZE. + /// + /// \retval #PSA_SUCCESS + /// The seed value was injected successfully. The random generator + /// of the PSA Crypto implementation is now ready for use. + /// You may now call psa_crypto_init() and use the PSA Crypto + /// implementation. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p seed_size is out of range. + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// There was a failure reading or writing from storage. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The library has already been initialized. It is no longer + /// possible to call this function. + pub fn mbedtls_psa_inject_entropy(seed: *const u8, seed_size: usize) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_aead_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_alg: psa_algorithm_t, - pub private_key_type: psa_key_type_t, - pub private_ad_remaining: usize, - pub private_body_remaining: usize, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_ctx: psa_driver_aead_context_t, +unsafe extern "C" { + /// External random generator function, implemented by the platform. + /// + /// When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, + /// this function replaces Mbed TLS's entropy and DRBG modules for all + /// random generation triggered via PSA crypto interfaces. + /// + /// \note This random generator must deliver random numbers with cryptographic + /// quality and high performance. It must supply unpredictable numbers + /// with a uniform distribution. The implementation of this function + /// is responsible for ensuring that the random generator is seeded + /// with sufficient entropy. If you have a hardware TRNG which is slow + /// or delivers non-uniform output, declare it as an entropy source + /// with mbedtls_entropy_add_source() instead of enabling this option. + /// + /// \param[in,out] context Pointer to the random generator context. + /// This is all-bits-zero on the first call + /// and preserved between successive calls. + /// \param[out] output Output buffer. On success, this buffer + /// contains random data with a uniform + /// distribution. + /// \param output_size The size of the \p output buffer in bytes. + /// \param[out] output_length On success, set this value to \p output_size. + /// + /// \retval #PSA_SUCCESS + /// Success. The output buffer contains \p output_size bytes of + /// cryptographic-quality random data, and \c *output_length is + /// set to \p output_size. + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + /// The random generator requires extra entropy and there is no + /// way to obtain entropy under current environment conditions. + /// This error should not happen under normal circumstances since + /// this function is responsible for obtaining as much entropy as + /// it needs. However implementations of this function may return + /// #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain + /// entropy without blocking indefinitely. + /// \retval #PSA_ERROR_HARDWARE_FAILURE + /// A failure of the random generator hardware that isn't covered + /// by #PSA_ERROR_INSUFFICIENT_ENTROPY. + pub fn mbedtls_psa_external_get_random( + context: *mut mbedtls_psa_external_random_context_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } -impl Default for psa_aead_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +/// A slot number identifying a key in a driver. +/// +/// Values of this type are used to identify built-in keys. +pub type psa_drv_slot_number_t = u64; +unsafe extern "C" { + /// Check if PSA is capable of handling the specified hash algorithm. + /// + /// This means that PSA core was built with the corresponding PSA_WANT_ALG_xxx + /// set and that psa_crypto_init has already been called. + /// + /// \note When using the built-in version of the PSA core (i.e. + /// #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + /// the state of the driver subsystem, not the algorithm. + /// This might be improved in the future. + /// + /// \param hash_alg The hash algorithm. + /// + /// \return 1 if the PSA can handle \p hash_alg, 0 otherwise. + pub fn psa_can_do_hash(hash_alg: psa_algorithm_t) -> ::core::ffi::c_int; } -impl psa_aead_operation_s { - #[inline] - pub fn private_nonce_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_nonce_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_nonce_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_nonce_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_lengths_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_lengths_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(1usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_lengths_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 1usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_lengths_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 1usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_ad_started(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_ad_started(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(2usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_ad_started_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 2usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_ad_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 2usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_body_started(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(3usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_body_started(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(3usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_body_started_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 3usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_body_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 3usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(4usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(4usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 4usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 4usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_nonce_set: ::core::ffi::c_uint, - private_lengths_set: ::core::ffi::c_uint, - private_ad_started: ::core::ffi::c_uint, - private_body_started: ::core::ffi::c_uint, - private_is_encrypt: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_nonce_set: u32 = unsafe { ::core::mem::transmute(private_nonce_set) }; - private_nonce_set as u64 - }); - __bindgen_bitfield_unit.set(1usize, 1u8, { - let private_lengths_set: u32 = unsafe { ::core::mem::transmute(private_lengths_set) }; - private_lengths_set as u64 - }); - __bindgen_bitfield_unit.set(2usize, 1u8, { - let private_ad_started: u32 = unsafe { ::core::mem::transmute(private_ad_started) }; - private_ad_started as u64 - }); - __bindgen_bitfield_unit.set(3usize, 1u8, { - let private_body_started: u32 = unsafe { ::core::mem::transmute(private_body_started) }; - private_body_started as u64 - }); - __bindgen_bitfield_unit.set(4usize, 1u8, { - let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; - private_is_encrypt as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Tell if PSA is ready for this cipher. + /// + /// \note When using the built-in version of the PSA core (i.e. + /// #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + /// the state of the driver subsystem, not the key type and algorithm. + /// This might be improved in the future. + /// + /// \param key_type The key type. + /// \param cipher_alg The cipher algorithm. + /// + /// \return 1 if the PSA can handle \p cipher_alg, 0 otherwise. + pub fn psa_can_do_cipher( + key_type: psa_key_type_t, + cipher_alg: psa_algorithm_t, + ) -> ::core::ffi::c_int; +} +/// \brief Encoding of the application role of PAKE +/// +/// Encodes the application's role in the algorithm is being executed. For more +/// information see the documentation of individual \c PSA_PAKE_ROLE_XXX +/// constants. +pub type psa_pake_role_t = u8; +/// Encoding of input and output indicators for PAKE. +/// +/// Some PAKE algorithms need to exchange more data than just a single key share. +/// This type is for encoding additional input and output data for such +/// algorithms. +pub type psa_pake_step_t = u8; +/// Encoding of the type of the PAKE's primitive. +/// +/// Values defined by this standard will never be in the range 0x80-0xff. +/// Vendors who define additional types must use an encoding in this range. +/// +/// For more information see the documentation of individual +/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. +pub type psa_pake_primitive_type_t = u8; +/// \brief Encoding of the family of the primitive associated with the PAKE. +/// +/// For more information see the documentation of individual +/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. +pub type psa_pake_family_t = u8; +/// \brief Encoding of the primitive associated with the PAKE. +/// +/// For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. +pub type psa_pake_primitive_t = u32; +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_pake_cipher_suite_s { + pub algorithm: psa_algorithm_t, + pub type_: psa_pake_primitive_type_t, + pub family: psa_pake_family_t, + pub bits: u16, + pub hash: psa_algorithm_t, } #[repr(C)] -#[repr(align(16))] #[derive(Copy, Clone)] -pub struct psa_hkdf_key_derivation_t { - pub private_info: *mut u8, - pub private_info_length: usize, - pub private_offset_in_block: u8, - pub private_block_number: u8, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_output_block: [u8; 64usize], - pub private_prk: [u8; 64usize], - pub __bindgen_padding_0: [u64; 0usize], - pub private_hmac: psa_mac_operation_s, +pub struct psa_crypto_driver_pake_inputs_s { + pub private_password: *mut u8, + pub private_password_len: usize, + pub private_user: *mut u8, + pub private_user_len: usize, + pub private_peer: *mut u8, + pub private_peer_len: usize, + pub private_attributes: psa_key_attributes_t, + pub private_cipher_suite: psa_pake_cipher_suite_s, } -impl Default for psa_hkdf_key_derivation_t { +impl Default for psa_crypto_driver_pake_inputs_s { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -17057,126 +18119,97 @@ impl Default for psa_hkdf_key_derivation_t { } } } -impl psa_hkdf_key_derivation_t { - #[inline] - pub fn private_state(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 2u8) as u32) } - } - #[inline] - pub fn set_private_state(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 2u8, val as u64) - } - } - #[inline] - pub unsafe fn private_state_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 2u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_state_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 2u8, - val as u64, - ) - } - } - #[inline] - pub fn private_info_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_info_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(2usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_info_set_raw(this: *const Self) -> ::core::ffi::c_uint { +pub const psa_crypto_driver_pake_step_PSA_JPAKE_STEP_INVALID: psa_crypto_driver_pake_step = 0; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 1; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 2; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 3; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 4; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 5; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 6; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 7; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 8; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 9; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = + 10; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = + 11; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 12; +pub type psa_crypto_driver_pake_step = ::core::ffi::c_uint; +pub use self::psa_crypto_driver_pake_step as psa_crypto_driver_pake_step_t; +pub const psa_jpake_round_PSA_JPAKE_FIRST: psa_jpake_round = 0; +pub const psa_jpake_round_PSA_JPAKE_SECOND: psa_jpake_round = 1; +pub const psa_jpake_round_PSA_JPAKE_FINISHED: psa_jpake_round = 2; +pub type psa_jpake_round = ::core::ffi::c_uint; +pub use self::psa_jpake_round as psa_jpake_round_t; +pub const psa_jpake_io_mode_PSA_JPAKE_INPUT: psa_jpake_io_mode = 0; +pub const psa_jpake_io_mode_PSA_JPAKE_OUTPUT: psa_jpake_io_mode = 1; +pub type psa_jpake_io_mode = ::core::ffi::c_uint; +pub use self::psa_jpake_io_mode as psa_jpake_io_mode_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_jpake_computation_stage_s { + pub private_round: psa_jpake_round_t, + pub private_io_mode: psa_jpake_io_mode_t, + pub private_inputs: u8, + pub private_outputs: u8, + pub private_step: psa_pake_step_t, +} +impl Default for psa_jpake_computation_stage_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 2usize, - 1u8, - ) as u32) + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() } } - #[inline] - pub unsafe fn set_private_info_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_pake_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_alg: psa_algorithm_t, + pub private_primitive: psa_pake_primitive_t, + pub private_stage: u8, + pub private_computation_stage: psa_pake_operation_s__bindgen_ty_1, + pub private_data: psa_pake_operation_s__bindgen_ty_2, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_pake_operation_s__bindgen_ty_1 { + pub private_dummy: u8, + pub private_jpake: psa_jpake_computation_stage_s, +} +impl Default for psa_pake_operation_s__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 2usize, - 1u8, - val as u64, - ) + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() } } - #[inline] - pub fn new_bitfield_1( - private_state: ::core::ffi::c_uint, - private_info_set: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 2u8, { - let private_state: u32 = unsafe { ::core::mem::transmute(private_state) }; - private_state as u64 - }); - __bindgen_bitfield_unit.set(2usize, 1u8, { - let private_info_set: u32 = unsafe { ::core::mem::transmute(private_info_set) }; - private_info_set as u64 - }); - __bindgen_bitfield_unit - } -} -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_tls12_ecjpake_to_pms_t { - pub private_data: [u8; 32usize], } -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_INIT: - psa_tls12_prf_key_derivation_state_t = 0; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_SEED_SET: - psa_tls12_prf_key_derivation_state_t = 1; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OTHER_KEY_SET: - psa_tls12_prf_key_derivation_state_t = 2; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_KEY_SET: - psa_tls12_prf_key_derivation_state_t = 3; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_LABEL_SET: - psa_tls12_prf_key_derivation_state_t = 4; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OUTPUT: - psa_tls12_prf_key_derivation_state_t = 5; -pub type psa_tls12_prf_key_derivation_state_t = ::core::ffi::c_uint; #[repr(C)] #[derive(Copy, Clone)] -pub struct psa_tls12_prf_key_derivation_s { - pub private_left_in_block: u8, - pub private_block_number: u8, - pub private_state: psa_tls12_prf_key_derivation_state_t, - pub private_secret: *mut u8, - pub private_secret_length: usize, - pub private_seed: *mut u8, - pub private_seed_length: usize, - pub private_label: *mut u8, - pub private_label_length: usize, - pub private_other_secret: *mut u8, - pub private_other_secret_length: usize, - pub private_Ai: [u8; 64usize], - pub private_output_block: [u8; 64usize], +pub union psa_pake_operation_s__bindgen_ty_2 { + pub private_ctx: psa_driver_pake_context_t, + pub private_inputs: psa_crypto_driver_pake_inputs_s, } -impl Default for psa_tls12_prf_key_derivation_s { +impl Default for psa_pake_operation_s__bindgen_ty_2 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for psa_pake_operation_s { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -17185,1462 +18218,1629 @@ impl Default for psa_tls12_prf_key_derivation_s { } } } -pub type psa_tls12_prf_key_derivation_t = psa_tls12_prf_key_derivation_s; -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_key_derivation_s { - pub private_alg: psa_algorithm_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_capacity: usize, - pub __bindgen_padding_0: [u64; 0usize], - pub private_ctx: psa_key_derivation_s__bindgen_ty_1, +/// The type of the data structure for PAKE cipher suites. +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_pake_cipher_suite_t = psa_pake_cipher_suite_s; +/// The type of the state data structure for PAKE operations. +/// +/// Before calling any function on a PAKE operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_pake_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_pake_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, +/// for example: +/// \code +/// psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_pake_operation_init() +/// to the structure, for example: +/// \code +/// psa_pake_operation_t operation; +/// operation = psa_pake_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_pake_operation_t = psa_pake_operation_s; +/// The type of input values for PAKE operations. +pub type psa_crypto_driver_pake_inputs_t = psa_crypto_driver_pake_inputs_s; +/// The type of computation stage for J-PAKE operations. +pub type psa_jpake_computation_stage_t = psa_jpake_computation_stage_s; +unsafe extern "C" { + /// Get the length of the password in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] password_len Password length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Password hasn't been set yet. + pub fn psa_crypto_driver_pake_get_password_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + password_len: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the password from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] buffer Return buffer for password. + /// \param buffer_size Size of the return buffer in bytes. + /// \param[out] buffer_length Actual size of the password in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Password hasn't been set yet. + pub fn psa_crypto_driver_pake_get_password( + inputs: *const psa_crypto_driver_pake_inputs_t, + buffer: *mut u8, + buffer_size: usize, + buffer_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the length of the user id in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] user_len User id length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// User id hasn't been set yet. + pub fn psa_crypto_driver_pake_get_user_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + user_len: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the length of the peer id in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] peer_len Peer id length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Peer id hasn't been set yet. + pub fn psa_crypto_driver_pake_get_peer_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + peer_len: *mut usize, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_key_derivation_s__bindgen_ty_1 { - pub private_dummy: u8, - pub private_hkdf: psa_hkdf_key_derivation_t, - pub private_tls12_prf: psa_tls12_prf_key_derivation_t, - pub private_tls12_ecjpake_to_pms: psa_tls12_ecjpake_to_pms_t, +unsafe extern "C" { + /// Get the user id from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] user_id User id. + /// \param user_id_size Size of \p user_id in bytes. + /// \param[out] user_id_len Size of the user id in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// User id hasn't been set yet. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p user_id is too small. + pub fn psa_crypto_driver_pake_get_user( + inputs: *const psa_crypto_driver_pake_inputs_t, + user_id: *mut u8, + user_id_size: usize, + user_id_len: *mut usize, + ) -> psa_status_t; } -impl Default for psa_key_derivation_s__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Get the peer id from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] peer_id Peer id. + /// \param peer_id_size Size of \p peer_id in bytes. + /// \param[out] peer_id_length Size of the peer id in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Peer id hasn't been set yet. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p peer_id is too small. + pub fn psa_crypto_driver_pake_get_peer( + inputs: *const psa_crypto_driver_pake_inputs_t, + peer_id: *mut u8, + peer_id_size: usize, + peer_id_length: *mut usize, + ) -> psa_status_t; } -impl Default for psa_key_derivation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Get the cipher suite from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] cipher_suite Return buffer for role. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Cipher_suite hasn't been set yet. + pub fn psa_crypto_driver_pake_get_cipher_suite( + inputs: *const psa_crypto_driver_pake_inputs_t, + cipher_suite: *mut psa_pake_cipher_suite_t, + ) -> psa_status_t; } -impl psa_key_derivation_s { - #[inline] - pub fn private_can_output_key(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_can_output_key(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_can_output_key_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_can_output_key_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_can_output_key: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_can_output_key: u32 = - unsafe { ::core::mem::transmute(private_can_output_key) }; - private_can_output_key as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Set the session information for a password-authenticated key exchange. + /// + /// The sequence of operations to set up a password-authenticated key exchange + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_pake_operation_t, e.g. + /// #PSA_PAKE_OPERATION_INIT. + /// -# Call psa_pake_setup() to specify the cipher suite. + /// -# Call \c psa_pake_set_xxx() functions on the operation to complete the + /// setup. The exact sequence of \c psa_pake_set_xxx() functions that needs + /// to be called depends on the algorithm in use. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// A typical sequence of calls to perform a password-authenticated key + /// exchange: + /// -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the + /// key share that needs to be sent to the peer. + /// -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide + /// the key share that was received from the peer. + /// -# Depending on the algorithm additional calls to psa_pake_output() and + /// psa_pake_input() might be necessary. + /// -# Call psa_pake_get_implicit_key() for accessing the shared secret. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// If an error occurs at any step after a call to psa_pake_setup(), + /// the operation will need to be reset by a call to psa_pake_abort(). The + /// application may call psa_pake_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_pake_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A call to psa_pake_abort(). + /// - A successful call to psa_pake_get_implicit_key(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized but not set up yet. + /// \param[in] cipher_suite The cipher suite to use. (A cipher suite fully + /// characterizes a PAKE algorithm and determines + /// the algorithm as well.) + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The algorithm in \p cipher_suite is not a PAKE algorithm, or the + /// PAKE primitive in \p cipher_suite is not compatible with the + /// PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid + /// or not compatible with the PAKE algorithm and primitive. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The algorithm in \p cipher_suite is not a supported PAKE algorithm, + /// or the PAKE primitive in \p cipher_suite is not supported or not + /// compatible with the PAKE algorithm, or the hash algorithm in + /// \p cipher_suite is not supported or not compatible with the PAKE + /// algorithm and primitive. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_setup( + operation: *mut psa_pake_operation_t, + cipher_suite: *const psa_pake_cipher_suite_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_key_policy_s { - pub private_usage: psa_key_usage_t, - pub private_alg: psa_algorithm_t, - pub private_alg2: psa_algorithm_t, +unsafe extern "C" { + /// Set the password for a password-authenticated key exchange from key ID. + /// + /// Call this function when the password, or a value derived from the password, + /// is already present in the key store. + /// + /// \param[in,out] operation The operation object to set the password for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the password hasn't + /// been set yet (psa_pake_set_password_key() + /// hasn't been called yet). + /// \param password Identifier of the key holding the password or a + /// value derived from the password (eg. by a + /// memory-hard function). It must remain valid + /// until the operation terminates. It must be of + /// type #PSA_KEY_TYPE_PASSWORD or + /// #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow + /// the usage #PSA_KEY_USAGE_DERIVE. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p password is not a valid key identifier. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not + /// permit the \p operation's algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or + /// #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with + /// the \p operation's cipher suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size of \p password is not supported with the + /// \p operation's cipher suite. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must have been set up.), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_password_key( + operation: *mut psa_pake_operation_t, + password: mbedtls_svc_key_id_t, + ) -> psa_status_t; } -pub type psa_key_policy_t = psa_key_policy_s; -pub type psa_key_bits_t = u16; -/// A mask of flags that can be stored in key attributes. -/// -/// This type is also used internally to store flags in slots. Internal -/// flags are defined in library/psa_crypto_core.h. Internal flags may have -/// the same value as external flags if they are properly handled during -/// key creation and in psa_get_key_attributes. -pub type psa_key_attributes_flag_t = u16; -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_core_key_attributes_t { - pub private_type: psa_key_type_t, - pub private_bits: psa_key_bits_t, - pub private_lifetime: psa_key_lifetime_t, - pub private_id: mbedtls_svc_key_id_t, - pub private_policy: psa_key_policy_t, - pub private_flags: psa_key_attributes_flag_t, +unsafe extern "C" { + /// Set the user ID for a password-authenticated key exchange. + /// + /// Call this function to set the user ID. For PAKE algorithms that associate a + /// user identifier with each side of the session you need to call + /// psa_pake_set_peer() as well. For PAKE algorithms that associate a single + /// user identifier with the session, call psa_pake_set_user() only. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \note When using the built-in implementation of #PSA_ALG_JPAKE, the user ID + /// must be `"client"` (6-byte string) or `"server"` (6-byte string). + /// Third-party drivers may or may not have this limitation. + /// + /// \param[in,out] operation The operation object to set the user ID for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the user ID hasn't + /// been set (psa_pake_set_user() hasn't been + /// called yet). + /// \param[in] user_id The user ID to authenticate with. + /// \param user_id_len Size of the \p user_id buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p user_id is not valid for the \p operation's algorithm and cipher + /// suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The value of \p user_id is not supported by the implementation. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_user( + operation: *mut psa_pake_operation_t, + user_id: *const u8, + user_id_len: usize, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_key_attributes_s { - pub private_core: psa_core_key_attributes_t, - pub private_domain_parameters: *mut ::core::ffi::c_void, - pub private_domain_parameters_size: usize, +unsafe extern "C" { + /// Set the peer ID for a password-authenticated key exchange. + /// + /// Call this function in addition to psa_pake_set_user() for PAKE algorithms + /// that associate a user identifier with each side of the session. For PAKE + /// algorithms that associate a single user identifier with the session, call + /// psa_pake_set_user() only. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \note When using the built-in implementation of #PSA_ALG_JPAKE, the peer ID + /// must be `"client"` (6-byte string) or `"server"` (6-byte string). + /// Third-party drivers may or may not have this limitation. + /// + /// \param[in,out] operation The operation object to set the peer ID for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the peer ID hasn't + /// been set (psa_pake_set_peer() hasn't been + /// called yet). + /// \param[in] peer_id The peer's ID to authenticate. + /// \param peer_id_len Size of the \p peer_id buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p peer_id is not valid for the \p operation's algorithm and cipher + /// suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The algorithm doesn't associate a second identity with the session. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// Calling psa_pake_set_peer() is invalid with the \p operation's + /// algorithm, the operation state is not valid, or the library has not + /// been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_peer( + operation: *mut psa_pake_operation_t, + peer_id: *const u8, + peer_id_len: usize, + ) -> psa_status_t; } -impl Default for psa_key_attributes_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Set the application role for a password-authenticated key exchange. + /// + /// Not all PAKE algorithms need to differentiate the communicating entities. + /// It is optional to call this function for PAKEs that don't require a role + /// to be specified. For such PAKEs the application role parameter is ignored, + /// or #PSA_PAKE_ROLE_NONE can be passed as \c role. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \param[in,out] operation The operation object to specify the + /// application's role for. It must have been set up + /// by psa_pake_setup() and not yet in use (neither + /// psa_pake_output() nor psa_pake_input() has been + /// called yet). It must be on operation for which + /// the application's role hasn't been specified + /// (psa_pake_set_role() hasn't been called yet). + /// \param role A value of type ::psa_pake_role_t indicating the + /// application's role in the PAKE the algorithm + /// that is being set up. For more information see + /// the documentation of \c PSA_PAKE_ROLE_XXX + /// constants. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The \p role is not a valid PAKE role in the \p operation’s algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The \p role for this algorithm is not supported or is not valid. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_role( + operation: *mut psa_pake_operation_t, + role: psa_pake_role_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Set domain parameters for a key. + /// Get output for a step of a password-authenticated key exchange. /// - /// Some key types require additional domain parameters in addition to - /// the key type identifier and the key size. Use this function instead - /// of psa_set_key_type() when you need to specify domain parameters. + /// Depending on the algorithm being executed, you might need to call this + /// function several times or you might not need to call this at all. /// - /// The format for the required domain parameters varies based on the key type. + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// - /// - For RSA keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY or #PSA_KEY_TYPE_RSA_KEY_PAIR), - /// the domain parameter data consists of the public exponent, - /// represented as a big-endian integer with no leading zeros. - /// This information is used when generating an RSA key pair. - /// When importing a key, the public exponent is read from the imported - /// key data and the exponent recorded in the attribute structure is ignored. - /// As an exception, the public exponent 65537 is represented by an empty - /// byte string. - /// - For DSA keys (#PSA_KEY_TYPE_DSA_PUBLIC_KEY or #PSA_KEY_TYPE_DSA_KEY_PAIR), - /// the `Dss-Params` format as defined by RFC 3279 §2.3.2. - /// ``` - /// Dss-Params ::= SEQUENCE { - /// p INTEGER, - /// q INTEGER, - /// g INTEGER - /// } - /// ``` - /// - For Diffie-Hellman key exchange keys - /// (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or - /// #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM)), the - /// `DomainParameters` format as defined by RFC 3279 §2.3.3. - /// ``` - /// DomainParameters ::= SEQUENCE { - /// p INTEGER, -- odd prime, p=jq +1 - /// g INTEGER, -- generator, g - /// q INTEGER, -- factor of p-1 - /// j INTEGER OPTIONAL, -- subgroup factor - /// validationParams ValidationParams OPTIONAL - /// } - /// ValidationParams ::= SEQUENCE { - /// seed BIT STRING, - /// pgenCounter INTEGER - /// } - /// ``` + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_pake_abort(). /// - /// \note This function may allocate memory or other resources. - /// Once you have called this function on an attribute structure, - /// you must call psa_reset_key_attributes() to free these resources. + /// \param[in,out] operation Active PAKE operation. + /// \param step The step of the algorithm for which the output is + /// requested. + /// \param[out] output Buffer where the output is to be written in the + /// format appropriate for this \p step. Refer to + /// the documentation of the individual + /// \c PSA_PAKE_STEP_XXX constants for more + /// information. + /// \param output_size Size of the \p output buffer in bytes. This must + /// be at least #PSA_PAKE_OUTPUT_SIZE(\c alg, \c + /// primitive, \p output_step) where \c alg and + /// \p primitive are the PAKE algorithm and primitive + /// in the operation's cipher suite, and \p step is + /// the output step. + /// + /// \param[out] output_length On success, the number of bytes of the returned + /// output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p step is not compatible with the operation's algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p step is not supported with the operation's algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and fully set + /// up, and this call must conform to the algorithm's requirements + /// for ordering of input and output steps), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_output( + operation: *mut psa_pake_operation_t, + step: psa_pake_step_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Provide input for a step of a password-authenticated key exchange. + /// + /// Depending on the algorithm being executed, you might need to call this + /// function several times or you might not need to call this at all. + /// + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// - /// \note This is an experimental extension to the interface. It may change - /// in future versions of the library. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_pake_abort(). /// - /// \param[in,out] attributes Attribute structure where the specified domain - /// parameters will be stored. - /// If this function fails, the content of - /// \p attributes is not modified. - /// \param type Key type (a \c PSA_KEY_TYPE_XXX value). - /// \param[in] data Buffer containing the key domain parameters. - /// The content of this buffer is interpreted - /// according to \p type as described above. - /// \param data_length Size of the \p data buffer in bytes. + /// \param[in,out] operation Active PAKE operation. + /// \param step The step for which the input is provided. + /// \param[in] input Buffer containing the input in the format + /// appropriate for this \p step. Refer to the + /// documentation of the individual + /// \c PSA_PAKE_STEP_XXX constants for more + /// information. + /// \param input_length Size of the \p input buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p input_length is not compatible with the \p operation’s algorithm, + /// or the \p input is not valid for the \p operation's algorithm, + /// cipher suite or \p step. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p step p is not supported with the \p operation's algorithm, or the + /// \p input is not supported for the \p operation's algorithm, cipher + /// suite or \p step. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - pub fn psa_set_key_domain_parameters( - attributes: *mut psa_key_attributes_t, - type_: psa_key_type_t, - data: *const u8, - data_length: usize, + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and fully set + /// up, and this call must conform to the algorithm's requirements + /// for ordering of input and output steps), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_input( + operation: *mut psa_pake_operation_t, + step: psa_pake_step_t, + input: *const u8, + input_length: usize, ) -> psa_status_t; } -/// \brief The context for PSA interruptible hash signing. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_sign_hash_interruptible_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_ctx: psa_driver_sign_hash_interruptible_context_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_num_ops: u32, -} -impl Default for psa_sign_hash_interruptible_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl psa_sign_hash_interruptible_operation_s { - #[inline] - pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_error_occurred: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_error_occurred: u32 = - unsafe { ::core::mem::transmute(private_error_occurred) }; - private_error_occurred as u64 - }); - __bindgen_bitfield_unit - } -} -/// \brief The context for PSA interruptible hash verification. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_verify_hash_interruptible_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_ctx: psa_driver_verify_hash_interruptible_context_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_num_ops: u32, -} -impl Default for psa_verify_hash_interruptible_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl psa_verify_hash_interruptible_operation_s { - #[inline] - pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_error_occurred: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_error_occurred: u32 = - unsafe { ::core::mem::transmute(private_error_occurred) }; - private_error_occurred as u64 - }); - __bindgen_bitfield_unit - } -} -pub type psa_key_handle_t = mbedtls_svc_key_id_t; unsafe extern "C" { - /// Open a handle to an existing persistent key. - /// - /// Open a handle to a persistent key. A key is persistent if it was created - /// with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key - /// always has a nonzero key identifier, set with psa_set_key_id() when - /// creating the key. Implementations may provide additional pre-provisioned - /// keys that can be opened with psa_open_key(). Such keys have an application - /// key identifier in the vendor range, as documented in the description of - /// #psa_key_id_t. + /// Get implicitly confirmed shared secret from a PAKE. /// - /// The application must eventually close the handle with psa_close_key() or - /// psa_destroy_key() to release associated resources. If the application dies - /// without calling one of these functions, the implementation should perform - /// the equivalent of a call to psa_close_key(). + /// At this point there is a cryptographic guarantee that only the authenticated + /// party who used the same password is able to compute the key. But there is no + /// guarantee that the peer is the party it claims to be and was able to do so. /// - /// Some implementations permit an application to open the same key multiple - /// times. If this is successful, each call to psa_open_key() will return a - /// different key handle. + /// That is, the authentication is only implicit. Since the peer is not + /// authenticated yet, no action should be taken yet that assumes that the peer + /// is who it claims to be. For example, do not access restricted files on the + /// peer's behalf until an explicit authentication has succeeded. /// - /// \note This API is not part of the PSA Cryptography API Release 1.0.0 - /// specification. It was defined in the 1.0 Beta 3 version of the - /// specification but was removed in the 1.0.0 released version. This API is - /// kept for the time being to not break applications relying on it. It is not - /// deprecated yet but will be in the near future. + /// This function can be called after the key exchange phase of the operation + /// has completed. It imports the shared secret output of the PAKE into the + /// provided derivation operation. The input step + /// #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key + /// material in the key derivation operation. /// - /// \note Applications that rely on opening a key multiple times will not be - /// portable to implementations that only permit a single key handle to be - /// opened. See also :ref:\`key-handles\`. + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// + /// When this function returns successfully, \p operation becomes inactive. + /// If this function returns an error status, both \p operation + /// and \c key_derivation operations enter an error state and must be aborted by + /// calling psa_pake_abort() and psa_key_derivation_abort() respectively. /// - /// \param key The persistent identifier of the key. - /// \param[out] handle On success, a handle to the key. + /// \param[in,out] operation Active PAKE operation. + /// \param[out] output A key derivation operation that is ready + /// for an input step of type + /// #PSA_KEY_DERIVATION_INPUT_SECRET. /// /// \retval #PSA_SUCCESS - /// Success. The application can now use the value of `*handle` - /// to access the key. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY - /// The implementation does not have sufficient resources to open the - /// key. This can be due to reaching an implementation limit on the - /// number of open keys, the number of open key handles, or available - /// memory. - /// \retval #PSA_ERROR_DOES_NOT_EXIST - /// There is no persistent key with key identifier \p key. + /// Success. /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not a valid persistent key identifier. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The specified key exists, but the application does not have the - /// permission to access it. Note that this specification does not - /// define any way to create such a key, but it may be possible - /// through implementation-specific means. + /// #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the + /// algorithm in the \p output key derivation operation. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// Input from a PAKE is not supported by the algorithm in the \p output + /// key derivation operation. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The PAKE operation state is not valid (it must be active, but beyond + /// that validity is specific to the algorithm), or + /// the library has not been previously initialized by psa_crypto_init(), + /// or the state of \p output is not valid for + /// the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the + /// step is out of order or the application has done this step already + /// and it may not be repeated. /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_open_key(key: mbedtls_svc_key_id_t, handle: *mut psa_key_handle_t) -> psa_status_t; + pub fn psa_pake_get_implicit_key( + operation: *mut psa_pake_operation_t, + output: *mut psa_key_derivation_operation_t, + ) -> psa_status_t; } unsafe extern "C" { - /// Close a key handle. - /// - /// If the handle designates a volatile key, this will destroy the key material - /// and free all associated resources, just like psa_destroy_key(). - /// - /// If this is the last open handle to a persistent key, then closing the handle - /// will free all resources associated with the key in volatile memory. The key - /// data in persistent storage is not affected and can be opened again later - /// with a call to psa_open_key(). + /// Abort a PAKE operation. /// - /// Closing the key handle makes the handle invalid, and the key handle - /// must not be used again by the application. + /// Aborting an operation frees all associated resources except for the \c + /// operation structure itself. Once aborted, the operation object can be reused + /// for another operation by calling psa_pake_setup() again. /// - /// \note This API is not part of the PSA Cryptography API Release 1.0.0 - /// specification. It was defined in the 1.0 Beta 3 version of the - /// specification but was removed in the 1.0.0 released version. This API is - /// kept for the time being to not break applications relying on it. It is not - /// deprecated yet but will be in the near future. + /// This function may be called at any time after the operation + /// object has been initialized as described in #psa_pake_operation_t. /// - /// \note If the key handle was used to set up an active - /// :ref:\`multipart operation \`, then closing the - /// key handle can cause the multipart operation to fail. Applications should - /// maintain the key handle until after the multipart operation has finished. + /// In particular, calling psa_pake_abort() after the operation has been + /// terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() + /// is safe and has no effect. /// - /// \param handle The key handle to close. - /// If this is \c 0, do nothing and return \c PSA_SUCCESS. + /// \param[in,out] operation The operation to abort. /// /// \retval #PSA_SUCCESS - /// \p handle was a valid handle or \c 0. It is now closed. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p handle is not a valid handle nor \c 0. + /// Success. /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_close_key(handle: psa_key_handle_t) -> psa_status_t; + pub fn psa_pake_abort(operation: *mut psa_pake_operation_t) -> psa_status_t; } -unsafe extern "C" { - /// \brief Library deinitialization. +pub const mbedtls_pk_type_t_MBEDTLS_PK_NONE: mbedtls_pk_type_t = 0; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA: mbedtls_pk_type_t = 1; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY: mbedtls_pk_type_t = 2; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY_DH: mbedtls_pk_type_t = 3; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECDSA: mbedtls_pk_type_t = 4; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA_ALT: mbedtls_pk_type_t = 5; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSASSA_PSS: mbedtls_pk_type_t = 6; +pub const mbedtls_pk_type_t_MBEDTLS_PK_OPAQUE: mbedtls_pk_type_t = 7; +/// \brief Public key types +pub type mbedtls_pk_type_t = ::core::ffi::c_uint; +/// \brief Options for RSASSA-PSS signature verification. +/// See \c mbedtls_rsa_rsassa_pss_verify_ext() +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_rsassa_pss_options { + /// The digest to use for MGF1 in PSS. /// - /// This function clears all data associated with the PSA layer, - /// including the whole key store. + /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is + /// disabled, this must be equal to the \c md_alg argument passed + /// to mbedtls_pk_verify_ext(). In a future version of the library, + /// this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is + /// enabled regardless of the status of #MBEDTLS_RSA_C. + pub mgf1_hash_id: mbedtls_md_type_t, + /// The expected length of the salt, in bytes. This may be + /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. /// - /// This is an Mbed TLS extension. - pub fn mbedtls_psa_crypto_free(); + /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only + /// #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be + /// ignored (allowing any salt length). + pub expected_salt_len: ::core::ffi::c_int, } -/// \brief Statistics about -/// resource consumption related to the PSA keystore. -/// -/// \note The content of this structure is not part of the stable API and ABI -/// of Mbed Crypto and may change arbitrarily from version to version. +impl Default for mbedtls_pk_rsassa_pss_options { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_NONE: mbedtls_pk_debug_type = 0; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_MPI: mbedtls_pk_debug_type = 1; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_ECP: mbedtls_pk_debug_type = 2; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_PSA_EC: mbedtls_pk_debug_type = 3; +/// \brief Types for interfacing with the debug module +pub type mbedtls_pk_debug_type = ::core::ffi::c_uint; +/// \brief Item to send to the debug module #[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_stats_s { - /// Number of slots containing key material for a volatile key. - pub private_volatile_slots: usize, - /// Number of slots containing key material for a key which is in - /// internal persistent storage. - pub private_persistent_slots: usize, - /// Number of slots containing a reference to a key in a - /// secure element. - pub private_external_slots: usize, - /// Number of slots which are occupied, but do not contain - /// key material yet. - pub private_half_filled_slots: usize, - /// Number of slots that contain cache data. - pub private_cache_slots: usize, - /// Number of slots that are not used for anything. - pub private_empty_slots: usize, - /// Number of slots that are locked. - pub private_locked_slots: usize, - /// Largest key id value among open keys in internal persistent storage. - pub private_max_open_internal_key_id: psa_key_id_t, - /// Largest key id value among open keys in secure elements. - pub private_max_open_external_key_id: psa_key_id_t, +#[derive(Copy, Clone)] +pub struct mbedtls_pk_debug_item { + pub private_type: mbedtls_pk_debug_type, + pub private_name: *const ::core::ffi::c_char, + pub private_value: *mut ::core::ffi::c_void, } -/// \brief Statistics about -/// resource consumption related to the PSA keystore. -/// -/// \note The content of this structure is not part of the stable API and ABI -/// of Mbed Crypto and may change arbitrarily from version to version. -pub type mbedtls_psa_stats_t = mbedtls_psa_stats_s; -unsafe extern "C" { - /// \brief Get statistics about - /// resource consumption related to the PSA keystore. - /// - /// \note When Mbed Crypto is built as part of a service, with isolation - /// between the application and the keystore, the service may or - /// may not expose this function. - pub fn mbedtls_psa_get_stats(stats: *mut mbedtls_psa_stats_t); +impl Default for mbedtls_pk_debug_item { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief Inject an initial entropy seed for the random generator into - /// secure storage. - /// - /// This function injects data to be used as a seed for the random generator - /// used by the PSA Crypto implementation. On devices that lack a trusted - /// entropy source (preferably a hardware random number generator), - /// the Mbed PSA Crypto implementation uses this value to seed its - /// random generator. - /// - /// On devices without a trusted entropy source, this function must be - /// called exactly once in the lifetime of the device. On devices with - /// a trusted entropy source, calling this function is optional. - /// In all cases, this function may only be called before calling any - /// other function in the PSA Crypto API, including psa_crypto_init(). - /// - /// When this function returns successfully, it populates a file in - /// persistent storage. Once the file has been created, this function - /// can no longer succeed. - /// - /// If any error occurs, this function does not change the system state. - /// You can call this function again after correcting the reason for the - /// error if possible. - /// - /// \warning This function **can** fail! Callers MUST check the return status. - /// - /// \warning If you use this function, you should use it as part of a - /// factory provisioning process. The value of the injected seed - /// is critical to the security of the device. It must be - /// *secret*, *unpredictable* and (statistically) *unique per device*. - /// You should be generate it randomly using a cryptographically - /// secure random generator seeded from trusted entropy sources. - /// You should transmit it securely to the device and ensure - /// that its value is not leaked or stored anywhere beyond the - /// needs of transmitting it from the point of generation to - /// the call of this function, and erase all copies of the value - /// once this function returns. - /// - /// This is an Mbed TLS extension. - /// - /// \note This function is only available on the following platforms: - /// * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled. - /// Note that you must provide compatible implementations of - /// mbedtls_nv_seed_read and mbedtls_nv_seed_write. - /// * In a client-server integration of PSA Cryptography, on the client side, - /// if the server supports this feature. - /// \param[in] seed Buffer containing the seed value to inject. - /// \param[in] seed_size Size of the \p seed buffer. - /// The size of the seed in bytes must be greater - /// or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE - /// and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM - /// in `library/entropy_poll.h` in the Mbed TLS source - /// code. - /// It must be less or equal to - /// #MBEDTLS_ENTROPY_MAX_SEED_SIZE. - /// - /// \retval #PSA_SUCCESS - /// The seed value was injected successfully. The random generator - /// of the PSA Crypto implementation is now ready for use. - /// You may now call psa_crypto_init() and use the PSA Crypto - /// implementation. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p seed_size is out of range. - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// There was a failure reading or writing from storage. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The library has already been initialized. It is no longer - /// possible to call this function. - pub fn mbedtls_psa_inject_entropy(seed: *const u8, seed_size: usize) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_info_t { + _unused: [u8; 0], } -unsafe extern "C" { - /// \brief Get domain parameters for a key. - /// - /// Get the domain parameters for a key with this function, if any. The format - /// of the domain parameters written to \p data is specified in the - /// documentation for psa_set_key_domain_parameters(). - /// - /// \note This is an experimental extension to the interface. It may change - /// in future versions of the library. - /// - /// \param[in] attributes The key attribute structure to query. - /// \param[out] data On success, the key domain parameters. - /// \param data_size Size of the \p data buffer in bytes. - /// The buffer is guaranteed to be large - /// enough if its size in bytes is at least - /// the value given by - /// PSA_KEY_DOMAIN_PARAMETERS_SIZE(). - /// \param[out] data_length On success, the number of bytes - /// that make up the key domain parameters data. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - pub fn psa_get_key_domain_parameters( - attributes: *const psa_key_attributes_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; +/// \brief Public key container +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_context { + ///< Public key information + pub private_pk_info: *const mbedtls_pk_info_t, + ///< Underlying public key context + pub private_pk_ctx: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_pk_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } +pub type mbedtls_pk_restart_ctx = ::core::ffi::c_void; +/// \brief Types for RSA-alt abstraction +pub type mbedtls_pk_rsa_alt_decrypt_func = ::core::option::Option< + unsafe extern "C" fn( + ctx: *mut ::core::ffi::c_void, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, + ) -> ::core::ffi::c_int, +>; +pub type mbedtls_pk_rsa_alt_sign_func = ::core::option::Option< + unsafe extern "C" fn( + ctx: *mut ::core::ffi::c_void, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int, +>; +pub type mbedtls_pk_rsa_alt_key_len_func = + ::core::option::Option usize>; unsafe extern "C" { - /// Convert an ECC curve identifier from the PSA encoding to Mbed TLS. - /// - /// \note This function is provided solely for the convenience of - /// Mbed TLS and may be removed at any time without notice. + /// \brief Return information associated with the given PK type /// - /// \param curve A PSA elliptic curve identifier - /// (`PSA_ECC_FAMILY_xxx`). - /// \param bits The bit-length of a private key on \p curve. - /// \param bits_is_sloppy If true, \p bits may be the bit-length rounded up - /// to the nearest multiple of 8. This allows the caller - /// to infer the exact curve from the length of a key - /// which is supplied as a byte string. + /// \param pk_type PK type to search for. /// - /// \return The corresponding Mbed TLS elliptic curve identifier - /// (`MBEDTLS_ECP_DP_xxx`). - /// \return #MBEDTLS_ECP_DP_NONE if \c curve is not recognized. - /// \return #MBEDTLS_ECP_DP_NONE if \p bits is not - /// correct for \p curve. - pub fn mbedtls_ecc_group_of_psa( - curve: psa_ecc_family_t, - bits: usize, - bits_is_sloppy: ::core::ffi::c_int, - ) -> mbedtls_ecp_group_id; + /// \return The PK info associated with the type or NULL if not found. + pub fn mbedtls_pk_info_from_type(pk_type: mbedtls_pk_type_t) -> *const mbedtls_pk_info_t; } unsafe extern "C" { - /// External random generator function, implemented by the platform. - /// - /// When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, - /// this function replaces Mbed TLS's entropy and DRBG modules for all - /// random generation triggered via PSA crypto interfaces. - /// - /// \note This random generator must deliver random numbers with cryptographic - /// quality and high performance. It must supply unpredictable numbers - /// with a uniform distribution. The implementation of this function - /// is responsible for ensuring that the random generator is seeded - /// with sufficient entropy. If you have a hardware TRNG which is slow - /// or delivers non-uniform output, declare it as an entropy source - /// with mbedtls_entropy_add_source() instead of enabling this option. - /// - /// \param[in,out] context Pointer to the random generator context. - /// This is all-bits-zero on the first call - /// and preserved between successive calls. - /// \param[out] output Output buffer. On success, this buffer - /// contains random data with a uniform - /// distribution. - /// \param output_size The size of the \p output buffer in bytes. - /// \param[out] output_length On success, set this value to \p output_size. + /// \brief Initialize a #mbedtls_pk_context (as NONE). /// - /// \retval #PSA_SUCCESS - /// Success. The output buffer contains \p output_size bytes of - /// cryptographic-quality random data, and \c *output_length is - /// set to \p output_size. - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - /// The random generator requires extra entropy and there is no - /// way to obtain entropy under current environment conditions. - /// This error should not happen under normal circumstances since - /// this function is responsible for obtaining as much entropy as - /// it needs. However implementations of this function may return - /// #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain - /// entropy without blocking indefinitely. - /// \retval #PSA_ERROR_HARDWARE_FAILURE - /// A failure of the random generator hardware that isn't covered - /// by #PSA_ERROR_INSUFFICIENT_ENTROPY. - pub fn mbedtls_psa_external_get_random( - context: *mut mbedtls_psa_external_random_context_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_pk_init(ctx: *mut mbedtls_pk_context); } -/// A slot number identifying a key in a driver. -/// -/// Values of this type are used to identify built-in keys. -pub type psa_drv_slot_number_t = u64; -/// \brief Encoding of the application role of PAKE -/// -/// Encodes the application's role in the algorithm is being executed. For more -/// information see the documentation of individual \c PSA_PAKE_ROLE_XXX -/// constants. -pub type psa_pake_role_t = u8; -/// Encoding of input and output indicators for PAKE. -/// -/// Some PAKE algorithms need to exchange more data than just a single key share. -/// This type is for encoding additional input and output data for such -/// algorithms. -pub type psa_pake_step_t = u8; -/// Encoding of the type of the PAKE's primitive. -/// -/// Values defined by this standard will never be in the range 0x80-0xff. -/// Vendors who define additional types must use an encoding in this range. -/// -/// For more information see the documentation of individual -/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. -pub type psa_pake_primitive_type_t = u8; -/// \brief Encoding of the family of the primitive associated with the PAKE. -/// -/// For more information see the documentation of individual -/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. -pub type psa_pake_family_t = u8; -/// \brief Encoding of the primitive associated with the PAKE. -/// -/// For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. -pub type psa_pake_primitive_t = u32; -/// The type of the data structure for PAKE cipher suites. -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_pake_cipher_suite_t = psa_pake_cipher_suite_s; -/// The type of the state data structure for PAKE operations. -/// -/// Before calling any function on a PAKE operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_pake_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_pake_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, -/// for example: -/// \code -/// psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_pake_operation_init() -/// to the structure, for example: -/// \code -/// psa_pake_operation_t operation; -/// operation = psa_pake_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_pake_operation_t = psa_pake_operation_s; -/// The type of input values for PAKE operations. -pub type psa_crypto_driver_pake_inputs_t = psa_crypto_driver_pake_inputs_s; -/// The type of computation stage for J-PAKE operations. -pub type psa_jpake_computation_stage_t = psa_jpake_computation_stage_s; unsafe extern "C" { - /// Get the length of the password in bytes from given inputs. + /// \brief Free the components of a #mbedtls_pk_context. /// - /// \param[in] inputs Operation inputs. - /// \param[out] password_len Password length. + /// \param ctx The context to clear. It must have been initialized. + /// If this is \c NULL, this function does nothing. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Password hasn't been set yet. - pub fn psa_crypto_driver_pake_get_password_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - password_len: *mut usize, - ) -> psa_status_t; + /// \note For contexts that have been set up with + /// mbedtls_pk_setup_opaque(), this does not free the underlying + /// PSA key and you still need to call psa_destroy_key() + /// independently if you want to destroy that key. + pub fn mbedtls_pk_free(ctx: *mut mbedtls_pk_context); } unsafe extern "C" { - /// Get the password from given inputs. - /// - /// \param[in] inputs Operation inputs. - /// \param[out] buffer Return buffer for password. - /// \param buffer_size Size of the return buffer in bytes. - /// \param[out] buffer_length Actual size of the password in bytes. + /// \brief Initialize a PK context with the information given + /// and allocates the type-specific PK subcontext. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Password hasn't been set yet. - pub fn psa_crypto_driver_pake_get_password( - inputs: *const psa_crypto_driver_pake_inputs_t, - buffer: *mut u8, - buffer_size: usize, - buffer_length: *mut usize, - ) -> psa_status_t; -} -unsafe extern "C" { - /// Get the role from given inputs. + /// \param ctx Context to initialize. It must not have been set + /// up yet (type #MBEDTLS_PK_NONE). + /// \param info Information to use /// - /// \param[in] inputs Operation inputs. - /// \param[out] role Return buffer for role. + /// \return 0 on success, + /// MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input, + /// MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Role hasn't been set yet. - pub fn psa_crypto_driver_pake_get_role( - inputs: *const psa_crypto_driver_pake_inputs_t, - role: *mut psa_pake_role_t, - ) -> psa_status_t; + /// \note For contexts holding an RSA-alt key, use + /// \c mbedtls_pk_setup_rsa_alt() instead. + pub fn mbedtls_pk_setup( + ctx: *mut mbedtls_pk_context, + info: *const mbedtls_pk_info_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the length of the user id in bytes from given inputs. + /// \brief Initialize an RSA-alt context /// - /// \param[in] inputs Operation inputs. - /// \param[out] user_len User id length. + /// \param ctx Context to initialize. It must not have been set + /// up yet (type #MBEDTLS_PK_NONE). + /// \param key RSA key pointer + /// \param decrypt_func Decryption function + /// \param sign_func Signing function + /// \param key_len_func Function returning key length in bytes /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// User id hasn't been set yet. - pub fn psa_crypto_driver_pake_get_user_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - user_len: *mut usize, - ) -> psa_status_t; + /// \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the + /// context wasn't already initialized as RSA_ALT. + /// + /// \note This function replaces \c mbedtls_pk_setup() for RSA-alt. + pub fn mbedtls_pk_setup_rsa_alt( + ctx: *mut mbedtls_pk_context, + key: *mut ::core::ffi::c_void, + decrypt_func: mbedtls_pk_rsa_alt_decrypt_func, + sign_func: mbedtls_pk_rsa_alt_sign_func, + key_len_func: mbedtls_pk_rsa_alt_key_len_func, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the length of the peer id in bytes from given inputs. + /// \brief Get the size in bits of the underlying key /// - /// \param[in] inputs Operation inputs. - /// \param[out] peer_len Peer id length. + /// \param ctx The context to query. It must have been initialized. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Peer id hasn't been set yet. - pub fn psa_crypto_driver_pake_get_peer_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - peer_len: *mut usize, - ) -> psa_status_t; + /// \return Key size in bits, or 0 on error + pub fn mbedtls_pk_get_bitlen(ctx: *const mbedtls_pk_context) -> usize; } unsafe extern "C" { - /// Get the user id from given inputs. + /// \brief Tell if a context can do the operation given by type /// - /// \param[in] inputs Operation inputs. - /// \param[out] user_id User id. - /// \param user_id_size Size of \p user_id in bytes. - /// \param[out] user_id_len Size of the user id in bytes. + /// \param ctx The context to query. It must have been initialized. + /// \param type The desired type. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// User id hasn't been set yet. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p user_id is too small. - pub fn psa_crypto_driver_pake_get_user( - inputs: *const psa_crypto_driver_pake_inputs_t, - user_id: *mut u8, - user_id_size: usize, - user_id_len: *mut usize, - ) -> psa_status_t; + /// \return 1 if the context can do operations on the given type. + /// \return 0 if the context cannot do the operations on the given + /// type. This is always the case for a context that has + /// been initialized but not set up, or that has been + /// cleared with mbedtls_pk_free(). + pub fn mbedtls_pk_can_do( + ctx: *const mbedtls_pk_context, + type_: mbedtls_pk_type_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the peer id from given inputs. + /// \brief Determine valid PSA attributes that can be used to + /// import a key into PSA. /// - /// \param[in] inputs Operation inputs. - /// \param[out] peer_id Peer id. - /// \param peer_id_size Size of \p peer_id in bytes. - /// \param[out] peer_id_length Size of the peer id in bytes. + /// The attributes determined by this function are suitable + /// for calling mbedtls_pk_import_into_psa() to create + /// a PSA key with the same key material. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Peer id hasn't been set yet. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p peer_id is too small. - pub fn psa_crypto_driver_pake_get_peer( - inputs: *const psa_crypto_driver_pake_inputs_t, - peer_id: *mut u8, - peer_id_size: usize, - peer_id_length: *mut usize, - ) -> psa_status_t; + /// The typical flow of operations involving this function is + /// ``` + /// psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + /// int ret = mbedtls_pk_get_psa_attributes(pk, &attributes); + /// if (ret != 0) ...; // error handling omitted + /// // Tweak attributes if desired + /// psa_key_id_t key_id = 0; + /// ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id); + /// if (ret != 0) ...; // error handling omitted + /// ``` + /// + /// \note This function does not support RSA-alt contexts + /// (set up with mbedtls_pk_setup_rsa_alt()). + /// + /// \param[in] pk The PK context to use. It must have been set up. + /// It can either contain a key pair or just a public key. + /// \param usage A single `PSA_KEY_USAGE_xxx` flag among the following: + /// - #PSA_KEY_USAGE_DECRYPT: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_ENCRYPT as well as + /// #PSA_KEY_USAGE_DECRYPT. + /// - #PSA_KEY_USAGE_DERIVE: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type. + /// - #PSA_KEY_USAGE_ENCRYPT: The output + /// \p attributes will contain a public key type. + /// - #PSA_KEY_USAGE_SIGN_HASH: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_VERIFY_HASH as well as + /// #PSA_KEY_USAGE_SIGN_HASH. + /// - #PSA_KEY_USAGE_SIGN_MESSAGE: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_VERIFY_MESSAGE as well as + /// #PSA_KEY_USAGE_SIGN_MESSAGE. + /// - #PSA_KEY_USAGE_VERIFY_HASH: The output + /// \p attributes will contain a public key type. + /// - #PSA_KEY_USAGE_VERIFY_MESSAGE: The output + /// \p attributes will contain a public key type. + /// \param[out] attributes + /// On success, valid attributes to import the key into PSA. + /// - The lifetime and key identifier are unchanged. If the + /// attribute structure was initialized or reset before + /// calling this function, this will result in a volatile + /// key. Call psa_set_key_identifier() before or after this + /// function if you wish to create a persistent key. Call + /// psa_set_key_lifetime() before or after this function if + /// you wish to import the key in a secure element. + /// - The key type and bit-size are determined by the contents + /// of the PK context. If the PK context contains a key + /// pair, the key type can be either a key pair type or + /// the corresponding public key type, depending on + /// \p usage. If the PK context contains a public key, + /// the key type is a public key type. + /// - The key's policy is determined by the key type and + /// the \p usage parameter. The usage always allows + /// \p usage, exporting and copying the key, and + /// possibly other permissions as documented for the + /// \p usage parameter. + /// The permitted algorithm policy is determined as follows + /// based on the #mbedtls_pk_type_t type of \p pk, + /// the chosen \p usage and other factors: + /// - #MBEDTLS_PK_RSA whose underlying + /// #mbedtls_rsa_context has the padding mode + /// #MBEDTLS_RSA_PKCS_V15: + /// #PSA_ALG_RSA_PKCS1V15_SIGN(#PSA_ALG_ANY_HASH) + /// if \p usage is SIGN/VERIFY, and + /// #PSA_ALG_RSA_PKCS1V15_CRYPT + /// if \p usage is ENCRYPT/DECRYPT. + /// - #MBEDTLS_PK_RSA whose underlying + /// #mbedtls_rsa_context has the padding mode + /// #MBEDTLS_RSA_PKCS_V21 and the digest type + /// corresponding to the PSA algorithm \c hash: + /// #PSA_ALG_RSA_PSS_ANY_SALT(#PSA_ALG_ANY_HASH) + /// if \p usage is SIGN/VERIFY, and + /// #PSA_ALG_RSA_OAEP(\c hash) + /// if \p usage is ENCRYPT/DECRYPT. + /// - #MBEDTLS_PK_RSA_ALT: not supported. + /// - #MBEDTLS_PK_ECDSA or #MBEDTLS_PK_ECKEY + /// if \p usage is SIGN/VERIFY: + /// #PSA_ALG_DETERMINISTIC_ECDSA(#PSA_ALG_ANY_HASH) + /// if #MBEDTLS_ECDSA_DETERMINISTIC is enabled, + /// otherwise #PSA_ALG_ECDSA(#PSA_ALG_ANY_HASH). + /// - #MBEDTLS_PK_ECKEY_DH or #MBEDTLS_PK_ECKEY + /// if \p usage is DERIVE: + /// #PSA_ALG_ECDH. + /// - #MBEDTLS_PK_OPAQUE: same as the primary algorithm + /// set for the underlying PSA key, except that + /// sign/decrypt flags are removed if the type is + /// set to a public key type. + /// The underlying key must allow \p usage. + /// Note that the enrollment algorithm set with + /// psa_set_key_enrollment_algorithm() is not copied. + /// + /// \return 0 on success. + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + /// a key of the type identified in \p attributes. + /// Another error code on other failures. + pub fn mbedtls_pk_get_psa_attributes( + pk: *const mbedtls_pk_context, + usage: psa_key_usage_t, + attributes: *mut psa_key_attributes_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the cipher suite from given inputs. - /// - /// \param[in] inputs Operation inputs. - /// \param[out] cipher_suite Return buffer for role. + /// \brief Import a key into the PSA key store. + /// + /// This function is equivalent to calling psa_import_key() + /// with the key material from \p pk. + /// + /// The typical way to use this function is: + /// -# Call mbedtls_pk_get_psa_attributes() to obtain + /// attributes for the given key. + /// -# If desired, modify the attributes, for example: + /// - To create a persistent key, call + /// psa_set_key_identifier() and optionally + /// psa_set_key_lifetime(). + /// - To import only the public part of a key pair: + /// + /// psa_set_key_type(&attributes, + /// PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( + /// psa_get_key_type(&attributes))); + /// - Restrict the key usage if desired. + /// -# Call mbedtls_pk_import_into_psa(). + /// + /// \note This function does not support RSA-alt contexts + /// (set up with mbedtls_pk_setup_rsa_alt()). + /// + /// \param[in] pk The PK context to use. It must have been set up. + /// It can either contain a key pair or just a public key. + /// \param[in] attributes + /// The attributes to use for the new key. They must be + /// compatible with \p pk. In particular, the key type + /// must match the content of \p pk. + /// If \p pk contains a key pair, the key type in + /// attributes can be either the key pair type or the + /// corresponding public key type (to import only the + /// public part). + /// \param[out] key_id + /// On success, the identifier of the newly created key. + /// On error, this is #MBEDTLS_SVC_KEY_ID_INIT. + /// + /// \return 0 on success. + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + /// a key of the type identified in \p attributes. + /// Another error code on other failures. + pub fn mbedtls_pk_import_into_psa( + pk: *const mbedtls_pk_context, + attributes: *const psa_key_attributes_t, + key_id: *mut mbedtls_svc_key_id_t, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Create a PK context starting from a key stored in PSA. + /// This key: + /// - must be exportable and + /// - must be an RSA or EC key pair or public key (FFDH is not supported in PK). + /// + /// The resulting PK object will be a transparent type: + /// - #MBEDTLS_PK_RSA for RSA keys or + /// - #MBEDTLS_PK_ECKEY for EC keys. + /// + /// Once this functions returns the PK object will be completely + /// independent from the original PSA key that it was generated + /// from. + /// Calling mbedtls_pk_sign(), mbedtls_pk_verify(), + /// mbedtls_pk_encrypt(), mbedtls_pk_decrypt() on the resulting + /// PK context will perform the corresponding algorithm for that + /// PK context type. + /// * For ECDSA, the choice of deterministic vs randomized will + /// be based on the compile-time setting #MBEDTLS_ECDSA_DETERMINISTIC. + /// * For an RSA key, the output PK context will allow both + /// encrypt/decrypt and sign/verify regardless of the original + /// key's policy. + /// The original key's policy determines the output key's padding + /// mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS, + /// otherwise PKCS1 v1.5 is set. + /// + /// \param key_id The key identifier of the key stored in PSA. + /// \param pk The PK context that will be filled. It must be initialized, + /// but not set up. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Cipher_suite hasn't been set yet. - pub fn psa_crypto_driver_pake_get_cipher_suite( - inputs: *const psa_crypto_driver_pake_inputs_t, - cipher_suite: *mut psa_pake_cipher_suite_t, - ) -> psa_status_t; + /// \return 0 on success. + /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input + /// parameters are not correct. + pub fn mbedtls_pk_copy_from_psa( + key_id: mbedtls_svc_key_id_t, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the session information for a password-authenticated key exchange. + /// \brief Create a PK context for the public key of a PSA key. /// - /// The sequence of operations to set up a password-authenticated key exchange - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_pake_operation_t, e.g. - /// #PSA_PAKE_OPERATION_INIT. - /// -# Call psa_pake_setup() to specify the cipher suite. - /// -# Call \c psa_pake_set_xxx() functions on the operation to complete the - /// setup. The exact sequence of \c psa_pake_set_xxx() functions that needs - /// to be called depends on the algorithm in use. + /// The key must be an RSA or ECC key. It can be either a + /// public key or a key pair, and only the public key is copied. + /// The resulting PK object will be a transparent type: + /// - #MBEDTLS_PK_RSA for RSA keys or + /// - #MBEDTLS_PK_ECKEY for EC keys. /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// Once this functions returns the PK object will be completely + /// independent from the original PSA key that it was generated + /// from. + /// Calling mbedtls_pk_verify() or + /// mbedtls_pk_encrypt() on the resulting + /// PK context will perform the corresponding algorithm for that + /// PK context type. /// - /// A typical sequence of calls to perform a password-authenticated key - /// exchange: - /// -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the - /// key share that needs to be sent to the peer. - /// -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide - /// the key share that was received from the peer. - /// -# Depending on the algorithm additional calls to psa_pake_output() and - /// psa_pake_input() might be necessary. - /// -# Call psa_pake_get_implicit_key() for accessing the shared secret. + /// For an RSA key, the output PK context will allow both + /// encrypt and verify regardless of the original key's policy. + /// The original key's policy determines the output key's padding + /// mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS, + /// otherwise PKCS1 v1.5 is set. /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \param key_id The key identifier of the key stored in PSA. + /// \param pk The PK context that will be filled. It must be initialized, + /// but not set up. /// - /// If an error occurs at any step after a call to psa_pake_setup(), - /// the operation will need to be reset by a call to psa_pake_abort(). The - /// application may call psa_pake_abort() at any time after the operation - /// has been initialized. + /// \return 0 on success. + /// \return MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input + /// parameters are not correct. + pub fn mbedtls_pk_copy_public_from_psa( + key_id: mbedtls_svc_key_id_t, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Verify signature (including padding if relevant). /// - /// After a successful call to psa_pake_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A call to psa_pake_abort(). - /// - A successful call to psa_pake_get_implicit_key(). + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used. + /// This can be #MBEDTLS_MD_NONE if the signature algorithm + /// does not rely on a hash algorithm (non-deterministic + /// ECDSA, RSA PKCS#1 v1.5). + /// For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then + /// \p hash is the DigestInfo structure used by RFC 8017 + /// §9.2 steps 3–6. If \p md_alg is a valid hash + /// algorithm then \p hash is the digest itself, and this + /// function calculates the DigestInfo encoding internally. + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Signature to verify + /// \param sig_len Signature length /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized but not set up yet. - /// \param[in] cipher_suite The cipher suite to use. (A cipher suite fully - /// characterizes a PAKE algorithm and determines - /// the algorithm as well.) + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or PSS (accepting any salt length), + /// depending on the padding mode in the underlying RSA context. + /// For a pk object constructed by parsing, this is PKCS#1 v1.5 + /// by default. Use mbedtls_pk_verify_ext() to explicitly select + /// a different algorithm. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The algorithm in \p cipher_suite is not a PAKE algorithm, or the - /// PAKE primitive in \p cipher_suite is not compatible with the - /// PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid - /// or not compatible with the PAKE algorithm and primitive. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The algorithm in \p cipher_suite is not a supported PAKE algorithm, - /// or the PAKE primitive in \p cipher_suite is not supported or not - /// compatible with the PAKE algorithm, or the hash algorithm in - /// \p cipher_suite is not supported or not compatible with the PAKE - /// algorithm and primitive. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_setup( - operation: *mut psa_pake_operation_t, - cipher_suite: *const psa_pake_cipher_suite_t, - ) -> psa_status_t; + /// \return 0 on success (signature is valid), + /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig but its length is less than \p sig_len, + /// or a specific error code. + pub fn mbedtls_pk_verify( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the password for a password-authenticated key exchange from key ID. + /// \brief Restartable version of \c mbedtls_pk_verify() /// - /// Call this function when the password, or a value derived from the password, - /// is already present in the key store. + /// \note Performs the same job as \c mbedtls_pk_verify(), but can + /// return early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC + /// operations. For RSA, same as \c mbedtls_pk_verify(). /// - /// \param[in,out] operation The operation object to set the password for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the password hasn't - /// been set yet (psa_pake_set_password_key() - /// hasn't been called yet). - /// \param password Identifier of the key holding the password or a - /// value derived from the password (eg. by a - /// memory-hard function). It must remain valid - /// until the operation terminates. It must be of - /// type #PSA_KEY_TYPE_PASSWORD or - /// #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow - /// the usage #PSA_KEY_USAGE_DERIVE. + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length or 0 (see notes) + /// \param sig Signature to verify + /// \param sig_len Signature length + /// \param rs_ctx Restart context (NULL to disable restart) /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p password is not a valid key identifier. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not - /// permit the \p operation's algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or - /// #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with - /// the \p operation's cipher suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size of \p password is not supported with the - /// \p operation's cipher suite. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must have been set up.), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_password_key( - operation: *mut psa_pake_operation_t, - password: mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return See \c mbedtls_pk_verify(), or + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + pub fn mbedtls_pk_verify_restartable( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + rs_ctx: *mut mbedtls_pk_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Verify signature, with options. + /// (Includes verification of the padding depending on type.) + /// + /// \param type Signature type (inc. possible padding type) to verify + /// \param options Pointer to type-specific options, or NULL + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length or 0 (see notes) + /// \param sig Signature to verify + /// \param sig_len Signature length + /// + /// \return 0 on success (signature is valid), + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be + /// used for this type of signatures, + /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig but its length is less than \p sig_len, + /// or a specific error code. + /// + /// \note If hash_len is 0, then the length associated with md_alg + /// is used instead, or an error returned if it is invalid. + /// + /// \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0 + /// + /// \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point + /// to a mbedtls_pk_rsassa_pss_options structure, + /// otherwise it must be NULL. Note that if + /// #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not + /// verified as PSA_ALG_RSA_PSS_ANY_SALT is used. + pub fn mbedtls_pk_verify_ext( + type_: mbedtls_pk_type_t, + options: *const ::core::ffi::c_void, + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the user ID for a password-authenticated key exchange. + /// \brief Make signature, including padding if relevant. /// - /// Call this function to set the user ID. For PAKE algorithms that associate a - /// user identifier with each side of the session you need to call - /// psa_pake_set_peer() as well. For PAKE algorithms that associate a single - /// user identifier with the session, call psa_pake_set_user() only. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or PSS (using the largest possible salt + /// length up to the hash length), depending on the padding mode + /// in the underlying RSA context. For a pk object constructed + /// by parsing, this is PKCS#1 v1.5 by default. Use + /// mbedtls_pk_verify_ext() to explicitly select a different + /// algorithm. /// - /// \param[in,out] operation The operation object to set the user ID for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the user ID hasn't - /// been set (psa_pake_set_user() hasn't been - /// called yet). - /// \param[in] user_id The user ID to authenticate with. - /// (temporary limitation: "client" or "server" only) - /// \param user_id_len Size of the \p user_id buffer in bytes. + /// \return 0 on success, or a specific error code. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p user_id is not valid for the \p operation's algorithm and cipher - /// suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The value of \p user_id is not supported by the implementation. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_user( - operation: *mut psa_pake_operation_t, - user_id: *const u8, - user_id_len: usize, - ) -> psa_status_t; + /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. + /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. + pub fn mbedtls_pk_sign( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the peer ID for a password-authenticated key exchange. + /// \brief Make signature given a signature type. /// - /// Call this function in addition to psa_pake_set_user() for PAKE algorithms - /// that associate a user identifier with each side of the session. For PAKE - /// algorithms that associate a single user identifier with the session, call - /// psa_pake_set_user() only. + /// \param pk_type Signature type. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \return 0 on success, or a specific error code. /// - /// \param[in,out] operation The operation object to set the peer ID for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the peer ID hasn't - /// been set (psa_pake_set_peer() hasn't been - /// called yet). - /// \param[in] peer_id The peer's ID to authenticate. - /// (temporary limitation: "client" or "server" only) - /// \param peer_id_len Size of the \p peer_id buffer in bytes. + /// \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS, + /// see #PSA_ALG_RSA_PSS for a description of PSS options used. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p user_id is not valid for the \p operation's algorithm and cipher - /// suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The algorithm doesn't associate a second identity with the session. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// Calling psa_pake_set_peer() is invalid with the \p operation's - /// algorithm, the operation state is not valid, or the library has not - /// been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_peer( - operation: *mut psa_pake_operation_t, - peer_id: *const u8, - peer_id_len: usize, - ) -> psa_status_t; + /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. + /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. + pub fn mbedtls_pk_sign_ext( + pk_type: mbedtls_pk_type_t, + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the application role for a password-authenticated key exchange. + /// \brief Restartable version of \c mbedtls_pk_sign() /// - /// Not all PAKE algorithms need to differentiate the communicating entities. - /// It is optional to call this function for PAKEs that don't require a role - /// to be specified. For such PAKEs the application role parameter is ignored, - /// or #PSA_PAKE_ROLE_NONE can be passed as \c role. + /// \note Performs the same job as \c mbedtls_pk_sign(), but can + /// return early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC + /// operations. For RSA, same as \c mbedtls_pk_sign(). /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign()) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter + /// \param rs_ctx Restart context (NULL to disable restart) /// - /// \param[in,out] operation The operation object to specify the - /// application's role for. It must have been set up - /// by psa_pake_setup() and not yet in use (neither - /// psa_pake_output() nor psa_pake_input() has been - /// called yet). It must be on operation for which - /// the application's role hasn't been specified - /// (psa_pake_set_role() hasn't been called yet). - /// \param role A value of type ::psa_pake_role_t indicating the - /// application's role in the PAKE the algorithm - /// that is being set up. For more information see - /// the documentation of \c PSA_PAKE_ROLE_XXX - /// constants. + /// \return See \c mbedtls_pk_sign(). + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + pub fn mbedtls_pk_sign_restartable( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_pk_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Decrypt message (including padding if relevant). /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The \p role is not a valid PAKE role in the \p operation’s algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The \p role for this algorithm is not supported or is not valid. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_role( - operation: *mut psa_pake_operation_t, - role: psa_pake_role_t, - ) -> psa_status_t; + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param input Input to decrypt + /// \param ilen Input size + /// \param output Decrypted output + /// \param olen Decrypted message length + /// \param osize Size of the output buffer + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter + /// + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or OAEP, depending on the padding mode in + /// the underlying RSA context. For a pk object constructed by + /// parsing, this is PKCS#1 v1.5 by default. + /// + /// \return 0 on success, or a specific error code. + pub fn mbedtls_pk_decrypt( + ctx: *mut mbedtls_pk_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + osize: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get output for a step of a password-authenticated key exchange. + /// \brief Encrypt message (including padding if relevant). /// - /// Depending on the algorithm being executed, you might need to call this - /// function several times or you might not need to call this at all. + /// \param ctx The PK context to use. It must have been set up. + /// \param input Message to encrypt + /// \param ilen Message size + /// \param output Encrypted output + /// \param olen Encrypted output length + /// \param osize Size of the output buffer + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or OAEP, depending on the padding mode in + /// the underlying RSA context. For a pk object constructed by + /// parsing, this is PKCS#1 v1.5 by default. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_pake_abort(). + /// \note \p f_rng is used for padding generation. /// - /// \param[in,out] operation Active PAKE operation. - /// \param step The step of the algorithm for which the output is - /// requested. - /// \param[out] output Buffer where the output is to be written in the - /// format appropriate for this \p step. Refer to - /// the documentation of the individual - /// \c PSA_PAKE_STEP_XXX constants for more - /// information. - /// \param output_size Size of the \p output buffer in bytes. This must - /// be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \p - /// primitive, \p step) where \p alg and - /// \p primitive are the PAKE algorithm and primitive - /// in the operation's cipher suite, and \p step is - /// the output step. + /// \return 0 on success, or a specific error code. + pub fn mbedtls_pk_encrypt( + ctx: *mut mbedtls_pk_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + osize: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Check if a public-private pair of keys matches. /// - /// \param[out] output_length On success, the number of bytes of the returned - /// output. + /// \param pub Context holding a public key. + /// \param prv Context holding a private (and public) key. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p step is not compatible with the operation's algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p step is not supported with the operation's algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and fully set - /// up, and this call must conform to the algorithm's requirements - /// for ordering of input and output steps), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_output( - operation: *mut psa_pake_operation_t, - step: psa_pake_step_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success (keys were checked and match each other). + /// \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not + /// be checked - in that case they may or may not match. + /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid. + /// \return Another non-zero value if the keys do not match. + pub fn mbedtls_pk_check_pair( + pub_: *const mbedtls_pk_context, + prv: *const mbedtls_pk_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Provide input for a step of a password-authenticated key exchange. + /// \brief Export debug information /// - /// Depending on the algorithm being executed, you might need to call this - /// function several times or you might not need to call this at all. + /// \param ctx The PK context to use. It must have been initialized. + /// \param items Place to write debug items /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA + pub fn mbedtls_pk_debug( + ctx: *const mbedtls_pk_context, + items: *mut mbedtls_pk_debug_item, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Access the type name /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_pake_abort(). + /// \param ctx The PK context to use. It must have been initialized. /// - /// \param[in,out] operation Active PAKE operation. - /// \param step The step for which the input is provided. - /// \param[in] input Buffer containing the input in the format - /// appropriate for this \p step. Refer to the - /// documentation of the individual - /// \c PSA_PAKE_STEP_XXX constants for more - /// information. - /// \param input_length Size of the \p input buffer in bytes. + /// \return Type name on success, or "invalid PK" + pub fn mbedtls_pk_get_name(ctx: *const mbedtls_pk_context) -> *const ::core::ffi::c_char; +} +unsafe extern "C" { + /// \brief Get the key type /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p is not compatible with the \p operation’s algorithm, or the - /// \p input is not valid for the \p operation's algorithm, cipher suite - /// or \p step. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p step p is not supported with the \p operation's algorithm, or the - /// \p input is not supported for the \p operation's algorithm, cipher - /// suite or \p step. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and fully set - /// up, and this call must conform to the algorithm's requirements - /// for ordering of input and output steps), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_input( - operation: *mut psa_pake_operation_t, - step: psa_pake_step_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \param ctx The PK context to use. It must have been initialized. + /// + /// \return Type on success. + /// \return #MBEDTLS_PK_NONE for a context that has not been set up. + pub fn mbedtls_pk_get_type(ctx: *const mbedtls_pk_context) -> mbedtls_pk_type_t; } unsafe extern "C" { - /// Get implicitly confirmed shared secret from a PAKE. + /// \ingroup pk_module */ + ////** + /// \brief Parse a private key in PEM or DER format /// - /// At this point there is a cryptographic guarantee that only the authenticated - /// party who used the same password is able to compute the key. But there is no - /// guarantee that the peer is the party it claims to be and was able to do so. + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. /// - /// That is, the authentication is only implicit. Since the peer is not - /// authenticated yet, no action should be taken yet that assumes that the peer - /// is who it claims to be. For example, do not access restricted files on the - /// peer's behalf until an explicit authentication has succeeded. + /// \param ctx The PK context to fill. It must have been initialized + /// but not set up. + /// \param key Input buffer to parse. + /// The buffer must contain the input exactly, with no + /// extra trailing material. For PEM, the buffer must + /// contain a null-terminated string. + /// \param keylen Size of \b key in bytes. + /// For PEM data, this includes the terminating null byte, + /// so \p keylen must be equal to `strlen(key) + 1`. + /// \param pwd Optional password for decryption. + /// Pass \c NULL if expecting a non-encrypted key. + /// Pass a string of \p pwdlen bytes if expecting an encrypted + /// key; a non-encrypted key will also be accepted. + /// The empty password is not supported. + /// \param pwdlen Size of the password in bytes. + /// Ignored if \p pwd is \c NULL. + /// \param f_rng RNG function, must not be \c NULL. Used for blinding. + /// \param p_rng RNG parameter /// - /// This function can be called after the key exchange phase of the operation - /// has completed. It imports the shared secret output of the PAKE into the - /// provided derivation operation. The input step - /// #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key - /// material in the key derivation operation. + /// \note On entry, ctx must be empty, either freshly initialised + /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a + /// specific key type, check the result with mbedtls_pk_can_do(). /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \note The key is also checked for correctness. /// - /// When this function returns successfully, \p operation becomes inactive. - /// If this function returns an error status, both \p operation - /// and \p key_derivation operations enter an error state and must be aborted by - /// calling psa_pake_abort() and psa_key_derivation_abort() respectively. + /// \return 0 if successful, or a specific PK or PEM error code + pub fn mbedtls_pk_parse_key( + ctx: *mut mbedtls_pk_context, + key: *const ::core::ffi::c_uchar, + keylen: usize, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \ingroup pk_module */ + ////** + /// \brief Parse a public key in PEM or DER format /// - /// \param[in,out] operation Active PAKE operation. - /// \param[out] output A key derivation operation that is ready - /// for an input step of type - /// #PSA_KEY_DERIVATION_INPUT_SECRET. + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the - /// algorithm in the \p output key derivation operation. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// Input from a PAKE is not supported by the algorithm in the \p output - /// key derivation operation. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The PAKE operation state is not valid (it must be active, but beyond - /// that validity is specific to the algorithm), or - /// the library has not been previously initialized by psa_crypto_init(), - /// or the state of \p output is not valid for - /// the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the - /// step is out of order or the application has done this step already - /// and it may not be repeated. - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_get_implicit_key( - operation: *mut psa_pake_operation_t, - output: *mut psa_key_derivation_operation_t, - ) -> psa_status_t; + /// \param ctx The PK context to fill. It must have been initialized + /// but not set up. + /// \param key Input buffer to parse. + /// The buffer must contain the input exactly, with no + /// extra trailing material. For PEM, the buffer must + /// contain a null-terminated string. + /// \param keylen Size of \b key in bytes. + /// For PEM data, this includes the terminating null byte, + /// so \p keylen must be equal to `strlen(key) + 1`. + /// + /// \note On entry, ctx must be empty, either freshly initialised + /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a + /// specific key type, check the result with mbedtls_pk_can_do(). + /// + /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for + /// limitations. + /// + /// \note The key is also checked for correctness. + /// + /// \return 0 if successful, or a specific PK or PEM error code + pub fn mbedtls_pk_parse_public_key( + ctx: *mut mbedtls_pk_context, + key: *const ::core::ffi::c_uchar, + keylen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a PAKE operation. + /// \brief Write a private key to a PKCS#1 or SEC1 DER structure + /// Note: data is written at the end of the buffer! Use the + /// return value to determine where you should start + /// using the buffer /// - /// Aborting an operation frees all associated resources except for the \c - /// operation structure itself. Once aborted, the operation object can be reused - /// for another operation by calling psa_pake_setup() again. + /// \param ctx PK context which must contain a valid private key. + /// \param buf buffer to write to + /// \param size size of the buffer /// - /// This function may be called at any time after the operation - /// object has been initialized as described in #psa_pake_operation_t. + /// \return length of data written if successful, or a specific + /// error code + pub fn mbedtls_pk_write_key_der( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Write a public key to a SubjectPublicKeyInfo DER structure + /// Note: data is written at the end of the buffer! Use the + /// return value to determine where you should start + /// using the buffer /// - /// In particular, calling psa_pake_abort() after the operation has been - /// terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() - /// is safe and has no effect. + /// \param ctx PK context which must contain a valid public or private key. + /// \param buf buffer to write to + /// \param size size of the buffer /// - /// \param[in,out] operation The operation to abort. + /// \return length of data written if successful, or a specific + /// error code + pub fn mbedtls_pk_write_pubkey_der( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Write a public key to a PEM string /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_abort(operation: *mut psa_pake_operation_t) -> psa_status_t; + /// \param ctx PK context which must contain a valid public or private key. + /// \param buf Buffer to write to. The output includes a + /// terminating null byte. + /// \param size Size of the buffer in bytes. + /// + /// \return 0 if successful, or a specific error code + pub fn mbedtls_pk_write_pubkey_pem( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_pake_cipher_suite_s { - pub algorithm: psa_algorithm_t, - pub type_: psa_pake_primitive_type_t, - pub family: psa_pake_family_t, - pub bits: u16, - pub hash: psa_algorithm_t, +unsafe extern "C" { + /// \brief Write a private key to a PKCS#1 or SEC1 PEM string + /// + /// \param ctx PK context which must contain a valid private key. + /// \param buf Buffer to write to. The output includes a + /// terminating null byte. + /// \param size Size of the buffer in bytes. + /// + /// \return 0 if successful, or a specific error code + pub fn mbedtls_pk_write_key_pem( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_crypto_driver_pake_inputs_s { - pub private_password: *mut u8, - pub private_password_len: usize, - pub private_role: psa_pake_role_t, - pub private_user: *mut u8, - pub private_user_len: usize, - pub private_peer: *mut u8, - pub private_peer_len: usize, - pub private_attributes: psa_key_attributes_t, - pub private_cipher_suite: psa_pake_cipher_suite_t, +unsafe extern "C" { + /// \brief Parse a SubjectPublicKeyInfo DER structure + /// + /// \param p the position in the ASN.1 data + /// \param end end of the buffer + /// \param pk The PK context to fill. It must have been initialized + /// but not set up. + /// + /// \return 0 if successful, or a specific PK error code + pub fn mbedtls_pk_parse_subpubkey( + p: *mut *mut ::core::ffi::c_uchar, + end: *const ::core::ffi::c_uchar, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; } -impl Default for psa_crypto_driver_pake_inputs_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Write a subjectPublicKey to ASN.1 data + /// Note: function works backwards in data buffer + /// + /// \param p reference to current position pointer + /// \param start start of the buffer (for bounds-checking) + /// \param key PK context which must contain a valid public or private key. + /// + /// \return the length written or a negative error code + pub fn mbedtls_pk_write_pubkey( + p: *mut *mut ::core::ffi::c_uchar, + start: *mut ::core::ffi::c_uchar, + key: *const mbedtls_pk_context, + ) -> ::core::ffi::c_int; } -pub const psa_jpake_step_PSA_PAKE_STEP_INVALID: psa_jpake_step = 0; -pub const psa_jpake_step_PSA_PAKE_STEP_X1_X2: psa_jpake_step = 1; -pub const psa_jpake_step_PSA_PAKE_STEP_X2S: psa_jpake_step = 2; -pub const psa_jpake_step_PSA_PAKE_STEP_DERIVE: psa_jpake_step = 3; -pub type psa_jpake_step = ::core::ffi::c_uint; -pub use self::psa_jpake_step as psa_jpake_step_t; -pub const psa_jpake_state_PSA_PAKE_STATE_INVALID: psa_jpake_state = 0; -pub const psa_jpake_state_PSA_PAKE_STATE_SETUP: psa_jpake_state = 1; -pub const psa_jpake_state_PSA_PAKE_STATE_READY: psa_jpake_state = 2; -pub const psa_jpake_state_PSA_PAKE_OUTPUT_X1_X2: psa_jpake_state = 3; -pub const psa_jpake_state_PSA_PAKE_OUTPUT_X2S: psa_jpake_state = 4; -pub const psa_jpake_state_PSA_PAKE_INPUT_X1_X2: psa_jpake_state = 5; -pub const psa_jpake_state_PSA_PAKE_INPUT_X4S: psa_jpake_state = 6; -pub type psa_jpake_state = ::core::ffi::c_uint; -pub use self::psa_jpake_state as psa_jpake_state_t; -pub const psa_jpake_sequence_PSA_PAKE_SEQ_INVALID: psa_jpake_sequence = 0; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_KEY_SHARE: psa_jpake_sequence = 1; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_ZK_PUBLIC: psa_jpake_sequence = 2; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_ZK_PROOF: psa_jpake_sequence = 3; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_KEY_SHARE: psa_jpake_sequence = 4; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_ZK_PUBLIC: psa_jpake_sequence = 5; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_ZK_PROOF: psa_jpake_sequence = 6; -pub const psa_jpake_sequence_PSA_PAKE_SEQ_END: psa_jpake_sequence = 7; -pub type psa_jpake_sequence = ::core::ffi::c_uint; -pub use self::psa_jpake_sequence as psa_jpake_sequence_t; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_STEP_INVALID: psa_crypto_driver_pake_step = 0; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 1; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 2; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 3; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 4; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 5; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 6; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 7; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 8; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 9; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_NONE: mbedtls_key_exchange_type_t = 0; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA: mbedtls_key_exchange_type_t = 1; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_RSA: mbedtls_key_exchange_type_t = 2; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: mbedtls_key_exchange_type_t = + 3; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + mbedtls_key_exchange_type_t = 4; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_PSK: mbedtls_key_exchange_type_t = 5; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_PSK: mbedtls_key_exchange_type_t = 6; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA_PSK: mbedtls_key_exchange_type_t = 7; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: mbedtls_key_exchange_type_t = + 8; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_RSA: mbedtls_key_exchange_type_t = + 9; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: mbedtls_key_exchange_type_t = 10; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECJPAKE: mbedtls_key_exchange_type_t = 11; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 12; -pub type psa_crypto_driver_pake_step = ::core::ffi::c_uint; -pub use self::psa_crypto_driver_pake_step as psa_crypto_driver_pake_step_t; -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_jpake_computation_stage_s { - pub private_state: psa_jpake_state_t, - pub private_sequence: psa_jpake_sequence_t, - pub private_input_step: psa_jpake_step_t, - pub private_output_step: psa_jpake_step_t, -} -impl Default for psa_jpake_computation_stage_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_pake_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_alg: psa_algorithm_t, - pub private_stage: u8, - pub private_computation_stage: psa_pake_operation_s__bindgen_ty_1, - pub private_data: psa_pake_operation_s__bindgen_ty_2, -} +pub type mbedtls_key_exchange_type_t = ::core::ffi::c_uint; +/// \brief This structure is used for storing ciphersuite information +/// +/// \note members are defined using integral types instead of enums +/// in order to pack structure and reduce memory usage by internal +/// \c ciphersuite_definitions[] #[repr(C)] #[derive(Copy, Clone)] -pub union psa_pake_operation_s__bindgen_ty_1 { - pub private_dummy: u8, - pub private_jpake: psa_jpake_computation_stage_t, +pub struct mbedtls_ssl_ciphersuite_t { + pub private_id: ::core::ffi::c_int, + pub private_name: *const ::core::ffi::c_char, + pub private_cipher: u8, + pub private_mac: u8, + pub private_key_exchange: u8, + pub private_flags: u8, + pub private_min_tls_version: u16, + pub private_max_tls_version: u16, } -impl Default for psa_pake_operation_s__bindgen_ty_1 { +impl Default for mbedtls_ssl_ciphersuite_t { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -18649,29 +19849,23 @@ impl Default for psa_pake_operation_s__bindgen_ty_1 { } } } -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_pake_operation_s__bindgen_ty_2 { - pub private_ctx: psa_driver_pake_context_t, - pub private_inputs: psa_crypto_driver_pake_inputs_t, +unsafe extern "C" { + pub fn mbedtls_ssl_list_ciphersuites() -> *const ::core::ffi::c_int; } -impl Default for psa_pake_operation_s__bindgen_ty_2 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_from_string( + ciphersuite_name: *const ::core::ffi::c_char, + ) -> *const mbedtls_ssl_ciphersuite_t; } -impl Default for psa_pake_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_from_id( + ciphersuite_id: ::core::ffi::c_int, + ) -> *const mbedtls_ssl_ciphersuite_t; +} +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( + info: *const mbedtls_ssl_ciphersuite_t, + ) -> usize; } /// Type-length-value structure that allows for ASN1 using DER. pub type mbedtls_x509_buf = mbedtls_asn1_buf; @@ -18682,6 +19876,23 @@ pub type mbedtls_x509_bitstring = mbedtls_asn1_bitstring; pub type mbedtls_x509_name = mbedtls_asn1_named_data; /// Container for a sequence of ASN.1 items pub type mbedtls_x509_sequence = mbedtls_asn1_sequence; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_x509_authority { + pub keyIdentifier: mbedtls_x509_buf, + pub authorityCertIssuer: mbedtls_x509_sequence, + pub authorityCertSerialNumber: mbedtls_x509_buf, + pub raw: mbedtls_x509_buf, +} +impl Default for mbedtls_x509_authority { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} /// Container for date and time (precision in seconds). #[repr(C)] #[derive(Default, Copy, Clone)] @@ -18773,9 +19984,9 @@ pub struct mbedtls_x509_subject_alternative_name { #[repr(C)] #[derive(Copy, Clone)] pub union mbedtls_x509_subject_alternative_name__bindgen_ty_1 { - ///< The otherName supported type. pub other_name: mbedtls_x509_san_other_name, - ///< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported + pub directory_name: mbedtls_x509_name, + ///< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. pub unstructured_name: mbedtls_x509_buf, } impl Default for mbedtls_x509_subject_alternative_name__bindgen_ty_1 { @@ -18796,6 +20007,21 @@ impl Default for mbedtls_x509_subject_alternative_name { } } } +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_x509_san_list { + pub node: mbedtls_x509_subject_alternative_name, + pub next: *mut mbedtls_x509_san_list, +} +impl Default for mbedtls_x509_san_list { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} unsafe extern "C" { /// \brief Store the certificate DN in printable form into buf; /// no more than size characters will be written. @@ -18812,6 +20038,26 @@ unsafe extern "C" { dn: *const mbedtls_x509_name, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Convert the certificate DN string \p name into + /// a linked list of mbedtls_x509_name (equivalent to + /// mbedtls_asn1_named_data). + /// + /// \note This function allocates a linked list, and places the head + /// pointer in \p head. This list must later be freed by a + /// call to mbedtls_asn1_free_named_data_list(). + /// + /// \param[out] head Address in which to store the pointer to the head of the + /// allocated list of mbedtls_x509_name. Must point to NULL on + /// entry. + /// \param[in] name The string representation of a DN to convert + /// + /// \return 0 on success, or a negative error code. + pub fn mbedtls_x509_string_to_names( + head: *mut *mut mbedtls_asn1_named_data, + name: *const ::core::ffi::c_char, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Store the certificate serial in printable form into buf; /// no more than size characters will be written. @@ -18828,6 +20074,20 @@ unsafe extern "C" { serial: *const mbedtls_x509_buf, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Compare pair of mbedtls_x509_time. + /// + /// \param t1 mbedtls_x509_time to compare + /// \param t2 mbedtls_x509_time to compare + /// + /// \return < 0 if t1 is before t2 + /// 0 if t1 equals t2 + /// > 0 if t1 is after t2 + pub fn mbedtls_x509_time_cmp( + t1: *const mbedtls_x509_time, + t2: *const mbedtls_x509_time, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Check a given mbedtls_x509_time against the system time /// and tell if it's in the past. @@ -18856,21 +20116,25 @@ unsafe extern "C" { } unsafe extern "C" { /// \brief This function parses an item in the SubjectAlternativeNames - /// extension. + /// extension. Please note that this function might allocate + /// additional memory for a subject alternative name, thus + /// mbedtls_x509_free_subject_alt_name has to be called + /// to dispose of this additional memory afterwards. /// /// \param san_buf The buffer holding the raw data item of the subject /// alternative name. /// \param san The target structure to populate with the parsed presentation - /// of the subject alternative name encoded in \p san_raw. + /// of the subject alternative name encoded in \p san_buf. /// /// \note Supported GeneralName types, as defined in RFC 5280: - /// "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name" + /// "rfc822Name", "dnsName", "directoryName", + /// "uniformResourceIdentifier" and "hardware_module_name" /// of type "otherName", as defined in RFC 4108. /// /// \note This function should be called on a single raw data of /// subject alternative name. For example, after successful /// certificate parsing, one must iterate on every item in the - /// \p crt->subject_alt_names sequence, and pass it to + /// \c crt->subject_alt_names sequence, and pass it to /// this function. /// /// \warning The target structure contains pointers to the raw data of the @@ -18887,173 +20151,29 @@ unsafe extern "C" { ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \} addtogroup x509_module - pub fn mbedtls_x509_get_name( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - cur: *mut mbedtls_x509_name, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_alg_null( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - alg: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_alg( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - alg: *mut mbedtls_x509_buf, - params: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_rsassa_pss_params( - params: *const mbedtls_x509_buf, - md_alg: *mut mbedtls_md_type_t, - mgf_md: *mut mbedtls_md_type_t, - salt_len: *mut ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_sig( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - sig: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_sig_alg( - sig_oid: *const mbedtls_x509_buf, - sig_params: *const mbedtls_x509_buf, - md_alg: *mut mbedtls_md_type_t, - pk_alg: *mut mbedtls_pk_type_t, - sig_opts: *mut *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_time( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - t: *mut mbedtls_x509_time, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_serial( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - serial: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_ext( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - ext: *mut mbedtls_x509_buf, - tag: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_sig_alg_gets( - buf: *mut ::core::ffi::c_char, - size: usize, - sig_oid: *const mbedtls_x509_buf, - pk_alg: mbedtls_pk_type_t, - md_alg: mbedtls_md_type_t, - sig_opts: *const ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_key_size_helper( - buf: *mut ::core::ffi::c_char, - buf_size: usize, - name: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_string_to_names( - head: *mut *mut mbedtls_asn1_named_data, - name: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_set_extension( - head: *mut *mut mbedtls_asn1_named_data, - oid: *const ::core::ffi::c_char, - oid_len: usize, - critical: ::core::ffi::c_int, - val: *const ::core::ffi::c_uchar, - val_len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_extensions( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - first: *mut mbedtls_asn1_named_data, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_names( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - first: *mut mbedtls_asn1_named_data, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_sig( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - oid: *const ::core::ffi::c_char, - oid_len: usize, - sig: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_ns_cert_type( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - ns_cert_type: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_key_usage( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - key_usage: *mut ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_subject_alt_name( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - subject_alt_name: *mut mbedtls_x509_sequence, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_info_subject_alt_name( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - subject_alt_name: *const mbedtls_x509_sequence, - prefix: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_info_cert_type( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - ns_cert_type: ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \brief Unallocate all data related to subject alternative name + /// + /// \param san SAN structure - extra memory owned by this structure will be freed + pub fn mbedtls_x509_free_subject_alt_name(san: *mut mbedtls_x509_subject_alternative_name); } unsafe extern "C" { - pub fn mbedtls_x509_info_key_usage( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - key_usage: ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; + /// \brief This function parses a CN string as an IP address. + /// + /// \param cn The CN string to parse. CN string MUST be null-terminated. + /// \param dst The target buffer to populate with the binary IP address. + /// The buffer MUST be 16 bytes to save IPv6, and should be + /// 4-byte aligned if the result will be used as struct in_addr. + /// e.g. uint32_t dst[4] + /// + /// \note \p cn is parsed as an IPv6 address if string contains ':', + /// else \p cn is parsed as an IPv4 address. + /// + /// \return Length of binary IP address; num bytes written to target. + /// \return \c 0 on failure to parse CN string as an IP address. + pub fn mbedtls_x509_crt_parse_cn_inet_pton( + cn: *const ::core::ffi::c_char, + dst: *mut ::core::ffi::c_void, + ) -> usize; } /// Certificate revocation list entry. /// Contains the CA-specific serial numbers and revocation dates. @@ -19245,8 +20365,12 @@ pub struct mbedtls_x509_crt { pub subject_id: mbedtls_x509_buf, ///< Optional X.509 v3 extensions. pub v3_ext: mbedtls_x509_buf, - ///< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier and OtherName are listed). + ///< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. pub subject_alt_names: mbedtls_x509_sequence, + ///< Optional X.509 v3 extension subject key identifier. + pub subject_key_id: mbedtls_x509_buf, + ///< Optional X.509 v3 extension authority key identifier. + pub authority_key_id: mbedtls_x509_authority, ///< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). pub certificate_policies: mbedtls_x509_sequence, ///< Bit string containing detected and parsed extensions @@ -19345,6 +20469,22 @@ impl Default for mbedtls_x509write_cert { } } } +unsafe extern "C" { + /// \brief Set Subject Alternative Name + /// + /// \param ctx Certificate context to use + /// \param san_list List of SAN values + /// + /// \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + /// + /// \note "dnsName", "uniformResourceIdentifier", "IP address", + /// "otherName", and "DirectoryName", as defined in RFC 5280, + /// are supported. + pub fn mbedtls_x509write_crt_set_subject_alternative_name( + ctx: *mut mbedtls_x509write_cert, + san_list: *const mbedtls_x509_san_list, + ) -> ::core::ffi::c_int; +} /// Item in a verification chain: cert and flags for it #[repr(C)] #[derive(Copy, Clone)] @@ -19683,8 +20823,12 @@ unsafe extern "C" { /// \param cn The expected Common Name. This will be checked to be /// present in the certificate's subjectAltNames extension or, /// if this extension is absent, as a CN component in its - /// Subject name. Currently only DNS names are supported. This - /// may be \c NULL if the CN need not be verified. + /// Subject name. DNS names and IP addresses are fully + /// supported, while the URI subtype is partially supported: + /// only exact matching, without any normalization procedures + /// described in 7.4 of RFC5280, will result in a positive + /// URI verification. + /// This may be \c NULL if the CN need not be verified. /// \param flags The address at which to store the result of the verification. /// If the verification couldn't be completed, the flag value is /// set to (uint32_t) -1. @@ -19915,6 +21059,16 @@ unsafe extern "C" { /// \param crt Certificate chain to free pub fn mbedtls_x509_crt_free(crt: *mut mbedtls_x509_crt); } +unsafe extern "C" { + /// \brief Access the ca_istrue field + /// + /// \param[in] crt Certificate to be queried, must not be \c NULL + /// + /// \return \c 1 if this a CA certificate \c 0 otherwise. + /// \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not contain + /// the Optional Basic Constraint extension. + pub fn mbedtls_x509_crt_get_ca_istrue(crt: *const mbedtls_x509_crt) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Initialize a CRT writing context /// @@ -19995,7 +21149,7 @@ unsafe extern "C" { /// \brief Set the issuer name for a Certificate /// Issuer names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS CA" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS CA" /// /// \param ctx CRT context to use /// \param issuer_name issuer name to set @@ -20011,7 +21165,7 @@ unsafe extern "C" { /// \brief Set the subject name for a Certificate /// Subject names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1" /// /// \param ctx CRT context to use /// \param subject_name subject name to set @@ -20181,13 +21335,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_cert, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20207,13 +21355,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_cert, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20334,13 +21476,7 @@ unsafe extern "C" { x_size: ::core::ffi::c_int, output: *mut ::core::ffi::c_uchar, olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20413,13 +21549,7 @@ unsafe extern "C" { x_size: ::core::ffi::c_int, output: *mut ::core::ffi::c_uchar, olen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20453,13 +21583,7 @@ unsafe extern "C" { output: *mut ::core::ffi::c_uchar, output_size: usize, olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20490,7 +21614,7 @@ unsafe extern "C" { /// initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p field is invalid. + /// \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p param is invalid. /// \return An \c MBEDTLS_ERR_MPI_XXX error code if the copy fails. pub fn mbedtls_dhm_get_value( ctx: *const mbedtls_dhm_context, @@ -20618,6 +21742,18 @@ impl Default for mbedtls_ecdh_context { } } } +unsafe extern "C" { + /// \brief Return the ECP group for provided context. + /// + /// \note To access group specific fields, users should use + /// `mbedtls_ecp_curve_info_from_grp_id` or + /// `mbedtls_ecp_group_load` on the extracted `group_id`. + /// + /// \param ctx The ECDH context to parse. This must not be \c NULL. + /// + /// \return The \c mbedtls_ecp_group_id of the context. + pub fn mbedtls_ecdh_get_grp_id(ctx: *mut mbedtls_ecdh_context) -> mbedtls_ecp_group_id; +} unsafe extern "C" { /// \brief Check whether a given group can be used for ECDH. /// @@ -20654,13 +21790,7 @@ unsafe extern "C" { grp: *mut mbedtls_ecp_group, d: *mut mbedtls_mpi, Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20699,13 +21829,7 @@ unsafe extern "C" { z: *mut mbedtls_mpi, Q: *const mbedtls_ecp_point, d: *const mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20772,13 +21896,7 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20814,7 +21932,7 @@ unsafe extern "C" { /// \brief This function sets up an ECDH context from an EC key. /// /// It is used by clients and servers in place of the - /// ServerKeyEchange for static ECDH, and imports ECDH + /// ServerKeyExchange for static ECDH, and imports ECDH /// parameters from the EC key information of a certificate. /// /// \see ecp.h @@ -20863,13 +21981,7 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20930,19 +22042,14 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } #[repr(C)] #[derive(Copy, Clone)] pub union mbedtls_ssl_premaster_secret { + pub dummy: ::core::ffi::c_uchar, pub _pms_rsa: [::core::ffi::c_uchar; 48usize], pub _pms_dhm: [::core::ffi::c_uchar; 1024usize], pub _pms_ecdh: [::core::ffi::c_uchar; 66usize], @@ -21214,6 +22321,8 @@ pub struct mbedtls_ssl_session { ///< MaxFragmentLength negotiated by peer pub private_mfl_code: ::core::ffi::c_uchar, pub private_exported: ::core::ffi::c_uchar, + ///< 0: client, 1: server + pub private_endpoint: u8, /// TLS version negotiated in the session. Used if and when renegotiating /// or resuming a session instead of the configured minor TLS version. pub private_tls_version: mbedtls_ssl_protocol_version, @@ -21232,15 +22341,13 @@ pub struct mbedtls_ssl_session { ///< RFC 5077 session ticket pub private_ticket: *mut ::core::ffi::c_uchar, ///< session ticket length - pub private_ticket_len: usize, - ///< ticket lifetime hint - pub private_ticket_lifetime: u32, - ///< 0: client, 1: server - pub private_endpoint: u8, - ///< Ticket flags - pub private_ticket_flags: u8, + pub private_ticket_len: usize, + ///< ticket lifetime hint + pub private_ticket_lifetime: u32, ///< Randomly generated value used to obscure the age of the ticket pub private_ticket_age_add: u32, + ///< Ticket flags + pub private_ticket_flags: u8, ///< resumption_key length pub private_resumption_key_len: u8, pub private_resumption_key: [::core::ffi::c_uchar; 48usize], @@ -21579,22 +22686,30 @@ pub struct mbedtls_ssl_context { ///number of retransmissions of request if ///renego_max_records is < 0 pub private_renego_records_seen: ::core::ffi::c_int, - /// Server: Negotiated TLS protocol version. - /// Client: Maximum TLS version to be negotiated, then negotiated TLS - /// version. - /// - /// It is initialized as the maximum TLS version to be negotiated in the - /// ClientHello writing preparation stage and used throughout the - /// ClientHello writing. For a fresh handshake not linked to any previous - /// handshake, it is initialized to the configured maximum TLS version - /// to be negotiated. When renegotiating or resuming a session, it is - /// initialized to the previously negotiated TLS version. - /// - /// Updated to the negotiated TLS version as soon as the ServerHello is - /// received. + /// Maximum TLS version to be negotiated, then negotiated TLS version. + /// + /// It is initialized as the configured maximum TLS version to be + /// negotiated by mbedtls_ssl_setup(). + /// + /// When renegotiating or resuming a session, it is overwritten in the + /// ClientHello writing preparation stage with the previously negotiated + /// TLS version. + /// + /// On client side, it is updated to the TLS version selected by the server + /// for the handshake when the ServerHello is received. + /// + /// On server side, it is updated to the TLS version the server selects for + /// the handshake when the ClientHello is received. pub private_tls_version: mbedtls_ssl_protocol_version, - ///< records with a bad MAC received - pub private_badmac_seen: ::core::ffi::c_uint, + /// Multipurpose field. + /// + /// - DTLS: records with a bad MAC received. + /// - TLS: accumulated length of handshake fragments (up to \c in_hslen). + /// + /// This field is multipurpose in order to preserve the ABI in the + /// Mbed TLS 3.6 LTS branch. Until 3.6.2, it was only used in DTLS + /// and called `badmac_seen`. + pub private_badmac_seen_or_in_hsfraglen: ::core::ffi::c_uint, /// Callback to customize X.509 certificate chain verification pub private_f_vrfy: ::core::option::Option< unsafe extern "C" fn( @@ -21731,8 +22846,33 @@ pub struct mbedtls_ssl_context { pub private_cur_out_ctr: [::core::ffi::c_uchar; 8usize], ///< path mtu, used to fragment outgoing messages pub private_mtu: u16, - ///< expected peer CN for verification - ///(and SNI if available) + /// Expected peer CN for verification. + /// + /// Also used on clients for SNI, + /// and for TLS 1.3 session resumption using tickets. + /// + /// The value of this field can be: + /// - \p NULL in a newly initialized or reset context. + /// - A heap-allocated copy of the last value passed to + /// mbedtls_ssl_set_hostname(), if the last call had a non-null + /// \p hostname argument. + /// - A special value to indicate that mbedtls_ssl_set_hostname() + /// was called with \p NULL (as opposed to never having been called). + /// See `mbedtls_ssl_get_hostname_pointer()` in `ssl_tls.c`. + /// + /// If this field contains the value \p NULL and the configuration option + /// #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// is unset, on a TLS client, attempting to verify a server certificate + /// results in the error + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME. + /// + /// If this field contains the special value described above, or if + /// the value is \p NULL and the configuration option + /// #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// is set, then the peer name verification is skipped, which may be + /// insecure, especially on a client. Furthermore, on a client, the + /// server_name extension is not sent, and the server name is ignored + /// in TLS 1.3 session resumption using tickets. pub private_hostname: *mut ::core::ffi::c_char, ///< negotiated protocol pub private_alpn_chosen: *const ::core::ffi::c_char, @@ -21828,6 +22968,14 @@ unsafe extern "C" { /// Calling mbedtls_ssl_setup again is not supported, even /// if no session is active. /// + /// \warning After setting up a client context, if certificate-based + /// authentication is enabled, you should call + /// mbedtls_ssl_set_hostname() to specifiy the expected + /// name of the server. Without this, in most scenarios, + /// the TLS connection is insecure. See + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// for more information. + /// /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling /// psa_crypto_init() before calling this function. @@ -21931,18 +23079,16 @@ unsafe extern "C" { unsafe extern "C" { /// \brief Set the random number generator callback /// + /// \note The callback with its parameter must remain valid as + /// long as there is an SSL context that uses the + /// SSL configuration. + /// /// \param conf SSL configuration /// \param f_rng RNG function (mandatory) /// \param p_rng RNG parameter pub fn mbedtls_ssl_conf_rng( conf: *mut mbedtls_ssl_config, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ); } @@ -22045,10 +23191,10 @@ unsafe extern "C" { /// \param own_cid The address of the readable buffer holding the CID we want /// the peer to use when sending encrypted messages to us. /// This may be \c NULL if \p own_cid_len is \c 0. - /// This parameter is unused if \p enabled is set to + /// This parameter is unused if \p enable is set to /// MBEDTLS_SSL_CID_DISABLED. /// \param own_cid_len The length of \p own_cid. - /// This parameter is unused if \p enabled is set to + /// This parameter is unused if \p enable is set to /// MBEDTLS_SSL_CID_DISABLED. /// /// \note The value of \p own_cid_len must match the value of the @@ -22703,16 +23849,16 @@ unsafe extern "C" { /// a full handshake. /// /// \note This function can handle a variety of mechanisms for session - /// resumption: For TLS 1.2, both session ID-based resumption and - /// ticket-based resumption will be considered. For TLS 1.3, - /// once implemented, sessions equate to tickets, and loading - /// one or more sessions via this call will lead to their - /// corresponding tickets being advertised as resumption PSKs - /// by the client. - /// - /// \note Calling this function multiple times will only be useful - /// once TLS 1.3 is supported. For TLS 1.2 connections, this - /// function should be called at most once. + /// resumption: For TLS 1.2, both session ID-based resumption + /// and ticket-based resumption will be considered. For TLS 1.3, + /// sessions equate to tickets, and loading one session by + /// calling this function will lead to its corresponding ticket + /// being advertised as resumption PSK by the client. This + /// depends on session tickets being enabled (see + /// #MBEDTLS_SSL_SESSION_TICKETS configuration option) though. + /// If session tickets are disabled, a call to this function + /// with a TLS 1.3 session, will not have any effect on the next + /// handshake for the SSL context \p ssl. /// /// \param ssl The SSL context representing the connection which should /// be attempted to be setup using session resumption. This @@ -22727,9 +23873,10 @@ unsafe extern "C" { /// /// \return \c 0 if successful. /// \return \c MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the session - /// could not be loaded because of an implementation limitation. - /// This error is non-fatal, and has no observable effect on - /// the SSL context or the session that was attempted to be loaded. + /// could not be loaded because one session has already been + /// loaded. This error is non-fatal, and has no observable + /// effect on the SSL context or the session that was attempted + /// to be loaded. /// \return Another negative error code on other kinds of failure. /// /// \sa mbedtls_ssl_get_session() @@ -22787,8 +23934,8 @@ unsafe extern "C" { /// /// \param session The session structure to be saved. /// \param buf The buffer to write the serialized data to. It must be a - /// writeable buffer of at least \p len bytes, or may be \c - /// NULL if \p len is \c 0. + /// writeable buffer of at least \p buf_len bytes, or may be \c + /// NULL if \p buf_len is \c 0. /// \param buf_len The number of bytes available for writing in \p buf. /// \param olen The size in bytes of the data that has been or would have /// been written. It must point to a valid \c size_t. @@ -22798,8 +23945,16 @@ unsafe extern "C" { /// to determine the necessary size by calling this function /// with \p buf set to \c NULL and \p buf_len to \c 0. /// + /// \note For TLS 1.3 sessions, this feature is supported only if the + /// MBEDTLS_SSL_SESSION_TICKETS configuration option is enabled, + /// as in TLS 1.3 session resumption is possible only with + /// tickets. + /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. + /// \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the + /// MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled + /// and the session is a TLS 1.3 session. pub fn mbedtls_ssl_session_save( session: *const mbedtls_ssl_session, buf: *mut ::core::ffi::c_uchar, @@ -22925,7 +24080,7 @@ unsafe extern "C" { /// record headers. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len + /// \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p len /// is too large. pub fn mbedtls_ssl_conf_cid( conf: *mut mbedtls_ssl_config, @@ -23252,6 +24407,8 @@ unsafe extern "C" { /// used for certificate signature are controlled by the /// verification profile, see \c mbedtls_ssl_conf_cert_profile(). /// + /// \deprecated Superseded by mbedtls_ssl_conf_sig_algs(). + /// /// \note This list should be ordered by decreasing preference /// (preferred hash first). /// @@ -23276,27 +24433,43 @@ unsafe extern "C" { ); } unsafe extern "C" { - /// \brief Configure allowed signature algorithms for use in TLS 1.3 + /// \brief Configure allowed signature algorithms for use in TLS /// /// \param conf The SSL configuration to use. /// \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms, - /// terminated by \c MBEDTLS_TLS1_3_SIG_NONE. The list must remain - /// available throughout the lifetime of the conf object. Supported - /// values are available as \c MBEDTLS_TLS1_3_SIG_XXXX + /// terminated by #MBEDTLS_TLS1_3_SIG_NONE. The list must remain + /// available throughout the lifetime of the conf object. + /// - For TLS 1.3, values of \c MBEDTLS_TLS1_3_SIG_XXXX should be + /// used. + /// - For TLS 1.2, values should be given as + /// "(HashAlgorithm << 8) | SignatureAlgorithm". pub fn mbedtls_ssl_conf_sig_algs(conf: *mut mbedtls_ssl_config, sig_algs: *const u16); } unsafe extern "C" { /// \brief Set or reset the hostname to check against the received - /// server certificate. It sets the ServerName TLS extension, - /// too, if that extension is enabled. (client-side only) + /// peer certificate. On a client, this also sets the + /// ServerName TLS extension, if that extension is enabled. + /// On a TLS 1.3 client, this also sets the server name in + /// the session resumption ticket, if that feature is enabled. /// /// \param ssl SSL context - /// \param hostname the server hostname, may be NULL to clear hostname - /// - /// \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN. - /// - /// \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on - /// allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on + /// \param hostname The server hostname. This may be \c NULL to clear + /// the hostname. + /// + /// \note Maximum hostname length #MBEDTLS_SSL_MAX_HOST_NAME_LEN. + /// + /// \note If the hostname is \c NULL on a client, then the server + /// is not authenticated: it only needs to have a valid + /// certificate, not a certificate matching its name. + /// Therefore you should always call this function on a client, + /// unless the connection is set up to only allow + /// pre-shared keys, or in scenarios where server + /// impersonation is not a concern. See the documentation of + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// for more details. + /// + /// \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on + /// allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on /// too long input hostname. /// /// Hostname set to the one provided on success (cleared @@ -23309,8 +24482,8 @@ unsafe extern "C" { } unsafe extern "C" { /// \brief Retrieve SNI extension value for the current handshake. - /// Available in \p f_cert_cb of \c mbedtls_ssl_conf_cert_cb(), - /// this is the same value passed to \p f_sni callback of + /// Available in \c f_cert_cb of \c mbedtls_ssl_conf_cert_cb(), + /// this is the same value passed to \c f_sni callback of /// \c mbedtls_ssl_conf_sni() and may be used instead of /// \c mbedtls_ssl_conf_sni(). /// @@ -23319,10 +24492,10 @@ unsafe extern "C" { /// 0 if SNI extension is not present or not yet processed. /// /// \return const pointer to SNI extension value. - /// - value is valid only when called in \p f_cert_cb + /// - value is valid only when called in \c f_cert_cb /// registered with \c mbedtls_ssl_conf_cert_cb(). /// - value is NULL if SNI extension is not present. - /// - value is not '\0'-terminated. Use \c name_len for len. + /// - value is not '\0'-terminated. Use \c name_len for len. /// - value must not be freed. pub fn mbedtls_ssl_get_hs_sni( ssl: *mut mbedtls_ssl_context, @@ -23572,6 +24745,10 @@ unsafe extern "C" { /// with \c mbedtls_ssl_read()), not handshake messages. /// With DTLS, this affects both ApplicationData and handshake. /// + /// \note Defragmentation of TLS handshake messages is supported + /// with some limitations. See the documentation of + /// mbedtls_ssl_handshake() for details. + /// /// \note This sets the maximum length for a record's payload, /// excluding record overhead that will be added to it, see /// \c mbedtls_ssl_get_record_expansion(). @@ -23605,19 +24782,48 @@ unsafe extern "C" { ); } unsafe extern "C" { - /// \brief Enable / Disable session tickets (client only). - /// (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.) + /// \brief Enable / Disable TLS 1.2 session tickets (client only, + /// TLS 1.2 only). Enabled by default. /// /// \note On server, use \c mbedtls_ssl_conf_session_tickets_cb(). /// /// \param conf SSL configuration - /// \param use_tickets Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or - /// MBEDTLS_SSL_SESSION_TICKETS_DISABLED) + /// \param use_tickets Enable or disable (#MBEDTLS_SSL_SESSION_TICKETS_ENABLED or + /// #MBEDTLS_SSL_SESSION_TICKETS_DISABLED) pub fn mbedtls_ssl_conf_session_tickets( conf: *mut mbedtls_ssl_config, use_tickets: ::core::ffi::c_int, ); } +unsafe extern "C" { + /// \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages + /// (client only, TLS 1.3 only). + /// + /// The handling of TLS 1.3 NewSessionTicket messages is disabled by + /// default. + /// + /// In TLS 1.3, servers may send a NewSessionTicket message at any time, + /// and may send multiple NewSessionTicket messages. By default, TLS 1.3 + /// clients ignore NewSessionTicket messages. + /// + /// To support session tickets in TLS 1.3 clients, call this function + /// with #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED. When + /// this is enabled, when a client receives a NewSessionTicket message, + /// the next call to a message processing functions (notably + /// mbedtls_ssl_handshake() and mbedtls_ssl_read()) will return + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET. The client should then + /// call mbedtls_ssl_get_session() to retrieve the session ticket before + /// calling the same message processing function again. + /// + /// \param conf SSL configuration + /// \param signal_new_session_tickets Enable or disable + /// (#MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED or + /// #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED) + pub fn mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( + conf: *mut mbedtls_ssl_config, + signal_new_session_tickets: ::core::ffi::c_int, + ); +} unsafe extern "C" { /// \brief Number of NewSessionTicket messages for the server to send /// after handshake completion. @@ -23946,29 +25152,22 @@ unsafe extern "C" { /// \param ssl The SSL context representing the connection for which to /// to export a session structure for later resumption. /// \param session The target structure in which to store the exported session. - /// This must have been initialized with mbedtls_ssl_init_session() + /// This must have been initialized with mbedtls_ssl_session_init() /// but otherwise be unused. /// /// \note This function can handle a variety of mechanisms for session /// resumption: For TLS 1.2, both session ID-based resumption and /// ticket-based resumption will be considered. For TLS 1.3, - /// once implemented, sessions equate to tickets, and calling - /// this function multiple times will export the available - /// tickets one a time until no further tickets are available, - /// in which case MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE will - /// be returned. - /// - /// \note Calling this function multiple times will only be useful - /// once TLS 1.3 is supported. For TLS 1.2 connections, this - /// function should be called at most once. + /// sessions equate to tickets, and if session tickets are + /// enabled (see #MBEDTLS_SSL_SESSION_TICKETS configuration + /// option), this function exports the last received ticket and + /// the exported session may be used to resume the TLS 1.3 + /// session. If session tickets are disabled, exported sessions + /// cannot be used to resume a TLS 1.3 session. /// /// \return \c 0 if successful. In this case, \p session can be used for /// session resumption by passing it to mbedtls_ssl_set_session(), /// and serialized for storage via mbedtls_ssl_session_save(). - /// \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no further session - /// is available for export. - /// This error is a non-fatal, and has no observable effect on - /// the SSL context or the destination session. /// \return Another negative error code on other kinds of failure. /// /// \sa mbedtls_ssl_set_session() @@ -24000,6 +25199,17 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use /// and the client did not demonstrate reachability yet - in /// this case you must stop using the context (see below). + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. See the + /// documentation of mbedtls_ssl_read() for more information + /// about this error code. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24008,7 +25218,9 @@ unsafe extern "C" { /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24028,10 +25240,31 @@ unsafe extern "C" { /// currently being processed might or might not contain further /// DTLS records. /// - /// \note If the context is configured to allow TLS 1.3, or if - /// #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling /// psa_crypto_init() before calling this function. + /// Otherwise, the handshake may call psa_crypto_init() + /// if a negotiation involving TLS 1.3 takes place (this may + /// be the case even if TLS 1.3 is offered but eventually + /// not selected). + /// + /// \note In TLS, reception of fragmented handshake messages is + /// supported with some limitations (those limitations do + /// not apply to DTLS, where defragmentation is fully + /// supported): + /// - On an Mbed TLS server that only accepts TLS 1.2, + /// the initial ClientHello message must not be fragmented. + /// A TLS 1.2 ClientHello may be fragmented if the server + /// also accepts TLS 1.3 connections (meaning + /// that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the + /// accepted versions have not been restricted with + /// mbedtls_ssl_conf_max_tls_version() or the like). + /// - The first fragment of a handshake message must be + /// at least 4 bytes long. + /// - Non-handshake records must not be interleaved between + /// the fragments of a handshake message. (This is permitted + /// in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it + /// even in TLS 1.2.) pub fn mbedtls_ssl_handshake(ssl: *mut mbedtls_ssl_context) -> ::core::ffi::c_int; } unsafe extern "C" { @@ -24060,8 +25293,10 @@ unsafe extern "C" { /// /// \warning If this function returns something other than \c 0, /// #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, - /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using + /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using /// the SSL context for reading or writing, and either free it /// or call \c mbedtls_ssl_session_reset() on it before /// re-using it for a new connection; the current connection @@ -24124,6 +25359,24 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server /// side of a DTLS connection and the client is initiating a /// new connection using the same source port. See below. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. + /// This error code is only returned on the client side. It is + /// only returned if handling of TLS 1.3 NewSessionTicket + /// messages has been enabled through + /// mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(). + /// This error code indicates that a TLS 1.3 NewSessionTicket + /// message has been received and parsed successfully by the + /// client. The ticket data can be retrieved from the SSL + /// context by calling mbedtls_ssl_get_session(). It remains + /// available until the next call to mbedtls_ssl_read(). + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24132,8 +25385,10 @@ unsafe extern "C" { /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CLIENT_RECONNECT, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24200,6 +25455,17 @@ unsafe extern "C" { /// operation is in progress (see mbedtls_ecp_set_max_ops()) - /// in this case you must call this function again to complete /// the handshake when you're done attending other tasks. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. See the + /// documentation of mbedtls_ssl_read() for more information + /// about this error code. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24207,8 +25473,10 @@ unsafe extern "C" { /// a non-negative value, /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, - /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24449,381 +25717,64 @@ unsafe extern "C" { /// \brief Free an SSL configuration context /// /// \param conf SSL configuration context - pub fn mbedtls_ssl_config_free(conf: *mut mbedtls_ssl_config); -} -unsafe extern "C" { - /// \brief Initialize SSL session structure - /// - /// \param session SSL session - pub fn mbedtls_ssl_session_init(session: *mut mbedtls_ssl_session); -} -unsafe extern "C" { - /// \brief Free referenced items in an SSL session including the - /// peer certificate and clear memory - /// - /// \note A session object can be freed even if the SSL context - /// that was used to retrieve the session is still in use. - /// - /// \param session SSL session - pub fn mbedtls_ssl_session_free(session: *mut mbedtls_ssl_session); -} -unsafe extern "C" { - /// \brief TLS-PRF function for key derivation. - /// - /// \param prf The tls_prf type function type to be used. - /// \param secret Secret for the key derivation function. - /// \param slen Length of the secret. - /// \param label String label for the key derivation function, - /// terminated with null character. - /// \param random Random bytes. - /// \param rlen Length of the random bytes buffer. - /// \param dstbuf The buffer holding the derived key. - /// \param dlen Length of the output buffer. - /// - /// \return 0 on success. An SSL specific error on failure. - pub fn mbedtls_ssl_tls_prf( - prf: mbedtls_tls_prf_types, - secret: *const ::core::ffi::c_uchar, - slen: usize, - label: *const ::core::ffi::c_char, - random: *const ::core::ffi::c_uchar, - rlen: usize, - dstbuf: *mut ::core::ffi::c_uchar, - dlen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Set the threshold error level to handle globally all debug output. - /// Debug messages that have a level over the threshold value are - /// discarded. - /// (Default value: 0 = No debug ) - /// - /// \param threshold threshold level of messages to filter on. Messages at a - /// higher level will be discarded. - /// - Debug levels - /// - 0 No debug - /// - 1 Error - /// - 2 State change - /// - 3 Informational - /// - 4 Verbose - pub fn mbedtls_debug_set_threshold(threshold: ::core::ffi::c_int); -} -unsafe extern "C" { - /// \brief Print a message to the debug output. This function is always used - /// through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl - /// context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the message has occurred in - /// \param line line number the message has occurred at - /// \param format format specifier, in printf format - /// \param ... variables used by the format specifier - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_msg( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - format: *const ::core::ffi::c_char, - ... - ); -} -unsafe extern "C" { - /// \brief Print the return value of a function to the debug output. This - /// function is always used through the MBEDTLS_SSL_DEBUG_RET() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text the name of the function that returned the error - /// \param ret the return code value - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_ret( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - ret: ::core::ffi::c_int, - ); -} -unsafe extern "C" { - /// \brief Output a buffer of size len bytes to the debug output. This function - /// is always used through the MBEDTLS_SSL_DEBUG_BUF() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the buffer being dumped. Normally the - /// variable or buffer name - /// \param buf the buffer to be outputted - /// \param len length of the buffer - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_buf( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - buf: *const ::core::ffi::c_uchar, - len: usize, - ); -} -unsafe extern "C" { - /// \brief Print a MPI variable to the debug output. This function is always - /// used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the - /// ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the MPI being output. Normally the - /// variable name - /// \param X the MPI variable - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_mpi( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - X: *const mbedtls_mpi, - ); -} -unsafe extern "C" { - /// \brief Print an ECP point to the debug output. This function is always - /// used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the - /// ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the ECP point being output. Normally the - /// variable name - /// \param X the ECP point - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_ecp( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - X: *const mbedtls_ecp_point, - ); -} -unsafe extern "C" { - /// \brief Print a X.509 certificate structure to the debug output. This - /// function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the certificate being output - /// \param crt X.509 certificate structure - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_crt( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - crt: *const mbedtls_x509_crt, - ); -} -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_Q: mbedtls_debug_ecdh_attr = 0; -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_QP: mbedtls_debug_ecdh_attr = 1; -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_Z: mbedtls_debug_ecdh_attr = 2; -pub type mbedtls_debug_ecdh_attr = ::core::ffi::c_uint; -unsafe extern "C" { - /// \brief Print a field of the ECDH structure in the SSL context to the debug - /// output. This function is always used through the - /// MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file - /// and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param ecdh the ECDH context - /// \param attr the identifier of the attribute being output - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_printf_ecdh( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - ecdh: *const mbedtls_ecdh_context, - attr: mbedtls_debug_ecdh_attr, - ); -} -/// \brief Entropy poll callback pointer -/// -/// \param data Callback-specific data pointer -/// \param output Data to fill -/// \param len Maximum size to provide -/// \param olen The actual amount of bytes put into the buffer (Can be 0) -/// -/// \return 0 if no critical failures occurred, -/// MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise -pub type mbedtls_entropy_f_source_ptr = ::core::option::Option< - unsafe extern "C" fn( - data: *mut ::core::ffi::c_void, - output: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - ) -> ::core::ffi::c_int, ->; -/// \brief Entropy source state -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_entropy_source_state { - ///< The entropy source callback - pub private_f_source: mbedtls_entropy_f_source_ptr, - ///< The callback data pointer - pub private_p_source: *mut ::core::ffi::c_void, - ///< Amount received in bytes - pub private_size: usize, - ///< Minimum bytes required before release - pub private_threshold: usize, - ///< Is the source strong? - pub private_strong: ::core::ffi::c_int, -} -impl Default for mbedtls_entropy_source_state { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -/// \brief Entropy context structure -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_entropy_context { - pub private_accumulator_started: ::core::ffi::c_int, - pub __bindgen_padding_0: u64, - pub private_accumulator: mbedtls_sha512_context, - pub private_source_count: ::core::ffi::c_int, - pub private_source: [mbedtls_entropy_source_state; 20usize], -} -impl Default for mbedtls_entropy_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief Initialize the context - /// - /// \param ctx Entropy context to initialize - pub fn mbedtls_entropy_init(ctx: *mut mbedtls_entropy_context); -} -unsafe extern "C" { - /// \brief Free the data in the context - /// - /// \param ctx Entropy context to free - pub fn mbedtls_entropy_free(ctx: *mut mbedtls_entropy_context); -} -unsafe extern "C" { - /// \brief Adds an entropy source to poll - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) - /// - /// \param ctx Entropy context - /// \param f_source Entropy function - /// \param p_source Function data - /// \param threshold Minimum required from source before entropy is released - /// ( with mbedtls_entropy_func() ) (in bytes) - /// \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or - /// MBEDTLS_ENTROPY_SOURCE_WEAK. - /// At least one strong source needs to be added. - /// Weaker sources (such as the cycle counter) can be used as - /// a complement. - /// - /// \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES - pub fn mbedtls_entropy_add_source( - ctx: *mut mbedtls_entropy_context, - f_source: mbedtls_entropy_f_source_ptr, - p_source: *mut ::core::ffi::c_void, - threshold: usize, - strong: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + pub fn mbedtls_ssl_config_free(conf: *mut mbedtls_ssl_config); } unsafe extern "C" { - /// \brief Trigger an extra gather poll for the accumulator - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) - /// - /// \param ctx Entropy context + /// \brief Initialize SSL session structure /// - /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED - pub fn mbedtls_entropy_gather(ctx: *mut mbedtls_entropy_context) -> ::core::ffi::c_int; + /// \param session SSL session + pub fn mbedtls_ssl_session_init(session: *mut mbedtls_ssl_session); } unsafe extern "C" { - /// \brief Retrieve entropy from the accumulator - /// (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE) - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) + /// \brief Free referenced items in an SSL session including the + /// peer certificate and clear memory /// - /// \param data Entropy context - /// \param output Buffer to fill - /// \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE + /// \note A session object can be freed even if the SSL context + /// that was used to retrieve the session is still in use. /// - /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED - pub fn mbedtls_entropy_func( - data: *mut ::core::ffi::c_void, - output: *mut ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \param session SSL session + pub fn mbedtls_ssl_session_free(session: *mut mbedtls_ssl_session); } unsafe extern "C" { - /// \brief Add data to the accumulator manually - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) + /// \brief TLS-PRF function for key derivation. /// - /// \param ctx Entropy context - /// \param data Data to add - /// \param len Length of data + /// \param prf The tls_prf type function type to be used. + /// \param secret Secret for the key derivation function. + /// \param slen Length of the secret. + /// \param label String label for the key derivation function, + /// terminated with null character. + /// \param random Random bytes. + /// \param rlen Length of the random bytes buffer. + /// \param dstbuf The buffer holding the derived key. + /// \param dlen Length of the output buffer. /// - /// \return 0 if successful - pub fn mbedtls_entropy_update_manual( - ctx: *mut mbedtls_entropy_context, - data: *const ::core::ffi::c_uchar, - len: usize, + /// \return 0 on success. An SSL specific error on failure. + pub fn mbedtls_ssl_tls_prf( + prf: mbedtls_tls_prf_types, + secret: *const ::core::ffi::c_uchar, + slen: usize, + label: *const ::core::ffi::c_char, + random: *const ::core::ffi::c_uchar, + rlen: usize, + dstbuf: *mut ::core::ffi::c_uchar, + dlen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Checkup routine - /// - /// This module self-test also calls the entropy self-test, - /// mbedtls_entropy_source_self_test(); + /// \brief Set the threshold error level to handle globally all debug output. + /// Debug messages that have a level over the threshold value are + /// discarded. + /// (Default value: 0 = No debug ) /// - /// \return 0 if successful, or 1 if a test failed - pub fn mbedtls_entropy_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; + /// \param threshold threshold level of messages to filter on. Messages at a + /// higher level will be discarded. + /// - Debug levels + /// - 0 No debug + /// - 1 Error + /// - 2 State change + /// - 3 Informational + /// - 4 Verbose + pub fn mbedtls_debug_set_threshold(threshold: ::core::ffi::c_int); } unsafe extern "C" { /// \brief This is the HMAC-based Extract-and-Expand Key Derivation Function @@ -24992,8 +25943,8 @@ unsafe extern "C" { /// \param len The length of the personalization string. /// This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT /// and also at most - /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2 - /// where \p entropy_len is the entropy length + /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len * 3 / 2 + /// where \c entropy_len is the entropy length /// described above. /// /// \return \c 0 if successful. @@ -25118,8 +26069,8 @@ unsafe extern "C" { /// \param len The length of the additional data. /// This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT /// and also at most - /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len - /// where \p entropy_len is the entropy length + /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length /// (see mbedtls_hmac_drbg_set_entropy_len()). /// /// \return \c 0 if successful. @@ -25602,6 +26553,28 @@ unsafe extern "C" { oid: *const mbedtls_asn1_buf, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Translate a string containing a dotted-decimal + /// representation of an ASN.1 OID into its encoded form + /// (e.g. "1.2.840.113549" into "\x2A\x86\x48\x86\xF7\x0D"). + /// On success, this function allocates oid->buf from the + /// heap. It must be freed by the caller using mbedtls_free(). + /// + /// \param oid #mbedtls_asn1_buf to populate with the DER-encoded OID + /// \param oid_str string representation of the OID to parse + /// \param size length of the OID string, not including any null terminator + /// + /// \return 0 if successful + /// \return #MBEDTLS_ERR_ASN1_INVALID_DATA if \p oid_str does not + /// represent a valid OID + /// \return #MBEDTLS_ERR_ASN1_ALLOC_FAILED if the function fails to + /// allocate oid->buf + pub fn mbedtls_oid_from_numeric_string( + oid: *mut mbedtls_asn1_buf, + oid_str: *const ::core::ffi::c_char, + size: usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Translate an X.509 extension OID into local values /// @@ -25679,6 +26652,34 @@ unsafe extern "C" { olen: *mut usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Translate AlgorithmIdentifier OID into an EC group identifier, + /// for curves that are directly encoded at this level + /// + /// \param oid OID to use + /// \param grp_id place to store group id + /// + /// \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + pub fn mbedtls_oid_get_ec_grp_algid( + oid: *const mbedtls_asn1_buf, + grp_id: *mut mbedtls_ecp_group_id, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Translate EC group identifier into AlgorithmIdentifier OID, + /// for curves that are directly encoded at this level + /// + /// \param grp_id EC group identifier + /// \param oid place to store ASN.1 OID string pointer + /// \param olen length of the OID + /// + /// \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + pub fn mbedtls_oid_get_oid_by_ec_grp_algid( + grp_id: mbedtls_ecp_group_id, + oid: *mut *const ::core::ffi::c_char, + olen: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Translate SignatureAlgorithm OID into md_type and pk_type /// @@ -25846,11 +26847,11 @@ unsafe extern "C" { /// \param data source data to look in (must be nul-terminated) /// \param pwd password for decryption (can be NULL) /// \param pwdlen length of password - /// \param use_len destination for total length used (set after header is - /// correctly read, so unless you get + /// \param use_len destination for total length used from data buffer. It is + /// set after header is correctly read, so unless you get /// MBEDTLS_ERR_PEM_BAD_INPUT_DATA or /// MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is - /// the length to skip) + /// the length to skip. /// /// \note Attempts to check password correctness by verifying if /// the decrypted text starts with an ASN.1 sequence of @@ -25915,13 +26916,40 @@ unsafe extern "C" { unsafe extern "C" { /// \brief PKCS#5 PBES2 function /// + /// \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must + /// be enabled at compile time. + /// + /// \deprecated This function is deprecated and will be removed in a + /// future version of the library. + /// Please use mbedtls_pkcs5_pbes2_ext() instead. + /// + /// \warning When decrypting: + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile + /// time, this function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile + /// time, this function does not validate the CBC padding. + /// /// \param pbe_params the ASN.1 algorithm parameters - /// \param mode either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT + /// \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT /// \param pwd password to use when generating key /// \param pwdlen length of password /// \param data data to process /// \param datalen length of data - /// \param output output buffer + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p datalen + /// bytes. + /// For encryption, there must be enough room for + /// \p datalen + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. /// /// \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails. pub fn mbedtls_pkcs5_pbes2( @@ -25934,6 +26962,50 @@ unsafe extern "C" { output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief PKCS#5 PBES2 function + /// + /// \warning When decrypting: + /// - This function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// + /// \param pbe_params the ASN.1 algorithm parameters + /// \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT + /// \param pwd password to use when generating key + /// \param pwdlen length of password + /// \param data data to process + /// \param datalen length of data + /// \param output Output buffer. + /// On success, it contains the decrypted data. + /// On failure, the content is indetermidate. + /// For decryption, there must be enough room for \p datalen + /// bytes. + /// For encryption, there must be enough room for + /// \p datalen + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. + /// \param output_size size of output buffer. + /// This must be big enough to accommodate for output plus + /// padding data. + /// \param output_len On success, length of actual data written to the output buffer. + /// + /// \returns 0 on success, or a MBEDTLS_ERR_XXX code if parsing or decryption fails. + pub fn mbedtls_pkcs5_pbes2_ext( + pbe_params: *const mbedtls_asn1_buf, + mode: ::core::ffi::c_int, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + data: *const ::core::ffi::c_uchar, + datalen: usize, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_len: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief PKCS#5 PBKDF2 using HMAC without using the HMAC context /// @@ -26165,6 +27237,25 @@ unsafe extern "C" { /// \brief PKCS12 Password Based function (encryption / decryption) /// for cipher-based and mbedtls_md-based PBE's /// + /// \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must + /// be enabled at compile time. + /// + /// \deprecated This function is deprecated and will be removed in a + /// future version of the library. + /// Please use mbedtls_pkcs12_pbe_ext() instead. + /// + /// \warning When decrypting: + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile + /// time, this function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile + /// time, this function does not validate the CBC padding. + /// /// \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure /// \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or /// #MBEDTLS_PKCS12_PBE_DECRYPT @@ -26173,9 +27264,17 @@ unsafe extern "C" { /// \param pwd Latin1-encoded password used. This may only be \c NULL when /// \p pwdlen is 0. No null terminator should be used. /// \param pwdlen length of the password (may be 0) - /// \param input the input data + /// \param data the input data /// \param len data length - /// \param output the output buffer + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p len + /// bytes. + /// For encryption, there must be enough room for + /// \p len + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. /// /// \return 0 if successful, or a MBEDTLS_ERR_XXX code pub fn mbedtls_pkcs12_pbe( @@ -26185,9 +27284,62 @@ unsafe extern "C" { md_type: mbedtls_md_type_t, pwd: *const ::core::ffi::c_uchar, pwdlen: usize, - input: *const ::core::ffi::c_uchar, + data: *const ::core::ffi::c_uchar, + len: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief PKCS12 Password Based function (encryption / decryption) + /// for cipher-based and mbedtls_md-based PBE's + /// + /// + /// \warning When decrypting: + /// - This function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// + /// \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure + /// \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or + /// #MBEDTLS_PKCS12_PBE_DECRYPT + /// \param cipher_type the cipher used + /// \param md_type the mbedtls_md used + /// \param pwd Latin1-encoded password used. This may only be \c NULL when + /// \p pwdlen is 0. No null terminator should be used. + /// \param pwdlen length of the password (may be 0) + /// \param data the input data + /// \param len data length + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p len + /// bytes. + /// For encryption, there must be enough room for + /// \p len + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. + /// \param output_size size of output buffer. + /// This must be big enough to accommodate for output plus + /// padding data. + /// \param output_len On success, length of actual data written to the output buffer. + /// + /// \return 0 if successful, or a MBEDTLS_ERR_XXX code + pub fn mbedtls_pkcs12_pbe_ext( + pbe_params: *mut mbedtls_asn1_buf, + mode: ::core::ffi::c_int, + cipher_type: mbedtls_cipher_type_t, + md_type: mbedtls_md_type_t, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + data: *const ::core::ffi::c_uchar, len: usize, output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_len: *mut usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { @@ -26286,6 +27438,11 @@ unsafe extern "C" { /// \param session_id_len The length of \p session_id in bytes. /// \param session The address at which to store the session /// associated with \p session_id, if present. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND if there is + /// no cache entry with specified session ID found, or + /// any other negative error code for other failures. pub fn mbedtls_ssl_cache_get( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26302,6 +27459,9 @@ unsafe extern "C" { /// associated to \p session. /// \param session_id_len The length of \p session_id in bytes. /// \param session The session to store. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. pub fn mbedtls_ssl_cache_set( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26315,12 +27475,13 @@ unsafe extern "C" { /// /// \param data The SSL cache context to use. /// \param session_id The pointer to the buffer holding the session ID - /// associated to \p session. + /// associated to session. /// \param session_id_len The length of \p session_id in bytes. /// - /// \return 0: The cache entry for session with provided ID - /// is removed or does not exist. - /// Otherwise: fail. + /// \return \c 0 on success. This indicates the cache entry for + /// the session with provided ID is removed or does not + /// exist. + /// \return A negative error code on failure. pub fn mbedtls_ssl_cache_remove( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26373,13 +27534,7 @@ unsafe extern "C" { /// \brief Setup cookie context (generate keys) pub fn mbedtls_ssl_cookie_setup( ctx: *mut mbedtls_ssl_cookie_ctx, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -26425,6 +27580,9 @@ unsafe extern "C" { #[derive(Copy, Clone)] pub struct mbedtls_ssl_ticket_key { pub private_name: [::core::ffi::c_uchar; 4usize], + /// Lifetime of the key in seconds. This is also the lifetime of the + /// tickets created under that key. + pub private_lifetime: u32, ///< context for auth enc/decryption pub private_ctx: mbedtls_cipher_context_t, } @@ -26480,7 +27638,9 @@ unsafe extern "C" { /// /// \param ctx Context to be set up /// \param f_rng RNG callback function (mandatory) - /// \param p_rng RNG callback context + /// \param p_rng RNG callback context. + /// Note that the RNG callback must remain valid + /// until the ticket context is freed. /// \param cipher AEAD cipher to use for ticket protection. /// Recommended value: MBEDTLS_CIPHER_AES_256_GCM. /// \param lifetime Tickets lifetime in seconds @@ -26490,21 +27650,21 @@ unsafe extern "C" { /// least as strong as the strongest ciphersuite /// supported. Usually that means a 256-bit key. /// - /// \note The lifetime of the keys is twice the lifetime of tickets. - /// It is recommended to pick a reasonable lifetime so as not + /// \note It is recommended to pick a reasonable lifetime so as not /// to negate the benefits of forward secrecy. /// + /// \note The TLS 1.3 specification states that ticket lifetime must + /// be smaller than seven days. If ticket lifetime has been + /// set to a value greater than seven days in this module then + /// if the TLS 1.3 is configured to send tickets after the + /// handshake it will fail the connection when trying to send + /// the first ticket. + /// /// \return 0 if successful, /// or a specific MBEDTLS_ERR_XXX error code pub fn mbedtls_ssl_ticket_setup( ctx: *mut mbedtls_ssl_ticket_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, cipher: mbedtls_cipher_type_t, lifetime: u32, @@ -26535,10 +27695,16 @@ unsafe extern "C" { /// \note \c klength must be sufficient for use by cipher specified /// to \c mbedtls_ssl_ticket_setup /// - /// \note The lifetime of the keys is twice the lifetime of tickets. - /// It is recommended to pick a reasonable lifetime so as not + /// \note It is recommended to pick a reasonable lifetime so as not /// to negate the benefits of forward secrecy. /// + /// \note The TLS 1.3 specification states that ticket lifetime must + /// be smaller than seven days. If ticket lifetime has been + /// set to a value greater than seven days in this module then + /// if the TLS 1.3 is configured to send tickets after the + /// handshake it will fail the connection when trying to send + /// the first ticket. + /// /// \return 0 if successful, /// or a specific MBEDTLS_ERR_XXX error code pub fn mbedtls_ssl_ticket_rotate( @@ -26604,7 +27770,7 @@ pub struct mbedtls_x509_csr { pub key_usage: ::core::ffi::c_uint, ///< Optional Netscape certificate type extension value: See the values in x509.h pub ns_cert_type: ::core::ffi::c_uchar, - ///< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). + ///< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. pub subject_alt_names: mbedtls_x509_sequence, ///< Bit string containing detected and parsed extensions pub private_ext_types: ::core::ffi::c_int, @@ -26644,25 +27810,12 @@ impl Default for mbedtls_x509write_csr { } } } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_x509_san_list { - pub node: mbedtls_x509_subject_alternative_name, - pub next: *mut mbedtls_x509_san_list, -} -impl Default for mbedtls_x509_san_list { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { /// \brief Load a Certificate Signing Request (CSR) in DER format /// - /// \note CSR attributes (if any) are currently silently ignored. + /// \note Any unsupported requested extensions are silently + /// ignored, unless the critical flag is set, in which case + /// the CSR is rejected. /// /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling @@ -26679,6 +27832,70 @@ unsafe extern "C" { buflen: usize, ) -> ::core::ffi::c_int; } +/// \brief The type of certificate extension callbacks. +/// +/// Callbacks of this type are passed to and used by the +/// mbedtls_x509_csr_parse_der_with_ext_cb() routine when +/// it encounters either an unsupported extension. +/// Future versions of the library may invoke the callback +/// in other cases, if and when the need arises. +/// +/// \param p_ctx An opaque context passed to the callback. +/// \param csr The CSR being parsed. +/// \param oid The OID of the extension. +/// \param critical Whether the extension is critical. +/// \param p Pointer to the start of the extension value +/// (the content of the OCTET STRING). +/// \param end End of extension value. +/// +/// \note The callback must fail and return a negative error code +/// if it can not parse or does not support the extension. +/// When the callback fails to parse a critical extension +/// mbedtls_x509_csr_parse_der_with_ext_cb() also fails. +/// When the callback fails to parse a non critical extension +/// mbedtls_x509_csr_parse_der_with_ext_cb() simply skips +/// the extension and continues parsing. +/// +/// \return \c 0 on success. +/// \return A negative error code on failure. +pub type mbedtls_x509_csr_ext_cb_t = ::core::option::Option< + unsafe extern "C" fn( + p_ctx: *mut ::core::ffi::c_void, + csr: *const mbedtls_x509_csr, + oid: *const mbedtls_x509_buf, + critical: ::core::ffi::c_int, + p: *const ::core::ffi::c_uchar, + end: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int, +>; +unsafe extern "C" { + /// \brief Load a Certificate Signing Request (CSR) in DER format + /// + /// \note Any unsupported requested extensions are silently + /// ignored, unless the critical flag is set, in which case + /// the result of the callback function decides whether + /// CSR is rejected. + /// + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. + /// + /// \param csr CSR context to fill + /// \param buf buffer holding the CRL data + /// \param buflen size of the buffer + /// \param cb A callback invoked for every unsupported certificate + /// extension. + /// \param p_ctx An opaque context passed to the callback. + /// + /// \return 0 if successful, or a specific X509 error code + pub fn mbedtls_x509_csr_parse_der_with_ext_cb( + csr: *mut mbedtls_x509_csr, + buf: *const ::core::ffi::c_uchar, + buflen: usize, + cb: mbedtls_x509_csr_ext_cb_t, + p_ctx: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Load a Certificate Signing Request (CSR), DER or PEM format /// @@ -26740,7 +27957,7 @@ unsafe extern "C" { /// \brief Set the subject name for a CSR /// Subject names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1" /// /// \param ctx CSR context to use /// \param subject_name subject name to set @@ -26871,13 +28088,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_csr, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -26898,13 +28109,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_csr, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } diff --git a/esp-mbedtls-sys/src/include/xtensa-esp32s3-none-elf.rs b/esp-mbedtls-sys/src/include/xtensa-esp32s3-none-elf.rs index 8a8f52f3..f6ce94cd 100644 --- a/esp-mbedtls-sys/src/include/xtensa-esp32s3-none-elf.rs +++ b/esp-mbedtls-sys/src/include/xtensa-esp32s3-none-elf.rs @@ -137,6 +137,36 @@ where } } } +#[repr(C)] +#[derive(Default)] +pub struct __IncompleteArrayField(::core::marker::PhantomData, [T; 0]); +impl __IncompleteArrayField { + #[inline] + pub const fn new() -> Self { + __IncompleteArrayField(::core::marker::PhantomData, []) + } + #[inline] + pub fn as_ptr(&self) -> *const T { + self as *const _ as *const T + } + #[inline] + pub fn as_mut_ptr(&mut self) -> *mut T { + self as *mut _ as *mut T + } + #[inline] + pub unsafe fn as_slice(&self, len: usize) -> &[T] { + ::core::slice::from_raw_parts(self.as_ptr(), len) + } + #[inline] + pub unsafe fn as_mut_slice(&mut self, len: usize) -> &mut [T] { + ::core::slice::from_raw_parts_mut(self.as_mut_ptr(), len) + } +} +impl ::core::fmt::Debug for __IncompleteArrayField { + fn fmt(&self, fmt: &mut ::core::fmt::Formatter<'_>) -> ::core::fmt::Result { + fmt.write_str("__IncompleteArrayField") + } +} pub const MBEDTLS_CONFIG_FILE: &[u8; 9] = b"config.h\0"; pub const MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT: u32 = 0; pub const MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: u32 = 1024; @@ -144,14 +174,33 @@ pub const MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE: u32 = 6000; pub const MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH: u32 = 32; pub const MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS: u32 = 1; pub const MBEDTLS_VERSION_MAJOR: u32 = 3; -pub const MBEDTLS_VERSION_MINOR: u32 = 4; -pub const MBEDTLS_VERSION_PATCH: u32 = 0; -pub const MBEDTLS_VERSION_NUMBER: u32 = 50593792; -pub const MBEDTLS_VERSION_STRING: &[u8; 6] = b"3.4.0\0"; -pub const MBEDTLS_VERSION_STRING_FULL: &[u8; 15] = b"mbed TLS 3.4.0\0"; +pub const MBEDTLS_VERSION_MINOR: u32 = 6; +pub const MBEDTLS_VERSION_PATCH: u32 = 5; +pub const MBEDTLS_VERSION_NUMBER: u32 = 50726144; +pub const MBEDTLS_VERSION_STRING: &[u8; 6] = b"3.6.5\0"; +pub const MBEDTLS_VERSION_STRING_FULL: &[u8; 15] = b"Mbed TLS 3.6.5\0"; +pub const PSA_WANT_ALG_MD5: u32 = 1; +pub const PSA_WANT_ALG_RIPEMD160: u32 = 1; +pub const PSA_WANT_ALG_SHA_1: u32 = 1; +pub const PSA_WANT_ALG_SHA_224: u32 = 1; +pub const PSA_WANT_ALG_SHA_256: u32 = 1; +pub const PSA_WANT_ALG_SHA_384: u32 = 1; +pub const PSA_WANT_ALG_SHA_512: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_256: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_384: u32 = 1; +pub const PSA_WANT_ECC_BRAINPOOL_P_R1_512: u32 = 1; +pub const PSA_WANT_ECC_MONTGOMERY_255: u32 = 1; +pub const PSA_WANT_ECC_MONTGOMERY_448: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_192: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_224: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_256: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_384: u32 = 1; +pub const PSA_WANT_ECC_SECP_R1_521: u32 = 1; +pub const PSA_WANT_ECC_SECP_K1_192: u32 = 1; +pub const PSA_WANT_ECC_SECP_K1_256: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CCM: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const PSA_WANT_ALG_CCM: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const PSA_WANT_ALG_CCM_STAR_NO_TAG: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CMAC: u32 = 1; pub const PSA_WANT_ALG_CMAC: u32 = 1; @@ -162,10 +211,40 @@ pub const PSA_WANT_ALG_ECDSA: u32 = 1; pub const PSA_WANT_ALG_ECDSA_ANY: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA: u32 = 1; pub const PSA_WANT_ALG_DETERMINISTIC_ECDSA: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR: u32 = 1; -pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE: u32 = 1; +pub const PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY: u32 = 1; pub const PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE: u32 = 1; +pub const PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY: u32 = 1; +pub const PSA_WANT_ALG_FFDH: u32 = 1; +pub const PSA_WANT_DH_RFC7919_2048: u32 = 1; +pub const PSA_WANT_DH_RFC7919_3072: u32 = 1; +pub const PSA_WANT_DH_RFC7919_4096: u32 = 1; +pub const PSA_WANT_DH_RFC7919_6144: u32 = 1; +pub const PSA_WANT_DH_RFC7919_8192: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_ALG_FFDH: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_GCM: u32 = 1; pub const PSA_WANT_ALG_GCM: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_HMAC: u32 = 1; @@ -176,17 +255,16 @@ pub const MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT: u32 = 1; pub const PSA_WANT_ALG_HKDF_EXTRACT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND: u32 = 1; pub const PSA_WANT_ALG_HKDF_EXPAND: u32 = 1; +pub const PSA_WANT_KEY_TYPE_HMAC: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF: u32 = 1; pub const PSA_WANT_ALG_TLS12_PRF: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS: u32 = 1; pub const PSA_WANT_ALG_TLS12_PSK_TO_MS: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_MD5: u32 = 1; -pub const PSA_WANT_ALG_MD5: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_PAKE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_JPAKE: u32 = 1; pub const PSA_WANT_ALG_JPAKE: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160: u32 = 1; -pub const PSA_WANT_ALG_RIPEMD160: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT: u32 = 1; pub const PSA_WANT_ALG_RSA_PKCS1V15_CRYPT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN: u32 = 1; @@ -196,20 +274,19 @@ pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP: u32 = 1; pub const PSA_WANT_ALG_RSA_OAEP: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS: u32 = 1; pub const PSA_WANT_ALG_RSA_PSS: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR: u32 = 1; -pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_BASIC: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT: u32 = 1; +pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT: u32 = 1; +pub const PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY: u32 = 1; pub const PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_1: u32 = 1; -pub const PSA_WANT_ALG_SHA_1: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_224: u32 = 1; -pub const PSA_WANT_ALG_SHA_224: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_256: u32 = 1; -pub const PSA_WANT_ALG_SHA_256: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_384: u32 = 1; -pub const PSA_WANT_ALG_SHA_384: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_SHA_512: u32 = 1; -pub const PSA_WANT_ALG_SHA_512: u32 = 1; pub const PSA_WANT_KEY_TYPE_AES: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES: u32 = 1; pub const PSA_WANT_KEY_TYPE_ARIA: u32 = 1; @@ -221,8 +298,8 @@ pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS: u32 = 1; pub const PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS: u32 = 1; pub const PSA_WANT_KEY_TYPE_CHACHA20: u32 = 1; -pub const PSA_WANT_ALG_STREAM_CIPHER: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20: u32 = 1; +pub const PSA_WANT_ALG_STREAM_CIPHER: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER: u32 = 1; pub const PSA_WANT_ALG_CHACHA20_POLY1305: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305: u32 = 1; @@ -250,8 +327,7 @@ pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192: u32 = 1; pub const MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256: u32 = 1; -pub const PSA_HAVE_FULL_ECDSA: u32 = 1; -pub const PSA_HAVE_FULL_JPAKE: u32 = 1; +pub const PSA_WANT_ALG_SOME_PAKE: u32 = 1; pub const PSA_WANT_KEY_TYPE_DERIVE: u32 = 1; pub const PSA_WANT_KEY_TYPE_PASSWORD: u32 = 1; pub const PSA_WANT_KEY_TYPE_PASSWORD_HASH: u32 = 1; @@ -272,7 +348,7 @@ pub const MBEDTLS_ERR_MPI_DIVISION_BY_ZERO: i32 = -12; pub const MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: i32 = -14; pub const MBEDTLS_ERR_MPI_ALLOC_FAILED: i32 = -16; pub const MBEDTLS_MPI_MAX_LIMBS: u32 = 10000; -pub const MBEDTLS_MPI_WINDOW_SIZE: u32 = 2; +pub const MBEDTLS_MPI_WINDOW_SIZE: u32 = 3; pub const MBEDTLS_MPI_MAX_SIZE: u32 = 1024; pub const MBEDTLS_MPI_MAX_BITS: u32 = 8192; pub const MBEDTLS_MPI_MAX_BITS_SCALE100: u32 = 819200; @@ -320,6 +396,8 @@ pub const MBEDTLS_CIPHER_VARIABLE_KEY_LEN: u32 = 2; pub const MBEDTLS_MAX_IV_LENGTH: u32 = 16; pub const MBEDTLS_MAX_BLOCK_LENGTH: u32 = 16; pub const MBEDTLS_MAX_KEY_LENGTH: u32 = 64; +pub const MBEDTLS_KEY_BITLEN_SHIFT: u32 = 6; +pub const MBEDTLS_IV_SIZE_SHIFT: u32 = 2; pub const MBEDTLS_CCM_DECRYPT: u32 = 0; pub const MBEDTLS_CCM_ENCRYPT: u32 = 1; pub const MBEDTLS_CCM_STAR_DECRYPT: u32 = 2; @@ -332,7 +410,26 @@ pub const MBEDTLS_ERR_CHACHAPOLY_BAD_STATE: i32 = -84; pub const MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED: i32 = -86; pub const MBEDTLS_AES_BLOCK_SIZE: u32 = 16; pub const MBEDTLS_DES3_BLOCK_SIZE: u32 = 8; +pub const MBEDTLS_CMAC_MAX_BLOCK_SIZE: u32 = 16; pub const MBEDTLS_CIPHER_BLKSIZE_MAX: u32 = 16; +pub const MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: i32 = -20608; +pub const MBEDTLS_ERR_MD_BAD_INPUT_DATA: i32 = -20736; +pub const MBEDTLS_ERR_MD_ALLOC_FAILED: i32 = -20864; +pub const MBEDTLS_ERR_MD_FILE_IO_ERROR: i32 = -20992; +pub const MBEDTLS_MD_MAX_SIZE: u32 = 64; +pub const MBEDTLS_MD_MAX_BLOCK_SIZE: u32 = 128; +pub const MBEDTLS_ENTROPY_BLOCK_SIZE: u32 = 64; +pub const MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: i32 = -60; +pub const MBEDTLS_ERR_ENTROPY_MAX_SOURCES: i32 = -62; +pub const MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: i32 = -64; +pub const MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: i32 = -61; +pub const MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR: i32 = -63; +pub const MBEDTLS_ENTROPY_MAX_SOURCES: u32 = 20; +pub const MBEDTLS_ENTROPY_MAX_GATHER: u32 = 128; +pub const MBEDTLS_ENTROPY_MAX_SEED_SIZE: u32 = 1024; +pub const MBEDTLS_ENTROPY_SOURCE_MANUAL: u32 = 20; +pub const MBEDTLS_ENTROPY_SOURCE_STRONG: u32 = 1; +pub const MBEDTLS_ENTROPY_SOURCE_WEAK: u32 = 0; pub const MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED: i32 = -52; pub const MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG: i32 = -54; pub const MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG: i32 = -56; @@ -367,12 +464,6 @@ pub const MBEDTLS_ECP_MAX_PT_LEN: u32 = 133; pub const MBEDTLS_ECP_PF_UNCOMPRESSED: u32 = 0; pub const MBEDTLS_ECP_PF_COMPRESSED: u32 = 1; pub const MBEDTLS_ECP_TLS_NAMED_CURVE: u32 = 3; -pub const MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: i32 = -20608; -pub const MBEDTLS_ERR_MD_BAD_INPUT_DATA: i32 = -20736; -pub const MBEDTLS_ERR_MD_ALLOC_FAILED: i32 = -20864; -pub const MBEDTLS_ERR_MD_FILE_IO_ERROR: i32 = -20992; -pub const MBEDTLS_MD_MAX_SIZE: u32 = 64; -pub const MBEDTLS_MD_MAX_BLOCK_SIZE: u32 = 128; pub const MBEDTLS_ERR_RSA_BAD_INPUT_DATA: i32 = -16512; pub const MBEDTLS_ERR_RSA_INVALID_PADDING: i32 = -16640; pub const MBEDTLS_ERR_RSA_KEY_GEN_FAILED: i32 = -16768; @@ -387,6 +478,55 @@ pub const MBEDTLS_RSA_PKCS_V21: u32 = 1; pub const MBEDTLS_RSA_SIGN: u32 = 1; pub const MBEDTLS_RSA_CRYPT: u32 = 2; pub const MBEDTLS_RSA_SALT_LEN_ANY: i32 = -1; +pub const MBEDTLS_RSA_GEN_KEY_MIN_BITS: u32 = 1024; +pub const PSA_CRYPTO_API_VERSION_MAJOR: u32 = 1; +pub const PSA_CRYPTO_API_VERSION_MINOR: u32 = 0; +pub const PSA_MAC_TRUNCATION_OFFSET: u32 = 16; +pub const PSA_AEAD_TAG_LENGTH_OFFSET: u32 = 16; +pub const PSA_HMAC_MAX_HASH_BLOCK_SIZE: u32 = 128; +pub const PSA_HASH_MAX_SIZE: u32 = 64; +pub const PSA_MAC_MAX_SIZE: u32 = 64; +pub const PSA_AEAD_TAG_MAX_SIZE: u32 = 16; +pub const PSA_VENDOR_RSA_MAX_KEY_BITS: u32 = 4096; +pub const PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS: u32 = 1024; +pub const PSA_VENDOR_FFDH_MAX_KEY_BITS: u32 = 8192; +pub const PSA_VENDOR_ECC_MAX_CURVE_BITS: u32 = 521; +pub const PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE: u32 = 128; +pub const PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE: u32 = 65; +pub const PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE: u32 = 32; +pub const PSA_VENDOR_PBKDF2_MAX_ITERATIONS: u32 = 4294967295; +pub const PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE: u32 = 16; +pub const PSA_AEAD_NONCE_MAX_SIZE: u32 = 13; +pub const PSA_AEAD_FINISH_OUTPUT_MAX_SIZE: u32 = 16; +pub const PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE: u32 = 16; +pub const PSA_SIGNATURE_MAX_SIZE: u32 = 1; +pub const PSA_EXPORT_KEY_PAIR_MAX_SIZE: u32 = 1; +pub const PSA_EXPORT_PUBLIC_KEY_MAX_SIZE: u32 = 1; +pub const PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE: u32 = 1; +pub const PSA_CIPHER_MAX_KEY_LENGTH: u32 = 32; +pub const PSA_CIPHER_IV_MAX_SIZE: u32 = 16; +pub const PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE: u32 = 16; +pub const MBEDTLS_ERR_SHA1_BAD_INPUT_DATA: i32 = -115; +pub const MBEDTLS_ERR_SHA256_BAD_INPUT_DATA: i32 = -116; +pub const MBEDTLS_ERR_SHA512_BAD_INPUT_DATA: i32 = -117; +pub const MBEDTLS_ERR_SHA3_BAD_INPUT_DATA: i32 = -118; +pub const MBEDTLS_PSA_BUILTIN_CIPHER: u32 = 1; +pub const MBEDTLS_GCM_ENCRYPT: u32 = 1; +pub const MBEDTLS_GCM_DECRYPT: u32 = 0; +pub const MBEDTLS_ERR_GCM_AUTH_FAILED: i32 = -18; +pub const MBEDTLS_ERR_GCM_BAD_INPUT: i32 = -20; +pub const MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: i32 = -22; +pub const MBEDTLS_GCM_HTABLE_SIZE: u32 = 16; +pub const MBEDTLS_PSA_BUILTIN_AEAD: u32 = 1; +pub const MBEDTLS_PSA_JPAKE_BUFFER_SIZE: u32 = 336; +pub const PSA_MAX_KEY_BITS: u32 = 65528; +pub const PSA_CRYPTO_ITS_RANDOM_SEED_UID: u32 = 4294967122; +pub const MBEDTLS_PSA_KEY_SLOT_COUNT: u32 = 32; +pub const PSA_PAKE_OPERATION_STAGE_SETUP: u32 = 0; +pub const PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS: u32 = 1; +pub const PSA_PAKE_OPERATION_STAGE_COMPUTATION: u32 = 2; +pub const PSA_PAKE_OUTPUT_MAX_SIZE: u32 = 65; +pub const PSA_PAKE_INPUT_MAX_SIZE: u32 = 65; pub const MBEDTLS_ERR_PK_ALLOC_FAILED: i32 = -16256; pub const MBEDTLS_ERR_PK_TYPE_MISMATCH: i32 = -16128; pub const MBEDTLS_ERR_PK_BAD_INPUT_DATA: i32 = -16000; @@ -597,45 +737,6 @@ pub const MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256: u32 = 4869; pub const MBEDTLS_CIPHERSUITE_WEAK: u32 = 1; pub const MBEDTLS_CIPHERSUITE_SHORT_TAG: u32 = 2; pub const MBEDTLS_CIPHERSUITE_NODTLS: u32 = 4; -pub const PSA_CRYPTO_API_VERSION_MAJOR: u32 = 1; -pub const PSA_CRYPTO_API_VERSION_MINOR: u32 = 0; -pub const PSA_MAC_TRUNCATION_OFFSET: u32 = 16; -pub const PSA_AEAD_TAG_LENGTH_OFFSET: u32 = 16; -pub const PSA_HASH_MAX_SIZE: u32 = 64; -pub const PSA_HMAC_MAX_HASH_BLOCK_SIZE: u32 = 128; -pub const PSA_MAC_MAX_SIZE: u32 = 64; -pub const PSA_AEAD_TAG_MAX_SIZE: u32 = 16; -pub const PSA_VENDOR_RSA_MAX_KEY_BITS: u32 = 4096; -pub const PSA_VENDOR_ECC_MAX_CURVE_BITS: u32 = 521; -pub const PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE: u32 = 128; -pub const PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE: u32 = 65; -pub const PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE: u32 = 32; -pub const PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE: u32 = 16; -pub const PSA_AEAD_NONCE_MAX_SIZE: u32 = 13; -pub const PSA_AEAD_FINISH_OUTPUT_MAX_SIZE: u32 = 16; -pub const PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE: u32 = 16; -pub const PSA_CIPHER_IV_MAX_SIZE: u32 = 16; -pub const PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE: u32 = 16; -pub const MBEDTLS_GCM_ENCRYPT: u32 = 1; -pub const MBEDTLS_GCM_DECRYPT: u32 = 0; -pub const MBEDTLS_ERR_GCM_AUTH_FAILED: i32 = -18; -pub const MBEDTLS_ERR_GCM_BAD_INPUT: i32 = -20; -pub const MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: i32 = -22; -pub const MBEDTLS_ERR_SHA1_BAD_INPUT_DATA: i32 = -115; -pub const MBEDTLS_ERR_SHA256_BAD_INPUT_DATA: i32 = -116; -pub const MBEDTLS_ERR_SHA512_BAD_INPUT_DATA: i32 = -117; -pub const MBEDTLS_PSA_BUILTIN_CIPHER: u32 = 1; -pub const MBEDTLS_PSA_BUILTIN_AEAD: u32 = 1; -pub const MBEDTLS_PSA_JPAKE_BUFFER_SIZE: u32 = 336; -pub const PSA_MAX_KEY_BITS: u32 = 65528; -pub const MBEDTLS_PSA_KA_MASK_DUAL_USE: u32 = 0; -pub const PSA_CRYPTO_ITS_RANDOM_SEED_UID: u32 = 4294967122; -pub const MBEDTLS_PSA_KEY_SLOT_COUNT: u32 = 32; -pub const PSA_PAKE_OPERATION_STAGE_SETUP: u32 = 0; -pub const PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS: u32 = 1; -pub const PSA_PAKE_OPERATION_STAGE_COMPUTATION: u32 = 2; -pub const PSA_PAKE_OUTPUT_MAX_SIZE: u32 = 65; -pub const PSA_PAKE_INPUT_MAX_SIZE: u32 = 65; pub const MBEDTLS_X509_MAX_INTERMEDIATE_CA: u32 = 8; pub const MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE: i32 = -8320; pub const MBEDTLS_ERR_X509_UNKNOWN_OID: i32 = -8448; @@ -743,7 +844,9 @@ pub const MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY: i32 = -30848; pub const MBEDTLS_ERR_SSL_BAD_CERTIFICATE: i32 = -31232; pub const MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET: i32 = -31488; pub const MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA: i32 = -31616; -pub const MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA: i32 = -31744; +pub const MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA: i32 = -31744; +pub const MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA: i32 = -31872; +pub const MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND: i32 = -32384; pub const MBEDTLS_ERR_SSL_ALLOC_FAILED: i32 = -32512; pub const MBEDTLS_ERR_SSL_HW_ACCEL_FAILED: i32 = -32640; pub const MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: i32 = -28544; @@ -770,6 +873,7 @@ pub const MBEDTLS_ERR_SSL_EARLY_MESSAGE: i32 = -25728; pub const MBEDTLS_ERR_SSL_UNEXPECTED_CID: i32 = -24576; pub const MBEDTLS_ERR_SSL_VERSION_MISMATCH: i32 = -24320; pub const MBEDTLS_ERR_SSL_BAD_CONFIG: i32 = -24192; +pub const MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME: i32 = -23936; pub const MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE: u32 = 0; pub const MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE: u32 = 1; pub const MBEDTLS_SSL_IANA_TLS_GROUP_NONE: u32 = 0; @@ -841,6 +945,8 @@ pub const MBEDTLS_SSL_TRUNC_HMAC_ENABLED: u32 = 1; pub const MBEDTLS_SSL_TRUNCATED_HMAC_LEN: u32 = 10; pub const MBEDTLS_SSL_SESSION_TICKETS_DISABLED: u32 = 0; pub const MBEDTLS_SSL_SESSION_TICKETS_ENABLED: u32 = 1; +pub const MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED: u32 = 0; +pub const MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED: u32 = 1; pub const MBEDTLS_SSL_PRESET_DEFAULT: u32 = 0; pub const MBEDTLS_SSL_PRESET_SUITEB: u32 = 2; pub const MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED: u32 = 1; @@ -854,6 +960,9 @@ pub const MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER: u32 = 0; pub const MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN: u32 = 48; pub const MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN: u32 = 1000; pub const MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX: u32 = 60000; +pub const MBEDTLS_SSL_EARLY_DATA_NO_DISCARD: u32 = 0; +pub const MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD: u32 = 1; +pub const MBEDTLS_SSL_EARLY_DATA_DISCARD: u32 = 2; pub const MBEDTLS_SSL_IN_CONTENT_LEN: u32 = 16384; pub const MBEDTLS_SSL_OUT_CONTENT_LEN: u32 = 16384; pub const MBEDTLS_SSL_DTLS_MAX_BUFFERING: u32 = 32768; @@ -988,18 +1097,6 @@ pub const MBEDTLS_SSL_UNEXPECTED_CID_IGNORE: u32 = 0; pub const MBEDTLS_SSL_UNEXPECTED_CID_FAIL: u32 = 1; pub const MBEDTLS_PRINTF_SIZET: &[u8; 3] = b"zu\0"; pub const MBEDTLS_PRINTF_LONGLONG: &[u8; 4] = b"lld\0"; -pub const MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: i32 = -60; -pub const MBEDTLS_ERR_ENTROPY_MAX_SOURCES: i32 = -62; -pub const MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: i32 = -64; -pub const MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: i32 = -61; -pub const MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR: i32 = -63; -pub const MBEDTLS_ENTROPY_MAX_SOURCES: u32 = 20; -pub const MBEDTLS_ENTROPY_MAX_GATHER: u32 = 128; -pub const MBEDTLS_ENTROPY_BLOCK_SIZE: u32 = 64; -pub const MBEDTLS_ENTROPY_MAX_SEED_SIZE: u32 = 1024; -pub const MBEDTLS_ENTROPY_SOURCE_MANUAL: u32 = 20; -pub const MBEDTLS_ENTROPY_SOURCE_STRONG: u32 = 1; -pub const MBEDTLS_ENTROPY_SOURCE_WEAK: u32 = 0; pub const MBEDTLS_ERR_HKDF_BAD_INPUT_DATA: i32 = -24448; pub const MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG: i32 = -3; pub const MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG: i32 = -5; @@ -1041,6 +1138,7 @@ pub const MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS: u32 = 4096; pub const MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY: u32 = 8192; pub const MBEDTLS_OID_X509_EXT_FRESHEST_CRL: u32 = 16384; pub const MBEDTLS_OID_X509_EXT_NS_CERT_TYPE: u32 = 65536; +pub const MBEDTLS_OID_MAX_COMPONENTS: u32 = 128; pub const MBEDTLS_OID_ISO_MEMBER_BODIES: &[u8; 2] = b"*\0"; pub const MBEDTLS_OID_ISO_IDENTIFIED_ORG: &[u8; 2] = b"+\0"; pub const MBEDTLS_OID_ISO_CCITT_DS: &[u8; 2] = b"U\0"; @@ -1055,6 +1153,8 @@ pub const MBEDTLS_OID_ORG_OIW: &[u8; 2] = b"\x0E\0"; pub const MBEDTLS_OID_OIW_SECSIG: &[u8; 3] = b"\x0E\x03\0"; pub const MBEDTLS_OID_OIW_SECSIG_ALG: &[u8; 4] = b"\x0E\x03\x02\0"; pub const MBEDTLS_OID_OIW_SECSIG_SHA1: &[u8; 5] = b"\x0E\x03\x02\x1A\0"; +pub const MBEDTLS_OID_ORG_THAWTE: &[u8; 2] = b"e\0"; +pub const MBEDTLS_OID_THAWTE: &[u8; 3] = b"+e\0"; pub const MBEDTLS_OID_ORG_CERTICOM: &[u8; 3] = b"\x81\x04\0"; pub const MBEDTLS_OID_CERTICOM: &[u8; 4] = b"+\x81\x04\0"; pub const MBEDTLS_OID_ORG_TELETRUST: &[u8; 2] = b"$\0"; @@ -1153,14 +1253,26 @@ pub const MBEDTLS_OID_DIGEST_ALG_SHA256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x pub const MBEDTLS_OID_DIGEST_ALG_SHA384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x02\0"; pub const MBEDTLS_OID_DIGEST_ALG_SHA512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x03\0"; pub const MBEDTLS_OID_DIGEST_ALG_RIPEMD160: &[u8; 6] = b"+$\x03\x02\x01\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_224: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x07\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x08\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\t\0"; +pub const MBEDTLS_OID_DIGEST_ALG_SHA3_512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\n\0"; pub const MBEDTLS_OID_HMAC_SHA1: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x07\0"; pub const MBEDTLS_OID_HMAC_SHA224: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x08\0"; pub const MBEDTLS_OID_HMAC_SHA256: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\t\0"; pub const MBEDTLS_OID_HMAC_SHA384: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\n\0"; pub const MBEDTLS_OID_HMAC_SHA512: &[u8; 9] = b"*\x86H\x86\xF7\r\x02\x0B\0"; +pub const MBEDTLS_OID_HMAC_SHA3_224: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\r\0"; +pub const MBEDTLS_OID_HMAC_SHA3_256: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x0E\0"; +pub const MBEDTLS_OID_HMAC_SHA3_384: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x0F\0"; +pub const MBEDTLS_OID_HMAC_SHA3_512: &[u8; 10] = b"`\x86H\x01e\x03\x04\x02\x10\0"; +pub const MBEDTLS_OID_HMAC_RIPEMD160: &[u8; 9] = b"+\x06\x01\x05\x05\x08\x01\x04\0"; pub const MBEDTLS_OID_DES_CBC: &[u8; 6] = b"+\x0E\x03\x02\x07\0"; pub const MBEDTLS_OID_DES_EDE3_CBC: &[u8; 9] = b"*\x86H\x86\xF7\r\x03\x07\0"; pub const MBEDTLS_OID_AES: &[u8; 9] = b"`\x86H\x01e\x03\x04\x01\0"; +pub const MBEDTLS_OID_AES_128_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x02\0"; +pub const MBEDTLS_OID_AES_192_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x16\0"; +pub const MBEDTLS_OID_AES_256_CBC: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01*\0"; pub const MBEDTLS_OID_AES128_KW: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x05\0"; pub const MBEDTLS_OID_AES128_KWP: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x08\0"; pub const MBEDTLS_OID_AES192_KW: &[u8; 10] = b"`\x86H\x01e\x03\x04\x01\x19\0"; @@ -1213,6 +1325,10 @@ pub const MBEDTLS_OID_ECDSA_SHA224: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x01\0"; pub const MBEDTLS_OID_ECDSA_SHA256: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x02\0"; pub const MBEDTLS_OID_ECDSA_SHA384: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x03\0"; pub const MBEDTLS_OID_ECDSA_SHA512: &[u8; 9] = b"*\x86H\xCE=\x04\x03\x04\0"; +pub const MBEDTLS_OID_X25519: &[u8; 4] = b"+en\0"; +pub const MBEDTLS_OID_X448: &[u8; 4] = b"+eo\0"; +pub const MBEDTLS_OID_ED25519: &[u8; 4] = b"+ep\0"; +pub const MBEDTLS_OID_ED448: &[u8; 4] = b"+eq\0"; pub const MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT: i32 = -4224; pub const MBEDTLS_ERR_PEM_INVALID_DATA: i32 = -4352; pub const MBEDTLS_ERR_PEM_ALLOC_FAILED: i32 = -4480; @@ -1226,8 +1342,6 @@ pub const MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA: i32 = -12160; pub const MBEDTLS_ERR_PKCS5_INVALID_FORMAT: i32 = -12032; pub const MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE: i32 = -11904; pub const MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH: i32 = -11776; -pub const MBEDTLS_PKCS5_DECRYPT: u32 = 0; -pub const MBEDTLS_PKCS5_ENCRYPT: u32 = 1; pub const MBEDTLS_ERR_PKCS7_INVALID_FORMAT: i32 = -21248; pub const MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE: i32 = -21376; pub const MBEDTLS_ERR_PKCS7_INVALID_VERSION: i32 = -21504; @@ -1248,8 +1362,6 @@ pub const MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH: i32 = -7680; pub const MBEDTLS_PKCS12_DERIVE_KEY: u32 = 1; pub const MBEDTLS_PKCS12_DERIVE_IV: u32 = 2; pub const MBEDTLS_PKCS12_DERIVE_MAC_KEY: u32 = 3; -pub const MBEDTLS_PKCS12_PBE_DECRYPT: u32 = 0; -pub const MBEDTLS_PKCS12_PBE_ENCRYPT: u32 = 1; pub const MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT: u32 = 86400; pub const MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES: u32 = 50; pub const MBEDTLS_SSL_COOKIE_TIMEOUT: u32 = 60; @@ -1373,6 +1485,59 @@ unsafe extern "C" { /// \param len Length of the buffer in bytes pub fn mbedtls_platform_zeroize(buf: *mut ::core::ffi::c_void, len: usize); } +/// \brief The type of custom random generator (RNG) callbacks. +/// +/// Many Mbed TLS functions take two parameters +/// `mbedtls_f_rng_t *f_rng, void *p_rng`. The +/// library will call \c f_rng to generate +/// random values. +/// +/// \note This is typically one of the following: +/// - mbedtls_ctr_drbg_random() with \c p_rng +/// pointing to a #mbedtls_ctr_drbg_context; +/// - mbedtls_hmac_drbg_random() with \c p_rng +/// pointing to a #mbedtls_hmac_drbg_context; +/// - mbedtls_psa_get_random() with +/// `prng = MBEDTLS_PSA_RANDOM_STATE`. +/// +/// \note Generally, given a call +/// `mbedtls_foo(f_rng, p_rng, ....)`, the RNG callback +/// and the context only need to remain valid until +/// the call to `mbedtls_foo` returns. However, there +/// are a few exceptions where the callback is stored +/// in for future use. Check the documentation of +/// the calling function. +/// +/// \warning In a multithreaded environment, calling the +/// function should be thread-safe. The standard +/// functions provided by the library are thread-safe +/// when #MBEDTLS_THREADING_C is enabled. +/// +/// \warning This function must either provide as many +/// bytes as requested of **cryptographic quality** +/// random data, or return a negative error code. +/// +/// \param p_rng The \c p_rng argument that was passed along \c f_rng. +/// The library always passes \c p_rng unchanged. +/// This is typically a pointer to the random generator +/// state, or \c NULL if the custom random generator +/// doesn't need a context-specific state. +/// \param[out] output On success, this must be filled with \p output_size +/// bytes of cryptographic-quality random data. +/// \param output_size The number of bytes to output. +/// +/// \return \c 0 on success, or a negative error code on failure. +/// Library functions will generally propagate this +/// error code, so \c MBEDTLS_ERR_xxx values are +/// recommended. #MBEDTLS_ERR_ENTROPY_SOURCE_FAILED is +/// typically sensible for RNG failures. +pub type mbedtls_f_rng_t = ::core::option::Option< + unsafe extern "C" fn( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + ) -> ::core::ffi::c_int, +>; /// \brief The AES context-type definition. #[repr(C)] #[derive(Copy, Clone)] @@ -1931,6 +2096,10 @@ pub type mbedtls_t_udbl = u64; #[repr(C)] #[derive(Copy, Clone)] pub struct mbedtls_mpi { + /// Pointer to limbs. + /// + /// This may be \c NULL if \c n is 0. + pub private_p: *mut mbedtls_mpi_uint, /// Sign: -1 if the mpi is negative, 1 otherwise. /// /// The number 0 must be represented with `s = +1`. Although many library @@ -1941,13 +2110,9 @@ pub struct mbedtls_mpi { /// /// Note that this implies that calloc() or `... = {0}` does not create /// a valid MPI representation. You must call mbedtls_mpi_init(). - pub private_s: ::core::ffi::c_int, + pub private_s: ::core::ffi::c_short, /// Total number of limbs in \c p. - pub private_n: usize, - /// Pointer to limbs. - /// - /// This may be \c NULL if \c n is 0. - pub private_p: *mut mbedtls_mpi_uint, + pub private_n: ::core::ffi::c_ushort, } impl Default for mbedtls_mpi { fn default() -> Self { @@ -2222,7 +2387,7 @@ unsafe extern "C" { /// \param X The destination MPI. This must point to an initialized MPI. /// \param buf The input buffer. This must be a readable buffer of length /// \p buflen Bytes. - /// \param buflen The length of the input buffer \p p in Bytes. + /// \param buflen The length of the input buffer \p buf in Bytes. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. @@ -2239,7 +2404,7 @@ unsafe extern "C" { /// \param X The destination MPI. This must point to an initialized MPI. /// \param buf The input buffer. This must be a readable buffer of length /// \p buflen Bytes. - /// \param buflen The length of the input buffer \p p in Bytes. + /// \param buflen The length of the input buffer \p buf in Bytes. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. @@ -2294,6 +2459,8 @@ unsafe extern "C" { /// \brief Perform a left-shift on an MPI: X <<= count /// /// \param X The MPI to shift. This must point to an initialized MPI. + /// The MPI pointed by \p X may be resized to fit + /// the resulting number. /// \param count The number of bits to shift by. /// /// \return \c 0 if successful. @@ -2586,7 +2753,7 @@ unsafe extern "C" { ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Perform a sliding-window exponentiation: X = A^E mod N + /// \brief Perform a modular exponentiation: X = A^E mod N /// /// \param X The destination MPI. This must point to an initialized MPI. /// This must not alias E or N. @@ -2637,13 +2804,7 @@ unsafe extern "C" { pub fn mbedtls_mpi_fill_random( X: *mut mbedtls_mpi, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2683,13 +2844,7 @@ unsafe extern "C" { X: *mut mbedtls_mpi, min: mbedtls_mpi_sint, N: *const mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2697,6 +2852,7 @@ unsafe extern "C" { /// \brief Compute the greatest common divisor: G = gcd(A, B) /// /// \param G The destination MPI. This must point to an initialized MPI. + /// This will always be positive or 0. /// \param A The first operand. This must point to an initialized MPI. /// \param B The second operand. This must point to an initialized MPI. /// @@ -2713,17 +2869,19 @@ unsafe extern "C" { /// \brief Compute the modular inverse: X = A^-1 mod N /// /// \param X The destination MPI. This must point to an initialized MPI. + /// The value returned on success will be between [1, N-1]. /// \param A The MPI to calculate the modular inverse of. This must point - /// to an initialized MPI. + /// to an initialized MPI. This value can be negative, in which + /// case a positive answer will still be returned in \p X. /// \param N The base of the modular inversion. This must point to an - /// initialized MPI. + /// initialized MPI and be greater than one. /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. /// \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than /// or equal to one. - /// \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p has no modular inverse - /// with respect to \p N. + /// \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p A has no modular + /// inverse with respect to \p N. pub fn mbedtls_mpi_inv_mod( X: *mut mbedtls_mpi, A: *const mbedtls_mpi, @@ -2746,7 +2904,7 @@ unsafe extern "C" { /// This must point to an initialized MPI. /// \param rounds The number of bases to perform the Miller-Rabin primality /// test for. The probability of returning 0 on a composite is - /// at most 2-2*\p rounds. + /// at most 2-2*\p rounds . /// \param f_rng The RNG function to use. This must not be \c NULL. /// \param p_rng The RNG parameter to be passed to \p f_rng. /// This may be \c NULL if \p f_rng doesn't use @@ -2759,13 +2917,7 @@ unsafe extern "C" { pub fn mbedtls_mpi_is_prime_ext( X: *const mbedtls_mpi, rounds: ::core::ffi::c_int, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -2802,13 +2954,7 @@ unsafe extern "C" { X: *mut mbedtls_mpi, nbits: usize, flags: ::core::ffi::c_int, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -3185,7 +3331,7 @@ unsafe extern "C" { /// on a successful invocation. /// \param end The end of the ASN.1 SEQUENCE container. /// \param tag_must_mask A mask to be applied to the ASN.1 tags found within - /// the SEQUENCE before comparing to \p tag_must_value. + /// the SEQUENCE before comparing to \p tag_must_val. /// \param tag_must_val The required value of each ASN.1 tag found in the /// SEQUENCE, after masking with \p tag_must_mask. /// Mismatching tags lead to an error. @@ -3194,7 +3340,7 @@ unsafe extern "C" { /// while a value of \c 0xFF for \p tag_must_mask means /// that \p tag_must_val is the only allowed tag. /// \param tag_may_mask A mask to be applied to the ASN.1 tags found within - /// the SEQUENCE before comparing to \p tag_may_value. + /// the SEQUENCE before comparing to \p tag_may_val. /// \param tag_may_val The desired value of each ASN.1 tag found in the /// SEQUENCE, after masking with \p tag_may_mask. /// Mismatching tags will be silently ignored. @@ -3487,6 +3633,30 @@ unsafe extern "C" { par_len: usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Write an AlgorithmIdentifier sequence in ASN.1 format. + /// + /// \note This function works backwards in data buffer. + /// + /// \param p The reference to the current position pointer. + /// \param start The start of the buffer, for bounds-checking. + /// \param oid The OID of the algorithm to write. + /// \param oid_len The length of the algorithm's OID. + /// \param par_len The length of the parameters, which must be already written. + /// \param has_par If there are any parameters. If 0, par_len must be 0. If 1 + /// and \p par_len is 0, NULL parameters are added. + /// + /// \return The number of bytes written to \p p on success. + /// \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_asn1_write_algorithm_identifier_ext( + p: *mut *mut ::core::ffi::c_uchar, + start: *const ::core::ffi::c_uchar, + oid: *const ::core::ffi::c_char, + oid_len: usize, + par_len: usize, + has_par: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value /// in ASN.1 format. @@ -3989,32 +4159,17 @@ pub struct mbedtls_cipher_base_t { /// mbedtls_cipher_info_from_type(), /// mbedtls_cipher_info_from_values(), /// mbedtls_cipher_info_from_psa(). +/// +/// \note Some fields store a value that has been right-shifted to save +/// code-size, so should not be used directly. The accessor +/// functions adjust for this and return the "natural" value. #[repr(C)] #[derive(Copy, Clone)] pub struct mbedtls_cipher_info_t { - /// Full cipher identifier. For example, - /// MBEDTLS_CIPHER_AES_256_CBC. - pub private_type: mbedtls_cipher_type_t, - /// The cipher mode. For example, MBEDTLS_MODE_CBC. - pub private_mode: mbedtls_cipher_mode_t, - /// The cipher key length, in bits. This is the - /// default length for variable sized ciphers. - /// Includes parity bits for ciphers like DES. - pub private_key_bitlen: ::core::ffi::c_uint, /// Name of the cipher. pub private_name: *const ::core::ffi::c_char, - /// IV or nonce size, in Bytes. - /// For ciphers that accept variable IV sizes, - /// this is the recommended size. - pub private_iv_size: ::core::ffi::c_uint, - /// Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and - /// MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the - /// cipher supports variable IV or variable key sizes, respectively. - pub private_flags: ::core::ffi::c_int, - /// The block size, in Bytes. - pub private_block_size: ::core::ffi::c_uint, - /// Struct for base cipher information and functions. - pub private_base: *const mbedtls_cipher_base_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 4usize]>, } impl Default for mbedtls_cipher_info_t { fn default() -> Self { @@ -4025,46 +4180,321 @@ impl Default for mbedtls_cipher_info_t { } } } -/// Generic cipher context. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_cipher_context_t { - /// Information about the associated cipher. - pub private_cipher_info: *const mbedtls_cipher_info_t, - /// Key length to use. - pub private_key_bitlen: ::core::ffi::c_int, - /// Operation that the key of the context has been - /// initialized for. - pub private_operation: mbedtls_operation_t, - /// Padding functions to use, if relevant for - /// the specific cipher mode. - pub private_add_padding: ::core::option::Option< - unsafe extern "C" fn(output: *mut ::core::ffi::c_uchar, olen: usize, data_len: usize), - >, - pub private_get_padding: ::core::option::Option< - unsafe extern "C" fn( - input: *mut ::core::ffi::c_uchar, - ilen: usize, - data_len: *mut usize, - ) -> ::core::ffi::c_int, - >, - /// Buffer for input that has not been processed yet. - pub private_unprocessed_data: [::core::ffi::c_uchar; 16usize], - /// Number of Bytes that have not been processed yet. - pub private_unprocessed_len: usize, - /// Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number - /// for XTS-mode. - pub private_iv: [::core::ffi::c_uchar; 16usize], - /// IV size in Bytes, for ciphers with variable-length IVs. - pub private_iv_size: usize, - /// The cipher-specific context. - pub private_cipher_ctx: *mut ::core::ffi::c_void, - /// CMAC-specific context. - pub private_cmac_ctx: *mut mbedtls_cmac_context_t, -} -impl Default for mbedtls_cipher_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); +impl mbedtls_cipher_info_t { + #[inline] + pub fn private_block_size(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 5u8) as u32) } + } + #[inline] + pub fn set_private_block_size(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 5u8, val as u64) + } + } + #[inline] + pub unsafe fn private_block_size_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 5u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_block_size_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 5u8, + val as u64, + ) + } + } + #[inline] + pub fn private_iv_size(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(5usize, 3u8) as u32) } + } + #[inline] + pub fn set_private_iv_size(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(5usize, 3u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_size_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 5usize, + 3u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_size_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 5usize, + 3u8, + val as u64, + ) + } + } + #[inline] + pub fn private_key_bitlen(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(8usize, 4u8) as u32) } + } + #[inline] + pub fn set_private_key_bitlen(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(8usize, 4u8, val as u64) + } + } + #[inline] + pub unsafe fn private_key_bitlen_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 8usize, + 4u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_key_bitlen_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 8usize, + 4u8, + val as u64, + ) + } + } + #[inline] + pub fn private_mode(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(12usize, 4u8) as u32) } + } + #[inline] + pub fn set_private_mode(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(12usize, 4u8, val as u64) + } + } + #[inline] + pub unsafe fn private_mode_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 12usize, + 4u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_mode_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 12usize, + 4u8, + val as u64, + ) + } + } + #[inline] + pub fn private_type(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(16usize, 8u8) as u32) } + } + #[inline] + pub fn set_private_type(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(16usize, 8u8, val as u64) + } + } + #[inline] + pub unsafe fn private_type_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 16usize, + 8u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_type_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 16usize, + 8u8, + val as u64, + ) + } + } + #[inline] + pub fn private_flags(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(24usize, 2u8) as u32) } + } + #[inline] + pub fn set_private_flags(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(24usize, 2u8, val as u64) + } + } + #[inline] + pub unsafe fn private_flags_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 24usize, + 2u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_flags_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 24usize, + 2u8, + val as u64, + ) + } + } + #[inline] + pub fn private_base_idx(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(26usize, 5u8) as u32) } + } + #[inline] + pub fn set_private_base_idx(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(26usize, 5u8, val as u64) + } + } + #[inline] + pub unsafe fn private_base_idx_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 4usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 26usize, + 5u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_base_idx_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 4usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 26usize, + 5u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_block_size: ::core::ffi::c_uint, + private_iv_size: ::core::ffi::c_uint, + private_key_bitlen: ::core::ffi::c_uint, + private_mode: ::core::ffi::c_uint, + private_type: ::core::ffi::c_uint, + private_flags: ::core::ffi::c_uint, + private_base_idx: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 4usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 4usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 5u8, { + let private_block_size: u32 = unsafe { ::core::mem::transmute(private_block_size) }; + private_block_size as u64 + }); + __bindgen_bitfield_unit.set(5usize, 3u8, { + let private_iv_size: u32 = unsafe { ::core::mem::transmute(private_iv_size) }; + private_iv_size as u64 + }); + __bindgen_bitfield_unit.set(8usize, 4u8, { + let private_key_bitlen: u32 = unsafe { ::core::mem::transmute(private_key_bitlen) }; + private_key_bitlen as u64 + }); + __bindgen_bitfield_unit.set(12usize, 4u8, { + let private_mode: u32 = unsafe { ::core::mem::transmute(private_mode) }; + private_mode as u64 + }); + __bindgen_bitfield_unit.set(16usize, 8u8, { + let private_type: u32 = unsafe { ::core::mem::transmute(private_type) }; + private_type as u64 + }); + __bindgen_bitfield_unit.set(24usize, 2u8, { + let private_flags: u32 = unsafe { ::core::mem::transmute(private_flags) }; + private_flags as u64 + }); + __bindgen_bitfield_unit.set(26usize, 5u8, { + let private_base_idx: u32 = unsafe { ::core::mem::transmute(private_base_idx) }; + private_base_idx as u64 + }); + __bindgen_bitfield_unit + } +} +/// Generic cipher context. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_cipher_context_t { + /// Information about the associated cipher. + pub private_cipher_info: *const mbedtls_cipher_info_t, + /// Key length to use. + pub private_key_bitlen: ::core::ffi::c_int, + /// Operation that the key of the context has been + /// initialized for. + pub private_operation: mbedtls_operation_t, + /// Padding functions to use, if relevant for + /// the specific cipher mode. + pub private_add_padding: ::core::option::Option< + unsafe extern "C" fn(output: *mut ::core::ffi::c_uchar, olen: usize, data_len: usize), + >, + pub private_get_padding: ::core::option::Option< + unsafe extern "C" fn( + input: *mut ::core::ffi::c_uchar, + ilen: usize, + data_len: *mut usize, + invalid_padding: *mut usize, + ) -> ::core::ffi::c_int, + >, + /// Buffer for input that has not been processed yet. + pub private_unprocessed_data: [::core::ffi::c_uchar; 16usize], + /// Number of Bytes that have not been processed yet. + pub private_unprocessed_len: usize, + /// Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number + /// for XTS-mode. + pub private_iv: [::core::ffi::c_uchar; 16usize], + /// IV size in Bytes, for ciphers with variable-length IVs. + pub private_iv_size: usize, + /// The cipher-specific context. + pub private_cipher_ctx: *mut ::core::ffi::c_void, + /// CMAC-specific context. + pub private_cmac_ctx: *mut mbedtls_cmac_context_t, +} +impl Default for mbedtls_cipher_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); s.assume_init() @@ -4132,7 +4562,7 @@ unsafe extern "C" { ) -> *const mbedtls_cipher_info_t; } unsafe extern "C" { - /// \brief This function initializes a \p cipher_context as NONE. + /// \brief This function initializes a \p ctx as NONE. /// /// \param ctx The context to be initialized. This must not be \c NULL. pub fn mbedtls_cipher_init(ctx: *mut mbedtls_cipher_context_t); @@ -4203,7 +4633,6 @@ unsafe extern "C" { /// \brief This function sets the padding mode, for cipher modes /// that use padding. /// - /// The default passing mode is PKCS7 padding. /// /// \param ctx The generic cipher context. This must be initialized and /// bound to a cipher information structure. @@ -4253,23 +4682,24 @@ unsafe extern "C" { /// /// \note With non-AEAD ciphers, the order of calls for each message /// is as follows: - /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce. - /// 2. mbedtls_cipher_reset() - /// 3. mbedtls_cipher_update() one or more times - /// 4. mbedtls_cipher_finish() + /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce; + /// 2. mbedtls_cipher_reset(); + /// 3. mbedtls_cipher_update() zero, one or more times; + /// 4. mbedtls_cipher_finish_padded() (recommended for decryption + /// if the mode uses padding) or mbedtls_cipher_finish(). /// . /// This sequence can be repeated to encrypt or decrypt multiple /// messages with the same key. /// /// \note With AEAD ciphers, the order of calls for each message /// is as follows: - /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce. - /// 2. mbedtls_cipher_reset() - /// 3. mbedtls_cipher_update_ad() - /// 4. mbedtls_cipher_update() one or more times - /// 5. mbedtls_cipher_finish() + /// 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce; + /// 2. mbedtls_cipher_reset(); + /// 3. mbedtls_cipher_update_ad(); + /// 4. mbedtls_cipher_update() zero, one or more times; + /// 5. mbedtls_cipher_finish() (or mbedtls_cipher_finish_padded()); /// 6. mbedtls_cipher_check_tag() (for decryption) or - /// mbedtls_cipher_write_tag() (for encryption). + /// mbedtls_cipher_write_tag() (for encryption). /// . /// This sequence can be repeated to encrypt or decrypt multiple /// messages with the same key. @@ -4304,7 +4734,8 @@ unsafe extern "C" { /// many block-sized blocks of data as possible to output. /// Any data that cannot be written immediately is either /// added to the next block, or flushed when - /// mbedtls_cipher_finish() is called. + /// mbedtls_cipher_finish() or mbedtls_cipher_finish_padded() + /// is called. /// Exception: For MBEDTLS_MODE_ECB, expects a single block /// in size. For example, 16 Bytes for AES. /// @@ -4340,12 +4771,30 @@ unsafe extern "C" { /// contained in it is padded to the size of /// the last block, and written to the \p output buffer. /// + /// \warning This function reports invalid padding through an error + /// code. Adversaries may be able to decrypt encrypted + /// data if they can submit chosen ciphertexts and + /// detect whether it has valid padding or not, + /// either through direct observation or through a side + /// channel such as timing. This is known as a + /// padding oracle attack. + /// Therefore applications that call this function for + /// decryption with a cipher that involves padding + /// should take care around error handling. Preferably, + /// such applications should use + /// mbedtls_cipher_finish_padded() instead of this function. + /// /// \param ctx The generic cipher context. This must be initialized and /// bound to a key. /// \param output The buffer to write data to. This needs to be a writable - /// buffer of at least \p block_size Bytes. + /// buffer of at least block_size Bytes. /// \param olen The length of the data written to the \p output buffer. /// This may not be \c NULL. + /// Note that when decrypting in a mode with padding, + /// the actual output length is sensitive and may be + /// used to mount a padding oracle attack (see warning + /// above), although less efficiently than through + /// the invalid-padding condition. /// /// \return \c 0 on success. /// \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on @@ -4353,7 +4802,8 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption /// expecting a full block but not receiving one. /// \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding - /// while decrypting. + /// while decrypting. Note that invalid-padding errors + /// should be handled carefully; see the warning above. /// \return A cipher-specific error code on failure. pub fn mbedtls_cipher_finish( ctx: *mut mbedtls_cipher_context_t, @@ -4361,10 +4811,60 @@ unsafe extern "C" { olen: *mut usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief The generic cipher finalization function. If data still + /// needs to be flushed from an incomplete block, the data + /// contained in it is padded to the size of + /// the last block, and written to the \p output buffer. + /// + /// \note This function is similar to mbedtls_cipher_finish(). + /// The only difference is that it reports invalid padding + /// decryption differently, through the \p invalid_padding + /// parameter rather than an error code. + /// For encryption, and in modes without padding (including + /// all authenticated modes), this function is identical + /// to mbedtls_cipher_finish(). + /// + /// \param[in,out] ctx The generic cipher context. This must be initialized and + /// bound to a key. + /// \param[out] output The buffer to write data to. This needs to be a writable + /// buffer of at least block_size Bytes. + /// \param[out] olen The length of the data written to the \p output buffer. + /// This may not be \c NULL. + /// Note that when decrypting in a mode with padding, + /// the actual output length is sensitive and may be + /// used to mount a padding oracle attack (see warning + /// on mbedtls_cipher_finish()). + /// \param[out] invalid_padding + /// If this function returns \c 0 on decryption, + /// \p *invalid_padding is \c 0 if the ciphertext was + /// valid, and all-bits-one if the ciphertext had invalid + /// padding. + /// On encryption, or in a mode without padding (including + /// all authenticated modes), \p *invalid_padding is \c 0 + /// on success. + /// The value in \p *invalid_padding is unspecified if + /// this function returns a nonzero status. + /// + /// \return \c 0 on success. + /// Also \c 0 for decryption with invalid padding. + /// \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on + /// parameter-verification failure. + /// \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption + /// expecting a full block but not receiving one. + /// \return A cipher-specific error code on failure. + pub fn mbedtls_cipher_finish_padded( + ctx: *mut mbedtls_cipher_context_t, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + invalid_padding: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief This function writes a tag for AEAD ciphers. /// Currently supported with GCM and ChaCha20+Poly1305. - /// This must be called after mbedtls_cipher_finish(). + /// This must be called after mbedtls_cipher_finish() + /// or mbedtls_cipher_finish_padded(). /// /// \param ctx The generic cipher context. This must be initialized, /// bound to a key, and have just completed a cipher @@ -4385,7 +4885,8 @@ unsafe extern "C" { unsafe extern "C" { /// \brief This function checks the tag for AEAD ciphers. /// Currently supported with GCM and ChaCha20+Poly1305. - /// This must be called after mbedtls_cipher_finish(). + /// This must be called after mbedtls_cipher_finish() + /// or mbedtls_cipher_finish_padded(). /// /// \param ctx The generic cipher context. This must be initialized. /// \param tag The buffer holding the tag. This must be a readable @@ -4570,8 +5071,6 @@ pub struct mbedtls_ccm_context { pub private_y: [::core::ffi::c_uchar; 16usize], ///< The counter buffer pub private_ctr: [::core::ffi::c_uchar; 16usize], - ///< The cipher context used. - pub private_cipher_ctx: mbedtls_cipher_context_t, ///< Total plaintext length pub private_plaintext_len: usize, ///< Total authentication data length @@ -4586,16 +5085,17 @@ pub struct mbedtls_ccm_context { ///auth data input is finished. pub private_processed: usize, ///< The Q working value - pub private_q: ::core::ffi::c_uchar, + pub private_q: ::core::ffi::c_uint, ///< The operation to perform: ///#MBEDTLS_CCM_ENCRYPT or ///#MBEDTLS_CCM_DECRYPT or ///#MBEDTLS_CCM_STAR_ENCRYPT or ///#MBEDTLS_CCM_STAR_DECRYPT. - pub private_mode: ::core::ffi::c_uchar, + pub private_mode: ::core::ffi::c_uint, + ///< The cipher context used. + pub private_cipher_ctx: mbedtls_cipher_context_t, ///< Working value holding context's - ///state. Used for chunked data - ///input + ///state. Used for chunked data input pub private_state: ::core::ffi::c_int, } impl Default for mbedtls_ccm_context { @@ -5838,47 +6338,59 @@ unsafe extern "C" { /// \return \c 1 on failure. pub fn mbedtls_cmac_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -/// \brief The CTR_DRBG context structure. +///< None. +pub const mbedtls_md_type_t_MBEDTLS_MD_NONE: mbedtls_md_type_t = 0; +///< The MD5 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_MD5: mbedtls_md_type_t = 3; +///< The RIPEMD-160 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_RIPEMD160: mbedtls_md_type_t = 4; +///< The SHA-1 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA1: mbedtls_md_type_t = 5; +///< The SHA-224 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA224: mbedtls_md_type_t = 8; +///< The SHA-256 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA256: mbedtls_md_type_t = 9; +///< The SHA-384 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA384: mbedtls_md_type_t = 10; +///< The SHA-512 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA512: mbedtls_md_type_t = 11; +///< The SHA3-224 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_224: mbedtls_md_type_t = 16; +///< The SHA3-256 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_256: mbedtls_md_type_t = 17; +///< The SHA3-384 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_384: mbedtls_md_type_t = 18; +///< The SHA3-512 message digest. +pub const mbedtls_md_type_t_MBEDTLS_MD_SHA3_512: mbedtls_md_type_t = 19; +/// \brief Supported message digests. +/// +/// \warning MD5 and SHA-1 are considered weak message digests and +/// their use constitutes a security risk. We recommend considering +/// stronger message digests instead. +pub type mbedtls_md_type_t = ::core::ffi::c_uint; #[repr(C)] #[derive(Copy, Clone)] -pub struct mbedtls_ctr_drbg_context { - ///< The counter (V). - pub private_counter: [::core::ffi::c_uchar; 16usize], - ///< The reseed counter. - /// This is the number of requests that have - /// been made since the last (re)seeding, - /// minus one. - /// Before the initial seeding, this field - /// contains the amount of entropy in bytes - /// to use as a nonce for the initial seeding, - /// or -1 if no nonce length has been explicitly - /// set (see mbedtls_ctr_drbg_set_nonce_len()). - pub private_reseed_counter: ::core::ffi::c_int, - ///< This determines whether prediction - ///resistance is enabled, that is - ///whether to systematically reseed before - ///each random generation. - pub private_prediction_resistance: ::core::ffi::c_int, - ///< The amount of entropy grabbed on each - ///seed or reseed operation, in bytes. - pub private_entropy_len: usize, - ///< The reseed interval. - /// This is the maximum number of requests - /// that can be made between reseedings. - pub private_reseed_interval: ::core::ffi::c_int, - ///< The AES context. - pub private_aes_ctx: mbedtls_aes_context, - pub private_f_entropy: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - ///< The context for the entropy function. - pub private_p_entropy: *mut ::core::ffi::c_void, +pub struct mbedtls_md_info_t { + _unused: [u8; 0], } -impl Default for mbedtls_ctr_drbg_context { +pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_LEGACY: mbedtls_md_engine_t = 0; +pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_PSA: mbedtls_md_engine_t = 1; +/// Used internally to indicate whether a context uses legacy or PSA. +/// +/// Internal use only. +pub type mbedtls_md_engine_t = ::core::ffi::c_uint; +/// The generic message-digest context. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_md_context_t { + /// Information about the associated message digest. + pub private_md_info: *const mbedtls_md_info_t, + /// The digest-specific context (legacy) or the PSA operation. + pub private_md_ctx: *mut ::core::ffi::c_void, + /// The HMAC part of the context. + pub private_hmac_ctx: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_md_context_t { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -5888,4389 +6400,3745 @@ impl Default for mbedtls_ctr_drbg_context { } } unsafe extern "C" { - /// \brief This function initializes the CTR_DRBG context, - /// and prepares it for mbedtls_ctr_drbg_seed() - /// or mbedtls_ctr_drbg_free(). + /// \brief This function returns the message-digest information + /// associated with the given digest type. /// - /// \note The reseed interval is - /// #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default. - /// You can override it by calling - /// mbedtls_ctr_drbg_set_reseed_interval(). + /// \param md_type The type of digest to search for. /// - /// \param ctx The CTR_DRBG context to initialize. - pub fn mbedtls_ctr_drbg_init(ctx: *mut mbedtls_ctr_drbg_context); + /// \return The message-digest information associated with \p md_type. + /// \return NULL if the associated message-digest information is not found. + pub fn mbedtls_md_info_from_type(md_type: mbedtls_md_type_t) -> *const mbedtls_md_info_t; } unsafe extern "C" { - /// - The \p custom string. - /// - /// \note To achieve the nominal security strength permitted - /// by CTR_DRBG, the entropy length must be: - /// - at least 16 bytes for a 128-bit strength - /// (maximum achievable strength when using AES-128); - /// - at least 32 bytes for a 256-bit strength - /// (maximum achievable strength when using AES-256). - /// - /// In addition, if you do not pass a nonce in \p custom, - /// the sum of the entropy length - /// and the entropy nonce length must be: - /// - at least 24 bytes for a 128-bit strength - /// (maximum achievable strength when using AES-128); - /// - at least 48 bytes for a 256-bit strength - /// (maximum achievable strength when using AES-256). - /// - /// \param ctx The CTR_DRBG context to seed. - /// It must have been initialized with - /// mbedtls_ctr_drbg_init(). - /// After a successful call to mbedtls_ctr_drbg_seed(), - /// you may not call mbedtls_ctr_drbg_seed() again on - /// the same context unless you call - /// mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init() - /// again first. - /// After a failed call to mbedtls_ctr_drbg_seed(), - /// you must call mbedtls_ctr_drbg_free(). - /// \param f_entropy The entropy callback, taking as arguments the - /// \p p_entropy context, the buffer to fill, and the - /// length of the buffer. - /// \p f_entropy is always called with a buffer size - /// less than or equal to the entropy length. - /// \param p_entropy The entropy context to pass to \p f_entropy. - /// \param custom The personalization string. - /// This can be \c NULL, in which case the personalization - /// string is empty regardless of the value of \p len. - /// \param len The length of the personalization string. - /// This must be at most - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// - #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// \brief This function initializes a message-digest context without + /// binding it to a particular message-digest algorithm. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. - pub fn mbedtls_ctr_drbg_seed( - ctx: *mut mbedtls_ctr_drbg_context, - f_entropy: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_entropy: *mut ::core::ffi::c_void, - custom: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// This function should always be called first. It prepares the + /// context for mbedtls_md_setup() for binding it to a + /// message-digest algorithm. + pub fn mbedtls_md_init(ctx: *mut mbedtls_md_context_t); } unsafe extern "C" { - /// \brief This function resets CTR_DRBG context to the state immediately - /// after initial call of mbedtls_ctr_drbg_init(). + /// \brief This function clears the internal structure of \p ctx and + /// frees any embedded internal structure, but does not free + /// \p ctx itself. /// - /// \param ctx The CTR_DRBG context to clear. - pub fn mbedtls_ctr_drbg_free(ctx: *mut mbedtls_ctr_drbg_context); + /// If you have called mbedtls_md_setup() on \p ctx, you must + /// call mbedtls_md_free() when you are no longer using the + /// context. + /// Calling this function if you have previously + /// called mbedtls_md_init() and nothing else is optional. + /// You must not call this function if you have not called + /// mbedtls_md_init(). + pub fn mbedtls_md_free(ctx: *mut mbedtls_md_context_t); } unsafe extern "C" { - /// \brief This function turns prediction resistance on or off. - /// The default value is off. + /// \brief This function selects the message digest algorithm to use, + /// and allocates internal structures. /// - /// \note If enabled, entropy is gathered at the beginning of - /// every call to mbedtls_ctr_drbg_random_with_add() - /// or mbedtls_ctr_drbg_random(). - /// Only use this if your entropy source has sufficient - /// throughput. + /// It should be called after mbedtls_md_init() or + /// mbedtls_md_free(). Makes it necessary to call + /// mbedtls_md_free() later. /// - /// \param ctx The CTR_DRBG context. - /// \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF. - pub fn mbedtls_ctr_drbg_set_prediction_resistance( - ctx: *mut mbedtls_ctr_drbg_context, - resistance: ::core::ffi::c_int, - ); + /// \param ctx The context to set up. + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory), + /// or non-zero: HMAC is used with this context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + /// \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure. + pub fn mbedtls_md_setup( + ctx: *mut mbedtls_md_context_t, + md_info: *const mbedtls_md_info_t, + hmac: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the amount of entropy grabbed on each - /// seed or reseed. - /// - /// The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// \brief This function clones the state of a message-digest + /// context. /// - /// \note The security strength of CTR_DRBG is bounded by the - /// entropy length. Thus: - /// - When using AES-256 - /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled, - /// which is the default), - /// \p len must be at least 32 (in bytes) - /// to achieve a 256-bit strength. - /// - When using AES-128 - /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) - /// \p len must be at least 16 (in bytes) - /// to achieve a 128-bit strength. + /// \note You must call mbedtls_md_setup() on \c dst before calling + /// this function. /// - /// \param ctx The CTR_DRBG context. - /// \param len The amount of entropy to grab, in bytes. - /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// and at most the maximum length accepted by the - /// entropy function that is set in the context. - pub fn mbedtls_ctr_drbg_set_entropy_len(ctx: *mut mbedtls_ctr_drbg_context, len: usize); -} -unsafe extern "C" { - /// \brief This function sets the amount of entropy grabbed - /// as a nonce for the initial seeding. + /// \note The two contexts must have the same type, + /// for example, both are SHA-256. /// - /// Call this function before calling mbedtls_ctr_drbg_seed() to read - /// a nonce from the entropy source during the initial seeding. + /// \warning This function clones the message-digest state, not the + /// HMAC state. /// - /// \param ctx The CTR_DRBG context. - /// \param len The amount of entropy to grab for the nonce, in bytes. - /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - /// and at most the maximum length accepted by the - /// entropy function that is set in the context. + /// \param dst The destination context. + /// \param src The context to be cloned. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is - /// more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED - /// if the initial seeding has already taken place. - pub fn mbedtls_ctr_drbg_set_nonce_len( - ctx: *mut mbedtls_ctr_drbg_context, - len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure. + /// \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are + /// not using the same engine. This can be avoided by moving + /// the call to psa_crypto_init() before the first call to + /// mbedtls_md_setup(). + pub fn mbedtls_md_clone( + dst: *mut mbedtls_md_context_t, + src: *const mbedtls_md_context_t, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the reseed interval. - /// - /// The reseed interval is the number of calls to mbedtls_ctr_drbg_random() - /// or mbedtls_ctr_drbg_random_with_add() after which the entropy function - /// is called again. + /// \brief This function extracts the message-digest size from the + /// message-digest information structure. /// - /// The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL. + /// \param md_info The information structure of the message-digest algorithm + /// to use. /// - /// \param ctx The CTR_DRBG context. - /// \param interval The reseed interval. - pub fn mbedtls_ctr_drbg_set_reseed_interval( - ctx: *mut mbedtls_ctr_drbg_context, - interval: ::core::ffi::c_int, - ); + /// \return The size of the message-digest output in Bytes. + pub fn mbedtls_md_get_size(md_info: *const mbedtls_md_info_t) -> ::core::ffi::c_uchar; } unsafe extern "C" { - /// \brief This function reseeds the CTR_DRBG context, that is - /// extracts data from the entropy source. + /// \brief This function extracts the message-digest type from the + /// message-digest information structure. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// \param md_info The information structure of the message-digest algorithm + /// to use. /// - /// \param ctx The CTR_DRBG context. - /// \param additional Additional data to add to the state. Can be \c NULL. - /// \param len The length of the additional data. - /// This must be less than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len - /// where \c entropy_len is the entropy length - /// configured for the context. + /// \return The type of the message digest. + pub fn mbedtls_md_get_type(md_info: *const mbedtls_md_info_t) -> mbedtls_md_type_t; +} +unsafe extern "C" { + /// \brief This function starts a message-digest computation. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. - pub fn mbedtls_ctr_drbg_reseed( - ctx: *mut mbedtls_ctr_drbg_context, - additional: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// You must call this function after setting up the context + /// with mbedtls_md_setup(), and before passing data with + /// mbedtls_md_update(). + /// + /// \param ctx The generic message-digest context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_starts(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function updates the state of the CTR_DRBG context. + /// \brief This function feeds an input buffer into an ongoing + /// message-digest computation. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// You must call mbedtls_md_starts() before calling this + /// function. You may call this function multiple times. + /// Afterwards, call mbedtls_md_finish(). /// - /// \param ctx The CTR_DRBG context. - /// \param additional The data to update the state with. This must not be - /// \c NULL unless \p add_len is \c 0. - /// \param add_len Length of \p additional in bytes. This must be at - /// most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \param ctx The generic message-digest context. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if - /// \p add_len is more than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. - /// \return An error from the underlying AES cipher on failure. - pub fn mbedtls_ctr_drbg_update( - ctx: *mut mbedtls_ctr_drbg_context, - additional: *const ::core::ffi::c_uchar, - add_len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_update( + ctx: *mut mbedtls_md_context_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function updates a CTR_DRBG instance with additional - /// data and uses it to generate random data. - /// - /// This function automatically reseeds if the reseed counter is exceeded - /// or prediction resistance is enabled. + /// \brief This function finishes the digest operation, + /// and writes the result to the output buffer. /// - /// \note This function is not thread-safe. It is not safe - /// to call this function if another thread might be - /// concurrently obtaining random numbers from the same - /// context or updating or reseeding the same context. + /// Call this function after a call to mbedtls_md_starts(), + /// followed by any number of calls to mbedtls_md_update(). + /// Afterwards, you may either clear the context with + /// mbedtls_md_free(), or call mbedtls_md_starts() to reuse + /// the context for another digest operation with the same + /// algorithm. /// - /// \param p_rng The CTR_DRBG context. This must be a pointer to a - /// #mbedtls_ctr_drbg_context structure. - /// \param output The buffer to fill. - /// \param output_len The length of the buffer in bytes. - /// \param additional Additional data to update. Can be \c NULL, in which - /// case the additional data is empty regardless of - /// the value of \p add_len. - /// \param add_len The length of the additional data - /// if \p additional is not \c NULL. - /// This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT - /// and less than - /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len - /// where \c entropy_len is the entropy length - /// configured for the context. + /// \param ctx The generic message-digest context. + /// \param output The buffer for the generic message-digest checksum result. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or - /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. - pub fn mbedtls_ctr_drbg_random_with_add( - p_rng: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_finish( + ctx: *mut mbedtls_md_context_t, output: *mut ::core::ffi::c_uchar, - output_len: usize, - additional: *const ::core::ffi::c_uchar, - add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \param p_rng The CTR_DRBG context. This must be a pointer to a - /// #mbedtls_ctr_drbg_context structure. - /// \param output The buffer to fill. - /// \param output_len The length of the buffer in bytes. + /// \brief This function calculates the message-digest of a buffer, + /// with respect to a configurable message-digest algorithm + /// in a single call. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or - /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. - pub fn mbedtls_ctr_drbg_random( - p_rng: *mut ::core::ffi::c_void, + /// The result is calculated as + /// Output = message_digest(input buffer). + /// + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param input The buffer holding the data. + /// \param ilen The length of the input data. + /// \param output The generic message-digest checksum result. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md( + md_info: *const mbedtls_md_info_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, output: *mut ::core::ffi::c_uchar, - output_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief The CTR_DRBG checkup routine. + /// \brief This function returns the list of digests supported by the + /// generic digest module. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_ctr_drbg_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -///< Curve not defined. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_NONE: mbedtls_ecp_group_id = 0; -///< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192R1: mbedtls_ecp_group_id = 1; -///< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224R1: mbedtls_ecp_group_id = 2; -///< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256R1: mbedtls_ecp_group_id = 3; -///< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP384R1: mbedtls_ecp_group_id = 4; -///< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP521R1: mbedtls_ecp_group_id = 5; -///< Domain parameters for 256-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP256R1: mbedtls_ecp_group_id = 6; -///< Domain parameters for 384-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP384R1: mbedtls_ecp_group_id = 7; -///< Domain parameters for 512-bit Brainpool curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP512R1: mbedtls_ecp_group_id = 8; -///< Domain parameters for Curve25519. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE25519: mbedtls_ecp_group_id = 9; -///< Domain parameters for 192-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192K1: mbedtls_ecp_group_id = 10; -///< Domain parameters for 224-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224K1: mbedtls_ecp_group_id = 11; -///< Domain parameters for 256-bit "Koblitz" curve. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256K1: mbedtls_ecp_group_id = 12; -///< Domain parameters for Curve448. -pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE448: mbedtls_ecp_group_id = 13; -/// Domain-parameter identifiers: curve, subgroup, and generator. -/// -/// \note Only curves over prime fields are supported. -/// -/// \warning This library does not support validation of arbitrary domain -/// parameters. Therefore, only standardized domain parameters from trusted -/// sources should be used. See mbedtls_ecp_group_load(). -pub type mbedtls_ecp_group_id = ::core::ffi::c_uint; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_NONE: mbedtls_ecp_curve_type = 0; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: mbedtls_ecp_curve_type = 1; -pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_MONTGOMERY: mbedtls_ecp_curve_type = 2; -pub type mbedtls_ecp_curve_type = ::core::ffi::c_uint; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_NONE: mbedtls_ecp_modulus_type = 0; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_COORDINATE: mbedtls_ecp_modulus_type = 1; -pub const mbedtls_ecp_modulus_type_MBEDTLS_ECP_MOD_SCALAR: mbedtls_ecp_modulus_type = 2; -pub type mbedtls_ecp_modulus_type = ::core::ffi::c_uint; -/// Curve information, for use by other modules. -/// -/// The fields of this structure are part of the public API and can be -/// accessed directly by applications. Future versions of the library may -/// add extra fields or reorder existing fields. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_curve_info { - ///< An internal identifier. - pub grp_id: mbedtls_ecp_group_id, - ///< The TLS NamedCurve identifier. - pub tls_id: u16, - ///< The curve size in bits. - pub bit_size: u16, - ///< A human-friendly name. - pub name: *const ::core::ffi::c_char, + /// \note The list starts with the strongest available hashes. + /// + /// \return A statically allocated array of digests. Each element + /// in the returned list is an integer belonging to the + /// message-digest enumeration #mbedtls_md_type_t. + /// The last entry is 0. + pub fn mbedtls_md_list() -> *const ::core::ffi::c_int; } -impl Default for mbedtls_ecp_curve_info { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief This function returns the message-digest information + /// associated with the given digest name. + /// + /// \param md_name The name of the digest to search for. + /// + /// \return The message-digest information associated with \p md_name. + /// \return NULL if the associated message-digest information is not found. + pub fn mbedtls_md_info_from_string( + md_name: *const ::core::ffi::c_char, + ) -> *const mbedtls_md_info_t; } -/// \brief The ECP point structure, in Jacobian coordinates. -/// -/// \note All functions expect and return points satisfying -/// the following condition: Z == 0 or -/// Z == 1. Other values of \p Z are -/// used only by internal functions. -/// The point is zero, or "at infinity", if Z == 0. -/// Otherwise, \p X and \p Y are its standard (affine) -/// coordinates. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_point { - ///< The X coordinate of the ECP point. - pub private_X: mbedtls_mpi, - ///< The Y coordinate of the ECP point. - pub private_Y: mbedtls_mpi, - ///< The Z coordinate of the ECP point. - pub private_Z: mbedtls_mpi, -} -impl Default for mbedtls_ecp_point { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -/// \brief The ECP group structure. -/// -/// We consider two types of curve equations: -///
  • Short Weierstrass: y^2 = x^3 + A x + B mod P -/// (SEC1 + RFC-4492)
    • -///
  • Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, -/// Curve448)
-/// In both cases, the generator (\p G) for a prime-order subgroup is fixed. -/// -/// For Short Weierstrass, this subgroup is the whole curve, and its -/// cardinality is denoted by \p N. Our code requires that \p N is an -/// odd prime as mbedtls_ecp_mul() requires an odd number, and -/// mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. -/// -/// For Montgomery curves, we do not store \p A, but (A + 2) / 4, -/// which is the quantity used in the formulas. Additionally, \p nbits is -/// not the size of \p N but the required size for private keys. -/// -/// If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. -/// Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the -/// range of 0..2^(2*pbits)-1, and transforms it in-place to an integer -/// which is congruent mod \p P to the given MPI, and is close enough to \p pbits -/// in size, so that it may be efficiently brought in the 0..P-1 range by a few -/// additions or subtractions. Therefore, it is only an approximative modular -/// reduction. It must return 0 on success and non-zero on failure. -/// -/// \note Alternative implementations of the ECP module must obey the -/// following constraints. -/// * Group IDs must be distinct: if two group structures have -/// the same ID, then they must be identical. -/// * The fields \c id, \c P, \c A, \c B, \c G, \c N, -/// \c pbits and \c nbits must have the same type and semantics -/// as in the built-in implementation. -/// They must be available for reading, but direct modification -/// of these fields does not need to be supported. -/// They do not need to be at the same offset in the structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_group { - ///< An internal group identifier. - pub id: mbedtls_ecp_group_id, - ///< The prime modulus of the base field. - pub P: mbedtls_mpi, - ///< For Short Weierstrass: \p A in the equation. For - ///Montgomery curves: (A + 2) / 4. - pub A: mbedtls_mpi, - ///< For Short Weierstrass: \p B in the equation. - ///For Montgomery curves: unused. - pub B: mbedtls_mpi, - ///< The generator of the subgroup used. - pub G: mbedtls_ecp_point, - ///< The order of \p G. - pub N: mbedtls_mpi, - ///< The number of bits in \p P. - pub pbits: usize, - ///< For Short Weierstrass: The number of bits in \p P. - ///For Montgomery curves: the number of bits in the - ///private keys. - pub nbits: usize, - ///< \internal 1 if the constants are static. - pub private_h: ::core::ffi::c_uint, - ///< The function for fast pseudo-reduction - ///mod \p P (see above). - pub private_modp: - ::core::option::Option ::core::ffi::c_int>, - ///< Unused. - pub private_t_pre: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut mbedtls_ecp_point, - arg2: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int, - >, - ///< Unused. - pub private_t_post: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut mbedtls_ecp_point, - arg2: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int, - >, - ///< Unused. - pub private_t_data: *mut ::core::ffi::c_void, - ///< Pre-computed points for ecp_mul_comb(). - pub private_T: *mut mbedtls_ecp_point, - ///< The number of dynamic allocated pre-computed points. - pub private_T_size: usize, -} -impl Default for mbedtls_ecp_group { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -pub type mbedtls_ecp_restart_ctx = ::core::ffi::c_void; -/// \brief The ECP key-pair structure. -/// -/// A generic key-pair that may be used for ECDSA and fixed ECDH, for example. -/// -/// \note Members are deliberately in the same order as in the -/// ::mbedtls_ecdsa_context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecp_keypair { - ///< Elliptic curve and base point - pub private_grp: mbedtls_ecp_group, - ///< our secret value - pub private_d: mbedtls_mpi, - ///< our public value - pub private_Q: mbedtls_ecp_point, -} -impl Default for mbedtls_ecp_keypair { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - pub fn mbedtls_ecp_get_type(grp: *const mbedtls_ecp_group) -> mbedtls_ecp_curve_type; +unsafe extern "C" { + /// \brief This function returns the name of the message digest for + /// the message-digest information structure given. + /// + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// + /// \return The name of the message digest. + pub fn mbedtls_md_get_name(md_info: *const mbedtls_md_info_t) -> *const ::core::ffi::c_char; } unsafe extern "C" { - /// \brief This function retrieves the information defined in - /// mbedtls_ecp_curve_info() for all supported curves. + /// \brief This function returns the message-digest information + /// from the given context. /// - /// \note This function returns information about all curves - /// supported by the library. Some curves may not be - /// supported for all algorithms. Call mbedtls_ecdh_can_do() - /// or mbedtls_ecdsa_can_do() to check if a curve is - /// supported for ECDH or ECDSA. + /// \param ctx The context from which to extract the information. + /// This must be initialized (or \c NULL). /// - /// \return A statically allocated array. The last entry is 0. - pub fn mbedtls_ecp_curve_list() -> *const mbedtls_ecp_curve_info; + /// \return The message-digest information associated with \p ctx. + /// \return \c NULL if \p ctx is \c NULL. + pub fn mbedtls_md_info_from_ctx(ctx: *const mbedtls_md_context_t) -> *const mbedtls_md_info_t; } unsafe extern "C" { - /// \brief This function retrieves the list of internal group - /// identifiers of all supported curves in the order of - /// preference. + /// \brief This function sets the HMAC key and prepares to + /// authenticate a new message. /// - /// \note This function returns information about all curves - /// supported by the library. Some curves may not be - /// supported for all algorithms. Call mbedtls_ecdh_can_do() - /// or mbedtls_ecdsa_can_do() to check if a curve is - /// supported for ECDH or ECDSA. + /// Call this function after mbedtls_md_setup(), to use + /// the MD context for an HMAC calculation, then call + /// mbedtls_md_hmac_update() to provide the input data, and + /// mbedtls_md_hmac_finish() to get the HMAC value. /// - /// \return A statically allocated array, - /// terminated with MBEDTLS_ECP_DP_NONE. - pub fn mbedtls_ecp_grp_id_list() -> *const mbedtls_ecp_group_id; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param key The HMAC secret key. + /// \param keylen The length of the HMAC key in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_starts( + ctx: *mut mbedtls_md_context_t, + key: *const ::core::ffi::c_uchar, + keylen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from an internal - /// group identifier. + /// \brief This function feeds an input buffer into an ongoing HMAC + /// computation. /// - /// \param grp_id An \c MBEDTLS_ECP_DP_XXX value. + /// Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() + /// before calling this function. + /// You may call this function multiple times to pass the + /// input piecewise. + /// Afterwards, call mbedtls_md_hmac_finish(). /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_grp_id( - grp_id: mbedtls_ecp_group_id, - ) -> *const mbedtls_ecp_curve_info; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_update( + ctx: *mut mbedtls_md_context_t, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from a TLS - /// NamedCurve value. + /// \brief This function finishes the HMAC operation, and writes + /// the result to the output buffer. /// - /// \param tls_id An \c MBEDTLS_ECP_DP_XXX value. + /// Call this function after mbedtls_md_hmac_starts() and + /// mbedtls_md_hmac_update() to get the HMAC value. Afterwards + /// you may either call mbedtls_md_free() to clear the context, + /// or call mbedtls_md_hmac_reset() to reuse the context with + /// the same HMAC key. /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_tls_id(tls_id: u16) -> *const mbedtls_ecp_curve_info; + /// \param ctx The message digest context containing an embedded HMAC + /// context. + /// \param output The generic HMAC checksum result. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_finish( + ctx: *mut mbedtls_md_context_t, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves curve information from a - /// human-readable name. + /// \brief This function prepares to authenticate a new message with + /// the same key as the previous HMAC operation. /// - /// \param name The human-readable name. + /// You may call this function after mbedtls_md_hmac_finish(). + /// Afterwards call mbedtls_md_hmac_update() to pass the new + /// input. /// - /// \return The associated curve information on success. - /// \return NULL on failure. - pub fn mbedtls_ecp_curve_info_from_name( - name: *const ::core::ffi::c_char, - ) -> *const mbedtls_ecp_curve_info; -} -unsafe extern "C" { - /// \brief This function initializes a point as zero. + /// \param ctx The message digest context containing an embedded HMAC + /// context. /// - /// \param pt The point to initialize. - pub fn mbedtls_ecp_point_init(pt: *mut mbedtls_ecp_point); + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac_reset(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function initializes an ECP group context - /// without loading any domain parameters. + /// \brief This function calculates the full generic HMAC + /// on the input buffer with the provided key. /// - /// \note After this function is called, domain parameters - /// for various ECP groups can be loaded through the - /// mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() - /// functions. - pub fn mbedtls_ecp_group_init(grp: *mut mbedtls_ecp_group); -} -unsafe extern "C" { - /// \brief This function initializes a key pair as an invalid one. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// \param key The key pair to initialize. - pub fn mbedtls_ecp_keypair_init(key: *mut mbedtls_ecp_keypair); -} -unsafe extern "C" { - /// \brief This function frees the components of a point. + /// The HMAC result is calculated as + /// output = generic HMAC(hmac key, input buffer). /// - /// \param pt The point to free. - pub fn mbedtls_ecp_point_free(pt: *mut mbedtls_ecp_point); -} -unsafe extern "C" { - /// \brief This function frees the components of an ECP group. + /// \param md_info The information structure of the message-digest algorithm + /// to use. + /// \param key The HMAC secret key. + /// \param keylen The length of the HMAC secret key in Bytes. + /// \param input The buffer holding the input data. + /// \param ilen The length of the input data. + /// \param output The generic HMAC result. /// - /// \param grp The group to free. This may be \c NULL, in which - /// case this function returns immediately. If it is not - /// \c NULL, it must point to an initialized ECP group. - pub fn mbedtls_ecp_group_free(grp: *mut mbedtls_ecp_group); + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification + /// failure. + pub fn mbedtls_md_hmac( + md_info: *const mbedtls_md_info_t, + key: *const ::core::ffi::c_uchar, + keylen: usize, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief This function frees the components of a key pair. - /// - /// \param key The key pair to free. This may be \c NULL, in which - /// case this function returns immediately. If it is not - /// \c NULL, it must point to an initialized ECP key pair. - pub fn mbedtls_ecp_keypair_free(key: *mut mbedtls_ecp_keypair); +/// \brief Entropy poll callback pointer +/// +/// \param data Callback-specific data pointer +/// \param output Data to fill +/// \param len Maximum size to provide +/// \param olen The actual amount of bytes put into the buffer (Can be 0) +/// +/// \return 0 if no critical failures occurred, +/// MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise +pub type mbedtls_entropy_f_source_ptr = ::core::option::Option< + unsafe extern "C" fn( + data: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + ) -> ::core::ffi::c_int, +>; +/// \brief Entropy source state +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_entropy_source_state { + ///< The entropy source callback + pub private_f_source: mbedtls_entropy_f_source_ptr, + ///< The callback data pointer + pub private_p_source: *mut ::core::ffi::c_void, + ///< Amount received in bytes + pub private_size: usize, + ///< Minimum bytes required before release + pub private_threshold: usize, + ///< Is the source strong? + pub private_strong: ::core::ffi::c_int, } -unsafe extern "C" { - /// \brief This function copies the contents of point \p Q into - /// point \p P. - /// - /// \param P The destination point. This must be initialized. - /// \param Q The source point. This must be initialized. - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code for other kinds of failure. - pub fn mbedtls_ecp_copy( - P: *mut mbedtls_ecp_point, - Q: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_entropy_source_state { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +/// \brief Entropy context structure +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_entropy_context { + pub private_accumulator: mbedtls_md_context_t, + pub private_accumulator_started: ::core::ffi::c_int, + pub private_source_count: ::core::ffi::c_int, + pub private_source: [mbedtls_entropy_source_state; 20usize], +} +impl Default for mbedtls_entropy_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief This function copies the contents of group \p src into - /// group \p dst. - /// - /// \param dst The destination group. This must be initialized. - /// \param src The source group. This must be initialized. + /// \brief Initialize the context /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_group_copy( - dst: *mut mbedtls_ecp_group, - src: *const mbedtls_ecp_group, - ) -> ::core::ffi::c_int; + /// \param ctx Entropy context to initialize + pub fn mbedtls_entropy_init(ctx: *mut mbedtls_entropy_context); } unsafe extern "C" { - /// \brief This function sets a point to the point at infinity. - /// - /// \param pt The point to set. This must be initialized. + /// \brief Free the data in the context /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_set_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; + /// \param ctx Entropy context to free + pub fn mbedtls_entropy_free(ctx: *mut mbedtls_entropy_context); } unsafe extern "C" { - /// \brief This function checks if a point is the point at infinity. + /// \brief Adds an entropy source to poll + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param pt The point to test. This must be initialized. + /// \param ctx Entropy context + /// \param f_source Entropy function + /// \param p_source Function data + /// \param threshold Minimum required from source before entropy is released + /// ( with mbedtls_entropy_func() ) (in bytes) + /// \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or + /// MBEDTLS_ENTROPY_SOURCE_WEAK. + /// At least one strong source needs to be added. + /// Weaker sources (such as the cycle counter) can be used as + /// a complement. /// - /// \return \c 1 if the point is zero. - /// \return \c 0 if the point is non-zero. - /// \return A negative error code on failure. - pub fn mbedtls_ecp_is_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; + /// \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES + pub fn mbedtls_entropy_add_source( + ctx: *mut mbedtls_entropy_context, + f_source: mbedtls_entropy_f_source_ptr, + p_source: *mut ::core::ffi::c_void, + threshold: usize, + strong: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function compares two points. - /// - /// \note This assumes that the points are normalized. Otherwise, - /// they may compare as "not equal" even if they are. + /// \brief Trigger an extra gather poll for the accumulator + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param P The first point to compare. This must be initialized. - /// \param Q The second point to compare. This must be initialized. + /// \param ctx Entropy context /// - /// \return \c 0 if the points are equal. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal. - pub fn mbedtls_ecp_point_cmp( - P: *const mbedtls_ecp_point, - Q: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; + /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + pub fn mbedtls_entropy_gather(ctx: *mut mbedtls_entropy_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports a non-zero point from two ASCII - /// strings. + /// \brief Retrieve entropy from the accumulator + /// (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE) + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param P The destination point. This must be initialized. - /// \param radix The numeric base of the input. - /// \param x The first affine coordinate, as a null-terminated string. - /// \param y The second affine coordinate, as a null-terminated string. + /// \param data Entropy context + /// \param output Buffer to fill + /// \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_MPI_XXX error code on failure. - pub fn mbedtls_ecp_point_read_string( - P: *mut mbedtls_ecp_point, - radix: ::core::ffi::c_int, - x: *const ::core::ffi::c_char, - y: *const ::core::ffi::c_char, + /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + pub fn mbedtls_entropy_func( + data: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports a point into unsigned binary data. + /// \brief Add data to the accumulator manually + /// (Thread-safe if MBEDTLS_THREADING_C is enabled) /// - /// \param grp The group to which the point should belong. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param P The point to export. This must be initialized. - /// \param format The point format. This must be either - /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. - /// (For groups without these formats, this parameter is - /// ignored. But it still has to be either of the above - /// values.) - /// \param olen The address at which to store the length of - /// the output in Bytes. This must not be \c NULL. - /// \param buf The output buffer. This must be a writable buffer - /// of length \p buflen Bytes. - /// \param buflen The length of the output buffer \p buf in Bytes. + /// \param ctx Entropy context + /// \param data Data to add + /// \param len Length of data /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer - /// is too small to hold the point. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format - /// or the export for the given group is not implemented. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_point_write_binary( - grp: *const mbedtls_ecp_group, - P: *const mbedtls_ecp_point, - format: ::core::ffi::c_int, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - buflen: usize, + /// \return 0 if successful + pub fn mbedtls_entropy_update_manual( + ctx: *mut mbedtls_entropy_context, + data: *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports a point from unsigned binary data. + /// \brief Checkup routine /// - /// \note This function does not check that the point actually - /// belongs to the given group, see mbedtls_ecp_check_pubkey() - /// for that. + /// This module self-test also calls the entropy self-test, + /// mbedtls_entropy_source_self_test(); /// - /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for - /// limitations. + /// \return 0 if successful, or 1 if a test failed + pub fn mbedtls_entropy_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief The CTR_DRBG context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ctr_drbg_context { + ///< The counter (V). + pub private_counter: [::core::ffi::c_uchar; 16usize], + ///< The reseed counter. + /// This is the number of requests that have + /// been made since the last (re)seeding, + /// minus one. + /// Before the initial seeding, this field + /// contains the amount of entropy in bytes + /// to use as a nonce for the initial seeding, + /// or -1 if no nonce length has been explicitly + /// set (see mbedtls_ctr_drbg_set_nonce_len()). + pub private_reseed_counter: ::core::ffi::c_int, + ///< This determines whether prediction + ///resistance is enabled, that is + ///whether to systematically reseed before + ///each random generation. + pub private_prediction_resistance: ::core::ffi::c_int, + ///< The amount of entropy grabbed on each + ///seed or reseed operation, in bytes. + pub private_entropy_len: usize, + ///< The reseed interval. + /// This is the maximum number of requests + /// that can be made between reseedings. + pub private_reseed_interval: ::core::ffi::c_int, + ///< The AES context. + pub private_aes_ctx: mbedtls_aes_context, + pub private_f_entropy: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut ::core::ffi::c_void, + arg2: *mut ::core::ffi::c_uchar, + arg3: usize, + ) -> ::core::ffi::c_int, + >, + ///< The context for the entropy function. + pub private_p_entropy: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_ctr_drbg_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes the CTR_DRBG context, + /// and prepares it for mbedtls_ctr_drbg_seed() + /// or mbedtls_ctr_drbg_free(). /// - /// \param grp The group to which the point should belong. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param P The destination context to import the point to. - /// This must be initialized. - /// \param buf The input buffer. This must be a readable buffer - /// of length \p ilen Bytes. - /// \param ilen The length of the input buffer \p buf in Bytes. + /// \note The reseed interval is + /// #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default. + /// You can override it by calling + /// mbedtls_ctr_drbg_set_reseed_interval(). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the - /// given group is not implemented. - pub fn mbedtls_ecp_point_read_binary( - grp: *const mbedtls_ecp_group, - P: *mut mbedtls_ecp_point, - buf: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context to initialize. + pub fn mbedtls_ctr_drbg_init(ctx: *mut mbedtls_ctr_drbg_context); } unsafe extern "C" { - /// \brief This function imports a point from a TLS ECPoint record. + /// - The \p custom string. /// - /// \note On function return, \p *buf is updated to point immediately - /// after the ECPoint record. + /// \note To achieve the nominal security strength permitted + /// by CTR_DRBG, the entropy length must be: + /// - at least 16 bytes for a 128-bit strength + /// (maximum achievable strength when using AES-128); + /// - at least 32 bytes for a 256-bit strength + /// (maximum achievable strength when using AES-256). /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The destination point. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the buffer. + /// In addition, if you do not pass a nonce in \p custom, + /// the sum of the entropy length + /// and the entropy nonce length must be: + /// - at least 24 bytes for a 128-bit strength + /// (maximum achievable strength when using AES-128); + /// - at least 48 bytes for a 256-bit strength + /// (maximum achievable strength when using AES-256). /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization - /// failure. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - pub fn mbedtls_ecp_tls_read_point( - grp: *const mbedtls_ecp_group, - pt: *mut mbedtls_ecp_point, - buf: *mut *const ::core::ffi::c_uchar, + /// \param ctx The CTR_DRBG context to seed. + /// It must have been initialized with + /// mbedtls_ctr_drbg_init(). + /// After a successful call to mbedtls_ctr_drbg_seed(), + /// you may not call mbedtls_ctr_drbg_seed() again on + /// the same context unless you call + /// mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init() + /// again first. + /// After a failed call to mbedtls_ctr_drbg_seed(), + /// you must call mbedtls_ctr_drbg_free(). + /// \param f_entropy The entropy callback, taking as arguments the + /// \p p_entropy context, the buffer to fill, and the + /// length of the buffer. + /// \p f_entropy is always called with a buffer size + /// less than or equal to the entropy length. + /// \param p_entropy The entropy context to pass to \p f_entropy. + /// \param custom The personalization string. + /// This can be \c NULL, in which case the personalization + /// string is empty regardless of the value of \p len. + /// \param len The length of the personalization string. + /// This must be at most + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// - #MBEDTLS_CTR_DRBG_ENTROPY_LEN. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. + pub fn mbedtls_ctr_drbg_seed( + ctx: *mut mbedtls_ctr_drbg_context, + f_entropy: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut ::core::ffi::c_void, + arg2: *mut ::core::ffi::c_uchar, + arg3: usize, + ) -> ::core::ffi::c_int, + >, + p_entropy: *mut ::core::ffi::c_void, + custom: *const ::core::ffi::c_uchar, len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports a point as a TLS ECPoint record - /// defined in RFC 4492, Section 5.4. - /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The point to be exported. This must be initialized. - /// \param format The point format to use. This must be either - /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. - /// \param olen The address at which to store the length in Bytes - /// of the data written. - /// \param buf The target buffer. This must be a writable buffer of - /// length \p blen Bytes. - /// \param blen The length of the target buffer \p buf in Bytes. + /// \brief This function resets CTR_DRBG context to the state immediately + /// after initial call of mbedtls_ctr_drbg_init(). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer - /// is too small to hold the exported point. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_write_point( - grp: *const mbedtls_ecp_group, - pt: *const mbedtls_ecp_point, - format: ::core::ffi::c_int, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - blen: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context to clear. + pub fn mbedtls_ctr_drbg_free(ctx: *mut mbedtls_ctr_drbg_context); } unsafe extern "C" { - /// \brief This function sets up an ECP group context - /// from a standardized set of domain parameters. - /// - /// \note The index should be a value of the NamedCurve enum, - /// as defined in RFC-4492: Elliptic Curve Cryptography - /// (ECC) Cipher Suites for Transport Layer Security (TLS), - /// usually in the form of an \c MBEDTLS_ECP_DP_XXX macro. + /// \brief This function turns prediction resistance on or off. + /// The default value is off. /// - /// \param grp The group context to setup. This must be initialized. - /// \param id The identifier of the domain parameter set to load. + /// \note If enabled, entropy is gathered at the beginning of + /// every call to mbedtls_ctr_drbg_random_with_add() + /// or mbedtls_ctr_drbg_random(). + /// Only use this if your entropy source has sufficient + /// throughput. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't - /// correspond to a known group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_group_load( - grp: *mut mbedtls_ecp_group, - id: mbedtls_ecp_group_id, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context. + /// \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF. + pub fn mbedtls_ctr_drbg_set_prediction_resistance( + ctx: *mut mbedtls_ctr_drbg_context, + resistance: ::core::ffi::c_int, + ); } unsafe extern "C" { - /// \brief This function sets up an ECP group context from a TLS - /// ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the amount of entropy grabbed on each + /// seed or reseed. /// - /// \note The read pointer \p buf is updated to point right after - /// the ECParameters record on exit. + /// The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN. /// - /// \param grp The group context to setup. This must be initialized. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the input buffer \c *buf in Bytes. + /// \note The security strength of CTR_DRBG is bounded by the + /// entropy length. Thus: + /// - When using AES-256 + /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled, + /// which is the default), + /// \p len must be at least 32 (in bytes) + /// to achieve a 256-bit strength. + /// - When using AES-128 + /// (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) + /// \p len must be at least 16 (in bytes) + /// to achieve a 128-bit strength. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not - /// recognized. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_read_group( - grp: *mut mbedtls_ecp_group, - buf: *mut *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The CTR_DRBG context. + /// \param len The amount of entropy to grab, in bytes. + /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// and at most the maximum length accepted by the + /// entropy function that is set in the context. + pub fn mbedtls_ctr_drbg_set_entropy_len(ctx: *mut mbedtls_ctr_drbg_context, len: usize); } unsafe extern "C" { - /// \brief This function extracts an elliptic curve group ID from a - /// TLS ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the amount of entropy grabbed + /// as a nonce for the initial seeding. /// - /// \note The read pointer \p buf is updated to point right after - /// the ECParameters record on exit. + /// Call this function before calling mbedtls_ctr_drbg_seed() to read + /// a nonce from the entropy source during the initial seeding. /// - /// \param grp The address at which to store the group id. - /// This must not be \c NULL. - /// \param buf The address of the pointer to the start of the input buffer. - /// \param len The length of the input buffer \c *buf in Bytes. + /// \param ctx The CTR_DRBG context. + /// \param len The amount of entropy to grab for the nonce, in bytes. + /// This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + /// and at most the maximum length accepted by the + /// entropy function that is set in the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not - /// recognized. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_read_group_id( - grp: *mut mbedtls_ecp_group_id, - buf: *mut *const ::core::ffi::c_uchar, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is + /// more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED + /// if the initial seeding has already taken place. + pub fn mbedtls_ctr_drbg_set_nonce_len( + ctx: *mut mbedtls_ctr_drbg_context, len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports an elliptic curve as a TLS - /// ECParameters record as defined in RFC 4492, Section 5.4. + /// \brief This function sets the reseed interval. /// - /// \param grp The ECP group to be exported. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param olen The address at which to store the number of Bytes written. - /// This must not be \c NULL. - /// \param buf The buffer to write to. This must be a writable buffer - /// of length \p blen Bytes. - /// \param blen The length of the output buffer \p buf in Bytes. + /// The reseed interval is the number of calls to mbedtls_ctr_drbg_random() + /// or mbedtls_ctr_drbg_random_with_add() after which the entropy function + /// is called again. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output - /// buffer is too small to hold the exported group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_tls_write_group( - grp: *const mbedtls_ecp_group, - olen: *mut usize, - buf: *mut ::core::ffi::c_uchar, - blen: usize, - ) -> ::core::ffi::c_int; + /// The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL. + /// + /// \param ctx The CTR_DRBG context. + /// \param interval The reseed interval. + pub fn mbedtls_ctr_drbg_set_reseed_interval( + ctx: *mut mbedtls_ctr_drbg_context, + interval: ::core::ffi::c_int, + ); } unsafe extern "C" { - /// \brief This function performs a scalar multiplication of a point - /// by an integer: \p R = \p m * \p P. - /// - /// It is not thread-safe to use same group in multiple threads. + /// \brief This function reseeds the CTR_DRBG context, that is + /// extracts data from the entropy source. /// - /// \note To prevent timing attacks, this function - /// executes the exact same sequence of base-field - /// operations for any valid \p m. It avoids any if-branch or - /// array index depending on the value of \p m. It also uses - /// \p f_rng to randomize some intermediate results. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply. This must be initialized. - /// \param P The point to multiply. This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. + /// \param ctx The CTR_DRBG context. + /// \param additional Additional data to add to the state. Can be \c NULL. + /// \param len The length of the additional data. + /// This must be less than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length + /// configured for the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private - /// key, or \p P is not a valid public key. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_mul( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. + pub fn mbedtls_ctr_drbg_reseed( + ctx: *mut mbedtls_ctr_drbg_context, + additional: *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication of a point by - /// an integer: \p R = \p m * \p P in a restartable way. - /// - /// \see mbedtls_ecp_mul() + /// \brief This function updates the state of the CTR_DRBG context. /// - /// \note This function does the same as \c mbedtls_ecp_mul(), but - /// it can return early and restart according to the limit set - /// with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply. This must be initialized. - /// \param P The point to multiply. This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. - /// \param rs_ctx The restart context (NULL disables restart). + /// \param ctx The CTR_DRBG context. + /// \param additional The data to update the state with. This must not be + /// \c NULL unless \p add_len is \c 0. + /// \param add_len Length of \p additional in bytes. This must be at + /// most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private - /// key, or \p P is not a valid public key. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_mul_restartable( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecp_restart_ctx, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if + /// \p add_len is more than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT. + /// \return An error from the underlying AES cipher on failure. + pub fn mbedtls_ctr_drbg_update( + ctx: *mut mbedtls_ctr_drbg_context, + additional: *const ::core::ffi::c_uchar, + add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication and addition of two - /// points by integers: \p R = \p m * \p P + \p n * \p Q - /// - /// It is not thread-safe to use same group in multiple threads. + /// \brief This function updates a CTR_DRBG instance with additional + /// data and uses it to generate random data. /// - /// \note In contrast to mbedtls_ecp_mul(), this function does not - /// guarantee a constant execution flow and timing. + /// This function automatically reseeds if the reseed counter is exceeded + /// or prediction resistance is enabled. /// - /// \note This function is only defined for short Weierstrass curves. - /// It may not be included in builds without any short - /// Weierstrass curve. + /// \note This function is not thread-safe. It is not safe + /// to call this function if another thread might be + /// concurrently obtaining random numbers from the same + /// context or updating or reseeding the same context. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply \p P. - /// This must be initialized. - /// \param P The point to multiply by \p m. This must be initialized. - /// \param n The integer by which to multiply \p Q. - /// This must be initialized. - /// \param Q The point to be multiplied by \p n. - /// This must be initialized. + /// \param p_rng The CTR_DRBG context. This must be a pointer to a + /// #mbedtls_ctr_drbg_context structure. + /// \param output The buffer to fill. + /// \param output_len The length of the buffer in bytes. + /// \param additional Additional data to update. Can be \c NULL, in which + /// case the additional data is empty regardless of + /// the value of \p add_len. + /// \param add_len The length of the additional data + /// if \p additional is not \c NULL. + /// This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT + /// and less than + /// #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length + /// configured for the context. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not - /// valid private keys, or \p P or \p Q are not valid public - /// keys. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not - /// designate a short Weierstrass curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_muladd( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - n: *const mbedtls_mpi, - Q: *const mbedtls_ecp_point, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. + pub fn mbedtls_ctr_drbg_random_with_add( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_len: usize, + additional: *const ::core::ffi::c_uchar, + add_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs multiplication and addition of two - /// points by integers: \p R = \p m * \p P + \p n * \p Q in a - /// restartable way. + /// \param p_rng The CTR_DRBG context. This must be a pointer to a + /// #mbedtls_ctr_drbg_context structure. + /// \param output The buffer to fill. + /// \param output_len The length of the buffer in bytes. /// - /// \see \c mbedtls_ecp_muladd() + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + /// #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. + pub fn mbedtls_ctr_drbg_random( + p_rng: *mut ::core::ffi::c_void, + output: *mut ::core::ffi::c_uchar, + output_len: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The CTR_DRBG checkup routine. /// - /// \note This function works the same as \c mbedtls_ecp_muladd(), - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. - /// - /// \note This function is only defined for short Weierstrass curves. - /// It may not be included in builds without any short - /// Weierstrass curve. - /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param R The point in which to store the result of the calculation. - /// This must be initialized. - /// \param m The integer by which to multiply \p P. - /// This must be initialized. - /// \param P The point to multiply by \p m. This must be initialized. - /// \param n The integer by which to multiply \p Q. - /// This must be initialized. - /// \param Q The point to be multiplied by \p n. - /// This must be initialized. - /// \param rs_ctx The restart context (NULL disables restart). - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not - /// valid private keys, or \p P or \p Q are not valid public - /// keys. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not - /// designate a short Weierstrass curve. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_muladd_restartable( - grp: *mut mbedtls_ecp_group, - R: *mut mbedtls_ecp_point, - m: *const mbedtls_mpi, - P: *const mbedtls_ecp_point, - n: *const mbedtls_mpi, - Q: *const mbedtls_ecp_point, - rs_ctx: *mut mbedtls_ecp_restart_ctx, - ) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_ctr_drbg_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief This function checks that a point is a valid public key - /// on this curve. - /// - /// It only checks that the point is non-zero, has - /// valid coordinates and lies on the curve. It does not verify - /// that it is indeed a multiple of \p G. This additional - /// check is computationally more expensive, is not required - /// by standards, and should not be necessary if the group - /// used has a small cofactor. In particular, it is useless for - /// the NIST groups which all have a cofactor of 1. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure, to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group the point should belong to. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param pt The point to check. This must be initialized. - /// - /// \return \c 0 if the point is a valid public key. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not - /// a valid public key for the given curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_check_pubkey( - grp: *const mbedtls_ecp_group, - pt: *const mbedtls_ecp_point, - ) -> ::core::ffi::c_int; +///< Curve not defined. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_NONE: mbedtls_ecp_group_id = 0; +///< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192R1: mbedtls_ecp_group_id = 1; +///< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224R1: mbedtls_ecp_group_id = 2; +///< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256R1: mbedtls_ecp_group_id = 3; +///< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP384R1: mbedtls_ecp_group_id = 4; +///< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP521R1: mbedtls_ecp_group_id = 5; +///< Domain parameters for 256-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP256R1: mbedtls_ecp_group_id = 6; +///< Domain parameters for 384-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP384R1: mbedtls_ecp_group_id = 7; +///< Domain parameters for 512-bit Brainpool curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_BP512R1: mbedtls_ecp_group_id = 8; +///< Domain parameters for Curve25519. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE25519: mbedtls_ecp_group_id = 9; +///< Domain parameters for 192-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP192K1: mbedtls_ecp_group_id = 10; +///< Domain parameters for 224-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP224K1: mbedtls_ecp_group_id = 11; +///< Domain parameters for 256-bit "Koblitz" curve. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_SECP256K1: mbedtls_ecp_group_id = 12; +///< Domain parameters for Curve448. +pub const mbedtls_ecp_group_id_MBEDTLS_ECP_DP_CURVE448: mbedtls_ecp_group_id = 13; +/// Domain-parameter identifiers: curve, subgroup, and generator. +/// +/// \note Only curves over prime fields are supported. +/// +/// \warning This library does not support validation of arbitrary domain +/// parameters. Therefore, only standardized domain parameters from trusted +/// sources should be used. See mbedtls_ecp_group_load(). +pub type mbedtls_ecp_group_id = ::core::ffi::c_uint; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_NONE: mbedtls_ecp_curve_type = 0; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: mbedtls_ecp_curve_type = 1; +pub const mbedtls_ecp_curve_type_MBEDTLS_ECP_TYPE_MONTGOMERY: mbedtls_ecp_curve_type = 2; +pub type mbedtls_ecp_curve_type = ::core::ffi::c_uint; +/// Curve information, for use by other modules. +/// +/// The fields of this structure are part of the public API and can be +/// accessed directly by applications. Future versions of the library may +/// add extra fields or reorder existing fields. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_curve_info { + ///< An internal identifier. + pub grp_id: mbedtls_ecp_group_id, + ///< The TLS NamedCurve identifier. + pub tls_id: u16, + ///< The curve size in bits. + pub bit_size: u16, + ///< A human-friendly name. + pub name: *const ::core::ffi::c_char, } -unsafe extern "C" { - /// \brief This function checks that an \p mbedtls_mpi is a - /// valid private key for this curve. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group the private key should belong to. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The integer to check. This must be initialized. - /// - /// \return \c 0 if the point is a valid private key. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid - /// private key for the given curve. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_check_privkey( - grp: *const mbedtls_ecp_group, - d: *const mbedtls_mpi, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_ecp_curve_info { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief This function generates a private key. - /// - /// \param grp The ECP group to generate a private key for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The destination MPI (secret part). This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context argument. - /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_privkey( - grp: *const mbedtls_ecp_group, - d: *mut mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; +/// \brief The ECP point structure, in Jacobian coordinates. +/// +/// \note All functions expect and return points satisfying +/// the following condition: Z == 0 or +/// Z == 1. Other values of \p Z are +/// used only by internal functions. +/// The point is zero, or "at infinity", if Z == 0. +/// Otherwise, \p X and \p Y are its standard (affine) +/// coordinates. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_point { + ///< The X coordinate of the ECP point. + pub private_X: mbedtls_mpi, + ///< The Y coordinate of the ECP point. + pub private_Y: mbedtls_mpi, + ///< The Z coordinate of the ECP point. + pub private_Z: mbedtls_mpi, } -unsafe extern "C" { - /// \brief This function generates a keypair with a configurable base - /// point. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group to generate a key pair for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param G The base point to use. This must be initialized - /// and belong to \p grp. It replaces the default base - /// point \c grp->G used by mbedtls_ecp_gen_keypair(). - /// \param d The destination MPI (secret part). - /// This must be initialized. - /// \param Q The destination point (public part). - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_keypair_base( - grp: *mut mbedtls_ecp_group, - G: *const mbedtls_ecp_point, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; +impl Default for mbedtls_ecp_point { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief This function generates an ECP keypair. - /// - /// \note This function uses bare components rather than an - /// ::mbedtls_ecp_keypair structure to ease use with other - /// structures, such as ::mbedtls_ecdh_context or - /// ::mbedtls_ecdsa_context. - /// - /// \param grp The ECP group to generate a key pair for. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param d The destination MPI (secret part). - /// This must be initialized. - /// \param Q The destination point (public part). - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. +/// \brief The ECP group structure. +/// +/// We consider two types of curve equations: +///
  • Short Weierstrass: y^2 = x^3 + A x + B mod P +/// (SEC1 + RFC-4492)
    • +///
  • Montgomery: y^2 = x^3 + A x^2 + x mod P (Curve25519, +/// Curve448)
+/// In both cases, the generator (\p G) for a prime-order subgroup is fixed. +/// +/// For Short Weierstrass, this subgroup is the whole curve, and its +/// cardinality is denoted by \p N. Our code requires that \p N is an +/// odd prime as mbedtls_ecp_mul() requires an odd number, and +/// mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. +/// +/// The default implementation only initializes \p A without setting it to the +/// authentic value for curves with A = -3(SECP256R1, etc), in which +/// case you need to load \p A by yourself when using domain parameters directly, +/// for example: +/// \code +/// mbedtls_mpi_init(&A); +/// mbedtls_ecp_group_init(&grp); +/// CHECK_RETURN(mbedtls_ecp_group_load(&grp, grp_id)); +/// if (mbedtls_ecp_group_a_is_minus_3(&grp)) { +/// CHECK_RETURN(mbedtls_mpi_sub_int(&A, &grp.P, 3)); +/// } else { +/// CHECK_RETURN(mbedtls_mpi_copy(&A, &grp.A)); +/// } +/// +/// do_something_with_a(&A); +/// +/// cleanup: +/// mbedtls_mpi_free(&A); +/// mbedtls_ecp_group_free(&grp); +/// \endcode +/// +/// For Montgomery curves, we do not store \p A, but (A + 2) / 4, +/// which is the quantity used in the formulas. Additionally, \p nbits is +/// not the size of \p N but the required size for private keys. +/// +/// If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. +/// Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the +/// range of 0..2^(2*pbits)-1, and transforms it in-place to an integer +/// which is congruent mod \p P to the given MPI, and is close enough to \p pbits +/// in size, so that it may be efficiently brought in the 0..P-1 range by a few +/// additions or subtractions. Therefore, it is only an approximate modular +/// reduction. It must return 0 on success and non-zero on failure. +/// +/// \note Alternative implementations of the ECP module must obey the +/// following constraints. +/// * Group IDs must be distinct: if two group structures have +/// the same ID, then they must be identical. +/// * The fields \c id, \c P, \c A, \c B, \c G, \c N, +/// \c pbits and \c nbits must have the same type and semantics +/// as in the built-in implementation. +/// They must be available for reading, but direct modification +/// of these fields does not need to be supported. +/// They do not need to be at the same offset in the structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_group { + ///< An internal group identifier. + pub id: mbedtls_ecp_group_id, + ///< The prime modulus of the base field. + pub P: mbedtls_mpi, + ///< For Short Weierstrass: \p A in the equation. Note that + ///\p A is not set to the authentic value in some cases. + ///Refer to detailed description of ::mbedtls_ecp_group if + ///using domain parameters in the structure. + ///For Montgomery curves: (A + 2) / 4. + pub A: mbedtls_mpi, + ///< For Short Weierstrass: \p B in the equation. + ///For Montgomery curves: unused. + pub B: mbedtls_mpi, + ///< The generator of the subgroup used. + pub G: mbedtls_ecp_point, + ///< The order of \p G. + pub N: mbedtls_mpi, + ///< The number of bits in \p P. + pub pbits: usize, + ///< For Short Weierstrass: The number of bits in \p P. + ///For Montgomery curves: the number of bits in the + ///private keys. + pub nbits: usize, + ///< \internal 1 if the constants are static. + pub private_h: ::core::ffi::c_uint, + ///< The function for fast pseudo-reduction + ///mod \p P (see above). + pub private_modp: + ::core::option::Option ::core::ffi::c_int>, + ///< Unused. + pub private_t_pre: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut mbedtls_ecp_point, + arg2: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int, + >, + ///< Unused. + pub private_t_post: ::core::option::Option< + unsafe extern "C" fn( + arg1: *mut mbedtls_ecp_point, + arg2: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int, + >, + ///< Unused. + pub private_t_data: *mut ::core::ffi::c_void, + ///< Pre-computed points for ecp_mul_comb(). + pub private_T: *mut mbedtls_ecp_point, + ///< The number of dynamic allocated pre-computed points. + pub private_T_size: usize, +} +impl Default for mbedtls_ecp_group { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub type mbedtls_ecp_restart_ctx = ::core::ffi::c_void; +/// \brief The ECP key-pair structure. +/// +/// A generic key-pair that may be used for ECDSA and fixed ECDH, for example. +/// +/// \note Members are deliberately in the same order as in the +/// ::mbedtls_ecdsa_context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecp_keypair { + ///< Elliptic curve and base point + pub private_grp: mbedtls_ecp_group, + ///< our secret value + pub private_d: mbedtls_mpi, + ///< our public value + pub private_Q: mbedtls_ecp_point, +} +impl Default for mbedtls_ecp_keypair { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + pub fn mbedtls_ecp_get_type(grp: *const mbedtls_ecp_group) -> mbedtls_ecp_curve_type; +} +unsafe extern "C" { + /// \brief This function retrieves the information defined in + /// mbedtls_ecp_curve_info() for all supported curves. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_keypair( - grp: *mut mbedtls_ecp_group, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \note This function returns information about all curves + /// supported by the library. Some curves may not be + /// supported for all algorithms. Call mbedtls_ecdh_can_do() + /// or mbedtls_ecdsa_can_do() to check if a curve is + /// supported for ECDH or ECDSA. + /// + /// \return A statically allocated array. The last entry is 0. + pub fn mbedtls_ecp_curve_list() -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function generates an ECP key. + /// \brief This function retrieves the list of internal group + /// identifiers of all supported curves in the order of + /// preference. /// - /// \param grp_id The ECP group identifier. - /// \param key The destination key. This must be initialized. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. + /// \note This function returns information about all curves + /// supported by the library. Some curves may not be + /// supported for all algorithms. Call mbedtls_ecdh_can_do() + /// or mbedtls_ecdsa_can_do() to check if a curve is + /// supported for ECDH or ECDSA. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code - /// on failure. - pub fn mbedtls_ecp_gen_key( - grp_id: mbedtls_ecp_group_id, - key: *mut mbedtls_ecp_keypair, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \return A statically allocated array, + /// terminated with MBEDTLS_ECP_DP_NONE. + pub fn mbedtls_ecp_grp_id_list() -> *const mbedtls_ecp_group_id; } unsafe extern "C" { - /// \brief This function reads an elliptic curve private key. + /// \brief This function retrieves curve information from an internal + /// group identifier. /// - /// \param grp_id The ECP group identifier. - /// \param key The destination key. - /// \param buf The buffer containing the binary representation of the - /// key. (Big endian integer for Weierstrass curves, byte - /// string for Montgomery curves.) - /// \param buflen The length of the buffer in bytes. + /// \param grp_id An \c MBEDTLS_ECP_DP_XXX value. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is - /// invalid. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for - /// the group is not implemented. - /// \return Another negative error code on different kinds of failure. - pub fn mbedtls_ecp_read_key( + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_grp_id( grp_id: mbedtls_ecp_group_id, - key: *mut mbedtls_ecp_keypair, - buf: *const ::core::ffi::c_uchar, - buflen: usize, - ) -> ::core::ffi::c_int; + ) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function exports an elliptic curve private key. + /// \brief This function retrieves curve information from a TLS + /// NamedCurve value. /// - /// \param key The private key. - /// \param buf The output buffer for containing the binary representation - /// of the key. (Big endian integer for Weierstrass curves, byte - /// string for Montgomery curves.) - /// \param buflen The total length of the buffer in bytes. + /// \param tls_id An \c MBEDTLS_ECP_DP_XXX value. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key - ///representation is larger than the available space in \p buf. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for - /// the group is not implemented. - /// \return Another negative error code on different kinds of failure. - pub fn mbedtls_ecp_write_key( - key: *mut mbedtls_ecp_keypair, - buf: *mut ::core::ffi::c_uchar, - buflen: usize, - ) -> ::core::ffi::c_int; + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_tls_id(tls_id: u16) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function checks that the keypair objects - /// \p pub and \p prv have the same group and the - /// same public point, and that the private key in - /// \p prv is consistent with the public key. + /// \brief This function retrieves curve information from a + /// human-readable name. /// - /// \param pub The keypair structure holding the public key. This - /// must be initialized. If it contains a private key, that - /// part is ignored. - /// \param prv The keypair structure holding the full keypair. - /// This must be initialized. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c - /// NULL if \p f_rng doesn't need a context. + /// \param name The human-readable name. /// - /// \return \c 0 on success, meaning that the keys are valid and match. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match. - /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX - /// error code on calculation failure. - pub fn mbedtls_ecp_check_pub_priv( - pub_: *const mbedtls_ecp_keypair, - prv: *const mbedtls_ecp_keypair, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// \return The associated curve information on success. + /// \return NULL on failure. + pub fn mbedtls_ecp_curve_info_from_name( + name: *const ::core::ffi::c_char, + ) -> *const mbedtls_ecp_curve_info; } unsafe extern "C" { - /// \brief This function exports generic key-pair parameters. - /// - /// \param key The key pair to export from. - /// \param grp Slot for exported ECP group. - /// It must point to an initialized ECP group. - /// \param d Slot for the exported secret value. - /// It must point to an initialized mpi. - /// \param Q Slot for the exported public value. - /// It must point to an initialized ECP point. + /// \brief This function initializes a point as zero. /// - /// \return \c 0 on success, - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. - /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't - /// correspond to a known group. - /// \return Another negative error code on other kinds of failure. - pub fn mbedtls_ecp_export( - key: *const mbedtls_ecp_keypair, - grp: *mut mbedtls_ecp_group, - d: *mut mbedtls_mpi, - Q: *mut mbedtls_ecp_point, - ) -> ::core::ffi::c_int; + /// \param pt The point to initialize. + pub fn mbedtls_ecp_point_init(pt: *mut mbedtls_ecp_point); } unsafe extern "C" { - /// \brief The ECP checkup routine. + /// \brief This function initializes an ECP group context + /// without loading any domain parameters. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_ecp_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -///< None. -pub const mbedtls_md_type_t_MBEDTLS_MD_NONE: mbedtls_md_type_t = 0; -///< The MD5 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_MD5: mbedtls_md_type_t = 1; -///< The SHA-1 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA1: mbedtls_md_type_t = 2; -///< The SHA-224 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA224: mbedtls_md_type_t = 3; -///< The SHA-256 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA256: mbedtls_md_type_t = 4; -///< The SHA-384 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA384: mbedtls_md_type_t = 5; -///< The SHA-512 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_SHA512: mbedtls_md_type_t = 6; -///< The RIPEMD-160 message digest. -pub const mbedtls_md_type_t_MBEDTLS_MD_RIPEMD160: mbedtls_md_type_t = 7; -/// \brief Supported message digests. -/// -/// \warning MD5 and SHA-1 are considered weak message digests and -/// their use constitutes a security risk. We recommend considering -/// stronger message digests instead. -pub type mbedtls_md_type_t = ::core::ffi::c_uint; -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md_info_t { - _unused: [u8; 0], -} -pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_LEGACY: mbedtls_md_engine_t = 0; -pub const mbedtls_md_engine_t_MBEDTLS_MD_ENGINE_PSA: mbedtls_md_engine_t = 1; -/// Used internally to indicate whether a context uses legacy or PSA. -/// -/// Internal use only. -pub type mbedtls_md_engine_t = ::core::ffi::c_uint; -/// The generic message-digest context. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md_context_t { - /// Information about the associated message digest. - pub private_md_info: *const mbedtls_md_info_t, - /// The digest-specific context (legacy) or the PSA operation. - pub private_md_ctx: *mut ::core::ffi::c_void, - /// The HMAC part of the context. - pub private_hmac_ctx: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_md_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \note After this function is called, domain parameters + /// for various ECP groups can be loaded through the + /// mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() + /// functions. + pub fn mbedtls_ecp_group_init(grp: *mut mbedtls_ecp_group); } unsafe extern "C" { - /// \brief This function returns the message-digest information - /// associated with the given digest type. - /// - /// \param md_type The type of digest to search for. + /// \brief This function initializes a key pair as an invalid one. /// - /// \return The message-digest information associated with \p md_type. - /// \return NULL if the associated message-digest information is not found. - pub fn mbedtls_md_info_from_type(md_type: mbedtls_md_type_t) -> *const mbedtls_md_info_t; + /// \param key The key pair to initialize. + pub fn mbedtls_ecp_keypair_init(key: *mut mbedtls_ecp_keypair); } unsafe extern "C" { - /// \brief This function initializes a message-digest context without - /// binding it to a particular message-digest algorithm. + /// \brief This function frees the components of a point. /// - /// This function should always be called first. It prepares the - /// context for mbedtls_md_setup() for binding it to a - /// message-digest algorithm. - pub fn mbedtls_md_init(ctx: *mut mbedtls_md_context_t); + /// \param pt The point to free. + pub fn mbedtls_ecp_point_free(pt: *mut mbedtls_ecp_point); } unsafe extern "C" { - /// \brief This function clears the internal structure of \p ctx and - /// frees any embedded internal structure, but does not free - /// \p ctx itself. + /// \brief This function frees the components of an ECP group. /// - /// If you have called mbedtls_md_setup() on \p ctx, you must - /// call mbedtls_md_free() when you are no longer using the - /// context. - /// Calling this function if you have previously - /// called mbedtls_md_init() and nothing else is optional. - /// You must not call this function if you have not called - /// mbedtls_md_init(). - pub fn mbedtls_md_free(ctx: *mut mbedtls_md_context_t); + /// \param grp The group to free. This may be \c NULL, in which + /// case this function returns immediately. If it is not + /// \c NULL, it must point to an initialized ECP group. + pub fn mbedtls_ecp_group_free(grp: *mut mbedtls_ecp_group); } unsafe extern "C" { - /// \brief This function selects the message digest algorithm to use, - /// and allocates internal structures. + /// \brief This function frees the components of a key pair. /// - /// It should be called after mbedtls_md_init() or - /// mbedtls_md_free(). Makes it necessary to call - /// mbedtls_md_free() later. + /// \param key The key pair to free. This may be \c NULL, in which + /// case this function returns immediately. If it is not + /// \c NULL, it must point to an initialized ECP key pair. + pub fn mbedtls_ecp_keypair_free(key: *mut mbedtls_ecp_keypair); +} +unsafe extern "C" { + /// \brief This function copies the contents of point \p Q into + /// point \p P. /// - /// \param ctx The context to set up. - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory), - /// or non-zero: HMAC is used with this context. + /// \param P The destination point. This must be initialized. + /// \param Q The source point. This must be initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - /// \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure. - pub fn mbedtls_md_setup( - ctx: *mut mbedtls_md_context_t, - md_info: *const mbedtls_md_info_t, - hmac: ::core::ffi::c_int, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code for other kinds of failure. + pub fn mbedtls_ecp_copy( + P: *mut mbedtls_ecp_point, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function clones the state of a message-digest - /// context. - /// - /// \note You must call mbedtls_md_setup() on \c dst before calling - /// this function. - /// - /// \note The two contexts must have the same type, - /// for example, both are SHA-256. - /// - /// \warning This function clones the message-digest state, not the - /// HMAC state. + /// \brief This function copies the contents of group \p src into + /// group \p dst. /// - /// \param dst The destination context. - /// \param src The context to be cloned. + /// \param dst The destination group. This must be initialized. + /// \param src The source group. This must be initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure. - /// \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are - /// not using the same engine. This can be avoided by moving - /// the call to psa_crypto_init() before the first call to - /// mbedtls_md_setup(). - pub fn mbedtls_md_clone( - dst: *mut mbedtls_md_context_t, - src: *const mbedtls_md_context_t, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_group_copy( + dst: *mut mbedtls_ecp_group, + src: *const mbedtls_ecp_group, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest size from the - /// message-digest information structure. + /// \brief This function sets a point to the point at infinity. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param pt The point to set. This must be initialized. /// - /// \return The size of the message-digest output in Bytes. - pub fn mbedtls_md_get_size(md_info: *const mbedtls_md_info_t) -> ::core::ffi::c_uchar; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_set_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest type from the - /// message-digest information structure. + /// \brief This function checks if a point is the point at infinity. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param pt The point to test. This must be initialized. /// - /// \return The type of the message digest. - pub fn mbedtls_md_get_type(md_info: *const mbedtls_md_info_t) -> mbedtls_md_type_t; + /// \return \c 1 if the point is zero. + /// \return \c 0 if the point is non-zero. + /// \return A negative error code on failure. + pub fn mbedtls_ecp_is_zero(pt: *mut mbedtls_ecp_point) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function starts a message-digest computation. + /// \brief This function compares two points. /// - /// You must call this function after setting up the context - /// with mbedtls_md_setup(), and before passing data with - /// mbedtls_md_update(). + /// \note This assumes that the points are normalized. Otherwise, + /// they may compare as "not equal" even if they are. /// - /// \param ctx The generic message-digest context. + /// \param P The first point to compare. This must be initialized. + /// \param Q The second point to compare. This must be initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_starts(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; + /// \return \c 0 if the points are equal. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal. + pub fn mbedtls_ecp_point_cmp( + P: *const mbedtls_ecp_point, + Q: *const mbedtls_ecp_point, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// message-digest computation. - /// - /// You must call mbedtls_md_starts() before calling this - /// function. You may call this function multiple times. - /// Afterwards, call mbedtls_md_finish(). + /// \brief This function imports a non-zero point from two ASCII + /// strings. /// - /// \param ctx The generic message-digest context. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. + /// \param P The destination point. This must be initialized. + /// \param radix The numeric base of the input. + /// \param x The first affine coordinate, as a null-terminated string. + /// \param y The second affine coordinate, as a null-terminated string. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_update( - ctx: *mut mbedtls_md_context_t, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \return An \c MBEDTLS_ERR_MPI_XXX error code on failure. + pub fn mbedtls_ecp_point_read_string( + P: *mut mbedtls_ecp_point, + radix: ::core::ffi::c_int, + x: *const ::core::ffi::c_char, + y: *const ::core::ffi::c_char, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function finishes the digest operation, - /// and writes the result to the output buffer. - /// - /// Call this function after a call to mbedtls_md_starts(), - /// followed by any number of calls to mbedtls_md_update(). - /// Afterwards, you may either clear the context with - /// mbedtls_md_free(), or call mbedtls_md_starts() to reuse - /// the context for another digest operation with the same - /// algorithm. + /// \brief This function exports a point into unsigned binary data. /// - /// \param ctx The generic message-digest context. - /// \param output The buffer for the generic message-digest checksum result. + /// \param grp The group to which the point should belong. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param P The point to export. This must be initialized. + /// \param format The point format. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// (For groups without these formats, this parameter is + /// ignored. But it still has to be either of the above + /// values.) + /// \param olen The address at which to store the length of + /// the output in Bytes. This must not be \c NULL. + /// \param buf The output buffer. This must be a writable buffer + /// of length \p buflen Bytes. + /// \param buflen The length of the output buffer \p buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_finish( - ctx: *mut mbedtls_md_context_t, - output: *mut ::core::ffi::c_uchar, + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer + /// is too small to hold the point. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format + /// or the export for the given group is not implemented. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_point_write_binary( + grp: *const mbedtls_ecp_group, + P: *const mbedtls_ecp_point, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function calculates the message-digest of a buffer, - /// with respect to a configurable message-digest algorithm - /// in a single call. + /// \brief This function imports a point from unsigned binary data. /// - /// The result is calculated as - /// Output = message_digest(input buffer). + /// \note This function does not check that the point actually + /// belongs to the given group, see mbedtls_ecp_check_pubkey() + /// for that. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param input The buffer holding the data. - /// \param ilen The length of the input data. - /// \param output The generic message-digest checksum result. + /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for + /// limitations. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md( - md_info: *const mbedtls_md_info_t, - input: *const ::core::ffi::c_uchar, + /// \param grp The group to which the point should belong. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param P The destination context to import the point to. + /// This must be initialized. + /// \param buf The input buffer. This must be a readable buffer + /// of length \p ilen Bytes. + /// \param ilen The length of the input buffer \p buf in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the + /// given group is not implemented. + pub fn mbedtls_ecp_point_read_binary( + grp: *const mbedtls_ecp_group, + P: *mut mbedtls_ecp_point, + buf: *const ::core::ffi::c_uchar, ilen: usize, - output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function returns the list of digests supported by the - /// generic digest module. - /// - /// \note The list starts with the strongest available hashes. + /// \brief This function imports a point from a TLS ECPoint record. /// - /// \return A statically allocated array of digests. Each element - /// in the returned list is an integer belonging to the - /// message-digest enumeration #mbedtls_md_type_t. - /// The last entry is 0. - pub fn mbedtls_md_list() -> *const ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function returns the message-digest information - /// associated with the given digest name. + /// \note On function return, \p *buf is updated to point immediately + /// after the ECPoint record. /// - /// \param md_name The name of the digest to search for. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The destination point. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the buffer. /// - /// \return The message-digest information associated with \p md_name. - /// \return NULL if the associated message-digest information is not found. - pub fn mbedtls_md_info_from_string( - md_name: *const ::core::ffi::c_char, - ) -> *const mbedtls_md_info_t; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization + /// failure. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + pub fn mbedtls_ecp_tls_read_point( + grp: *const mbedtls_ecp_group, + pt: *mut mbedtls_ecp_point, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function extracts the message-digest name from the - /// message-digest information structure. + /// \brief This function exports a point as a TLS ECPoint record + /// defined in RFC 4492, Section 5.4. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The point to be exported. This must be initialized. + /// \param format The point format to use. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// \param olen The address at which to store the length in Bytes + /// of the data written. + /// \param buf The target buffer. This must be a writable buffer of + /// length \p blen Bytes. + /// \param blen The length of the target buffer \p buf in Bytes. /// - /// \return The name of the message digest. - pub fn mbedtls_md_get_name(md_info: *const mbedtls_md_info_t) -> *const ::core::ffi::c_char; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer + /// is too small to hold the exported point. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_write_point( + grp: *const mbedtls_ecp_group, + pt: *const mbedtls_ecp_point, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + blen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function returns the message-digest information - /// from the given context. + /// \brief This function sets up an ECP group context + /// from a standardized set of domain parameters. /// - /// \param ctx The context from which to extract the information. - /// This must be initialized (or \c NULL). + /// \note The index should be a value of the NamedCurve enum, + /// as defined in RFC-4492: Elliptic Curve Cryptography + /// (ECC) Cipher Suites for Transport Layer Security (TLS), + /// usually in the form of an \c MBEDTLS_ECP_DP_XXX macro. /// - /// \return The message-digest information associated with \p ctx. - /// \return \c NULL if \p ctx is \c NULL. - pub fn mbedtls_md_info_from_ctx(ctx: *const mbedtls_md_context_t) -> *const mbedtls_md_info_t; + /// \param grp The group context to setup. This must be initialized. + /// \param id The identifier of the domain parameter set to load. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't + /// correspond to a known group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_group_load( + grp: *mut mbedtls_ecp_group, + id: mbedtls_ecp_group_id, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets the HMAC key and prepares to - /// authenticate a new message. + /// \brief This function sets up an ECP group context from a TLS + /// ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call this function after mbedtls_md_setup(), to use - /// the MD context for an HMAC calculation, then call - /// mbedtls_md_hmac_update() to provide the input data, and - /// mbedtls_md_hmac_finish() to get the HMAC value. + /// \note The read pointer \p buf is updated to point right after + /// the ECParameters record on exit. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param key The HMAC secret key. - /// \param keylen The length of the HMAC key in Bytes. + /// \param grp The group context to setup. This must be initialized. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the input buffer \c *buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_starts( - ctx: *mut mbedtls_md_context_t, - key: *const ::core::ffi::c_uchar, - keylen: usize, + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not + /// recognized. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_read_group( + grp: *mut mbedtls_ecp_group, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing HMAC - /// computation. + /// \brief This function extracts an elliptic curve group ID from a + /// TLS ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() - /// before calling this function. - /// You may call this function multiple times to pass the - /// input piecewise. - /// Afterwards, call mbedtls_md_hmac_finish(). + /// \note The read pointer \p buf is updated to point right after + /// the ECParameters record on exit. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. + /// \param grp The address at which to store the group id. + /// This must not be \c NULL. + /// \param buf The address of the pointer to the start of the input buffer. + /// \param len The length of the input buffer \c *buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_update( - ctx: *mut mbedtls_md_context_t, - input: *const ::core::ffi::c_uchar, - ilen: usize, + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not + /// recognized. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_read_group_id( + grp: *mut mbedtls_ecp_group_id, + buf: *mut *const ::core::ffi::c_uchar, + len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function finishes the HMAC operation, and writes - /// the result to the output buffer. + /// \brief This function exports an elliptic curve as a TLS + /// ECParameters record as defined in RFC 4492, Section 5.4. /// - /// Call this function after mbedtls_md_hmac_starts() and - /// mbedtls_md_hmac_update() to get the HMAC value. Afterwards - /// you may either call mbedtls_md_free() to clear the context, - /// or call mbedtls_md_hmac_reset() to reuse the context with - /// the same HMAC key. - /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. - /// \param output The generic HMAC checksum result. + /// \param grp The ECP group to be exported. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param olen The address at which to store the number of Bytes written. + /// This must not be \c NULL. + /// \param buf The buffer to write to. This must be a writable buffer + /// of length \p blen Bytes. + /// \param blen The length of the output buffer \p buf in Bytes. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_finish( - ctx: *mut mbedtls_md_context_t, - output: *mut ::core::ffi::c_uchar, + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output + /// buffer is too small to hold the exported group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_tls_write_group( + grp: *const mbedtls_ecp_group, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + blen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function prepares to authenticate a new message with - /// the same key as the previous HMAC operation. + /// \brief This function performs a scalar multiplication of a point + /// by an integer: \p R = \p m * \p P. /// - /// You may call this function after mbedtls_md_hmac_finish(). - /// Afterwards call mbedtls_md_hmac_update() to pass the new - /// input. + /// It is not thread-safe to use same group in multiple threads. /// - /// \param ctx The message digest context containing an embedded HMAC - /// context. + /// \note To prevent timing attacks, this function + /// executes the exact same sequence of base-field + /// operations for any valid \p m. It avoids any if-branch or + /// array index depending on the value of \p m. It also uses + /// \p f_rng to randomize some intermediate results. + /// + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply. This must be initialized. + /// \param P The point to multiply. This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac_reset(ctx: *mut mbedtls_md_context_t) -> ::core::ffi::c_int; + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private + /// key, or \p P is not a valid public key. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_mul( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function calculates the full generic HMAC - /// on the input buffer with the provided key. + /// \brief This function performs multiplication of a point by + /// an integer: \p R = \p m * \p P in a restartable way. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// \see mbedtls_ecp_mul() /// - /// The HMAC result is calculated as - /// output = generic HMAC(hmac key, input buffer). + /// \note This function does the same as \c mbedtls_ecp_mul(), but + /// it can return early and restart according to the limit set + /// with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \param md_info The information structure of the message-digest algorithm - /// to use. - /// \param key The HMAC secret key. - /// \param keylen The length of the HMAC secret key in Bytes. - /// \param input The buffer holding the input data. - /// \param ilen The length of the input data. - /// \param output The generic HMAC result. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply. This must be initialized. + /// \param P The point to multiply. This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. + /// \param rs_ctx The restart context (NULL disables restart). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification - /// failure. - pub fn mbedtls_md_hmac( - md_info: *const mbedtls_md_info_t, - key: *const ::core::ffi::c_uchar, - keylen: usize, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private + /// key, or \p P is not a valid public key. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_mul_restartable( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecp_restart_ctx, ) -> ::core::ffi::c_int; } -/// \brief The RSA context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_rsa_context { - ///< Reserved for internal purposes. - /// Do not set this field in application - /// code. Its meaning might change without - /// notice. - pub private_ver: ::core::ffi::c_int, - ///< The size of \p N in Bytes. - pub private_len: usize, - ///< The public modulus. - pub private_N: mbedtls_mpi, - ///< The public exponent. - pub private_E: mbedtls_mpi, - ///< The private exponent. - pub private_D: mbedtls_mpi, - ///< The first prime factor. - pub private_P: mbedtls_mpi, - ///< The second prime factor. - pub private_Q: mbedtls_mpi, - ///< D % (P - 1). - pub private_DP: mbedtls_mpi, - ///< D % (Q - 1). - pub private_DQ: mbedtls_mpi, - ///< 1 / (Q % P). - pub private_QP: mbedtls_mpi, - ///< cached R^2 mod N. - pub private_RN: mbedtls_mpi, - ///< cached R^2 mod P. - pub private_RP: mbedtls_mpi, - ///< cached R^2 mod Q. - pub private_RQ: mbedtls_mpi, - ///< The cached blinding value. - pub private_Vi: mbedtls_mpi, - ///< The cached un-blinding value. - pub private_Vf: mbedtls_mpi, - ///< Selects padding mode: - ///#MBEDTLS_RSA_PKCS_V15 for 1.5 padding and - ///#MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. - pub private_padding: ::core::ffi::c_int, - ///< Hash identifier of mbedtls_md_type_t type, - ///as specified in md.h for use in the MGF - ///mask generating function used in the - ///EME-OAEP and EMSA-PSS encodings. - pub private_hash_id: ::core::ffi::c_int, -} -impl Default for mbedtls_rsa_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { - /// \brief This function initializes an RSA context. - /// - /// \note This function initializes the padding and the hash - /// identifier to respectively #MBEDTLS_RSA_PKCS_V15 and - /// #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more - /// information about those parameters. - /// - /// \param ctx The RSA context to initialize. This must not be \c NULL. - pub fn mbedtls_rsa_init(ctx: *mut mbedtls_rsa_context); -} -unsafe extern "C" { - /// \brief This function sets padding for an already initialized RSA - /// context. - /// - /// \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP - /// encryption scheme and the RSASSA-PSS signature scheme. + /// \brief This function performs multiplication and addition of two + /// points by integers: \p R = \p m * \p P + \p n * \p Q /// - /// \note The \p hash_id parameter is ignored when using - /// #MBEDTLS_RSA_PKCS_V15 padding. + /// It is not thread-safe to use same group in multiple threads. /// - /// \note The choice of padding mode is strictly enforced for private - /// key operations, since there might be security concerns in - /// mixing padding modes. For public key operations it is - /// a default value, which can be overridden by calling specific - /// \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx - /// functions. + /// \note In contrast to mbedtls_ecp_mul(), this function does not + /// guarantee a constant execution flow and timing. /// - /// \note The hash selected in \p hash_id is always used for OEAP - /// encryption. For PSS signatures, it is always used for - /// making signatures, but can be overridden for verifying them. - /// If set to #MBEDTLS_MD_NONE, it is always overridden. + /// \note This function is only defined for short Weierstrass curves. + /// It may not be included in builds without any short + /// Weierstrass curve. /// - /// \param ctx The initialized RSA context to be configured. - /// \param padding The padding mode to use. This must be either - /// #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. - /// \param hash_id The hash identifier for PSS or OAEP, if \p padding is - /// #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this - /// function but may be not suitable for some operations. - /// Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply \p P. + /// This must be initialized. + /// \param P The point to multiply by \p m. This must be initialized. + /// \param n The integer by which to multiply \p Q. + /// This must be initialized. + /// \param Q The point to be multiplied by \p n. + /// This must be initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: - /// \p padding or \p hash_id is invalid. - pub fn mbedtls_rsa_set_padding( - ctx: *mut mbedtls_rsa_context, - padding: ::core::ffi::c_int, - hash_id: mbedtls_md_type_t, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not + /// valid private keys, or \p P or \p Q are not valid public + /// keys. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not + /// designate a short Weierstrass curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_muladd( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + n: *const mbedtls_mpi, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves padding mode of initialized - /// RSA context. - /// - /// \param ctx The initialized RSA context. + /// \brief This function performs multiplication and addition of two + /// points by integers: \p R = \p m * \p P + \p n * \p Q in a + /// restartable way. /// - /// \return RSA padding mode. - pub fn mbedtls_rsa_get_padding_mode(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function retrieves hash identifier of mbedtls_md_type_t - /// type. + /// \see \c mbedtls_ecp_muladd() /// - /// \param ctx The initialized RSA context. + /// \note This function works the same as \c mbedtls_ecp_muladd(), + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \return Hash identifier of mbedtls_md_type_t type. - pub fn mbedtls_rsa_get_md_alg(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function imports a set of core parameters into an - /// RSA context. + /// \note This function is only defined for short Weierstrass curves. + /// It may not be included in builds without any short + /// Weierstrass curve. /// - /// \note This function can be called multiple times for successive - /// imports, if the parameters are not simultaneously present. + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param R The point in which to store the result of the calculation. + /// This must be initialized. + /// \param m The integer by which to multiply \p P. + /// This must be initialized. + /// \param P The point to multiply by \p m. This must be initialized. + /// \param n The integer by which to multiply \p Q. + /// This must be initialized. + /// \param Q The point to be multiplied by \p n. + /// This must be initialized. + /// \param rs_ctx The restart context (NULL disables restart). /// - /// Any sequence of calls to this function should be followed - /// by a call to mbedtls_rsa_complete(), which checks and - /// completes the provided information to a ready-for-use - /// public or private RSA key. + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not + /// valid private keys, or \p P or \p Q are not valid public + /// keys. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not + /// designate a short Weierstrass curve. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_muladd_restartable( + grp: *mut mbedtls_ecp_group, + R: *mut mbedtls_ecp_point, + m: *const mbedtls_mpi, + P: *const mbedtls_ecp_point, + n: *const mbedtls_mpi, + Q: *const mbedtls_ecp_point, + rs_ctx: *mut mbedtls_ecp_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function checks that a point is a valid public key + /// on this curve. /// - /// \note See mbedtls_rsa_complete() for more information on which - /// parameters are necessary to set up a private or public - /// RSA key. + /// It only checks that the point is non-zero, has + /// valid coordinates and lies on the curve. It does not verify + /// that it is indeed a multiple of \c G. This additional + /// check is computationally more expensive, is not required + /// by standards, and should not be necessary if the group + /// used has a small cofactor. In particular, it is useless for + /// the NIST groups which all have a cofactor of 1. /// - /// \note The imported parameters are copied and need not be preserved - /// for the lifetime of the RSA context being set up. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure, to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \param ctx The initialized RSA context to store the parameters in. - /// \param N The RSA modulus. This may be \c NULL. - /// \param P The first prime factor of \p N. This may be \c NULL. - /// \param Q The second prime factor of \p N. This may be \c NULL. - /// \param D The private exponent. This may be \c NULL. - /// \param E The public exponent. This may be \c NULL. + /// \param grp The ECP group the point should belong to. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param pt The point to check. This must be initialized. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_import( - ctx: *mut mbedtls_rsa_context, - N: *const mbedtls_mpi, - P: *const mbedtls_mpi, - Q: *const mbedtls_mpi, - D: *const mbedtls_mpi, - E: *const mbedtls_mpi, + /// \return \c 0 if the point is a valid public key. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not + /// a valid public key for the given curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_check_pubkey( + grp: *const mbedtls_ecp_group, + pt: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function imports core RSA parameters, in raw big-endian - /// binary format, into an RSA context. - /// - /// \note This function can be called multiple times for successive - /// imports, if the parameters are not simultaneously present. + /// \brief This function checks that an \c mbedtls_mpi is a + /// valid private key for this curve. /// - /// Any sequence of calls to this function should be followed - /// by a call to mbedtls_rsa_complete(), which checks and - /// completes the provided information to a ready-for-use - /// public or private RSA key. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \note See mbedtls_rsa_complete() for more information on which - /// parameters are necessary to set up a private or public - /// RSA key. + /// \param grp The ECP group the private key should belong to. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The integer to check. This must be initialized. /// - /// \note The imported parameters are copied and need not be preserved - /// for the lifetime of the RSA context being set up. + /// \return \c 0 if the point is a valid private key. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid + /// private key for the given curve. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_check_privkey( + grp: *const mbedtls_ecp_group, + d: *const mbedtls_mpi, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function generates a private key. /// - /// \param ctx The initialized RSA context to store the parameters in. - /// \param N The RSA modulus. This may be \c NULL. - /// \param N_len The Byte length of \p N; it is ignored if \p N == NULL. - /// \param P The first prime factor of \p N. This may be \c NULL. - /// \param P_len The Byte length of \p P; it is ignored if \p P == NULL. - /// \param Q The second prime factor of \p N. This may be \c NULL. - /// \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. - /// \param D The private exponent. This may be \c NULL. - /// \param D_len The Byte length of \p D; it is ignored if \p D == NULL. - /// \param E The public exponent. This may be \c NULL. - /// \param E_len The Byte length of \p E; it is ignored if \p E == NULL. + /// \param grp The ECP group to generate a private key for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The destination MPI (secret part). This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_import_raw( - ctx: *mut mbedtls_rsa_context, - N: *const ::core::ffi::c_uchar, - N_len: usize, - P: *const ::core::ffi::c_uchar, - P_len: usize, - Q: *const ::core::ffi::c_uchar, - Q_len: usize, - D: *const ::core::ffi::c_uchar, - D_len: usize, - E: *const ::core::ffi::c_uchar, - E_len: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_privkey( + grp: *const mbedtls_ecp_group, + d: *mut mbedtls_mpi, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function completes an RSA context from - /// a set of imported core parameters. - /// - /// To setup an RSA public key, precisely \p N and \p E - /// must have been imported. + /// \brief This function generates a keypair with a configurable base + /// point. /// - /// To setup an RSA private key, sufficient information must - /// be present for the other parameters to be derivable. + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// The default implementation supports the following: - ///
  • Derive \p P, \p Q from \p N, \p D, \p E.
    • - ///
  • Derive \p N, \p D from \p P, \p Q, \p E.
- /// Alternative implementations need not support these. + /// \param grp The ECP group to generate a key pair for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param G The base point to use. This must be initialized + /// and belong to \p grp. It replaces the default base + /// point \c grp->G used by mbedtls_ecp_gen_keypair(). + /// \param d The destination MPI (secret part). + /// This must be initialized. + /// \param Q The destination point (public part). + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// If this function runs successfully, it guarantees that - /// the RSA context can be used for RSA operations without - /// the risk of failure or crash. + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_keypair_base( + grp: *mut mbedtls_ecp_group, + G: *const mbedtls_ecp_point, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function generates an ECP keypair. /// - /// \warning This function need not perform consistency checks - /// for the imported parameters. In particular, parameters that - /// are not needed by the implementation might be silently - /// discarded and left unchecked. To check the consistency - /// of the key material, see mbedtls_rsa_check_privkey(). + /// \note This function uses bare components rather than an + /// ::mbedtls_ecp_keypair structure to ease use with other + /// structures, such as ::mbedtls_ecdh_context or + /// ::mbedtls_ecdsa_context. /// - /// \param ctx The initialized RSA context holding imported parameters. + /// \param grp The ECP group to generate a key pair for. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param d The destination MPI (secret part). + /// This must be initialized. + /// \param Q The destination point (public part). + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations - /// failed. - pub fn mbedtls_rsa_complete(ctx: *mut mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_keypair( + grp: *mut mbedtls_ecp_group, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports the core parameters of an RSA key. - /// - /// If this function runs successfully, the non-NULL buffers - /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully - /// written, with additional unused space filled leading by - /// zero Bytes. - /// - /// Possible reasons for returning - /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    - ///
  • An alternative RSA implementation is in use, which - /// stores the key externally, and either cannot or should - /// not export it into RAM.
    • - ///
  • A SW or HW implementation might not support a certain - /// deduction. For example, \p P, \p Q from \p N, \p D, - /// and \p E if the former are not part of the - /// implementation.
- /// - /// If the function fails due to an unsupported operation, - /// the RSA context stays intact and remains usable. + /// \brief This function generates an ECP key. /// - /// \param ctx The initialized RSA context. - /// \param N The MPI to hold the RSA modulus. - /// This may be \c NULL if this field need not be exported. - /// \param P The MPI to hold the first prime factor of \p N. - /// This may be \c NULL if this field need not be exported. - /// \param Q The MPI to hold the second prime factor of \p N. - /// This may be \c NULL if this field need not be exported. - /// \param D The MPI to hold the private exponent. - /// This may be \c NULL if this field need not be exported. - /// \param E The MPI to hold the public exponent. - /// This may be \c NULL if this field need not be exported. + /// \param grp_id The ECP group identifier. + /// \param key The destination key. This must be initialized. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the - /// requested parameters cannot be done due to missing - /// functionality or because of security policies. - /// \return A non-zero return code on any other failure. - pub fn mbedtls_rsa_export( - ctx: *const mbedtls_rsa_context, - N: *mut mbedtls_mpi, - P: *mut mbedtls_mpi, - Q: *mut mbedtls_mpi, - D: *mut mbedtls_mpi, - E: *mut mbedtls_mpi, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code + /// on failure. + pub fn mbedtls_ecp_gen_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports core parameters of an RSA key - /// in raw big-endian binary format. - /// - /// If this function runs successfully, the non-NULL buffers - /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully - /// written, with additional unused space filled leading by - /// zero Bytes. + /// \brief Set the public key in a key pair object. /// - /// Possible reasons for returning - /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    - ///
  • An alternative RSA implementation is in use, which - /// stores the key externally, and either cannot or should - /// not export it into RAM.
    • - ///
  • A SW or HW implementation might not support a certain - /// deduction. For example, \p P, \p Q from \p N, \p D, - /// and \p E if the former are not part of the - /// implementation.
- /// If the function fails due to an unsupported operation, - /// the RSA context stays intact and remains usable. + /// \note This function does not check that the point actually + /// belongs to the given group. Call mbedtls_ecp_check_pubkey() + /// on \p Q before calling this function to check that. /// - /// \note The length parameters are ignored if the corresponding - /// buffer pointers are NULL. + /// \note This function does not check that the public key matches + /// the private key that is already in \p key, if any. + /// To check the consistency of the resulting key pair object, + /// call mbedtls_ecp_check_pub_priv() after setting both + /// the public key and the private key. /// - /// \param ctx The initialized RSA context. - /// \param N The Byte array to store the RSA modulus, - /// or \c NULL if this field need not be exported. - /// \param N_len The size of the buffer for the modulus. - /// \param P The Byte array to hold the first prime factor of \p N, - /// or \c NULL if this field need not be exported. - /// \param P_len The size of the buffer for the first prime factor. - /// \param Q The Byte array to hold the second prime factor of \p N, - /// or \c NULL if this field need not be exported. - /// \param Q_len The size of the buffer for the second prime factor. - /// \param D The Byte array to hold the private exponent, - /// or \c NULL if this field need not be exported. - /// \param D_len The size of the buffer for the private exponent. - /// \param E The Byte array to hold the public exponent, - /// or \c NULL if this field need not be exported. - /// \param E_len The size of the buffer for the public exponent. + /// \param grp_id The ECP group identifier. + /// \param key The key pair object. It must be initialized. + /// If its group has already been set, it must match \p grp_id. + /// If its group has not been set, it will be set to \p grp_id. + /// If the public key has already been set, it is overwritten. + /// \param Q The public key to copy. This must be a point on the + /// curve indicated by \p grp_id. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the - /// requested parameters cannot be done due to missing - /// functionality or because of security policies. - /// \return A non-zero return code on any other failure. - pub fn mbedtls_rsa_export_raw( - ctx: *const mbedtls_rsa_context, - N: *mut ::core::ffi::c_uchar, - N_len: usize, - P: *mut ::core::ffi::c_uchar, - P_len: usize, - Q: *mut ::core::ffi::c_uchar, - Q_len: usize, - D: *mut ::core::ffi::c_uchar, - D_len: usize, - E: *mut ::core::ffi::c_uchar, - E_len: usize, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p key does not + /// match \p grp_id. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for + /// the group is not implemented. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_set_public_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + Q: *const mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function exports CRT parameters of a private RSA key. + /// \brief This function reads an elliptic curve private key. /// - /// \note Alternative RSA implementations not using CRT-parameters - /// internally can implement this function based on - /// mbedtls_rsa_deduce_opt(). + /// \note This function does not set the public key in the + /// key pair object. Without a public key, the key pair object + /// cannot be used with operations that require the public key. + /// Call mbedtls_ecp_keypair_calc_public() to set the public + /// key from the private key. Alternatively, you can call + /// mbedtls_ecp_set_public_key() to set the public key part, + /// and then optionally mbedtls_ecp_check_pub_priv() to check + /// that the private and public parts are consistent. + /// + /// \note If a public key has already been set in the key pair + /// object, this function does not check that it is consistent + /// with the private key. Call mbedtls_ecp_check_pub_priv() + /// after setting both the public key and the private key + /// to make that check. /// - /// \param ctx The initialized RSA context. - /// \param DP The MPI to hold \c D modulo `P-1`, - /// or \c NULL if it need not be exported. - /// \param DQ The MPI to hold \c D modulo `Q-1`, - /// or \c NULL if it need not be exported. - /// \param QP The MPI to hold modular inverse of \c Q modulo \c P, - /// or \c NULL if it need not be exported. + /// \param grp_id The ECP group identifier. + /// \param key The destination key. + /// \param buf The buffer containing the binary representation of the + /// key. (Big endian integer for Weierstrass curves, byte + /// string for Montgomery curves.) + /// \param buflen The length of the buffer in bytes. /// - /// \return \c 0 on success. - /// \return A non-zero error code on failure. - pub fn mbedtls_rsa_export_crt( - ctx: *const mbedtls_rsa_context, - DP: *mut mbedtls_mpi, - DQ: *mut mbedtls_mpi, - QP: *mut mbedtls_mpi, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is + /// invalid. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for + /// the group is not implemented. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_read_key( + grp_id: mbedtls_ecp_group_id, + key: *mut mbedtls_ecp_keypair, + buf: *const ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function retrieves the length of RSA modulus in Bytes. + /// \brief This function exports an elliptic curve private key. /// - /// \param ctx The initialized RSA context. + /// \deprecated Note that although this function accepts an output + /// buffer that is smaller or larger than the key, most key + /// import interfaces require the output to have exactly + /// key's nominal length. It is generally simplest to + /// pass the key's nominal length as \c buflen, after + /// checking that the output buffer is large enough. + /// See the description of the \p buflen parameter for + /// how to calculate the nominal length. + /// To avoid this difficulty, use mbedtls_ecp_write_key_ext() + /// instead. + /// mbedtls_ecp_write_key() is deprecated and will be + /// removed in a future version of the library. + /// + /// \note If the private key was not set in \p key, + /// the output is unspecified. Future versions + /// may return an error in that case. /// - /// \return The length of the RSA modulus in Bytes. - pub fn mbedtls_rsa_get_len(ctx: *const mbedtls_rsa_context) -> usize; + /// \param key The private key. + /// \param buf The output buffer for containing the binary representation + /// of the key. + /// For Weierstrass curves, this is the big-endian + /// representation, padded with null bytes at the beginning + /// to reach \p buflen bytes. + /// For Montgomery curves, this is the standard byte string + /// representation (which is little-endian), padded with + /// null bytes at the end to reach \p buflen bytes. + /// \param buflen The total length of the buffer in bytes. + /// The length of the output is + /// (`grp->nbits` + 7) / 8 bytes + /// where `grp->nbits` is the private key size in bits. + /// For Weierstrass keys, if the output buffer is smaller, + /// leading zeros are trimmed to fit if possible. For + /// Montgomery keys, the output buffer must always be large + /// enough for the nominal length. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL or + /// #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the \p key + /// representation is larger than the available space in \p buf. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_write_key( + key: *mut mbedtls_ecp_keypair, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function generates an RSA keypair. - /// - /// \note mbedtls_rsa_init() must be called before this function, - /// to set up the RSA context. + /// \brief This function exports an elliptic curve private key. /// - /// \param ctx The initialized RSA context used to hold the key. - /// \param f_rng The RNG function to be used for key generation. - /// This is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. - /// This may be \c NULL if \p f_rng doesn't need a context. - /// \param nbits The size of the public key in bits. - /// \param exponent The public exponent to use. For example, \c 65537. - /// This must be odd and greater than \c 1. + /// \param key The private key. + /// \param olen On success, the length of the private key. + /// This is always (`grp->nbits` + 7) / 8 bytes + /// where `grp->nbits` is the private key size in bits. + /// \param buf The output buffer for containing the binary representation + /// of the key. + /// \param buflen The total length of the buffer in bytes. + /// #MBEDTLS_ECP_MAX_BYTES is always sufficient. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_gen_key( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - nbits: ::core::ffi::c_uint, - exponent: ::core::ffi::c_int, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key + /// representation is larger than the available space in \p buf. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if no private key is + /// set in \p key. + /// \return Another negative error code on different kinds of failure. + pub fn mbedtls_ecp_write_key_ext( + key: *const mbedtls_ecp_keypair, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks if a context contains at least an RSA - /// public key. + /// \brief This function exports an elliptic curve public key. /// - /// If the function runs successfully, it is guaranteed that - /// enough information is present to perform an RSA public key - /// operation using mbedtls_rsa_public(). + /// \note If the public key was not set in \p key, + /// the output is unspecified. Future versions + /// may return an error in that case. /// - /// \param ctx The initialized RSA context to check. + /// \param key The public key. + /// \param format The point format. This must be either + /// #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. + /// (For groups without these formats, this parameter is + /// ignored. But it still has to be either of the above + /// values.) + /// \param olen The address at which to store the length of + /// the output in Bytes. This must not be \c NULL. + /// \param buf The output buffer. This must be a writable buffer + /// of length \p buflen Bytes. + /// \param buflen The length of the output buffer \p buf in Bytes. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_pubkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer + /// is too small to hold the point. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format + /// or the export for the given group is not implemented. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_write_public_key( + key: *const mbedtls_ecp_keypair, + format: ::core::ffi::c_int, + olen: *mut usize, + buf: *mut ::core::ffi::c_uchar, + buflen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks if a context contains an RSA private key - /// and perform basic consistency checks. - /// - /// \note The consistency checks performed by this function not only - /// ensure that mbedtls_rsa_private() can be called successfully - /// on the given context, but that the various parameters are - /// mutually consistent with high probability, in the sense that - /// mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. + /// \brief This function checks that the keypair objects + /// \p pub and \p prv have the same group and the + /// same public point, and that the private key in + /// \p prv is consistent with the public key. /// - /// \warning This function should catch accidental misconfigurations - /// like swapping of parameters, but it cannot establish full - /// trust in neither the quality nor the consistency of the key - /// material that was used to setup the given RSA context: - ///
  • Consistency: Imported parameters that are irrelevant - /// for the implementation might be silently dropped. If dropped, - /// the current function does not have access to them, - /// and therefore cannot check them. See mbedtls_rsa_complete(). - /// If you want to check the consistency of the entire - /// content of a PKCS1-encoded RSA private key, for example, you - /// should use mbedtls_rsa_validate_params() before setting - /// up the RSA context. - /// Additionally, if the implementation performs empirical checks, - /// these checks substantiate but do not guarantee consistency.
    • - ///
  • Quality: This function is not expected to perform - /// extended quality assessments like checking that the prime - /// factors are safe. Additionally, it is the responsibility of the - /// user to ensure the trustworthiness of the source of his RSA - /// parameters, which goes beyond what is effectively checkable - /// by the library.
- /// - /// \param ctx The initialized RSA context to check. + /// \param pub The keypair structure holding the public key. This + /// must be initialized. If it contains a private key, that + /// part is ignored. + /// \param prv The keypair structure holding the full keypair. + /// This must be initialized. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_privkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; + /// \return \c 0 on success, meaning that the keys are valid and match. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match. + /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX + /// error code on calculation failure. + pub fn mbedtls_ecp_check_pub_priv( + pub_: *const mbedtls_ecp_keypair, + prv: *const mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function checks a public-private RSA key pair. - /// - /// It checks each of the contexts, and makes sure they match. + /// \brief Calculate the public key from a private key in a key pair. /// - /// \param pub The initialized RSA context holding the public key. - /// \param prv The initialized RSA context holding the private key. + /// \param key A keypair structure. It must have a private key set. + /// If the public key is set, it will be overwritten. + /// \param f_rng The RNG function. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c + /// NULL if \p f_rng doesn't need a context. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_check_pub_priv( - pub_: *const mbedtls_rsa_context, - prv: *const mbedtls_rsa_context, + /// \return \c 0 on success. The key pair object can be used for + /// operations that require the public key. + /// \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX + /// error code on calculation failure. + pub fn mbedtls_ecp_keypair_calc_public( + key: *mut mbedtls_ecp_keypair, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs an RSA public key operation. - /// - /// \param ctx The initialized RSA context to use. - /// \param input The input buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// - /// \note This function does not handle message padding. + /// \brief Query the group that a key pair belongs to. /// - /// \note Make sure to set \p input[0] = 0 or ensure that - /// input is smaller than \p N. + /// \param key The key pair to query. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_public( - ctx: *mut mbedtls_rsa_context, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return The group ID for the group registered in the key pair + /// object. + /// This is \c MBEDTLS_ECP_DP_NONE if no group has been set + /// in the key pair object. + pub fn mbedtls_ecp_keypair_get_group_id( + key: *const mbedtls_ecp_keypair, + ) -> mbedtls_ecp_group_id; } unsafe extern "C" { - /// \brief This function performs an RSA private key operation. - /// - /// \note Blinding is used if and only if a PRNG is provided. + /// \brief This function exports generic key-pair parameters. /// - /// \note If blinding is used, both the base of exponentiation - /// and the exponent are blinded, providing protection - /// against some side-channel attacks. + /// Each of the output parameters can be a null pointer + /// if you do not need that parameter. /// - /// \warning It is deprecated and a security risk to not provide - /// a PRNG here and thereby prevent the use of blinding. - /// Future versions of the library may enforce the presence - /// of a PRNG. + /// \note If the private key or the public key was not set in \p key, + /// the corresponding output is unspecified. Future versions + /// may return an error in that case. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function, used for blinding. It is mandatory. - /// \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context. - /// \param input The input buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \param key The key pair to export from. + /// \param grp Slot for exported ECP group. + /// It must either be null or point to an initialized ECP group. + /// \param d Slot for the exported secret value. + /// It must either be null or point to an initialized mpi. + /// \param Q Slot for the exported public value. + /// It must either be null or point to an initialized ECP point. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_private( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, + /// \return \c 0 on success, + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. + /// \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't + /// correspond to a known group. + /// \return Another negative error code on other kinds of failure. + pub fn mbedtls_ecp_export( + key: *const mbedtls_ecp_keypair, + grp: *mut mbedtls_ecp_group, + d: *mut mbedtls_mpi, + Q: *mut mbedtls_ecp_point, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function adds the message padding, then performs an RSA - /// operation. - /// - /// It is the generic wrapper for performing a PKCS#1 encryption - /// operation. - /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG to use. It is used for padding generation - /// and it is mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. May be - /// \c NULL if \p f_rng doesn't need a context argument. - /// \param ilen The length of the plaintext in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \brief The ECP checkup routine. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return \c 1 on failure. + pub fn mbedtls_ecp_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief The RSA context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_rsa_context { + ///< Reserved for internal purposes. + /// Do not set this field in application + /// code. Its meaning might change without + /// notice. + pub private_ver: ::core::ffi::c_int, + ///< The size of \p N in Bytes. + pub private_len: usize, + ///< The public modulus. + pub private_N: mbedtls_mpi, + ///< The public exponent. + pub private_E: mbedtls_mpi, + ///< The private exponent. + pub private_D: mbedtls_mpi, + ///< The first prime factor. + pub private_P: mbedtls_mpi, + ///< The second prime factor. + pub private_Q: mbedtls_mpi, + ///< D % (P - 1). + pub private_DP: mbedtls_mpi, + ///< D % (Q - 1). + pub private_DQ: mbedtls_mpi, + ///< 1 / (Q % P). + pub private_QP: mbedtls_mpi, + ///< cached R^2 mod N. + pub private_RN: mbedtls_mpi, + ///< cached R^2 mod P. + pub private_RP: mbedtls_mpi, + ///< cached R^2 mod Q. + pub private_RQ: mbedtls_mpi, + ///< The cached blinding value. + pub private_Vi: mbedtls_mpi, + ///< The cached un-blinding value. + pub private_Vf: mbedtls_mpi, + ///< Selects padding mode: + ///#MBEDTLS_RSA_PKCS_V15 for 1.5 padding and + ///#MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. + pub private_padding: ::core::ffi::c_int, + ///< Hash identifier of mbedtls_md_type_t type, + ///as specified in md.h for use in the MGF + ///mask generating function used in the + ///EME-OAEP and EMSA-PSS encodings. + pub private_hash_id: ::core::ffi::c_int, +} +impl Default for mbedtls_rsa_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 encryption operation - /// (RSAES-PKCS1-v1_5-ENCRYPT). + /// \brief This function initializes an RSA context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. It is mandatory and used for - /// padding generation. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// \param ilen The length of the plaintext in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note This function initializes the padding and the hash + /// identifier to respectively #MBEDTLS_RSA_PKCS_V15 and + /// #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more + /// information about those parameters. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_pkcs1_v15_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param ctx The RSA context to initialize. This must not be \c NULL. + pub fn mbedtls_rsa_init(ctx: *mut mbedtls_rsa_context); } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 OAEP encryption - /// operation (RSAES-OAEP-ENCRYPT). - /// - /// \note The output buffer must be as large as the size - /// of ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// \brief This function sets padding for an already initialized RSA + /// context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. This is needed for padding - /// generation and is mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. This may - /// be \c NULL if \p f_rng doesn't need a context argument. - /// \param label The buffer holding the custom label to use. - /// This must be a readable buffer of length \p label_len - /// Bytes. It may be \c NULL if \p label_len is \c 0. - /// \param label_len The length of the label in Bytes. - /// \param ilen The length of the plaintext buffer \p input in Bytes. - /// \param input The input data to encrypt. This must be a readable - /// buffer of size \p ilen Bytes. It may be \c NULL if - /// `ilen == 0`. - /// \param output The output buffer. This must be a writable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP + /// encryption scheme and the RSASSA-PSS signature scheme. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_oaep_encrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - label: *const ::core::ffi::c_uchar, - label_len: usize, - ilen: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function performs an RSA operation, then removes the - /// message padding. + /// \note The \p hash_id parameter is ignored when using + /// #MBEDTLS_RSA_PKCS_V15 padding. /// - /// It is the generic wrapper for performing a PKCS#1 decryption - /// operation. + /// \note The choice of padding mode is strictly enforced for private + /// key operations, since there might be security concerns in + /// mixing padding modes. For public key operations it is + /// a default value, which can be overridden by calling specific + /// \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx + /// functions. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N (for example, - /// 128 Bytes if RSA-1024 is used) to be able to hold an - /// arbitrary decrypted message. If it is not large enough to - /// hold the decryption of the particular ciphertext provided, - /// the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \note The hash selected in \p hash_id is always used for OEAP + /// encryption. For PSS signatures, it is always used for + /// making signatures, but can be overridden for verifying them. + /// If set to #MBEDTLS_MD_NONE, it is always overridden. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// \param ctx The initialized RSA context to be configured. + /// \param padding The padding mode to use. This must be either + /// #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. + /// \param hash_id The hash identifier for PSS or OAEP, if \p padding is + /// #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this + /// function but may be not suitable for some operations. + /// Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_decrypt( + /// \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: + /// \p padding or \p hash_id is invalid. + pub fn mbedtls_rsa_set_padding( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, + padding: ::core::ffi::c_int, + hash_id: mbedtls_md_type_t, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 decryption - /// operation (RSAES-PKCS1-v1_5-DECRYPT). + /// \brief This function retrieves padding mode of initialized + /// RSA context. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N, for example, - /// 128 Bytes if RSA-1024 is used, to be able to hold an - /// arbitrary decrypted message. If it is not large enough to - /// hold the decryption of the particular ciphertext provided, - /// the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \param ctx The initialized RSA context. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// \return RSA padding mode. + pub fn mbedtls_rsa_get_padding_mode(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function retrieves hash identifier of mbedtls_md_type_t + /// type. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_pkcs1_v15_decrypt( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The initialized RSA context. + /// + /// \return Hash identifier of mbedtls_md_type_t type. + pub fn mbedtls_rsa_get_md_alg(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 OAEP decryption - /// operation (RSAES-OAEP-DECRYPT). + /// \brief This function imports a set of core parameters into an + /// RSA context. /// - /// \note The output buffer length \c output_max_len should be - /// as large as the size \p ctx->len of \p ctx->N, for - /// example, 128 Bytes if RSA-1024 is used, to be able to - /// hold an arbitrary decrypted message. If it is not - /// large enough to hold the decryption of the particular - /// ciphertext provided, the function returns - /// #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// \note This function can be called multiple times for successive + /// imports, if the parameters are not simultaneously present. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context. - /// \param label The buffer holding the custom label to use. - /// This must be a readable buffer of length \p label_len - /// Bytes. It may be \c NULL if \p label_len is \c 0. - /// \param label_len The length of the label in Bytes. - /// \param olen The address at which to store the length of - /// the plaintext. This must not be \c NULL. - /// \param input The ciphertext buffer. This must be a readable buffer - /// of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. - /// \param output The buffer used to hold the plaintext. This must - /// be a writable buffer of length \p output_max_len Bytes. - /// \param output_max_len The length in Bytes of the output buffer \p output. + /// Any sequence of calls to this function should be followed + /// by a call to mbedtls_rsa_complete(), which checks and + /// completes the provided information to a ready-for-use + /// public or private RSA key. + /// + /// \note See mbedtls_rsa_complete() for more information on which + /// parameters are necessary to set up a private or public + /// RSA key. + /// + /// \note The imported parameters are copied and need not be preserved + /// for the lifetime of the RSA context being set up. + /// + /// \param ctx The initialized RSA context to store the parameters in. + /// \param N The RSA modulus. This may be \c NULL. + /// \param P The first prime factor of \p N. This may be \c NULL. + /// \param Q The second prime factor of \p N. This may be \c NULL. + /// \param D The private exponent. This may be \c NULL. + /// \param E The public exponent. This may be \c NULL. /// /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsaes_oaep_decrypt( + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_import( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - label: *const ::core::ffi::c_uchar, - label_len: usize, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, + N: *const mbedtls_mpi, + P: *const mbedtls_mpi, + Q: *const mbedtls_mpi, + D: *const mbedtls_mpi, + E: *const mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a private RSA operation to sign - /// a message digest using PKCS#1. + /// \brief This function imports core RSA parameters, in raw big-endian + /// binary format, into an RSA context. /// - /// It is the generic wrapper for performing a PKCS#1 - /// signature. + /// \note This function can be called multiple times for successive + /// imports, if the parameters are not simultaneously present. /// - /// \note The \p sig buffer must be as large as the size - /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// Any sequence of calls to this function should be followed + /// by a call to mbedtls_rsa_complete(), which checks and + /// completes the provided information to a ready-for-use + /// public or private RSA key. /// - /// \note For PKCS#1 v2.1 encoding, see comments on - /// mbedtls_rsa_rsassa_pss_sign() for details on - /// \p md_alg and \p hash_id. + /// \note See mbedtls_rsa_complete() for more information on which + /// parameters are necessary to set up a private or public + /// RSA key. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function to use. This is mandatory and - /// must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// \note The imported parameters are copied and need not be preserved + /// for the lifetime of the RSA context being set up. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_sign( + /// \param ctx The initialized RSA context to store the parameters in. + /// \param N The RSA modulus. This may be \c NULL. + /// \param N_len The Byte length of \p N; it is ignored if \p N == NULL. + /// \param P The first prime factor of \p N. This may be \c NULL. + /// \param P_len The Byte length of \p P; it is ignored if \p P == NULL. + /// \param Q The second prime factor of \p N. This may be \c NULL. + /// \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. + /// \param D The private exponent. This may be \c NULL. + /// \param D_len The Byte length of \p D; it is ignored if \p D == NULL. + /// \param E The public exponent. This may be \c NULL. + /// \param E_len The Byte length of \p E; it is ignored if \p E == NULL. + /// + /// \return \c 0 on success. + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_import_raw( ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, + N: *const ::core::ffi::c_uchar, + N_len: usize, + P: *const ::core::ffi::c_uchar, + P_len: usize, + Q: *const ::core::ffi::c_uchar, + Q_len: usize, + D: *const ::core::ffi::c_uchar, + D_len: usize, + E: *const ::core::ffi::c_uchar, + E_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 signature - /// operation (RSASSA-PKCS1-v1_5-SIGN). + /// \brief This function completes an RSA context from + /// a set of imported core parameters. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. This is used for blinding and is - /// mandatory; see mbedtls_rsa_private() for more. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// To setup an RSA public key, precisely \c N and \c E + /// must have been imported. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pkcs1_v15_sign( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS signature - /// operation (RSASSA-PSS-SIGN). + /// To setup an RSA private key, sufficient information must + /// be present for the other parameters to be derivable. /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. + /// The default implementation supports the following: + ///
  • Derive \c P, \c Q from \c N, \c D, \c E.
    • + ///
  • Derive \c N, \c D from \c P, \c Q, \c E.
+ /// Alternative implementations need not support these. /// - /// \note This function enforces that the provided salt length complies - /// with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 - /// step 3. The constraint is that the hash length plus the salt - /// length plus 2 bytes must be at most the key length. If this - /// constraint is not met, this function returns - /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. + /// If this function runs successfully, it guarantees that + /// the RSA context can be used for RSA operations without + /// the risk of failure or crash. /// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param saltlen The length of the salt that should be used. - /// If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use - /// the largest possible salt length up to the hash length, - /// which is the largest permitted by some standards including - /// FIPS 186-4 §5.5. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// \warning This function need not perform consistency checks + /// for the imported parameters. In particular, parameters that + /// are not needed by the implementation might be silently + /// discarded and left unchecked. To check the consistency + /// of the key material, see mbedtls_rsa_check_privkey(). /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_sign_ext( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - saltlen: ::core::ffi::c_int, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param ctx The initialized RSA context holding imported parameters. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations + /// failed. + pub fn mbedtls_rsa_complete(ctx: *mut mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS signature - /// operation (RSASSA-PSS-SIGN). + /// \brief This function exports the core parameters of an RSA key. /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. + /// If this function runs successfully, the non-NULL buffers + /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + /// written, with additional unused space filled leading by + /// zero Bytes. /// - /// \note This function always uses the maximum possible salt size, - /// up to the length of the payload hash. This choice of salt - /// size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 - /// v2.2) §9.1.1 step 3. Furthermore this function enforces a - /// minimum salt size which is the hash size minus 2 bytes. If - /// this minimum size is too large given the key size (the salt - /// size, plus the hash size, plus 2 bytes must be no more than - /// the key size in bytes), this function returns - /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. + /// Possible reasons for returning + /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    + ///
  • An alternative RSA implementation is in use, which + /// stores the key externally, and either cannot or should + /// not export it into RAM.
    • + ///
  • A SW or HW implementation might not support a certain + /// deduction. For example, \p P, \p Q from \p N, \p D, + /// and \p E if the former are not part of the + /// implementation.
/// - /// \param ctx The initialized RSA context to use. - /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - /// if \p f_rng doesn't need a context argument. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer to hold the signature. This must be a writable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. A buffer length of - /// #MBEDTLS_MPI_MAX_SIZE is always safe. + /// If the function fails due to an unsupported operation, + /// the RSA context stays intact and remains usable. /// - /// \return \c 0 if the signing operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_sign( - ctx: *mut mbedtls_rsa_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, + /// \param ctx The initialized RSA context. + /// \param N The MPI to hold the RSA modulus. + /// This may be \c NULL if this field need not be exported. + /// \param P The MPI to hold the first prime factor of \p N. + /// This may be \c NULL if this field need not be exported. + /// \param Q The MPI to hold the second prime factor of \p N. + /// This may be \c NULL if this field need not be exported. + /// \param D The MPI to hold the private exponent. + /// This may be \c NULL if this field need not be exported. + /// \param E The MPI to hold the public exponent. + /// This may be \c NULL if this field need not be exported. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the + /// requested parameters cannot be done due to missing + /// functionality or because of security policies. + /// \return A non-zero return code on any other failure. + pub fn mbedtls_rsa_export( + ctx: *const mbedtls_rsa_context, + N: *mut mbedtls_mpi, + P: *mut mbedtls_mpi, + Q: *mut mbedtls_mpi, + D: *mut mbedtls_mpi, + E: *mut mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a public RSA operation and checks - /// the message digest. - /// - /// This is the generic wrapper for performing a PKCS#1 - /// verification. + /// \brief This function exports core parameters of an RSA key + /// in raw big-endian binary format. /// - /// \note For PKCS#1 v2.1 encoding, see comments on - /// mbedtls_rsa_rsassa_pss_verify() about \p md_alg and - /// \p hash_id. + /// If this function runs successfully, the non-NULL buffers + /// pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + /// written, with additional unused space filled leading by + /// zero Bytes. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// Possible reasons for returning + /// #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
    + ///
  • An alternative RSA implementation is in use, which + /// stores the key externally, and either cannot or should + /// not export it into RAM.
    • + ///
  • A SW or HW implementation might not support a certain + /// deduction. For example, \p P, \p Q from \p N, \p D, + /// and \p E if the former are not part of the + /// implementation.
+ /// If the function fails due to an unsupported operation, + /// the RSA context stays intact and remains usable. /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_pkcs1_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, + /// \note The length parameters are ignored if the corresponding + /// buffer pointers are NULL. + /// + /// \param ctx The initialized RSA context. + /// \param N The Byte array to store the RSA modulus, + /// or \c NULL if this field need not be exported. + /// \param N_len The size of the buffer for the modulus. + /// \param P The Byte array to hold the first prime factor of \p N, + /// or \c NULL if this field need not be exported. + /// \param P_len The size of the buffer for the first prime factor. + /// \param Q The Byte array to hold the second prime factor of \p N, + /// or \c NULL if this field need not be exported. + /// \param Q_len The size of the buffer for the second prime factor. + /// \param D The Byte array to hold the private exponent, + /// or \c NULL if this field need not be exported. + /// \param D_len The size of the buffer for the private exponent. + /// \param E The Byte array to hold the public exponent, + /// or \c NULL if this field need not be exported. + /// \param E_len The size of the buffer for the public exponent. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the + /// requested parameters cannot be done due to missing + /// functionality or because of security policies. + /// \return A non-zero return code on any other failure. + pub fn mbedtls_rsa_export_raw( + ctx: *const mbedtls_rsa_context, + N: *mut ::core::ffi::c_uchar, + N_len: usize, + P: *mut ::core::ffi::c_uchar, + P_len: usize, + Q: *mut ::core::ffi::c_uchar, + Q_len: usize, + D: *mut ::core::ffi::c_uchar, + D_len: usize, + E: *mut ::core::ffi::c_uchar, + E_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v1.5 verification - /// operation (RSASSA-PKCS1-v1_5-VERIFY). + /// \brief This function exports CRT parameters of a private RSA key. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note Alternative RSA implementations not using CRT-parameters + /// internally can implement this function based on + /// mbedtls_rsa_deduce_opt(). /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pkcs1_v15_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, + /// \param ctx The initialized RSA context. + /// \param DP The MPI to hold \c D modulo `P-1`, + /// or \c NULL if it need not be exported. + /// \param DQ The MPI to hold \c D modulo `Q-1`, + /// or \c NULL if it need not be exported. + /// \param QP The MPI to hold modular inverse of \c Q modulo \c P, + /// or \c NULL if it need not be exported. + /// + /// \return \c 0 on success. + /// \return A non-zero error code on failure. + pub fn mbedtls_rsa_export_crt( + ctx: *const mbedtls_rsa_context, + DP: *mut mbedtls_mpi, + DQ: *mut mbedtls_mpi, + QP: *mut mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS verification - /// operation (RSASSA-PSS-VERIFY). - /// - /// \note The \c hash_id set in \p ctx by calling - /// mbedtls_rsa_set_padding() selects the hash used for the - /// encoding operation and for the mask generation function - /// (MGF1). For more details on the encoding operation and the - /// mask generation function, consult RFC-3447: Public-Key - /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. If the \c hash_id set in \p ctx by - /// mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg - /// parameter is used. + /// \brief This function retrieves the length of the RSA modulus in bits. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \param ctx The initialized RSA context. /// - /// \return \c 0 if the verify operation was successful. - /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_verify( - ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \return The length of the RSA modulus in bits. + pub fn mbedtls_rsa_get_bitlen(ctx: *const mbedtls_rsa_context) -> usize; } unsafe extern "C" { - /// \brief This function performs a PKCS#1 v2.1 PSS verification - /// operation (RSASSA-PSS-VERIFY). + /// \brief This function retrieves the length of RSA modulus in Bytes. /// - /// \note The \p sig buffer must be as large as the size - /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. + /// \param ctx The initialized RSA context. /// - /// \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is - /// ignored. + /// \return The length of the RSA modulus in Bytes. + pub fn mbedtls_rsa_get_len(ctx: *const mbedtls_rsa_context) -> usize; +} +unsafe extern "C" { + /// \brief This function generates an RSA keypair. /// - /// \param ctx The initialized RSA public key context to use. - /// \param md_alg The message-digest algorithm used to hash the original data. - /// Use #MBEDTLS_MD_NONE for signing raw data. - /// \param hashlen The length of the message digest or raw data in Bytes. - /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the - /// output length of the corresponding hash algorithm. - /// \param hash The buffer holding the message digest or raw data. - /// This must be a readable buffer of at least \p hashlen Bytes. - /// \param mgf1_hash_id The message digest algorithm used for the - /// verification operation and the mask generation - /// function (MGF1). For more details on the encoding - /// operation and the mask generation function, consult - /// RFC-3447: Public-Key Cryptography Standards - /// (PKCS) #1 v2.1: RSA Cryptography - /// Specifications. - /// \param expected_salt_len The length of the salt used in padding. Use - /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. - /// \param sig The buffer holding the signature. This must be a readable - /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - /// for an 2048-bit RSA modulus. + /// \note mbedtls_rsa_init() must be called before this function, + /// to set up the RSA context. /// - /// \return \c 0 if the verify operation was successful. + /// \param ctx The initialized RSA context used to hold the key. + /// \param f_rng The RNG function to be used for key generation. + /// This is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. + /// This may be \c NULL if \p f_rng doesn't need a context. + /// \param nbits The size of the public key in bits. + /// \param exponent The public exponent to use. For example, \c 65537. + /// This must be odd and greater than \c 1. + /// + /// \return \c 0 on success. /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. - pub fn mbedtls_rsa_rsassa_pss_verify_ext( + pub fn mbedtls_rsa_gen_key( ctx: *mut mbedtls_rsa_context, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - mgf1_hash_id: mbedtls_md_type_t, - expected_salt_len: ::core::ffi::c_int, - sig: *const ::core::ffi::c_uchar, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + nbits: ::core::ffi::c_uint, + exponent: ::core::ffi::c_int, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function copies the components of an RSA context. + /// \brief This function checks if a context contains at least an RSA + /// public key. /// - /// \param dst The destination context. This must be initialized. - /// \param src The source context. This must be initialized. + /// If the function runs successfully, it is guaranteed that + /// enough information is present to perform an RSA public key + /// operation using mbedtls_rsa_public(). + /// + /// \param ctx The initialized RSA context to check. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. - pub fn mbedtls_rsa_copy( - dst: *mut mbedtls_rsa_context, - src: *const mbedtls_rsa_context, - ) -> ::core::ffi::c_int; + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_pubkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function frees the components of an RSA key. + /// \brief This function checks if a context contains an RSA private key + /// and perform basic consistency checks. /// - /// \param ctx The RSA context to free. May be \c NULL, in which case - /// this function is a no-op. If it is not \c NULL, it must - /// point to an initialized RSA context. - pub fn mbedtls_rsa_free(ctx: *mut mbedtls_rsa_context); + /// \note The consistency checks performed by this function not only + /// ensure that mbedtls_rsa_private() can be called successfully + /// on the given context, but that the various parameters are + /// mutually consistent with high probability, in the sense that + /// mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. + /// + /// \warning This function should catch accidental misconfigurations + /// like swapping of parameters, but it cannot establish full + /// trust in neither the quality nor the consistency of the key + /// material that was used to setup the given RSA context: + ///
  • Consistency: Imported parameters that are irrelevant + /// for the implementation might be silently dropped. If dropped, + /// the current function does not have access to them, + /// and therefore cannot check them. See mbedtls_rsa_complete(). + /// If you want to check the consistency of the entire + /// content of a PKCS1-encoded RSA private key, for example, you + /// should use mbedtls_rsa_validate_params() before setting + /// up the RSA context. + /// Additionally, if the implementation performs empirical checks, + /// these checks substantiate but do not guarantee consistency.
    • + ///
  • Quality: This function is not expected to perform + /// extended quality assessments like checking that the prime + /// factors are safe. Additionally, it is the responsibility of the + /// user to ensure the trustworthiness of the source of his RSA + /// parameters, which goes beyond what is effectively checkable + /// by the library.
+ /// + /// \param ctx The initialized RSA context to check. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_privkey(ctx: *const mbedtls_rsa_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief The RSA checkup routine. + /// \brief This function checks a public-private RSA key pair. + /// + /// It checks each of the contexts, and makes sure they match. + /// + /// \param pub The initialized RSA context holding the public key. + /// \param prv The initialized RSA context holding the private key. /// /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_rsa_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -/// \brief The ECDSA context structure. -/// -/// \warning Performing multiple operations concurrently on the same -/// ECDSA context is not supported; objects of this type -/// should not be shared between multiple threads. -/// -/// \note pk_wrap module assumes that "ecdsa_context" is identical -/// to "ecp_keypair" (see for example structure -/// "mbedtls_eckey_info" where ECDSA sign/verify functions -/// are used also for EC key) -pub type mbedtls_ecdsa_context = mbedtls_ecp_keypair; -pub type mbedtls_ecdsa_restart_ctx = ::core::ffi::c_void; + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_check_pub_priv( + pub_: *const mbedtls_rsa_context, + prv: *const mbedtls_rsa_context, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { - /// \brief This function checks whether a given group can be used - /// for ECDSA. + /// \brief This function performs an RSA public key operation. /// - /// \param gid The ECP group ID to check. + /// \param ctx The initialized RSA context to use. + /// \param input The input buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 1 if the group can be used, \c 0 otherwise - pub fn mbedtls_ecdsa_can_do(gid: mbedtls_ecp_group_id) -> ::core::ffi::c_int; + /// \note This function does not handle message padding. + /// + /// \note Make sure to set \p input[0] = 0 or ensure that + /// input is smaller than \c N. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_public( + ctx: *mut mbedtls_rsa_context, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message. + /// \brief This function performs an RSA private key operation. /// - /// \note The deterministic version implemented in - /// mbedtls_ecdsa_sign_det_ext() is usually preferred. + /// \note Blinding is used if and only if a PRNG is provided. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated - /// as defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. + /// \note If blinding is used, both the base of exponentiation + /// and the exponent are blinded, providing protection + /// against some side-channel attacks. /// - /// \see ecp.h + /// \warning It is deprecated and a security risk to not provide + /// a PRNG here and thereby prevent the use of blinding. + /// Future versions of the library may enforce the presence + /// of a PRNG. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized. - /// \param buf The content to be signed. This is usually the hash of - /// the original data to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function, used for blinding. It is mandatory. + /// \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context. + /// \param input The input buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX - /// or \c MBEDTLS_MPI_XXX error code on failure. - pub fn mbedtls_ecdsa_sign( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_private( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, deterministic version. + /// \brief This function adds the message padding, then performs an RSA + /// operation. /// - /// For more information, see RFC-6979: Deterministic - /// Usage of the Digital Signature Algorithm (DSA) and Elliptic - /// Curve Digital Signature Algorithm (ECDSA). + /// It is the generic wrapper for performing a PKCS#1 encryption + /// operation. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG to use. It is used for padding generation + /// and it is mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. May be + /// \c NULL if \p f_rng doesn't need a context argument. + /// \param ilen The length of the plaintext in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \see ecp.h + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a PKCS#1 v1.5 encryption operation + /// (RSAES-PKCS1-v1_5-ENCRYPT). /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param md_alg The hash algorithm used to hash the original data. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. It is mandatory and used for + /// padding generation. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. + /// \param ilen The length of the plaintext in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_det_ext( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - md_alg: mbedtls_md_type_t, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_pkcs1_v15_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, in a restartable way. + /// \brief This function performs a PKCS#1 v2.1 OAEP encryption + /// operation (RSAES-OAEP-ENCRYPT). /// - /// \note The deterministic version implemented in - /// mbedtls_ecdsa_sign_det_restartable() is usually - /// preferred. + /// \note The output buffer must be as large as the size + /// of ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \note This function is like \c mbedtls_ecdsa_sign() but - /// it can return early and restart according to the - /// limit set with \c mbedtls_ecp_set_max_ops() to - /// reduce blocking. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. This is needed for padding + /// generation and is mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. This may + /// be \c NULL if \p f_rng doesn't need a context argument. + /// \param label The buffer holding the custom label to use. + /// This must be a readable buffer of length \p label_len + /// Bytes. It may be \c NULL if \p label_len is \c 0. + /// \param label_len The length of the label in Bytes. + /// \param ilen The length of the plaintext buffer \p input in Bytes. + /// \param input The input data to encrypt. This must be a readable + /// buffer of size \p ilen Bytes. It may be \c NULL if + /// `ilen == 0`. + /// \param output The output buffer. This must be a writable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \note If the bitlength of the message hash is larger - /// than the bitlength of the group order, then the - /// hash is truncated as defined in Standards for - /// Efficient Cryptography Group (SECG): SEC1 Elliptic - /// Curve Cryptography, section 4.1.3, step 5. + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_oaep_encrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + label: *const ::core::ffi::c_uchar, + label_len: usize, + ilen: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs an RSA operation, then removes the + /// message padding. /// - /// \see ecp.h + /// It is the generic wrapper for performing a PKCS#1 decryption + /// operation. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through - /// mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param f_rng The RNG function. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param rs_ctx The restart context to use. This may be \c NULL - /// to disable restarting. If it is not \c NULL, it - /// must point to an initialized restart context. + /// \warning When \p ctx->padding is set to #MBEDTLS_RSA_PKCS_V15, + /// mbedtls_rsa_rsaes_pkcs1_v15_decrypt() is called, which is an + /// inherently dangerous function (CWE-242). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c - /// mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c - /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_restartable( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N (for example, + /// 128 Bytes if RSA-1024 is used) to be able to hold an + /// arbitrary decrypted message. If it is not large enough to + /// hold the decryption of the particular ciphertext provided, + /// the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. + /// + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature of a - /// previously-hashed message, in a restartable way. - /// - /// \note This function is like \c - /// mbedtls_ecdsa_sign_det_ext() but it can return - /// early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \brief This function performs a PKCS#1 v1.5 decryption + /// operation (RSAES-PKCS1-v1_5-DECRYPT). /// - /// \note If the bitlength of the message hash is larger - /// than the bitlength of the group order, then the - /// hash is truncated as defined in Standards for - /// Efficient Cryptography Group (SECG): SEC1 Elliptic - /// Curve Cryptography, section 4.1.3, step 5. + /// \warning This is an inherently dangerous function (CWE-242). Unless + /// it is used in a side channel free and safe way (eg. + /// implementing the TLS protocol as per 7.4.7.1 of RFC 5246), + /// the calling code is vulnerable. /// - /// \see ecp.h + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N, for example, + /// 128 Bytes if RSA-1024 is used, to be able to hold an + /// arbitrary decrypted message. If it is not large enough to + /// hold the decryption of the particular ciphertext provided, + /// the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. /// - /// \param grp The context for the elliptic curve to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param r The MPI context in which to store the first part - /// the signature. This must be initialized. - /// \param s The MPI context in which to store the second part - /// the signature. This must be initialized. - /// \param d The private signing key. This must be initialized - /// and setup, for example through - /// mbedtls_ecp_gen_privkey(). - /// \param buf The hashed content to be signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param md_alg The hash algorithm used to hash the original data. - /// \param f_rng_blind The RNG function used for blinding. This must not be - /// \c NULL. - /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context parameter. - /// \param rs_ctx The restart context to use. This may be \c NULL - /// to disable restarting. If it is not \c NULL, it - /// must point to an initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c - /// mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c - /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_sign_det_restartable( - grp: *mut mbedtls_ecp_group, - r: *mut mbedtls_mpi, - s: *mut mbedtls_mpi, - d: *const mbedtls_mpi, - buf: *const ::core::ffi::c_uchar, - blen: usize, - md_alg: mbedtls_md_type_t, - f_rng_blind: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng_blind: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_pkcs1_v15_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function verifies the ECDSA signature of a - /// previously-hashed message. - /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// \brief This function performs a PKCS#1 v2.1 OAEP decryption + /// operation (RSAES-OAEP-DECRYPT). /// - /// \see ecp.h + /// \note The output buffer length \c output_max_len should be + /// as large as the size \p ctx->len of \p ctx->N, for + /// example, 128 Bytes if RSA-1024 is used, to be able to + /// hold an arbitrary decrypted message. If it is not + /// large enough to hold the decryption of the particular + /// ciphertext provided, the function returns + /// #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param buf The hashed content that was signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param Q The public key to use for verification. This must be - /// initialized and setup. - /// \param r The first integer of the signature. - /// This must be initialized. - /// \param s The second integer of the signature. - /// This must be initialized. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context. + /// \param label The buffer holding the custom label to use. + /// This must be a readable buffer of length \p label_len + /// Bytes. It may be \c NULL if \p label_len is \c 0. + /// \param label_len The length of the label in Bytes. + /// \param olen The address at which to store the length of + /// the plaintext. This must not be \c NULL. + /// \param input The ciphertext buffer. This must be a readable buffer + /// of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// \param output The buffer used to hold the plaintext. This must + /// be a writable buffer of length \p output_max_len Bytes. + /// \param output_max_len The length in Bytes of the output buffer \p output. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_verify( - grp: *mut mbedtls_ecp_group, - buf: *const ::core::ffi::c_uchar, - blen: usize, - Q: *const mbedtls_ecp_point, - r: *const mbedtls_mpi, - s: *const mbedtls_mpi, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsaes_oaep_decrypt( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + label: *const ::core::ffi::c_uchar, + label_len: usize, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function verifies the ECDSA signature of a - /// previously-hashed message, in a restartable manner + /// \brief This function performs a private RSA operation to sign + /// a message digest using PKCS#1. /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// It is the generic wrapper for performing a PKCS#1 + /// signature. /// - /// \see ecp.h + /// \note The \p sig buffer must be as large as the size + /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \param grp The ECP group to use. - /// This must be initialized and have group parameters - /// set, for example through mbedtls_ecp_group_load(). - /// \param buf The hashed content that was signed. This must be a readable - /// buffer of length \p blen Bytes. It may be \c NULL if - /// \p blen is zero. - /// \param blen The length of \p buf in Bytes. - /// \param Q The public key to use for verification. This must be - /// initialized and setup. - /// \param r The first integer of the signature. - /// This must be initialized. - /// \param s The second integer of the signature. - /// This must be initialized. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. - /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - /// error code on failure. - pub fn mbedtls_ecdsa_verify_restartable( - grp: *mut mbedtls_ecp_group, - buf: *const ::core::ffi::c_uchar, - blen: usize, - Q: *const mbedtls_ecp_point, - r: *const mbedtls_mpi, - s: *const mbedtls_mpi, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function computes the ECDSA signature and writes it - /// to a buffer, serialized as defined in RFC-4492: - /// Elliptic Curve Cryptography (ECC) Cipher Suites for - /// Transport Layer Security (TLS). - /// - /// \warning It is not thread-safe to use the same context in - /// multiple threads. - /// - /// \note The deterministic version is used if - /// #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more - /// information, see RFC-6979: Deterministic Usage - /// of the Digital Signature Algorithm (DSA) and Elliptic - /// Curve Digital Signature Algorithm (ECDSA). - /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.3, step 5. - /// - /// \see ecp.h + /// \note For PKCS#1 v2.1 encoding, see comments on + /// mbedtls_rsa_rsassa_pss_sign() for details on + /// \p md_alg and \p hash_id. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and private key bound to it, for example - /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). - /// \param md_alg The message digest that was used to hash the message. - /// \param hash The message hash to be signed. This must be a readable - /// buffer of length \p blen Bytes. - /// \param hlen The length of the hash \p hash in Bytes. - /// \param sig The buffer to which to write the signature. This must be a - /// writable buffer of length at least twice as large as the - /// size of the curve used, plus 9. For example, 73 Bytes if - /// a 256-bit curve is used. A buffer length of - /// #MBEDTLS_ECDSA_MAX_LEN is always safe. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param slen The address at which to store the actual length of - /// the signature written. Must not be \c NULL. - /// \param f_rng The RNG function. This must not be \c NULL if - /// #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, - /// it is used only for blinding and may be set to \c NULL, but - /// doing so is DEPRECATED. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function to use. This is mandatory and + /// must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or - /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. - pub fn mbedtls_ecdsa_write_signature( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - slen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function computes the ECDSA signature and writes it - /// to a buffer, in a restartable way. - /// - /// \see \c mbedtls_ecdsa_write_signature() - /// - /// \note This function is like \c mbedtls_ecdsa_write_signature() - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \brief This function performs a PKCS#1 v1.5 signature + /// operation (RSASSA-PKCS1-v1_5-SIGN). /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and private key bound to it, for example - /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). - /// \param md_alg The message digest that was used to hash the message. - /// \param hash The message hash to be signed. This must be a readable - /// buffer of length \p blen Bytes. - /// \param hlen The length of the hash \p hash in Bytes. - /// \param sig The buffer to which to write the signature. This must be a - /// writable buffer of length at least twice as large as the - /// size of the curve used, plus 9. For example, 73 Bytes if - /// a 256-bit curve is used. A buffer length of - /// #MBEDTLS_ECDSA_MAX_LEN is always safe. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param slen The address at which to store the actual length of - /// the signature written. Must not be \c NULL. - /// \param f_rng The RNG function. This must not be \c NULL if - /// #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, - /// it is unused and may be set to \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng is \c NULL or doesn't use a context. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. This is used for blinding and is + /// mandatory; see mbedtls_rsa_private() for more. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or - /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. - pub fn mbedtls_ecdsa_write_signature_restartable( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pkcs1_v15_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - slen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function reads and verifies an ECDSA signature. + /// \brief This function performs a PKCS#1 v2.1 PSS signature + /// operation (RSASSA-PSS-SIGN). /// - /// \note If the bitlength of the message hash is larger than the - /// bitlength of the group order, then the hash is truncated as - /// defined in Standards for Efficient Cryptography Group - /// (SECG): SEC1 Elliptic Curve Cryptography, section - /// 4.1.4, step 3. + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. /// - /// \see ecp.h + /// \note This function enforces that the provided salt length complies + /// with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 + /// step 3. The constraint is that the hash length plus the salt + /// length plus 2 bytes must be at most the key length. If this + /// constraint is not met, this function returns + /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and public key bound to it. - /// \param hash The message hash that was signed. This must be a readable - /// buffer of length \p size Bytes. - /// \param hlen The size of the hash \p hash. - /// \param sig The signature to read and verify. This must be a readable - /// buffer of length \p slen Bytes. - /// \param slen The size of \p sig in Bytes. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param saltlen The length of the salt that should be used. + /// If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use + /// the largest possible salt length up to the hash length, + /// which is the largest permitted by some standards including + /// FIPS 186-4 §5.5. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. - /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid - /// signature in \p sig, but its length is less than \p siglen. - /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX - /// error code on failure for any other reason. - pub fn mbedtls_ecdsa_read_signature( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_sign_ext( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, - sig: *const ::core::ffi::c_uchar, - slen: usize, + saltlen: ::core::ffi::c_int, + sig: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function reads and verifies an ECDSA signature, - /// in a restartable way. + /// \brief This function performs a PKCS#1 v2.1 PSS signature + /// operation (RSASSA-PSS-SIGN). /// - /// \see \c mbedtls_ecdsa_read_signature() + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. /// - /// \note This function is like \c mbedtls_ecdsa_read_signature() - /// but it can return early and restart according to the limit - /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// \note This function always uses the maximum possible salt size, + /// up to the length of the payload hash. This choice of salt + /// size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 + /// v2.2) §9.1.1 step 3. Furthermore this function enforces a + /// minimum salt size which is the hash size minus 2 bytes. If + /// this minimum size is too large given the key size (the salt + /// size, plus the hash size, plus 2 bytes must be no more than + /// the key size in bytes), this function returns + /// #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. /// - /// \param ctx The ECDSA context to use. This must be initialized - /// and have a group and public key bound to it. - /// \param hash The message hash that was signed. This must be a readable - /// buffer of length \p size Bytes. - /// \param hlen The size of the hash \p hash. - /// \param sig The signature to read and verify. This must be a readable - /// buffer of length \p slen Bytes. - /// \param slen The size of \p sig in Bytes. - /// \param rs_ctx The restart context to use. This may be \c NULL to disable - /// restarting. If it is not \c NULL, it must point to an - /// initialized restart context. + /// \param ctx The initialized RSA context to use. + /// \param f_rng The RNG function. It is mandatory and must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL + /// if \p f_rng doesn't need a context argument. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer to hold the signature. This must be a writable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. A buffer length of + /// #MBEDTLS_MPI_MAX_SIZE is always safe. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. - /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid - /// signature in \p sig, but its length is less than \p siglen. - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - /// \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX - /// error code on failure for any other reason. - pub fn mbedtls_ecdsa_read_signature_restartable( - ctx: *mut mbedtls_ecdsa_context, + /// \return \c 0 if the signing operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_sign( + ctx: *mut mbedtls_rsa_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a public RSA operation and checks + /// the message digest. + /// + /// This is the generic wrapper for performing a PKCS#1 + /// verification. + /// + /// \note For PKCS#1 v2.1 encoding, see comments on + /// mbedtls_rsa_rsassa_pss_verify() about \c md_alg and + /// \c hash_id. + /// + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_pkcs1_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, hash: *const ::core::ffi::c_uchar, - hlen: usize, sig: *const ::core::ffi::c_uchar, - slen: usize, - rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function generates an ECDSA keypair on the given curve. + /// \brief This function performs a PKCS#1 v1.5 verification + /// operation (RSASSA-PKCS1-v1_5-VERIFY). /// - /// \see ecp.h + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. /// - /// \param ctx The ECDSA context to store the keypair in. - /// This must be initialized. - /// \param gid The elliptic curve to use. One of the various - /// \c MBEDTLS_ECP_DP_XXX macros depending on configuration. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG context to be passed to \p f_rng. This may be - /// \c NULL if \p f_rng doesn't need a context argument. + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pkcs1_v15_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function performs a PKCS#1 v2.1 PSS verification + /// operation (RSASSA-PSS-VERIFY). /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. - pub fn mbedtls_ecdsa_genkey( - ctx: *mut mbedtls_ecdsa_context, - gid: mbedtls_ecp_group_id, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \note The \c hash_id set in \p ctx by calling + /// mbedtls_rsa_set_padding() selects the hash used for the + /// encoding operation and for the mask generation function + /// (MGF1). For more details on the encoding operation and the + /// mask generation function, consult RFC-3447: Public-Key + /// Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. If the \c hash_id set in \p ctx by + /// mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg + /// parameter is used. + /// + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_verify( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *const ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function sets up an ECDSA context from an EC key pair. + /// \brief This function performs a PKCS#1 v2.1 PSS verification + /// operation (RSASSA-PSS-VERIFY). /// - /// \see ecp.h + /// \note The \p sig buffer must be as large as the size + /// of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. /// - /// \param ctx The ECDSA context to setup. This must be initialized. - /// \param key The EC key to use. This must be initialized and hold - /// a private-public key pair or a public key. In the former - /// case, the ECDSA context may be used for signature creation - /// and verification after this call. In the latter case, it - /// may be used for signature verification. + /// \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is + /// ignored. /// - /// \return \c 0 on success. - /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. - pub fn mbedtls_ecdsa_from_keypair( - ctx: *mut mbedtls_ecdsa_context, - key: *const mbedtls_ecp_keypair, + /// \param ctx The initialized RSA public key context to use. + /// \param md_alg The message-digest algorithm used to hash the original data. + /// Use #MBEDTLS_MD_NONE for signing raw data. + /// \param hashlen The length of the message digest or raw data in Bytes. + /// If \p md_alg is not #MBEDTLS_MD_NONE, this must match the + /// output length of the corresponding hash algorithm. + /// \param hash The buffer holding the message digest or raw data. + /// This must be a readable buffer of at least \p hashlen Bytes. + /// \param mgf1_hash_id The message digest algorithm used for the + /// verification operation and the mask generation + /// function (MGF1). For more details on the encoding + /// operation and the mask generation function, consult + /// RFC-3447: Public-Key Cryptography Standards + /// (PKCS) #1 v2.1: RSA Cryptography + /// Specifications. + /// \param expected_salt_len The length of the salt used in padding. Use + /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. + /// \param sig The buffer holding the signature. This must be a readable + /// buffer of length \c ctx->len Bytes. For example, \c 256 Bytes + /// for an 2048-bit RSA modulus. + /// + /// \return \c 0 if the verify operation was successful. + /// \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. + pub fn mbedtls_rsa_rsassa_pss_verify_ext( + ctx: *mut mbedtls_rsa_context, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + mgf1_hash_id: mbedtls_md_type_t, + expected_salt_len: ::core::ffi::c_int, + sig: *const ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function initializes an ECDSA context. + /// \brief This function copies the components of an RSA context. /// - /// \param ctx The ECDSA context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_ecdsa_init(ctx: *mut mbedtls_ecdsa_context); + /// \param dst The destination context. This must be initialized. + /// \param src The source context. This must be initialized. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. + pub fn mbedtls_rsa_copy( + dst: *mut mbedtls_rsa_context, + src: *const mbedtls_rsa_context, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief This function frees an ECDSA context. + /// \brief This function frees the components of an RSA key. /// - /// \param ctx The ECDSA context to free. This may be \c NULL, - /// in which case this function does nothing. If it - /// is not \c NULL, it must be initialized. - pub fn mbedtls_ecdsa_free(ctx: *mut mbedtls_ecdsa_context); + /// \param ctx The RSA context to free. May be \c NULL, in which case + /// this function is a no-op. If it is not \c NULL, it must + /// point to an initialized RSA context. + pub fn mbedtls_rsa_free(ctx: *mut mbedtls_rsa_context); } -pub const mbedtls_pk_type_t_MBEDTLS_PK_NONE: mbedtls_pk_type_t = 0; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA: mbedtls_pk_type_t = 1; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY: mbedtls_pk_type_t = 2; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY_DH: mbedtls_pk_type_t = 3; -pub const mbedtls_pk_type_t_MBEDTLS_PK_ECDSA: mbedtls_pk_type_t = 4; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA_ALT: mbedtls_pk_type_t = 5; -pub const mbedtls_pk_type_t_MBEDTLS_PK_RSASSA_PSS: mbedtls_pk_type_t = 6; -pub const mbedtls_pk_type_t_MBEDTLS_PK_OPAQUE: mbedtls_pk_type_t = 7; -/// \brief Public key types -pub type mbedtls_pk_type_t = ::core::ffi::c_uint; -/// \brief Options for RSASSA-PSS signature verification. -/// See \c mbedtls_rsa_rsassa_pss_verify_ext() -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_rsassa_pss_options { - /// The digest to use for MGF1 in PSS. +unsafe extern "C" { + /// \brief The RSA checkup routine. /// - /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is - /// disabled, this must be equal to the \c md_alg argument passed - /// to mbedtls_pk_verify_ext(). In a future version of the library, - /// this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is - /// enabled regardless of the status of #MBEDTLS_RSA_C. - pub mgf1_hash_id: mbedtls_md_type_t, - /// The expected length of the salt, in bytes. This may be - /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. - /// - /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only - /// #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be - /// ignored (allowing any salt length). - pub expected_salt_len: ::core::ffi::c_int, -} -impl Default for mbedtls_pk_rsassa_pss_options { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_NONE: mbedtls_pk_debug_type = 0; -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_MPI: mbedtls_pk_debug_type = 1; -pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_ECP: mbedtls_pk_debug_type = 2; -/// \brief Types for interfacing with the debug module -pub type mbedtls_pk_debug_type = ::core::ffi::c_uint; -/// \brief Item to send to the debug module -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_debug_item { - pub private_type: mbedtls_pk_debug_type, - pub private_name: *const ::core::ffi::c_char, - pub private_value: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_pk_debug_item { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_info_t { - _unused: [u8; 0], -} -/// \brief Public key container -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_pk_context { - ///< Public key information - pub private_pk_info: *const mbedtls_pk_info_t, - ///< Underlying public key context - pub private_pk_ctx: *mut ::core::ffi::c_void, -} -impl Default for mbedtls_pk_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_rsa_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -pub type mbedtls_pk_restart_ctx = ::core::ffi::c_void; -/// \brief Types for RSA-alt abstraction -pub type mbedtls_pk_rsa_alt_decrypt_func = ::core::option::Option< - unsafe extern "C" fn( - ctx: *mut ::core::ffi::c_void, - olen: *mut usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - output_max_len: usize, - ) -> ::core::ffi::c_int, ->; -pub type mbedtls_pk_rsa_alt_sign_func = ::core::option::Option< - unsafe extern "C" fn( - ctx: *mut ::core::ffi::c_void, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - md_alg: mbedtls_md_type_t, - hashlen: ::core::ffi::c_uint, - hash: *const ::core::ffi::c_uchar, - sig: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int, ->; -pub type mbedtls_pk_rsa_alt_key_len_func = - ::core::option::Option usize>; +/// \brief The ECDSA context structure. +/// +/// \warning Performing multiple operations concurrently on the same +/// ECDSA context is not supported; objects of this type +/// should not be shared between multiple threads. +/// +/// \note pk_wrap module assumes that "ecdsa_context" is identical +/// to "ecp_keypair" (see for example structure +/// "mbedtls_eckey_info" where ECDSA sign/verify functions +/// are used also for EC key) +pub type mbedtls_ecdsa_context = mbedtls_ecp_keypair; +pub type mbedtls_ecdsa_restart_ctx = ::core::ffi::c_void; unsafe extern "C" { - /// \brief Return information associated with the given PK type - /// - /// \param pk_type PK type to search for. + /// \brief This function checks whether a given group can be used + /// for ECDSA. /// - /// \return The PK info associated with the type or NULL if not found. - pub fn mbedtls_pk_info_from_type(pk_type: mbedtls_pk_type_t) -> *const mbedtls_pk_info_t; -} -unsafe extern "C" { - /// \brief Initialize a #mbedtls_pk_context (as NONE). + /// \param gid The ECP group ID to check. /// - /// \param ctx The context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_pk_init(ctx: *mut mbedtls_pk_context); + /// \return \c 1 if the group can be used, \c 0 otherwise + pub fn mbedtls_ecdsa_can_do(gid: mbedtls_ecp_group_id) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Free the components of a #mbedtls_pk_context. + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message. /// - /// \param ctx The context to clear. It must have been initialized. - /// If this is \c NULL, this function does nothing. + /// \note The deterministic version implemented in + /// mbedtls_ecdsa_sign_det_ext() is usually preferred. /// - /// \note For contexts that have been set up with - /// mbedtls_pk_setup_opaque(), this does not free the underlying - /// PSA key and you still need to call psa_destroy_key() - /// independently if you want to destroy that key. - pub fn mbedtls_pk_free(ctx: *mut mbedtls_pk_context); -} -unsafe extern "C" { - /// \brief Initialize a PK context with the information given - /// and allocates the type-specific PK subcontext. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated + /// as defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \param ctx Context to initialize. It must not have been set - /// up yet (type #MBEDTLS_PK_NONE). - /// \param info Information to use + /// \see ecp.h /// - /// \return 0 on success, - /// MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input, - /// MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized. + /// \param buf The content to be signed. This is usually the hash of + /// the original data to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param f_rng The RNG function, used both to generate the ECDSA nonce + /// and for blinding. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. /// - /// \note For contexts holding an RSA-alt key, use - /// \c mbedtls_pk_setup_rsa_alt() instead. - pub fn mbedtls_pk_setup( - ctx: *mut mbedtls_pk_context, - info: *const mbedtls_pk_info_t, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX + /// or \c MBEDTLS_MPI_XXX error code on failure. + pub fn mbedtls_ecdsa_sign( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Initialize an RSA-alt context + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, deterministic version. /// - /// \param ctx Context to initialize. It must not have been set - /// up yet (type #MBEDTLS_PK_NONE). - /// \param key RSA key pointer - /// \param decrypt_func Decryption function - /// \param sign_func Signing function - /// \param key_len_func Function returning key length in bytes + /// For more information, see RFC-6979: Deterministic + /// Usage of the Digital Signature Algorithm (DSA) and Elliptic + /// Curve Digital Signature Algorithm (ECDSA). /// - /// \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the - /// context wasn't already initialized as RSA_ALT. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \note This function replaces \c mbedtls_pk_setup() for RSA-alt. - pub fn mbedtls_pk_setup_rsa_alt( - ctx: *mut mbedtls_pk_context, - key: *mut ::core::ffi::c_void, - decrypt_func: mbedtls_pk_rsa_alt_decrypt_func, - sign_func: mbedtls_pk_rsa_alt_sign_func, - key_len_func: mbedtls_pk_rsa_alt_key_len_func, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Get the size in bits of the underlying key + /// \see ecp.h /// - /// \param ctx The context to query. It must have been initialized. + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param md_alg The hash algorithm used to hash the original data. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This + /// may be \c NULL if \p f_rng_blind doesn't need a context + /// parameter. /// - /// \return Key size in bits, or 0 on error - pub fn mbedtls_pk_get_bitlen(ctx: *const mbedtls_pk_context) -> usize; + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_det_ext( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + md_alg: mbedtls_md_type_t, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Tell if a context can do the operation given by type + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, in a restartable way. /// - /// \param ctx The context to query. It must have been initialized. - /// \param type The desired type. + /// \note The deterministic version implemented in + /// mbedtls_ecdsa_sign_det_restartable() is usually + /// preferred. /// - /// \return 1 if the context can do operations on the given type. - /// \return 0 if the context cannot do the operations on the given - /// type. This is always the case for a context that has - /// been initialized but not set up, or that has been - /// cleared with mbedtls_pk_free(). - pub fn mbedtls_pk_can_do( - ctx: *const mbedtls_pk_context, - type_: mbedtls_pk_type_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Verify signature (including padding if relevant). + /// \note This function is like \c mbedtls_ecdsa_sign() but + /// it can return early and restart according to the + /// limit set with \c mbedtls_ecp_set_max_ops() to + /// reduce blocking. /// - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used. - /// This can be #MBEDTLS_MD_NONE if the signature algorithm - /// does not rely on a hash algorithm (non-deterministic - /// ECDSA, RSA PKCS#1 v1.5). - /// For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then - /// \p hash is the DigestInfo structure used by RFC 8017 - /// §9.2 steps 3–6. If \p md_alg is a valid hash - /// algorithm then \p hash is the digest itself, and this - /// function calculates the DigestInfo encoding internally. - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Signature to verify - /// \param sig_len Signature length + /// \note If the bitlength of the message hash is larger + /// than the bitlength of the group order, then the + /// hash is truncated as defined in Standards for + /// Efficient Cryptography Group (SECG): SEC1 Elliptic + /// Curve Cryptography, section 4.1.3, step 5. /// - /// \return 0 on success (signature is valid), - /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid - /// signature in sig but its length is less than \p siglen, - /// or a specific error code. + /// \see ecp.h /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. - /// Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... ) - /// to verify RSASSA_PSS signatures. - pub fn mbedtls_pk_verify( - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through + /// mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param f_rng The RNG function used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context parameter. + /// \param rs_ctx The restart context to use. This may be \c NULL + /// to disable restarting. If it is not \c NULL, it + /// must point to an initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c + /// mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c + /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_restartable( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Restartable version of \c mbedtls_pk_verify() + /// \brief This function computes the ECDSA signature of a + /// previously-hashed message, in a restartable way. /// - /// \note Performs the same job as \c mbedtls_pk_verify(), but can - /// return early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC - /// operations. For RSA, same as \c mbedtls_pk_verify(). + /// \note This function is like \c + /// mbedtls_ecdsa_sign_det_ext() but it can return + /// early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length or 0 (see notes) - /// \param sig Signature to verify - /// \param sig_len Signature length - /// \param rs_ctx Restart context (NULL to disable restart) + /// \note If the bitlength of the message hash is larger + /// than the bitlength of the group order, then the + /// hash is truncated as defined in Standards for + /// Efficient Cryptography Group (SECG): SEC1 Elliptic + /// Curve Cryptography, section 4.1.3, step 5. /// - /// \return See \c mbedtls_pk_verify(), or - /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - pub fn mbedtls_pk_verify_restartable( - ctx: *mut mbedtls_pk_context, + /// \see ecp.h + /// + /// \param grp The context for the elliptic curve to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param r The MPI context in which to store the first part + /// the signature. This must be initialized. + /// \param s The MPI context in which to store the second part + /// the signature. This must be initialized. + /// \param d The private signing key. This must be initialized + /// and setup, for example through + /// mbedtls_ecp_gen_privkey(). + /// \param buf The hashed content to be signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param md_alg The hash algorithm used to hash the original data. + /// \param f_rng_blind The RNG function used for blinding. This must not be + /// \c NULL. + /// \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This may be + /// \c NULL if \p f_rng_blind doesn't need a context parameter. + /// \param rs_ctx The restart context to use. This may be \c NULL + /// to disable restarting. If it is not \c NULL, it + /// must point to an initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c + /// mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c + /// MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_sign_det_restartable( + grp: *mut mbedtls_ecp_group, + r: *mut mbedtls_mpi, + s: *mut mbedtls_mpi, + d: *const mbedtls_mpi, + buf: *const ::core::ffi::c_uchar, + blen: usize, md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, - rs_ctx: *mut mbedtls_pk_restart_ctx, + f_rng_blind: mbedtls_f_rng_t, + p_rng_blind: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify signature, with options. - /// (Includes verification of the padding depending on type.) - /// - /// \param type Signature type (inc. possible padding type) to verify - /// \param options Pointer to type-specific options, or NULL - /// \param ctx The PK context to use. It must have been set up. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length or 0 (see notes) - /// \param sig Signature to verify - /// \param sig_len Signature length + /// \brief This function verifies the ECDSA signature of a + /// previously-hashed message. /// - /// \return 0 on success (signature is valid), - /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be - /// used for this type of signatures, - /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid - /// signature in sig but its length is less than \p siglen, - /// or a specific error code. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note If hash_len is 0, then the length associated with md_alg - /// is used instead, or an error returned if it is invalid. + /// \see ecp.h /// - /// \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0 + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param buf The hashed content that was signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param Q The public key to use for verification. This must be + /// initialized and setup. + /// \param r The first integer of the signature. + /// This must be initialized. + /// \param s The second integer of the signature. + /// This must be initialized. /// - /// \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point - /// to a mbedtls_pk_rsassa_pss_options structure, - /// otherwise it must be NULL. Note that if - /// #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not - /// verified as PSA_ALG_RSA_PSS_ANY_SALT is used. - pub fn mbedtls_pk_verify_ext( - type_: mbedtls_pk_type_t, - options: *const ::core::ffi::c_void, - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *const ::core::ffi::c_uchar, - sig_len: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_verify( + grp: *mut mbedtls_ecp_group, + buf: *const ::core::ffi::c_uchar, + blen: usize, + Q: *const mbedtls_ecp_point, + r: *const mbedtls_mpi, + s: *const mbedtls_mpi, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Make signature, including padding if relevant. - /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \brief This function verifies the ECDSA signature of a + /// previously-hashed message, in a restartable manner /// - /// \return 0 on success, or a specific error code. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. - /// There is no interface in the PK module to make RSASSA-PSS - /// signatures yet. + /// \see ecp.h /// - /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. - /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. - pub fn mbedtls_pk_sign( - ctx: *mut mbedtls_pk_context, - md_alg: mbedtls_md_type_t, - hash: *const ::core::ffi::c_uchar, - hash_len: usize, - sig: *mut ::core::ffi::c_uchar, - sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \param grp The ECP group to use. + /// This must be initialized and have group parameters + /// set, for example through mbedtls_ecp_group_load(). + /// \param buf The hashed content that was signed. This must be a readable + /// buffer of length \p blen Bytes. It may be \c NULL if + /// \p blen is zero. + /// \param blen The length of \p buf in Bytes. + /// \param Q The public key to use for verification. This must be + /// initialized and setup. + /// \param r The first integer of the signature. + /// This must be initialized. + /// \param s The second integer of the signature. + /// This must be initialized. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + /// error code on failure. + pub fn mbedtls_ecdsa_verify_restartable( + grp: *mut mbedtls_ecp_group, + buf: *const ::core::ffi::c_uchar, + blen: usize, + Q: *const mbedtls_ecp_point, + r: *const mbedtls_mpi, + s: *const mbedtls_mpi, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Make signature given a signature type. + /// \brief This function computes the ECDSA signature and writes it + /// to a buffer, serialized as defined in RFC-4492: + /// Elliptic Curve Cryptography (ECC) Cipher Suites for + /// Transport Layer Security (TLS). /// - /// \param pk_type Signature type. - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. - /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \warning It is not thread-safe to use the same context in + /// multiple threads. /// - /// \return 0 on success, or a specific error code. + /// \note The deterministic version is used if + /// #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more + /// information, see RFC-6979: Deterministic Usage + /// of the Digital Signature Algorithm (DSA) and Elliptic + /// Curve Digital Signature Algorithm (ECDSA). /// - /// \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS, - /// see #PSA_ALG_RSA_PSS for a description of PSS options used. + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.3, step 5. /// - /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. - /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. - pub fn mbedtls_pk_sign_ext( - pk_type: mbedtls_pk_type_t, - ctx: *mut mbedtls_pk_context, + /// \see ecp.h + /// + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and private key bound to it, for example + /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). + /// \param md_alg The message digest that was used to hash the message. + /// \param hash The message hash to be signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The length of the hash \p hash in Bytes. + /// \param sig The buffer to which to write the signature. This must be a + /// writable buffer of length at least twice as large as the + /// size of the curve used, plus 9. For example, 73 Bytes if + /// a 256-bit curve is used. A buffer length of + /// #MBEDTLS_ECDSA_MAX_LEN is always safe. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param slen The address at which to store the actual length of + /// the signature written. Must not be \c NULL. + /// \param f_rng The RNG function. This is used for blinding. + /// If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also + /// used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_ecdsa_write_signature( + ctx: *mut mbedtls_ecdsa_context, md_alg: mbedtls_md_type_t, hash: *const ::core::ffi::c_uchar, - hash_len: usize, + hlen: usize, sig: *mut ::core::ffi::c_uchar, sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + slen: *mut usize, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Restartable version of \c mbedtls_pk_sign() + /// \brief This function computes the ECDSA signature and writes it + /// to a buffer, in a restartable way. /// - /// \note Performs the same job as \c mbedtls_pk_sign(), but can - /// return early and restart according to the limit set with - /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC - /// operations. For RSA, same as \c mbedtls_pk_sign(). + /// \see \c mbedtls_ecdsa_write_signature() /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign()) - /// \param hash Hash of the message to sign - /// \param hash_len Hash length - /// \param sig Place to write the signature. - /// It must have enough room for the signature. - /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. - /// You may use a smaller buffer if it is large enough - /// given the key type. + /// \note This function is like \c mbedtls_ecdsa_write_signature() + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. + /// + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and private key bound to it, for example + /// via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). + /// \param md_alg The message digest that was used to hash the message. + /// \param hash The message hash to be signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The length of the hash \p hash in Bytes. + /// \param sig The buffer to which to write the signature. This must be a + /// writable buffer of length at least twice as large as the + /// size of the curve used, plus 9. For example, 73 Bytes if + /// a 256-bit curve is used. A buffer length of + /// #MBEDTLS_ECDSA_MAX_LEN is always safe. /// \param sig_size The size of the \p sig buffer in bytes. - /// \param sig_len On successful return, - /// the number of bytes written to \p sig. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter - /// \param rs_ctx Restart context (NULL to disable restart) + /// \param slen The address at which to store the actual length of + /// the signature written. Must not be \c NULL. + /// \param f_rng The RNG function. This is used for blinding. + /// If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also + /// used to generate the ECDSA nonce. + /// This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng is \c NULL or doesn't use a context. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. /// - /// \return See \c mbedtls_pk_sign(). + /// \return \c 0 on success. /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of /// operations was reached: see \c mbedtls_ecp_set_max_ops(). - pub fn mbedtls_pk_sign_restartable( - ctx: *mut mbedtls_pk_context, + /// \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + /// \c MBEDTLS_ERR_ASN1_XXX error code on failure. + pub fn mbedtls_ecdsa_write_signature_restartable( + ctx: *mut mbedtls_ecdsa_context, md_alg: mbedtls_md_type_t, hash: *const ::core::ffi::c_uchar, - hash_len: usize, + hlen: usize, sig: *mut ::core::ffi::c_uchar, sig_size: usize, - sig_len: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + slen: *mut usize, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, - rs_ctx: *mut mbedtls_pk_restart_ctx, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Decrypt message (including padding if relevant). + /// \brief This function reads and verifies an ECDSA signature. /// - /// \param ctx The PK context to use. It must have been set up - /// with a private key. - /// \param input Input to decrypt - /// \param ilen Input size - /// \param output Decrypted output - /// \param olen Decrypted message length - /// \param osize Size of the output buffer - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \note If the bitlength of the message hash is larger than the + /// bitlength of the group order, then the hash is truncated as + /// defined in Standards for Efficient Cryptography Group + /// (SECG): SEC1 Elliptic Curve Cryptography, section + /// 4.1.4, step 3. /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. + /// \see ecp.h /// - /// \return 0 on success, or a specific error code. - pub fn mbedtls_pk_decrypt( - ctx: *mut mbedtls_pk_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - olen: *mut usize, - osize: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and public key bound to it. + /// \param hash The message hash that was signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The size of the hash \p hash. + /// \param sig The signature to read and verify. This must be a readable + /// buffer of length \p slen Bytes. + /// \param slen The size of \p sig in Bytes. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. + /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig, but its length is less than \p siglen. + /// \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX + /// error code on failure for any other reason. + pub fn mbedtls_ecdsa_read_signature( + ctx: *mut mbedtls_ecdsa_context, + hash: *const ::core::ffi::c_uchar, + hlen: usize, + sig: *const ::core::ffi::c_uchar, + slen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Encrypt message (including padding if relevant). - /// - /// \param ctx The PK context to use. It must have been set up. - /// \param input Message to encrypt - /// \param ilen Message size - /// \param output Encrypted output - /// \param olen Encrypted output length - /// \param osize Size of the output buffer - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter + /// \brief This function reads and verifies an ECDSA signature, + /// in a restartable way. /// - /// \note \p f_rng is used for padding generation. + /// \see \c mbedtls_ecdsa_read_signature() /// - /// \note For RSA keys, the default padding type is PKCS#1 v1.5. + /// \note This function is like \c mbedtls_ecdsa_read_signature() + /// but it can return early and restart according to the limit + /// set with \c mbedtls_ecp_set_max_ops() to reduce blocking. /// - /// \return 0 on success, or a specific error code. - pub fn mbedtls_pk_encrypt( - ctx: *mut mbedtls_pk_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - olen: *mut usize, - osize: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Check if a public-private pair of keys matches. - /// - /// \param pub Context holding a public key. - /// \param prv Context holding a private (and public) key. - /// \param f_rng RNG function, must not be \c NULL. - /// \param p_rng RNG parameter - /// - /// \return \c 0 on success (keys were checked and match each other). - /// \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not - /// be checked - in that case they may or may not match. - /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid. - /// \return Another non-zero value if the keys do not match. - pub fn mbedtls_pk_check_pair( - pub_: *const mbedtls_pk_context, - prv: *const mbedtls_pk_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Export debug information - /// - /// \param ctx The PK context to use. It must have been initialized. - /// \param items Place to write debug items + /// \param ctx The ECDSA context to use. This must be initialized + /// and have a group and public key bound to it. + /// \param hash The message hash that was signed. This must be a readable + /// buffer of length \p hlen Bytes. + /// \param hlen The size of the hash \p hash. + /// \param sig The signature to read and verify. This must be a readable + /// buffer of length \p slen Bytes. + /// \param slen The size of \p sig in Bytes. + /// \param rs_ctx The restart context to use. This may be \c NULL to disable + /// restarting. If it is not \c NULL, it must point to an + /// initialized restart context. /// - /// \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA - pub fn mbedtls_pk_debug( - ctx: *const mbedtls_pk_context, - items: *mut mbedtls_pk_debug_item, + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. + /// \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig, but its length is less than \p siglen. + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + /// \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX + /// error code on failure for any other reason. + pub fn mbedtls_ecdsa_read_signature_restartable( + ctx: *mut mbedtls_ecdsa_context, + hash: *const ::core::ffi::c_uchar, + hlen: usize, + sig: *const ::core::ffi::c_uchar, + slen: usize, + rs_ctx: *mut mbedtls_ecdsa_restart_ctx, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Access the type name - /// - /// \param ctx The PK context to use. It must have been initialized. - /// - /// \return Type name on success, or "invalid PK" - pub fn mbedtls_pk_get_name(ctx: *const mbedtls_pk_context) -> *const ::core::ffi::c_char; -} -unsafe extern "C" { - /// \brief Get the key type - /// - /// \param ctx The PK context to use. It must have been initialized. - /// - /// \return Type on success. - /// \return #MBEDTLS_PK_NONE for a context that has not been set up. - pub fn mbedtls_pk_get_type(ctx: *const mbedtls_pk_context) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - /// \ingroup pk_module */ - ////** - /// \brief Parse a private key in PEM or DER format - /// - /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto - /// subsystem must have been initialized by calling - /// psa_crypto_init() before calling this function. - /// - /// \param ctx The PK context to fill. It must have been initialized - /// but not set up. - /// \param key Input buffer to parse. - /// The buffer must contain the input exactly, with no - /// extra trailing material. For PEM, the buffer must - /// contain a null-terminated string. - /// \param keylen Size of \b key in bytes. - /// For PEM data, this includes the terminating null byte, - /// so \p keylen must be equal to `strlen(key) + 1`. - /// \param pwd Optional password for decryption. - /// Pass \c NULL if expecting a non-encrypted key. - /// Pass a string of \p pwdlen bytes if expecting an encrypted - /// key; a non-encrypted key will also be accepted. - /// The empty password is not supported. - /// \param pwdlen Size of the password in bytes. - /// Ignored if \p pwd is \c NULL. - /// \param f_rng RNG function, must not be \c NULL. Used for blinding. - /// \param p_rng RNG parameter + /// \brief This function generates an ECDSA keypair on the given curve. /// - /// \note On entry, ctx must be empty, either freshly initialised - /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a - /// specific key type, check the result with mbedtls_pk_can_do(). + /// \see ecp.h /// - /// \note The key is also checked for correctness. + /// \param ctx The ECDSA context to store the keypair in. + /// This must be initialized. + /// \param gid The elliptic curve to use. One of the various + /// \c MBEDTLS_ECP_DP_XXX macros depending on configuration. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG context to be passed to \p f_rng. This may be + /// \c NULL if \p f_rng doesn't need a context argument. /// - /// \return 0 if successful, or a specific PK or PEM error code - pub fn mbedtls_pk_parse_key( - ctx: *mut mbedtls_pk_context, - key: *const ::core::ffi::c_uchar, - keylen: usize, - pwd: *const ::core::ffi::c_uchar, - pwdlen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. + pub fn mbedtls_ecdsa_genkey( + ctx: *mut mbedtls_ecdsa_context, + gid: mbedtls_ecp_group_id, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \ingroup pk_module */ - ////** - /// \brief Parse a public key in PEM or DER format - /// - /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto - /// subsystem must have been initialized by calling - /// psa_crypto_init() before calling this function. - /// - /// \param ctx The PK context to fill. It must have been initialized - /// but not set up. - /// \param key Input buffer to parse. - /// The buffer must contain the input exactly, with no - /// extra trailing material. For PEM, the buffer must - /// contain a null-terminated string. - /// \param keylen Size of \b key in bytes. - /// For PEM data, this includes the terminating null byte, - /// so \p keylen must be equal to `strlen(key) + 1`. - /// - /// \note On entry, ctx must be empty, either freshly initialised - /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a - /// specific key type, check the result with mbedtls_pk_can_do(). + /// \brief This function sets up an ECDSA context from an EC key pair. /// - /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for - /// limitations. + /// \see ecp.h /// - /// \note The key is also checked for correctness. + /// \param ctx The ECDSA context to setup. This must be initialized. + /// \param key The EC key to use. This must be initialized and hold + /// a private-public key pair or a public key. In the former + /// case, the ECDSA context may be used for signature creation + /// and verification after this call. In the latter case, it + /// may be used for signature verification. /// - /// \return 0 if successful, or a specific PK or PEM error code - pub fn mbedtls_pk_parse_public_key( - ctx: *mut mbedtls_pk_context, - key: *const ::core::ffi::c_uchar, - keylen: usize, + /// \return \c 0 on success. + /// \return An \c MBEDTLS_ERR_ECP_XXX code on failure. + pub fn mbedtls_ecdsa_from_keypair( + ctx: *mut mbedtls_ecdsa_context, + key: *const mbedtls_ecp_keypair, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Write a private key to a PKCS#1 or SEC1 DER structure - /// Note: data is written at the end of the buffer! Use the - /// return value to determine where you should start - /// using the buffer - /// - /// \param ctx PK context which must contain a valid private key. - /// \param buf buffer to write to - /// \param size size of the buffer + /// \brief This function initializes an ECDSA context. /// - /// \return length of data written if successful, or a specific - /// error code - pub fn mbedtls_pk_write_key_der( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The ECDSA context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_ecdsa_init(ctx: *mut mbedtls_ecdsa_context); } unsafe extern "C" { - /// \brief Write a public key to a SubjectPublicKeyInfo DER structure - /// Note: data is written at the end of the buffer! Use the - /// return value to determine where you should start - /// using the buffer - /// - /// \param ctx PK context which must contain a valid public or private key. - /// \param buf buffer to write to - /// \param size size of the buffer + /// \brief This function frees an ECDSA context. /// - /// \return length of data written if successful, or a specific - /// error code - pub fn mbedtls_pk_write_pubkey_der( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; + /// \param ctx The ECDSA context to free. This may be \c NULL, + /// in which case this function does nothing. If it + /// is not \c NULL, it must be initialized. + pub fn mbedtls_ecdsa_free(ctx: *mut mbedtls_ecdsa_context); } -unsafe extern "C" { - /// \brief Write a public key to a PEM string - /// - /// \param ctx PK context which must contain a valid public or private key. - /// \param buf Buffer to write to. The output includes a - /// terminating null byte. - /// \param size Size of the buffer in bytes. - /// - /// \return 0 if successful, or a specific error code - pub fn mbedtls_pk_write_pubkey_pem( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write a private key to a PKCS#1 or SEC1 PEM string - /// - /// \param ctx PK context which must contain a valid private key. - /// \param buf Buffer to write to. The output includes a - /// terminating null byte. - /// \param size Size of the buffer in bytes. - /// - /// \return 0 if successful, or a specific error code - pub fn mbedtls_pk_write_key_pem( - ctx: *const mbedtls_pk_context, - buf: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Parse a SubjectPublicKeyInfo DER structure - /// - /// \param p the position in the ASN.1 data - /// \param end end of the buffer - /// \param pk The PK context to fill. It must have been initialized - /// but not set up. - /// - /// \return 0 if successful, or a specific PK error code - pub fn mbedtls_pk_parse_subpubkey( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - pk: *mut mbedtls_pk_context, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write a subjectPublicKey to ASN.1 data - /// Note: function works backwards in data buffer - /// - /// \param p reference to current position pointer - /// \param start start of the buffer (for bounds-checking) - /// \param key PK context which must contain a valid public or private key. - /// - /// \return the length written or a negative error code - pub fn mbedtls_pk_write_pubkey( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - key: *const mbedtls_pk_context, - ) -> ::core::ffi::c_int; -} -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_NONE: mbedtls_key_exchange_type_t = 0; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA: mbedtls_key_exchange_type_t = 1; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_RSA: mbedtls_key_exchange_type_t = 2; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: mbedtls_key_exchange_type_t = - 3; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - mbedtls_key_exchange_type_t = 4; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_PSK: mbedtls_key_exchange_type_t = 5; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_PSK: mbedtls_key_exchange_type_t = 6; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA_PSK: mbedtls_key_exchange_type_t = 7; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: mbedtls_key_exchange_type_t = - 8; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_RSA: mbedtls_key_exchange_type_t = - 9; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: mbedtls_key_exchange_type_t = - 10; -pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECJPAKE: mbedtls_key_exchange_type_t = - 11; -pub type mbedtls_key_exchange_type_t = ::core::ffi::c_uint; -/// \brief This structure is used for storing ciphersuite information -/// -/// \note members are defined using integral types instead of enums -/// in order to pack structure and reduce memory usage by internal -/// \c ciphersuite_definitions[] -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ssl_ciphersuite_t { - pub private_id: ::core::ffi::c_int, - pub private_name: *const ::core::ffi::c_char, - pub private_cipher: u8, - pub private_mac: u8, - pub private_key_exchange: u8, - pub private_flags: u8, - pub private_min_tls_version: u16, - pub private_max_tls_version: u16, -} -impl Default for mbedtls_ssl_ciphersuite_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - pub fn mbedtls_ssl_list_ciphersuites() -> *const ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_from_string( - ciphersuite_name: *const ::core::ffi::c_char, - ) -> *const mbedtls_ssl_ciphersuite_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_from_id( - ciphersuite_id: ::core::ffi::c_int, - ) -> *const mbedtls_ssl_ciphersuite_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_get_ciphersuite_sig_pk_alg( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_get_ciphersuite_sig_alg( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> mbedtls_pk_type_t; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_uses_ec( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_uses_psk( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( - info: *const mbedtls_ssl_ciphersuite_t, - ) -> usize; -} -/// The type of the context passed to mbedtls_psa_external_get_random(). -/// -/// Mbed TLS initializes the context to all-bits-zero before calling -/// mbedtls_psa_external_get_random() for the first time. -/// -/// The definition of this type in the Mbed TLS source code is for -/// demonstration purposes. Implementers of mbedtls_psa_external_get_random() -/// are expected to replace it with a custom definition. -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_external_random_context_t { - pub private_opaque: [usize; 2usize], +/// The type of the context passed to mbedtls_psa_external_get_random(). +/// +/// Mbed TLS initializes the context to all-bits-zero before calling +/// mbedtls_psa_external_get_random() for the first time. +/// +/// The definition of this type in the Mbed TLS source code is for +/// demonstration purposes. Implementers of mbedtls_psa_external_get_random() +/// are expected to replace it with a custom definition. +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_external_random_context_t { + pub private_opaque: [usize; 2usize], } pub type psa_status_t = i32; /// \brief Encoding of a key type. @@ -10577,6478 +10445,7672 @@ pub type psa_key_attributes_t = psa_key_attributes_s; /// Values of this type are generally constructed by macros called /// `PSA_KEY_DERIVATION_INPUT_xxx`. pub type psa_key_derivation_step_t = u16; +/// \brief Custom parameters for key generation or key derivation. +/// +/// This is a structure type with at least the following field: +/// +/// - \c flags: an unsigned integer type. 0 for the default production parameters. +/// +/// Functions that take such a structure as input also take an associated +/// input buffer \c custom_data of length \c custom_data_length. +/// +/// The interpretation of this structure and the associated \c custom_data +/// parameter depend on the type of the created key. +/// +/// - #PSA_KEY_TYPE_RSA_KEY_PAIR: +/// - \c flags: must be 0. +/// - \c custom_data: the public exponent, in little-endian order. +/// This must be an odd integer and must not be 1. +/// Implementations must support 65537, should support 3 and may +/// support other values. +/// When not using a driver, Mbed TLS supports values up to \c INT_MAX. +/// If this is empty, the default value 65537 is used. +/// - Other key types: reserved for future use. \c flags must be 0. +pub type psa_custom_key_parameters_t = psa_custom_key_parameters_s; +/// \brief Custom parameters for key generation or key derivation. +/// +/// This is a structure type with at least the following fields: +/// +/// - \c flags: an unsigned integer type. 0 for the default production parameters. +/// - \c data: a flexible array of bytes. +/// +/// The interpretation of this structure depend on the type of the +/// created key. +/// +/// - #PSA_KEY_TYPE_RSA_KEY_PAIR: +/// - \c flags: must be 0. +/// - \c data: the public exponent, in little-endian order. +/// This must be an odd integer and must not be 1. +/// Implementations must support 65537, should support 3 and may +/// support other values. +/// When not using a driver, Mbed TLS supports values up to \c INT_MAX. +/// If this is empty or if the custom production parameters are omitted +/// altogether, the default value 65537 is used. +/// - Other key types: reserved for future use. \c flags must be 0. +pub type psa_key_production_parameters_t = psa_key_production_parameters_s; +pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_DECRYPT: psa_encrypt_or_decrypt_t = 0; +pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_ENCRYPT: psa_encrypt_or_decrypt_t = 1; +/// For encrypt-decrypt functions, whether the operation is an encryption +/// or a decryption. +pub type psa_encrypt_or_decrypt_t = ::core::ffi::c_uint; +/// \brief MD5 context structure +/// +/// \warning MD5 is considered a weak message digest and its use +/// constitutes a security risk. We recommend considering +/// stronger message digests instead. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_md5_context { + ///< number of bytes processed + pub private_total: [u32; 2usize], + ///< intermediate digest state + pub private_state: [u32; 4usize], + ///< data block being processed + pub private_buffer: [::core::ffi::c_uchar; 64usize], +} +impl Default for mbedtls_md5_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} unsafe extern "C" { - /// \brief Library initialization. - /// - /// Applications must call this function before calling any other - /// function in this module. - /// - /// Applications may call this function more than once. Once a call - /// succeeds, subsequent calls are guaranteed to succeed. + /// \brief Initialize MD5 context /// - /// If the application calls other functions before calling psa_crypto_init(), - /// the behavior is undefined. Implementations are encouraged to either perform - /// the operation as if the library had been initialized or to return - /// #PSA_ERROR_BAD_STATE or some other applicable error. In particular, - /// implementations should not return a success status if the lack of - /// initialization may have security implications, for example due to improper - /// seeding of the random number generator. + /// \param ctx MD5 context to be initialized /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - pub fn psa_crypto_init() -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_init(ctx: *mut mbedtls_md5_context); } unsafe extern "C" { - /// Retrieve the attributes of a key. - /// - /// This function first resets the attribute structure as with - /// psa_reset_key_attributes(). It then copies the attributes of - /// the given key into the given attribute structure. - /// - /// \note This function may allocate memory or other resources. - /// Once you have called this function on an attribute structure, - /// you must call psa_reset_key_attributes() to free these resources. + /// \brief Clear MD5 context /// - /// \param[in] key Identifier of the key to query. - /// \param[in,out] attributes On success, the attributes of the key. - /// On failure, equivalent to a - /// freshly-initialized structure. + /// \param ctx MD5 context to be cleared /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_get_key_attributes( - key: mbedtls_svc_key_id_t, - attributes: *mut psa_key_attributes_t, - ) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_free(ctx: *mut mbedtls_md5_context); } unsafe extern "C" { - /// Reset a key attribute structure to a freshly initialized state. - /// - /// You must initialize the attribute structure as described in the - /// documentation of the type #psa_key_attributes_t before calling this - /// function. Once the structure has been initialized, you may call this - /// function at any time. + /// \brief Clone (the state of) an MD5 context /// - /// This function frees any auxiliary resources that the structure - /// may contain. + /// \param dst The destination context + /// \param src The context to be cloned /// - /// \param[in,out] attributes The attribute structure to reset. - pub fn psa_reset_key_attributes(attributes: *mut psa_key_attributes_t); + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_clone(dst: *mut mbedtls_md5_context, src: *const mbedtls_md5_context); } unsafe extern "C" { - /// Remove non-essential copies of key material from memory. + /// \brief MD5 context setup /// - /// If the key identifier designates a volatile key, this functions does not do - /// anything and returns successfully. - /// - /// If the key identifier designates a persistent key, then this function will - /// free all resources associated with the key in volatile memory. The key - /// data in persistent storage is not affected and the key can still be used. + /// \param ctx context to be initialized /// - /// \param key Identifier of the key to purge. + /// \return 0 if successful /// - /// \retval #PSA_SUCCESS - /// The key material will have been removed from memory if it is not - /// currently required. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not a valid key identifier. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_purge_key(key: mbedtls_svc_key_id_t) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_starts(ctx: *mut mbedtls_md5_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Make a copy of a key. + /// \brief MD5 process buffer /// - /// Copy key material from one location to another. + /// \param ctx MD5 context + /// \param input buffer holding the data + /// \param ilen length of the input data /// - /// This function is primarily useful to copy a key from one location - /// to another, since it populates a key using the material from - /// another key which may have a different lifetime. + /// \return 0 if successful /// - /// This function may be used to share a key with a different party, - /// subject to implementation-defined restrictions on key sharing. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_update( + ctx: *mut mbedtls_md5_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief MD5 final digest /// - /// The policy on the source key must have the usage flag - /// #PSA_KEY_USAGE_COPY set. - /// This flag is sufficient to permit the copy if the key has the lifetime - /// #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT. - /// Some secure elements do not provide a way to copy a key without - /// making it extractable from the secure element. If a key is located - /// in such a secure element, then the key must have both usage flags - /// #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make - /// a copy of the key outside the secure element. + /// \param ctx MD5 context + /// \param output MD5 checksum result /// - /// The resulting key may only be used in a way that conforms to - /// both the policy of the original key and the policy specified in - /// the \p attributes parameter: - /// - The usage flags on the resulting key are the bitwise-and of the - /// usage flags on the source policy and the usage flags in \p attributes. - /// - If both allow the same algorithm or wildcard-based - /// algorithm policy, the resulting key has the same algorithm policy. - /// - If either of the policies allows an algorithm and the other policy - /// allows a wildcard-based algorithm policy that includes this algorithm, - /// the resulting key allows the same algorithm. - /// - If the policies do not allow any algorithm in common, this function - /// fails with the status #PSA_ERROR_INVALID_ARGUMENT. + /// \return 0 if successful /// - /// The effect of this function on implementation-defined attributes is - /// implementation-defined. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_finish( + ctx: *mut mbedtls_md5_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief MD5 process data block (internal use only) /// - /// \param source_key The key to copy. It must allow the usage - /// #PSA_KEY_USAGE_COPY. If a private or secret key is - /// being copied outside of a secure element it must - /// also allow #PSA_KEY_USAGE_EXPORT. - /// \param[in] attributes The attributes for the new key. - /// They are used as follows: - /// - The key type and size may be 0. If either is - /// nonzero, it must match the corresponding - /// attribute of the source key. - /// - The key location (the lifetime and, for - /// persistent keys, the key identifier) is - /// used directly. - /// - The policy constraints (usage flags and - /// algorithm policy) are combined from - /// the source key and \p attributes so that - /// both sets of restrictions apply, as - /// described in the documentation of this function. - /// \param[out] target_key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param ctx MD5 context + /// \param data buffer holding one block of data /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p source_key is invalid. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The lifetime or identifier in \p attributes are invalid, or - /// the policy constraints on the source and specified in - /// \p attributes are incompatible, or - /// \p attributes specifies a key type or key size - /// which does not match the attributes of the source key. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or - /// the source key is not exportable and its lifetime does not - /// allow copying it to the target's lifetime. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_copy_key( - source_key: mbedtls_svc_key_id_t, - attributes: *const psa_key_attributes_t, - target_key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return 0 if successful + /// + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_internal_md5_process( + ctx: *mut mbedtls_md5_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Destroy a key. + /// \brief Output = MD5( input buffer ) /// - /// This function destroys a key from both volatile - /// memory and, if applicable, non-volatile storage. Implementations shall - /// make a best effort to ensure that the key material cannot be recovered. + /// \param input buffer holding the data + /// \param ilen length of the input data + /// \param output MD5 checksum result /// - /// This function also erases any metadata such as policies and frees - /// resources associated with the key. + /// \return 0 if successful /// - /// If a key is currently in use in a multipart operation, then destroying the - /// key will cause the multipart operation to fail. + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// \param key Identifier of the key to erase. If this is \c 0, do nothing and - /// return #PSA_SUCCESS. + /// \return 0 if successful, or 1 if the test failed /// - /// \retval #PSA_SUCCESS - /// \p key was a valid identifier and the key material that it - /// referred to has been erased. Alternatively, \p key is \c 0. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key cannot be erased because it is - /// read-only, either due to a policy or due to physical restrictions. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p key is not a valid identifier nor \c 0. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE - /// There was a failure in communication with the cryptoprocessor. - /// The key material may still be present in the cryptoprocessor. - /// \retval #PSA_ERROR_DATA_INVALID - /// This error is typically a result of either storage corruption on a - /// cleartext storage backend, or an attempt to read data that was - /// written by an incompatible version of the library. - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The storage is corrupted. Implementations shall make a best effort - /// to erase key material even in this stage, however applications - /// should be aware that it may be impossible to guarantee that the - /// key material is not recoverable in such cases. - /// \retval #PSA_ERROR_CORRUPTION_DETECTED - /// An unexpected condition which is not a storage corruption or - /// a communication failure occurred. The cryptoprocessor may have - /// been compromised. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_destroy_key(key: mbedtls_svc_key_id_t) -> psa_status_t; + /// \warning MD5 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. + pub fn mbedtls_md5_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +/// \brief RIPEMD-160 context structure +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ripemd160_context { + ///< number of bytes processed + pub private_total: [u32; 2usize], + ///< intermediate digest state + pub private_state: [u32; 5usize], + ///< data block being processed + pub private_buffer: [::core::ffi::c_uchar; 64usize], +} +impl Default for mbedtls_ripemd160_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// \brief Import a key in binary format. + /// \brief Initialize RIPEMD-160 context /// - /// This function supports any output from psa_export_key(). Refer to the - /// documentation of psa_export_public_key() for the format of public keys - /// and to the documentation of psa_export_key() for the format for - /// other key types. + /// \param ctx RIPEMD-160 context to be initialized + pub fn mbedtls_ripemd160_init(ctx: *mut mbedtls_ripemd160_context); +} +unsafe extern "C" { + /// \brief Clear RIPEMD-160 context /// - /// The key data determines the key size. The attributes may optionally - /// specify a key size; in this case it must match the size determined - /// from the key data. A key size of 0 in \p attributes indicates that - /// the key size is solely determined by the key data. + /// \param ctx RIPEMD-160 context to be cleared + pub fn mbedtls_ripemd160_free(ctx: *mut mbedtls_ripemd160_context); +} +unsafe extern "C" { + /// \brief Clone (the state of) a RIPEMD-160 context /// - /// Implementations must reject an attempt to import a key of size 0. + /// \param dst The destination context + /// \param src The context to be cloned + pub fn mbedtls_ripemd160_clone( + dst: *mut mbedtls_ripemd160_context, + src: *const mbedtls_ripemd160_context, + ); +} +unsafe extern "C" { + /// \brief RIPEMD-160 context setup /// - /// This specification supports a single format for each key type. - /// Implementations may support other formats as long as the standard - /// format is supported. Implementations that support other formats - /// should ensure that the formats are clearly unambiguous so as to - /// minimize the risk that an invalid input is accidentally interpreted - /// according to a different format. - /// - /// \param[in] attributes The attributes for the new key. - /// The key size is always determined from the - /// \p data buffer. - /// If the key size in \p attributes is nonzero, - /// it must be equal to the size from \p data. - /// \param[out] key On success, an identifier to the newly created key. - /// For persistent keys, this is the key identifier - /// defined in \p attributes. - /// \c 0 on failure. - /// \param[in] data Buffer containing the key data. The content of this - /// buffer is interpreted according to the type declared - /// in \p attributes. - /// All implementations must support at least the format - /// described in the documentation - /// of psa_export_key() or psa_export_public_key() for - /// the chosen type. Implementations may allow other - /// formats, but should be conservative: implementations - /// should err on the side of rejecting content if it - /// may be erroneous (e.g. wrong type or truncated data). - /// \param data_length Size of the \p data buffer in bytes. + /// \param ctx context to be initialized /// - /// \retval #PSA_SUCCESS - /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size is not supported, either by the - /// implementation in general or in this particular persistent location. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key attributes, as a whole, are invalid, or - /// the key data is not correctly formatted, or - /// the size in \p attributes is nonzero and does not match the size - /// of the key data. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_import_key( - attributes: *const psa_key_attributes_t, - data: *const u8, - data_length: usize, - key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return 0 if successful + pub fn mbedtls_ripemd160_starts(ctx: *mut mbedtls_ripemd160_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Export a key in binary format. - /// - /// The output of this function can be passed to psa_import_key() to - /// create an equivalent object. + /// \brief RIPEMD-160 process buffer /// - /// If the implementation of psa_import_key() supports other formats - /// beyond the format specified here, the output from psa_export_key() - /// must use the representation specified here, not the original - /// representation. + /// \param ctx RIPEMD-160 context + /// \param input buffer holding the data + /// \param ilen length of the input data /// - /// For standard key types, the output format is as follows: + /// \return 0 if successful + pub fn mbedtls_ripemd160_update( + ctx: *mut mbedtls_ripemd160_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief RIPEMD-160 final digest /// - /// - For symmetric keys (including MAC keys), the format is the - /// raw bytes of the key. - /// - For DES, the key data consists of 8 bytes. The parity bits must be - /// correct. - /// - For Triple-DES, the format is the concatenation of the - /// two or three DES keys. - /// - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format - /// is the non-encrypted DER encoding of the representation defined by - /// PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0. - /// ``` - /// RSAPrivateKey ::= SEQUENCE { - /// version INTEGER, -- must be 0 - /// modulus INTEGER, -- n - /// publicExponent INTEGER, -- e - /// privateExponent INTEGER, -- d - /// prime1 INTEGER, -- p - /// prime2 INTEGER, -- q - /// exponent1 INTEGER, -- d mod (p-1) - /// exponent2 INTEGER, -- d mod (q-1) - /// coefficient INTEGER, -- (inverse of q) mod p - /// } - /// ``` - /// - For elliptic curve key pairs (key types for which - /// #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is - /// a representation of the private value as a `ceiling(m/8)`-byte string - /// where `m` is the bit size associated with the curve, i.e. the bit size - /// of the order of the curve's coordinate field. This byte string is - /// in little-endian order for Montgomery curves (curve types - /// `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass - /// curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX` - /// and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`). - /// For Weierstrass curves, this is the content of the `privateKey` field of - /// the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves, - /// the format is defined by RFC 7748, and output is masked according to §5. - /// For twisted Edwards curves, the private key is as defined by RFC 8032 - /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). - /// - For Diffie-Hellman key exchange key pairs (key types for which - /// #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the - /// format is the representation of the private key `x` as a big-endian byte - /// string. The length of the byte string is the private key size in bytes - /// (leading zeroes are not stripped). - /// - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is - /// true), the format is the same as for psa_export_public_key(). + /// \param ctx RIPEMD-160 context + /// \param output RIPEMD-160 checksum result /// - /// The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set. + /// \return 0 if successful + pub fn mbedtls_ripemd160_finish( + ctx: *mut mbedtls_ripemd160_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief RIPEMD-160 process data block (internal use only) /// - /// \param key Identifier of the key to export. It must allow the - /// usage #PSA_KEY_USAGE_EXPORT, unless it is a public - /// key. - /// \param[out] data Buffer where the key data is to be written. - /// \param data_size Size of the \p data buffer in bytes. - /// \param[out] data_length On success, the number of bytes - /// that make up the key data. + /// \param ctx RIPEMD-160 context + /// \param data buffer holding one block of data /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_EXPORT flag. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p data buffer is too small. You can determine a - /// sufficient buffer size by calling - /// #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits) - /// where \c type is the key type - /// and \c bits is the key size in bits. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_export_key( - key: mbedtls_svc_key_id_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; + /// \return 0 if successful + pub fn mbedtls_internal_ripemd160_process( + ctx: *mut mbedtls_ripemd160_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Export a public key or the public part of a key pair in binary format. + /// \brief Output = RIPEMD-160( input buffer ) /// - /// The output of this function can be passed to psa_import_key() to - /// create an object that is equivalent to the public key. + /// \param input buffer holding the data + /// \param ilen length of the input data + /// \param output RIPEMD-160 checksum result /// - /// This specification supports a single format for each key type. - /// Implementations may support other formats as long as the standard - /// format is supported. Implementations that support other formats - /// should ensure that the formats are clearly unambiguous so as to - /// minimize the risk that an invalid input is accidentally interpreted - /// according to a different format. + /// \return 0 if successful + pub fn mbedtls_ripemd160( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// For standard key types, the output format is as follows: - /// - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of - /// the representation defined by RFC 3279 §2.3.1 as `RSAPublicKey`. - /// ``` - /// RSAPublicKey ::= SEQUENCE { - /// modulus INTEGER, -- n - /// publicExponent INTEGER } -- e - /// ``` - /// - For elliptic curve keys on a twisted Edwards curve (key types for which - /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY - /// returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined - /// by RFC 8032 - /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). - /// - For other elliptic curve public keys (key types for which - /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed - /// representation defined by SEC1 §2.3.3 as the content of an ECPoint. - /// Let `m` be the bit size associated with the curve, i.e. the bit size of - /// `q` for a curve over `F_q`. The representation consists of: - /// - The byte 0x04; - /// - `x_P` as a `ceiling(m/8)`-byte string, big-endian; - /// - `y_P` as a `ceiling(m/8)`-byte string, big-endian. - /// - For Diffie-Hellman key exchange public keys (key types for which - /// #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true), - /// the format is the representation of the public key `y = g^x mod p` as a - /// big-endian byte string. The length of the byte string is the length of the - /// base prime `p` in bytes. + /// \return 0 if successful, or 1 if the test failed + pub fn mbedtls_ripemd160_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha1_context { + pub work_area: [::core::ffi::c_uchar; 208usize], +} +impl Default for mbedtls_sha1_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes a SHA-1 context. /// - /// Exporting a public key object or the public part of a key pair is - /// always permitted, regardless of the key's usage flags. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param key Identifier of the key to export. - /// \param[out] data Buffer where the key data is to be written. - /// \param data_size Size of the \p data buffer in bytes. - /// \param[out] data_length On success, the number of bytes - /// that make up the key data. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key is neither a public key nor a key pair. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p data buffer is too small. You can determine a - /// sufficient buffer size by calling - /// #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits) - /// where \c type is the key type - /// and \c bits is the key size in bits. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_export_public_key( - key: mbedtls_svc_key_id_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_sha1_init(ctx: *mut mbedtls_sha1_context); } unsafe extern "C" { - /// Calculate the hash (digest) of a message. - /// - /// \note To verify the hash of a message against an - /// expected value, use psa_hash_compare() instead. + /// \brief This function clears a SHA-1 context. /// - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). - /// \param[in] input Buffer containing the message to hash. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] hash Buffer where the hash is to be written. - /// \param hash_size Size of the \p hash buffer in bytes. - /// \param[out] hash_length On success, the number of bytes - /// that make up the hash value. This is always - /// #PSA_HASH_LENGTH(\p alg). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p hash_size is too small - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_compute( - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - hash: *mut u8, - hash_size: usize, - hash_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to clear. This may be \c NULL, + /// in which case this function does nothing. If it is + /// not \c NULL, it must point to an initialized + /// SHA-1 context. + pub fn mbedtls_sha1_free(ctx: *mut mbedtls_sha1_context); } unsafe extern "C" { - /// Calculate the hash (digest) of a message and compare it with a - /// reference value. + /// \brief This function clones the state of a SHA-1 context. /// - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). - /// \param[in] input Buffer containing the message to hash. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] hash Buffer containing the expected hash value. - /// \param hash_length Size of the \p hash buffer in bytes. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// The expected hash is identical to the actual hash of the input. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The hash of the message was calculated successfully, but it - /// differs from the expected hash. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p input_length or \p hash_length do not match the hash size for \p alg - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_compare( - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - hash: *const u8, - hash_length: usize, - ) -> psa_status_t; + /// \param dst The SHA-1 context to clone to. This must be initialized. + /// \param src The SHA-1 context to clone from. This must be initialized. + pub fn mbedtls_sha1_clone(dst: *mut mbedtls_sha1_context, src: *const mbedtls_sha1_context); } -/// The type of the state data structure for multipart hash operations. -/// -/// Before calling any function on a hash operation object, the application must -/// initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_hash_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_hash_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT, -/// for example: -/// \code -/// psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_hash_operation_init() -/// to the structure, for example: -/// \code -/// psa_hash_operation_t operation; -/// operation = psa_hash_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_hash_operation_t = psa_hash_operation_s; unsafe extern "C" { - /// Set up a multipart hash operation. - /// - /// The sequence of operations to calculate a hash (message digest) - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT. - /// -# Call psa_hash_setup() to specify the algorithm. - /// -# Call psa_hash_update() zero, one or more times, passing a fragment - /// of the message each time. The hash that is calculated is the hash - /// of the concatenation of these messages in order. - /// -# To calculate the hash, call psa_hash_finish(). - /// To compare the hash with an expected value, call psa_hash_verify(). - /// - /// If an error occurs at any step after a call to psa_hash_setup(), the - /// operation will need to be reset by a call to psa_hash_abort(). The - /// application may call psa_hash_abort() at any time after the operation - /// has been initialized. + /// \brief This function starts a SHA-1 checksum calculation. /// - /// After a successful call to psa_hash_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_hash_finish() or psa_hash_verify(). - /// - A call to psa_hash_abort(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_hash_operation_t and not yet in use. - /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param ctx The SHA-1 context to initialize. This must be initialized. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not a supported hash algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p alg is not a hash algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_setup( - operation: *mut psa_hash_operation_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_starts(ctx: *mut mbedtls_sha1_context) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Add a message fragment to a multipart hash operation. - /// - /// The application must call psa_hash_setup() before calling this function. + /// \brief This function feeds an input buffer into an ongoing SHA-1 + /// checksum calculation. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation Active hash operation. - /// \param[in] input Buffer containing the message fragment to hash. - /// \param input_length Size of the \p input buffer in bytes. + /// \param ctx The SHA-1 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the input data. + /// This must be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data \p input in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_update( - operation: *mut psa_hash_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_update( + ctx: *mut mbedtls_sha1_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the hash of a message. + /// \brief This function finishes the SHA-1 operation, and writes + /// the result to the output buffer. /// - /// The application must call psa_hash_setup() before calling this function. - /// This function calculates the hash of the message formed by concatenating - /// the inputs passed to preceding calls to psa_hash_update(). + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// \param ctx The SHA-1 context to use. This must be initialized and + /// have a hash operation started. + /// \param output The SHA-1 checksum result. This must be a writable + /// buffer of length \c 20 Bytes. /// - /// \warning Applications should not call this function if they expect - /// a specific value for the hash. Call psa_hash_verify() instead. - /// Beware that comparing integrity or authenticity data such as - /// hash values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the hashed data which could allow an attacker to guess - /// a valid hash and thereby bypass security controls. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1_finish( + ctx: *mut mbedtls_sha1_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief SHA-1 process data block (internal use only). /// - /// \param[in,out] operation Active hash operation. - /// \param[out] hash Buffer where the hash is to be written. - /// \param hash_size Size of the \p hash buffer in bytes. - /// \param[out] hash_length On success, the number of bytes - /// that make up the hash value. This is always - /// #PSA_HASH_LENGTH(\c alg) where \c alg is the - /// hash algorithm that is calculated. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p hash buffer is too small. You can determine a - /// sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) - /// where \c alg is the hash algorithm that is calculated. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_finish( - operation: *mut psa_hash_operation_t, - hash: *mut u8, - hash_size: usize, - hash_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-1 context to use. This must be initialized. + /// \param data The data block being processed. This must be a + /// readable buffer of length \c 64 Bytes. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha1_process( + ctx: *mut mbedtls_sha1_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the hash of a message and compare it with - /// an expected value. + /// \brief This function calculates the SHA-1 checksum of a buffer. /// - /// The application must call psa_hash_setup() before calling this function. - /// This function calculates the hash of the message formed by concatenating - /// the inputs passed to preceding calls to psa_hash_update(). It then - /// compares the calculated hash with the expected hash passed as a - /// parameter to this function. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_hash_abort(). + /// The SHA-1 result is calculated as + /// output = SHA-1(input buffer). /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual hash and the expected hash is performed - /// in constant time. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// \param[in,out] operation Active hash operation. - /// \param[in] hash Buffer containing the expected hash value. - /// \param hash_length Size of the \p hash buffer in bytes. + /// \param input The buffer holding the input data. + /// This must be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data \p input in Bytes. + /// \param output The SHA-1 checksum result. + /// This must be a writable buffer of length \c 20 Bytes. /// - /// \retval #PSA_SUCCESS - /// The expected hash is identical to the actual hash of the message. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The hash of the message was calculated successfully, but it - /// differs from the expected hash. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_verify( - operation: *mut psa_hash_operation_t, - hash: *const u8, - hash_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha1( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a hash operation. + /// \brief The SHA-1 checkup routine. /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_hash_setup() again. + /// \warning SHA-1 is considered a weak message digest and its use + /// constitutes a security risk. We recommend considering + /// stronger message digests instead. /// - /// You may call this function any time after the operation object has - /// been initialized by one of the methods described in #psa_hash_operation_t. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha1_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha256_context { + pub work_area: [::core::ffi::c_uchar; 208usize], + pub is224: ::core::ffi::c_uchar, +} +impl Default for mbedtls_sha256_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +unsafe extern "C" { + /// \brief This function initializes a SHA-256 context. /// - /// In particular, calling psa_hash_abort() after the operation has been - /// terminated by a call to psa_hash_abort(), psa_hash_finish() or - /// psa_hash_verify() is safe and has no effect. + /// \param ctx The SHA-256 context to initialize. This must not be \c NULL. + pub fn mbedtls_sha256_init(ctx: *mut mbedtls_sha256_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-256 context. /// - /// \param[in,out] operation Initialized hash operation. + /// \param ctx The SHA-256 context to clear. This may be \c NULL, in which + /// case this function returns immediately. If it is not \c NULL, + /// it must point to an initialized SHA-256 context. + pub fn mbedtls_sha256_free(ctx: *mut mbedtls_sha256_context); +} +unsafe extern "C" { + /// \brief This function clones the state of a SHA-256 context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_abort(operation: *mut psa_hash_operation_t) -> psa_status_t; + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha256_clone( + dst: *mut mbedtls_sha256_context, + src: *const mbedtls_sha256_context, + ); } unsafe extern "C" { - /// Clone a hash operation. + /// \brief This function starts a SHA-224 or SHA-256 checksum + /// calculation. /// - /// This function copies the state of an ongoing hash operation to - /// a new operation object. In other words, this function is equivalent - /// to calling psa_hash_setup() on \p target_operation with the same - /// algorithm that \p source_operation was set up for, then - /// psa_hash_update() on \p target_operation with the same input that - /// that was passed to \p source_operation. After this function returns, the - /// two objects are independent, i.e. subsequent calls involving one of - /// the objects do not affect the other object. + /// \param ctx The context to use. This must be initialized. + /// \param is224 This determines which function to use. This must be + /// either \c 0 for SHA-256, or \c 1 for SHA-224. /// - /// \param[in] source_operation The active hash operation to clone. - /// \param[in,out] target_operation The operation object to set up. - /// It must be initialized but not active. + /// \note is224 must be defined accordingly to the enabled + /// MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the + /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The \p source_operation state is not valid (it must be active), or - /// the \p target_operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_hash_clone( - source_operation: *const psa_hash_operation_t, - target_operation: *mut psa_hash_operation_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_starts( + ctx: *mut mbedtls_sha256_context, + is224: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Calculate the MAC (message authentication code) of a message. + /// \brief This function feeds an input buffer into an ongoing + /// SHA-256 checksum calculation. /// - /// \note To verify the MAC of a message against an - /// expected value, use psa_mac_verify() instead. - /// Beware that comparing integrity or authenticity data such as - /// MAC values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the MAC value which could allow an attacker to guess - /// a valid MAC and thereby bypass security controls. + /// \param ctx The SHA-256 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \param key Identifier of the key to use for the operation. It - /// must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). - /// \param[in] input Buffer containing the input message. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] mac Buffer where the MAC value is to be written. - /// \param mac_size Size of the \p mac buffer in bytes. - /// \param[out] mac_length On success, the number of bytes - /// that make up the MAC value. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_update( + ctx: *mut mbedtls_sha256_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function finishes the SHA-256 operation, and writes + /// the result to the output buffer. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p mac_size is too small - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_compute( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - mac: *mut u8, - mac_size: usize, - mac_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The SHA-256 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-224 or SHA-256 checksum result. + /// This must be a writable buffer of length \c 32 bytes + /// for SHA-256, \c 28 bytes for SHA-224. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256_finish( + ctx: *mut mbedtls_sha256_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Calculate the MAC of a message and compare it with a reference value. + /// \brief This function processes a single data block within + /// the ongoing SHA-256 computation. This function is for + /// internal use only. /// - /// \param key Identifier of the key to use for the operation. It - /// must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). - /// \param[in] input Buffer containing the input message. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] mac Buffer containing the expected MAC value. - /// \param mac_length Size of the \p mac buffer in bytes. + /// \param ctx The SHA-256 context. This must be initialized. + /// \param data The buffer holding one block of data. This must + /// be a readable buffer of length \c 64 Bytes. /// - /// \retval #PSA_SUCCESS - /// The expected MAC is identical to the actual MAC of the input. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The MAC of the message was calculated successfully, but it - /// differs from the expected value. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - mac: *const u8, - mac_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha256_process( + ctx: *mut mbedtls_sha256_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart MAC operations. -/// -/// Before calling any function on a MAC operation object, the application must -/// initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_mac_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_mac_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT, -/// for example: -/// \code -/// psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_mac_operation_init() -/// to the structure, for example: -/// \code -/// psa_mac_operation_t operation; -/// operation = psa_mac_operation_init(); -/// \endcode -/// -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_mac_operation_t = psa_mac_operation_s; unsafe extern "C" { - /// Set up a multipart MAC calculation operation. + /// \brief This function calculates the SHA-224 or SHA-256 + /// checksum of a buffer. /// - /// This function sets up the calculation of the MAC - /// (message authentication code) of a byte string. - /// To verify the MAC of a message against an - /// expected value, use psa_mac_verify_setup() instead. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// The sequence of operations to calculate a MAC is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. - /// -# Call psa_mac_sign_setup() to specify the algorithm and key. - /// -# Call psa_mac_update() zero, one or more times, passing a fragment - /// of the message each time. The MAC that is calculated is the MAC - /// of the concatenation of these messages in order. - /// -# At the end of the message, call psa_mac_sign_finish() to finish - /// calculating the MAC value and retrieve it. + /// The SHA-256 result is calculated as + /// output = SHA-256(input buffer). /// - /// If an error occurs at any step after a call to psa_mac_sign_setup(), the - /// operation will need to be reset by a call to psa_mac_abort(). The - /// application may call psa_mac_abort() at any time after the operation - /// has been initialized. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-224 or SHA-256 checksum result. + /// This must be a writable buffer of length \c 32 bytes + /// for SHA-256, \c 28 bytes for SHA-224. + /// \param is224 Determines which function to use. This must be + /// either \c 0 for SHA-256, or \c 1 for SHA-224. /// - /// After a successful call to psa_mac_sign_setup(), the application must - /// eventually terminate the operation through one of the following methods: - /// - A successful call to psa_mac_sign_finish(). - /// - A call to psa_mac_abort(). + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha256( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + is224: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-224 checkup routine. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_mac_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. It - /// must remain valid until the operation terminates. - /// It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha224_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-256 checkup routine. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_sign_setup( - operation: *mut psa_mac_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha256_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_sha512_context { + pub work_area: [::core::ffi::c_uchar; 304usize], + pub is384: ::core::ffi::c_uchar, +} +impl Default for mbedtls_sha512_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Set up a multipart MAC verification operation. + /// \brief This function initializes a SHA-512 context. /// - /// This function sets up the verification of the MAC - /// (message authentication code) of a byte string against an expected value. + /// \param ctx The SHA-512 context to initialize. This must + /// not be \c NULL. + pub fn mbedtls_sha512_init(ctx: *mut mbedtls_sha512_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-512 context. /// - /// The sequence of operations to verify a MAC is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. - /// -# Call psa_mac_verify_setup() to specify the algorithm and key. - /// -# Call psa_mac_update() zero, one or more times, passing a fragment - /// of the message each time. The MAC that is calculated is the MAC - /// of the concatenation of these messages in order. - /// -# At the end of the message, call psa_mac_verify_finish() to finish - /// calculating the actual MAC of the message and verify it against - /// the expected value. + /// \param ctx The SHA-512 context to clear. This may be \c NULL, + /// in which case this function does nothing. If it + /// is not \c NULL, it must point to an initialized + /// SHA-512 context. + pub fn mbedtls_sha512_free(ctx: *mut mbedtls_sha512_context); +} +unsafe extern "C" { + /// \brief This function clones the state of a SHA-512 context. /// - /// If an error occurs at any step after a call to psa_mac_verify_setup(), the - /// operation will need to be reset by a call to psa_mac_abort(). The - /// application may call psa_mac_abort() at any time after the operation - /// has been initialized. + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha512_clone( + dst: *mut mbedtls_sha512_context, + src: *const mbedtls_sha512_context, + ); +} +unsafe extern "C" { + /// \brief This function starts a SHA-384 or SHA-512 checksum + /// calculation. /// - /// After a successful call to psa_mac_verify_setup(), the application must - /// eventually terminate the operation through one of the following methods: - /// - A successful call to psa_mac_verify_finish(). - /// - A call to psa_mac_abort(). + /// \param ctx The SHA-512 context to use. This must be initialized. + /// \param is384 Determines which function to use. This must be + /// either \c 0 for SHA-512, or \c 1 for SHA-384. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_mac_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. It - /// must remain valid until the operation terminates. - /// It must allow the usage - /// PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value - /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \note is384 must be defined accordingly to the enabled + /// MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the + /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c key is not compatible with \c alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a MAC algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The key could not be retrieved from storage. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify_setup( - operation: *mut psa_mac_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_starts( + ctx: *mut mbedtls_sha512_context, + is384: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Add a message fragment to a multipart MAC operation. - /// - /// The application must call psa_mac_sign_setup() or psa_mac_verify_setup() - /// before calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// \brief This function feeds an input buffer into an ongoing + /// SHA-512 checksum calculation. /// - /// \param[in,out] operation Active MAC operation. - /// \param[in] input Buffer containing the message fragment to add to - /// the MAC calculation. - /// \param input_length Size of the \p input buffer in bytes. + /// \param ctx The SHA-512 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the input data. This must + /// be a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_update( - operation: *mut psa_mac_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_update( + ctx: *mut mbedtls_sha512_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the MAC of a message. - /// - /// The application must call psa_mac_sign_setup() before calling this function. - /// This function calculates the MAC of the message formed by concatenating - /// the inputs passed to preceding calls to psa_mac_update(). + /// \brief This function finishes the SHA-512 operation, and writes + /// the result to the output buffer. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// \param ctx The SHA-512 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-384 or SHA-512 checksum result. + /// This must be a writable buffer of length \c 64 bytes + /// for SHA-512, \c 48 bytes for SHA-384. /// - /// \warning Applications should not call this function if they expect - /// a specific value for the MAC. Call psa_mac_verify_finish() instead. - /// Beware that comparing integrity or authenticity data such as - /// MAC values with a function such as \c memcmp is risky - /// because the time taken by the comparison may leak information - /// about the MAC value which could allow an attacker to guess - /// a valid MAC and thereby bypass security controls. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512_finish( + ctx: *mut mbedtls_sha512_context, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function processes a single data block within + /// the ongoing SHA-512 computation. + /// This function is for internal use only. /// - /// \param[in,out] operation Active MAC operation. - /// \param[out] mac Buffer where the MAC value is to be written. - /// \param mac_size Size of the \p mac buffer in bytes. - /// \param[out] mac_length On success, the number of bytes - /// that make up the MAC value. This is always - /// #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg) - /// where \c key_type and \c key_bits are the type and - /// bit-size respectively of the key and \c alg is the - /// MAC algorithm that is calculated. + /// \param ctx The SHA-512 context. This must be initialized. + /// \param data The buffer holding one block of data. This + /// must be a readable buffer of length \c 128 Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p mac buffer is too small. You can determine a - /// sufficient buffer size by calling PSA_MAC_LENGTH(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active mac sign - /// operation), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_sign_finish( - operation: *mut psa_mac_operation_t, - mac: *mut u8, - mac_size: usize, - mac_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_internal_sha512_process( + ctx: *mut mbedtls_sha512_context, + data: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish the calculation of the MAC of a message and compare it with - /// an expected value. + /// \brief This function calculates the SHA-512 or SHA-384 + /// checksum of a buffer. /// - /// The application must call psa_mac_verify_setup() before calling this function. - /// This function calculates the MAC of the message formed by concatenating - /// the inputs passed to preceding calls to psa_mac_update(). It then - /// compares the calculated MAC with the expected MAC passed as a - /// parameter to this function. + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_mac_abort(). + /// The SHA-512 result is calculated as + /// output = SHA-512(input buffer). /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual MAC and the expected MAC is performed - /// in constant time. + /// \param input The buffer holding the input data. This must be + /// a readable buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-384 or SHA-512 checksum result. + /// This must be a writable buffer of length \c 64 bytes + /// for SHA-512, \c 48 bytes for SHA-384. + /// \param is384 Determines which function to use. This must be either + /// \c 0 for SHA-512, or \c 1 for SHA-384. /// - /// \param[in,out] operation Active MAC operation. - /// \param[in] mac Buffer containing the expected MAC value. - /// \param mac_length Size of the \p mac buffer in bytes. + /// \note is384 must be defined accordingly with the supported + /// symbols in the config file. If: + /// - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or + /// - is384 is 1, but \c MBEDTLS_SHA512_C is not defined + /// then the function will return + /// #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. /// - /// \retval #PSA_SUCCESS - /// The expected MAC is identical to the actual MAC of the message. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The MAC of the message was calculated successfully, but it - /// differs from the expected MAC. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active mac verify - /// operation), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_verify_finish( - operation: *mut psa_mac_operation_t, - mac: *const u8, - mac_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha512( + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + is384: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a MAC operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_mac_sign_setup() or psa_mac_verify_setup() again. + /// \brief The SHA-384 checkup routine. /// - /// You may call this function any time after the operation object has - /// been initialized by one of the methods described in #psa_mac_operation_t. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha384_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief The SHA-512 checkup routine. /// - /// In particular, calling psa_mac_abort() after the operation has been - /// terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or - /// psa_mac_verify_finish() is safe and has no effect. + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_sha512_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +///< Operation not defined. +pub const mbedtls_sha3_id_MBEDTLS_SHA3_NONE: mbedtls_sha3_id = 0; +///< SHA3-224 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_224: mbedtls_sha3_id = 1; +///< SHA3-256 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_256: mbedtls_sha3_id = 2; +///< SHA3-384 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_384: mbedtls_sha3_id = 3; +///< SHA3-512 +pub const mbedtls_sha3_id_MBEDTLS_SHA3_512: mbedtls_sha3_id = 4; +/// SHA-3 family id. +/// +/// It identifies the family (SHA3-256, SHA3-512, etc.) +pub type mbedtls_sha3_id = ::core::ffi::c_uint; +/// \brief The SHA-3 context structure. +/// +/// The structure is used SHA-3 checksum calculations. +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_sha3_context { + pub private_state: [u64; 25usize], + pub private_index: u32, + pub private_olen: u16, + pub private_max_block_size: u16, +} +unsafe extern "C" { + /// \brief This function initializes a SHA-3 context. /// - /// \param[in,out] operation Initialized MAC operation. + /// \param ctx The SHA-3 context to initialize. This must not be \c NULL. + pub fn mbedtls_sha3_init(ctx: *mut mbedtls_sha3_context); +} +unsafe extern "C" { + /// \brief This function clears a SHA-3 context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_mac_abort(operation: *mut psa_mac_operation_t) -> psa_status_t; + /// \param ctx The SHA-3 context to clear. This may be \c NULL, in which + /// case this function returns immediately. If it is not \c NULL, + /// it must point to an initialized SHA-3 context. + pub fn mbedtls_sha3_free(ctx: *mut mbedtls_sha3_context); } unsafe extern "C" { - /// Encrypt a message using a symmetric cipher. + /// \brief This function clones the state of a SHA-3 context. /// - /// This function encrypts a message with a random IV (initialization - /// vector). Use the multipart operation interface with a - /// #psa_cipher_operation_t object to provide other forms of IV. + /// \param dst The destination context. This must be initialized. + /// \param src The context to clone. This must be initialized. + pub fn mbedtls_sha3_clone(dst: *mut mbedtls_sha3_context, src: *const mbedtls_sha3_context); +} +unsafe extern "C" { + /// \brief This function starts a SHA-3 checksum + /// calculation. /// - /// \param key Identifier of the key to use for the operation. - /// It must allow the usage #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// \param[in] input Buffer containing the message to encrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// The output contains the IV followed by - /// the ciphertext proper. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the output. + /// \param ctx The context to use. This must be initialized. + /// \param id The id of the SHA-3 family. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_starts( + ctx: *mut mbedtls_sha3_context, + id: mbedtls_sha3_id, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Decrypt a message using a symmetric cipher. - /// - /// This function decrypts a message encrypted with a symmetric cipher. + /// \brief This function feeds an input buffer into an ongoing + /// SHA-3 checksum calculation. /// - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// \param[in] input Buffer containing the message to decrypt. - /// This consists of the IV followed by the - /// ciphertext proper. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the plaintext is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the output. + /// \param ctx The SHA-3 context. This must be initialized + /// and have a hash operation started. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_update( + ctx: *mut mbedtls_sha3_context, input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + ilen: usize, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart cipher operations. -/// -/// Before calling any function on a cipher operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_cipher_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_cipher_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT, -/// for example: -/// \code -/// psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_cipher_operation_init() -/// to the structure, for example: -/// \code -/// psa_cipher_operation_t operation; -/// operation = psa_cipher_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_cipher_operation_t = psa_cipher_operation_s; unsafe extern "C" { - /// Set the key for a multipart symmetric encryption operation. + /// \brief This function finishes the SHA-3 operation, and writes + /// the result to the output buffer. /// - /// The sequence of operations to encrypt a message with a symmetric cipher - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_cipher_operation_t, e.g. - /// #PSA_CIPHER_OPERATION_INIT. - /// -# Call psa_cipher_encrypt_setup() to specify the algorithm and key. - /// -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to - /// generate or set the IV (initialization vector). You should use - /// psa_cipher_generate_iv() unless the protocol you are implementing - /// requires a specific IV value. - /// -# Call psa_cipher_update() zero, one or more times, passing a fragment - /// of the message each time. - /// -# Call psa_cipher_finish(). + /// \param ctx The SHA-3 context. This must be initialized + /// and have a hash operation started. + /// \param output The SHA-3 checksum result. + /// This must be a writable buffer of length \c olen bytes. + /// \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256, + /// SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64, + /// respectively. /// - /// If an error occurs at any step after a call to psa_cipher_encrypt_setup(), - /// the operation will need to be reset by a call to psa_cipher_abort(). The - /// application may call psa_cipher_abort() at any time after the operation - /// has been initialized. + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3_finish( + ctx: *mut mbedtls_sha3_context, + output: *mut u8, + olen: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief This function calculates the SHA-3 + /// checksum of a buffer. /// - /// After a successful call to psa_cipher_encrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_cipher_finish(). - /// - A call to psa_cipher_abort(). + /// The function allocates the context, performs the + /// calculation, and frees the context. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_cipher_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// The SHA-3 result is calculated as + /// output = SHA-3(id, input buffer, d). /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_encrypt_setup( - operation: *mut psa_cipher_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \param id The id of the SHA-3 family. + /// \param input The buffer holding the data. This must be a readable + /// buffer of length \p ilen Bytes. + /// \param ilen The length of the input data in Bytes. + /// \param output The SHA-3 checksum result. + /// This must be a writable buffer of length \c olen bytes. + /// \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256, + /// SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64, + /// respectively. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. + pub fn mbedtls_sha3( + id: mbedtls_sha3_id, + input: *const u8, + ilen: usize, + output: *mut u8, + olen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the key for a multipart symmetric decryption operation. + /// \brief Checkup routine for the algorithms implemented + /// by this module: SHA3-224, SHA3-256, SHA3-384, SHA3-512. /// - /// The sequence of operations to decrypt a message with a symmetric cipher - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_cipher_operation_t, e.g. - /// #PSA_CIPHER_OPERATION_INIT. - /// -# Call psa_cipher_decrypt_setup() to specify the algorithm and key. - /// -# Call psa_cipher_set_iv() with the IV (initialization vector) for the - /// decryption. If the IV is prepended to the ciphertext, you can call - /// psa_cipher_update() on a buffer containing the IV followed by the - /// beginning of the message. - /// -# Call psa_cipher_update() zero, one or more times, passing a fragment - /// of the message each time. - /// -# Call psa_cipher_finish(). - /// - /// If an error occurs at any step after a call to psa_cipher_decrypt_setup(), - /// the operation will need to be reset by a call to psa_cipher_abort(). The - /// application may call psa_cipher_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_cipher_decrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_cipher_finish(). - /// - A call to psa_cipher_abort(). - /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_cipher_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The cipher algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_CIPHER(\p alg) is true). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not a cipher algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_decrypt_setup( - operation: *mut psa_cipher_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return 0 if successful, or 1 if the test failed. + pub fn mbedtls_sha3_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// Generate an IV for a symmetric encryption operation. - /// - /// This function generates a random IV (initialization vector), nonce - /// or initial counter value for the encryption operation as appropriate - /// for the chosen algorithm, key type and key size. - /// - /// The application must call psa_cipher_encrypt_setup() before - /// calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[out] iv Buffer where the generated IV is to be written. - /// \param iv_size Size of the \p iv buffer in bytes. - /// \param[out] iv_length On success, the number of bytes of the - /// generated IV. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p iv buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with no IV set), - /// or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_generate_iv( - operation: *mut psa_cipher_operation_t, - iv: *mut u8, - iv_size: usize, - iv_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_hash_operation_t { + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + pub private_ctx: mbedtls_psa_hash_operation_t__bindgen_ty_1, } -unsafe extern "C" { - /// Set the IV for a symmetric encryption or decryption operation. - /// - /// This function sets the IV (initialization vector), nonce - /// or initial counter value for the encryption or decryption operation. - /// - /// The application must call psa_cipher_encrypt_setup() before - /// calling this function. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \note When encrypting, applications should use psa_cipher_generate_iv() - /// instead of this function, unless implementing a protocol that requires - /// a non-random IV. - /// - /// \param[in,out] operation Active cipher operation. - /// \param[in] iv Buffer containing the IV to use. - /// \param iv_length Size of the IV in bytes. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The size of \p iv is not acceptable for the chosen algorithm, - /// or the chosen algorithm does not use an IV. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active cipher - /// encrypt operation, with no IV set), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_set_iv( - operation: *mut psa_cipher_operation_t, - iv: *const u8, - iv_length: usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union mbedtls_psa_hash_operation_t__bindgen_ty_1 { + pub dummy: ::core::ffi::c_uint, + pub md5: mbedtls_md5_context, + pub ripemd160: mbedtls_ripemd160_context, + pub sha1: mbedtls_sha1_context, + pub sha256: mbedtls_sha256_context, + pub sha512: mbedtls_sha512_context, } -unsafe extern "C" { - /// Encrypt or decrypt a message fragment in an active cipher operation. - /// - /// Before calling this function, you must: - /// 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(). - /// The choice of setup function determines whether this function - /// encrypts or decrypts its input. - /// 2. If the algorithm requires an IV, call psa_cipher_generate_iv() - /// (recommended when encrypting) or psa_cipher_set_iv(). - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[in] input Buffer containing the message fragment to - /// encrypt or decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with an IV set - /// if required for the algorithm), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_update( - operation: *mut psa_cipher_operation_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_hash_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Finish encrypting or decrypting a message in a cipher operation. - /// - /// The application must call psa_cipher_encrypt_setup() or - /// psa_cipher_decrypt_setup() before calling this function. The choice - /// of setup function determines whether this function encrypts or - /// decrypts its input. - /// - /// This function finishes the encryption or decryption of the message - /// formed by concatenating the inputs passed to preceding calls to - /// psa_cipher_update(). - /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_cipher_abort(). - /// - /// \param[in,out] operation Active cipher operation. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total input size passed to this operation is not valid for - /// this particular algorithm. For example, the algorithm is a based - /// on block cipher and requires a whole number of blocks, but the - /// total input size is not a multiple of the block size. - /// \retval #PSA_ERROR_INVALID_PADDING - /// This is a decryption operation for an algorithm that includes - /// padding, and the ciphertext does not contain valid padding. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with an IV set - /// if required for the algorithm), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_finish( - operation: *mut psa_cipher_operation_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_hash_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_cipher_operation_t { + pub private_alg: psa_algorithm_t, + pub private_iv_length: u8, + pub private_block_length: u8, + pub private_ctx: mbedtls_psa_cipher_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_cipher_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_cipher: mbedtls_cipher_context_t, +} +impl Default for mbedtls_psa_cipher_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_cipher_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_hash_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_hash_operation_t, +} +impl Default for psa_driver_hash_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_cipher_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_cipher_operation_t, +} +impl Default for psa_driver_cipher_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_hash_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_driver_wrappers.h. + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. the driver context is not active, in use). + pub private_id: ::core::ffi::c_uint, + pub __bindgen_padding_0: u64, + pub private_ctx: psa_driver_hash_context_t, +} +impl Default for psa_hash_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_cipher_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_default_iv_length: u8, + pub private_ctx: psa_driver_cipher_context_t, +} +impl Default for psa_cipher_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_cipher_operation_s { + #[inline] + pub fn private_iv_required(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_iv_required(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_required_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_required_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_iv_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_iv_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(1usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_iv_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 1usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_iv_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 1usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_iv_required: ::core::ffi::c_uint, + private_iv_set: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_iv_required: u32 = unsafe { ::core::mem::transmute(private_iv_required) }; + private_iv_required as u64 + }); + __bindgen_bitfield_unit.set(1usize, 1u8, { + let private_iv_set: u32 = unsafe { ::core::mem::transmute(private_iv_set) }; + private_iv_set as u64 + }); + __bindgen_bitfield_unit + } +} +/// \brief The GCM context structure. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_gcm_context { + ///< The cipher context used. + pub private_cipher_ctx: mbedtls_cipher_context_t, + ///< Precalculated HTable. + pub private_H: [[u64; 2usize]; 16usize], + ///< The total length of the encrypted data. + pub private_len: u64, + ///< The total length of the additional data. + pub private_add_len: u64, + ///< The first ECTR for tag. + pub private_base_ectr: [::core::ffi::c_uchar; 16usize], + ///< The Y working value. + pub private_y: [::core::ffi::c_uchar; 16usize], + ///< The buf working value. + pub private_buf: [::core::ffi::c_uchar; 16usize], + ///< The operation to perform: + ///#MBEDTLS_GCM_ENCRYPT or + ///#MBEDTLS_GCM_DECRYPT. + pub private_mode: ::core::ffi::c_uchar, + ///< The acceleration to use. + pub private_acceleration: ::core::ffi::c_uchar, +} +impl Default for mbedtls_gcm_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Abort a cipher operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again. - /// - /// You may call this function any time after the operation object has - /// been initialized as described in #psa_cipher_operation_t. - /// - /// In particular, calling psa_cipher_abort() after the operation has been - /// terminated by a call to psa_cipher_abort() or psa_cipher_finish() - /// is safe and has no effect. + /// \brief This function initializes the specified GCM context, + /// to make references valid, and prepares the context + /// for mbedtls_gcm_setkey() or mbedtls_gcm_free(). /// - /// \param[in,out] operation Initialized cipher operation. + /// The function does not bind the GCM context to a particular + /// cipher, nor set the key. For this purpose, use + /// mbedtls_gcm_setkey(). /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_cipher_abort(operation: *mut psa_cipher_operation_t) -> psa_status_t; + /// \param ctx The GCM context to initialize. This must not be \c NULL. + pub fn mbedtls_gcm_init(ctx: *mut mbedtls_gcm_context); } unsafe extern "C" { - /// Process an authenticated encryption operation. + /// \brief This function associates a GCM context with a + /// cipher algorithm and a key. /// - /// \param key Identifier of the key to use for the - /// operation. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). - /// \param[in] nonce Nonce or IV to use. - /// \param nonce_length Size of the \p nonce buffer in bytes. - /// \param[in] additional_data Additional data that will be authenticated - /// but not encrypted. - /// \param additional_data_length Size of \p additional_data in bytes. - /// \param[in] plaintext Data that will be authenticated and - /// encrypted. - /// \param plaintext_length Size of \p plaintext in bytes. - /// \param[out] ciphertext Output buffer for the authenticated and - /// encrypted data. The additional data is not - /// part of this output. For algorithms where the - /// encrypted data and the authentication tag - /// are defined as separate outputs, the - /// authentication tag is appended to the - /// encrypted data. - /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, - /// \p alg, \p plaintext_length) where - /// \c key_type is the type of \p key. - /// - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p - /// plaintext_length) evaluates to the maximum - /// ciphertext size of any supported AEAD - /// encryption. - /// \param[out] ciphertext_length On success, the size of the output - /// in the \p ciphertext buffer. + /// \param ctx The GCM context. This must be initialized. + /// \param cipher The 128-bit block cipher to use. + /// \param key The encryption key. This must be a readable buffer of at + /// least \p keybits bits. + /// \param keybits The key size in bits. Valid options are: + ///
  • 128 bits
    • + ///
  • 192 bits
    • + ///
  • 256 bits
/// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p ciphertext_size is too small. - /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg, - /// \p plaintext_length) or - /// #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to - /// determine the required buffer size. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - nonce: *const u8, - nonce_length: usize, - additional_data: *const u8, - additional_data_length: usize, - plaintext: *const u8, - plaintext_length: usize, - ciphertext: *mut u8, - ciphertext_size: usize, - ciphertext_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return A cipher-specific error code on failure. + pub fn mbedtls_gcm_setkey( + ctx: *mut mbedtls_gcm_context, + cipher: mbedtls_cipher_id_t, + key: *const ::core::ffi::c_uchar, + keybits: ::core::ffi::c_uint, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Process an authenticated decryption operation. + /// \brief This function performs GCM encryption or decryption of a buffer. /// - /// \param key Identifier of the key to use for the - /// operation. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). - /// \param[in] nonce Nonce or IV to use. - /// \param nonce_length Size of the \p nonce buffer in bytes. - /// \param[in] additional_data Additional data that has been authenticated - /// but not encrypted. - /// \param additional_data_length Size of \p additional_data in bytes. - /// \param[in] ciphertext Data that has been authenticated and - /// encrypted. For algorithms where the - /// encrypted data and the authentication tag - /// are defined as separate inputs, the buffer - /// must contain the encrypted data followed - /// by the authentication tag. - /// \param ciphertext_length Size of \p ciphertext in bytes. - /// \param[out] plaintext Output buffer for the decrypted data. - /// \param plaintext_size Size of the \p plaintext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, - /// \p alg, \p ciphertext_length) where - /// \c key_type is the type of \p key. - /// - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p - /// ciphertext_length) evaluates to the maximum - /// plaintext size of any supported AEAD - /// decryption. - /// \param[out] plaintext_length On success, the size of the output - /// in the \p plaintext buffer. + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The ciphertext is not authentic. - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p plaintext_size is too small. - /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg, - /// \p ciphertext_length) or - /// #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used - /// to determine the required buffer size. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - nonce: *const u8, - nonce_length: usize, - additional_data: *const u8, - additional_data_length: usize, - ciphertext: *const u8, - ciphertext_length: usize, - plaintext: *mut u8, - plaintext_size: usize, - plaintext_length: *mut usize, - ) -> psa_status_t; + /// \warning When this function performs a decryption, it outputs the + /// authentication tag and does not verify that the data is + /// authentic. You should use this function to perform encryption + /// only. For decryption, use mbedtls_gcm_auth_decrypt() instead. + /// + /// \param ctx The GCM context to use for encryption or decryption. This + /// must be initialized. + /// \param mode The operation to perform: + /// - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption. + /// The ciphertext is written to \p output and the + /// authentication tag is written to \p tag. + /// - #MBEDTLS_GCM_DECRYPT to perform decryption. + /// The plaintext is written to \p output and the + /// authentication tag is written to \p tag. + /// Note that this mode is not recommended, because it does + /// not verify the authenticity of the data. For this reason, + /// you should use mbedtls_gcm_auth_decrypt() instead of + /// calling this function in decryption mode. + /// \param length The length of the input data, which is equal to the length + /// of the output data. + /// \param iv The initialization vector. This must be a readable buffer of + /// at least \p iv_len Bytes. + /// \param iv_len The length of the IV. + /// \param add The buffer holding the additional data. This must be of at + /// least that size in Bytes. + /// \param add_len The length of the additional data. + /// \param input The buffer holding the input data. If \p length is greater + /// than zero, this must be a readable buffer of at least that + /// size in Bytes. + /// \param output The buffer for holding the output data. If \p length is greater + /// than zero, this must be a writable buffer of at least that + /// size in Bytes. + /// \param tag_len The length of the tag to generate. + /// \param tag The buffer for holding the tag. This must be a writable + /// buffer of at least \p tag_len Bytes. + /// + /// \return \c 0 if the encryption or decryption was performed + /// successfully. Note that in #MBEDTLS_GCM_DECRYPT mode, + /// this does not indicate that the data is authentic. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are + /// not valid or a cipher-specific error code if the encryption + /// or decryption failed. + pub fn mbedtls_gcm_crypt_and_tag( + ctx: *mut mbedtls_gcm_context, + mode: ::core::ffi::c_int, + length: usize, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + add: *const ::core::ffi::c_uchar, + add_len: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + tag_len: usize, + tag: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } -/// The type of the state data structure for multipart AEAD operations. -/// -/// Before calling any function on an AEAD operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_aead_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_aead_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT, -/// for example: -/// \code -/// psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_aead_operation_init() -/// to the structure, for example: -/// \code -/// psa_aead_operation_t operation; -/// operation = psa_aead_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_aead_operation_t = psa_aead_operation_s; unsafe extern "C" { - /// Set the key for a multipart authenticated encryption operation. + /// \brief This function performs a GCM authenticated decryption of a + /// buffer. /// - /// The sequence of operations to encrypt a message with authentication - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_aead_operation_t, e.g. - /// #PSA_AEAD_OPERATION_INIT. - /// -# Call psa_aead_encrypt_setup() to specify the algorithm and key. - /// -# If needed, call psa_aead_set_lengths() to specify the length of the - /// inputs to the subsequent calls to psa_aead_update_ad() and - /// psa_aead_update(). See the documentation of psa_aead_set_lengths() - /// for details. - /// -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to - /// generate or set the nonce. You should use - /// psa_aead_generate_nonce() unless the protocol you are implementing - /// requires a specific nonce value. - /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment - /// of the non-encrypted additional authenticated data each time. - /// -# Call psa_aead_update() zero, one or more times, passing a fragment - /// of the message to encrypt each time. - /// -# Call psa_aead_finish(). - /// - /// If an error occurs at any step after a call to psa_aead_encrypt_setup(), - /// the operation will need to be reset by a call to psa_aead_abort(). The - /// application may call psa_aead_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_aead_encrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_aead_finish(). - /// - A call to psa_aead_abort(). + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. Implementations which require + /// MBEDTLS_GCM_ALT to be enabled may not provide support for + /// overlapping buffers. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_aead_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param ctx The GCM context. This must be initialized. + /// \param length The length of the ciphertext to decrypt, which is also + /// the length of the decrypted plaintext. + /// \param iv The initialization vector. This must be a readable buffer + /// of at least \p iv_len Bytes. + /// \param iv_len The length of the IV. + /// \param add The buffer holding the additional data. This must be of at + /// least that size in Bytes. + /// \param add_len The length of the additional data. + /// \param tag The buffer holding the tag to verify. This must be a + /// readable buffer of at least \p tag_len Bytes. + /// \param tag_len The length of the tag to verify. + /// \param input The buffer holding the ciphertext. If \p length is greater + /// than zero, this must be a readable buffer of at least that + /// size. + /// \param output The buffer for holding the decrypted plaintext. If \p length + /// is greater than zero, this must be a writable buffer of at + /// least that size. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_encrypt_setup( - operation: *mut psa_aead_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 if successful and authenticated. + /// \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are + /// not valid or a cipher-specific error code if the decryption + /// failed. + pub fn mbedtls_gcm_auth_decrypt( + ctx: *mut mbedtls_gcm_context, + length: usize, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + add: *const ::core::ffi::c_uchar, + add_len: usize, + tag: *const ::core::ffi::c_uchar, + tag_len: usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the key for a multipart authenticated decryption operation. - /// - /// The sequence of operations to decrypt a message with authentication - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_aead_operation_t, e.g. - /// #PSA_AEAD_OPERATION_INIT. - /// -# Call psa_aead_decrypt_setup() to specify the algorithm and key. - /// -# If needed, call psa_aead_set_lengths() to specify the length of the - /// inputs to the subsequent calls to psa_aead_update_ad() and - /// psa_aead_update(). See the documentation of psa_aead_set_lengths() - /// for details. - /// -# Call psa_aead_set_nonce() with the nonce for the decryption. - /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment - /// of the non-encrypted additional authenticated data each time. - /// -# Call psa_aead_update() zero, one or more times, passing a fragment - /// of the ciphertext to decrypt each time. - /// -# Call psa_aead_verify(). - /// - /// If an error occurs at any step after a call to psa_aead_decrypt_setup(), - /// the operation will need to be reset by a call to psa_aead_abort(). The - /// application may call psa_aead_abort() at any time after the operation - /// has been initialized. - /// - /// After a successful call to psa_aead_decrypt_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A successful call to psa_aead_verify(). - /// - A call to psa_aead_abort(). + /// \brief This function starts a GCM encryption or decryption + /// operation. /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized as per the documentation for - /// #psa_aead_operation_t and not yet in use. - /// \param key Identifier of the key to use for the operation. - /// It must remain valid until the operation - /// terminates. It must allow the usage - /// #PSA_KEY_USAGE_DECRYPT. - /// \param alg The AEAD algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param ctx The GCM context. This must be initialized. + /// \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or + /// #MBEDTLS_GCM_DECRYPT. + /// \param iv The initialization vector. This must be a readable buffer of + /// at least \p iv_len Bytes. + /// \param iv_len The length of the IV. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not compatible with \p alg. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not supported or is not an AEAD algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_decrypt_setup( - operation: *mut psa_aead_operation_t, - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - ) -> psa_status_t; + /// \return \c 0 on success. + pub fn mbedtls_gcm_starts( + ctx: *mut mbedtls_gcm_context, + mode: ::core::ffi::c_int, + iv: *const ::core::ffi::c_uchar, + iv_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Generate a random nonce for an authenticated encryption operation. - /// - /// This function generates a random nonce for the authenticated encryption - /// operation with an appropriate size for the chosen algorithm, key type - /// and key size. - /// - /// The application must call psa_aead_encrypt_setup() before - /// calling this function. + /// \brief This function feeds an input buffer as associated data + /// (authenticated but not encrypted data) in a GCM + /// encryption or decryption operation. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// Call this function after mbedtls_gcm_starts() to pass + /// the associated data. If the associated data is empty, + /// you do not need to call this function. You may not + /// call this function after calling mbedtls_cipher_update(). /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] nonce Buffer where the generated nonce is to be - /// written. - /// \param nonce_size Size of the \p nonce buffer in bytes. - /// \param[out] nonce_length On success, the number of bytes of the - /// generated nonce. + /// \param ctx The GCM context. This must have been started with + /// mbedtls_gcm_starts() and must not have yet received + /// any input with mbedtls_gcm_update(). + /// \param add The buffer holding the additional data, or \c NULL + /// if \p add_len is \c 0. + /// \param add_len The length of the additional data. If \c 0, + /// \p add may be \c NULL. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p nonce buffer is too small. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active aead encrypt - /// operation, with no nonce set), or the library has not been - /// previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_generate_nonce( - operation: *mut psa_aead_operation_t, - nonce: *mut u8, - nonce_size: usize, - nonce_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + pub fn mbedtls_gcm_update_ad( + ctx: *mut mbedtls_gcm_context, + add: *const ::core::ffi::c_uchar, + add_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the nonce for an authenticated encryption or decryption operation. + /// \brief This function feeds an input buffer into an ongoing GCM + /// encryption or decryption operation. /// - /// This function sets the nonce for the authenticated - /// encryption or decryption operation. + /// You may call this function zero, one or more times + /// to pass successive parts of the input: the plaintext to + /// encrypt, or the ciphertext (not including the tag) to + /// decrypt. After the last part of the input, call + /// mbedtls_gcm_finish(). /// - /// The application must call psa_aead_encrypt_setup() or - /// psa_aead_decrypt_setup() before calling this function. + /// This function may produce output in one of the following + /// ways: + /// - Immediate output: the output length is always equal + /// to the input length. + /// - Buffered output: the output consists of a whole number + /// of 16-byte blocks. If the total input length so far + /// (not including associated data) is 16 \* *B* + *A* + /// with *A* < 16 then the total output length is 16 \* *B*. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// In particular: + /// - It is always correct to call this function with + /// \p output_size >= \p input_length + 15. + /// - If \p input_length is a multiple of 16 for all the calls + /// to this function during an operation, then it is + /// correct to use \p output_size = \p input_length. /// - /// \note When encrypting, applications should use psa_aead_generate_nonce() - /// instead of this function, unless implementing a protocol that requires - /// a non-random IV. + /// \note The output buffer \p output can be the same as the input + /// buffer \p input. If \p output is greater than \p input, they + /// cannot overlap. Implementations which require + /// MBEDTLS_GCM_ALT to be enabled may not provide support for + /// overlapping buffers. /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] nonce Buffer containing the nonce to use. - /// \param nonce_length Size of the nonce in bytes. + /// \param ctx The GCM context. This must be initialized. + /// \param input The buffer holding the input data. If \p input_length + /// is greater than zero, this must be a readable buffer + /// of at least \p input_length bytes. + /// \param input_length The length of the input data in bytes. + /// \param output The buffer for the output data. If \p output_size + /// is greater than zero, this must be a writable buffer of + /// of at least \p output_size bytes. + /// \param output_size The size of the output buffer in bytes. + /// See the function description regarding the output size. + /// \param output_length On success, \p *output_length contains the actual + /// length of the output written in \p output. + /// On failure, the content of \p *output_length is + /// unspecified. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The size of \p nonce is not acceptable for the chosen algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, with no nonce - /// set), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_set_nonce( - operation: *mut psa_aead_operation_t, - nonce: *const u8, - nonce_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: + /// total input length too long, + /// unsupported input/output buffer overlap detected, + /// or \p output_size too small. + pub fn mbedtls_gcm_update( + ctx: *mut mbedtls_gcm_context, + input: *const ::core::ffi::c_uchar, + input_length: usize, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_length: *mut usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Declare the lengths of the message and additional data for AEAD. - /// - /// The application must call this function before calling - /// psa_aead_update_ad() or psa_aead_update() if the algorithm for - /// the operation requires it. If the algorithm does not require it, - /// calling this function is optional, but if this function is called - /// then the implementation must enforce the lengths. - /// - /// You may call this function before or after setting the nonce with - /// psa_aead_set_nonce() or psa_aead_generate_nonce(). - /// - /// - For #PSA_ALG_CCM, calling this function is required. - /// - For the other AEAD algorithms defined in this specification, calling - /// this function is not required. - /// - For vendor-defined algorithm, refer to the vendor documentation. + /// \brief This function finishes the GCM operation and generates + /// the authentication tag. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// It wraps up the GCM stream, and generates the + /// tag. The tag can have a maximum length of 16 Bytes. /// - /// \param[in,out] operation Active AEAD operation. - /// \param ad_length Size of the non-encrypted additional - /// authenticated data in bytes. - /// \param plaintext_length Size of the plaintext to encrypt in bytes. + /// \param ctx The GCM context. This must be initialized. + /// \param tag The buffer for holding the tag. This must be a writable + /// buffer of at least \p tag_len Bytes. + /// \param tag_len The length of the tag to generate. This must be at least + /// four. + /// \param output The buffer for the final output. + /// If \p output_size is nonzero, this must be a writable + /// buffer of at least \p output_size bytes. + /// \param output_size The size of the \p output buffer in bytes. + /// This must be large enough for the output that + /// mbedtls_gcm_update() has not produced. In particular: + /// - If mbedtls_gcm_update() produces immediate output, + /// or if the total input size is a multiple of \c 16, + /// then mbedtls_gcm_finish() never produces any output, + /// so \p output_size can be \c 0. + /// - \p output_size never needs to be more than \c 15. + /// \param output_length On success, \p *output_length contains the actual + /// length of the output written in \p output. + /// On failure, the content of \p *output_length is + /// unspecified. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// At least one of the lengths is not acceptable for the chosen - /// algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and - /// psa_aead_update_ad() and psa_aead_update() must not have been - /// called yet), or the library has not been previously initialized - /// by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_set_lengths( - operation: *mut psa_aead_operation_t, - ad_length: usize, - plaintext_length: usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: + /// invalid value of \p tag_len, + /// or \p output_size too small. + pub fn mbedtls_gcm_finish( + ctx: *mut mbedtls_gcm_context, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_length: *mut usize, + tag: *mut ::core::ffi::c_uchar, + tag_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Pass additional data to an active AEAD operation. - /// - /// Additional data is authenticated, but not encrypted. - /// - /// You may call this function multiple times to pass successive fragments - /// of the additional data. You may not call this function after passing - /// data to encrypt or decrypt with psa_aead_update(). - /// - /// Before calling this function, you must: - /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). - /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). - /// - /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, - /// there is no guarantee that the input is valid. Therefore, until - /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS, - /// treat the input as untrusted and prepare to undo any action that - /// depends on the input if psa_aead_verify() returns an error status. - /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] input Buffer containing the fragment of - /// additional data. - /// \param input_length Size of the \p input buffer in bytes. + /// \brief This function clears a GCM context and the underlying + /// cipher sub-context. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total input length overflows the additional data length that - /// was previously specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, have a nonce - /// set, have lengths set if required by the algorithm, and - /// psa_aead_update() must not have been called yet), or the library - /// has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_update_ad( - operation: *mut psa_aead_operation_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \param ctx The GCM context to clear. If this is \c NULL, the call has + /// no effect. Otherwise, this must be initialized. + pub fn mbedtls_gcm_free(ctx: *mut mbedtls_gcm_context); } unsafe extern "C" { - /// Encrypt or decrypt a message fragment in an active AEAD operation. - /// - /// Before calling this function, you must: - /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). - /// The choice of setup function determines whether this function - /// encrypts or decrypts its input. - /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). - /// 3. Call psa_aead_update_ad() to pass all the additional data. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). - /// - /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, - /// there is no guarantee that the input is valid. Therefore, until - /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS: - /// - Do not use the output in any way other than storing it in a - /// confidential location. If you take any action that depends - /// on the tentative decrypted data, this action will need to be - /// undone if the input turns out not to be valid. Furthermore, - /// if an adversary can observe that this action took place - /// (for example through timing), they may be able to use this - /// fact as an oracle to decrypt any message encrypted with the - /// same key. - /// - In particular, do not copy the output anywhere but to a - /// memory or storage space that you have exclusive access to. - /// - /// This function does not require the input to be aligned to any - /// particular block boundary. If the implementation can only process - /// a whole block at a time, it must consume all the input provided, but - /// it may delay the end of the corresponding output until a subsequent - /// call to psa_aead_update(), psa_aead_finish() or psa_aead_verify() - /// provides sufficient input. The amount of data that can be delayed - /// in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE. - /// - /// \param[in,out] operation Active AEAD operation. - /// \param[in] input Buffer containing the message fragment to - /// encrypt or decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[out] output Buffer where the output is to be written. - /// \param output_size Size of the \p output buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, - /// \c alg, \p input_length) where - /// \c key_type is the type of key and \c alg is - /// the algorithm that were used to set up the - /// operation. - /// - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p - /// input_length) evaluates to the maximum - /// output size of any supported AEAD - /// algorithm. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. + /// \brief The GCM checkup routine. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or - /// #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to - /// determine the required buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total input length overflows the plaintext length that - /// was previously specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, have a nonce - /// set, and have lengths set if required by the algorithm), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_update( - operation: *mut psa_aead_operation_t, - input: *const u8, - input_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success. + /// \return \c 1 on failure. + pub fn mbedtls_gcm_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_hmac_operation_t { + /// The HMAC algorithm in use + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + /// The hash context. + pub hash_ctx: psa_hash_operation_s, + /// The HMAC part of the context. + pub private_opad: [u8; 128usize], +} +impl Default for mbedtls_psa_hmac_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_mac_operation_t { + pub private_alg: psa_algorithm_t, + pub __bindgen_padding_0: u64, + pub private_ctx: mbedtls_psa_mac_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union mbedtls_psa_mac_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_hmac: mbedtls_psa_hmac_operation_t, + pub private_cmac: mbedtls_cipher_context_t, +} +impl Default for mbedtls_psa_mac_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_mac_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_aead_operation_t { + pub private_alg: psa_algorithm_t, + pub private_key_type: psa_key_type_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_tag_length: u8, + pub ctx: mbedtls_psa_aead_operation_t__bindgen_ty_1, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_aead_operation_t__bindgen_ty_1 { + pub dummy: ::core::ffi::c_uint, + pub private_ccm: mbedtls_ccm_context, + pub private_gcm: mbedtls_gcm_context, + pub private_chachapoly: mbedtls_chachapoly_context, +} +impl Default for mbedtls_psa_aead_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for mbedtls_psa_aead_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl mbedtls_psa_aead_operation_t { + #[inline] + pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_is_encrypt: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; + private_is_encrypt as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_sign_hash_interruptible_operation_t { + pub private_dummy: ::core::ffi::c_uint, +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_verify_hash_interruptible_operation_t { + pub private_dummy: ::core::ffi::c_uint, +} +///< Client +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_CLIENT: mbedtls_ecjpake_role = 0; +///< Server +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_SERVER: mbedtls_ecjpake_role = 1; +///< Undefined +pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_NONE: mbedtls_ecjpake_role = 2; +/// Roles in the EC J-PAKE exchange +pub type mbedtls_ecjpake_role = ::core::ffi::c_uint; +/// EC J-PAKE context structure. +/// +/// J-PAKE is a symmetric protocol, except for the identifiers used in +/// Zero-Knowledge Proofs, and the serialization of the second message +/// (KeyExchange) as defined by the Thread spec. +/// +/// In order to benefit from this symmetry, we choose a different naming +/// convention from the Thread v1.0 spec. Correspondence is indicated in the +/// description as a pair C: client name, S: server name +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_ecjpake_context { + ///< Hash to use + pub private_md_type: mbedtls_md_type_t, + ///< Elliptic curve + pub private_grp: mbedtls_ecp_group, + ///< Are we client or server? + pub private_role: mbedtls_ecjpake_role, + ///< Format for point export + pub private_point_format: ::core::ffi::c_int, + ///< My public key 1 C: X1, S: X3 + pub private_Xm1: mbedtls_ecp_point, + ///< My public key 2 C: X2, S: X4 + pub private_Xm2: mbedtls_ecp_point, + ///< Peer public key 1 C: X3, S: X1 + pub private_Xp1: mbedtls_ecp_point, + ///< Peer public key 2 C: X4, S: X2 + pub private_Xp2: mbedtls_ecp_point, + ///< Peer public key C: Xs, S: Xc + pub private_Xp: mbedtls_ecp_point, + ///< My private key 1 C: x1, S: x3 + pub private_xm1: mbedtls_mpi, + ///< My private key 2 C: x2, S: x4 + pub private_xm2: mbedtls_mpi, + ///< Pre-shared secret (passphrase) + pub private_s: mbedtls_mpi, +} +impl Default for mbedtls_ecjpake_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } unsafe extern "C" { - /// Finish encrypting a message in an AEAD operation. - /// - /// The operation must have been set up with psa_aead_encrypt_setup(). + /// \brief Initialize an ECJPAKE context. /// - /// This function finishes the authentication of the additional data - /// formed by concatenating the inputs passed to preceding calls to - /// psa_aead_update_ad() with the plaintext formed by concatenating the - /// inputs passed to preceding calls to psa_aead_update(). + /// \param ctx The ECJPAKE context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_ecjpake_init(ctx: *mut mbedtls_ecjpake_context); +} +unsafe extern "C" { + /// \brief Set up an ECJPAKE context for use. /// - /// This function has two output buffers: - /// - \p ciphertext contains trailing ciphertext that was buffered from - /// preceding calls to psa_aead_update(). - /// - \p tag contains the authentication tag. + /// \note Currently the only values for hash/curve allowed by the + /// standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// \param ctx The ECJPAKE context to set up. This must be initialized. + /// \param role The role of the caller. This must be either + /// #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. + /// \param hash The identifier of the hash function to use, + /// for example #MBEDTLS_MD_SHA256. + /// \param curve The identifier of the elliptic curve to use, + /// for example #MBEDTLS_ECP_DP_SECP256R1. + /// \param secret The pre-shared secret (passphrase). This must be + /// a readable not empty buffer of length \p len Bytes. It need + /// only be valid for the duration of this call. + /// \param len The length of the pre-shared secret \p secret. /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] ciphertext Buffer where the last part of the ciphertext - /// is to be written. - /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, - /// \c alg) where \c key_type is the type of key - /// and \c alg is the algorithm that were used to - /// set up the operation. - /// - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to - /// the maximum output size of any supported AEAD - /// algorithm. - /// \param[out] ciphertext_length On success, the number of bytes of - /// returned ciphertext. - /// \param[out] tag Buffer where the authentication tag is - /// to be written. - /// \param tag_size Size of the \p tag buffer in bytes. - /// This must be appropriate for the selected - /// algorithm and key: - /// - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c - /// key_type, \c key_bits, \c alg) where - /// \c key_type and \c key_bits are the type and - /// bit-size of the key, and \c alg is the - /// algorithm that were used in the call to - /// psa_aead_encrypt_setup(). - /// - #PSA_AEAD_TAG_MAX_SIZE evaluates to the - /// maximum tag size of any supported AEAD - /// algorithm. - /// \param[out] tag_length On success, the number of bytes - /// that make up the returned tag. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p ciphertext or \p tag buffer is too small. - /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or - /// #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the - /// required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type, - /// \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to - /// determine the required \p tag buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total length of input to psa_aead_update() so far is - /// less than the plaintext length that was previously - /// specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active encryption - /// operation with a nonce set), or the library has not been previously - /// initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_finish( - operation: *mut psa_aead_operation_t, - ciphertext: *mut u8, - ciphertext_size: usize, - ciphertext_length: *mut usize, - tag: *mut u8, - tag_size: usize, - tag_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_setup( + ctx: *mut mbedtls_ecjpake_context, + role: mbedtls_ecjpake_role, + hash: mbedtls_md_type_t, + curve: mbedtls_ecp_group_id, + secret: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Finish authenticating and decrypting a message in an AEAD operation. - /// - /// The operation must have been set up with psa_aead_decrypt_setup(). - /// - /// This function finishes the authenticated decryption of the message - /// components: + /// \brief Set the point format for future reads and writes. /// - /// - The additional data consisting of the concatenation of the inputs - /// passed to preceding calls to psa_aead_update_ad(). - /// - The ciphertext consisting of the concatenation of the inputs passed to - /// preceding calls to psa_aead_update(). - /// - The tag passed to this function call. + /// \param ctx The ECJPAKE context to configure. + /// \param point_format The point format to use: + /// #MBEDTLS_ECP_PF_UNCOMPRESSED (default) + /// or #MBEDTLS_ECP_PF_COMPRESSED. /// - /// If the authentication tag is correct, this function outputs any remaining - /// plaintext and reports success. If the authentication tag is not correct, - /// this function returns #PSA_ERROR_INVALID_SIGNATURE. + /// \return \c 0 if successful. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format + /// is invalid. + pub fn mbedtls_ecjpake_set_point_format( + ctx: *mut mbedtls_ecjpake_context, + point_format: ::core::ffi::c_int, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Check if an ECJPAKE context is ready for use. /// - /// When this function returns successfully, the operation becomes inactive. - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_aead_abort(). + /// \param ctx The ECJPAKE context to check. This must be + /// initialized. /// - /// \note Implementations shall make the best effort to ensure that the - /// comparison between the actual tag and the expected tag is performed - /// in constant time. + /// \return \c 0 if the context is ready for use. + /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. + pub fn mbedtls_ecjpake_check(ctx: *const mbedtls_ecjpake_context) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Generate and write the first round message + /// (TLS: contents of the Client/ServerHello extension, + /// excluding extension type and length bytes). /// - /// \param[in,out] operation Active AEAD operation. - /// \param[out] plaintext Buffer where the last part of the plaintext - /// is to be written. This is the remaining data - /// from previous calls to psa_aead_update() - /// that could not be processed until the end - /// of the input. - /// \param plaintext_size Size of the \p plaintext buffer in bytes. - /// This must be appropriate for the selected algorithm and key: - /// - A sufficient output size is - /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, - /// \c alg) where \c key_type is the type of key - /// and \c alg is the algorithm that were used to - /// set up the operation. - /// - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to - /// the maximum output size of any supported AEAD - /// algorithm. - /// \param[out] plaintext_length On success, the number of bytes of - /// returned plaintext. - /// \param[in] tag Buffer containing the authentication tag. - /// \param tag_length Size of the \p tag buffer in bytes. + /// \param ctx The ECJPAKE context to use. This must be + /// initialized and set up. + /// \param buf The buffer to write the contents to. This must be a + /// writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number + /// of Bytes written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculations were successful, but the authentication tag is - /// not correct. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p plaintext buffer is too small. - /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or - /// #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the - /// required buffer size. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The total length of input to psa_aead_update_ad() so far is - /// less than the additional data length that was previously - /// specified with psa_aead_set_lengths(), or - /// the total length of input to psa_aead_update() so far is - /// less than the plaintext length that was previously - /// specified with psa_aead_set_lengths(). - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be an active decryption - /// operation with a nonce set), or the library has not been previously - /// initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_verify( - operation: *mut psa_aead_operation_t, - plaintext: *mut u8, - plaintext_size: usize, - plaintext_length: *mut usize, - tag: *const u8, - tag_length: usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_round_one( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort an AEAD operation. - /// - /// Aborting an operation frees all associated resources except for the - /// \p operation structure itself. Once aborted, the operation object - /// can be reused for another operation by calling - /// psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again. + /// \brief Read and process the first round message + /// (TLS: contents of the Client/ServerHello extension, + /// excluding extension type and length bytes). /// - /// You may call this function any time after the operation object has - /// been initialized as described in #psa_aead_operation_t. + /// \param ctx The ECJPAKE context to use. This must be initialized + /// and set up. + /// \param buf The buffer holding the first round message. This must + /// be a readable buffer of length \p len Bytes. + /// \param len The length in Bytes of \p buf. /// - /// In particular, calling psa_aead_abort() after the operation has been - /// terminated by a call to psa_aead_abort(), psa_aead_finish() or - /// psa_aead_verify() is safe and has no effect. + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_read_round_one( + ctx: *mut mbedtls_ecjpake_context, + buf: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Generate and write the second round message + /// (TLS: contents of the Client/ServerKeyExchange). /// - /// \param[in,out] operation Initialized AEAD operation. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up, and already have performed round one. + /// \param buf The buffer to write the round two contents to. + /// This must be a writable buffer of length \p len Bytes. + /// \param len The size of \p buf in Bytes. + /// \param olen The address at which to store the total number of Bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_aead_abort(operation: *mut psa_aead_operation_t) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_round_two( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Sign a message with a private key. For hash-and-sign algorithms, - /// this includes the hashing step. + /// \brief Read and process the second round message + /// (TLS: contents of the Client/ServerKeyExchange). /// - /// \note To perform a multi-part hash-and-sign signature algorithm, first use - /// a multi-part hash operation and then pass the resulting hash to - /// psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the - /// hash algorithm to use. - /// - /// \param[in] key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE. - /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) - /// is true), that is compatible with the type of - /// \p key. - /// \param[in] input The input message to sign. - /// \param[in] input_length Size of the \p input buffer in bytes. - /// \param[out] signature Buffer where the signature is to be written. - /// \param[in] signature_size Size of the \p signature buffer in bytes. This - /// must be appropriate for the selected - /// algorithm and key: - /// - The required signature size is - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and - /// bit-size respectively of key. - /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the - /// maximum signature size of any supported - /// signature algorithm. - /// \param[out] signature_length On success, the number of bytes that make up - /// the returned signature value. + /// \param ctx The ECJPAKE context to use. This must be initialized + /// and set up and already have performed round one. + /// \param buf The buffer holding the second round message. This must + /// be a readable buffer of length \p len Bytes. + /// \param len The length in Bytes of \p buf. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, - /// or it does not permit the requested algorithm. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_sign_message( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_read_round_two( + ctx: *mut mbedtls_ecjpake_context, + buf: *const ::core::ffi::c_uchar, + len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify the signature of a message with a public key, using - /// a hash-and-sign verification algorithm. - /// - /// \note To perform a multi-part hash-and-sign signature verification - /// algorithm, first use a multi-part hash operation to hash the message - /// and then pass the resulting hash to psa_verify_hash(). - /// PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm - /// to use. + /// \brief Derive the shared secret + /// (TLS: Pre-Master Secret). /// - /// \param[in] key Identifier of the key to use for the operation. - /// It must be a public key or an asymmetric key - /// pair. The key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_MESSAGE. - /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) - /// is true), that is compatible with the type of - /// \p key. - /// \param[in] input The message whose signature is to be verified. - /// \param[in] input_length Size of the \p input buffer in bytes. - /// \param[out] signature Buffer containing the signature to verify. - /// \param[in] signature_length Size of the \p signature buffer in bytes. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up and have performed both round one and two. + /// \param buf The buffer to write the derived secret to. This must + /// be a writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number of Bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, - /// or it does not permit the requested algorithm. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed signature - /// is not a valid signature. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_verify_message( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - signature: *const u8, - signature_length: usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_derive_secret( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Sign a hash or short message with a private key. - /// - /// Note that to perform a hash-and-sign signature algorithm, you must - /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() - /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). - /// Then pass the resulting hash as the \p hash - /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) - /// to determine the hash algorithm to use. + /// \brief Write the shared key material to be passed to a Key + /// Derivation Function as described in RFC8236. /// - /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. - /// \param alg A signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message to sign. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[out] signature Buffer where the signature is to be written. - /// \param signature_size Size of the \p signature buffer in bytes. - /// \param[out] signature_length On success, the number of bytes - /// that make up the returned signature value. + /// \param ctx The ECJPAKE context to use. This must be initialized, + /// set up and have performed both round one and two. + /// \param buf The buffer to write the derived secret to. This must + /// be a writable buffer of length \p len Bytes. + /// \param len The length of \p buf in Bytes. + /// \param olen The address at which to store the total number of bytes + /// written to \p buf. This must not be \c NULL. + /// \param f_rng The RNG function to use. This must not be \c NULL. + /// \param p_rng The RNG parameter to be passed to \p f_rng. This + /// may be \c NULL if \p f_rng doesn't use a context. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_sign_hash( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 if successful. + /// \return A negative error code on failure. + pub fn mbedtls_ecjpake_write_shared_key( + ctx: *mut mbedtls_ecjpake_context, + buf: *mut ::core::ffi::c_uchar, + len: usize, + olen: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Verify the signature of a hash or short message using a public key. - /// - /// Note that to perform a hash-and-sign signature algorithm, you must - /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() - /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). - /// Then pass the resulting hash as the \p hash - /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) - /// to determine the hash algorithm to use. + /// \brief This clears an ECJPAKE context and frees any + /// embedded data structure. /// - /// \param key Identifier of the key to use for the operation. It - /// must be a public key or an asymmetric key pair. The - /// key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_HASH. - /// \param alg A signature algorithm (PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message whose signature is to be - /// verified. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[in] signature Buffer containing the signature to verify. - /// \param signature_length Size of the \p signature buffer in bytes. + /// \param ctx The ECJPAKE context to free. This may be \c NULL, + /// in which case this function does nothing. If it is not + /// \c NULL, it must point to an initialized ECJPAKE context. + pub fn mbedtls_ecjpake_free(ctx: *mut mbedtls_ecjpake_context); +} +unsafe extern "C" { + /// \brief Checkup routine /// - /// \retval #PSA_SUCCESS - /// The signature is valid. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed - /// signature is not a valid signature. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_verify_hash( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *const u8, - signature_length: usize, - ) -> psa_status_t; + /// \return 0 if successful, or 1 if a test failed + pub fn mbedtls_ecjpake_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; } -unsafe extern "C" { - /// \brief Encrypt a short message with a public key. - /// - /// \param key Identifier of the key to use for the operation. - /// It must be a public key or an asymmetric key - /// pair. It must allow the usage - /// #PSA_KEY_USAGE_ENCRYPT. - /// \param alg An asymmetric encryption algorithm that is - /// compatible with the type of \p key. - /// \param[in] input The message to encrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[in] salt A salt or label, if supported by the - /// encryption algorithm. - /// If the algorithm does not support a - /// salt, pass \c NULL. - /// If the algorithm supports an optional - /// salt and you do not want to pass a salt, - /// pass \c NULL. - /// - /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is - /// supported. - /// \param salt_length Size of the \p salt buffer in bytes. - /// If \p salt is \c NULL, pass 0. - /// \param[out] output Buffer where the encrypted message is to - /// be written. - /// \param output_size Size of the \p output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_asymmetric_encrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - salt: *const u8, - salt_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_psa_pake_operation_t { + pub private_alg: psa_algorithm_t, + pub private_password: *mut u8, + pub private_password_len: usize, + pub private_role: mbedtls_ecjpake_role, + pub private_buffer: [u8; 336usize], + pub private_buffer_length: usize, + pub private_buffer_offset: usize, + pub private_ctx: mbedtls_psa_pake_operation_t__bindgen_ty_1, } -unsafe extern "C" { - /// \brief Decrypt a short message with a private key. - /// - /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. It must - /// allow the usage #PSA_KEY_USAGE_DECRYPT. - /// \param alg An asymmetric encryption algorithm that is - /// compatible with the type of \p key. - /// \param[in] input The message to decrypt. - /// \param input_length Size of the \p input buffer in bytes. - /// \param[in] salt A salt or label, if supported by the - /// encryption algorithm. - /// If the algorithm does not support a - /// salt, pass \c NULL. - /// If the algorithm supports an optional - /// salt and you do not want to pass a salt, - /// pass \c NULL. - /// - /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is - /// supported. - /// \param salt_length Size of the \p salt buffer in bytes. - /// If \p salt is \c NULL, pass 0. - /// \param[out] output Buffer where the decrypted message is to - /// be written. - /// \param output_size Size of the \c output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INVALID_PADDING \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_asymmetric_decrypt( - key: mbedtls_svc_key_id_t, - alg: psa_algorithm_t, - input: *const u8, - input_length: usize, - salt: *const u8, - salt_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub union mbedtls_psa_pake_operation_t__bindgen_ty_1 { + pub private_dummy: ::core::ffi::c_uint, + pub private_jpake: mbedtls_ecjpake_context, } -/// The type of the state data structure for key derivation operations. -/// -/// Before calling any function on a key derivation operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_key_derivation_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_key_derivation_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT, -/// for example: -/// \code -/// psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_key_derivation_operation_init() -/// to the structure, for example: -/// \code -/// psa_key_derivation_operation_t operation; -/// operation = psa_key_derivation_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_key_derivation_operation_t = psa_key_derivation_s; -unsafe extern "C" { - /// Set up a key derivation operation. - /// - /// A key derivation algorithm takes some inputs and uses them to generate - /// a byte stream in a deterministic way. - /// This byte stream can be used to produce keys and other - /// cryptographic material. - /// - /// To derive a key: - /// -# Start with an initialized object of type #psa_key_derivation_operation_t. - /// -# Call psa_key_derivation_setup() to select the algorithm. - /// -# Provide the inputs for the key derivation by calling - /// psa_key_derivation_input_bytes() or psa_key_derivation_input_key() - /// as appropriate. Which inputs are needed, in what order, and whether - /// they may be keys and if so of what type depends on the algorithm. - /// -# Optionally set the operation's maximum capacity with - /// psa_key_derivation_set_capacity(). You may do this before, in the middle - /// of or after providing inputs. For some algorithms, this step is mandatory - /// because the output depends on the maximum capacity. - /// -# To derive a key, call psa_key_derivation_output_key(). - /// To derive a byte string for a different purpose, call - /// psa_key_derivation_output_bytes(). - /// Successive calls to these functions use successive output bytes - /// calculated by the key derivation algorithm. - /// -# Clean up the key derivation operation object with - /// psa_key_derivation_abort(). - /// - /// If this function returns an error, the key derivation operation object is - /// not changed. - /// - /// If an error occurs at any step after a call to psa_key_derivation_setup(), - /// the operation will need to be reset by a call to psa_key_derivation_abort(). - /// - /// Implementations must reject an attempt to derive a key of size 0. - /// - /// \param[in,out] operation The key derivation operation object - /// to set up. It must - /// have been initialized but not set up yet. - /// \param alg The key derivation algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c alg is not a key derivation algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a key derivation algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be inactive), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_setup( - operation: *mut psa_key_derivation_operation_t, - alg: psa_algorithm_t, - ) -> psa_status_t; +impl Default for mbedtls_psa_pake_operation_t__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Retrieve the current capacity of a key derivation operation. - /// - /// The capacity of a key derivation is the maximum number of bytes that it can - /// return. When you get *N* bytes of output from a key derivation operation, - /// this reduces its capacity by *N*. - /// - /// \param[in] operation The operation to query. - /// \param[out] capacity On success, the capacity of the operation. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_get_capacity( - operation: *const psa_key_derivation_operation_t, - capacity: *mut usize, - ) -> psa_status_t; +impl Default for mbedtls_psa_pake_operation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Set the maximum capacity of a key derivation operation. - /// - /// The capacity of a key derivation operation is the maximum number of bytes - /// that the key derivation operation can return from this point onwards. - /// - /// \param[in,out] operation The key derivation operation object to modify. - /// \param capacity The new capacity of the operation. - /// It must be less or equal to the operation's - /// current capacity. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p capacity is larger than the operation's current capacity. - /// In this case, the operation object remains valid and its capacity - /// remains unchanged. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active), or the - /// library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_set_capacity( - operation: *mut psa_key_derivation_operation_t, - capacity: usize, - ) -> psa_status_t; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_mac_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_mac_operation_t, } -unsafe extern "C" { - /// Provide an input for key derivation or key agreement. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function passes direct inputs, which is usually correct for - /// non-secret inputs. To pass a secret input, which should be in a key - /// object, call psa_key_derivation_input_key() instead of this function. - /// Refer to the documentation of individual step types - /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) - /// for more information. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param[in] data Input data to use. - /// \param data_length Size of the \p data buffer in bytes. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow direct inputs. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_bytes( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - data: *const u8, - data_length: usize, - ) -> psa_status_t; +impl Default for psa_driver_mac_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Provide a numeric input for key derivation or key agreement. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// However, when an algorithm requires a particular order, numeric inputs - /// usually come first as they tend to be configuration parameters. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function is used for inputs which are fixed-size non-negative - /// integers. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param[in] value The value of the numeric input. - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow numeric inputs. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_integer( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - value: u64, - ) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_aead_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_aead_operation_t, } -unsafe extern "C" { - /// Provide an input for key derivation in the form of a key. - /// - /// Which inputs are required and in what order depends on the algorithm. - /// Refer to the documentation of each key derivation or key agreement - /// algorithm for information. - /// - /// This function obtains input from a key object, which is usually correct for - /// secret inputs or for non-secret personalization strings kept in the key - /// store. To pass a non-secret parameter which is not in the key store, - /// call psa_key_derivation_input_bytes() instead of this function. - /// Refer to the documentation of individual step types - /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) - /// for more information. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() and must not - /// have produced any output yet. - /// \param step Which step the input data is for. - /// \param key Identifier of the key. It must have an - /// appropriate type for step and must allow the - /// usage #PSA_KEY_USAGE_DERIVE or - /// #PSA_KEY_USAGE_VERIFY_DERIVATION (see note) - /// and the algorithm used by the operation. - /// - /// \note Once all inputs steps are completed, the operations will allow: - /// - psa_key_derivation_output_bytes() if each input was either a direct input - /// or a key with #PSA_KEY_USAGE_DERIVE set; - /// - psa_key_derivation_output_key() if the input for step - /// #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD - /// was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was - /// either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; - /// - psa_key_derivation_verify_bytes() if each input was either a direct input - /// or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; - /// - psa_key_derivation_verify_key() under the same conditions as - /// psa_key_derivation_verify_bytes(). - /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key allows neither #PSA_KEY_USAGE_DERIVE nor - /// #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this - /// algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c step is not compatible with the operation's algorithm, or - /// \c step does not allow key inputs of the given type - /// or does not allow key inputs at all. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this input \p step, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_key_derivation_input_key( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - key: mbedtls_svc_key_id_t, - ) -> psa_status_t; +impl Default for psa_driver_aead_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// Perform a key agreement and use the shared secret as input to a key - /// derivation. - /// - /// A key agreement algorithm takes two inputs: a private key \p private_key - /// a public key \p peer_key. - /// The result of this function is passed as input to a key derivation. - /// The output of this key derivation can be extracted by reading from the - /// resulting operation to produce keys and other cryptographic material. - /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// \param[in,out] operation The key derivation operation object to use. - /// It must have been set up with - /// psa_key_derivation_setup() with a - /// key agreement and derivation algorithm - /// \c alg (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true - /// and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg) - /// is false). - /// The operation must be ready for an - /// input of the type given by \p step. - /// \param step Which step the input data is for. - /// \param private_key Identifier of the private key to use. It must - /// allow the usage #PSA_KEY_USAGE_DERIVE. - /// \param[in] peer_key Public key of the peer. The peer key must be in the - /// same format that psa_import_key() accepts for the - /// public key type corresponding to the type of - /// private_key. That is, this function performs the - /// equivalent of - /// #psa_import_key(..., - /// `peer_key`, `peer_key_length`) where - /// with key attributes indicating the public key - /// type corresponding to the type of `private_key`. - /// For example, for EC keys, this means that peer_key - /// is interpreted as a point on the curve that the - /// private key is on. The standard formats for public - /// keys are documented in the documentation of - /// psa_export_public_key(). - /// \param peer_key_length Size of \p peer_key in bytes. +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_sign_hash_interruptible_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_sign_hash_interruptible_operation_t, +} +impl Default for psa_driver_sign_hash_interruptible_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_verify_hash_interruptible_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_verify_hash_interruptible_operation_t, +} +impl Default for psa_driver_verify_hash_interruptible_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_driver_pake_context_t { + pub dummy: ::core::ffi::c_uint, + pub mbedtls_ctx: mbedtls_psa_pake_operation_t, +} +impl Default for psa_driver_pake_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_mac_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_mac_size: u8, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub __bindgen_padding_0: u64, + pub private_ctx: psa_driver_mac_context_t, +} +impl Default for psa_mac_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_mac_operation_s { + #[inline] + pub fn private_is_sign(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_sign(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_sign_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_sign_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_is_sign: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_is_sign: u32 = unsafe { ::core::mem::transmute(private_is_sign) }; + private_is_sign as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_aead_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_alg: psa_algorithm_t, + pub private_key_type: psa_key_type_t, + pub private_ad_remaining: usize, + pub private_body_remaining: usize, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_ctx: psa_driver_aead_context_t, +} +impl Default for psa_aead_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_aead_operation_s { + #[inline] + pub fn private_nonce_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_nonce_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_nonce_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_nonce_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_lengths_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_lengths_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(1usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_lengths_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 1usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_lengths_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 1usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_ad_started(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_ad_started(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(2usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_ad_started_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 2usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_ad_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 2usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_body_started(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(3usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_body_started(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(3usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_body_started_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 3usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_body_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 3usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(4usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(4usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 4usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 4usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_nonce_set: ::core::ffi::c_uint, + private_lengths_set: ::core::ffi::c_uint, + private_ad_started: ::core::ffi::c_uint, + private_body_started: ::core::ffi::c_uint, + private_is_encrypt: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_nonce_set: u32 = unsafe { ::core::mem::transmute(private_nonce_set) }; + private_nonce_set as u64 + }); + __bindgen_bitfield_unit.set(1usize, 1u8, { + let private_lengths_set: u32 = unsafe { ::core::mem::transmute(private_lengths_set) }; + private_lengths_set as u64 + }); + __bindgen_bitfield_unit.set(2usize, 1u8, { + let private_ad_started: u32 = unsafe { ::core::mem::transmute(private_ad_started) }; + private_ad_started as u64 + }); + __bindgen_bitfield_unit.set(3usize, 1u8, { + let private_body_started: u32 = unsafe { ::core::mem::transmute(private_body_started) }; + private_body_started as u64 + }); + __bindgen_bitfield_unit.set(4usize, 1u8, { + let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; + private_is_encrypt as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_hkdf_key_derivation_t { + pub private_info: *mut u8, + pub private_info_length: usize, + pub private_offset_in_block: u8, + pub private_block_number: u8, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_output_block: [u8; 64usize], + pub private_prk: [u8; 64usize], + pub __bindgen_padding_0: [u64; 0usize], + pub private_hmac: psa_mac_operation_s, +} +impl Default for psa_hkdf_key_derivation_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_hkdf_key_derivation_t { + #[inline] + pub fn private_state(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 2u8) as u32) } + } + #[inline] + pub fn set_private_state(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 2u8, val as u64) + } + } + #[inline] + pub unsafe fn private_state_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 2u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_state_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 2u8, + val as u64, + ) + } + } + #[inline] + pub fn private_info_set(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_info_set(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(2usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_info_set_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 2usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_info_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 2usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_state: ::core::ffi::c_uint, + private_info_set: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 2u8, { + let private_state: u32 = unsafe { ::core::mem::transmute(private_state) }; + private_state as u64 + }); + __bindgen_bitfield_unit.set(2usize, 1u8, { + let private_info_set: u32 = unsafe { ::core::mem::transmute(private_info_set) }; + private_info_set as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_tls12_ecjpake_to_pms_t { + pub private_data: [u8; 32usize], +} +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_INIT: + psa_tls12_prf_key_derivation_state_t = 0; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_SEED_SET: + psa_tls12_prf_key_derivation_state_t = 1; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OTHER_KEY_SET: + psa_tls12_prf_key_derivation_state_t = 2; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_KEY_SET: + psa_tls12_prf_key_derivation_state_t = 3; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_LABEL_SET: + psa_tls12_prf_key_derivation_state_t = 4; +pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OUTPUT: + psa_tls12_prf_key_derivation_state_t = 5; +pub type psa_tls12_prf_key_derivation_state_t = ::core::ffi::c_uint; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_tls12_prf_key_derivation_s { + pub private_left_in_block: u8, + pub private_block_number: u8, + pub private_state: psa_tls12_prf_key_derivation_state_t, + pub private_secret: *mut u8, + pub private_secret_length: usize, + pub private_seed: *mut u8, + pub private_seed_length: usize, + pub private_label: *mut u8, + pub private_label_length: usize, + pub private_other_secret: *mut u8, + pub private_other_secret_length: usize, + pub private_Ai: [u8; 64usize], + pub private_output_block: [u8; 64usize], +} +impl Default for psa_tls12_prf_key_derivation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub type psa_tls12_prf_key_derivation_t = psa_tls12_prf_key_derivation_s; +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub union psa_driver_key_derivation_context_t { + pub dummy: ::core::ffi::c_uint, + pub private_hkdf: psa_hkdf_key_derivation_t, + pub private_tls12_prf: psa_tls12_prf_key_derivation_t, + pub private_tls12_ecjpake_to_pms: psa_tls12_ecjpake_to_pms_t, +} +impl Default for psa_driver_key_derivation_context_t { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +#[repr(C)] +#[repr(align(16))] +#[derive(Copy, Clone)] +pub struct psa_key_derivation_s { + pub private_alg: psa_algorithm_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_capacity: usize, + pub __bindgen_padding_0: [u64; 0usize], + pub private_ctx: psa_driver_key_derivation_context_t, +} +impl Default for psa_key_derivation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_key_derivation_s { + #[inline] + pub fn private_can_output_key(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_can_output_key(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_can_output_key_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_can_output_key_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_can_output_key: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_can_output_key: u32 = + unsafe { ::core::mem::transmute(private_can_output_key) }; + private_can_output_key as u64 + }); + __bindgen_bitfield_unit + } +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_custom_key_parameters_s { + pub flags: u32, +} +#[repr(C)] +#[derive(Default)] +pub struct psa_key_production_parameters_s { + pub flags: u32, + pub data: __IncompleteArrayField, +} +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_key_policy_s { + pub private_usage: psa_key_usage_t, + pub private_alg: psa_algorithm_t, + pub private_alg2: psa_algorithm_t, +} +pub type psa_key_policy_t = psa_key_policy_s; +pub type psa_key_bits_t = u16; +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_key_attributes_s { + pub private_type: psa_key_type_t, + pub private_bits: psa_key_bits_t, + pub private_lifetime: psa_key_lifetime_t, + pub private_policy: psa_key_policy_t, + pub private_id: mbedtls_svc_key_id_t, +} +/// \brief The context for PSA interruptible hash signing. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_sign_hash_interruptible_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_ctx: psa_driver_sign_hash_interruptible_context_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_num_ops: u32, +} +impl Default for psa_sign_hash_interruptible_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_sign_hash_interruptible_operation_s { + #[inline] + pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_error_occurred: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_error_occurred: u32 = + unsafe { ::core::mem::transmute(private_error_occurred) }; + private_error_occurred as u64 + }); + __bindgen_bitfield_unit + } +} +/// \brief The context for PSA interruptible hash verification. +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_verify_hash_interruptible_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_ctx: psa_driver_verify_hash_interruptible_context_t, + pub _bitfield_align_1: [u8; 0], + pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, + pub private_num_ops: u32, +} +impl Default for psa_verify_hash_interruptible_operation_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl psa_verify_hash_interruptible_operation_s { + #[inline] + pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { + unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } + } + #[inline] + pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + self._bitfield_1.set(0usize, 1u8, val as u64) + } + } + #[inline] + pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { + unsafe { + ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( + ::core::ptr::addr_of!((*this)._bitfield_1), + 0usize, + 1u8, + ) as u32) + } + } + #[inline] + pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { + unsafe { + let val: u32 = ::core::mem::transmute(val); + <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( + ::core::ptr::addr_of_mut!((*this)._bitfield_1), + 0usize, + 1u8, + val as u64, + ) + } + } + #[inline] + pub fn new_bitfield_1( + private_error_occurred: ::core::ffi::c_uint, + ) -> __BindgenBitfieldUnit<[u8; 1usize]> { + let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); + __bindgen_bitfield_unit.set(0usize, 1u8, { + let private_error_occurred: u32 = + unsafe { ::core::mem::transmute(private_error_occurred) }; + private_error_occurred as u64 + }); + __bindgen_bitfield_unit + } +} +unsafe extern "C" { + /// \brief Library initialization. + /// + /// Applications must call this function before calling any other + /// function in this module. + /// + /// Applications may call this function more than once. Once a call + /// succeeds, subsequent calls are guaranteed to succeed. + /// + /// If the application calls other functions before calling psa_crypto_init(), + /// the behavior is undefined. Implementations are encouraged to either perform + /// the operation as if the library had been initialized or to return + /// #PSA_ERROR_BAD_STATE or some other applicable error. In particular, + /// implementations should not return a success status if the lack of + /// initialization may have security implications, for example due to improper + /// seeding of the random number generator. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + pub fn psa_crypto_init() -> psa_status_t; +} +unsafe extern "C" { + /// Retrieve the attributes of a key. + /// + /// This function first resets the attribute structure as with + /// psa_reset_key_attributes(). It then copies the attributes of + /// the given key into the given attribute structure. + /// + /// \note This function may allocate memory or other resources. + /// Once you have called this function on an attribute structure, + /// you must call psa_reset_key_attributes() to free these resources. + /// + /// \param[in] key Identifier of the key to query. + /// \param[in,out] attributes On success, the attributes of the key. + /// On failure, equivalent to a + /// freshly-initialized structure. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_get_key_attributes( + key: mbedtls_svc_key_id_t, + attributes: *mut psa_key_attributes_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Reset a key attribute structure to a freshly initialized state. + /// + /// You must initialize the attribute structure as described in the + /// documentation of the type #psa_key_attributes_t before calling this + /// function. Once the structure has been initialized, you may call this + /// function at any time. + /// + /// This function frees any auxiliary resources that the structure + /// may contain. + /// + /// \param[in,out] attributes The attribute structure to reset. + pub fn psa_reset_key_attributes(attributes: *mut psa_key_attributes_t); +} +unsafe extern "C" { + /// Remove non-essential copies of key material from memory. + /// + /// If the key identifier designates a volatile key, this functions does not do + /// anything and returns successfully. + /// + /// If the key identifier designates a persistent key, then this function will + /// free all resources associated with the key in volatile memory. The key + /// data in persistent storage is not affected and the key can still be used. + /// + /// \param key Identifier of the key to purge. + /// + /// \retval #PSA_SUCCESS + /// The key material will have been removed from memory if it is not + /// currently required. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not a valid key identifier. + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_purge_key(key: mbedtls_svc_key_id_t) -> psa_status_t; +} +unsafe extern "C" { + /// Make a copy of a key. + /// + /// Copy key material from one location to another. + /// + /// This function is primarily useful to copy a key from one location + /// to another, since it populates a key using the material from + /// another key which may have a different lifetime. + /// + /// This function may be used to share a key with a different party, + /// subject to implementation-defined restrictions on key sharing. + /// + /// The policy on the source key must have the usage flag + /// #PSA_KEY_USAGE_COPY set. + /// This flag is sufficient to permit the copy if the key has the lifetime + /// #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT. + /// Some secure elements do not provide a way to copy a key without + /// making it extractable from the secure element. If a key is located + /// in such a secure element, then the key must have both usage flags + /// #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make + /// a copy of the key outside the secure element. + /// + /// The resulting key may only be used in a way that conforms to + /// both the policy of the original key and the policy specified in + /// the \p attributes parameter: + /// - The usage flags on the resulting key are the bitwise-and of the + /// usage flags on the source policy and the usage flags in \p attributes. + /// - If both allow the same algorithm or wildcard-based + /// algorithm policy, the resulting key has the same algorithm policy. + /// - If either of the policies allows an algorithm and the other policy + /// allows a wildcard-based algorithm policy that includes this algorithm, + /// the resulting key allows the same algorithm. + /// - If the policies do not allow any algorithm in common, this function + /// fails with the status #PSA_ERROR_INVALID_ARGUMENT. + /// + /// The effect of this function on implementation-defined attributes is + /// implementation-defined. + /// + /// \param source_key The key to copy. It must allow the usage + /// #PSA_KEY_USAGE_COPY. If a private or secret key is + /// being copied outside of a secure element it must + /// also allow #PSA_KEY_USAGE_EXPORT. + /// \param[in] attributes The attributes for the new key. + /// They are used as follows: + /// - The key type and size may be 0. If either is + /// nonzero, it must match the corresponding + /// attribute of the source key. + /// - The key location (the lifetime and, for + /// persistent keys, the key identifier) is + /// used directly. + /// - The policy constraints (usage flags and + /// algorithm policy) are combined from + /// the source key and \p attributes so that + /// both sets of restrictions apply, as + /// described in the documentation of this function. + /// \param[out] target_key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p source_key is invalid. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The lifetime or identifier in \p attributes are invalid, or + /// the policy constraints on the source and specified in + /// \p attributes are incompatible, or + /// \p attributes specifies a key type or key size + /// which does not match the attributes of the source key. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or + /// the source key is not exportable and its lifetime does not + /// allow copying it to the target's lifetime. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_copy_key( + source_key: mbedtls_svc_key_id_t, + attributes: *const psa_key_attributes_t, + target_key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Destroy a key. + /// + /// This function destroys a key from both volatile + /// memory and, if applicable, non-volatile storage. Implementations shall + /// make a best effort to ensure that the key material cannot be recovered. + /// + /// This function also erases any metadata such as policies and frees + /// resources associated with the key. + /// + /// If a key is currently in use in a multipart operation, then destroying the + /// key will cause the multipart operation to fail. + /// + /// \warning We can only guarantee that the the key material will + /// eventually be wiped from memory. With threading enabled + /// and during concurrent execution, copies of the key material may + /// still exist until all threads have finished using the key. + /// + /// \param key Identifier of the key to erase. If this is \c 0, do nothing and + /// return #PSA_SUCCESS. + /// + /// \retval #PSA_SUCCESS + /// \p key was a valid identifier and the key material that it + /// referred to has been erased. Alternatively, \p key is \c 0. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key cannot be erased because it is + /// read-only, either due to a policy or due to physical restrictions. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p key is not a valid identifier nor \c 0. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE + /// There was a failure in communication with the cryptoprocessor. + /// The key material may still be present in the cryptoprocessor. + /// \retval #PSA_ERROR_DATA_INVALID + /// This error is typically a result of either storage corruption on a + /// cleartext storage backend, or an attempt to read data that was + /// written by an incompatible version of the library. + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The storage is corrupted. Implementations shall make a best effort + /// to erase key material even in this stage, however applications + /// should be aware that it may be impossible to guarantee that the + /// key material is not recoverable in such cases. + /// \retval #PSA_ERROR_CORRUPTION_DETECTED + /// An unexpected condition which is not a storage corruption or + /// a communication failure occurred. The cryptoprocessor may have + /// been compromised. + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_destroy_key(key: mbedtls_svc_key_id_t) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Import a key in binary format. + /// + /// This function supports any output from psa_export_key(). Refer to the + /// documentation of psa_export_public_key() for the format of public keys + /// and to the documentation of psa_export_key() for the format for + /// other key types. + /// + /// The key data determines the key size. The attributes may optionally + /// specify a key size; in this case it must match the size determined + /// from the key data. A key size of 0 in \p attributes indicates that + /// the key size is solely determined by the key data. + /// + /// Implementations must reject an attempt to import a key of size 0. + /// + /// This specification supports a single format for each key type. + /// Implementations may support other formats as long as the standard + /// format is supported. Implementations that support other formats + /// should ensure that the formats are clearly unambiguous so as to + /// minimize the risk that an invalid input is accidentally interpreted + /// according to a different format. + /// + /// \param[in] attributes The attributes for the new key. + /// The key size is always determined from the + /// \p data buffer. + /// If the key size in \p attributes is nonzero, + /// it must be equal to the size from \p data. + /// \param[out] key On success, an identifier to the newly created key. + /// For persistent keys, this is the key identifier + /// defined in \p attributes. + /// \c 0 on failure. + /// \param[in] data Buffer containing the key data. The content of this + /// buffer is interpreted according to the type declared + /// in \p attributes. + /// All implementations must support at least the format + /// described in the documentation + /// of psa_export_key() or psa_export_public_key() for + /// the chosen type. Implementations may allow other + /// formats, but should be conservative: implementations + /// should err on the side of rejecting content if it + /// may be erroneous (e.g. wrong type or truncated data). + /// \param data_length Size of the \p data buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular persistent location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key attributes, as a whole, are invalid, or + /// the key data is not correctly formatted, or + /// the size in \p attributes is nonzero and does not match the size + /// of the key data. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_import_key( + attributes: *const psa_key_attributes_t, + data: *const u8, + data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Export a key in binary format. + /// + /// The output of this function can be passed to psa_import_key() to + /// create an equivalent object. + /// + /// If the implementation of psa_import_key() supports other formats + /// beyond the format specified here, the output from psa_export_key() + /// must use the representation specified here, not the original + /// representation. + /// + /// For standard key types, the output format is as follows: + /// + /// - For symmetric keys (including MAC keys), the format is the + /// raw bytes of the key. + /// - For DES, the key data consists of 8 bytes. The parity bits must be + /// correct. + /// - For Triple-DES, the format is the concatenation of the + /// two or three DES keys. + /// - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format + /// is the non-encrypted DER encoding of the representation defined by + /// PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0. + /// ``` + /// RSAPrivateKey ::= SEQUENCE { + /// version INTEGER, -- must be 0 + /// modulus INTEGER, -- n + /// publicExponent INTEGER, -- e + /// privateExponent INTEGER, -- d + /// prime1 INTEGER, -- p + /// prime2 INTEGER, -- q + /// exponent1 INTEGER, -- d mod (p-1) + /// exponent2 INTEGER, -- d mod (q-1) + /// coefficient INTEGER, -- (inverse of q) mod p + /// } + /// ``` + /// - For elliptic curve key pairs (key types for which + /// #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is + /// a representation of the private value as a `ceiling(m/8)`-byte string + /// where `m` is the bit size associated with the curve, i.e. the bit size + /// of the order of the curve's coordinate field. This byte string is + /// in little-endian order for Montgomery curves (curve types + /// `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass + /// curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX` + /// and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`). + /// For Weierstrass curves, this is the content of the `privateKey` field of + /// the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves, + /// the format is defined by RFC 7748, and output is masked according to §5. + /// For twisted Edwards curves, the private key is as defined by RFC 8032 + /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). + /// - For Diffie-Hellman key exchange key pairs (key types for which + /// #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the + /// format is the representation of the private key `x` as a big-endian byte + /// string. The length of the byte string is the private key size in bytes + /// (leading zeroes are not stripped). + /// - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is + /// true), the format is the same as for psa_export_public_key(). + /// + /// The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set. + /// + /// \param key Identifier of the key to export. It must allow the + /// usage #PSA_KEY_USAGE_EXPORT, unless it is a public + /// key. + /// \param[out] data Buffer where the key data is to be written. + /// \param data_size Size of the \p data buffer in bytes. + /// \param[out] data_length On success, the number of bytes + /// that make up the key data. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_EXPORT flag. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p data buffer is too small. You can determine a + /// sufficient buffer size by calling + /// #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits) + /// where \c type is the key type + /// and \c bits is the key size in bits. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_export_key( + key: mbedtls_svc_key_id_t, + data: *mut u8, + data_size: usize, + data_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Export a public key or the public part of a key pair in binary format. + /// + /// The output of this function can be passed to psa_import_key() to + /// create an object that is equivalent to the public key. + /// + /// This specification supports a single format for each key type. + /// Implementations may support other formats as long as the standard + /// format is supported. Implementations that support other formats + /// should ensure that the formats are clearly unambiguous so as to + /// minimize the risk that an invalid input is accidentally interpreted + /// according to a different format. + /// + /// For standard key types, the output format is as follows: + /// - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of + /// the representation defined by RFC 3279 §2.3.1 as `RSAPublicKey`. + /// ``` + /// RSAPublicKey ::= SEQUENCE { + /// modulus INTEGER, -- n + /// publicExponent INTEGER } -- e + /// ``` + /// - For elliptic curve keys on a twisted Edwards curve (key types for which + /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY + /// returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined + /// by RFC 8032 + /// (a 32-byte string for Edwards25519, a 57-byte string for Edwards448). + /// - For other elliptic curve public keys (key types for which + /// #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed + /// representation defined by SEC1 §2.3.3 as the content of an ECPoint. + /// Let `m` be the bit size associated with the curve, i.e. the bit size of + /// `q` for a curve over `F_q`. The representation consists of: + /// - The byte 0x04; + /// - `x_P` as a `ceiling(m/8)`-byte string, big-endian; + /// - `y_P` as a `ceiling(m/8)`-byte string, big-endian. + /// - For Diffie-Hellman key exchange public keys (key types for which + /// #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true), + /// the format is the representation of the public key `y = g^x mod p` as a + /// big-endian byte string. The length of the byte string is the length of the + /// base prime `p` in bytes. + /// + /// Exporting a public key object or the public part of a key pair is + /// always permitted, regardless of the key's usage flags. + /// + /// \param key Identifier of the key to export. + /// \param[out] data Buffer where the key data is to be written. + /// \param data_size Size of the \p data buffer in bytes. + /// \param[out] data_length On success, the number of bytes + /// that make up the key data. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key is neither a public key nor a key pair. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p data buffer is too small. You can determine a + /// sufficient buffer size by calling + /// #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits) + /// where \c type is the key type + /// and \c bits is the key size in bits. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_export_public_key( + key: mbedtls_svc_key_id_t, + data: *mut u8, + data_size: usize, + data_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Calculate the hash (digest) of a message. + /// + /// \note To verify the hash of a message against an + /// expected value, use psa_hash_compare() instead. + /// + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param[in] input Buffer containing the message to hash. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] hash Buffer where the hash is to be written. + /// \param hash_size Size of the \p hash buffer in bytes. + /// \param[out] hash_length On success, the number of bytes + /// that make up the hash value. This is always + /// #PSA_HASH_LENGTH(\p alg). /// /// \retval #PSA_SUCCESS /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a hash algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p hash_size is too small + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_compute( + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + hash: *mut u8, + hash_size: usize, + hash_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Calculate the hash (digest) of a message and compare it with a + /// reference value. + /// + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// \param[in] input Buffer containing the message to hash. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] hash Buffer containing the expected hash value. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected hash is identical to the actual hash of the input. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The hash of the message was calculated successfully, but it + /// differs from the expected hash. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a hash algorithm. /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \c private_key is not compatible with \c alg, - /// or \p peer_key is not valid for \c alg or not compatible with - /// \c private_key, or \c step does not allow an input resulting - /// from a key agreement. + /// \p input_length or \p hash_length do not match the hash size for \p alg + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_compare( + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + hash: *const u8, + hash_length: usize, + ) -> psa_status_t; +} +/// The type of the state data structure for multipart hash operations. +/// +/// Before calling any function on a hash operation object, the application must +/// initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_hash_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_hash_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT, +/// for example: +/// \code +/// psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_hash_operation_init() +/// to the structure, for example: +/// \code +/// psa_hash_operation_t operation; +/// operation = psa_hash_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_hash_operation_t = psa_hash_operation_s; +unsafe extern "C" { + /// Set up a multipart hash operation. + /// + /// The sequence of operations to calculate a hash (message digest) + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT. + /// -# Call psa_hash_setup() to specify the algorithm. + /// -# Call psa_hash_update() zero, one or more times, passing a fragment + /// of the message each time. The hash that is calculated is the hash + /// of the concatenation of these messages in order. + /// -# To calculate the hash, call psa_hash_finish(). + /// To compare the hash with an expected value, call psa_hash_verify(). + /// + /// If an error occurs at any step after a call to psa_hash_setup(), the + /// operation will need to be reset by a call to psa_hash_abort(). The + /// application may call psa_hash_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_hash_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_hash_finish() or psa_hash_verify(). + /// - A call to psa_hash_abort(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_hash_operation_t and not yet in use. + /// \param alg The hash algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_HASH(\p alg) is true). + /// + /// \retval #PSA_SUCCESS + /// Success. /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \c alg is not supported or is not a key derivation algorithm. + /// \p alg is not a supported hash algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p alg is not a hash algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid for this key agreement \p step, - /// or the library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_key_agreement( - operation: *mut psa_key_derivation_operation_t, - step: psa_key_derivation_step_t, - private_key: mbedtls_svc_key_id_t, - peer_key: *const u8, - peer_key_length: usize, + pub fn psa_hash_setup( + operation: *mut psa_hash_operation_t, + alg: psa_algorithm_t, ) -> psa_status_t; } unsafe extern "C" { - /// Read some data from a key derivation operation. + /// Add a message fragment to a multipart hash operation. /// - /// This function calculates output bytes from a key derivation algorithm and - /// return those bytes. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the requested number of bytes from the - /// stream. - /// The operation's capacity decreases by the number of bytes read. + /// The application must call psa_hash_setup() before calling this function. /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[out] output Buffer where the output will be written. - /// \param output_length Number of bytes to output. + /// \param[in,out] operation Active hash operation. + /// \param[in] input Buffer containing the message fragment to hash. + /// \param input_length Size of the \p input buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// One of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_DERIVE. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// \p output_length bytes. Note that in this case, - /// no output is written to the output buffer. - /// The operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller output buffer. + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_update( + operation: *mut psa_hash_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Finish the calculation of the hash of a message. + /// + /// The application must call psa_hash_setup() before calling this function. + /// This function calculates the hash of the message formed by concatenating + /// the inputs passed to preceding calls to psa_hash_update(). + /// + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). + /// + /// \warning Applications should not call this function if they expect + /// a specific value for the hash. Call psa_hash_verify() instead. + /// Beware that comparing integrity or authenticity data such as + /// hash values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the hashed data which could allow an attacker to guess + /// a valid hash and thereby bypass security controls. + /// + /// \param[in,out] operation Active hash operation. + /// \param[out] hash Buffer where the hash is to be written. + /// \param hash_size Size of the \p hash buffer in bytes. + /// \param[out] hash_length On success, the number of bytes + /// that make up the hash value. This is always + /// #PSA_HASH_LENGTH(\c alg) where \c alg is the + /// hash algorithm that is calculated. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p hash buffer is too small. You can determine a + /// sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) + /// where \c alg is the hash algorithm that is calculated. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_finish( + operation: *mut psa_hash_operation_t, + hash: *mut u8, + hash_size: usize, + hash_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Finish the calculation of the hash of a message and compare it with + /// an expected value. + /// + /// The application must call psa_hash_setup() before calling this function. + /// This function calculates the hash of the message formed by concatenating + /// the inputs passed to preceding calls to psa_hash_update(). It then + /// compares the calculated hash with the expected hash passed as a + /// parameter to this function. + /// + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_hash_abort(). + /// + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual hash and the expected hash is performed + /// in constant time. + /// + /// \param[in,out] operation Active hash operation. + /// \param[in] hash Buffer containing the expected hash value. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected hash is identical to the actual hash of the message. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The hash of the message was calculated successfully, but it + /// differs from the expected hash. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_output_bytes( - operation: *mut psa_key_derivation_operation_t, - output: *mut u8, - output_length: usize, + pub fn psa_hash_verify( + operation: *mut psa_hash_operation_t, + hash: *const u8, + hash_length: usize, ) -> psa_status_t; } unsafe extern "C" { - /// Derive a key from an ongoing key derivation operation. - /// - /// This function calculates output bytes from a key derivation algorithm - /// and uses those bytes to generate a key deterministically. - /// The key's location, usage policy, type and size are taken from - /// \p attributes. - /// - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads as many bytes as required from the - /// stream. - /// The operation's capacity decreases by the number of bytes read. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - /// state and must be aborted by calling psa_key_derivation_abort(). - /// - /// How much output is produced and consumed from the operation, and how - /// the key is derived, depends on the key type and on the key size - /// (denoted \c bits below): - /// - /// - For key types for which the key is an arbitrary sequence of bytes - /// of a given size, this function is functionally equivalent to - /// calling #psa_key_derivation_output_bytes - /// and passing the resulting output to #psa_import_key. - /// However, this function has a security benefit: - /// if the implementation provides an isolation boundary then - /// the key material is not exposed outside the isolation boundary. - /// As a consequence, for these key types, this function always consumes - /// exactly (\c bits / 8) bytes from the operation. - /// The following key types defined in this specification follow this scheme: - /// - /// - #PSA_KEY_TYPE_AES; - /// - #PSA_KEY_TYPE_ARIA; - /// - #PSA_KEY_TYPE_CAMELLIA; - /// - #PSA_KEY_TYPE_DERIVE; - /// - #PSA_KEY_TYPE_HMAC; - /// - #PSA_KEY_TYPE_PASSWORD_HASH. - /// - /// - For ECC keys on a Montgomery elliptic curve - /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a - /// Montgomery curve), this function always draws a byte string whose - /// length is determined by the curve, and sets the mandatory bits - /// accordingly. That is: + /// Abort a hash operation. /// - /// - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte - /// string and process it as specified in RFC 7748 §5. - /// - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte - /// string and process it as specified in RFC 7748 §5. + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_hash_setup() again. /// - /// - For key types for which the key is represented by a single sequence of - /// \c bits bits with constraints as to which bit sequences are acceptable, - /// this function draws a byte string of length (\c bits / 8) bytes rounded - /// up to the nearest whole number of bytes. If the resulting byte string - /// is acceptable, it becomes the key, otherwise the drawn bytes are discarded. - /// This process is repeated until an acceptable byte string is drawn. - /// The byte string drawn from the operation is interpreted as specified - /// for the output produced by psa_export_key(). - /// The following key types defined in this specification follow this scheme: + /// You may call this function any time after the operation object has + /// been initialized by one of the methods described in #psa_hash_operation_t. /// - /// - #PSA_KEY_TYPE_DES. - /// Force-set the parity bits, but discard forbidden weak keys. - /// For 2-key and 3-key triple-DES, the three keys are generated - /// successively (for example, for 3-key triple-DES, - /// if the first 8 bytes specify a weak key and the next 8 bytes do not, - /// discard the first 8 bytes, use the next 8 bytes as the first key, - /// and continue reading output from the operation to derive the other - /// two keys). - /// - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group) - /// where \c group designates any Diffie-Hellman group) and - /// ECC keys on a Weierstrass elliptic curve - /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a - /// Weierstrass curve). - /// For these key types, interpret the byte string as integer - /// in big-endian order. Discard it if it is not in the range - /// [0, *N* - 2] where *N* is the boundary of the private key domain - /// (the prime *p* for Diffie-Hellman, the subprime *q* for DSA, - /// or the order of the curve's base point for ECC). - /// Add 1 to the resulting integer and use this as the private key *x*. - /// This method allows compliance to NIST standards, specifically - /// the methods titled "key-pair generation by testing candidates" - /// in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman, - /// in FIPS 186-4 §B.1.2 for DSA, and - /// in NIST SP 800-56A §5.6.1.2.2 or - /// FIPS 186-4 §B.4.2 for elliptic curve keys. + /// In particular, calling psa_hash_abort() after the operation has been + /// terminated by a call to psa_hash_abort(), psa_hash_finish() or + /// psa_hash_verify() is safe and has no effect. /// - /// - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR, - /// the way in which the operation output is consumed is - /// implementation-defined. + /// \param[in,out] operation Initialized hash operation. /// - /// In all cases, the data that is read is discarded from the operation. - /// The operation's capacity is decreased by the number of bytes read. + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_hash_abort(operation: *mut psa_hash_operation_t) -> psa_status_t; +} +unsafe extern "C" { + /// Clone a hash operation. /// - /// For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET, - /// the input to that step must be provided with psa_key_derivation_input_key(). - /// Future versions of this specification may include additional restrictions - /// on the derived key based on the attributes and strength of the secret key. + /// This function copies the state of an ongoing hash operation to + /// a new operation object. In other words, this function is equivalent + /// to calling psa_hash_setup() on \p target_operation with the same + /// algorithm that \p source_operation was set up for, then + /// psa_hash_update() on \p target_operation with the same input that + /// that was passed to \p source_operation. After this function returns, the + /// two objects are independent, i.e. subsequent calls involving one of + /// the objects do not affect the other object. /// - /// \param[in] attributes The attributes for the new key. - /// If the key type to be created is - /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in - /// the policy must be the same as in the current - /// operation. - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[out] key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param[in] source_operation The active hash operation to clone. + /// \param[in,out] target_operation The operation object to set up. + /// It must be initialized but not active. /// - /// \retval #PSA_SUCCESS - /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// There was not enough data to create the desired key. - /// Note that in this case, no output is written to the output buffer. - /// The operation's capacity is set to 0, thus subsequent calls to - /// this function will not succeed, even with a smaller output buffer. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size is not supported, either by the - /// implementation in general or in this particular location. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The provided key attributes are not valid for the operation. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The #PSA_KEY_DERIVATION_INPUT_SECRET or - /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a - /// key; or one of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_DERIVE. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_SUCCESS \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The \p source_operation state is not valid (it must be active), or + /// the \p target_operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_output_key( - attributes: *const psa_key_attributes_t, - operation: *mut psa_key_derivation_operation_t, - key: *mut mbedtls_svc_key_id_t, + pub fn psa_hash_clone( + source_operation: *const psa_hash_operation_t, + target_operation: *mut psa_hash_operation_t, ) -> psa_status_t; } unsafe extern "C" { - /// Compare output data from a key derivation operation to an expected value. - /// - /// This function calculates output bytes from a key derivation algorithm and - /// compares those bytes to an expected value in constant time. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the expected number of bytes from the - /// stream before comparing them. - /// The operation's capacity decreases by the number of bytes read. - /// - /// This is functionally equivalent to the following code: - /// \code - /// psa_key_derivation_output_bytes(operation, tmp, output_length); - /// if (memcmp(output, tmp, output_length) != 0) - /// return PSA_ERROR_INVALID_SIGNATURE; - /// \endcode - /// except (1) it works even if the key's policy does not allow outputting the - /// bytes, and (2) the comparison will be done in constant time. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, - /// the operation enters an error state and must be aborted by calling - /// psa_key_derivation_abort(). + /// Calculate the MAC (message authentication code) of a message. /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[in] expected_output Buffer containing the expected derivation output. - /// \param output_length Length of the expected output; this is also the - /// number of bytes that will be read. + /// \note To verify the MAC of a message against an + /// expected value, use psa_mac_verify() instead. + /// Beware that comparing integrity or authenticity data such as + /// MAC values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the MAC value which could allow an attacker to guess + /// a valid MAC and thereby bypass security controls. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The output was read successfully, but it differs from the expected - /// output. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// One of the inputs was a key whose policy didn't allow - /// #PSA_KEY_USAGE_VERIFY_DERIVATION. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// \p output_length bytes. Note that in this case, - /// the operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller expected output. + /// \param key Identifier of the key to use for the operation. It + /// must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \param[in] input Buffer containing the input message. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] mac Buffer where the MAC value is to be written. + /// \param mac_size Size of the \p mac buffer in bytes. + /// \param[out] mac_length On success, the number of bytes + /// that make up the MAC value. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p mac_size is too small /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_verify_bytes( - operation: *mut psa_key_derivation_operation_t, - expected_output: *const u8, - output_length: usize, + pub fn psa_mac_compute( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + mac: *mut u8, + mac_size: usize, + mac_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// Compare output data from a key derivation operation to an expected value - /// stored in a key object. - /// - /// This function calculates output bytes from a key derivation algorithm and - /// compares those bytes to an expected value, provided as key of type - /// #PSA_KEY_TYPE_PASSWORD_HASH. - /// If you view the key derivation's output as a stream of bytes, this - /// function destructively reads the number of bytes corresponding to the - /// length of the expected value from the stream before comparing them. - /// The operation's capacity decreases by the number of bytes read. - /// - /// This is functionally equivalent to exporting the key and calling - /// psa_key_derivation_verify_bytes() on the result, except that it - /// works even if the key cannot be exported. - /// - /// If this function returns an error status other than - /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, - /// the operation enters an error state and must be aborted by calling - /// psa_key_derivation_abort(). + /// Calculate the MAC of a message and compare it with a reference value. /// - /// \param[in,out] operation The key derivation operation object to read from. - /// \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH - /// containing the expected output. Its policy must - /// include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag - /// and the permitted algorithm must match the - /// operation. The value of this key was likely - /// computed by a previous call to - /// psa_key_derivation_output_key(). + /// \param key Identifier of the key to use for the operation. It + /// must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// \param[in] input Buffer containing the input message. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] mac Buffer containing the expected MAC value. + /// \param mac_length Size of the \p mac buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_SUCCESS + /// The expected MAC is identical to the actual MAC of the input. /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The output was read successfully, but if differs from the expected - /// output. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// The key passed as the expected value does not exist. + /// The MAC of the message was calculated successfully, but it + /// differs from the expected value. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key passed as the expected value has an invalid type. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key passed as the expected value does not allow this usage or - /// this algorithm; or one of the inputs was a key whose policy didn't - /// allow #PSA_KEY_USAGE_VERIFY_DERIVATION. - /// \retval #PSA_ERROR_INSUFFICIENT_DATA - /// The operation's capacity was less than - /// the length of the expected value. In this case, - /// the operation's capacity is set to 0, thus - /// subsequent calls to this function will not - /// succeed, even with a smaller expected output. + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active and completed - /// all required input steps), or the library has not been previously - /// initialized by psa_crypto_init(). + /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_verify_key( - operation: *mut psa_key_derivation_operation_t, - expected: psa_key_id_t, + pub fn psa_mac_verify( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + mac: *const u8, + mac_length: usize, ) -> psa_status_t; } +/// The type of the state data structure for multipart MAC operations. +/// +/// Before calling any function on a MAC operation object, the application must +/// initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_mac_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_mac_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT, +/// for example: +/// \code +/// psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_mac_operation_init() +/// to the structure, for example: +/// \code +/// psa_mac_operation_t operation; +/// operation = psa_mac_operation_init(); +/// \endcode +/// +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_mac_operation_t = psa_mac_operation_s; unsafe extern "C" { - /// Abort a key derivation operation. + /// Set up a multipart MAC calculation operation. /// - /// Aborting an operation frees all associated resources except for the \c - /// operation structure itself. Once aborted, the operation object can be reused - /// for another operation by calling psa_key_derivation_setup() again. + /// This function sets up the calculation of the MAC + /// (message authentication code) of a byte string. + /// To verify the MAC of a message against an + /// expected value, use psa_mac_verify_setup() instead. /// - /// This function may be called at any time after the operation - /// object has been initialized as described in #psa_key_derivation_operation_t. + /// The sequence of operations to calculate a MAC is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. + /// -# Call psa_mac_sign_setup() to specify the algorithm and key. + /// -# Call psa_mac_update() zero, one or more times, passing a fragment + /// of the message each time. The MAC that is calculated is the MAC + /// of the concatenation of these messages in order. + /// -# At the end of the message, call psa_mac_sign_finish() to finish + /// calculating the MAC value and retrieve it. /// - /// In particular, it is valid to call psa_key_derivation_abort() twice, or to - /// call psa_key_derivation_abort() on an operation that has not been set up. + /// If an error occurs at any step after a call to psa_mac_sign_setup(), the + /// operation will need to be reset by a call to psa_mac_abort(). The + /// application may call psa_mac_abort() at any time after the operation + /// has been initialized. /// - /// \param[in,out] operation The operation to abort. + /// After a successful call to psa_mac_sign_setup(), the application must + /// eventually terminate the operation through one of the following methods: + /// - A successful call to psa_mac_sign_finish(). + /// - A call to psa_mac_abort(). /// - /// \retval #PSA_SUCCESS \emptydescription + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_mac_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. It + /// must remain valid until the operation terminates. + /// It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a MAC algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_key_derivation_abort(operation: *mut psa_key_derivation_operation_t) - -> psa_status_t; + pub fn psa_mac_sign_setup( + operation: *mut psa_mac_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// Perform a key agreement and return the raw shared secret. + /// Set up a multipart MAC verification operation. /// - /// \warning The raw result of a key agreement algorithm such as finite-field - /// Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should - /// not be used directly as key material. It should instead be passed as - /// input to a key derivation algorithm. To chain a key agreement with - /// a key derivation, use psa_key_derivation_key_agreement() and other - /// functions from the key derivation interface. + /// This function sets up the verification of the MAC + /// (message authentication code) of a byte string against an expected value. /// - /// \param alg The key agreement algorithm to compute - /// (\c PSA_ALG_XXX value such that - /// #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg) - /// is true). - /// \param private_key Identifier of the private key to use. It must - /// allow the usage #PSA_KEY_USAGE_DERIVE. - /// \param[in] peer_key Public key of the peer. It must be - /// in the same format that psa_import_key() - /// accepts. The standard formats for public - /// keys are documented in the documentation - /// of psa_export_public_key(). - /// \param peer_key_length Size of \p peer_key in bytes. - /// \param[out] output Buffer where the decrypted message is to - /// be written. - /// \param output_size Size of the \c output buffer in bytes. - /// \param[out] output_length On success, the number of bytes - /// that make up the returned output. + /// The sequence of operations to verify a MAC is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT. + /// -# Call psa_mac_verify_setup() to specify the algorithm and key. + /// -# Call psa_mac_update() zero, one or more times, passing a fragment + /// of the message each time. The MAC that is calculated is the MAC + /// of the concatenation of these messages in order. + /// -# At the end of the message, call psa_mac_verify_finish() to finish + /// calculating the actual MAC of the message and verify it against + /// the expected value. + /// + /// If an error occurs at any step after a call to psa_mac_verify_setup(), the + /// operation will need to be reset by a call to psa_mac_abort(). The + /// application may call psa_mac_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_mac_verify_setup(), the application must + /// eventually terminate the operation through one of the following methods: + /// - A successful call to psa_mac_verify_finish(). + /// - A call to psa_mac_abort(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_mac_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. It + /// must remain valid until the operation terminates. + /// It must allow the usage + /// PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value + /// such that #PSA_ALG_IS_MAC(\p alg) is true). /// /// \retval #PSA_SUCCESS /// Success. /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p alg is not a key agreement algorithm, or - /// \p private_key is not compatible with \p alg, - /// or \p peer_key is not valid for \p alg or not compatible with - /// \p private_key. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// \p output_size is too small + /// \c key is not compatible with \c alg. /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p alg is not a supported key agreement algorithm. + /// \c alg is not supported or is not a MAC algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The key could not be retrieved from storage. /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_raw_key_agreement( + pub fn psa_mac_verify_setup( + operation: *mut psa_mac_operation_t, + key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - private_key: mbedtls_svc_key_id_t, - peer_key: *const u8, - peer_key_length: usize, - output: *mut u8, - output_size: usize, - output_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Generate random bytes. - /// - /// \warning This function **can** fail! Callers MUST check the return status - /// and MUST NOT use the content of the output buffer if the return - /// status is not #PSA_SUCCESS. - /// - /// \note To generate a key, use psa_generate_key() instead. - /// - /// \param[out] output Output buffer for the generated data. - /// \param output_size Number of bytes to generate and output. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_generate_random(output: *mut u8, output_size: usize) -> psa_status_t; -} -unsafe extern "C" { - /// \brief Generate a key or key pair. - /// - /// The key is generated randomly. - /// Its location, usage policy, type and size are taken from \p attributes. + /// Add a message fragment to a multipart MAC operation. /// - /// Implementations must reject an attempt to generate a key of size 0. + /// The application must call psa_mac_sign_setup() or psa_mac_verify_setup() + /// before calling this function. /// - /// The following type-specific considerations apply: - /// - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), - /// the public exponent is 65537. - /// The modulus is a product of two probabilistic primes - /// between 2^{n-1} and 2^n where n is the bit size specified in the - /// attributes. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// \param[in] attributes The attributes for the new key. - /// \param[out] key On success, an identifier for the newly created - /// key. For persistent keys, this is the key - /// identifier defined in \p attributes. - /// \c 0 on failure. + /// \param[in,out] operation Active MAC operation. + /// \param[in] input Buffer containing the message fragment to add to + /// the MAC calculation. + /// \param input_length Size of the \p input buffer in bytes. /// /// \retval #PSA_SUCCESS /// Success. - /// If the key is persistent, the key material and the key's metadata - /// have been saved to persistent storage. - /// \retval #PSA_ERROR_ALREADY_EXISTS - /// This is an attempt to create a persistent key, and there is - /// already a persistent key with the given identifier. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_generate_key( - attributes: *const psa_key_attributes_t, - key: *mut mbedtls_svc_key_id_t, - ) -> psa_status_t; -} -/// The type of the state data structure for interruptible hash -/// signing operations. -/// -/// Before calling any function on a sign hash operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer -/// #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation = -/// PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function -/// psa_sign_hash_interruptible_operation_init() to the structure, for -/// example: -/// \code -/// psa_sign_hash_interruptible_operation_t operation; -/// operation = psa_sign_hash_interruptible_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_sign_hash_interruptible_operation_t = psa_sign_hash_interruptible_operation_s; -/// The type of the state data structure for interruptible hash -/// verification operations. -/// -/// Before calling any function on a sign hash operation object, the -/// application must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer -/// #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation = -/// PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function -/// psa_verify_hash_interruptible_operation_init() to the structure, for -/// example: -/// \code -/// psa_verify_hash_interruptible_operation_t operation; -/// operation = psa_verify_hash_interruptible_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_verify_hash_interruptible_operation_t = psa_verify_hash_interruptible_operation_s; -unsafe extern "C" { - /// \brief Set the maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note The time taken to execute a single op is - /// implementation specific and depends on - /// software, hardware, the algorithm, key type and - /// curve chosen. Even within a single operation, - /// successive ops can take differing amounts of - /// time. The only guarantee is that lower values - /// for \p max_ops means functions will block for a - /// lesser maximum amount of time. The functions - /// \c psa_sign_interruptible_get_num_ops() and - /// \c psa_verify_interruptible_get_num_ops() are - /// provided to help with tuning this value. - /// - /// \note This value defaults to - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which - /// means the whole operation will be done in one - /// go, regardless of the number of ops required. - /// - /// \note If more ops are needed to complete a - /// computation, #PSA_OPERATION_INCOMPLETE will be - /// returned by the function performing the - /// computation. It is then the caller's - /// responsibility to either call again with the - /// same operation context until it returns 0 or an - /// error code; or to call the relevant abort - /// function if the answer is no longer required. - /// - /// \note The interpretation of \p max_ops is also - /// implementation defined. On a hard real time - /// system, this can indicate a hard deadline, as a - /// real-time system needs a guarantee of not - /// spending more than X time, however care must be - /// taken in such an implementation to avoid the - /// situation whereby calls just return, not being - /// able to do any actual work within the allotted - /// time. On a non-real-time system, the - /// implementation can be more relaxed, but again - /// whether this number should be interpreted as as - /// hard or soft limit or even whether a less than - /// or equals as regards to ops executed in a - /// single call is implementation defined. - /// - /// \note For keys in local storage when no accelerator - /// driver applies, please see also the - /// documentation for \c mbedtls_ecp_set_max_ops(), - /// which is the internal implementation in these - /// cases. - /// - /// \warning With implementations that interpret this number - /// as a hard limit, setting this number too small - /// may result in an infinite loop, whereby each - /// call results in immediate return with no ops - /// done (as there is not enough time to execute - /// any), and thus no result will ever be achieved. - /// - /// \note This only applies to functions whose - /// documentation mentions they may return - /// #PSA_OPERATION_INCOMPLETE. - /// - /// \param max_ops The maximum number of ops to be executed in a - /// single call. This can be a number from 0 to - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 - /// is the least amount of work done per call. - pub fn psa_interruptible_set_max_ops(max_ops: u32); -} -unsafe extern "C" { - /// \brief Get the maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. This will return the last - /// value set by - /// \c psa_interruptible_set_max_ops() or - /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if - /// that function has never been called. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \return Maximum number of ops allowed to be - /// executed by an interruptible function in a - /// single call. - pub fn psa_interruptible_get_max_ops() -> u32; + pub fn psa_mac_update( + operation: *mut psa_mac_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Get the number of ops that a hash signing - /// operation has taken so far. If the operation - /// has completed, then this will represent the - /// number of ops required for the entire - /// operation. After initialization or calling - /// \c psa_sign_hash_interruptible_abort() on - /// the operation, a value of 0 will be returned. + /// Finish the calculation of the MAC of a message. /// - /// \note This interface is guaranteed re-entrant and - /// thus may be called from driver code. + /// The application must call psa_mac_sign_setup() before calling this function. + /// This function calculates the MAC of the message formed by concatenating + /// the inputs passed to preceding calls to psa_mac_update(). /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// This is a helper provided to help you tune the - /// value passed to \c - /// psa_interruptible_set_max_ops(). + /// \warning Applications should not call this function if they expect + /// a specific value for the MAC. Call psa_mac_verify_finish() instead. + /// Beware that comparing integrity or authenticity data such as + /// MAC values with a function such as \c memcmp is risky + /// because the time taken by the comparison may leak information + /// about the MAC value which could allow an attacker to guess + /// a valid MAC and thereby bypass security controls. /// - /// \param operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// \param[in,out] operation Active MAC operation. + /// \param[out] mac Buffer where the MAC value is to be written. + /// \param mac_size Size of the \p mac buffer in bytes. + /// \param[out] mac_length On success, the number of bytes + /// that make up the MAC value. This is always + /// #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg) + /// where \c key_type and \c key_bits are the type and + /// bit-size respectively of the key and \c alg is the + /// MAC algorithm that is calculated. /// - /// \return Number of ops that the operation has taken so - /// far. - pub fn psa_sign_hash_get_num_ops( - operation: *const psa_sign_hash_interruptible_operation_t, - ) -> u32; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p mac buffer is too small. You can determine a + /// sufficient buffer size by calling PSA_MAC_LENGTH(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active mac sign + /// operation), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_sign_finish( + operation: *mut psa_mac_operation_t, + mac: *mut u8, + mac_size: usize, + mac_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Get the number of ops that a hash verification - /// operation has taken so far. If the operation - /// has completed, then this will represent the - /// number of ops required for the entire - /// operation. After initialization or calling \c - /// psa_verify_hash_interruptible_abort() on the - /// operation, a value of 0 will be returned. + /// Finish the calculation of the MAC of a message and compare it with + /// an expected value. /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// The application must call psa_mac_verify_setup() before calling this function. + /// This function calculates the MAC of the message formed by concatenating + /// the inputs passed to preceding calls to psa_mac_update(). It then + /// compares the calculated MAC with the expected MAC passed as a + /// parameter to this function. /// - /// This is a helper provided to help you tune the - /// value passed to \c - /// psa_interruptible_set_max_ops(). + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_mac_abort(). /// - /// \param operation The \c - /// psa_verify_hash_interruptible_operation_t to - /// use. This must be initialized first. + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual MAC and the expected MAC is performed + /// in constant time. /// - /// \return Number of ops that the operation has taken so - /// far. - pub fn psa_verify_hash_get_num_ops( - operation: *const psa_verify_hash_interruptible_operation_t, - ) -> u32; + /// \param[in,out] operation Active MAC operation. + /// \param[in] mac Buffer containing the expected MAC value. + /// \param mac_length Size of the \p mac buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The expected MAC is identical to the actual MAC of the message. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The MAC of the message was calculated successfully, but it + /// differs from the expected MAC. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active mac verify + /// operation), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_verify_finish( + operation: *mut psa_mac_operation_t, + mac: *const u8, + mac_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Start signing a hash or short message with a - /// private key, in an interruptible manner. + /// Abort a MAC operation. /// - /// \see \c psa_sign_hash_complete() + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_mac_sign_setup() or psa_mac_verify_setup() again. /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// You may call this function any time after the operation object has + /// been initialized by one of the methods described in #psa_mac_operation_t. /// - /// \note This function combined with \c - /// psa_sign_hash_complete() is equivalent to - /// \c psa_sign_hash() but - /// \c psa_sign_hash_complete() can return early and - /// resume according to the limit set with \c - /// psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function call. + /// In particular, calling psa_mac_abort() after the operation has been + /// terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or + /// psa_mac_verify_finish() is safe and has no effect. /// - /// \note Users should call \c psa_sign_hash_complete() - /// repeatedly on the same context after a - /// successful call to this function until \c - /// psa_sign_hash_complete() either returns 0 or an - /// error. \c psa_sign_hash_complete() will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_sign_hash_abort() at any point if they no - /// longer want the result. + /// \param[in,out] operation Initialized MAC operation. /// - /// \note If this function returns an error status, the - /// operation enters an error state and must be - /// aborted by calling \c psa_sign_hash_abort(). + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_mac_abort(operation: *mut psa_mac_operation_t) -> psa_status_t; +} +unsafe extern "C" { + /// Encrypt a message using a symmetric cipher. /// - /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// This function encrypts a message with a random IV (initialization + /// vector). Use the multipart operation interface with a + /// #psa_cipher_operation_t object to provide other forms of IV. /// /// \param key Identifier of the key to use for the operation. - /// It must be an asymmetric key pair. The key must - /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. - /// \param alg A signature algorithm (\c PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash or message to sign. - /// \param hash_length Size of the \p hash buffer in bytes. + /// It must allow the usage #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// \param[in] input Buffer containing the message to encrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// The output contains the IV followed by + /// the ciphertext proper. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the output. /// /// \retval #PSA_SUCCESS - /// The operation started successfully - call \c psa_sign_hash_complete() - /// with the same context to complete the operation - /// + /// Success. /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does - /// not permit the requested algorithm. + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// An operation has previously been started on this context, and is - /// still in progress. - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Decrypt a message using a symmetric cipher. + /// + /// This function decrypts a message encrypted with a symmetric cipher. + /// + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). + /// \param[in] input Buffer containing the message to decrypt. + /// This consists of the IV followed by the + /// ciphertext proper. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the plaintext is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_sign_hash_start( - operation: *mut psa_sign_hash_interruptible_operation_t, + pub fn psa_cipher_decrypt( key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, ) -> psa_status_t; } +/// The type of the state data structure for multipart cipher operations. +/// +/// Before calling any function on a cipher operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_cipher_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_cipher_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT, +/// for example: +/// \code +/// psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_cipher_operation_init() +/// to the structure, for example: +/// \code +/// psa_cipher_operation_t operation; +/// operation = psa_cipher_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_cipher_operation_t = psa_cipher_operation_s; unsafe extern "C" { - /// \brief Continue and eventually complete the action of - /// signing a hash or short message with a private - /// key, in an interruptible manner. - /// - /// \see \c psa_sign_hash_start() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function combined with \c - /// psa_sign_hash_start() is equivalent to - /// \c psa_sign_hash() but this function can return - /// early and resume according to the limit set with - /// \c psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function call. + /// Set the key for a multipart symmetric encryption operation. /// - /// \note Users should call this function on the same - /// operation object repeatedly until it either - /// returns 0 or an error. This function will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_sign_hash_abort() at any point if they no - /// longer want the result. + /// The sequence of operations to encrypt a message with a symmetric cipher + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_cipher_operation_t, e.g. + /// #PSA_CIPHER_OPERATION_INIT. + /// -# Call psa_cipher_encrypt_setup() to specify the algorithm and key. + /// -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to + /// generate or set the IV (initialization vector). You should use + /// psa_cipher_generate_iv() unless the protocol you are implementing + /// requires a specific IV value. + /// -# Call psa_cipher_update() zero, one or more times, passing a fragment + /// of the message each time. + /// -# Call psa_cipher_finish(). /// - /// \note When this function returns successfully, the - /// operation becomes inactive. If this function - /// returns an error status, the operation enters an - /// error state and must be aborted by calling - /// \c psa_sign_hash_abort(). + /// If an error occurs at any step after a call to psa_cipher_encrypt_setup(), + /// the operation will need to be reset by a call to psa_cipher_abort(). The + /// application may call psa_cipher_abort() at any time after the operation + /// has been initialized. /// - /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t - /// to use. This must be initialized first, and have - /// had \c psa_sign_hash_start() called with it - /// first. + /// After a successful call to psa_cipher_encrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_cipher_finish(). + /// - A call to psa_cipher_abort(). /// - /// \param[out] signature Buffer where the signature is to be written. - /// \param signature_size Size of the \p signature buffer in bytes. This - /// must be appropriate for the selected - /// algorithm and key: - /// - The required signature size is - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c - /// key_bits, \c alg) where \c key_type and \c - /// key_bits are the type and bit-size - /// respectively of key. - /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the - /// maximum signature size of any supported - /// signature algorithm. - /// \param[out] signature_length On success, the number of bytes that make up - /// the returned signature value. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_cipher_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). /// /// \retval #PSA_SUCCESS - /// Operation completed successfully - /// - /// \retval #PSA_OPERATION_INCOMPLETE - /// Operation was interrupted due to the setting of \c - /// psa_interruptible_set_max_ops(). There is still work to be done. - /// Call this function again with the same operation object. - /// - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p signature buffer is too small. You can - /// determine a sufficient buffer size by calling - /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) - /// where \c key_type and \c key_bits are the type and bit-size - /// respectively of \p key. - /// - /// \retval #PSA_ERROR_BAD_STATE - /// An operation was not previously started on this context via - /// \c psa_sign_hash_start(). - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has either not been previously initialized by - /// psa_crypto_init() or you did not previously call - /// psa_sign_hash_start() with this operation object. It is - /// implementation-dependent whether a failure to initialize results in - /// this error code. - pub fn psa_sign_hash_complete( - operation: *mut psa_sign_hash_interruptible_operation_t, - signature: *mut u8, - signature_size: usize, - signature_length: *mut usize, - ) -> psa_status_t; -} -unsafe extern "C" { - /// \brief Abort a sign hash operation. - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function is the only function that clears - /// the number of ops completed as part of the - /// operation. Please ensure you copy this value via - /// \c psa_sign_hash_get_num_ops() if required - /// before calling. - /// - /// \note Aborting an operation frees all associated - /// resources except for the \p operation structure - /// itself. Once aborted, the operation object can - /// be reused for another operation by calling \c - /// psa_sign_hash_start() again. - /// - /// \note You may call this function any time after the - /// operation object has been initialized. In - /// particular, calling \c psa_sign_hash_abort() - /// after the operation has already been terminated - /// by a call to \c psa_sign_hash_abort() or - /// psa_sign_hash_complete() is safe. - /// - /// \param[in,out] operation Initialized sign hash operation. - /// - /// \retval #PSA_SUCCESS - /// The operation was aborted successfully. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_sign_hash_abort( - operation: *mut psa_sign_hash_interruptible_operation_t, + pub fn psa_cipher_encrypt_setup( + operation: *mut psa_cipher_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Start reading and verifying a hash or short - /// message, in an interruptible manner. - /// - /// \see \c psa_verify_hash_complete() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. - /// - /// \note This function combined with \c - /// psa_verify_hash_complete() is equivalent to - /// \c psa_verify_hash() but \c - /// psa_verify_hash_complete() can return early and - /// resume according to the limit set with \c - /// psa_interruptible_set_max_ops() to reduce the - /// maximum time spent in a function. + /// Set the key for a multipart symmetric decryption operation. /// - /// \note Users should call \c psa_verify_hash_complete() - /// repeatedly on the same operation object after a - /// successful call to this function until \c - /// psa_verify_hash_complete() either returns 0 or - /// an error. \c psa_verify_hash_complete() will - /// return #PSA_OPERATION_INCOMPLETE if there is - /// more work to do. Alternatively users can call - /// \c psa_verify_hash_abort() at any point if they - /// no longer want the result. + /// The sequence of operations to decrypt a message with a symmetric cipher + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_cipher_operation_t, e.g. + /// #PSA_CIPHER_OPERATION_INIT. + /// -# Call psa_cipher_decrypt_setup() to specify the algorithm and key. + /// -# Call psa_cipher_set_iv() with the IV (initialization vector) for the + /// decryption. If the IV is prepended to the ciphertext, you can call + /// psa_cipher_update() on a buffer containing the IV followed by the + /// beginning of the message. + /// -# Call psa_cipher_update() zero, one or more times, passing a fragment + /// of the message each time. + /// -# Call psa_cipher_finish(). /// - /// \note If this function returns an error status, the - /// operation enters an error state and must be - /// aborted by calling \c psa_verify_hash_abort(). + /// If an error occurs at any step after a call to psa_cipher_decrypt_setup(), + /// the operation will need to be reset by a call to psa_cipher_abort(). The + /// application may call psa_cipher_abort() at any time after the operation + /// has been initialized. /// - /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t - /// to use. This must be initialized first. + /// After a successful call to psa_cipher_decrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_cipher_finish(). + /// - A call to psa_cipher_abort(). /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_cipher_operation_t and not yet in use. /// \param key Identifier of the key to use for the operation. - /// The key must allow the usage - /// #PSA_KEY_USAGE_VERIFY_HASH. - /// \param alg A signature algorithm (\c PSA_ALG_XXX - /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) - /// is true), that is compatible with - /// the type of \p key. - /// \param[in] hash The hash whose signature is to be verified. - /// \param hash_length Size of the \p hash buffer in bytes. - /// \param[in] signature Buffer containing the signature to verify. - /// \param signature_length Size of the \p signature buffer in bytes. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The cipher algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_CIPHER(\p alg) is true). /// /// \retval #PSA_SUCCESS - /// The operation started successfully - please call \c - /// psa_verify_hash_complete() with the same context to complete the - /// operation. - /// - /// \retval #PSA_ERROR_BAD_STATE - /// Another operation has already been started on this context, and is - /// still in progress. - /// - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does - /// not permit the requested algorithm. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not a cipher algorithm. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_verify_hash_start( - operation: *mut psa_verify_hash_interruptible_operation_t, + pub fn psa_cipher_decrypt_setup( + operation: *mut psa_cipher_operation_t, key: mbedtls_svc_key_id_t, alg: psa_algorithm_t, - hash: *const u8, - hash_length: usize, - signature: *const u8, - signature_length: usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Continue and eventually complete the action of - /// reading and verifying a hash or short message - /// signed with a private key, in an interruptible - /// manner. - /// - /// \see \c psa_verify_hash_start() - /// - /// \warning This is a beta API, and thus subject to change - /// at any point. It is not bound by the usual - /// interface stability promises. + /// Generate an IV for a symmetric encryption operation. /// - /// \note This function combined with \c - /// psa_verify_hash_start() is equivalent to - /// \c psa_verify_hash() but this function can - /// return early and resume according to the limit - /// set with \c psa_interruptible_set_max_ops() to - /// reduce the maximum time spent in a function - /// call. + /// This function generates a random IV (initialization vector), nonce + /// or initial counter value for the encryption operation as appropriate + /// for the chosen algorithm, key type and key size. /// - /// \note Users should call this function on the same - /// operation object repeatedly until it either - /// returns 0 or an error. This function will return - /// #PSA_OPERATION_INCOMPLETE if there is more work - /// to do. Alternatively users can call - /// \c psa_verify_hash_abort() at any point if they - /// no longer want the result. + /// The application must call psa_cipher_encrypt_setup() before + /// calling this function. /// - /// \note When this function returns successfully, the - /// operation becomes inactive. If this function - /// returns an error status, the operation enters an - /// error state and must be aborted by calling - /// \c psa_verify_hash_abort(). + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t - /// to use. This must be initialized first, and have - /// had \c psa_verify_hash_start() called with it - /// first. + /// \param[in,out] operation Active cipher operation. + /// \param[out] iv Buffer where the generated IV is to be written. + /// \param iv_size Size of the \p iv buffer in bytes. + /// \param[out] iv_length On success, the number of bytes of the + /// generated IV. /// /// \retval #PSA_SUCCESS - /// Operation completed successfully, and the passed signature is valid. - /// - /// \retval #PSA_OPERATION_INCOMPLETE - /// Operation was interrupted due to the setting of \c - /// psa_interruptible_set_max_ops(). There is still work to be done. - /// Call this function again with the same operation object. - /// - /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The calculation was performed successfully, but the passed - /// signature is not a valid signature. - /// \retval #PSA_ERROR_BAD_STATE - /// An operation was not previously started on this context via - /// \c psa_verify_hash_start(). - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p iv buffer is too small. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has either not been previously initialized by - /// psa_crypto_init() or you did not previously call - /// psa_verify_hash_start() on this object. It is - /// implementation-dependent whether a failure to initialize results in - /// this error code. - pub fn psa_verify_hash_complete( - operation: *mut psa_verify_hash_interruptible_operation_t, + /// The operation state is not valid (it must be active, with no IV set), + /// or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_generate_iv( + operation: *mut psa_cipher_operation_t, + iv: *mut u8, + iv_size: usize, + iv_length: *mut usize, ) -> psa_status_t; } unsafe extern "C" { - /// \brief Abort a verify hash operation. + /// Set the IV for a symmetric encryption or decryption operation. /// - /// \warning This is a beta API, and thus subject to change at - /// any point. It is not bound by the usual interface - /// stability promises. + /// This function sets the IV (initialization vector), nonce + /// or initial counter value for the encryption or decryption operation. /// - /// \note This function is the only function that clears the - /// number of ops completed as part of the operation. - /// Please ensure you copy this value via - /// \c psa_verify_hash_get_num_ops() if required - /// before calling. + /// The application must call psa_cipher_encrypt_setup() before + /// calling this function. /// - /// \note Aborting an operation frees all associated - /// resources except for the operation structure - /// itself. Once aborted, the operation object can be - /// reused for another operation by calling \c - /// psa_verify_hash_start() again. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \note You may call this function any time after the - /// operation object has been initialized. - /// In particular, calling \c psa_verify_hash_abort() - /// after the operation has already been terminated by - /// a call to \c psa_verify_hash_abort() or - /// psa_verify_hash_complete() is safe. + /// \note When encrypting, applications should use psa_cipher_generate_iv() + /// instead of this function, unless implementing a protocol that requires + /// a non-random IV. /// - /// \param[in,out] operation Initialized verify hash operation. + /// \param[in,out] operation Active cipher operation. + /// \param[in] iv Buffer containing the IV to use. + /// \param iv_length Size of the IV in bytes. /// /// \retval #PSA_SUCCESS - /// The operation was aborted successfully. - /// - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The size of \p iv is not acceptable for the chosen algorithm, + /// or the chosen algorithm does not use an IV. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The operation state is not valid (it must be an active cipher + /// encrypt operation, with no IV set), or the library has not been + /// previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_verify_hash_abort( - operation: *mut psa_verify_hash_interruptible_operation_t, + pub fn psa_cipher_set_iv( + operation: *mut psa_cipher_operation_t, + iv: *const u8, + iv_length: usize, ) -> psa_status_t; } -/// \brief The GCM context structure. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_gcm_context { - ///< The cipher context used. - pub private_cipher_ctx: mbedtls_cipher_context_t, - ///< Precalculated HTable low. - pub private_HL: [u64; 16usize], - ///< Precalculated HTable high. - pub private_HH: [u64; 16usize], - ///< The total length of the encrypted data. - pub private_len: u64, - ///< The total length of the additional data. - pub private_add_len: u64, - ///< The first ECTR for tag. - pub private_base_ectr: [::core::ffi::c_uchar; 16usize], - ///< The Y working value. - pub private_y: [::core::ffi::c_uchar; 16usize], - ///< The buf working value. - pub private_buf: [::core::ffi::c_uchar; 16usize], - ///< The operation to perform: - ///#MBEDTLS_GCM_ENCRYPT or - ///#MBEDTLS_GCM_DECRYPT. - pub private_mode: ::core::ffi::c_int, -} -impl Default for mbedtls_gcm_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { - /// \brief This function initializes the specified GCM context, - /// to make references valid, and prepares the context - /// for mbedtls_gcm_setkey() or mbedtls_gcm_free(). + /// Encrypt or decrypt a message fragment in an active cipher operation. /// - /// The function does not bind the GCM context to a particular - /// cipher, nor set the key. For this purpose, use - /// mbedtls_gcm_setkey(). + /// Before calling this function, you must: + /// 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(). + /// The choice of setup function determines whether this function + /// encrypts or decrypts its input. + /// 2. If the algorithm requires an IV, call psa_cipher_generate_iv() + /// (recommended when encrypting) or psa_cipher_set_iv(). /// - /// \param ctx The GCM context to initialize. This must not be \c NULL. - pub fn mbedtls_gcm_init(ctx: *mut mbedtls_gcm_context); -} -unsafe extern "C" { - /// \brief This function associates a GCM context with a - /// cipher algorithm and a key. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param cipher The 128-bit block cipher to use. - /// \param key The encryption key. This must be a readable buffer of at - /// least \p keybits bits. - /// \param keybits The key size in bits. Valid options are: - ///
  • 128 bits
    • - ///
  • 192 bits
    • - ///
  • 256 bits
+ /// \param[in,out] operation Active cipher operation. + /// \param[in] input Buffer containing the message fragment to + /// encrypt or decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A cipher-specific error code on failure. - pub fn mbedtls_gcm_setkey( - ctx: *mut mbedtls_gcm_context, - cipher: mbedtls_cipher_id_t, - key: *const ::core::ffi::c_uchar, - keybits: ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with an IV set + /// if required for the algorithm), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_update( + operation: *mut psa_cipher_operation_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function performs GCM encryption or decryption of a buffer. + /// Finish encrypting or decrypting a message in a cipher operation. /// - /// \note For encryption, the output buffer can be the same as the - /// input buffer. For decryption, the output buffer cannot be - /// the same as input buffer. If the buffers overlap, the output - /// buffer must trail at least 8 Bytes behind the input buffer. + /// The application must call psa_cipher_encrypt_setup() or + /// psa_cipher_decrypt_setup() before calling this function. The choice + /// of setup function determines whether this function encrypts or + /// decrypts its input. /// - /// \warning When this function performs a decryption, it outputs the - /// authentication tag and does not verify that the data is - /// authentic. You should use this function to perform encryption - /// only. For decryption, use mbedtls_gcm_auth_decrypt() instead. + /// This function finishes the encryption or decryption of the message + /// formed by concatenating the inputs passed to preceding calls to + /// psa_cipher_update(). /// - /// \param ctx The GCM context to use for encryption or decryption. This - /// must be initialized. - /// \param mode The operation to perform: - /// - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption. - /// The ciphertext is written to \p output and the - /// authentication tag is written to \p tag. - /// - #MBEDTLS_GCM_DECRYPT to perform decryption. - /// The plaintext is written to \p output and the - /// authentication tag is written to \p tag. - /// Note that this mode is not recommended, because it does - /// not verify the authenticity of the data. For this reason, - /// you should use mbedtls_gcm_auth_decrypt() instead of - /// calling this function in decryption mode. - /// \param length The length of the input data, which is equal to the length - /// of the output data. - /// \param iv The initialization vector. This must be a readable buffer of - /// at least \p iv_len Bytes. - /// \param iv_len The length of the IV. - /// \param add The buffer holding the additional data. This must be of at - /// least that size in Bytes. - /// \param add_len The length of the additional data. - /// \param input The buffer holding the input data. If \p length is greater - /// than zero, this must be a readable buffer of at least that - /// size in Bytes. - /// \param output The buffer for holding the output data. If \p length is greater - /// than zero, this must be a writable buffer of at least that - /// size in Bytes. - /// \param tag_len The length of the tag to generate. - /// \param tag The buffer for holding the tag. This must be a writable - /// buffer of at least \p tag_len Bytes. + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_cipher_abort(). /// - /// \return \c 0 if the encryption or decryption was performed - /// successfully. Note that in #MBEDTLS_GCM_DECRYPT mode, - /// this does not indicate that the data is authentic. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are - /// not valid or a cipher-specific error code if the encryption - /// or decryption failed. - pub fn mbedtls_gcm_crypt_and_tag( - ctx: *mut mbedtls_gcm_context, - mode: ::core::ffi::c_int, - length: usize, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - add: *const ::core::ffi::c_uchar, - add_len: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - tag_len: usize, - tag: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active cipher operation. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total input size passed to this operation is not valid for + /// this particular algorithm. For example, the algorithm is a based + /// on block cipher and requires a whole number of blocks, but the + /// total input size is not a multiple of the block size. + /// \retval #PSA_ERROR_INVALID_PADDING + /// This is a decryption operation for an algorithm that includes + /// padding, and the ciphertext does not contain valid padding. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with an IV set + /// if required for the algorithm), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_finish( + operation: *mut psa_cipher_operation_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function performs a GCM authenticated decryption of a - /// buffer. + /// Abort a cipher operation. /// - /// \note For decryption, the output buffer cannot be the same as - /// input buffer. If the buffers overlap, the output buffer - /// must trail at least 8 Bytes behind the input buffer. + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again. /// - /// \param ctx The GCM context. This must be initialized. - /// \param length The length of the ciphertext to decrypt, which is also - /// the length of the decrypted plaintext. - /// \param iv The initialization vector. This must be a readable buffer - /// of at least \p iv_len Bytes. - /// \param iv_len The length of the IV. - /// \param add The buffer holding the additional data. This must be of at - /// least that size in Bytes. - /// \param add_len The length of the additional data. - /// \param tag The buffer holding the tag to verify. This must be a - /// readable buffer of at least \p tag_len Bytes. - /// \param tag_len The length of the tag to verify. - /// \param input The buffer holding the ciphertext. If \p length is greater - /// than zero, this must be a readable buffer of at least that - /// size. - /// \param output The buffer for holding the decrypted plaintext. If \p length - /// is greater than zero, this must be a writable buffer of at - /// least that size. + /// You may call this function any time after the operation object has + /// been initialized as described in #psa_cipher_operation_t. /// - /// \return \c 0 if successful and authenticated. - /// \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are - /// not valid or a cipher-specific error code if the decryption - /// failed. - pub fn mbedtls_gcm_auth_decrypt( - ctx: *mut mbedtls_gcm_context, - length: usize, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - add: *const ::core::ffi::c_uchar, - add_len: usize, - tag: *const ::core::ffi::c_uchar, - tag_len: usize, - input: *const ::core::ffi::c_uchar, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// In particular, calling psa_cipher_abort() after the operation has been + /// terminated by a call to psa_cipher_abort() or psa_cipher_finish() + /// is safe and has no effect. + /// + /// \param[in,out] operation Initialized cipher operation. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_cipher_abort(operation: *mut psa_cipher_operation_t) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a GCM encryption or decryption - /// operation. + /// Process an authenticated encryption operation. /// - /// \param ctx The GCM context. This must be initialized. - /// \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or - /// #MBEDTLS_GCM_DECRYPT. - /// \param iv The initialization vector. This must be a readable buffer of - /// at least \p iv_len Bytes. - /// \param iv_len The length of the IV. + /// \param key Identifier of the key to use for the + /// operation. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param[in] nonce Nonce or IV to use. + /// \param nonce_length Size of the \p nonce buffer in bytes. + /// \param[in] additional_data Additional data that will be authenticated + /// but not encrypted. + /// \param additional_data_length Size of \p additional_data in bytes. + /// \param[in] plaintext Data that will be authenticated and + /// encrypted. + /// \param plaintext_length Size of \p plaintext in bytes. + /// \param[out] ciphertext Output buffer for the authenticated and + /// encrypted data. The additional data is not + /// part of this output. For algorithms where the + /// encrypted data and the authentication tag + /// are defined as separate outputs, the + /// authentication tag is appended to the + /// encrypted data. + /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, + /// \p alg, \p plaintext_length) where + /// \c key_type is the type of \p key. + /// - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p + /// plaintext_length) evaluates to the maximum + /// ciphertext size of any supported AEAD + /// encryption. + /// \param[out] ciphertext_length On success, the size of the output + /// in the \p ciphertext buffer. /// - /// \return \c 0 on success. - pub fn mbedtls_gcm_starts( - ctx: *mut mbedtls_gcm_context, - mode: ::core::ffi::c_int, - iv: *const ::core::ffi::c_uchar, - iv_len: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p ciphertext_size is too small. + /// #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg, + /// \p plaintext_length) or + /// #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to + /// determine the required buffer size. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + nonce: *const u8, + nonce_length: usize, + additional_data: *const u8, + additional_data_length: usize, + plaintext: *const u8, + plaintext_length: usize, + ciphertext: *mut u8, + ciphertext_size: usize, + ciphertext_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer as associated data - /// (authenticated but not encrypted data) in a GCM - /// encryption or decryption operation. - /// - /// Call this function after mbedtls_gcm_starts() to pass - /// the associated data. If the associated data is empty, - /// you do not need to call this function. You may not - /// call this function after calling mbedtls_cipher_update(). + /// Process an authenticated decryption operation. /// - /// \param ctx The GCM context. This must have been started with - /// mbedtls_gcm_starts() and must not have yet received - /// any input with mbedtls_gcm_update(). - /// \param add The buffer holding the additional data, or \c NULL - /// if \p add_len is \c 0. - /// \param add_len The length of the additional data. If \c 0, - /// \p add may be \c NULL. + /// \param key Identifier of the key to use for the + /// operation. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). + /// \param[in] nonce Nonce or IV to use. + /// \param nonce_length Size of the \p nonce buffer in bytes. + /// \param[in] additional_data Additional data that has been authenticated + /// but not encrypted. + /// \param additional_data_length Size of \p additional_data in bytes. + /// \param[in] ciphertext Data that has been authenticated and + /// encrypted. For algorithms where the + /// encrypted data and the authentication tag + /// are defined as separate inputs, the buffer + /// must contain the encrypted data followed + /// by the authentication tag. + /// \param ciphertext_length Size of \p ciphertext in bytes. + /// \param[out] plaintext Output buffer for the decrypted data. + /// \param plaintext_size Size of the \p plaintext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, + /// \p alg, \p ciphertext_length) where + /// \c key_type is the type of \p key. + /// - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p + /// ciphertext_length) evaluates to the maximum + /// plaintext size of any supported AEAD + /// decryption. + /// \param[out] plaintext_length On success, the size of the output + /// in the \p plaintext buffer. /// - /// \return \c 0 on success. - pub fn mbedtls_gcm_update_ad( - ctx: *mut mbedtls_gcm_context, - add: *const ::core::ffi::c_uchar, - add_len: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The ciphertext is not authentic. + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p plaintext_size is too small. + /// #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg, + /// \p ciphertext_length) or + /// #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used + /// to determine the required buffer size. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_decrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + nonce: *const u8, + nonce_length: usize, + additional_data: *const u8, + additional_data_length: usize, + ciphertext: *const u8, + ciphertext_length: usize, + plaintext: *mut u8, + plaintext_size: usize, + plaintext_length: *mut usize, + ) -> psa_status_t; } +/// The type of the state data structure for multipart AEAD operations. +/// +/// Before calling any function on an AEAD operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_aead_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_aead_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT, +/// for example: +/// \code +/// psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_aead_operation_init() +/// to the structure, for example: +/// \code +/// psa_aead_operation_t operation; +/// operation = psa_aead_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_aead_operation_t = psa_aead_operation_s; unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing GCM - /// encryption or decryption operation. - /// - /// You may call this function zero, one or more times - /// to pass successive parts of the input: the plaintext to - /// encrypt, or the ciphertext (not including the tag) to - /// decrypt. After the last part of the input, call - /// mbedtls_gcm_finish(). + /// Set the key for a multipart authenticated encryption operation. /// - /// This function may produce output in one of the following - /// ways: - /// - Immediate output: the output length is always equal - /// to the input length. - /// - Buffered output: the output consists of a whole number - /// of 16-byte blocks. If the total input length so far - /// (not including associated data) is 16 \* *B* + *A* - /// with *A* < 16 then the total output length is 16 \* *B*. + /// The sequence of operations to encrypt a message with authentication + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_aead_operation_t, e.g. + /// #PSA_AEAD_OPERATION_INIT. + /// -# Call psa_aead_encrypt_setup() to specify the algorithm and key. + /// -# If needed, call psa_aead_set_lengths() to specify the length of the + /// inputs to the subsequent calls to psa_aead_update_ad() and + /// psa_aead_update(). See the documentation of psa_aead_set_lengths() + /// for details. + /// -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to + /// generate or set the nonce. You should use + /// psa_aead_generate_nonce() unless the protocol you are implementing + /// requires a specific nonce value. + /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment + /// of the non-encrypted additional authenticated data each time. + /// -# Call psa_aead_update() zero, one or more times, passing a fragment + /// of the message to encrypt each time. + /// -# Call psa_aead_finish(). /// - /// In particular: - /// - It is always correct to call this function with - /// \p output_size >= \p input_length + 15. - /// - If \p input_length is a multiple of 16 for all the calls - /// to this function during an operation, then it is - /// correct to use \p output_size = \p input_length. + /// If an error occurs at any step after a call to psa_aead_encrypt_setup(), + /// the operation will need to be reset by a call to psa_aead_abort(). The + /// application may call psa_aead_abort() at any time after the operation + /// has been initialized. /// - /// \note For decryption, the output buffer cannot be the same as - /// input buffer. If the buffers overlap, the output buffer - /// must trail at least 8 Bytes behind the input buffer. + /// After a successful call to psa_aead_encrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_aead_finish(). + /// - A call to psa_aead_abort(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param input The buffer holding the input data. If \p input_length - /// is greater than zero, this must be a readable buffer - /// of at least \p input_length bytes. - /// \param input_length The length of the input data in bytes. - /// \param output The buffer for the output data. If \p output_size - /// is greater than zero, this must be a writable buffer of - /// of at least \p output_size bytes. - /// \param output_size The size of the output buffer in bytes. - /// See the function description regarding the output size. - /// \param output_length On success, \p *output_length contains the actual - /// length of the output written in \p output. - /// On failure, the content of \p *output_length is - /// unspecified. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_aead_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: - /// total input length too long, - /// unsupported input/output buffer overlap detected, - /// or \p output_size too small. - pub fn mbedtls_gcm_update( - ctx: *mut mbedtls_gcm_context, - input: *const ::core::ffi::c_uchar, - input_length: usize, - output: *mut ::core::ffi::c_uchar, - output_size: usize, - output_length: *mut usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_encrypt_setup( + operation: *mut psa_aead_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function finishes the GCM operation and generates - /// the authentication tag. + /// Set the key for a multipart authenticated decryption operation. /// - /// It wraps up the GCM stream, and generates the - /// tag. The tag can have a maximum length of 16 Bytes. + /// The sequence of operations to decrypt a message with authentication + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_aead_operation_t, e.g. + /// #PSA_AEAD_OPERATION_INIT. + /// -# Call psa_aead_decrypt_setup() to specify the algorithm and key. + /// -# If needed, call psa_aead_set_lengths() to specify the length of the + /// inputs to the subsequent calls to psa_aead_update_ad() and + /// psa_aead_update(). See the documentation of psa_aead_set_lengths() + /// for details. + /// -# Call psa_aead_set_nonce() with the nonce for the decryption. + /// -# Call psa_aead_update_ad() zero, one or more times, passing a fragment + /// of the non-encrypted additional authenticated data each time. + /// -# Call psa_aead_update() zero, one or more times, passing a fragment + /// of the ciphertext to decrypt each time. + /// -# Call psa_aead_verify(). /// - /// \param ctx The GCM context. This must be initialized. - /// \param tag The buffer for holding the tag. This must be a writable - /// buffer of at least \p tag_len Bytes. - /// \param tag_len The length of the tag to generate. This must be at least - /// four. - /// \param output The buffer for the final output. - /// If \p output_size is nonzero, this must be a writable - /// buffer of at least \p output_size bytes. - /// \param output_size The size of the \p output buffer in bytes. - /// This must be large enough for the output that - /// mbedtls_gcm_update() has not produced. In particular: - /// - If mbedtls_gcm_update() produces immediate output, - /// or if the total input size is a multiple of \c 16, - /// then mbedtls_gcm_finish() never produces any output, - /// so \p output_size can be \c 0. - /// - \p output_size never needs to be more than \c 15. - /// \param output_length On success, \p *output_length contains the actual - /// length of the output written in \p output. - /// On failure, the content of \p *output_length is - /// unspecified. + /// If an error occurs at any step after a call to psa_aead_decrypt_setup(), + /// the operation will need to be reset by a call to psa_aead_abort(). The + /// application may call psa_aead_abort() at any time after the operation + /// has been initialized. /// - /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: - /// invalid value of \p tag_len, - /// or \p output_size too small. - pub fn mbedtls_gcm_finish( - ctx: *mut mbedtls_gcm_context, - output: *mut ::core::ffi::c_uchar, - output_size: usize, - output_length: *mut usize, - tag: *mut ::core::ffi::c_uchar, - tag_len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function clears a GCM context and the underlying - /// cipher sub-context. + /// After a successful call to psa_aead_decrypt_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A successful call to psa_aead_verify(). + /// - A call to psa_aead_abort(). /// - /// \param ctx The GCM context to clear. If this is \c NULL, the call has - /// no effect. Otherwise, this must be initialized. - pub fn mbedtls_gcm_free(ctx: *mut mbedtls_gcm_context); -} -unsafe extern "C" { - /// \brief The GCM checkup routine. + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized as per the documentation for + /// #psa_aead_operation_t and not yet in use. + /// \param key Identifier of the key to use for the operation. + /// It must remain valid until the operation + /// terminates. It must allow the usage + /// #PSA_KEY_USAGE_DECRYPT. + /// \param alg The AEAD algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_AEAD(\p alg) is true). /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_gcm_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_DECRYPT: psa_encrypt_or_decrypt_t = 0; -pub const psa_encrypt_or_decrypt_t_PSA_CRYPTO_DRIVER_ENCRYPT: psa_encrypt_or_decrypt_t = 1; -/// For encrypt-decrypt functions, whether the operation is an encryption -/// or a decryption. -pub type psa_encrypt_or_decrypt_t = ::core::ffi::c_uint; -/// \brief MD5 context structure -/// -/// \warning MD5 is considered a weak message digest and its use -/// constitutes a security risk. We recommend considering -/// stronger message digests instead. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_md5_context { - ///< number of bytes processed - pub private_total: [u32; 2usize], - ///< intermediate digest state - pub private_state: [u32; 4usize], - ///< data block being processed - pub private_buffer: [::core::ffi::c_uchar; 64usize], -} -impl Default for mbedtls_md5_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not compatible with \p alg. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not supported or is not an AEAD algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_decrypt_setup( + operation: *mut psa_aead_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Initialize MD5 context + /// Generate a random nonce for an authenticated encryption operation. /// - /// \param ctx MD5 context to be initialized + /// This function generates a random nonce for the authenticated encryption + /// operation with an appropriate size for the chosen algorithm, key type + /// and key size. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_init(ctx: *mut mbedtls_md5_context); -} -unsafe extern "C" { - /// \brief Clear MD5 context + /// The application must call psa_aead_encrypt_setup() before + /// calling this function. /// - /// \param ctx MD5 context to be cleared + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_free(ctx: *mut mbedtls_md5_context); + /// \param[in,out] operation Active AEAD operation. + /// \param[out] nonce Buffer where the generated nonce is to be + /// written. + /// \param nonce_size Size of the \p nonce buffer in bytes. + /// \param[out] nonce_length On success, the number of bytes of the + /// generated nonce. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p nonce buffer is too small. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active aead encrypt + /// operation, with no nonce set), or the library has not been + /// previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_generate_nonce( + operation: *mut psa_aead_operation_t, + nonce: *mut u8, + nonce_size: usize, + nonce_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Clone (the state of) an MD5 context + /// Set the nonce for an authenticated encryption or decryption operation. /// - /// \param dst The destination context - /// \param src The context to be cloned + /// This function sets the nonce for the authenticated + /// encryption or decryption operation. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_clone(dst: *mut mbedtls_md5_context, src: *const mbedtls_md5_context); -} -unsafe extern "C" { - /// \brief MD5 context setup + /// The application must call psa_aead_encrypt_setup() or + /// psa_aead_decrypt_setup() before calling this function. /// - /// \param ctx context to be initialized + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \note When encrypting, applications should use psa_aead_generate_nonce() + /// instead of this function, unless implementing a protocol that requires + /// a non-random IV. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_starts(ctx: *mut mbedtls_md5_context) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[in] nonce Buffer containing the nonce to use. + /// \param nonce_length Size of the nonce in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The size of \p nonce is not acceptable for the chosen algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, with no nonce + /// set), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_set_nonce( + operation: *mut psa_aead_operation_t, + nonce: *const u8, + nonce_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief MD5 process buffer + /// Declare the lengths of the message and additional data for AEAD. /// - /// \param ctx MD5 context - /// \param input buffer holding the data - /// \param ilen length of the input data + /// The application must call this function before calling + /// psa_aead_update_ad() or psa_aead_update() if the algorithm for + /// the operation requires it. If the algorithm does not require it, + /// calling this function is optional, but if this function is called + /// then the implementation must enforce the lengths. /// - /// \return 0 if successful + /// You may call this function before or after setting the nonce with + /// psa_aead_set_nonce() or psa_aead_generate_nonce(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_update( - ctx: *mut mbedtls_md5_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief MD5 final digest + /// - For #PSA_ALG_CCM, calling this function is required. + /// - For the other AEAD algorithms defined in this specification, calling + /// this function is not required. + /// - For vendor-defined algorithm, refer to the vendor documentation. /// - /// \param ctx MD5 context - /// \param output MD5 checksum result + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \param[in,out] operation Active AEAD operation. + /// \param ad_length Size of the non-encrypted additional + /// authenticated data in bytes. + /// \param plaintext_length Size of the plaintext to encrypt in bytes. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_finish( - ctx: *mut mbedtls_md5_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// At least one of the lengths is not acceptable for the chosen + /// algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and + /// psa_aead_update_ad() and psa_aead_update() must not have been + /// called yet), or the library has not been previously initialized + /// by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_set_lengths( + operation: *mut psa_aead_operation_t, + ad_length: usize, + plaintext_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief MD5 process data block (internal use only) + /// Pass additional data to an active AEAD operation. /// - /// \param ctx MD5 context - /// \param data buffer holding one block of data + /// Additional data is authenticated, but not encrypted. /// - /// \return 0 if successful + /// You may call this function multiple times to pass successive fragments + /// of the additional data. You may not call this function after passing + /// data to encrypt or decrypt with psa_aead_update(). /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_internal_md5_process( - ctx: *mut mbedtls_md5_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Output = MD5( input buffer ) + /// Before calling this function, you must: + /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). + /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). /// - /// \param input buffer holding the data - /// \param ilen length of the input data - /// \param output MD5 checksum result + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful + /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, + /// there is no guarantee that the input is valid. Therefore, until + /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS, + /// treat the input as untrusted and prepare to undo any action that + /// depends on the input if psa_aead_verify() returns an error status. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[in] input Buffer containing the fragment of + /// additional data. + /// \param input_length Size of the \p input buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total input length overflows the additional data length that + /// was previously specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, have a nonce + /// set, have lengths set if required by the algorithm, and + /// psa_aead_update() must not have been called yet), or the library + /// has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_update_ad( + operation: *mut psa_aead_operation_t, + input: *const u8, + input_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// Encrypt or decrypt a message fragment in an active AEAD operation. /// - /// \return 0 if successful, or 1 if the test failed + /// Before calling this function, you must: + /// 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup(). + /// The choice of setup function determines whether this function + /// encrypts or decrypts its input. + /// 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce(). + /// 3. Call psa_aead_update_ad() to pass all the additional data. /// - /// \warning MD5 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. - pub fn mbedtls_md5_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -/// \brief RIPEMD-160 context structure -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ripemd160_context { - ///< number of bytes processed - pub private_total: [u32; 2usize], - ///< intermediate digest state - pub private_state: [u32; 5usize], - ///< data block being processed - pub private_buffer: [::core::ffi::c_uchar; 64usize], -} -impl Default for mbedtls_ripemd160_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief Initialize RIPEMD-160 context + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \param ctx RIPEMD-160 context to be initialized - pub fn mbedtls_ripemd160_init(ctx: *mut mbedtls_ripemd160_context); -} -unsafe extern "C" { - /// \brief Clear RIPEMD-160 context + /// \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS, + /// there is no guarantee that the input is valid. Therefore, until + /// you have called psa_aead_verify() and it has returned #PSA_SUCCESS: + /// - Do not use the output in any way other than storing it in a + /// confidential location. If you take any action that depends + /// on the tentative decrypted data, this action will need to be + /// undone if the input turns out not to be valid. Furthermore, + /// if an adversary can observe that this action took place + /// (for example through timing), they may be able to use this + /// fact as an oracle to decrypt any message encrypted with the + /// same key. + /// - In particular, do not copy the output anywhere but to a + /// memory or storage space that you have exclusive access to. /// - /// \param ctx RIPEMD-160 context to be cleared - pub fn mbedtls_ripemd160_free(ctx: *mut mbedtls_ripemd160_context); + /// This function does not require the input to be aligned to any + /// particular block boundary. If the implementation can only process + /// a whole block at a time, it must consume all the input provided, but + /// it may delay the end of the corresponding output until a subsequent + /// call to psa_aead_update(), psa_aead_finish() or psa_aead_verify() + /// provides sufficient input. The amount of data that can be delayed + /// in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE. + /// + /// \param[in,out] operation Active AEAD operation. + /// \param[in] input Buffer containing the message fragment to + /// encrypt or decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[out] output Buffer where the output is to be written. + /// \param output_size Size of the \p output buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, + /// \c alg, \p input_length) where + /// \c key_type is the type of key and \c alg is + /// the algorithm that were used to set up the + /// operation. + /// - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p + /// input_length) evaluates to the maximum + /// output size of any supported AEAD + /// algorithm. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or + /// #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to + /// determine the required buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total input length overflows the plaintext length that + /// was previously specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, have a nonce + /// set, and have lengths set if required by the algorithm), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_update( + operation: *mut psa_aead_operation_t, + input: *const u8, + input_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Clone (the state of) a RIPEMD-160 context + /// Finish encrypting a message in an AEAD operation. /// - /// \param dst The destination context - /// \param src The context to be cloned - pub fn mbedtls_ripemd160_clone( - dst: *mut mbedtls_ripemd160_context, - src: *const mbedtls_ripemd160_context, - ); -} -unsafe extern "C" { - /// \brief RIPEMD-160 context setup + /// The operation must have been set up with psa_aead_encrypt_setup(). /// - /// \param ctx context to be initialized + /// This function finishes the authentication of the additional data + /// formed by concatenating the inputs passed to preceding calls to + /// psa_aead_update_ad() with the plaintext formed by concatenating the + /// inputs passed to preceding calls to psa_aead_update(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_starts(ctx: *mut mbedtls_ripemd160_context) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief RIPEMD-160 process buffer + /// This function has two output buffers: + /// - \p ciphertext contains trailing ciphertext that was buffered from + /// preceding calls to psa_aead_update(). + /// - \p tag contains the authentication tag. /// - /// \param ctx RIPEMD-160 context - /// \param input buffer holding the data - /// \param ilen length of the input data + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_update( - ctx: *mut mbedtls_ripemd160_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation Active AEAD operation. + /// \param[out] ciphertext Buffer where the last part of the ciphertext + /// is to be written. + /// \param ciphertext_size Size of the \p ciphertext buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, + /// \c alg) where \c key_type is the type of key + /// and \c alg is the algorithm that were used to + /// set up the operation. + /// - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to + /// the maximum output size of any supported AEAD + /// algorithm. + /// \param[out] ciphertext_length On success, the number of bytes of + /// returned ciphertext. + /// \param[out] tag Buffer where the authentication tag is + /// to be written. + /// \param tag_size Size of the \p tag buffer in bytes. + /// This must be appropriate for the selected + /// algorithm and key: + /// - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c + /// key_type, \c key_bits, \c alg) where + /// \c key_type and \c key_bits are the type and + /// bit-size of the key, and \c alg is the + /// algorithm that were used in the call to + /// psa_aead_encrypt_setup(). + /// - #PSA_AEAD_TAG_MAX_SIZE evaluates to the + /// maximum tag size of any supported AEAD + /// algorithm. + /// \param[out] tag_length On success, the number of bytes + /// that make up the returned tag. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p ciphertext or \p tag buffer is too small. + /// #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or + /// #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the + /// required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type, + /// \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to + /// determine the required \p tag buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total length of input to psa_aead_update() so far is + /// less than the plaintext length that was previously + /// specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active encryption + /// operation with a nonce set), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_finish( + operation: *mut psa_aead_operation_t, + ciphertext: *mut u8, + ciphertext_size: usize, + ciphertext_length: *mut usize, + tag: *mut u8, + tag_size: usize, + tag_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief RIPEMD-160 final digest + /// Finish authenticating and decrypting a message in an AEAD operation. /// - /// \param ctx RIPEMD-160 context - /// \param output RIPEMD-160 checksum result + /// The operation must have been set up with psa_aead_decrypt_setup(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160_finish( - ctx: *mut mbedtls_ripemd160_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief RIPEMD-160 process data block (internal use only) + /// This function finishes the authenticated decryption of the message + /// components: /// - /// \param ctx RIPEMD-160 context - /// \param data buffer holding one block of data + /// - The additional data consisting of the concatenation of the inputs + /// passed to preceding calls to psa_aead_update_ad(). + /// - The ciphertext consisting of the concatenation of the inputs passed to + /// preceding calls to psa_aead_update(). + /// - The tag passed to this function call. /// - /// \return 0 if successful - pub fn mbedtls_internal_ripemd160_process( - ctx: *mut mbedtls_ripemd160_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Output = RIPEMD-160( input buffer ) + /// If the authentication tag is correct, this function outputs any remaining + /// plaintext and reports success. If the authentication tag is not correct, + /// this function returns #PSA_ERROR_INVALID_SIGNATURE. /// - /// \param input buffer holding the data - /// \param ilen length of the input data - /// \param output RIPEMD-160 checksum result + /// When this function returns successfully, the operation becomes inactive. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_aead_abort(). /// - /// \return 0 if successful - pub fn mbedtls_ripemd160( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \note Implementations shall make the best effort to ensure that the + /// comparison between the actual tag and the expected tag is performed + /// in constant time. + /// + /// \param[in,out] operation Active AEAD operation. + /// \param[out] plaintext Buffer where the last part of the plaintext + /// is to be written. This is the remaining data + /// from previous calls to psa_aead_update() + /// that could not be processed until the end + /// of the input. + /// \param plaintext_size Size of the \p plaintext buffer in bytes. + /// This must be appropriate for the selected algorithm and key: + /// - A sufficient output size is + /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, + /// \c alg) where \c key_type is the type of key + /// and \c alg is the algorithm that were used to + /// set up the operation. + /// - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to + /// the maximum output size of any supported AEAD + /// algorithm. + /// \param[out] plaintext_length On success, the number of bytes of + /// returned plaintext. + /// \param[in] tag Buffer containing the authentication tag. + /// \param tag_length Size of the \p tag buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculations were successful, but the authentication tag is + /// not correct. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p plaintext buffer is too small. + /// #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or + /// #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the + /// required buffer size. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The total length of input to psa_aead_update_ad() so far is + /// less than the additional data length that was previously + /// specified with psa_aead_set_lengths(), or + /// the total length of input to psa_aead_update() so far is + /// less than the plaintext length that was previously + /// specified with psa_aead_set_lengths(). + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be an active decryption + /// operation with a nonce set), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_verify( + operation: *mut psa_aead_operation_t, + plaintext: *mut u8, + plaintext_size: usize, + plaintext_length: *mut usize, + tag: *const u8, + tag_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// Abort an AEAD operation. /// - /// \return 0 if successful, or 1 if the test failed - pub fn mbedtls_ripemd160_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha1_context { - pub work_area: [::core::ffi::c_uchar; 208usize], -} -impl Default for mbedtls_sha1_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// Aborting an operation frees all associated resources except for the + /// \p operation structure itself. Once aborted, the operation object + /// can be reused for another operation by calling + /// psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again. + /// + /// You may call this function any time after the operation object has + /// been initialized as described in #psa_aead_operation_t. + /// + /// In particular, calling psa_aead_abort() after the operation has been + /// terminated by a call to psa_aead_abort(), psa_aead_finish() or + /// psa_aead_verify() is safe and has no effect. + /// + /// \param[in,out] operation Initialized AEAD operation. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_aead_abort(operation: *mut psa_aead_operation_t) -> psa_status_t; } unsafe extern "C" { - /// \brief This function initializes a SHA-1 context. - /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \brief Sign a message with a private key. For hash-and-sign algorithms, + /// this includes the hashing step. /// - /// \param ctx The SHA-1 context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_sha1_init(ctx: *mut mbedtls_sha1_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-1 context. + /// \note To perform a multi-part hash-and-sign signature algorithm, first use + /// a multi-part hash operation and then pass the resulting hash to + /// psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the + /// hash algorithm to use. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param[in] key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE. + /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) + /// is true), that is compatible with the type of + /// \p key. + /// \param[in] input The input message to sign. + /// \param[in] input_length Size of the \p input buffer in bytes. + /// \param[out] signature Buffer where the signature is to be written. + /// \param[in] signature_size Size of the \p signature buffer in bytes. This + /// must be appropriate for the selected + /// algorithm and key: + /// - The required signature size is + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and + /// bit-size respectively of key. + /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the + /// maximum signature size of any supported + /// signature algorithm. + /// \param[out] signature_length On success, the number of bytes that make up + /// the returned signature value. /// - /// \param ctx The SHA-1 context to clear. This may be \c NULL, - /// in which case this function does nothing. If it is - /// not \c NULL, it must point to an initialized - /// SHA-1 context. - pub fn mbedtls_sha1_free(ctx: *mut mbedtls_sha1_context); + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, + /// or it does not permit the requested algorithm. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_message( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function clones the state of a SHA-1 context. + /// \brief Verify the signature of a message with a public key, using + /// a hash-and-sign verification algorithm. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \note To perform a multi-part hash-and-sign signature verification + /// algorithm, first use a multi-part hash operation to hash the message + /// and then pass the resulting hash to psa_verify_hash(). + /// PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm + /// to use. /// - /// \param dst The SHA-1 context to clone to. This must be initialized. - /// \param src The SHA-1 context to clone from. This must be initialized. - pub fn mbedtls_sha1_clone(dst: *mut mbedtls_sha1_context, src: *const mbedtls_sha1_context); + /// \param[in] key Identifier of the key to use for the operation. + /// It must be a public key or an asymmetric key + /// pair. The key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_MESSAGE. + /// \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg) + /// is true), that is compatible with the type of + /// \p key. + /// \param[in] input The message whose signature is to be verified. + /// \param[in] input_length Size of the \p input buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param[in] signature_length Size of the \p signature buffer in bytes. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, + /// or it does not permit the requested algorithm. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed signature + /// is not a valid signature. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_message( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a SHA-1 checksum calculation. + /// \brief Sign a hash or short message with a private key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// Note that to perform a hash-and-sign signature algorithm, you must + /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() + /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). + /// Then pass the resulting hash as the \p hash + /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) + /// to determine the hash algorithm to use. /// - /// \param ctx The SHA-1 context to initialize. This must be initialized. + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. + /// \param alg A signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message to sign. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[out] signature Buffer where the signature is to be written. + /// \param signature_size Size of the \p signature buffer in bytes. + /// \param[out] signature_length On success, the number of bytes + /// that make up the returned signature value. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_starts(ctx: *mut mbedtls_sha1_context) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing SHA-1 - /// checksum calculation. + /// \brief Verify the signature of a hash or short message using a public key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// Note that to perform a hash-and-sign signature algorithm, you must + /// first calculate the hash by calling psa_hash_setup(), psa_hash_update() + /// and psa_hash_finish(), or alternatively by calling psa_hash_compute(). + /// Then pass the resulting hash as the \p hash + /// parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) + /// to determine the hash algorithm to use. /// - /// \param ctx The SHA-1 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the input data. - /// This must be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data \p input in Bytes. + /// \param key Identifier of the key to use for the operation. It + /// must be a public key or an asymmetric key pair. The + /// key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_HASH. + /// \param alg A signature algorithm (PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message whose signature is to be + /// verified. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param signature_length Size of the \p signature buffer in bytes. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_update( - ctx: *mut mbedtls_sha1_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// The signature is valid. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed + /// signature is not a valid signature. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function finishes the SHA-1 operation, and writes - /// the result to the output buffer. + /// \brief Encrypt a short message with a public key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param key Identifier of the key to use for the operation. + /// It must be a public key or an asymmetric key + /// pair. It must allow the usage + /// #PSA_KEY_USAGE_ENCRYPT. + /// \param alg An asymmetric encryption algorithm that is + /// compatible with the type of \p key. + /// \param[in] input The message to encrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] salt A salt or label, if supported by the + /// encryption algorithm. + /// If the algorithm does not support a + /// salt, pass \c NULL. + /// If the algorithm supports an optional + /// salt and you do not want to pass a salt, + /// pass \c NULL. /// - /// \param ctx The SHA-1 context to use. This must be initialized and - /// have a hash operation started. - /// \param output The SHA-1 checksum result. This must be a writable - /// buffer of length \c 20 Bytes. + /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is + /// supported. + /// \param salt_length Size of the \p salt buffer in bytes. + /// If \p salt is \c NULL, pass 0. + /// \param[out] output Buffer where the encrypted message is to + /// be written. + /// \param output_size Size of the \p output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1_finish( - ctx: *mut mbedtls_sha1_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_asymmetric_encrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + salt: *const u8, + salt_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief SHA-1 process data block (internal use only). + /// \brief Decrypt a short message with a private key. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. It must + /// allow the usage #PSA_KEY_USAGE_DECRYPT. + /// \param alg An asymmetric encryption algorithm that is + /// compatible with the type of \p key. + /// \param[in] input The message to decrypt. + /// \param input_length Size of the \p input buffer in bytes. + /// \param[in] salt A salt or label, if supported by the + /// encryption algorithm. + /// If the algorithm does not support a + /// salt, pass \c NULL. + /// If the algorithm supports an optional + /// salt and you do not want to pass a salt, + /// pass \c NULL. /// - /// \param ctx The SHA-1 context to use. This must be initialized. - /// \param data The data block being processed. This must be a - /// readable buffer of length \c 64 Bytes. + /// - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is + /// supported. + /// \param salt_length Size of the \p salt buffer in bytes. + /// If \p salt is \c NULL, pass 0. + /// \param[out] output Buffer where the decrypted message is to + /// be written. + /// \param output_size Size of the \c output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha1_process( - ctx: *mut mbedtls_sha1_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \p key. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INVALID_PADDING \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_asymmetric_decrypt( + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + input: *const u8, + input_length: usize, + salt: *const u8, + salt_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } +/// The type of the state data structure for key derivation operations. +/// +/// Before calling any function on a key derivation operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_key_derivation_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_key_derivation_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT, +/// for example: +/// \code +/// psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_key_derivation_operation_init() +/// to the structure, for example: +/// \code +/// psa_key_derivation_operation_t operation; +/// operation = psa_key_derivation_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_key_derivation_operation_t = psa_key_derivation_s; unsafe extern "C" { - /// \brief This function calculates the SHA-1 checksum of a buffer. + /// Set up a key derivation operation. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// A key derivation algorithm takes some inputs and uses them to generate + /// a byte stream in a deterministic way. + /// This byte stream can be used to produce keys and other + /// cryptographic material. /// - /// The SHA-1 result is calculated as - /// output = SHA-1(input buffer). + /// To derive a key: + /// -# Start with an initialized object of type #psa_key_derivation_operation_t. + /// -# Call psa_key_derivation_setup() to select the algorithm. + /// -# Provide the inputs for the key derivation by calling + /// psa_key_derivation_input_bytes() or psa_key_derivation_input_key() + /// as appropriate. Which inputs are needed, in what order, and whether + /// they may be keys and if so of what type depends on the algorithm. + /// -# Optionally set the operation's maximum capacity with + /// psa_key_derivation_set_capacity(). You may do this before, in the middle + /// of or after providing inputs. For some algorithms, this step is mandatory + /// because the output depends on the maximum capacity. + /// -# To derive a key, call psa_key_derivation_output_key() or + /// psa_key_derivation_output_key_custom(). + /// To derive a byte string for a different purpose, call + /// psa_key_derivation_output_bytes(). + /// Successive calls to these functions use successive output bytes + /// calculated by the key derivation algorithm. + /// -# Clean up the key derivation operation object with + /// psa_key_derivation_abort(). /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// If this function returns an error, the key derivation operation object is + /// not changed. /// - /// \param input The buffer holding the input data. - /// This must be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data \p input in Bytes. - /// \param output The SHA-1 checksum result. - /// This must be a writable buffer of length \c 20 Bytes. + /// If an error occurs at any step after a call to psa_key_derivation_setup(), + /// the operation will need to be reset by a call to psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha1( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-1 checkup routine. + /// Implementations must reject an attempt to derive a key of size 0. /// - /// \warning SHA-1 is considered a weak message digest and its use - /// constitutes a security risk. We recommend considering - /// stronger message digests instead. + /// \param[in,out] operation The key derivation operation object + /// to set up. It must + /// have been initialized but not set up yet. + /// \param alg The key derivation algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true). /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha1_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha256_context { - pub work_area: [::core::ffi::c_uchar; 208usize], - pub is224: ::core::ffi::c_uchar, -} -impl Default for mbedtls_sha256_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c alg is not a key derivation algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \c alg is not supported or is not a key derivation algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be inactive), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_setup( + operation: *mut psa_key_derivation_operation_t, + alg: psa_algorithm_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function initializes a SHA-256 context. + /// Retrieve the current capacity of a key derivation operation. /// - /// \param ctx The SHA-256 context to initialize. This must not be \c NULL. - pub fn mbedtls_sha256_init(ctx: *mut mbedtls_sha256_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-256 context. + /// The capacity of a key derivation is the maximum number of bytes that it can + /// return. When you get *N* bytes of output from a key derivation operation, + /// this reduces its capacity by *N*. /// - /// \param ctx The SHA-256 context to clear. This may be \c NULL, in which - /// case this function returns immediately. If it is not \c NULL, - /// it must point to an initialized SHA-256 context. - pub fn mbedtls_sha256_free(ctx: *mut mbedtls_sha256_context); -} -unsafe extern "C" { - /// \brief This function clones the state of a SHA-256 context. + /// \param[in] operation The operation to query. + /// \param[out] capacity On success, the capacity of the operation. /// - /// \param dst The destination context. This must be initialized. - /// \param src The context to clone. This must be initialized. - pub fn mbedtls_sha256_clone( - dst: *mut mbedtls_sha256_context, - src: *const mbedtls_sha256_context, - ); + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_get_capacity( + operation: *const psa_key_derivation_operation_t, + capacity: *mut usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function starts a SHA-224 or SHA-256 checksum - /// calculation. + /// Set the maximum capacity of a key derivation operation. /// - /// \param ctx The context to use. This must be initialized. - /// \param is224 This determines which function to use. This must be - /// either \c 0 for SHA-256, or \c 1 for SHA-224. + /// The capacity of a key derivation operation is the maximum number of bytes + /// that the key derivation operation can return from this point onwards. /// - /// \note is224 must be defined accordingly to the enabled - /// MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the - /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// \param[in,out] operation The key derivation operation object to modify. + /// \param capacity The new capacity of the operation. + /// It must be less or equal to the operation's + /// current capacity. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_starts( - ctx: *mut mbedtls_sha256_context, - is224: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p capacity is larger than the operation's current capacity. + /// In this case, the operation object remains valid and its capacity + /// remains unchanged. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active), or the + /// library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_set_capacity( + operation: *mut psa_key_derivation_operation_t, + capacity: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// SHA-256 checksum calculation. + /// Provide an input for key derivation or key agreement. /// - /// \param ctx The SHA-256 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the data. This must be a readable - /// buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. + /// Which inputs are required and in what order depends on the algorithm. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_update( - ctx: *mut mbedtls_sha256_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function finishes the SHA-256 operation, and writes - /// the result to the output buffer. + /// This function passes direct inputs, which is usually correct for + /// non-secret inputs. To pass a secret input, which should be in a key + /// object, call psa_key_derivation_input_key() instead of this function. + /// Refer to the documentation of individual step types + /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) + /// for more information. /// - /// \param ctx The SHA-256 context. This must be initialized - /// and have a hash operation started. - /// \param output The SHA-224 or SHA-256 checksum result. - /// This must be a writable buffer of length \c 32 bytes - /// for SHA-256, \c 28 bytes for SHA-224. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256_finish( - ctx: *mut mbedtls_sha256_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param[in] data Input data to use. + /// \param data_length Size of the \p data buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow direct inputs. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_bytes( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + data: *const u8, + data_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function processes a single data block within - /// the ongoing SHA-256 computation. This function is for - /// internal use only. + /// Provide a numeric input for key derivation or key agreement. /// - /// \param ctx The SHA-256 context. This must be initialized. - /// \param data The buffer holding one block of data. This must - /// be a readable buffer of length \c 64 Bytes. + /// Which inputs are required and in what order depends on the algorithm. + /// However, when an algorithm requires a particular order, numeric inputs + /// usually come first as they tend to be configuration parameters. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha256_process( - ctx: *mut mbedtls_sha256_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// This function is used for inputs which are fixed-size non-negative + /// integers. + /// + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param[in] value The value of the numeric input. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow numeric inputs. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_integer( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + value: u64, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function calculates the SHA-224 or SHA-256 - /// checksum of a buffer. + /// Provide an input for key derivation in the form of a key. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// Which inputs are required and in what order depends on the algorithm. + /// Refer to the documentation of each key derivation or key agreement + /// algorithm for information. /// - /// The SHA-256 result is calculated as - /// output = SHA-256(input buffer). + /// This function obtains input from a key object, which is usually correct for + /// secret inputs or for non-secret personalization strings kept in the key + /// store. To pass a non-secret parameter which is not in the key store, + /// call psa_key_derivation_input_bytes() instead of this function. + /// Refer to the documentation of individual step types + /// (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t) + /// for more information. /// - /// \param input The buffer holding the data. This must be a readable - /// buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. - /// \param output The SHA-224 or SHA-256 checksum result. - /// This must be a writable buffer of length \c 32 bytes - /// for SHA-256, \c 28 bytes for SHA-224. - /// \param is224 Determines which function to use. This must be - /// either \c 0 for SHA-256, or \c 1 for SHA-224. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() and must not + /// have produced any output yet. + /// \param step Which step the input data is for. + /// \param key Identifier of the key. It must have an + /// appropriate type for step and must allow the + /// usage #PSA_KEY_USAGE_DERIVE or + /// #PSA_KEY_USAGE_VERIFY_DERIVATION (see note) + /// and the algorithm used by the operation. + /// + /// \note Once all inputs steps are completed, the operations will allow: + /// - psa_key_derivation_output_bytes() if each input was either a direct input + /// or a key with #PSA_KEY_USAGE_DERIVE set; + /// - psa_key_derivation_output_key() or psa_key_derivation_output_key_custom() + /// if the input for step + /// #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD + /// was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was + /// either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; + /// - psa_key_derivation_verify_bytes() if each input was either a direct input + /// or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; + /// - psa_key_derivation_verify_key() under the same conditions as + /// psa_key_derivation_verify_bytes(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha256( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - is224: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key allows neither #PSA_KEY_USAGE_DERIVE nor + /// #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this + /// algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c step is not compatible with the operation's algorithm, or + /// \c step does not allow key inputs of the given type + /// or does not allow key inputs at all. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this input \p step, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_input_key( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + key: mbedtls_svc_key_id_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief The SHA-224 checkup routine. + /// Perform a key agreement and use the shared secret as input to a key + /// derivation. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha224_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-256 checkup routine. + /// A key agreement algorithm takes two inputs: a private key \p private_key + /// a public key \p peer_key. + /// The result of this function is passed as input to a key derivation. + /// The output of this key derivation can be extracted by reading from the + /// resulting operation to produce keys and other cryptographic material. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha256_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_sha512_context { - pub work_area: [::core::ffi::c_uchar; 304usize], - pub is384: ::core::ffi::c_uchar, -} -impl Default for mbedtls_sha512_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief This function initializes a SHA-512 context. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \param ctx The SHA-512 context to initialize. This must - /// not be \c NULL. - pub fn mbedtls_sha512_init(ctx: *mut mbedtls_sha512_context); -} -unsafe extern "C" { - /// \brief This function clears a SHA-512 context. + /// \param[in,out] operation The key derivation operation object to use. + /// It must have been set up with + /// psa_key_derivation_setup() with a + /// key agreement and derivation algorithm + /// \c alg (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true + /// and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg) + /// is false). + /// The operation must be ready for an + /// input of the type given by \p step. + /// \param step Which step the input data is for. + /// \param private_key Identifier of the private key to use. It must + /// allow the usage #PSA_KEY_USAGE_DERIVE. + /// \param[in] peer_key Public key of the peer. The peer key must be in the + /// same format that psa_import_key() accepts for the + /// public key type corresponding to the type of + /// private_key. That is, this function performs the + /// equivalent of + /// #psa_import_key(..., + /// `peer_key`, `peer_key_length`) where + /// with key attributes indicating the public key + /// type corresponding to the type of `private_key`. + /// For example, for EC keys, this means that peer_key + /// is interpreted as a point on the curve that the + /// private key is on. The standard formats for public + /// keys are documented in the documentation of + /// psa_export_public_key(). + /// \param peer_key_length Size of \p peer_key in bytes. /// - /// \param ctx The SHA-512 context to clear. This may be \c NULL, - /// in which case this function does nothing. If it - /// is not \c NULL, it must point to an initialized - /// SHA-512 context. - pub fn mbedtls_sha512_free(ctx: *mut mbedtls_sha512_context); + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \c private_key is not compatible with \c alg, + /// or \p peer_key is not valid for \c alg or not compatible with + /// \c private_key, or \c step does not allow an input resulting + /// from a key agreement. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \c alg is not supported or is not a key derivation algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid for this key agreement \p step, + /// or the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_key_agreement( + operation: *mut psa_key_derivation_operation_t, + step: psa_key_derivation_step_t, + private_key: mbedtls_svc_key_id_t, + peer_key: *const u8, + peer_key_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function clones the state of a SHA-512 context. + /// Read some data from a key derivation operation. /// - /// \param dst The destination context. This must be initialized. - /// \param src The context to clone. This must be initialized. - pub fn mbedtls_sha512_clone( - dst: *mut mbedtls_sha512_context, - src: *const mbedtls_sha512_context, - ); -} -unsafe extern "C" { - /// \brief This function starts a SHA-384 or SHA-512 checksum - /// calculation. + /// This function calculates output bytes from a key derivation algorithm and + /// return those bytes. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the requested number of bytes from the + /// stream. + /// The operation's capacity decreases by the number of bytes read. /// - /// \param ctx The SHA-512 context to use. This must be initialized. - /// \param is384 Determines which function to use. This must be - /// either \c 0 for SHA-512, or \c 1 for SHA-384. + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \note is384 must be defined accordingly to the enabled - /// MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the - /// function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[out] output Buffer where the output will be written. + /// \param output_length Number of bytes to output. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_starts( - ctx: *mut mbedtls_sha512_context, - is384: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// One of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// \p output_length bytes. Note that in this case, + /// no output is written to the output buffer. + /// The operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_bytes( + operation: *mut psa_key_derivation_operation_t, + output: *mut u8, + output_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief This function feeds an input buffer into an ongoing - /// SHA-512 checksum calculation. + /// Derive a key from an ongoing key derivation operation. /// - /// \param ctx The SHA-512 context. This must be initialized - /// and have a hash operation started. - /// \param input The buffer holding the input data. This must - /// be a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. + /// This function calculates output bytes from a key derivation algorithm + /// and uses those bytes to generate a key deterministically. + /// The key's location, usage policy, type and size are taken from + /// \p attributes. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_update( - ctx: *mut mbedtls_sha512_context, - input: *const ::core::ffi::c_uchar, - ilen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function finishes the SHA-512 operation, and writes - /// the result to the output buffer. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads as many bytes as required from the + /// stream. + /// The operation's capacity decreases by the number of bytes read. /// - /// \param ctx The SHA-512 context. This must be initialized - /// and have a hash operation started. - /// \param output The SHA-384 or SHA-512 checksum result. - /// This must be a writable buffer of length \c 64 bytes - /// for SHA-512, \c 48 bytes for SHA-384. + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + /// state and must be aborted by calling psa_key_derivation_abort(). /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512_finish( - ctx: *mut mbedtls_sha512_context, - output: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function processes a single data block within - /// the ongoing SHA-512 computation. - /// This function is for internal use only. + /// How much output is produced and consumed from the operation, and how + /// the key is derived, depends on the key type and on the key size + /// (denoted \c bits below): /// - /// \param ctx The SHA-512 context. This must be initialized. - /// \param data The buffer holding one block of data. This - /// must be a readable buffer of length \c 128 Bytes. + /// - For key types for which the key is an arbitrary sequence of bytes + /// of a given size, this function is functionally equivalent to + /// calling #psa_key_derivation_output_bytes + /// and passing the resulting output to #psa_import_key. + /// However, this function has a security benefit: + /// if the implementation provides an isolation boundary then + /// the key material is not exposed outside the isolation boundary. + /// As a consequence, for these key types, this function always consumes + /// exactly (\c bits / 8) bytes from the operation. + /// The following key types defined in this specification follow this scheme: /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_internal_sha512_process( - ctx: *mut mbedtls_sha512_context, - data: *const ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This function calculates the SHA-512 or SHA-384 - /// checksum of a buffer. + /// - #PSA_KEY_TYPE_AES; + /// - #PSA_KEY_TYPE_ARIA; + /// - #PSA_KEY_TYPE_CAMELLIA; + /// - #PSA_KEY_TYPE_DERIVE; + /// - #PSA_KEY_TYPE_HMAC; + /// - #PSA_KEY_TYPE_PASSWORD_HASH. /// - /// The function allocates the context, performs the - /// calculation, and frees the context. + /// - For ECC keys on a Montgomery elliptic curve + /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a + /// Montgomery curve), this function always draws a byte string whose + /// length is determined by the curve, and sets the mandatory bits + /// accordingly. That is: /// - /// The SHA-512 result is calculated as - /// output = SHA-512(input buffer). + /// - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte + /// string and process it as specified in RFC 7748 §5. + /// - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte + /// string and process it as specified in RFC 7748 §5. /// - /// \param input The buffer holding the input data. This must be - /// a readable buffer of length \p ilen Bytes. - /// \param ilen The length of the input data in Bytes. - /// \param output The SHA-384 or SHA-512 checksum result. - /// This must be a writable buffer of length \c 64 bytes - /// for SHA-512, \c 48 bytes for SHA-384. - /// \param is384 Determines which function to use. This must be either - /// \c 0 for SHA-512, or \c 1 for SHA-384. + /// - For key types for which the key is represented by a single sequence of + /// \c bits bits with constraints as to which bit sequences are acceptable, + /// this function draws a byte string of length (\c bits / 8) bytes rounded + /// up to the nearest whole number of bytes. If the resulting byte string + /// is acceptable, it becomes the key, otherwise the drawn bytes are discarded. + /// This process is repeated until an acceptable byte string is drawn. + /// The byte string drawn from the operation is interpreted as specified + /// for the output produced by psa_export_key(). + /// The following key types defined in this specification follow this scheme: /// - /// \note is384 must be defined accordingly with the supported - /// symbols in the config file. If: - /// - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or - /// - is384 is 1, but \c MBEDTLS_SHA512_C is not defined - /// then the function will return - /// #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA. + /// - #PSA_KEY_TYPE_DES. + /// Force-set the parity bits, but discard forbidden weak keys. + /// For 2-key and 3-key triple-DES, the three keys are generated + /// successively (for example, for 3-key triple-DES, + /// if the first 8 bytes specify a weak key and the next 8 bytes do not, + /// discard the first 8 bytes, use the next 8 bytes as the first key, + /// and continue reading output from the operation to derive the other + /// two keys). + /// - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group) + /// where \c group designates any Diffie-Hellman group) and + /// ECC keys on a Weierstrass elliptic curve + /// (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a + /// Weierstrass curve). + /// For these key types, interpret the byte string as integer + /// in big-endian order. Discard it if it is not in the range + /// [0, *N* - 2] where *N* is the boundary of the private key domain + /// (the prime *p* for Diffie-Hellman, the subprime *q* for DSA, + /// or the order of the curve's base point for ECC). + /// Add 1 to the resulting integer and use this as the private key *x*. + /// This method allows compliance to NIST standards, specifically + /// the methods titled "key-pair generation by testing candidates" + /// in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman, + /// in FIPS 186-4 §B.1.2 for DSA, and + /// in NIST SP 800-56A §5.6.1.2.2 or + /// FIPS 186-4 §B.4.2 for elliptic curve keys. /// - /// \return \c 0 on success. - /// \return A negative error code on failure. - pub fn mbedtls_sha512( - input: *const ::core::ffi::c_uchar, - ilen: usize, - output: *mut ::core::ffi::c_uchar, - is384: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-384 checkup routine. + /// - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR, + /// the way in which the operation output is consumed is + /// implementation-defined. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha384_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief The SHA-512 checkup routine. + /// In all cases, the data that is read is discarded from the operation. + /// The operation's capacity is decreased by the number of bytes read. /// - /// \return \c 0 on success. - /// \return \c 1 on failure. - pub fn mbedtls_sha512_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_hash_operation_t { - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - pub private_ctx: mbedtls_psa_hash_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union mbedtls_psa_hash_operation_t__bindgen_ty_1 { - pub dummy: ::core::ffi::c_uint, - pub md5: mbedtls_md5_context, - pub ripemd160: mbedtls_ripemd160_context, - pub sha1: mbedtls_sha1_context, - pub sha256: mbedtls_sha256_context, - pub sha512: mbedtls_sha512_context, -} -impl Default for mbedtls_psa_hash_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_hash_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_cipher_operation_t { - pub private_alg: psa_algorithm_t, - pub private_iv_length: u8, - pub private_block_length: u8, - pub private_ctx: mbedtls_psa_cipher_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_cipher_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_cipher: mbedtls_cipher_context_t, -} -impl Default for mbedtls_psa_cipher_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_cipher_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_driver_hash_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_hash_operation_t, -} -impl Default for psa_driver_hash_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_cipher_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_cipher_operation_t, -} -impl Default for psa_driver_cipher_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_hash_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_driver_wrappers.h. - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. the driver context is not active, in use). - pub private_id: ::core::ffi::c_uint, - pub __bindgen_padding_0: u64, - pub private_ctx: psa_driver_hash_context_t, -} -impl Default for psa_hash_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_cipher_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_default_iv_length: u8, - pub private_ctx: psa_driver_cipher_context_t, + /// For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET, + /// the input to that step must be provided with psa_key_derivation_input_key(). + /// Future versions of this specification may include additional restrictions + /// on the derived key based on the attributes and strength of the secret key. + /// + /// \note This function is equivalent to calling + /// psa_key_derivation_output_key_custom() + /// with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// and `custom_data_length == 0` (i.e. `custom_data` is empty). + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl Default for psa_cipher_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Derive a key from an ongoing key derivation operation with custom + /// production parameters. + /// + /// See the description of psa_key_derivation_out_key() for the operation of + /// this function with the default production parameters. + /// Mbed TLS currently does not currently support any non-default production + /// parameters. + /// + /// \note This function is experimental and may change in future minor + /// versions of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] custom Customization parameters for the key generation. + /// When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// with \p custom_data_length = 0, + /// this function is equivalent to + /// psa_key_derivation_output_key(). + /// \param[in] custom_data Variable-length data associated with \c custom. + /// \param custom_data_length + /// Length of `custom_data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key_custom( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + custom: *const psa_custom_key_parameters_t, + custom_data: *const u8, + custom_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl psa_cipher_operation_s { - #[inline] - pub fn private_iv_required(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_iv_required(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_iv_required_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_iv_required_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_iv_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_iv_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(1usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_iv_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 1usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_iv_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 1usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_iv_required: ::core::ffi::c_uint, - private_iv_set: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_iv_required: u32 = unsafe { ::core::mem::transmute(private_iv_required) }; - private_iv_required as u64 - }); - __bindgen_bitfield_unit.set(1usize, 1u8, { - let private_iv_set: u32 = unsafe { ::core::mem::transmute(private_iv_set) }; - private_iv_set as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Derive a key from an ongoing key derivation operation with custom + /// production parameters. + /// + /// \note + /// This is a deprecated variant of psa_key_derivation_output_key_custom(). + /// It is equivalent except that the associated variable-length data + /// is passed in `params->data` instead of a separate parameter. + /// This function will be removed in a future version of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// If the key type to be created is + /// #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + /// the policy must be the same as in the current + /// operation. + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] params Customization parameters for the key derivation. + /// When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + /// with \p params_data_length = 0, + /// this function is equivalent to + /// psa_key_derivation_output_key(). + /// Mbed TLS currently only supports the default + /// production parameters, i.e. + /// #PSA_KEY_PRODUCTION_PARAMETERS_INIT, + /// for all key types. + /// \param params_data_length + /// Length of `params->data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// There was not enough data to create the desired key. + /// Note that in this case, no output is written to the output buffer. + /// The operation's capacity is set to 0, thus subsequent calls to + /// this function will not succeed, even with a smaller output buffer. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size is not supported, either by the + /// implementation in general or in this particular location. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The provided key attributes are not valid for the operation. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The #PSA_KEY_DERIVATION_INPUT_SECRET or + /// #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + /// key; or one of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_DERIVE. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_output_key_ext( + attributes: *const psa_key_attributes_t, + operation: *mut psa_key_derivation_operation_t, + params: *const psa_key_production_parameters_t, + params_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_hmac_operation_t { - /// The HMAC algorithm in use - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - /// The hash context. - pub hash_ctx: psa_hash_operation_s, - /// The HMAC part of the context. - pub private_opad: [u8; 128usize], +unsafe extern "C" { + /// Compare output data from a key derivation operation to an expected value. + /// + /// This function calculates output bytes from a key derivation algorithm and + /// compares those bytes to an expected value in constant time. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the expected number of bytes from the + /// stream before comparing them. + /// The operation's capacity decreases by the number of bytes read. + /// + /// This is functionally equivalent to the following code: + /// \code + /// psa_key_derivation_output_bytes(operation, tmp, output_length); + /// if (memcmp(output, tmp, output_length) != 0) + /// return PSA_ERROR_INVALID_SIGNATURE; + /// \endcode + /// except (1) it works even if the key's policy does not allow outputting the + /// bytes, and (2) the comparison will be done in constant time. + /// + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + /// the operation enters an error state and must be aborted by calling + /// psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] expected Buffer containing the expected derivation output. + /// \param expected_length Length of the expected output; this is also the + /// number of bytes that will be read. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The output was read successfully, but it differs from the expected + /// output. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// One of the inputs was a key whose policy didn't allow + /// #PSA_KEY_USAGE_VERIFY_DERIVATION. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// \p output_length bytes. Note that in this case, + /// the operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller expected output. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_verify_bytes( + operation: *mut psa_key_derivation_operation_t, + expected: *const u8, + expected_length: usize, + ) -> psa_status_t; } -impl Default for mbedtls_psa_hmac_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Compare output data from a key derivation operation to an expected value + /// stored in a key object. + /// + /// This function calculates output bytes from a key derivation algorithm and + /// compares those bytes to an expected value, provided as key of type + /// #PSA_KEY_TYPE_PASSWORD_HASH. + /// If you view the key derivation's output as a stream of bytes, this + /// function destructively reads the number of bytes corresponding to the + /// length of the expected value from the stream before comparing them. + /// The operation's capacity decreases by the number of bytes read. + /// + /// This is functionally equivalent to exporting the key and calling + /// psa_key_derivation_verify_bytes() on the result, except that it + /// works even if the key cannot be exported. + /// + /// If this function returns an error status other than + /// #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + /// the operation enters an error state and must be aborted by calling + /// psa_key_derivation_abort(). + /// + /// \param[in,out] operation The key derivation operation object to read from. + /// \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH + /// containing the expected output. Its policy must + /// include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag + /// and the permitted algorithm must match the + /// operation. The value of this key was likely + /// computed by a previous call to + /// psa_key_derivation_output_key() or + /// psa_key_derivation_output_key_custom(). + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The output was read successfully, but if differs from the expected + /// output. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// The key passed as the expected value does not exist. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key passed as the expected value has an invalid type. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key passed as the expected value does not allow this usage or + /// this algorithm; or one of the inputs was a key whose policy didn't + /// allow #PSA_KEY_USAGE_VERIFY_DERIVATION. + /// \retval #PSA_ERROR_INSUFFICIENT_DATA + /// The operation's capacity was less than + /// the length of the expected value. In this case, + /// the operation's capacity is set to 0, thus + /// subsequent calls to this function will not + /// succeed, even with a smaller expected output. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active and completed + /// all required input steps), or the library has not been previously + /// initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_verify_key( + operation: *mut psa_key_derivation_operation_t, + expected: psa_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_mac_operation_t { - pub private_alg: psa_algorithm_t, - pub __bindgen_padding_0: u64, - pub private_ctx: mbedtls_psa_mac_operation_t__bindgen_ty_1, +unsafe extern "C" { + /// Abort a key derivation operation. + /// + /// Aborting an operation frees all associated resources except for the \c + /// operation structure itself. Once aborted, the operation object can be reused + /// for another operation by calling psa_key_derivation_setup() again. + /// + /// This function may be called at any time after the operation + /// object has been initialized as described in #psa_key_derivation_operation_t. + /// + /// In particular, it is valid to call psa_key_derivation_abort() twice, or to + /// call psa_key_derivation_abort() on an operation that has not been set up. + /// + /// \param[in,out] operation The operation to abort. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_key_derivation_abort(operation: *mut psa_key_derivation_operation_t) + -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union mbedtls_psa_mac_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_hmac: mbedtls_psa_hmac_operation_t, - pub private_cmac: mbedtls_cipher_context_t, +unsafe extern "C" { + /// Perform a key agreement and return the raw shared secret. + /// + /// \warning The raw result of a key agreement algorithm such as finite-field + /// Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should + /// not be used directly as key material. It should instead be passed as + /// input to a key derivation algorithm. To chain a key agreement with + /// a key derivation, use psa_key_derivation_key_agreement() and other + /// functions from the key derivation interface. + /// + /// \param alg The key agreement algorithm to compute + /// (\c PSA_ALG_XXX value such that + /// #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg) + /// is true). + /// \param private_key Identifier of the private key to use. It must + /// allow the usage #PSA_KEY_USAGE_DERIVE. + /// \param[in] peer_key Public key of the peer. It must be + /// in the same format that psa_import_key() + /// accepts. The standard formats for public + /// keys are documented in the documentation + /// of psa_export_public_key(). + /// \param peer_key_length Size of \p peer_key in bytes. + /// \param[out] output Buffer where the decrypted message is to + /// be written. + /// \param output_size Size of the \c output buffer in bytes. + /// \param[out] output_length On success, the number of bytes + /// that make up the returned output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p alg is not a key agreement algorithm, or + /// \p private_key is not compatible with \p alg, + /// or \p peer_key is not valid for \p alg or not compatible with + /// \p private_key. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// \p output_size is too small + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p alg is not a supported key agreement algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_raw_key_agreement( + alg: psa_algorithm_t, + private_key: mbedtls_svc_key_id_t, + peer_key: *const u8, + peer_key_length: usize, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// \brief Generate random bytes. + /// + /// \warning This function **can** fail! Callers MUST check the return status + /// and MUST NOT use the content of the output buffer if the return + /// status is not #PSA_SUCCESS. + /// + /// \note To generate a key, use psa_generate_key() instead. + /// + /// \param[out] output Output buffer for the generated data. + /// \param output_size Number of bytes to generate and output. + /// + /// \retval #PSA_SUCCESS \emptydescription + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_random(output: *mut u8, output_size: usize) -> psa_status_t; } -impl Default for mbedtls_psa_mac_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Generate a key or key pair. + /// + /// The key is generated randomly. + /// Its location, usage policy, type and size are taken from \p attributes. + /// + /// Implementations must reject an attempt to generate a key of size 0. + /// + /// The following type-specific considerations apply: + /// - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), + /// the public exponent is 65537. + /// The modulus is a product of two probabilistic primes + /// between 2^{n-1} and 2^n where n is the bit size specified in the + /// attributes. + /// + /// \note This function is equivalent to calling psa_generate_key_custom() + /// with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// and `custom_data_length == 0` (i.e. `custom_data` is empty). + /// + /// \param[in] attributes The attributes for the new key. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key( + attributes: *const psa_key_attributes_t, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -impl Default for mbedtls_psa_mac_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Generate a key or key pair using custom production parameters. + /// + /// See the description of psa_generate_key() for the operation of this + /// function with the default production parameters. In addition, this function + /// supports the following production customizations, described in more detail + /// in the documentation of ::psa_custom_key_parameters_t: + /// + /// - RSA keys: generation with a custom public exponent. + /// + /// \note This function is experimental and may change in future minor + /// versions of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// \param[in] custom Customization parameters for the key generation. + /// When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + /// with \p custom_data_length = 0, + /// this function is equivalent to + /// psa_generate_key(). + /// \param[in] custom_data Variable-length data associated with \c custom. + /// \param custom_data_length + /// Length of `custom_data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key_custom( + attributes: *const psa_key_attributes_t, + custom: *const psa_custom_key_parameters_t, + custom_data: *const u8, + custom_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_aead_operation_t { - pub private_alg: psa_algorithm_t, - pub private_key_type: psa_key_type_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_tag_length: u8, - pub ctx: mbedtls_psa_aead_operation_t__bindgen_ty_1, +unsafe extern "C" { + /// \brief Generate a key or key pair using custom production parameters. + /// + /// \note + /// This is a deprecated variant of psa_key_derivation_output_key_custom(). + /// It is equivalent except that the associated variable-length data + /// is passed in `params->data` instead of a separate parameter. + /// This function will be removed in a future version of Mbed TLS. + /// + /// \param[in] attributes The attributes for the new key. + /// \param[in] params Customization parameters for the key generation. + /// When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + /// with \p params_data_length = 0, + /// this function is equivalent to + /// psa_generate_key(). + /// \param params_data_length + /// Length of `params->data` in bytes. + /// \param[out] key On success, an identifier for the newly created + /// key. For persistent keys, this is the key + /// identifier defined in \p attributes. + /// \c 0 on failure. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// If the key is persistent, the key material and the key's metadata + /// have been saved to persistent storage. + /// \retval #PSA_ERROR_ALREADY_EXISTS + /// This is an attempt to create a persistent key, and there is + /// already a persistent key with the given identifier. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_generate_key_ext( + attributes: *const psa_key_attributes_t, + params: *const psa_key_production_parameters_t, + params_data_length: usize, + key: *mut mbedtls_svc_key_id_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_aead_operation_t__bindgen_ty_1 { - pub dummy: ::core::ffi::c_uint, - pub private_ccm: mbedtls_ccm_context, - pub private_gcm: mbedtls_gcm_context, - pub private_chachapoly: mbedtls_chachapoly_context, +/// The type of the state data structure for interruptible hash +/// signing operations. +/// +/// Before calling any function on a sign hash operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer +/// #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation = +/// PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function +/// psa_sign_hash_interruptible_operation_init() to the structure, for +/// example: +/// \code +/// psa_sign_hash_interruptible_operation_t operation; +/// operation = psa_sign_hash_interruptible_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_sign_hash_interruptible_operation_t = psa_sign_hash_interruptible_operation_s; +/// The type of the state data structure for interruptible hash +/// verification operations. +/// +/// Before calling any function on a sign hash operation object, the +/// application must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer +/// #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation = +/// PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function +/// psa_verify_hash_interruptible_operation_init() to the structure, for +/// example: +/// \code +/// psa_verify_hash_interruptible_operation_t operation; +/// operation = psa_verify_hash_interruptible_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_verify_hash_interruptible_operation_t = psa_verify_hash_interruptible_operation_s; +unsafe extern "C" { + /// \brief Set the maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note The time taken to execute a single op is + /// implementation specific and depends on + /// software, hardware, the algorithm, key type and + /// curve chosen. Even within a single operation, + /// successive ops can take differing amounts of + /// time. The only guarantee is that lower values + /// for \p max_ops means functions will block for a + /// lesser maximum amount of time. The functions + /// \c psa_sign_interruptible_get_num_ops() and + /// \c psa_verify_interruptible_get_num_ops() are + /// provided to help with tuning this value. + /// + /// \note This value defaults to + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which + /// means the whole operation will be done in one + /// go, regardless of the number of ops required. + /// + /// \note If more ops are needed to complete a + /// computation, #PSA_OPERATION_INCOMPLETE will be + /// returned by the function performing the + /// computation. It is then the caller's + /// responsibility to either call again with the + /// same operation context until it returns 0 or an + /// error code; or to call the relevant abort + /// function if the answer is no longer required. + /// + /// \note The interpretation of \p max_ops is also + /// implementation defined. On a hard real time + /// system, this can indicate a hard deadline, as a + /// real-time system needs a guarantee of not + /// spending more than X time, however care must be + /// taken in such an implementation to avoid the + /// situation whereby calls just return, not being + /// able to do any actual work within the allotted + /// time. On a non-real-time system, the + /// implementation can be more relaxed, but again + /// whether this number should be interpreted as as + /// hard or soft limit or even whether a less than + /// or equals as regards to ops executed in a + /// single call is implementation defined. + /// + /// \note For keys in local storage when no accelerator + /// driver applies, please see also the + /// documentation for \c mbedtls_ecp_set_max_ops(), + /// which is the internal implementation in these + /// cases. + /// + /// \warning With implementations that interpret this number + /// as a hard limit, setting this number too small + /// may result in an infinite loop, whereby each + /// call results in immediate return with no ops + /// done (as there is not enough time to execute + /// any), and thus no result will ever be achieved. + /// + /// \note This only applies to functions whose + /// documentation mentions they may return + /// #PSA_OPERATION_INCOMPLETE. + /// + /// \param max_ops The maximum number of ops to be executed in a + /// single call. This can be a number from 0 to + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 + /// is the least amount of work done per call. + pub fn psa_interruptible_set_max_ops(max_ops: u32); } -impl Default for mbedtls_psa_aead_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Get the maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. This will return the last + /// value set by + /// \c psa_interruptible_set_max_ops() or + /// #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if + /// that function has never been called. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \return Maximum number of ops allowed to be + /// executed by an interruptible function in a + /// single call. + pub fn psa_interruptible_get_max_ops() -> u32; } -impl Default for mbedtls_psa_aead_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Get the number of ops that a hash signing + /// operation has taken so far. If the operation + /// has completed, then this will represent the + /// number of ops required for the entire + /// operation. After initialization or calling + /// \c psa_sign_hash_interruptible_abort() on + /// the operation, a value of 0 will be returned. + /// + /// \note This interface is guaranteed re-entrant and + /// thus may be called from driver code. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// This is a helper provided to help you tune the + /// value passed to \c + /// psa_interruptible_set_max_ops(). + /// + /// \param operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \return Number of ops that the operation has taken so + /// far. + pub fn psa_sign_hash_get_num_ops( + operation: *const psa_sign_hash_interruptible_operation_t, + ) -> u32; } -impl mbedtls_psa_aead_operation_t { - #[inline] - pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_is_encrypt: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; - private_is_encrypt as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// \brief Get the number of ops that a hash verification + /// operation has taken so far. If the operation + /// has completed, then this will represent the + /// number of ops required for the entire + /// operation. After initialization or calling \c + /// psa_verify_hash_interruptible_abort() on the + /// operation, a value of 0 will be returned. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// This is a helper provided to help you tune the + /// value passed to \c + /// psa_interruptible_set_max_ops(). + /// + /// \param operation The \c + /// psa_verify_hash_interruptible_operation_t to + /// use. This must be initialized first. + /// + /// \return Number of ops that the operation has taken so + /// far. + pub fn psa_verify_hash_get_num_ops( + operation: *const psa_verify_hash_interruptible_operation_t, + ) -> u32; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_sign_hash_interruptible_operation_t { - pub private_dummy: ::core::ffi::c_uint, +unsafe extern "C" { + /// \brief Start signing a hash or short message with a + /// private key, in an interruptible manner. + /// + /// \see \c psa_sign_hash_complete() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_sign_hash_complete() is equivalent to + /// \c psa_sign_hash() but + /// \c psa_sign_hash_complete() can return early and + /// resume according to the limit set with \c + /// psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function call. + /// + /// \note Users should call \c psa_sign_hash_complete() + /// repeatedly on the same context after a + /// successful call to this function until \c + /// psa_sign_hash_complete() either returns 0 or an + /// error. \c psa_sign_hash_complete() will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_sign_hash_abort() at any point if they no + /// longer want the result. + /// + /// \note If this function returns an error status, the + /// operation enters an error state and must be + /// aborted by calling \c psa_sign_hash_abort(). + /// + /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \param key Identifier of the key to use for the operation. + /// It must be an asymmetric key pair. The key must + /// allow the usage #PSA_KEY_USAGE_SIGN_HASH. + /// \param alg A signature algorithm (\c PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash or message to sign. + /// \param hash_length Size of the \p hash buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The operation started successfully - call \c psa_sign_hash_complete() + /// with the same context to complete the operation + /// + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does + /// not permit the requested algorithm. + /// \retval #PSA_ERROR_BAD_STATE + /// An operation has previously been started on this context, and is + /// still in progress. + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash_start( + operation: *mut psa_sign_hash_interruptible_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_verify_hash_interruptible_operation_t { - pub private_dummy: ::core::ffi::c_uint, +unsafe extern "C" { + /// \brief Continue and eventually complete the action of + /// signing a hash or short message with a private + /// key, in an interruptible manner. + /// + /// \see \c psa_sign_hash_start() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_sign_hash_start() is equivalent to + /// \c psa_sign_hash() but this function can return + /// early and resume according to the limit set with + /// \c psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function call. + /// + /// \note Users should call this function on the same + /// operation object repeatedly until it either + /// returns 0 or an error. This function will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_sign_hash_abort() at any point if they no + /// longer want the result. + /// + /// \note When this function returns successfully, the + /// operation becomes inactive. If this function + /// returns an error status, the operation enters an + /// error state and must be aborted by calling + /// \c psa_sign_hash_abort(). + /// + /// \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + /// to use. This must be initialized first, and have + /// had \c psa_sign_hash_start() called with it + /// first. + /// + /// \param[out] signature Buffer where the signature is to be written. + /// \param signature_size Size of the \p signature buffer in bytes. This + /// must be appropriate for the selected + /// algorithm and key: + /// - The required signature size is + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c + /// key_bits, \c alg) where \c key_type and \c + /// key_bits are the type and bit-size + /// respectively of key. + /// - #PSA_SIGNATURE_MAX_SIZE evaluates to the + /// maximum signature size of any supported + /// signature algorithm. + /// \param[out] signature_length On success, the number of bytes that make up + /// the returned signature value. + /// + /// \retval #PSA_SUCCESS + /// Operation completed successfully + /// + /// \retval #PSA_OPERATION_INCOMPLETE + /// Operation was interrupted due to the setting of \c + /// psa_interruptible_set_max_ops(). There is still work to be done. + /// Call this function again with the same operation object. + /// + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p signature buffer is too small. You can + /// determine a sufficient buffer size by calling + /// #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \c alg) + /// where \c key_type and \c key_bits are the type and bit-size + /// respectively of \c key. + /// + /// \retval #PSA_ERROR_BAD_STATE + /// An operation was not previously started on this context via + /// \c psa_sign_hash_start(). + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has either not been previously initialized by + /// psa_crypto_init() or you did not previously call + /// psa_sign_hash_start() with this operation object. It is + /// implementation-dependent whether a failure to initialize results in + /// this error code. + pub fn psa_sign_hash_complete( + operation: *mut psa_sign_hash_interruptible_operation_t, + signature: *mut u8, + signature_size: usize, + signature_length: *mut usize, + ) -> psa_status_t; } -///< Client -pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_CLIENT: mbedtls_ecjpake_role = 0; -///< Server -pub const mbedtls_ecjpake_role_MBEDTLS_ECJPAKE_SERVER: mbedtls_ecjpake_role = 1; -/// Roles in the EC J-PAKE exchange -pub type mbedtls_ecjpake_role = ::core::ffi::c_uint; -/// EC J-PAKE context structure. -/// -/// J-PAKE is a symmetric protocol, except for the identifiers used in -/// Zero-Knowledge Proofs, and the serialization of the second message -/// (KeyExchange) as defined by the Thread spec. -/// -/// In order to benefit from this symmetry, we choose a different naming -/// convention from the Thread v1.0 spec. Correspondence is indicated in the -/// description as a pair C: client name, S: server name -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_ecjpake_context { - ///< Hash to use - pub private_md_type: mbedtls_md_type_t, - ///< Elliptic curve - pub private_grp: mbedtls_ecp_group, - ///< Are we client or server? - pub private_role: mbedtls_ecjpake_role, - ///< Format for point export - pub private_point_format: ::core::ffi::c_int, - ///< My public key 1 C: X1, S: X3 - pub private_Xm1: mbedtls_ecp_point, - ///< My public key 2 C: X2, S: X4 - pub private_Xm2: mbedtls_ecp_point, - ///< Peer public key 1 C: X3, S: X1 - pub private_Xp1: mbedtls_ecp_point, - ///< Peer public key 2 C: X4, S: X2 - pub private_Xp2: mbedtls_ecp_point, - ///< Peer public key C: Xs, S: Xc - pub private_Xp: mbedtls_ecp_point, - ///< My private key 1 C: x1, S: x3 - pub private_xm1: mbedtls_mpi, - ///< My private key 2 C: x2, S: x4 - pub private_xm2: mbedtls_mpi, - ///< Pre-shared secret (passphrase) - pub private_s: mbedtls_mpi, +unsafe extern "C" { + /// \brief Abort a sign hash operation. + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function is the only function that clears + /// the number of ops completed as part of the + /// operation. Please ensure you copy this value via + /// \c psa_sign_hash_get_num_ops() if required + /// before calling. + /// + /// \note Aborting an operation frees all associated + /// resources except for the \p operation structure + /// itself. Once aborted, the operation object can + /// be reused for another operation by calling \c + /// psa_sign_hash_start() again. + /// + /// \note You may call this function any time after the + /// operation object has been initialized. In + /// particular, calling \c psa_sign_hash_abort() + /// after the operation has already been terminated + /// by a call to \c psa_sign_hash_abort() or + /// psa_sign_hash_complete() is safe. + /// + /// \param[in,out] operation Initialized sign hash operation. + /// + /// \retval #PSA_SUCCESS + /// The operation was aborted successfully. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_sign_hash_abort( + operation: *mut psa_sign_hash_interruptible_operation_t, + ) -> psa_status_t; } -impl Default for mbedtls_ecjpake_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Start reading and verifying a hash or short + /// message, in an interruptible manner. + /// + /// \see \c psa_verify_hash_complete() + /// + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. + /// + /// \note This function combined with \c + /// psa_verify_hash_complete() is equivalent to + /// \c psa_verify_hash() but \c + /// psa_verify_hash_complete() can return early and + /// resume according to the limit set with \c + /// psa_interruptible_set_max_ops() to reduce the + /// maximum time spent in a function. + /// + /// \note Users should call \c psa_verify_hash_complete() + /// repeatedly on the same operation object after a + /// successful call to this function until \c + /// psa_verify_hash_complete() either returns 0 or + /// an error. \c psa_verify_hash_complete() will + /// return #PSA_OPERATION_INCOMPLETE if there is + /// more work to do. Alternatively users can call + /// \c psa_verify_hash_abort() at any point if they + /// no longer want the result. + /// + /// \note If this function returns an error status, the + /// operation enters an error state and must be + /// aborted by calling \c psa_verify_hash_abort(). + /// + /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + /// to use. This must be initialized first. + /// + /// \param key Identifier of the key to use for the operation. + /// The key must allow the usage + /// #PSA_KEY_USAGE_VERIFY_HASH. + /// \param alg A signature algorithm (\c PSA_ALG_XXX + /// value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + /// is true), that is compatible with + /// the type of \p key. + /// \param[in] hash The hash whose signature is to be verified. + /// \param hash_length Size of the \p hash buffer in bytes. + /// \param[in] signature Buffer containing the signature to verify. + /// \param signature_length Size of the \p signature buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// The operation started successfully - please call \c + /// psa_verify_hash_complete() with the same context to complete the + /// operation. + /// + /// \retval #PSA_ERROR_BAD_STATE + /// Another operation has already been started on this context, and is + /// still in progress. + /// + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does + /// not permit the requested algorithm. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash_start( + operation: *mut psa_verify_hash_interruptible_operation_t, + key: mbedtls_svc_key_id_t, + alg: psa_algorithm_t, + hash: *const u8, + hash_length: usize, + signature: *const u8, + signature_length: usize, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Initialize an ECJPAKE context. + /// \brief Continue and eventually complete the action of + /// reading and verifying a hash or short message + /// signed with a private key, in an interruptible + /// manner. /// - /// \param ctx The ECJPAKE context to initialize. - /// This must not be \c NULL. - pub fn mbedtls_ecjpake_init(ctx: *mut mbedtls_ecjpake_context); -} -unsafe extern "C" { - /// \brief Set up an ECJPAKE context for use. + /// \see \c psa_verify_hash_start() /// - /// \note Currently the only values for hash/curve allowed by the - /// standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. + /// \warning This is a beta API, and thus subject to change + /// at any point. It is not bound by the usual + /// interface stability promises. /// - /// \param ctx The ECJPAKE context to set up. This must be initialized. - /// \param role The role of the caller. This must be either - /// #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. - /// \param hash The identifier of the hash function to use, - /// for example #MBEDTLS_MD_SHA256. - /// \param curve The identifier of the elliptic curve to use, - /// for example #MBEDTLS_ECP_DP_SECP256R1. - /// \param secret The pre-shared secret (passphrase). This must be - /// a readable not empty buffer of length \p len Bytes. It need - /// only be valid for the duration of this call. - /// \param len The length of the pre-shared secret \p secret. + /// \note This function combined with \c + /// psa_verify_hash_start() is equivalent to + /// \c psa_verify_hash() but this function can + /// return early and resume according to the limit + /// set with \c psa_interruptible_set_max_ops() to + /// reduce the maximum time spent in a function + /// call. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_setup( - ctx: *mut mbedtls_ecjpake_context, - role: mbedtls_ecjpake_role, - hash: mbedtls_md_type_t, - curve: mbedtls_ecp_group_id, - secret: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Set the point format for future reads and writes. + /// \note Users should call this function on the same + /// operation object repeatedly until it either + /// returns 0 or an error. This function will return + /// #PSA_OPERATION_INCOMPLETE if there is more work + /// to do. Alternatively users can call + /// \c psa_verify_hash_abort() at any point if they + /// no longer want the result. /// - /// \param ctx The ECJPAKE context to configure. - /// \param point_format The point format to use: - /// #MBEDTLS_ECP_PF_UNCOMPRESSED (default) - /// or #MBEDTLS_ECP_PF_COMPRESSED. + /// \note When this function returns successfully, the + /// operation becomes inactive. If this function + /// returns an error status, the operation enters an + /// error state and must be aborted by calling + /// \c psa_verify_hash_abort(). /// - /// \return \c 0 if successful. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format - /// is invalid. - pub fn mbedtls_ecjpake_set_point_format( - ctx: *mut mbedtls_ecjpake_context, - point_format: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Check if an ECJPAKE context is ready for use. + /// \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + /// to use. This must be initialized first, and have + /// had \c psa_verify_hash_start() called with it + /// first. /// - /// \param ctx The ECJPAKE context to check. This must be - /// initialized. + /// \retval #PSA_SUCCESS + /// Operation completed successfully, and the passed signature is valid. /// - /// \return \c 0 if the context is ready for use. - /// \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. - pub fn mbedtls_ecjpake_check(ctx: *const mbedtls_ecjpake_context) -> ::core::ffi::c_int; + /// \retval #PSA_OPERATION_INCOMPLETE + /// Operation was interrupted due to the setting of \c + /// psa_interruptible_set_max_ops(). There is still work to be done. + /// Call this function again with the same operation object. + /// + /// \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The calculation was performed successfully, but the passed + /// signature is not a valid signature. + /// \retval #PSA_ERROR_BAD_STATE + /// An operation was not previously started on this context via + /// \c psa_verify_hash_start(). + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has either not been previously initialized by + /// psa_crypto_init() or you did not previously call + /// psa_verify_hash_start() on this object. It is + /// implementation-dependent whether a failure to initialize results in + /// this error code. + pub fn psa_verify_hash_complete( + operation: *mut psa_verify_hash_interruptible_operation_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Generate and write the first round message - /// (TLS: contents of the Client/ServerHello extension, - /// excluding extension type and length bytes). + /// \brief Abort a verify hash operation. /// - /// \param ctx The ECJPAKE context to use. This must be - /// initialized and set up. - /// \param buf The buffer to write the contents to. This must be a - /// writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number - /// of Bytes written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// \warning This is a beta API, and thus subject to change at + /// any point. It is not bound by the usual interface + /// stability promises. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_round_one( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Read and process the first round message - /// (TLS: contents of the Client/ServerHello extension, - /// excluding extension type and length bytes). + /// \note This function is the only function that clears the + /// number of ops completed as part of the operation. + /// Please ensure you copy this value via + /// \c psa_verify_hash_get_num_ops() if required + /// before calling. /// - /// \param ctx The ECJPAKE context to use. This must be initialized - /// and set up. - /// \param buf The buffer holding the first round message. This must - /// be a readable buffer of length \p len Bytes. - /// \param len The length in Bytes of \p buf. + /// \note Aborting an operation frees all associated + /// resources except for the operation structure + /// itself. Once aborted, the operation object can be + /// reused for another operation by calling \c + /// psa_verify_hash_start() again. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_read_round_one( - ctx: *mut mbedtls_ecjpake_context, - buf: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \note You may call this function any time after the + /// operation object has been initialized. + /// In particular, calling \c psa_verify_hash_abort() + /// after the operation has already been terminated by + /// a call to \c psa_verify_hash_abort() or + /// psa_verify_hash_complete() is safe. + /// + /// \param[in,out] operation Initialized verify hash operation. + /// + /// \retval #PSA_SUCCESS + /// The operation was aborted successfully. + /// + /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_verify_hash_abort( + operation: *mut psa_verify_hash_interruptible_operation_t, + ) -> psa_status_t; } +pub type psa_key_handle_t = mbedtls_svc_key_id_t; unsafe extern "C" { - /// \brief Generate and write the second round message - /// (TLS: contents of the Client/ServerKeyExchange). + /// Open a handle to an existing persistent key. /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up, and already have performed round one. - /// \param buf The buffer to write the round two contents to. - /// This must be a writable buffer of length \p len Bytes. - /// \param len The size of \p buf in Bytes. - /// \param olen The address at which to store the total number of Bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// Open a handle to a persistent key. A key is persistent if it was created + /// with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key + /// always has a nonzero key identifier, set with psa_set_key_id() when + /// creating the key. Implementations may provide additional pre-provisioned + /// keys that can be opened with psa_open_key(). Such keys have an application + /// key identifier in the vendor range, as documented in the description of + /// #psa_key_id_t. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_round_two( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; + /// The application must eventually close the handle with psa_close_key() or + /// psa_destroy_key() to release associated resources. If the application dies + /// without calling one of these functions, the implementation should perform + /// the equivalent of a call to psa_close_key(). + /// + /// Some implementations permit an application to open the same key multiple + /// times. If this is successful, each call to psa_open_key() will return a + /// different key handle. + /// + /// \note This API is not part of the PSA Cryptography API Release 1.0.0 + /// specification. It was defined in the 1.0 Beta 3 version of the + /// specification but was removed in the 1.0.0 released version. This API is + /// kept for the time being to not break applications relying on it. It is not + /// deprecated yet but will be in the near future. + /// + /// \note Applications that rely on opening a key multiple times will not be + /// portable to implementations that only permit a single key handle to be + /// opened. See also :ref:\`key-handles\`. + /// + /// + /// \param key The persistent identifier of the key. + /// \param[out] handle On success, a handle to the key. + /// + /// \retval #PSA_SUCCESS + /// Success. The application can now use the value of `*handle` + /// to access the key. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY + /// The implementation does not have sufficient resources to open the + /// key. This can be due to reaching an implementation limit on the + /// number of open keys, the number of open key handles, or available + /// memory. + /// \retval #PSA_ERROR_DOES_NOT_EXIST + /// There is no persistent key with key identifier \p key. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p key is not a valid persistent key identifier. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The specified key exists, but the application does not have the + /// permission to access it. Note that this specification does not + /// define any way to create such a key, but it may be possible + /// through implementation-specific means. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_open_key(key: mbedtls_svc_key_id_t, handle: *mut psa_key_handle_t) -> psa_status_t; } unsafe extern "C" { - /// \brief Read and process the second round message - /// (TLS: contents of the Client/ServerKeyExchange). + /// Close a key handle. /// - /// \param ctx The ECJPAKE context to use. This must be initialized - /// and set up and already have performed round one. - /// \param buf The buffer holding the second round message. This must - /// be a readable buffer of length \p len Bytes. - /// \param len The length in Bytes of \p buf. + /// If the handle designates a volatile key, this will destroy the key material + /// and free all associated resources, just like psa_destroy_key(). /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_read_round_two( - ctx: *mut mbedtls_ecjpake_context, - buf: *const ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Derive the shared secret - /// (TLS: Pre-Master Secret). + /// If this is the last open handle to a persistent key, then closing the handle + /// will free all resources associated with the key in volatile memory. The key + /// data in persistent storage is not affected and can be opened again later + /// with a call to psa_open_key(). /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up and have performed both round one and two. - /// \param buf The buffer to write the derived secret to. This must - /// be a writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number of Bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// Closing the key handle makes the handle invalid, and the key handle + /// must not be used again by the application. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_derive_secret( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Write the shared key material to be passed to a Key - /// Derivation Function as described in RFC8236. + /// \note This API is not part of the PSA Cryptography API Release 1.0.0 + /// specification. It was defined in the 1.0 Beta 3 version of the + /// specification but was removed in the 1.0.0 released version. This API is + /// kept for the time being to not break applications relying on it. It is not + /// deprecated yet but will be in the near future. /// - /// \param ctx The ECJPAKE context to use. This must be initialized, - /// set up and have performed both round one and two. - /// \param buf The buffer to write the derived secret to. This must - /// be a writable buffer of length \p len Bytes. - /// \param len The length of \p buf in Bytes. - /// \param olen The address at which to store the total number of bytes - /// written to \p buf. This must not be \c NULL. - /// \param f_rng The RNG function to use. This must not be \c NULL. - /// \param p_rng The RNG parameter to be passed to \p f_rng. This - /// may be \c NULL if \p f_rng doesn't use a context. + /// \note If the key handle was used to set up an active + /// :ref:\`multipart operation \`, then closing the + /// key handle can cause the multipart operation to fail. Applications should + /// maintain the key handle until after the multipart operation has finished. /// - /// \return \c 0 if successful. - /// \return A negative error code on failure. - pub fn mbedtls_ecjpake_write_shared_key( - ctx: *mut mbedtls_ecjpake_context, - buf: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, - p_rng: *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief This clears an ECJPAKE context and frees any - /// embedded data structure. + /// \param handle The key handle to close. + /// If this is \c 0, do nothing and return \c PSA_SUCCESS. /// - /// \param ctx The ECJPAKE context to free. This may be \c NULL, - /// in which case this function does nothing. If it is not - /// \c NULL, it must point to an initialized ECJPAKE context. - pub fn mbedtls_ecjpake_free(ctx: *mut mbedtls_ecjpake_context); + /// \retval #PSA_SUCCESS + /// \p handle was a valid handle or \c 0. It is now closed. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p handle is not a valid handle nor \c 0. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_close_key(handle: psa_key_handle_t) -> psa_status_t; } unsafe extern "C" { - /// \brief Checkup routine + /// \brief Library deinitialization. /// - /// \return 0 if successful, or 1 if a test failed - pub fn mbedtls_ecjpake_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_psa_pake_operation_t { - pub private_alg: psa_algorithm_t, - pub private_password: *mut u8, - pub private_password_len: usize, - pub private_role: u8, - pub private_buffer: [u8; 336usize], - pub private_buffer_length: usize, - pub private_buffer_offset: usize, - pub private_ctx: mbedtls_psa_pake_operation_t__bindgen_ty_1, -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union mbedtls_psa_pake_operation_t__bindgen_ty_1 { - pub private_dummy: ::core::ffi::c_uint, - pub private_jpake: mbedtls_ecjpake_context, -} -impl Default for mbedtls_psa_pake_operation_t__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl Default for mbedtls_psa_pake_operation_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_driver_mac_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_mac_operation_t, -} -impl Default for psa_driver_mac_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_aead_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_aead_operation_t, -} -impl Default for psa_driver_aead_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_sign_hash_interruptible_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_sign_hash_interruptible_operation_t, -} -impl Default for psa_driver_sign_hash_interruptible_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_verify_hash_interruptible_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_verify_hash_interruptible_operation_t, -} -impl Default for psa_driver_verify_hash_interruptible_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_driver_pake_context_t { - pub dummy: ::core::ffi::c_uint, - pub mbedtls_ctx: mbedtls_psa_pake_operation_t, -} -impl Default for psa_driver_pake_context_t { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } + /// This function clears all data associated with the PSA layer, + /// including the whole key store. + /// This function is not thread safe, it wipes every key slot regardless of + /// state and reader count. It should only be called when no slot is in use. + /// + /// This is an Mbed TLS extension. + pub fn mbedtls_psa_crypto_free(); } +/// \brief Statistics about +/// resource consumption related to the PSA keystore. +/// +/// \note The content of this structure is not part of the stable API and ABI +/// of Mbed TLS and may change arbitrarily from version to version. #[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_mac_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_mac_size: u8, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub __bindgen_padding_0: u64, - pub private_ctx: psa_driver_mac_context_t, +#[derive(Default, Copy, Clone)] +pub struct mbedtls_psa_stats_s { + /// Number of slots containing key material for a volatile key. + pub private_volatile_slots: usize, + /// Number of slots containing key material for a key which is in + /// internal persistent storage. + pub private_persistent_slots: usize, + /// Number of slots containing a reference to a key in a + /// secure element. + pub private_external_slots: usize, + /// Number of slots which are occupied, but do not contain + /// key material yet. + pub private_half_filled_slots: usize, + /// Number of slots that contain cache data. + pub private_cache_slots: usize, + /// Number of slots that are not used for anything. + pub private_empty_slots: usize, + /// Number of slots that are locked. + pub private_locked_slots: usize, + /// Largest key id value among open keys in internal persistent storage. + pub private_max_open_internal_key_id: psa_key_id_t, + /// Largest key id value among open keys in secure elements. + pub private_max_open_external_key_id: psa_key_id_t, } -impl Default for psa_mac_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +/// \brief Statistics about +/// resource consumption related to the PSA keystore. +/// +/// \note The content of this structure is not part of the stable API and ABI +/// of Mbed TLS and may change arbitrarily from version to version. +pub type mbedtls_psa_stats_t = mbedtls_psa_stats_s; +unsafe extern "C" { + /// \brief Get statistics about + /// resource consumption related to the PSA keystore. + /// + /// \note When Mbed TLS is built as part of a service, with isolation + /// between the application and the keystore, the service may or + /// may not expose this function. + pub fn mbedtls_psa_get_stats(stats: *mut mbedtls_psa_stats_t); } -impl psa_mac_operation_s { - #[inline] - pub fn private_is_sign(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_sign(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_sign_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_sign_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_is_sign: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_is_sign: u32 = unsafe { ::core::mem::transmute(private_is_sign) }; - private_is_sign as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// \brief Inject an initial entropy seed for the random generator into + /// secure storage. + /// + /// This function injects data to be used as a seed for the random generator + /// used by the PSA Crypto implementation. On devices that lack a trusted + /// entropy source (preferably a hardware random number generator), + /// the Mbed PSA Crypto implementation uses this value to seed its + /// random generator. + /// + /// On devices without a trusted entropy source, this function must be + /// called exactly once in the lifetime of the device. On devices with + /// a trusted entropy source, calling this function is optional. + /// In all cases, this function may only be called before calling any + /// other function in the PSA Crypto API, including psa_crypto_init(). + /// + /// When this function returns successfully, it populates a file in + /// persistent storage. Once the file has been created, this function + /// can no longer succeed. + /// + /// If any error occurs, this function does not change the system state. + /// You can call this function again after correcting the reason for the + /// error if possible. + /// + /// \warning This function **can** fail! Callers MUST check the return status. + /// + /// \warning If you use this function, you should use it as part of a + /// factory provisioning process. The value of the injected seed + /// is critical to the security of the device. It must be + /// *secret*, *unpredictable* and (statistically) *unique per device*. + /// You should be generate it randomly using a cryptographically + /// secure random generator seeded from trusted entropy sources. + /// You should transmit it securely to the device and ensure + /// that its value is not leaked or stored anywhere beyond the + /// needs of transmitting it from the point of generation to + /// the call of this function, and erase all copies of the value + /// once this function returns. + /// + /// This is an Mbed TLS extension. + /// + /// \note This function is only available on the following platforms: + /// * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled. + /// Note that you must provide compatible implementations of + /// mbedtls_nv_seed_read and mbedtls_nv_seed_write. + /// * In a client-server integration of PSA Cryptography, on the client side, + /// if the server supports this feature. + /// \param[in] seed Buffer containing the seed value to inject. + /// \param[in] seed_size Size of the \p seed buffer. + /// The size of the seed in bytes must be greater + /// or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE + /// and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM + /// in `library/entropy_poll.h` in the Mbed TLS source + /// code. + /// It must be less or equal to + /// #MBEDTLS_ENTROPY_MAX_SEED_SIZE. + /// + /// \retval #PSA_SUCCESS + /// The seed value was injected successfully. The random generator + /// of the PSA Crypto implementation is now ready for use. + /// You may now call psa_crypto_init() and use the PSA Crypto + /// implementation. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p seed_size is out of range. + /// \retval #PSA_ERROR_STORAGE_FAILURE + /// There was a failure reading or writing from storage. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The library has already been initialized. It is no longer + /// possible to call this function. + pub fn mbedtls_psa_inject_entropy(seed: *const u8, seed_size: usize) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_aead_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_alg: psa_algorithm_t, - pub private_key_type: psa_key_type_t, - pub private_ad_remaining: usize, - pub private_body_remaining: usize, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_ctx: psa_driver_aead_context_t, +unsafe extern "C" { + /// External random generator function, implemented by the platform. + /// + /// When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, + /// this function replaces Mbed TLS's entropy and DRBG modules for all + /// random generation triggered via PSA crypto interfaces. + /// + /// \note This random generator must deliver random numbers with cryptographic + /// quality and high performance. It must supply unpredictable numbers + /// with a uniform distribution. The implementation of this function + /// is responsible for ensuring that the random generator is seeded + /// with sufficient entropy. If you have a hardware TRNG which is slow + /// or delivers non-uniform output, declare it as an entropy source + /// with mbedtls_entropy_add_source() instead of enabling this option. + /// + /// \param[in,out] context Pointer to the random generator context. + /// This is all-bits-zero on the first call + /// and preserved between successive calls. + /// \param[out] output Output buffer. On success, this buffer + /// contains random data with a uniform + /// distribution. + /// \param output_size The size of the \p output buffer in bytes. + /// \param[out] output_length On success, set this value to \p output_size. + /// + /// \retval #PSA_SUCCESS + /// Success. The output buffer contains \p output_size bytes of + /// cryptographic-quality random data, and \c *output_length is + /// set to \p output_size. + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + /// The random generator requires extra entropy and there is no + /// way to obtain entropy under current environment conditions. + /// This error should not happen under normal circumstances since + /// this function is responsible for obtaining as much entropy as + /// it needs. However implementations of this function may return + /// #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain + /// entropy without blocking indefinitely. + /// \retval #PSA_ERROR_HARDWARE_FAILURE + /// A failure of the random generator hardware that isn't covered + /// by #PSA_ERROR_INSUFFICIENT_ENTROPY. + pub fn mbedtls_psa_external_get_random( + context: *mut mbedtls_psa_external_random_context_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; } -impl Default for psa_aead_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +/// A slot number identifying a key in a driver. +/// +/// Values of this type are used to identify built-in keys. +pub type psa_drv_slot_number_t = u64; +unsafe extern "C" { + /// Check if PSA is capable of handling the specified hash algorithm. + /// + /// This means that PSA core was built with the corresponding PSA_WANT_ALG_xxx + /// set and that psa_crypto_init has already been called. + /// + /// \note When using the built-in version of the PSA core (i.e. + /// #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + /// the state of the driver subsystem, not the algorithm. + /// This might be improved in the future. + /// + /// \param hash_alg The hash algorithm. + /// + /// \return 1 if the PSA can handle \p hash_alg, 0 otherwise. + pub fn psa_can_do_hash(hash_alg: psa_algorithm_t) -> ::core::ffi::c_int; } -impl psa_aead_operation_s { - #[inline] - pub fn private_nonce_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_nonce_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_nonce_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_nonce_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_lengths_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(1usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_lengths_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(1usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_lengths_set_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 1usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_lengths_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 1usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_ad_started(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_ad_started(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(2usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_ad_started_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 2usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_ad_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 2usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_body_started(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(3usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_body_started(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(3usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_body_started_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 3usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_body_started_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 3usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn private_is_encrypt(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(4usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_is_encrypt(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(4usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_is_encrypt_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 4usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_is_encrypt_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 4usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_nonce_set: ::core::ffi::c_uint, - private_lengths_set: ::core::ffi::c_uint, - private_ad_started: ::core::ffi::c_uint, - private_body_started: ::core::ffi::c_uint, - private_is_encrypt: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_nonce_set: u32 = unsafe { ::core::mem::transmute(private_nonce_set) }; - private_nonce_set as u64 - }); - __bindgen_bitfield_unit.set(1usize, 1u8, { - let private_lengths_set: u32 = unsafe { ::core::mem::transmute(private_lengths_set) }; - private_lengths_set as u64 - }); - __bindgen_bitfield_unit.set(2usize, 1u8, { - let private_ad_started: u32 = unsafe { ::core::mem::transmute(private_ad_started) }; - private_ad_started as u64 - }); - __bindgen_bitfield_unit.set(3usize, 1u8, { - let private_body_started: u32 = unsafe { ::core::mem::transmute(private_body_started) }; - private_body_started as u64 - }); - __bindgen_bitfield_unit.set(4usize, 1u8, { - let private_is_encrypt: u32 = unsafe { ::core::mem::transmute(private_is_encrypt) }; - private_is_encrypt as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Tell if PSA is ready for this cipher. + /// + /// \note When using the built-in version of the PSA core (i.e. + /// #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + /// the state of the driver subsystem, not the key type and algorithm. + /// This might be improved in the future. + /// + /// \param key_type The key type. + /// \param cipher_alg The cipher algorithm. + /// + /// \return 1 if the PSA can handle \p cipher_alg, 0 otherwise. + pub fn psa_can_do_cipher( + key_type: psa_key_type_t, + cipher_alg: psa_algorithm_t, + ) -> ::core::ffi::c_int; +} +/// \brief Encoding of the application role of PAKE +/// +/// Encodes the application's role in the algorithm is being executed. For more +/// information see the documentation of individual \c PSA_PAKE_ROLE_XXX +/// constants. +pub type psa_pake_role_t = u8; +/// Encoding of input and output indicators for PAKE. +/// +/// Some PAKE algorithms need to exchange more data than just a single key share. +/// This type is for encoding additional input and output data for such +/// algorithms. +pub type psa_pake_step_t = u8; +/// Encoding of the type of the PAKE's primitive. +/// +/// Values defined by this standard will never be in the range 0x80-0xff. +/// Vendors who define additional types must use an encoding in this range. +/// +/// For more information see the documentation of individual +/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. +pub type psa_pake_primitive_type_t = u8; +/// \brief Encoding of the family of the primitive associated with the PAKE. +/// +/// For more information see the documentation of individual +/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. +pub type psa_pake_family_t = u8; +/// \brief Encoding of the primitive associated with the PAKE. +/// +/// For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. +pub type psa_pake_primitive_t = u32; +#[repr(C)] +#[derive(Default, Copy, Clone)] +pub struct psa_pake_cipher_suite_s { + pub algorithm: psa_algorithm_t, + pub type_: psa_pake_primitive_type_t, + pub family: psa_pake_family_t, + pub bits: u16, + pub hash: psa_algorithm_t, } #[repr(C)] -#[repr(align(16))] #[derive(Copy, Clone)] -pub struct psa_hkdf_key_derivation_t { - pub private_info: *mut u8, - pub private_info_length: usize, - pub private_offset_in_block: u8, - pub private_block_number: u8, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_output_block: [u8; 64usize], - pub private_prk: [u8; 64usize], - pub __bindgen_padding_0: [u64; 0usize], - pub private_hmac: psa_mac_operation_s, +pub struct psa_crypto_driver_pake_inputs_s { + pub private_password: *mut u8, + pub private_password_len: usize, + pub private_user: *mut u8, + pub private_user_len: usize, + pub private_peer: *mut u8, + pub private_peer_len: usize, + pub private_attributes: psa_key_attributes_t, + pub private_cipher_suite: psa_pake_cipher_suite_s, } -impl Default for psa_hkdf_key_derivation_t { +impl Default for psa_crypto_driver_pake_inputs_s { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -17057,126 +18119,97 @@ impl Default for psa_hkdf_key_derivation_t { } } } -impl psa_hkdf_key_derivation_t { - #[inline] - pub fn private_state(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 2u8) as u32) } - } - #[inline] - pub fn set_private_state(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 2u8, val as u64) - } - } - #[inline] - pub unsafe fn private_state_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 2u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_state_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 2u8, - val as u64, - ) - } - } - #[inline] - pub fn private_info_set(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(2usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_info_set(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(2usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_info_set_raw(this: *const Self) -> ::core::ffi::c_uint { +pub const psa_crypto_driver_pake_step_PSA_JPAKE_STEP_INVALID: psa_crypto_driver_pake_step = 0; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 1; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 2; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 3; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 4; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 5; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 6; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 7; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 8; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 9; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = + 10; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = + 11; +pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 12; +pub type psa_crypto_driver_pake_step = ::core::ffi::c_uint; +pub use self::psa_crypto_driver_pake_step as psa_crypto_driver_pake_step_t; +pub const psa_jpake_round_PSA_JPAKE_FIRST: psa_jpake_round = 0; +pub const psa_jpake_round_PSA_JPAKE_SECOND: psa_jpake_round = 1; +pub const psa_jpake_round_PSA_JPAKE_FINISHED: psa_jpake_round = 2; +pub type psa_jpake_round = ::core::ffi::c_uint; +pub use self::psa_jpake_round as psa_jpake_round_t; +pub const psa_jpake_io_mode_PSA_JPAKE_INPUT: psa_jpake_io_mode = 0; +pub const psa_jpake_io_mode_PSA_JPAKE_OUTPUT: psa_jpake_io_mode = 1; +pub type psa_jpake_io_mode = ::core::ffi::c_uint; +pub use self::psa_jpake_io_mode as psa_jpake_io_mode_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_jpake_computation_stage_s { + pub private_round: psa_jpake_round_t, + pub private_io_mode: psa_jpake_io_mode_t, + pub private_inputs: u8, + pub private_outputs: u8, + pub private_step: psa_pake_step_t, +} +impl Default for psa_jpake_computation_stage_s { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 2usize, - 1u8, - ) as u32) + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() } } - #[inline] - pub unsafe fn set_private_info_set_raw(this: *mut Self, val: ::core::ffi::c_uint) { +} +#[repr(C)] +#[derive(Copy, Clone)] +pub struct psa_pake_operation_s { + /// Unique ID indicating which driver got assigned to do the + /// operation. Since driver contexts are driver-specific, swapping + /// drivers halfway through the operation is not supported. + /// ID values are auto-generated in psa_crypto_driver_wrappers.h + /// ID value zero means the context is not valid or not assigned to + /// any driver (i.e. none of the driver contexts are active). + pub private_id: ::core::ffi::c_uint, + pub private_alg: psa_algorithm_t, + pub private_primitive: psa_pake_primitive_t, + pub private_stage: u8, + pub private_computation_stage: psa_pake_operation_s__bindgen_ty_1, + pub private_data: psa_pake_operation_s__bindgen_ty_2, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union psa_pake_operation_s__bindgen_ty_1 { + pub private_dummy: u8, + pub private_jpake: psa_jpake_computation_stage_s, +} +impl Default for psa_pake_operation_s__bindgen_ty_1 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 2usize, - 1u8, - val as u64, - ) + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() } } - #[inline] - pub fn new_bitfield_1( - private_state: ::core::ffi::c_uint, - private_info_set: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 2u8, { - let private_state: u32 = unsafe { ::core::mem::transmute(private_state) }; - private_state as u64 - }); - __bindgen_bitfield_unit.set(2usize, 1u8, { - let private_info_set: u32 = unsafe { ::core::mem::transmute(private_info_set) }; - private_info_set as u64 - }); - __bindgen_bitfield_unit - } -} -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_tls12_ecjpake_to_pms_t { - pub private_data: [u8; 32usize], } -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_INIT: - psa_tls12_prf_key_derivation_state_t = 0; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_SEED_SET: - psa_tls12_prf_key_derivation_state_t = 1; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OTHER_KEY_SET: - psa_tls12_prf_key_derivation_state_t = 2; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_KEY_SET: - psa_tls12_prf_key_derivation_state_t = 3; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_LABEL_SET: - psa_tls12_prf_key_derivation_state_t = 4; -pub const psa_tls12_prf_key_derivation_state_t_PSA_TLS12_PRF_STATE_OUTPUT: - psa_tls12_prf_key_derivation_state_t = 5; -pub type psa_tls12_prf_key_derivation_state_t = ::core::ffi::c_uint; #[repr(C)] #[derive(Copy, Clone)] -pub struct psa_tls12_prf_key_derivation_s { - pub private_left_in_block: u8, - pub private_block_number: u8, - pub private_state: psa_tls12_prf_key_derivation_state_t, - pub private_secret: *mut u8, - pub private_secret_length: usize, - pub private_seed: *mut u8, - pub private_seed_length: usize, - pub private_label: *mut u8, - pub private_label_length: usize, - pub private_other_secret: *mut u8, - pub private_other_secret_length: usize, - pub private_Ai: [u8; 64usize], - pub private_output_block: [u8; 64usize], +pub union psa_pake_operation_s__bindgen_ty_2 { + pub private_ctx: psa_driver_pake_context_t, + pub private_inputs: psa_crypto_driver_pake_inputs_s, } -impl Default for psa_tls12_prf_key_derivation_s { +impl Default for psa_pake_operation_s__bindgen_ty_2 { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +impl Default for psa_pake_operation_s { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -17185,1462 +18218,1629 @@ impl Default for psa_tls12_prf_key_derivation_s { } } } -pub type psa_tls12_prf_key_derivation_t = psa_tls12_prf_key_derivation_s; -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct psa_key_derivation_s { - pub private_alg: psa_algorithm_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_capacity: usize, - pub __bindgen_padding_0: [u64; 0usize], - pub private_ctx: psa_key_derivation_s__bindgen_ty_1, +/// The type of the data structure for PAKE cipher suites. +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_pake_cipher_suite_t = psa_pake_cipher_suite_s; +/// The type of the state data structure for PAKE operations. +/// +/// Before calling any function on a PAKE operation object, the application +/// must initialize it by any of the following means: +/// - Set the structure to all-bits-zero, for example: +/// \code +/// psa_pake_operation_t operation; +/// memset(&operation, 0, sizeof(operation)); +/// \endcode +/// - Initialize the structure to logical zero values, for example: +/// \code +/// psa_pake_operation_t operation = {0}; +/// \endcode +/// - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, +/// for example: +/// \code +/// psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; +/// \endcode +/// - Assign the result of the function psa_pake_operation_init() +/// to the structure, for example: +/// \code +/// psa_pake_operation_t operation; +/// operation = psa_pake_operation_init(); +/// \endcode +/// +/// This is an implementation-defined \c struct. Applications should not +/// make any assumptions about the content of this structure. +/// Implementation details can change in future versions without notice. +pub type psa_pake_operation_t = psa_pake_operation_s; +/// The type of input values for PAKE operations. +pub type psa_crypto_driver_pake_inputs_t = psa_crypto_driver_pake_inputs_s; +/// The type of computation stage for J-PAKE operations. +pub type psa_jpake_computation_stage_t = psa_jpake_computation_stage_s; +unsafe extern "C" { + /// Get the length of the password in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] password_len Password length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Password hasn't been set yet. + pub fn psa_crypto_driver_pake_get_password_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + password_len: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the password from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] buffer Return buffer for password. + /// \param buffer_size Size of the return buffer in bytes. + /// \param[out] buffer_length Actual size of the password in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Password hasn't been set yet. + pub fn psa_crypto_driver_pake_get_password( + inputs: *const psa_crypto_driver_pake_inputs_t, + buffer: *mut u8, + buffer_size: usize, + buffer_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the length of the user id in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] user_len User id length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// User id hasn't been set yet. + pub fn psa_crypto_driver_pake_get_user_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + user_len: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Get the length of the peer id in bytes from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] peer_len Peer id length. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Peer id hasn't been set yet. + pub fn psa_crypto_driver_pake_get_peer_len( + inputs: *const psa_crypto_driver_pake_inputs_t, + peer_len: *mut usize, + ) -> psa_status_t; } -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub union psa_key_derivation_s__bindgen_ty_1 { - pub private_dummy: u8, - pub private_hkdf: psa_hkdf_key_derivation_t, - pub private_tls12_prf: psa_tls12_prf_key_derivation_t, - pub private_tls12_ecjpake_to_pms: psa_tls12_ecjpake_to_pms_t, +unsafe extern "C" { + /// Get the user id from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] user_id User id. + /// \param user_id_size Size of \p user_id in bytes. + /// \param[out] user_id_len Size of the user id in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// User id hasn't been set yet. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p user_id is too small. + pub fn psa_crypto_driver_pake_get_user( + inputs: *const psa_crypto_driver_pake_inputs_t, + user_id: *mut u8, + user_id_size: usize, + user_id_len: *mut usize, + ) -> psa_status_t; } -impl Default for psa_key_derivation_s__bindgen_ty_1 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Get the peer id from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] peer_id Peer id. + /// \param peer_id_size Size of \p peer_id in bytes. + /// \param[out] peer_id_length Size of the peer id in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Peer id hasn't been set yet. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p peer_id is too small. + pub fn psa_crypto_driver_pake_get_peer( + inputs: *const psa_crypto_driver_pake_inputs_t, + peer_id: *mut u8, + peer_id_size: usize, + peer_id_length: *mut usize, + ) -> psa_status_t; } -impl Default for psa_key_derivation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Get the cipher suite from given inputs. + /// + /// \param[in] inputs Operation inputs. + /// \param[out] cipher_suite Return buffer for role. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BAD_STATE + /// Cipher_suite hasn't been set yet. + pub fn psa_crypto_driver_pake_get_cipher_suite( + inputs: *const psa_crypto_driver_pake_inputs_t, + cipher_suite: *mut psa_pake_cipher_suite_t, + ) -> psa_status_t; } -impl psa_key_derivation_s { - #[inline] - pub fn private_can_output_key(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_can_output_key(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_can_output_key_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_can_output_key_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_can_output_key: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_can_output_key: u32 = - unsafe { ::core::mem::transmute(private_can_output_key) }; - private_can_output_key as u64 - }); - __bindgen_bitfield_unit - } +unsafe extern "C" { + /// Set the session information for a password-authenticated key exchange. + /// + /// The sequence of operations to set up a password-authenticated key exchange + /// is as follows: + /// -# Allocate an operation object which will be passed to all the functions + /// listed here. + /// -# Initialize the operation object with one of the methods described in the + /// documentation for #psa_pake_operation_t, e.g. + /// #PSA_PAKE_OPERATION_INIT. + /// -# Call psa_pake_setup() to specify the cipher suite. + /// -# Call \c psa_pake_set_xxx() functions on the operation to complete the + /// setup. The exact sequence of \c psa_pake_set_xxx() functions that needs + /// to be called depends on the algorithm in use. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// A typical sequence of calls to perform a password-authenticated key + /// exchange: + /// -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the + /// key share that needs to be sent to the peer. + /// -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide + /// the key share that was received from the peer. + /// -# Depending on the algorithm additional calls to psa_pake_output() and + /// psa_pake_input() might be necessary. + /// -# Call psa_pake_get_implicit_key() for accessing the shared secret. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// If an error occurs at any step after a call to psa_pake_setup(), + /// the operation will need to be reset by a call to psa_pake_abort(). The + /// application may call psa_pake_abort() at any time after the operation + /// has been initialized. + /// + /// After a successful call to psa_pake_setup(), the application must + /// eventually terminate the operation. The following events terminate an + /// operation: + /// - A call to psa_pake_abort(). + /// - A successful call to psa_pake_get_implicit_key(). + /// + /// \param[in,out] operation The operation object to set up. It must have + /// been initialized but not set up yet. + /// \param[in] cipher_suite The cipher suite to use. (A cipher suite fully + /// characterizes a PAKE algorithm and determines + /// the algorithm as well.) + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The algorithm in \p cipher_suite is not a PAKE algorithm, or the + /// PAKE primitive in \p cipher_suite is not compatible with the + /// PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid + /// or not compatible with the PAKE algorithm and primitive. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The algorithm in \p cipher_suite is not a supported PAKE algorithm, + /// or the PAKE primitive in \p cipher_suite is not supported or not + /// compatible with the PAKE algorithm, or the hash algorithm in + /// \p cipher_suite is not supported or not compatible with the PAKE + /// algorithm and primitive. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_setup( + operation: *mut psa_pake_operation_t, + cipher_suite: *const psa_pake_cipher_suite_t, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_key_policy_s { - pub private_usage: psa_key_usage_t, - pub private_alg: psa_algorithm_t, - pub private_alg2: psa_algorithm_t, +unsafe extern "C" { + /// Set the password for a password-authenticated key exchange from key ID. + /// + /// Call this function when the password, or a value derived from the password, + /// is already present in the key store. + /// + /// \param[in,out] operation The operation object to set the password for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the password hasn't + /// been set yet (psa_pake_set_password_key() + /// hasn't been called yet). + /// \param password Identifier of the key holding the password or a + /// value derived from the password (eg. by a + /// memory-hard function). It must remain valid + /// until the operation terminates. It must be of + /// type #PSA_KEY_TYPE_PASSWORD or + /// #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow + /// the usage #PSA_KEY_USAGE_DERIVE. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_HANDLE + /// \p password is not a valid key identifier. + /// \retval #PSA_ERROR_NOT_PERMITTED + /// The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not + /// permit the \p operation's algorithm. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or + /// #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with + /// the \p operation's cipher suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The key type or key size of \p password is not supported with the + /// \p operation's cipher suite. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must have been set up.), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_password_key( + operation: *mut psa_pake_operation_t, + password: mbedtls_svc_key_id_t, + ) -> psa_status_t; } -pub type psa_key_policy_t = psa_key_policy_s; -pub type psa_key_bits_t = u16; -/// A mask of flags that can be stored in key attributes. -/// -/// This type is also used internally to store flags in slots. Internal -/// flags are defined in library/psa_crypto_core.h. Internal flags may have -/// the same value as external flags if they are properly handled during -/// key creation and in psa_get_key_attributes. -pub type psa_key_attributes_flag_t = u16; -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_core_key_attributes_t { - pub private_type: psa_key_type_t, - pub private_bits: psa_key_bits_t, - pub private_lifetime: psa_key_lifetime_t, - pub private_id: mbedtls_svc_key_id_t, - pub private_policy: psa_key_policy_t, - pub private_flags: psa_key_attributes_flag_t, +unsafe extern "C" { + /// Set the user ID for a password-authenticated key exchange. + /// + /// Call this function to set the user ID. For PAKE algorithms that associate a + /// user identifier with each side of the session you need to call + /// psa_pake_set_peer() as well. For PAKE algorithms that associate a single + /// user identifier with the session, call psa_pake_set_user() only. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \note When using the built-in implementation of #PSA_ALG_JPAKE, the user ID + /// must be `"client"` (6-byte string) or `"server"` (6-byte string). + /// Third-party drivers may or may not have this limitation. + /// + /// \param[in,out] operation The operation object to set the user ID for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the user ID hasn't + /// been set (psa_pake_set_user() hasn't been + /// called yet). + /// \param[in] user_id The user ID to authenticate with. + /// \param user_id_len Size of the \p user_id buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p user_id is not valid for the \p operation's algorithm and cipher + /// suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The value of \p user_id is not supported by the implementation. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_user( + operation: *mut psa_pake_operation_t, + user_id: *const u8, + user_id_len: usize, + ) -> psa_status_t; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_key_attributes_s { - pub private_core: psa_core_key_attributes_t, - pub private_domain_parameters: *mut ::core::ffi::c_void, - pub private_domain_parameters_size: usize, +unsafe extern "C" { + /// Set the peer ID for a password-authenticated key exchange. + /// + /// Call this function in addition to psa_pake_set_user() for PAKE algorithms + /// that associate a user identifier with each side of the session. For PAKE + /// algorithms that associate a single user identifier with the session, call + /// psa_pake_set_user() only. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \note When using the built-in implementation of #PSA_ALG_JPAKE, the peer ID + /// must be `"client"` (6-byte string) or `"server"` (6-byte string). + /// Third-party drivers may or may not have this limitation. + /// + /// \param[in,out] operation The operation object to set the peer ID for. It + /// must have been set up by psa_pake_setup() and + /// not yet in use (neither psa_pake_output() nor + /// psa_pake_input() has been called yet). It must + /// be on operation for which the peer ID hasn't + /// been set (psa_pake_set_peer() hasn't been + /// called yet). + /// \param[in] peer_id The peer's ID to authenticate. + /// \param peer_id_len Size of the \p peer_id buffer in bytes. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p peer_id is not valid for the \p operation's algorithm and cipher + /// suite. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The algorithm doesn't associate a second identity with the session. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// Calling psa_pake_set_peer() is invalid with the \p operation's + /// algorithm, the operation state is not valid, or the library has not + /// been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_peer( + operation: *mut psa_pake_operation_t, + peer_id: *const u8, + peer_id_len: usize, + ) -> psa_status_t; } -impl Default for psa_key_attributes_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// Set the application role for a password-authenticated key exchange. + /// + /// Not all PAKE algorithms need to differentiate the communicating entities. + /// It is optional to call this function for PAKEs that don't require a role + /// to be specified. For such PAKEs the application role parameter is ignored, + /// or #PSA_PAKE_ROLE_NONE can be passed as \c role. + /// + /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + /// for more information. + /// + /// \param[in,out] operation The operation object to specify the + /// application's role for. It must have been set up + /// by psa_pake_setup() and not yet in use (neither + /// psa_pake_output() nor psa_pake_input() has been + /// called yet). It must be on operation for which + /// the application's role hasn't been specified + /// (psa_pake_set_role() hasn't been called yet). + /// \param role A value of type ::psa_pake_role_t indicating the + /// application's role in the PAKE the algorithm + /// that is being set up. For more information see + /// the documentation of \c PSA_PAKE_ROLE_XXX + /// constants. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// The \p role is not a valid PAKE role in the \p operation’s algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// The \p role for this algorithm is not supported or is not valid. + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid, or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_set_role( + operation: *mut psa_pake_operation_t, + role: psa_pake_role_t, + ) -> psa_status_t; } unsafe extern "C" { - /// \brief Set domain parameters for a key. + /// Get output for a step of a password-authenticated key exchange. /// - /// Some key types require additional domain parameters in addition to - /// the key type identifier and the key size. Use this function instead - /// of psa_set_key_type() when you need to specify domain parameters. + /// Depending on the algorithm being executed, you might need to call this + /// function several times or you might not need to call this at all. /// - /// The format for the required domain parameters varies based on the key type. + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// - /// - For RSA keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY or #PSA_KEY_TYPE_RSA_KEY_PAIR), - /// the domain parameter data consists of the public exponent, - /// represented as a big-endian integer with no leading zeros. - /// This information is used when generating an RSA key pair. - /// When importing a key, the public exponent is read from the imported - /// key data and the exponent recorded in the attribute structure is ignored. - /// As an exception, the public exponent 65537 is represented by an empty - /// byte string. - /// - For DSA keys (#PSA_KEY_TYPE_DSA_PUBLIC_KEY or #PSA_KEY_TYPE_DSA_KEY_PAIR), - /// the `Dss-Params` format as defined by RFC 3279 §2.3.2. - /// ``` - /// Dss-Params ::= SEQUENCE { - /// p INTEGER, - /// q INTEGER, - /// g INTEGER - /// } - /// ``` - /// - For Diffie-Hellman key exchange keys - /// (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or - /// #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM)), the - /// `DomainParameters` format as defined by RFC 3279 §2.3.3. - /// ``` - /// DomainParameters ::= SEQUENCE { - /// p INTEGER, -- odd prime, p=jq +1 - /// g INTEGER, -- generator, g - /// q INTEGER, -- factor of p-1 - /// j INTEGER OPTIONAL, -- subgroup factor - /// validationParams ValidationParams OPTIONAL - /// } - /// ValidationParams ::= SEQUENCE { - /// seed BIT STRING, - /// pgenCounter INTEGER - /// } - /// ``` + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_pake_abort(). /// - /// \note This function may allocate memory or other resources. - /// Once you have called this function on an attribute structure, - /// you must call psa_reset_key_attributes() to free these resources. + /// \param[in,out] operation Active PAKE operation. + /// \param step The step of the algorithm for which the output is + /// requested. + /// \param[out] output Buffer where the output is to be written in the + /// format appropriate for this \p step. Refer to + /// the documentation of the individual + /// \c PSA_PAKE_STEP_XXX constants for more + /// information. + /// \param output_size Size of the \p output buffer in bytes. This must + /// be at least #PSA_PAKE_OUTPUT_SIZE(\c alg, \c + /// primitive, \p output_step) where \c alg and + /// \p primitive are the PAKE algorithm and primitive + /// in the operation's cipher suite, and \p step is + /// the output step. + /// + /// \param[out] output_length On success, the number of bytes of the returned + /// output. + /// + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_BUFFER_TOO_SMALL + /// The size of the \p output buffer is too small. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p step is not compatible with the operation's algorithm. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p step is not supported with the operation's algorithm. + /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and fully set + /// up, and this call must conform to the algorithm's requirements + /// for ordering of input and output steps), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_output( + operation: *mut psa_pake_operation_t, + step: psa_pake_step_t, + output: *mut u8, + output_size: usize, + output_length: *mut usize, + ) -> psa_status_t; +} +unsafe extern "C" { + /// Provide input for a step of a password-authenticated key exchange. + /// + /// Depending on the algorithm being executed, you might need to call this + /// function several times or you might not need to call this at all. + /// + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// - /// \note This is an experimental extension to the interface. It may change - /// in future versions of the library. + /// If this function returns an error status, the operation enters an error + /// state and must be aborted by calling psa_pake_abort(). /// - /// \param[in,out] attributes Attribute structure where the specified domain - /// parameters will be stored. - /// If this function fails, the content of - /// \p attributes is not modified. - /// \param type Key type (a \c PSA_KEY_TYPE_XXX value). - /// \param[in] data Buffer containing the key domain parameters. - /// The content of this buffer is interpreted - /// according to \p type as described above. - /// \param data_length Size of the \p data buffer in bytes. + /// \param[in,out] operation Active PAKE operation. + /// \param step The step for which the input is provided. + /// \param[in] input Buffer containing the input in the format + /// appropriate for this \p step. Refer to the + /// documentation of the individual + /// \c PSA_PAKE_STEP_XXX constants for more + /// information. + /// \param input_length Size of the \p input buffer in bytes. /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - /// \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + /// \retval #PSA_SUCCESS + /// Success. + /// \retval #PSA_ERROR_INVALID_SIGNATURE + /// The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. + /// \retval #PSA_ERROR_INVALID_ARGUMENT + /// \p input_length is not compatible with the \p operation’s algorithm, + /// or the \p input is not valid for the \p operation's algorithm, + /// cipher suite or \p step. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// \p step p is not supported with the \p operation's algorithm, or the + /// \p input is not supported for the \p operation's algorithm, cipher + /// suite or \p step. /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - pub fn psa_set_key_domain_parameters( - attributes: *mut psa_key_attributes_t, - type_: psa_key_type_t, - data: *const u8, - data_length: usize, + /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription + /// \retval #PSA_ERROR_BAD_STATE + /// The operation state is not valid (it must be active, and fully set + /// up, and this call must conform to the algorithm's requirements + /// for ordering of input and output steps), or + /// the library has not been previously initialized by psa_crypto_init(). + /// It is implementation-dependent whether a failure to initialize + /// results in this error code. + pub fn psa_pake_input( + operation: *mut psa_pake_operation_t, + step: psa_pake_step_t, + input: *const u8, + input_length: usize, ) -> psa_status_t; } -/// \brief The context for PSA interruptible hash signing. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_sign_hash_interruptible_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_ctx: psa_driver_sign_hash_interruptible_context_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_num_ops: u32, -} -impl Default for psa_sign_hash_interruptible_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl psa_sign_hash_interruptible_operation_s { - #[inline] - pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_error_occurred: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_error_occurred: u32 = - unsafe { ::core::mem::transmute(private_error_occurred) }; - private_error_occurred as u64 - }); - __bindgen_bitfield_unit - } -} -/// \brief The context for PSA interruptible hash verification. -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_verify_hash_interruptible_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_ctx: psa_driver_verify_hash_interruptible_context_t, - pub _bitfield_align_1: [u8; 0], - pub _bitfield_1: __BindgenBitfieldUnit<[u8; 1usize]>, - pub private_num_ops: u32, -} -impl Default for psa_verify_hash_interruptible_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -impl psa_verify_hash_interruptible_operation_s { - #[inline] - pub fn private_error_occurred(&self) -> ::core::ffi::c_uint { - unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u32) } - } - #[inline] - pub fn set_private_error_occurred(&mut self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - self._bitfield_1.set(0usize, 1u8, val as u64) - } - } - #[inline] - pub unsafe fn private_error_occurred_raw(this: *const Self) -> ::core::ffi::c_uint { - unsafe { - ::core::mem::transmute(<__BindgenBitfieldUnit<[u8; 1usize]>>::raw_get( - ::core::ptr::addr_of!((*this)._bitfield_1), - 0usize, - 1u8, - ) as u32) - } - } - #[inline] - pub unsafe fn set_private_error_occurred_raw(this: *mut Self, val: ::core::ffi::c_uint) { - unsafe { - let val: u32 = ::core::mem::transmute(val); - <__BindgenBitfieldUnit<[u8; 1usize]>>::raw_set( - ::core::ptr::addr_of_mut!((*this)._bitfield_1), - 0usize, - 1u8, - val as u64, - ) - } - } - #[inline] - pub fn new_bitfield_1( - private_error_occurred: ::core::ffi::c_uint, - ) -> __BindgenBitfieldUnit<[u8; 1usize]> { - let mut __bindgen_bitfield_unit: __BindgenBitfieldUnit<[u8; 1usize]> = Default::default(); - __bindgen_bitfield_unit.set(0usize, 1u8, { - let private_error_occurred: u32 = - unsafe { ::core::mem::transmute(private_error_occurred) }; - private_error_occurred as u64 - }); - __bindgen_bitfield_unit - } -} -pub type psa_key_handle_t = mbedtls_svc_key_id_t; unsafe extern "C" { - /// Open a handle to an existing persistent key. - /// - /// Open a handle to a persistent key. A key is persistent if it was created - /// with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key - /// always has a nonzero key identifier, set with psa_set_key_id() when - /// creating the key. Implementations may provide additional pre-provisioned - /// keys that can be opened with psa_open_key(). Such keys have an application - /// key identifier in the vendor range, as documented in the description of - /// #psa_key_id_t. + /// Get implicitly confirmed shared secret from a PAKE. /// - /// The application must eventually close the handle with psa_close_key() or - /// psa_destroy_key() to release associated resources. If the application dies - /// without calling one of these functions, the implementation should perform - /// the equivalent of a call to psa_close_key(). + /// At this point there is a cryptographic guarantee that only the authenticated + /// party who used the same password is able to compute the key. But there is no + /// guarantee that the peer is the party it claims to be and was able to do so. /// - /// Some implementations permit an application to open the same key multiple - /// times. If this is successful, each call to psa_open_key() will return a - /// different key handle. + /// That is, the authentication is only implicit. Since the peer is not + /// authenticated yet, no action should be taken yet that assumes that the peer + /// is who it claims to be. For example, do not access restricted files on the + /// peer's behalf until an explicit authentication has succeeded. /// - /// \note This API is not part of the PSA Cryptography API Release 1.0.0 - /// specification. It was defined in the 1.0 Beta 3 version of the - /// specification but was removed in the 1.0.0 released version. This API is - /// kept for the time being to not break applications relying on it. It is not - /// deprecated yet but will be in the near future. + /// This function can be called after the key exchange phase of the operation + /// has completed. It imports the shared secret output of the PAKE into the + /// provided derivation operation. The input step + /// #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key + /// material in the key derivation operation. /// - /// \note Applications that rely on opening a key multiple times will not be - /// portable to implementations that only permit a single key handle to be - /// opened. See also :ref:\`key-handles\`. + /// The exact sequence of calls to perform a password-authenticated key + /// exchange depends on the algorithm in use. Refer to the documentation of + /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type + /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + /// information. /// + /// When this function returns successfully, \p operation becomes inactive. + /// If this function returns an error status, both \p operation + /// and \c key_derivation operations enter an error state and must be aborted by + /// calling psa_pake_abort() and psa_key_derivation_abort() respectively. /// - /// \param key The persistent identifier of the key. - /// \param[out] handle On success, a handle to the key. + /// \param[in,out] operation Active PAKE operation. + /// \param[out] output A key derivation operation that is ready + /// for an input step of type + /// #PSA_KEY_DERIVATION_INPUT_SECRET. /// /// \retval #PSA_SUCCESS - /// Success. The application can now use the value of `*handle` - /// to access the key. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY - /// The implementation does not have sufficient resources to open the - /// key. This can be due to reaching an implementation limit on the - /// number of open keys, the number of open key handles, or available - /// memory. - /// \retval #PSA_ERROR_DOES_NOT_EXIST - /// There is no persistent key with key identifier \p key. + /// Success. /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p key is not a valid persistent key identifier. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The specified key exists, but the application does not have the - /// permission to access it. Note that this specification does not - /// define any way to create such a key, but it may be possible - /// through implementation-specific means. + /// #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the + /// algorithm in the \p output key derivation operation. + /// \retval #PSA_ERROR_NOT_SUPPORTED + /// Input from a PAKE is not supported by the algorithm in the \p output + /// key derivation operation. + /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + /// \retval #PSA_ERROR_DATA_INVALID \emptydescription /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). + /// The PAKE operation state is not valid (it must be active, but beyond + /// that validity is specific to the algorithm), or + /// the library has not been previously initialized by psa_crypto_init(), + /// or the state of \p output is not valid for + /// the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the + /// step is out of order or the application has done this step already + /// and it may not be repeated. /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_open_key(key: mbedtls_svc_key_id_t, handle: *mut psa_key_handle_t) -> psa_status_t; + pub fn psa_pake_get_implicit_key( + operation: *mut psa_pake_operation_t, + output: *mut psa_key_derivation_operation_t, + ) -> psa_status_t; } unsafe extern "C" { - /// Close a key handle. - /// - /// If the handle designates a volatile key, this will destroy the key material - /// and free all associated resources, just like psa_destroy_key(). - /// - /// If this is the last open handle to a persistent key, then closing the handle - /// will free all resources associated with the key in volatile memory. The key - /// data in persistent storage is not affected and can be opened again later - /// with a call to psa_open_key(). + /// Abort a PAKE operation. /// - /// Closing the key handle makes the handle invalid, and the key handle - /// must not be used again by the application. + /// Aborting an operation frees all associated resources except for the \c + /// operation structure itself. Once aborted, the operation object can be reused + /// for another operation by calling psa_pake_setup() again. /// - /// \note This API is not part of the PSA Cryptography API Release 1.0.0 - /// specification. It was defined in the 1.0 Beta 3 version of the - /// specification but was removed in the 1.0.0 released version. This API is - /// kept for the time being to not break applications relying on it. It is not - /// deprecated yet but will be in the near future. + /// This function may be called at any time after the operation + /// object has been initialized as described in #psa_pake_operation_t. /// - /// \note If the key handle was used to set up an active - /// :ref:\`multipart operation \`, then closing the - /// key handle can cause the multipart operation to fail. Applications should - /// maintain the key handle until after the multipart operation has finished. + /// In particular, calling psa_pake_abort() after the operation has been + /// terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() + /// is safe and has no effect. /// - /// \param handle The key handle to close. - /// If this is \c 0, do nothing and return \c PSA_SUCCESS. + /// \param[in,out] operation The operation to abort. /// /// \retval #PSA_SUCCESS - /// \p handle was a valid handle or \c 0. It is now closed. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p handle is not a valid handle nor \c 0. + /// Success. /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription /// \retval #PSA_ERROR_BAD_STATE /// The library has not been previously initialized by psa_crypto_init(). /// It is implementation-dependent whether a failure to initialize /// results in this error code. - pub fn psa_close_key(handle: psa_key_handle_t) -> psa_status_t; + pub fn psa_pake_abort(operation: *mut psa_pake_operation_t) -> psa_status_t; } -unsafe extern "C" { - /// \brief Library deinitialization. +pub const mbedtls_pk_type_t_MBEDTLS_PK_NONE: mbedtls_pk_type_t = 0; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA: mbedtls_pk_type_t = 1; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY: mbedtls_pk_type_t = 2; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECKEY_DH: mbedtls_pk_type_t = 3; +pub const mbedtls_pk_type_t_MBEDTLS_PK_ECDSA: mbedtls_pk_type_t = 4; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSA_ALT: mbedtls_pk_type_t = 5; +pub const mbedtls_pk_type_t_MBEDTLS_PK_RSASSA_PSS: mbedtls_pk_type_t = 6; +pub const mbedtls_pk_type_t_MBEDTLS_PK_OPAQUE: mbedtls_pk_type_t = 7; +/// \brief Public key types +pub type mbedtls_pk_type_t = ::core::ffi::c_uint; +/// \brief Options for RSASSA-PSS signature verification. +/// See \c mbedtls_rsa_rsassa_pss_verify_ext() +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_rsassa_pss_options { + /// The digest to use for MGF1 in PSS. /// - /// This function clears all data associated with the PSA layer, - /// including the whole key store. + /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is + /// disabled, this must be equal to the \c md_alg argument passed + /// to mbedtls_pk_verify_ext(). In a future version of the library, + /// this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is + /// enabled regardless of the status of #MBEDTLS_RSA_C. + pub mgf1_hash_id: mbedtls_md_type_t, + /// The expected length of the salt, in bytes. This may be + /// #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. /// - /// This is an Mbed TLS extension. - pub fn mbedtls_psa_crypto_free(); + /// \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only + /// #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be + /// ignored (allowing any salt length). + pub expected_salt_len: ::core::ffi::c_int, } -/// \brief Statistics about -/// resource consumption related to the PSA keystore. -/// -/// \note The content of this structure is not part of the stable API and ABI -/// of Mbed Crypto and may change arbitrarily from version to version. +impl Default for mbedtls_pk_rsassa_pss_options { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_NONE: mbedtls_pk_debug_type = 0; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_MPI: mbedtls_pk_debug_type = 1; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_ECP: mbedtls_pk_debug_type = 2; +pub const mbedtls_pk_debug_type_MBEDTLS_PK_DEBUG_PSA_EC: mbedtls_pk_debug_type = 3; +/// \brief Types for interfacing with the debug module +pub type mbedtls_pk_debug_type = ::core::ffi::c_uint; +/// \brief Item to send to the debug module #[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct mbedtls_psa_stats_s { - /// Number of slots containing key material for a volatile key. - pub private_volatile_slots: usize, - /// Number of slots containing key material for a key which is in - /// internal persistent storage. - pub private_persistent_slots: usize, - /// Number of slots containing a reference to a key in a - /// secure element. - pub private_external_slots: usize, - /// Number of slots which are occupied, but do not contain - /// key material yet. - pub private_half_filled_slots: usize, - /// Number of slots that contain cache data. - pub private_cache_slots: usize, - /// Number of slots that are not used for anything. - pub private_empty_slots: usize, - /// Number of slots that are locked. - pub private_locked_slots: usize, - /// Largest key id value among open keys in internal persistent storage. - pub private_max_open_internal_key_id: psa_key_id_t, - /// Largest key id value among open keys in secure elements. - pub private_max_open_external_key_id: psa_key_id_t, +#[derive(Copy, Clone)] +pub struct mbedtls_pk_debug_item { + pub private_type: mbedtls_pk_debug_type, + pub private_name: *const ::core::ffi::c_char, + pub private_value: *mut ::core::ffi::c_void, } -/// \brief Statistics about -/// resource consumption related to the PSA keystore. -/// -/// \note The content of this structure is not part of the stable API and ABI -/// of Mbed Crypto and may change arbitrarily from version to version. -pub type mbedtls_psa_stats_t = mbedtls_psa_stats_s; -unsafe extern "C" { - /// \brief Get statistics about - /// resource consumption related to the PSA keystore. - /// - /// \note When Mbed Crypto is built as part of a service, with isolation - /// between the application and the keystore, the service may or - /// may not expose this function. - pub fn mbedtls_psa_get_stats(stats: *mut mbedtls_psa_stats_t); +impl Default for mbedtls_pk_debug_item { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } -unsafe extern "C" { - /// \brief Inject an initial entropy seed for the random generator into - /// secure storage. - /// - /// This function injects data to be used as a seed for the random generator - /// used by the PSA Crypto implementation. On devices that lack a trusted - /// entropy source (preferably a hardware random number generator), - /// the Mbed PSA Crypto implementation uses this value to seed its - /// random generator. - /// - /// On devices without a trusted entropy source, this function must be - /// called exactly once in the lifetime of the device. On devices with - /// a trusted entropy source, calling this function is optional. - /// In all cases, this function may only be called before calling any - /// other function in the PSA Crypto API, including psa_crypto_init(). - /// - /// When this function returns successfully, it populates a file in - /// persistent storage. Once the file has been created, this function - /// can no longer succeed. - /// - /// If any error occurs, this function does not change the system state. - /// You can call this function again after correcting the reason for the - /// error if possible. - /// - /// \warning This function **can** fail! Callers MUST check the return status. - /// - /// \warning If you use this function, you should use it as part of a - /// factory provisioning process. The value of the injected seed - /// is critical to the security of the device. It must be - /// *secret*, *unpredictable* and (statistically) *unique per device*. - /// You should be generate it randomly using a cryptographically - /// secure random generator seeded from trusted entropy sources. - /// You should transmit it securely to the device and ensure - /// that its value is not leaked or stored anywhere beyond the - /// needs of transmitting it from the point of generation to - /// the call of this function, and erase all copies of the value - /// once this function returns. - /// - /// This is an Mbed TLS extension. - /// - /// \note This function is only available on the following platforms: - /// * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled. - /// Note that you must provide compatible implementations of - /// mbedtls_nv_seed_read and mbedtls_nv_seed_write. - /// * In a client-server integration of PSA Cryptography, on the client side, - /// if the server supports this feature. - /// \param[in] seed Buffer containing the seed value to inject. - /// \param[in] seed_size Size of the \p seed buffer. - /// The size of the seed in bytes must be greater - /// or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE - /// and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM - /// in `library/entropy_poll.h` in the Mbed TLS source - /// code. - /// It must be less or equal to - /// #MBEDTLS_ENTROPY_MAX_SEED_SIZE. - /// - /// \retval #PSA_SUCCESS - /// The seed value was injected successfully. The random generator - /// of the PSA Crypto implementation is now ready for use. - /// You may now call psa_crypto_init() and use the PSA Crypto - /// implementation. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p seed_size is out of range. - /// \retval #PSA_ERROR_STORAGE_FAILURE - /// There was a failure reading or writing from storage. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The library has already been initialized. It is no longer - /// possible to call this function. - pub fn mbedtls_psa_inject_entropy(seed: *const u8, seed_size: usize) -> psa_status_t; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_info_t { + _unused: [u8; 0], } -unsafe extern "C" { - /// \brief Get domain parameters for a key. - /// - /// Get the domain parameters for a key with this function, if any. The format - /// of the domain parameters written to \p data is specified in the - /// documentation for psa_set_key_domain_parameters(). - /// - /// \note This is an experimental extension to the interface. It may change - /// in future versions of the library. - /// - /// \param[in] attributes The key attribute structure to query. - /// \param[out] data On success, the key domain parameters. - /// \param data_size Size of the \p data buffer in bytes. - /// The buffer is guaranteed to be large - /// enough if its size in bytes is at least - /// the value given by - /// PSA_KEY_DOMAIN_PARAMETERS_SIZE(). - /// \param[out] data_length On success, the number of bytes - /// that make up the key domain parameters data. - /// - /// \retval #PSA_SUCCESS \emptydescription - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - pub fn psa_get_key_domain_parameters( - attributes: *const psa_key_attributes_t, - data: *mut u8, - data_size: usize, - data_length: *mut usize, - ) -> psa_status_t; +/// \brief Public key container +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_pk_context { + ///< Public key information + pub private_pk_info: *const mbedtls_pk_info_t, + ///< Underlying public key context + pub private_pk_ctx: *mut ::core::ffi::c_void, +} +impl Default for mbedtls_pk_context { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } } +pub type mbedtls_pk_restart_ctx = ::core::ffi::c_void; +/// \brief Types for RSA-alt abstraction +pub type mbedtls_pk_rsa_alt_decrypt_func = ::core::option::Option< + unsafe extern "C" fn( + ctx: *mut ::core::ffi::c_void, + olen: *mut usize, + input: *const ::core::ffi::c_uchar, + output: *mut ::core::ffi::c_uchar, + output_max_len: usize, + ) -> ::core::ffi::c_int, +>; +pub type mbedtls_pk_rsa_alt_sign_func = ::core::option::Option< + unsafe extern "C" fn( + ctx: *mut ::core::ffi::c_void, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + md_alg: mbedtls_md_type_t, + hashlen: ::core::ffi::c_uint, + hash: *const ::core::ffi::c_uchar, + sig: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int, +>; +pub type mbedtls_pk_rsa_alt_key_len_func = + ::core::option::Option usize>; unsafe extern "C" { - /// Convert an ECC curve identifier from the PSA encoding to Mbed TLS. - /// - /// \note This function is provided solely for the convenience of - /// Mbed TLS and may be removed at any time without notice. + /// \brief Return information associated with the given PK type /// - /// \param curve A PSA elliptic curve identifier - /// (`PSA_ECC_FAMILY_xxx`). - /// \param bits The bit-length of a private key on \p curve. - /// \param bits_is_sloppy If true, \p bits may be the bit-length rounded up - /// to the nearest multiple of 8. This allows the caller - /// to infer the exact curve from the length of a key - /// which is supplied as a byte string. + /// \param pk_type PK type to search for. /// - /// \return The corresponding Mbed TLS elliptic curve identifier - /// (`MBEDTLS_ECP_DP_xxx`). - /// \return #MBEDTLS_ECP_DP_NONE if \c curve is not recognized. - /// \return #MBEDTLS_ECP_DP_NONE if \p bits is not - /// correct for \p curve. - pub fn mbedtls_ecc_group_of_psa( - curve: psa_ecc_family_t, - bits: usize, - bits_is_sloppy: ::core::ffi::c_int, - ) -> mbedtls_ecp_group_id; + /// \return The PK info associated with the type or NULL if not found. + pub fn mbedtls_pk_info_from_type(pk_type: mbedtls_pk_type_t) -> *const mbedtls_pk_info_t; } unsafe extern "C" { - /// External random generator function, implemented by the platform. - /// - /// When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, - /// this function replaces Mbed TLS's entropy and DRBG modules for all - /// random generation triggered via PSA crypto interfaces. - /// - /// \note This random generator must deliver random numbers with cryptographic - /// quality and high performance. It must supply unpredictable numbers - /// with a uniform distribution. The implementation of this function - /// is responsible for ensuring that the random generator is seeded - /// with sufficient entropy. If you have a hardware TRNG which is slow - /// or delivers non-uniform output, declare it as an entropy source - /// with mbedtls_entropy_add_source() instead of enabling this option. - /// - /// \param[in,out] context Pointer to the random generator context. - /// This is all-bits-zero on the first call - /// and preserved between successive calls. - /// \param[out] output Output buffer. On success, this buffer - /// contains random data with a uniform - /// distribution. - /// \param output_size The size of the \p output buffer in bytes. - /// \param[out] output_length On success, set this value to \p output_size. + /// \brief Initialize a #mbedtls_pk_context (as NONE). /// - /// \retval #PSA_SUCCESS - /// Success. The output buffer contains \p output_size bytes of - /// cryptographic-quality random data, and \c *output_length is - /// set to \p output_size. - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - /// The random generator requires extra entropy and there is no - /// way to obtain entropy under current environment conditions. - /// This error should not happen under normal circumstances since - /// this function is responsible for obtaining as much entropy as - /// it needs. However implementations of this function may return - /// #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain - /// entropy without blocking indefinitely. - /// \retval #PSA_ERROR_HARDWARE_FAILURE - /// A failure of the random generator hardware that isn't covered - /// by #PSA_ERROR_INSUFFICIENT_ENTROPY. - pub fn mbedtls_psa_external_get_random( - context: *mut mbedtls_psa_external_random_context_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \param ctx The context to initialize. + /// This must not be \c NULL. + pub fn mbedtls_pk_init(ctx: *mut mbedtls_pk_context); } -/// A slot number identifying a key in a driver. -/// -/// Values of this type are used to identify built-in keys. -pub type psa_drv_slot_number_t = u64; -/// \brief Encoding of the application role of PAKE -/// -/// Encodes the application's role in the algorithm is being executed. For more -/// information see the documentation of individual \c PSA_PAKE_ROLE_XXX -/// constants. -pub type psa_pake_role_t = u8; -/// Encoding of input and output indicators for PAKE. -/// -/// Some PAKE algorithms need to exchange more data than just a single key share. -/// This type is for encoding additional input and output data for such -/// algorithms. -pub type psa_pake_step_t = u8; -/// Encoding of the type of the PAKE's primitive. -/// -/// Values defined by this standard will never be in the range 0x80-0xff. -/// Vendors who define additional types must use an encoding in this range. -/// -/// For more information see the documentation of individual -/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. -pub type psa_pake_primitive_type_t = u8; -/// \brief Encoding of the family of the primitive associated with the PAKE. -/// -/// For more information see the documentation of individual -/// \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. -pub type psa_pake_family_t = u8; -/// \brief Encoding of the primitive associated with the PAKE. -/// -/// For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. -pub type psa_pake_primitive_t = u32; -/// The type of the data structure for PAKE cipher suites. -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_pake_cipher_suite_t = psa_pake_cipher_suite_s; -/// The type of the state data structure for PAKE operations. -/// -/// Before calling any function on a PAKE operation object, the application -/// must initialize it by any of the following means: -/// - Set the structure to all-bits-zero, for example: -/// \code -/// psa_pake_operation_t operation; -/// memset(&operation, 0, sizeof(operation)); -/// \endcode -/// - Initialize the structure to logical zero values, for example: -/// \code -/// psa_pake_operation_t operation = {0}; -/// \endcode -/// - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, -/// for example: -/// \code -/// psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; -/// \endcode -/// - Assign the result of the function psa_pake_operation_init() -/// to the structure, for example: -/// \code -/// psa_pake_operation_t operation; -/// operation = psa_pake_operation_init(); -/// \endcode -/// -/// This is an implementation-defined \c struct. Applications should not -/// make any assumptions about the content of this structure. -/// Implementation details can change in future versions without notice. -pub type psa_pake_operation_t = psa_pake_operation_s; -/// The type of input values for PAKE operations. -pub type psa_crypto_driver_pake_inputs_t = psa_crypto_driver_pake_inputs_s; -/// The type of computation stage for J-PAKE operations. -pub type psa_jpake_computation_stage_t = psa_jpake_computation_stage_s; unsafe extern "C" { - /// Get the length of the password in bytes from given inputs. + /// \brief Free the components of a #mbedtls_pk_context. /// - /// \param[in] inputs Operation inputs. - /// \param[out] password_len Password length. + /// \param ctx The context to clear. It must have been initialized. + /// If this is \c NULL, this function does nothing. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Password hasn't been set yet. - pub fn psa_crypto_driver_pake_get_password_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - password_len: *mut usize, - ) -> psa_status_t; + /// \note For contexts that have been set up with + /// mbedtls_pk_setup_opaque(), this does not free the underlying + /// PSA key and you still need to call psa_destroy_key() + /// independently if you want to destroy that key. + pub fn mbedtls_pk_free(ctx: *mut mbedtls_pk_context); } unsafe extern "C" { - /// Get the password from given inputs. - /// - /// \param[in] inputs Operation inputs. - /// \param[out] buffer Return buffer for password. - /// \param buffer_size Size of the return buffer in bytes. - /// \param[out] buffer_length Actual size of the password in bytes. + /// \brief Initialize a PK context with the information given + /// and allocates the type-specific PK subcontext. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Password hasn't been set yet. - pub fn psa_crypto_driver_pake_get_password( - inputs: *const psa_crypto_driver_pake_inputs_t, - buffer: *mut u8, - buffer_size: usize, - buffer_length: *mut usize, - ) -> psa_status_t; -} -unsafe extern "C" { - /// Get the role from given inputs. + /// \param ctx Context to initialize. It must not have been set + /// up yet (type #MBEDTLS_PK_NONE). + /// \param info Information to use /// - /// \param[in] inputs Operation inputs. - /// \param[out] role Return buffer for role. + /// \return 0 on success, + /// MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input, + /// MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Role hasn't been set yet. - pub fn psa_crypto_driver_pake_get_role( - inputs: *const psa_crypto_driver_pake_inputs_t, - role: *mut psa_pake_role_t, - ) -> psa_status_t; + /// \note For contexts holding an RSA-alt key, use + /// \c mbedtls_pk_setup_rsa_alt() instead. + pub fn mbedtls_pk_setup( + ctx: *mut mbedtls_pk_context, + info: *const mbedtls_pk_info_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the length of the user id in bytes from given inputs. + /// \brief Initialize an RSA-alt context /// - /// \param[in] inputs Operation inputs. - /// \param[out] user_len User id length. + /// \param ctx Context to initialize. It must not have been set + /// up yet (type #MBEDTLS_PK_NONE). + /// \param key RSA key pointer + /// \param decrypt_func Decryption function + /// \param sign_func Signing function + /// \param key_len_func Function returning key length in bytes /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// User id hasn't been set yet. - pub fn psa_crypto_driver_pake_get_user_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - user_len: *mut usize, - ) -> psa_status_t; + /// \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the + /// context wasn't already initialized as RSA_ALT. + /// + /// \note This function replaces \c mbedtls_pk_setup() for RSA-alt. + pub fn mbedtls_pk_setup_rsa_alt( + ctx: *mut mbedtls_pk_context, + key: *mut ::core::ffi::c_void, + decrypt_func: mbedtls_pk_rsa_alt_decrypt_func, + sign_func: mbedtls_pk_rsa_alt_sign_func, + key_len_func: mbedtls_pk_rsa_alt_key_len_func, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the length of the peer id in bytes from given inputs. + /// \brief Get the size in bits of the underlying key /// - /// \param[in] inputs Operation inputs. - /// \param[out] peer_len Peer id length. + /// \param ctx The context to query. It must have been initialized. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Peer id hasn't been set yet. - pub fn psa_crypto_driver_pake_get_peer_len( - inputs: *const psa_crypto_driver_pake_inputs_t, - peer_len: *mut usize, - ) -> psa_status_t; + /// \return Key size in bits, or 0 on error + pub fn mbedtls_pk_get_bitlen(ctx: *const mbedtls_pk_context) -> usize; } unsafe extern "C" { - /// Get the user id from given inputs. + /// \brief Tell if a context can do the operation given by type /// - /// \param[in] inputs Operation inputs. - /// \param[out] user_id User id. - /// \param user_id_size Size of \p user_id in bytes. - /// \param[out] user_id_len Size of the user id in bytes. + /// \param ctx The context to query. It must have been initialized. + /// \param type The desired type. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// User id hasn't been set yet. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p user_id is too small. - pub fn psa_crypto_driver_pake_get_user( - inputs: *const psa_crypto_driver_pake_inputs_t, - user_id: *mut u8, - user_id_size: usize, - user_id_len: *mut usize, - ) -> psa_status_t; + /// \return 1 if the context can do operations on the given type. + /// \return 0 if the context cannot do the operations on the given + /// type. This is always the case for a context that has + /// been initialized but not set up, or that has been + /// cleared with mbedtls_pk_free(). + pub fn mbedtls_pk_can_do( + ctx: *const mbedtls_pk_context, + type_: mbedtls_pk_type_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the peer id from given inputs. + /// \brief Determine valid PSA attributes that can be used to + /// import a key into PSA. /// - /// \param[in] inputs Operation inputs. - /// \param[out] peer_id Peer id. - /// \param peer_id_size Size of \p peer_id in bytes. - /// \param[out] peer_id_length Size of the peer id in bytes. + /// The attributes determined by this function are suitable + /// for calling mbedtls_pk_import_into_psa() to create + /// a PSA key with the same key material. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Peer id hasn't been set yet. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p peer_id is too small. - pub fn psa_crypto_driver_pake_get_peer( - inputs: *const psa_crypto_driver_pake_inputs_t, - peer_id: *mut u8, - peer_id_size: usize, - peer_id_length: *mut usize, - ) -> psa_status_t; + /// The typical flow of operations involving this function is + /// ``` + /// psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + /// int ret = mbedtls_pk_get_psa_attributes(pk, &attributes); + /// if (ret != 0) ...; // error handling omitted + /// // Tweak attributes if desired + /// psa_key_id_t key_id = 0; + /// ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id); + /// if (ret != 0) ...; // error handling omitted + /// ``` + /// + /// \note This function does not support RSA-alt contexts + /// (set up with mbedtls_pk_setup_rsa_alt()). + /// + /// \param[in] pk The PK context to use. It must have been set up. + /// It can either contain a key pair or just a public key. + /// \param usage A single `PSA_KEY_USAGE_xxx` flag among the following: + /// - #PSA_KEY_USAGE_DECRYPT: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_ENCRYPT as well as + /// #PSA_KEY_USAGE_DECRYPT. + /// - #PSA_KEY_USAGE_DERIVE: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type. + /// - #PSA_KEY_USAGE_ENCRYPT: The output + /// \p attributes will contain a public key type. + /// - #PSA_KEY_USAGE_SIGN_HASH: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_VERIFY_HASH as well as + /// #PSA_KEY_USAGE_SIGN_HASH. + /// - #PSA_KEY_USAGE_SIGN_MESSAGE: \p pk must contain a + /// key pair. The output \p attributes will contain a + /// key pair type, and the usage policy will allow + /// #PSA_KEY_USAGE_VERIFY_MESSAGE as well as + /// #PSA_KEY_USAGE_SIGN_MESSAGE. + /// - #PSA_KEY_USAGE_VERIFY_HASH: The output + /// \p attributes will contain a public key type. + /// - #PSA_KEY_USAGE_VERIFY_MESSAGE: The output + /// \p attributes will contain a public key type. + /// \param[out] attributes + /// On success, valid attributes to import the key into PSA. + /// - The lifetime and key identifier are unchanged. If the + /// attribute structure was initialized or reset before + /// calling this function, this will result in a volatile + /// key. Call psa_set_key_identifier() before or after this + /// function if you wish to create a persistent key. Call + /// psa_set_key_lifetime() before or after this function if + /// you wish to import the key in a secure element. + /// - The key type and bit-size are determined by the contents + /// of the PK context. If the PK context contains a key + /// pair, the key type can be either a key pair type or + /// the corresponding public key type, depending on + /// \p usage. If the PK context contains a public key, + /// the key type is a public key type. + /// - The key's policy is determined by the key type and + /// the \p usage parameter. The usage always allows + /// \p usage, exporting and copying the key, and + /// possibly other permissions as documented for the + /// \p usage parameter. + /// The permitted algorithm policy is determined as follows + /// based on the #mbedtls_pk_type_t type of \p pk, + /// the chosen \p usage and other factors: + /// - #MBEDTLS_PK_RSA whose underlying + /// #mbedtls_rsa_context has the padding mode + /// #MBEDTLS_RSA_PKCS_V15: + /// #PSA_ALG_RSA_PKCS1V15_SIGN(#PSA_ALG_ANY_HASH) + /// if \p usage is SIGN/VERIFY, and + /// #PSA_ALG_RSA_PKCS1V15_CRYPT + /// if \p usage is ENCRYPT/DECRYPT. + /// - #MBEDTLS_PK_RSA whose underlying + /// #mbedtls_rsa_context has the padding mode + /// #MBEDTLS_RSA_PKCS_V21 and the digest type + /// corresponding to the PSA algorithm \c hash: + /// #PSA_ALG_RSA_PSS_ANY_SALT(#PSA_ALG_ANY_HASH) + /// if \p usage is SIGN/VERIFY, and + /// #PSA_ALG_RSA_OAEP(\c hash) + /// if \p usage is ENCRYPT/DECRYPT. + /// - #MBEDTLS_PK_RSA_ALT: not supported. + /// - #MBEDTLS_PK_ECDSA or #MBEDTLS_PK_ECKEY + /// if \p usage is SIGN/VERIFY: + /// #PSA_ALG_DETERMINISTIC_ECDSA(#PSA_ALG_ANY_HASH) + /// if #MBEDTLS_ECDSA_DETERMINISTIC is enabled, + /// otherwise #PSA_ALG_ECDSA(#PSA_ALG_ANY_HASH). + /// - #MBEDTLS_PK_ECKEY_DH or #MBEDTLS_PK_ECKEY + /// if \p usage is DERIVE: + /// #PSA_ALG_ECDH. + /// - #MBEDTLS_PK_OPAQUE: same as the primary algorithm + /// set for the underlying PSA key, except that + /// sign/decrypt flags are removed if the type is + /// set to a public key type. + /// The underlying key must allow \p usage. + /// Note that the enrollment algorithm set with + /// psa_set_key_enrollment_algorithm() is not copied. + /// + /// \return 0 on success. + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + /// a key of the type identified in \p attributes. + /// Another error code on other failures. + pub fn mbedtls_pk_get_psa_attributes( + pk: *const mbedtls_pk_context, + usage: psa_key_usage_t, + attributes: *mut psa_key_attributes_t, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get the cipher suite from given inputs. - /// - /// \param[in] inputs Operation inputs. - /// \param[out] cipher_suite Return buffer for role. + /// \brief Import a key into the PSA key store. + /// + /// This function is equivalent to calling psa_import_key() + /// with the key material from \p pk. + /// + /// The typical way to use this function is: + /// -# Call mbedtls_pk_get_psa_attributes() to obtain + /// attributes for the given key. + /// -# If desired, modify the attributes, for example: + /// - To create a persistent key, call + /// psa_set_key_identifier() and optionally + /// psa_set_key_lifetime(). + /// - To import only the public part of a key pair: + /// + /// psa_set_key_type(&attributes, + /// PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( + /// psa_get_key_type(&attributes))); + /// - Restrict the key usage if desired. + /// -# Call mbedtls_pk_import_into_psa(). + /// + /// \note This function does not support RSA-alt contexts + /// (set up with mbedtls_pk_setup_rsa_alt()). + /// + /// \param[in] pk The PK context to use. It must have been set up. + /// It can either contain a key pair or just a public key. + /// \param[in] attributes + /// The attributes to use for the new key. They must be + /// compatible with \p pk. In particular, the key type + /// must match the content of \p pk. + /// If \p pk contains a key pair, the key type in + /// attributes can be either the key pair type or the + /// corresponding public key type (to import only the + /// public part). + /// \param[out] key_id + /// On success, the identifier of the newly created key. + /// On error, this is #MBEDTLS_SVC_KEY_ID_INIT. + /// + /// \return 0 on success. + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + /// a key of the type identified in \p attributes. + /// Another error code on other failures. + pub fn mbedtls_pk_import_into_psa( + pk: *const mbedtls_pk_context, + attributes: *const psa_key_attributes_t, + key_id: *mut mbedtls_svc_key_id_t, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Create a PK context starting from a key stored in PSA. + /// This key: + /// - must be exportable and + /// - must be an RSA or EC key pair or public key (FFDH is not supported in PK). + /// + /// The resulting PK object will be a transparent type: + /// - #MBEDTLS_PK_RSA for RSA keys or + /// - #MBEDTLS_PK_ECKEY for EC keys. + /// + /// Once this functions returns the PK object will be completely + /// independent from the original PSA key that it was generated + /// from. + /// Calling mbedtls_pk_sign(), mbedtls_pk_verify(), + /// mbedtls_pk_encrypt(), mbedtls_pk_decrypt() on the resulting + /// PK context will perform the corresponding algorithm for that + /// PK context type. + /// * For ECDSA, the choice of deterministic vs randomized will + /// be based on the compile-time setting #MBEDTLS_ECDSA_DETERMINISTIC. + /// * For an RSA key, the output PK context will allow both + /// encrypt/decrypt and sign/verify regardless of the original + /// key's policy. + /// The original key's policy determines the output key's padding + /// mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS, + /// otherwise PKCS1 v1.5 is set. + /// + /// \param key_id The key identifier of the key stored in PSA. + /// \param pk The PK context that will be filled. It must be initialized, + /// but not set up. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BAD_STATE - /// Cipher_suite hasn't been set yet. - pub fn psa_crypto_driver_pake_get_cipher_suite( - inputs: *const psa_crypto_driver_pake_inputs_t, - cipher_suite: *mut psa_pake_cipher_suite_t, - ) -> psa_status_t; + /// \return 0 on success. + /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input + /// parameters are not correct. + pub fn mbedtls_pk_copy_from_psa( + key_id: mbedtls_svc_key_id_t, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the session information for a password-authenticated key exchange. + /// \brief Create a PK context for the public key of a PSA key. /// - /// The sequence of operations to set up a password-authenticated key exchange - /// is as follows: - /// -# Allocate an operation object which will be passed to all the functions - /// listed here. - /// -# Initialize the operation object with one of the methods described in the - /// documentation for #psa_pake_operation_t, e.g. - /// #PSA_PAKE_OPERATION_INIT. - /// -# Call psa_pake_setup() to specify the cipher suite. - /// -# Call \c psa_pake_set_xxx() functions on the operation to complete the - /// setup. The exact sequence of \c psa_pake_set_xxx() functions that needs - /// to be called depends on the algorithm in use. + /// The key must be an RSA or ECC key. It can be either a + /// public key or a key pair, and only the public key is copied. + /// The resulting PK object will be a transparent type: + /// - #MBEDTLS_PK_RSA for RSA keys or + /// - #MBEDTLS_PK_ECKEY for EC keys. /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// Once this functions returns the PK object will be completely + /// independent from the original PSA key that it was generated + /// from. + /// Calling mbedtls_pk_verify() or + /// mbedtls_pk_encrypt() on the resulting + /// PK context will perform the corresponding algorithm for that + /// PK context type. /// - /// A typical sequence of calls to perform a password-authenticated key - /// exchange: - /// -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the - /// key share that needs to be sent to the peer. - /// -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide - /// the key share that was received from the peer. - /// -# Depending on the algorithm additional calls to psa_pake_output() and - /// psa_pake_input() might be necessary. - /// -# Call psa_pake_get_implicit_key() for accessing the shared secret. + /// For an RSA key, the output PK context will allow both + /// encrypt and verify regardless of the original key's policy. + /// The original key's policy determines the output key's padding + /// mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS, + /// otherwise PKCS1 v1.5 is set. /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \param key_id The key identifier of the key stored in PSA. + /// \param pk The PK context that will be filled. It must be initialized, + /// but not set up. /// - /// If an error occurs at any step after a call to psa_pake_setup(), - /// the operation will need to be reset by a call to psa_pake_abort(). The - /// application may call psa_pake_abort() at any time after the operation - /// has been initialized. + /// \return 0 on success. + /// \return MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input + /// parameters are not correct. + pub fn mbedtls_pk_copy_public_from_psa( + key_id: mbedtls_svc_key_id_t, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Verify signature (including padding if relevant). /// - /// After a successful call to psa_pake_setup(), the application must - /// eventually terminate the operation. The following events terminate an - /// operation: - /// - A call to psa_pake_abort(). - /// - A successful call to psa_pake_get_implicit_key(). + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used. + /// This can be #MBEDTLS_MD_NONE if the signature algorithm + /// does not rely on a hash algorithm (non-deterministic + /// ECDSA, RSA PKCS#1 v1.5). + /// For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then + /// \p hash is the DigestInfo structure used by RFC 8017 + /// §9.2 steps 3–6. If \p md_alg is a valid hash + /// algorithm then \p hash is the digest itself, and this + /// function calculates the DigestInfo encoding internally. + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Signature to verify + /// \param sig_len Signature length /// - /// \param[in,out] operation The operation object to set up. It must have - /// been initialized but not set up yet. - /// \param[in] cipher_suite The cipher suite to use. (A cipher suite fully - /// characterizes a PAKE algorithm and determines - /// the algorithm as well.) + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or PSS (accepting any salt length), + /// depending on the padding mode in the underlying RSA context. + /// For a pk object constructed by parsing, this is PKCS#1 v1.5 + /// by default. Use mbedtls_pk_verify_ext() to explicitly select + /// a different algorithm. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The algorithm in \p cipher_suite is not a PAKE algorithm, or the - /// PAKE primitive in \p cipher_suite is not compatible with the - /// PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid - /// or not compatible with the PAKE algorithm and primitive. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The algorithm in \p cipher_suite is not a supported PAKE algorithm, - /// or the PAKE primitive in \p cipher_suite is not supported or not - /// compatible with the PAKE algorithm, or the hash algorithm in - /// \p cipher_suite is not supported or not compatible with the PAKE - /// algorithm and primitive. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_setup( - operation: *mut psa_pake_operation_t, - cipher_suite: *const psa_pake_cipher_suite_t, - ) -> psa_status_t; + /// \return 0 on success (signature is valid), + /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig but its length is less than \p sig_len, + /// or a specific error code. + pub fn mbedtls_pk_verify( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the password for a password-authenticated key exchange from key ID. + /// \brief Restartable version of \c mbedtls_pk_verify() /// - /// Call this function when the password, or a value derived from the password, - /// is already present in the key store. + /// \note Performs the same job as \c mbedtls_pk_verify(), but can + /// return early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC + /// operations. For RSA, same as \c mbedtls_pk_verify(). /// - /// \param[in,out] operation The operation object to set the password for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the password hasn't - /// been set yet (psa_pake_set_password_key() - /// hasn't been called yet). - /// \param password Identifier of the key holding the password or a - /// value derived from the password (eg. by a - /// memory-hard function). It must remain valid - /// until the operation terminates. It must be of - /// type #PSA_KEY_TYPE_PASSWORD or - /// #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow - /// the usage #PSA_KEY_USAGE_DERIVE. + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length or 0 (see notes) + /// \param sig Signature to verify + /// \param sig_len Signature length + /// \param rs_ctx Restart context (NULL to disable restart) /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_HANDLE - /// \p password is not a valid key identifier. - /// \retval #PSA_ERROR_NOT_PERMITTED - /// The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not - /// permit the \p operation's algorithm. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or - /// #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with - /// the \p operation's cipher suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The key type or key size of \p password is not supported with the - /// \p operation's cipher suite. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must have been set up.), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_password_key( - operation: *mut psa_pake_operation_t, - password: mbedtls_svc_key_id_t, - ) -> psa_status_t; + /// \return See \c mbedtls_pk_verify(), or + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + pub fn mbedtls_pk_verify_restartable( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + rs_ctx: *mut mbedtls_pk_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Verify signature, with options. + /// (Includes verification of the padding depending on type.) + /// + /// \param type Signature type (inc. possible padding type) to verify + /// \param options Pointer to type-specific options, or NULL + /// \param ctx The PK context to use. It must have been set up. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length or 0 (see notes) + /// \param sig Signature to verify + /// \param sig_len Signature length + /// + /// \return 0 on success (signature is valid), + /// #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be + /// used for this type of signatures, + /// #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid + /// signature in \p sig but its length is less than \p sig_len, + /// or a specific error code. + /// + /// \note If hash_len is 0, then the length associated with md_alg + /// is used instead, or an error returned if it is invalid. + /// + /// \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0 + /// + /// \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point + /// to a mbedtls_pk_rsassa_pss_options structure, + /// otherwise it must be NULL. Note that if + /// #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not + /// verified as PSA_ALG_RSA_PSS_ANY_SALT is used. + pub fn mbedtls_pk_verify_ext( + type_: mbedtls_pk_type_t, + options: *const ::core::ffi::c_void, + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *const ::core::ffi::c_uchar, + sig_len: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the user ID for a password-authenticated key exchange. + /// \brief Make signature, including padding if relevant. /// - /// Call this function to set the user ID. For PAKE algorithms that associate a - /// user identifier with each side of the session you need to call - /// psa_pake_set_peer() as well. For PAKE algorithms that associate a single - /// user identifier with the session, call psa_pake_set_user() only. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or PSS (using the largest possible salt + /// length up to the hash length), depending on the padding mode + /// in the underlying RSA context. For a pk object constructed + /// by parsing, this is PKCS#1 v1.5 by default. Use + /// mbedtls_pk_verify_ext() to explicitly select a different + /// algorithm. /// - /// \param[in,out] operation The operation object to set the user ID for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the user ID hasn't - /// been set (psa_pake_set_user() hasn't been - /// called yet). - /// \param[in] user_id The user ID to authenticate with. - /// (temporary limitation: "client" or "server" only) - /// \param user_id_len Size of the \p user_id buffer in bytes. + /// \return 0 on success, or a specific error code. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p user_id is not valid for the \p operation's algorithm and cipher - /// suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The value of \p user_id is not supported by the implementation. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_user( - operation: *mut psa_pake_operation_t, - user_id: *const u8, - user_id_len: usize, - ) -> psa_status_t; + /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. + /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. + pub fn mbedtls_pk_sign( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the peer ID for a password-authenticated key exchange. + /// \brief Make signature given a signature type. /// - /// Call this function in addition to psa_pake_set_user() for PAKE algorithms - /// that associate a user identifier with each side of the session. For PAKE - /// algorithms that associate a single user identifier with the session, call - /// psa_pake_set_user() only. + /// \param pk_type Signature type. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \return 0 on success, or a specific error code. /// - /// \param[in,out] operation The operation object to set the peer ID for. It - /// must have been set up by psa_pake_setup() and - /// not yet in use (neither psa_pake_output() nor - /// psa_pake_input() has been called yet). It must - /// be on operation for which the peer ID hasn't - /// been set (psa_pake_set_peer() hasn't been - /// called yet). - /// \param[in] peer_id The peer's ID to authenticate. - /// (temporary limitation: "client" or "server" only) - /// \param peer_id_len Size of the \p peer_id buffer in bytes. + /// \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS, + /// see #PSA_ALG_RSA_PSS for a description of PSS options used. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p user_id is not valid for the \p operation's algorithm and cipher - /// suite. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The algorithm doesn't associate a second identity with the session. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// Calling psa_pake_set_peer() is invalid with the \p operation's - /// algorithm, the operation state is not valid, or the library has not - /// been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_peer( - operation: *mut psa_pake_operation_t, - peer_id: *const u8, - peer_id_len: usize, - ) -> psa_status_t; + /// \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. + /// For ECDSA, md_alg may never be MBEDTLS_MD_NONE. + pub fn mbedtls_pk_sign_ext( + pk_type: mbedtls_pk_type_t, + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Set the application role for a password-authenticated key exchange. + /// \brief Restartable version of \c mbedtls_pk_sign() /// - /// Not all PAKE algorithms need to differentiate the communicating entities. - /// It is optional to call this function for PAKEs that don't require a role - /// to be specified. For such PAKEs the application role parameter is ignored, - /// or #PSA_PAKE_ROLE_NONE can be passed as \c role. + /// \note Performs the same job as \c mbedtls_pk_sign(), but can + /// return early and restart according to the limit set with + /// \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC + /// operations. For RSA, same as \c mbedtls_pk_sign(). /// - /// Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - /// values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - /// for more information. + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign()) + /// \param hash Hash of the message to sign + /// \param hash_len Hash length + /// \param sig Place to write the signature. + /// It must have enough room for the signature. + /// #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. + /// You may use a smaller buffer if it is large enough + /// given the key type. + /// \param sig_size The size of the \p sig buffer in bytes. + /// \param sig_len On successful return, + /// the number of bytes written to \p sig. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter + /// \param rs_ctx Restart context (NULL to disable restart) /// - /// \param[in,out] operation The operation object to specify the - /// application's role for. It must have been set up - /// by psa_pake_setup() and not yet in use (neither - /// psa_pake_output() nor psa_pake_input() has been - /// called yet). It must be on operation for which - /// the application's role hasn't been specified - /// (psa_pake_set_role() hasn't been called yet). - /// \param role A value of type ::psa_pake_role_t indicating the - /// application's role in the PAKE the algorithm - /// that is being set up. For more information see - /// the documentation of \c PSA_PAKE_ROLE_XXX - /// constants. + /// \return See \c mbedtls_pk_sign(). + /// \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + /// operations was reached: see \c mbedtls_ecp_set_max_ops(). + pub fn mbedtls_pk_sign_restartable( + ctx: *mut mbedtls_pk_context, + md_alg: mbedtls_md_type_t, + hash: *const ::core::ffi::c_uchar, + hash_len: usize, + sig: *mut ::core::ffi::c_uchar, + sig_size: usize, + sig_len: *mut usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + rs_ctx: *mut mbedtls_pk_restart_ctx, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Decrypt message (including padding if relevant). /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// The \p role is not a valid PAKE role in the \p operation’s algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// The \p role for this algorithm is not supported or is not valid. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid, or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_set_role( - operation: *mut psa_pake_operation_t, - role: psa_pake_role_t, - ) -> psa_status_t; + /// \param ctx The PK context to use. It must have been set up + /// with a private key. + /// \param input Input to decrypt + /// \param ilen Input size + /// \param output Decrypted output + /// \param olen Decrypted message length + /// \param osize Size of the output buffer + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter + /// + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or OAEP, depending on the padding mode in + /// the underlying RSA context. For a pk object constructed by + /// parsing, this is PKCS#1 v1.5 by default. + /// + /// \return 0 on success, or a specific error code. + pub fn mbedtls_pk_decrypt( + ctx: *mut mbedtls_pk_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + osize: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Get output for a step of a password-authenticated key exchange. + /// \brief Encrypt message (including padding if relevant). /// - /// Depending on the algorithm being executed, you might need to call this - /// function several times or you might not need to call this at all. + /// \param ctx The PK context to use. It must have been set up. + /// \param input Message to encrypt + /// \param ilen Message size + /// \param output Encrypted output + /// \param olen Encrypted output length + /// \param osize Size of the output buffer + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + /// either PKCS#1 v1.5 or OAEP, depending on the padding mode in + /// the underlying RSA context. For a pk object constructed by + /// parsing, this is PKCS#1 v1.5 by default. /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_pake_abort(). + /// \note \p f_rng is used for padding generation. /// - /// \param[in,out] operation Active PAKE operation. - /// \param step The step of the algorithm for which the output is - /// requested. - /// \param[out] output Buffer where the output is to be written in the - /// format appropriate for this \p step. Refer to - /// the documentation of the individual - /// \c PSA_PAKE_STEP_XXX constants for more - /// information. - /// \param output_size Size of the \p output buffer in bytes. This must - /// be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \p - /// primitive, \p step) where \p alg and - /// \p primitive are the PAKE algorithm and primitive - /// in the operation's cipher suite, and \p step is - /// the output step. + /// \return 0 on success, or a specific error code. + pub fn mbedtls_pk_encrypt( + ctx: *mut mbedtls_pk_context, + input: *const ::core::ffi::c_uchar, + ilen: usize, + output: *mut ::core::ffi::c_uchar, + olen: *mut usize, + osize: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Check if a public-private pair of keys matches. /// - /// \param[out] output_length On success, the number of bytes of the returned - /// output. + /// \param pub Context holding a public key. + /// \param prv Context holding a private (and public) key. + /// \param f_rng RNG function, must not be \c NULL. + /// \param p_rng RNG parameter /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_BUFFER_TOO_SMALL - /// The size of the \p output buffer is too small. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p step is not compatible with the operation's algorithm. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p step is not supported with the operation's algorithm. - /// \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and fully set - /// up, and this call must conform to the algorithm's requirements - /// for ordering of input and output steps), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_output( - operation: *mut psa_pake_operation_t, - step: psa_pake_step_t, - output: *mut u8, - output_size: usize, - output_length: *mut usize, - ) -> psa_status_t; + /// \return \c 0 on success (keys were checked and match each other). + /// \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not + /// be checked - in that case they may or may not match. + /// \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid. + /// \return Another non-zero value if the keys do not match. + pub fn mbedtls_pk_check_pair( + pub_: *const mbedtls_pk_context, + prv: *const mbedtls_pk_context, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Provide input for a step of a password-authenticated key exchange. + /// \brief Export debug information /// - /// Depending on the algorithm being executed, you might need to call this - /// function several times or you might not need to call this at all. + /// \param ctx The PK context to use. It must have been initialized. + /// \param items Place to write debug items /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA + pub fn mbedtls_pk_debug( + ctx: *const mbedtls_pk_context, + items: *mut mbedtls_pk_debug_item, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Access the type name /// - /// If this function returns an error status, the operation enters an error - /// state and must be aborted by calling psa_pake_abort(). + /// \param ctx The PK context to use. It must have been initialized. /// - /// \param[in,out] operation Active PAKE operation. - /// \param step The step for which the input is provided. - /// \param[in] input Buffer containing the input in the format - /// appropriate for this \p step. Refer to the - /// documentation of the individual - /// \c PSA_PAKE_STEP_XXX constants for more - /// information. - /// \param input_length Size of the \p input buffer in bytes. + /// \return Type name on success, or "invalid PK" + pub fn mbedtls_pk_get_name(ctx: *const mbedtls_pk_context) -> *const ::core::ffi::c_char; +} +unsafe extern "C" { + /// \brief Get the key type /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_SIGNATURE - /// The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// \p is not compatible with the \p operation’s algorithm, or the - /// \p input is not valid for the \p operation's algorithm, cipher suite - /// or \p step. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// \p step p is not supported with the \p operation's algorithm, or the - /// \p input is not supported for the \p operation's algorithm, cipher - /// suite or \p step. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The operation state is not valid (it must be active, and fully set - /// up, and this call must conform to the algorithm's requirements - /// for ordering of input and output steps), or - /// the library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_input( - operation: *mut psa_pake_operation_t, - step: psa_pake_step_t, - input: *const u8, - input_length: usize, - ) -> psa_status_t; + /// \param ctx The PK context to use. It must have been initialized. + /// + /// \return Type on success. + /// \return #MBEDTLS_PK_NONE for a context that has not been set up. + pub fn mbedtls_pk_get_type(ctx: *const mbedtls_pk_context) -> mbedtls_pk_type_t; } unsafe extern "C" { - /// Get implicitly confirmed shared secret from a PAKE. + /// \ingroup pk_module */ + ////** + /// \brief Parse a private key in PEM or DER format /// - /// At this point there is a cryptographic guarantee that only the authenticated - /// party who used the same password is able to compute the key. But there is no - /// guarantee that the peer is the party it claims to be and was able to do so. + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. /// - /// That is, the authentication is only implicit. Since the peer is not - /// authenticated yet, no action should be taken yet that assumes that the peer - /// is who it claims to be. For example, do not access restricted files on the - /// peer's behalf until an explicit authentication has succeeded. + /// \param ctx The PK context to fill. It must have been initialized + /// but not set up. + /// \param key Input buffer to parse. + /// The buffer must contain the input exactly, with no + /// extra trailing material. For PEM, the buffer must + /// contain a null-terminated string. + /// \param keylen Size of \b key in bytes. + /// For PEM data, this includes the terminating null byte, + /// so \p keylen must be equal to `strlen(key) + 1`. + /// \param pwd Optional password for decryption. + /// Pass \c NULL if expecting a non-encrypted key. + /// Pass a string of \p pwdlen bytes if expecting an encrypted + /// key; a non-encrypted key will also be accepted. + /// The empty password is not supported. + /// \param pwdlen Size of the password in bytes. + /// Ignored if \p pwd is \c NULL. + /// \param f_rng RNG function, must not be \c NULL. Used for blinding. + /// \param p_rng RNG parameter /// - /// This function can be called after the key exchange phase of the operation - /// has completed. It imports the shared secret output of the PAKE into the - /// provided derivation operation. The input step - /// #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key - /// material in the key derivation operation. + /// \note On entry, ctx must be empty, either freshly initialised + /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a + /// specific key type, check the result with mbedtls_pk_can_do(). /// - /// The exact sequence of calls to perform a password-authenticated key - /// exchange depends on the algorithm in use. Refer to the documentation of - /// individual PAKE algorithm types (`PSA_ALG_XXX` values of type - /// ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - /// information. + /// \note The key is also checked for correctness. /// - /// When this function returns successfully, \p operation becomes inactive. - /// If this function returns an error status, both \p operation - /// and \p key_derivation operations enter an error state and must be aborted by - /// calling psa_pake_abort() and psa_key_derivation_abort() respectively. + /// \return 0 if successful, or a specific PK or PEM error code + pub fn mbedtls_pk_parse_key( + ctx: *mut mbedtls_pk_context, + key: *const ::core::ffi::c_uchar, + keylen: usize, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + f_rng: mbedtls_f_rng_t, + p_rng: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \ingroup pk_module */ + ////** + /// \brief Parse a public key in PEM or DER format /// - /// \param[in,out] operation Active PAKE operation. - /// \param[out] output A key derivation operation that is ready - /// for an input step of type - /// #PSA_KEY_DERIVATION_INPUT_SECRET. + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_INVALID_ARGUMENT - /// #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the - /// algorithm in the \p output key derivation operation. - /// \retval #PSA_ERROR_NOT_SUPPORTED - /// Input from a PAKE is not supported by the algorithm in the \p output - /// key derivation operation. - /// \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - /// \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - /// \retval #PSA_ERROR_DATA_INVALID \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The PAKE operation state is not valid (it must be active, but beyond - /// that validity is specific to the algorithm), or - /// the library has not been previously initialized by psa_crypto_init(), - /// or the state of \p output is not valid for - /// the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the - /// step is out of order or the application has done this step already - /// and it may not be repeated. - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_get_implicit_key( - operation: *mut psa_pake_operation_t, - output: *mut psa_key_derivation_operation_t, - ) -> psa_status_t; + /// \param ctx The PK context to fill. It must have been initialized + /// but not set up. + /// \param key Input buffer to parse. + /// The buffer must contain the input exactly, with no + /// extra trailing material. For PEM, the buffer must + /// contain a null-terminated string. + /// \param keylen Size of \b key in bytes. + /// For PEM data, this includes the terminating null byte, + /// so \p keylen must be equal to `strlen(key) + 1`. + /// + /// \note On entry, ctx must be empty, either freshly initialised + /// with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a + /// specific key type, check the result with mbedtls_pk_can_do(). + /// + /// \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for + /// limitations. + /// + /// \note The key is also checked for correctness. + /// + /// \return 0 if successful, or a specific PK or PEM error code + pub fn mbedtls_pk_parse_public_key( + ctx: *mut mbedtls_pk_context, + key: *const ::core::ffi::c_uchar, + keylen: usize, + ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// Abort a PAKE operation. + /// \brief Write a private key to a PKCS#1 or SEC1 DER structure + /// Note: data is written at the end of the buffer! Use the + /// return value to determine where you should start + /// using the buffer /// - /// Aborting an operation frees all associated resources except for the \c - /// operation structure itself. Once aborted, the operation object can be reused - /// for another operation by calling psa_pake_setup() again. + /// \param ctx PK context which must contain a valid private key. + /// \param buf buffer to write to + /// \param size size of the buffer /// - /// This function may be called at any time after the operation - /// object has been initialized as described in #psa_pake_operation_t. + /// \return length of data written if successful, or a specific + /// error code + pub fn mbedtls_pk_write_key_der( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Write a public key to a SubjectPublicKeyInfo DER structure + /// Note: data is written at the end of the buffer! Use the + /// return value to determine where you should start + /// using the buffer /// - /// In particular, calling psa_pake_abort() after the operation has been - /// terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() - /// is safe and has no effect. + /// \param ctx PK context which must contain a valid public or private key. + /// \param buf buffer to write to + /// \param size size of the buffer /// - /// \param[in,out] operation The operation to abort. + /// \return length of data written if successful, or a specific + /// error code + pub fn mbedtls_pk_write_pubkey_der( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Write a public key to a PEM string /// - /// \retval #PSA_SUCCESS - /// Success. - /// \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - /// \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - /// \retval #PSA_ERROR_BAD_STATE - /// The library has not been previously initialized by psa_crypto_init(). - /// It is implementation-dependent whether a failure to initialize - /// results in this error code. - pub fn psa_pake_abort(operation: *mut psa_pake_operation_t) -> psa_status_t; + /// \param ctx PK context which must contain a valid public or private key. + /// \param buf Buffer to write to. The output includes a + /// terminating null byte. + /// \param size Size of the buffer in bytes. + /// + /// \return 0 if successful, or a specific error code + pub fn mbedtls_pk_write_pubkey_pem( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; } -#[repr(C)] -#[derive(Default, Copy, Clone)] -pub struct psa_pake_cipher_suite_s { - pub algorithm: psa_algorithm_t, - pub type_: psa_pake_primitive_type_t, - pub family: psa_pake_family_t, - pub bits: u16, - pub hash: psa_algorithm_t, +unsafe extern "C" { + /// \brief Write a private key to a PKCS#1 or SEC1 PEM string + /// + /// \param ctx PK context which must contain a valid private key. + /// \param buf Buffer to write to. The output includes a + /// terminating null byte. + /// \param size Size of the buffer in bytes. + /// + /// \return 0 if successful, or a specific error code + pub fn mbedtls_pk_write_key_pem( + ctx: *const mbedtls_pk_context, + buf: *mut ::core::ffi::c_uchar, + size: usize, + ) -> ::core::ffi::c_int; } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_crypto_driver_pake_inputs_s { - pub private_password: *mut u8, - pub private_password_len: usize, - pub private_role: psa_pake_role_t, - pub private_user: *mut u8, - pub private_user_len: usize, - pub private_peer: *mut u8, - pub private_peer_len: usize, - pub private_attributes: psa_key_attributes_t, - pub private_cipher_suite: psa_pake_cipher_suite_t, +unsafe extern "C" { + /// \brief Parse a SubjectPublicKeyInfo DER structure + /// + /// \param p the position in the ASN.1 data + /// \param end end of the buffer + /// \param pk The PK context to fill. It must have been initialized + /// but not set up. + /// + /// \return 0 if successful, or a specific PK error code + pub fn mbedtls_pk_parse_subpubkey( + p: *mut *mut ::core::ffi::c_uchar, + end: *const ::core::ffi::c_uchar, + pk: *mut mbedtls_pk_context, + ) -> ::core::ffi::c_int; } -impl Default for psa_crypto_driver_pake_inputs_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + /// \brief Write a subjectPublicKey to ASN.1 data + /// Note: function works backwards in data buffer + /// + /// \param p reference to current position pointer + /// \param start start of the buffer (for bounds-checking) + /// \param key PK context which must contain a valid public or private key. + /// + /// \return the length written or a negative error code + pub fn mbedtls_pk_write_pubkey( + p: *mut *mut ::core::ffi::c_uchar, + start: *mut ::core::ffi::c_uchar, + key: *const mbedtls_pk_context, + ) -> ::core::ffi::c_int; } -pub const psa_jpake_step_PSA_PAKE_STEP_INVALID: psa_jpake_step = 0; -pub const psa_jpake_step_PSA_PAKE_STEP_X1_X2: psa_jpake_step = 1; -pub const psa_jpake_step_PSA_PAKE_STEP_X2S: psa_jpake_step = 2; -pub const psa_jpake_step_PSA_PAKE_STEP_DERIVE: psa_jpake_step = 3; -pub type psa_jpake_step = ::core::ffi::c_uint; -pub use self::psa_jpake_step as psa_jpake_step_t; -pub const psa_jpake_state_PSA_PAKE_STATE_INVALID: psa_jpake_state = 0; -pub const psa_jpake_state_PSA_PAKE_STATE_SETUP: psa_jpake_state = 1; -pub const psa_jpake_state_PSA_PAKE_STATE_READY: psa_jpake_state = 2; -pub const psa_jpake_state_PSA_PAKE_OUTPUT_X1_X2: psa_jpake_state = 3; -pub const psa_jpake_state_PSA_PAKE_OUTPUT_X2S: psa_jpake_state = 4; -pub const psa_jpake_state_PSA_PAKE_INPUT_X1_X2: psa_jpake_state = 5; -pub const psa_jpake_state_PSA_PAKE_INPUT_X4S: psa_jpake_state = 6; -pub type psa_jpake_state = ::core::ffi::c_uint; -pub use self::psa_jpake_state as psa_jpake_state_t; -pub const psa_jpake_sequence_PSA_PAKE_SEQ_INVALID: psa_jpake_sequence = 0; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_KEY_SHARE: psa_jpake_sequence = 1; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_ZK_PUBLIC: psa_jpake_sequence = 2; -pub const psa_jpake_sequence_PSA_PAKE_X1_STEP_ZK_PROOF: psa_jpake_sequence = 3; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_KEY_SHARE: psa_jpake_sequence = 4; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_ZK_PUBLIC: psa_jpake_sequence = 5; -pub const psa_jpake_sequence_PSA_PAKE_X2_STEP_ZK_PROOF: psa_jpake_sequence = 6; -pub const psa_jpake_sequence_PSA_PAKE_SEQ_END: psa_jpake_sequence = 7; -pub type psa_jpake_sequence = ::core::ffi::c_uint; -pub use self::psa_jpake_sequence as psa_jpake_sequence_t; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_STEP_INVALID: psa_crypto_driver_pake_step = 0; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 1; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 2; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X1_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 3; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 4; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 5; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 6; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = 7; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = 8; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X2S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 9; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_KEY_SHARE: psa_crypto_driver_pake_step = +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_NONE: mbedtls_key_exchange_type_t = 0; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA: mbedtls_key_exchange_type_t = 1; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_RSA: mbedtls_key_exchange_type_t = 2; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: mbedtls_key_exchange_type_t = + 3; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + mbedtls_key_exchange_type_t = 4; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_PSK: mbedtls_key_exchange_type_t = 5; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_DHE_PSK: mbedtls_key_exchange_type_t = 6; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_RSA_PSK: mbedtls_key_exchange_type_t = 7; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: mbedtls_key_exchange_type_t = + 8; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_RSA: mbedtls_key_exchange_type_t = + 9; +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: mbedtls_key_exchange_type_t = 10; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PUBLIC: psa_crypto_driver_pake_step = +pub const mbedtls_key_exchange_type_t_MBEDTLS_KEY_EXCHANGE_ECJPAKE: mbedtls_key_exchange_type_t = 11; -pub const psa_crypto_driver_pake_step_PSA_JPAKE_X4S_STEP_ZK_PROOF: psa_crypto_driver_pake_step = 12; -pub type psa_crypto_driver_pake_step = ::core::ffi::c_uint; -pub use self::psa_crypto_driver_pake_step as psa_crypto_driver_pake_step_t; -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_jpake_computation_stage_s { - pub private_state: psa_jpake_state_t, - pub private_sequence: psa_jpake_sequence_t, - pub private_input_step: psa_jpake_step_t, - pub private_output_step: psa_jpake_step_t, -} -impl Default for psa_jpake_computation_stage_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -#[repr(C)] -#[derive(Copy, Clone)] -pub struct psa_pake_operation_s { - /// Unique ID indicating which driver got assigned to do the - /// operation. Since driver contexts are driver-specific, swapping - /// drivers halfway through the operation is not supported. - /// ID values are auto-generated in psa_crypto_driver_wrappers.h - /// ID value zero means the context is not valid or not assigned to - /// any driver (i.e. none of the driver contexts are active). - pub private_id: ::core::ffi::c_uint, - pub private_alg: psa_algorithm_t, - pub private_stage: u8, - pub private_computation_stage: psa_pake_operation_s__bindgen_ty_1, - pub private_data: psa_pake_operation_s__bindgen_ty_2, -} +pub type mbedtls_key_exchange_type_t = ::core::ffi::c_uint; +/// \brief This structure is used for storing ciphersuite information +/// +/// \note members are defined using integral types instead of enums +/// in order to pack structure and reduce memory usage by internal +/// \c ciphersuite_definitions[] #[repr(C)] #[derive(Copy, Clone)] -pub union psa_pake_operation_s__bindgen_ty_1 { - pub private_dummy: u8, - pub private_jpake: psa_jpake_computation_stage_t, +pub struct mbedtls_ssl_ciphersuite_t { + pub private_id: ::core::ffi::c_int, + pub private_name: *const ::core::ffi::c_char, + pub private_cipher: u8, + pub private_mac: u8, + pub private_key_exchange: u8, + pub private_flags: u8, + pub private_min_tls_version: u16, + pub private_max_tls_version: u16, } -impl Default for psa_pake_operation_s__bindgen_ty_1 { +impl Default for mbedtls_ssl_ciphersuite_t { fn default() -> Self { let mut s = ::core::mem::MaybeUninit::::uninit(); unsafe { @@ -18649,29 +19849,23 @@ impl Default for psa_pake_operation_s__bindgen_ty_1 { } } } -#[repr(C)] -#[derive(Copy, Clone)] -pub union psa_pake_operation_s__bindgen_ty_2 { - pub private_ctx: psa_driver_pake_context_t, - pub private_inputs: psa_crypto_driver_pake_inputs_t, +unsafe extern "C" { + pub fn mbedtls_ssl_list_ciphersuites() -> *const ::core::ffi::c_int; } -impl Default for psa_pake_operation_s__bindgen_ty_2 { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_from_string( + ciphersuite_name: *const ::core::ffi::c_char, + ) -> *const mbedtls_ssl_ciphersuite_t; } -impl Default for psa_pake_operation_s { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_from_id( + ciphersuite_id: ::core::ffi::c_int, + ) -> *const mbedtls_ssl_ciphersuite_t; +} +unsafe extern "C" { + pub fn mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( + info: *const mbedtls_ssl_ciphersuite_t, + ) -> usize; } /// Type-length-value structure that allows for ASN1 using DER. pub type mbedtls_x509_buf = mbedtls_asn1_buf; @@ -18682,6 +19876,23 @@ pub type mbedtls_x509_bitstring = mbedtls_asn1_bitstring; pub type mbedtls_x509_name = mbedtls_asn1_named_data; /// Container for a sequence of ASN.1 items pub type mbedtls_x509_sequence = mbedtls_asn1_sequence; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_x509_authority { + pub keyIdentifier: mbedtls_x509_buf, + pub authorityCertIssuer: mbedtls_x509_sequence, + pub authorityCertSerialNumber: mbedtls_x509_buf, + pub raw: mbedtls_x509_buf, +} +impl Default for mbedtls_x509_authority { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} /// Container for date and time (precision in seconds). #[repr(C)] #[derive(Default, Copy, Clone)] @@ -18773,9 +19984,9 @@ pub struct mbedtls_x509_subject_alternative_name { #[repr(C)] #[derive(Copy, Clone)] pub union mbedtls_x509_subject_alternative_name__bindgen_ty_1 { - ///< The otherName supported type. pub other_name: mbedtls_x509_san_other_name, - ///< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported + pub directory_name: mbedtls_x509_name, + ///< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. pub unstructured_name: mbedtls_x509_buf, } impl Default for mbedtls_x509_subject_alternative_name__bindgen_ty_1 { @@ -18796,6 +20007,21 @@ impl Default for mbedtls_x509_subject_alternative_name { } } } +#[repr(C)] +#[derive(Copy, Clone)] +pub struct mbedtls_x509_san_list { + pub node: mbedtls_x509_subject_alternative_name, + pub next: *mut mbedtls_x509_san_list, +} +impl Default for mbedtls_x509_san_list { + fn default() -> Self { + let mut s = ::core::mem::MaybeUninit::::uninit(); + unsafe { + ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); + s.assume_init() + } + } +} unsafe extern "C" { /// \brief Store the certificate DN in printable form into buf; /// no more than size characters will be written. @@ -18812,6 +20038,26 @@ unsafe extern "C" { dn: *const mbedtls_x509_name, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Convert the certificate DN string \p name into + /// a linked list of mbedtls_x509_name (equivalent to + /// mbedtls_asn1_named_data). + /// + /// \note This function allocates a linked list, and places the head + /// pointer in \p head. This list must later be freed by a + /// call to mbedtls_asn1_free_named_data_list(). + /// + /// \param[out] head Address in which to store the pointer to the head of the + /// allocated list of mbedtls_x509_name. Must point to NULL on + /// entry. + /// \param[in] name The string representation of a DN to convert + /// + /// \return 0 on success, or a negative error code. + pub fn mbedtls_x509_string_to_names( + head: *mut *mut mbedtls_asn1_named_data, + name: *const ::core::ffi::c_char, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Store the certificate serial in printable form into buf; /// no more than size characters will be written. @@ -18828,6 +20074,20 @@ unsafe extern "C" { serial: *const mbedtls_x509_buf, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Compare pair of mbedtls_x509_time. + /// + /// \param t1 mbedtls_x509_time to compare + /// \param t2 mbedtls_x509_time to compare + /// + /// \return < 0 if t1 is before t2 + /// 0 if t1 equals t2 + /// > 0 if t1 is after t2 + pub fn mbedtls_x509_time_cmp( + t1: *const mbedtls_x509_time, + t2: *const mbedtls_x509_time, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Check a given mbedtls_x509_time against the system time /// and tell if it's in the past. @@ -18856,21 +20116,25 @@ unsafe extern "C" { } unsafe extern "C" { /// \brief This function parses an item in the SubjectAlternativeNames - /// extension. + /// extension. Please note that this function might allocate + /// additional memory for a subject alternative name, thus + /// mbedtls_x509_free_subject_alt_name has to be called + /// to dispose of this additional memory afterwards. /// /// \param san_buf The buffer holding the raw data item of the subject /// alternative name. /// \param san The target structure to populate with the parsed presentation - /// of the subject alternative name encoded in \p san_raw. + /// of the subject alternative name encoded in \p san_buf. /// /// \note Supported GeneralName types, as defined in RFC 5280: - /// "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name" + /// "rfc822Name", "dnsName", "directoryName", + /// "uniformResourceIdentifier" and "hardware_module_name" /// of type "otherName", as defined in RFC 4108. /// /// \note This function should be called on a single raw data of /// subject alternative name. For example, after successful /// certificate parsing, one must iterate on every item in the - /// \p crt->subject_alt_names sequence, and pass it to + /// \c crt->subject_alt_names sequence, and pass it to /// this function. /// /// \warning The target structure contains pointers to the raw data of the @@ -18887,173 +20151,29 @@ unsafe extern "C" { ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \} addtogroup x509_module - pub fn mbedtls_x509_get_name( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - cur: *mut mbedtls_x509_name, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_alg_null( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - alg: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_alg( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - alg: *mut mbedtls_x509_buf, - params: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_rsassa_pss_params( - params: *const mbedtls_x509_buf, - md_alg: *mut mbedtls_md_type_t, - mgf_md: *mut mbedtls_md_type_t, - salt_len: *mut ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_sig( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - sig: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_sig_alg( - sig_oid: *const mbedtls_x509_buf, - sig_params: *const mbedtls_x509_buf, - md_alg: *mut mbedtls_md_type_t, - pk_alg: *mut mbedtls_pk_type_t, - sig_opts: *mut *mut ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_time( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - t: *mut mbedtls_x509_time, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_serial( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - serial: *mut mbedtls_x509_buf, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_ext( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - ext: *mut mbedtls_x509_buf, - tag: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_sig_alg_gets( - buf: *mut ::core::ffi::c_char, - size: usize, - sig_oid: *const mbedtls_x509_buf, - pk_alg: mbedtls_pk_type_t, - md_alg: mbedtls_md_type_t, - sig_opts: *const ::core::ffi::c_void, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_key_size_helper( - buf: *mut ::core::ffi::c_char, - buf_size: usize, - name: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_string_to_names( - head: *mut *mut mbedtls_asn1_named_data, - name: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_set_extension( - head: *mut *mut mbedtls_asn1_named_data, - oid: *const ::core::ffi::c_char, - oid_len: usize, - critical: ::core::ffi::c_int, - val: *const ::core::ffi::c_uchar, - val_len: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_extensions( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - first: *mut mbedtls_asn1_named_data, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_names( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - first: *mut mbedtls_asn1_named_data, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_write_sig( - p: *mut *mut ::core::ffi::c_uchar, - start: *mut ::core::ffi::c_uchar, - oid: *const ::core::ffi::c_char, - oid_len: usize, - sig: *mut ::core::ffi::c_uchar, - size: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_ns_cert_type( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - ns_cert_type: *mut ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_key_usage( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - key_usage: *mut ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_get_subject_alt_name( - p: *mut *mut ::core::ffi::c_uchar, - end: *const ::core::ffi::c_uchar, - subject_alt_name: *mut mbedtls_x509_sequence, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_info_subject_alt_name( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - subject_alt_name: *const mbedtls_x509_sequence, - prefix: *const ::core::ffi::c_char, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - pub fn mbedtls_x509_info_cert_type( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - ns_cert_type: ::core::ffi::c_uchar, - ) -> ::core::ffi::c_int; + /// \brief Unallocate all data related to subject alternative name + /// + /// \param san SAN structure - extra memory owned by this structure will be freed + pub fn mbedtls_x509_free_subject_alt_name(san: *mut mbedtls_x509_subject_alternative_name); } unsafe extern "C" { - pub fn mbedtls_x509_info_key_usage( - buf: *mut *mut ::core::ffi::c_char, - size: *mut usize, - key_usage: ::core::ffi::c_uint, - ) -> ::core::ffi::c_int; + /// \brief This function parses a CN string as an IP address. + /// + /// \param cn The CN string to parse. CN string MUST be null-terminated. + /// \param dst The target buffer to populate with the binary IP address. + /// The buffer MUST be 16 bytes to save IPv6, and should be + /// 4-byte aligned if the result will be used as struct in_addr. + /// e.g. uint32_t dst[4] + /// + /// \note \p cn is parsed as an IPv6 address if string contains ':', + /// else \p cn is parsed as an IPv4 address. + /// + /// \return Length of binary IP address; num bytes written to target. + /// \return \c 0 on failure to parse CN string as an IP address. + pub fn mbedtls_x509_crt_parse_cn_inet_pton( + cn: *const ::core::ffi::c_char, + dst: *mut ::core::ffi::c_void, + ) -> usize; } /// Certificate revocation list entry. /// Contains the CA-specific serial numbers and revocation dates. @@ -19245,8 +20365,12 @@ pub struct mbedtls_x509_crt { pub subject_id: mbedtls_x509_buf, ///< Optional X.509 v3 extensions. pub v3_ext: mbedtls_x509_buf, - ///< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier and OtherName are listed). + ///< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. pub subject_alt_names: mbedtls_x509_sequence, + ///< Optional X.509 v3 extension subject key identifier. + pub subject_key_id: mbedtls_x509_buf, + ///< Optional X.509 v3 extension authority key identifier. + pub authority_key_id: mbedtls_x509_authority, ///< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). pub certificate_policies: mbedtls_x509_sequence, ///< Bit string containing detected and parsed extensions @@ -19345,6 +20469,22 @@ impl Default for mbedtls_x509write_cert { } } } +unsafe extern "C" { + /// \brief Set Subject Alternative Name + /// + /// \param ctx Certificate context to use + /// \param san_list List of SAN values + /// + /// \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + /// + /// \note "dnsName", "uniformResourceIdentifier", "IP address", + /// "otherName", and "DirectoryName", as defined in RFC 5280, + /// are supported. + pub fn mbedtls_x509write_crt_set_subject_alternative_name( + ctx: *mut mbedtls_x509write_cert, + san_list: *const mbedtls_x509_san_list, + ) -> ::core::ffi::c_int; +} /// Item in a verification chain: cert and flags for it #[repr(C)] #[derive(Copy, Clone)] @@ -19683,8 +20823,12 @@ unsafe extern "C" { /// \param cn The expected Common Name. This will be checked to be /// present in the certificate's subjectAltNames extension or, /// if this extension is absent, as a CN component in its - /// Subject name. Currently only DNS names are supported. This - /// may be \c NULL if the CN need not be verified. + /// Subject name. DNS names and IP addresses are fully + /// supported, while the URI subtype is partially supported: + /// only exact matching, without any normalization procedures + /// described in 7.4 of RFC5280, will result in a positive + /// URI verification. + /// This may be \c NULL if the CN need not be verified. /// \param flags The address at which to store the result of the verification. /// If the verification couldn't be completed, the flag value is /// set to (uint32_t) -1. @@ -19915,6 +21059,16 @@ unsafe extern "C" { /// \param crt Certificate chain to free pub fn mbedtls_x509_crt_free(crt: *mut mbedtls_x509_crt); } +unsafe extern "C" { + /// \brief Access the ca_istrue field + /// + /// \param[in] crt Certificate to be queried, must not be \c NULL + /// + /// \return \c 1 if this a CA certificate \c 0 otherwise. + /// \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not contain + /// the Optional Basic Constraint extension. + pub fn mbedtls_x509_crt_get_ca_istrue(crt: *const mbedtls_x509_crt) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Initialize a CRT writing context /// @@ -19995,7 +21149,7 @@ unsafe extern "C" { /// \brief Set the issuer name for a Certificate /// Issuer names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS CA" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS CA" /// /// \param ctx CRT context to use /// \param issuer_name issuer name to set @@ -20011,7 +21165,7 @@ unsafe extern "C" { /// \brief Set the subject name for a Certificate /// Subject names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1" /// /// \param ctx CRT context to use /// \param subject_name subject name to set @@ -20181,13 +21335,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_cert, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20207,13 +21355,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_cert, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20334,13 +21476,7 @@ unsafe extern "C" { x_size: ::core::ffi::c_int, output: *mut ::core::ffi::c_uchar, olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20413,13 +21549,7 @@ unsafe extern "C" { x_size: ::core::ffi::c_int, output: *mut ::core::ffi::c_uchar, olen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20453,13 +21583,7 @@ unsafe extern "C" { output: *mut ::core::ffi::c_uchar, output_size: usize, olen: *mut usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20490,7 +21614,7 @@ unsafe extern "C" { /// initialized. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p field is invalid. + /// \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p param is invalid. /// \return An \c MBEDTLS_ERR_MPI_XXX error code if the copy fails. pub fn mbedtls_dhm_get_value( ctx: *const mbedtls_dhm_context, @@ -20618,6 +21742,18 @@ impl Default for mbedtls_ecdh_context { } } } +unsafe extern "C" { + /// \brief Return the ECP group for provided context. + /// + /// \note To access group specific fields, users should use + /// `mbedtls_ecp_curve_info_from_grp_id` or + /// `mbedtls_ecp_group_load` on the extracted `group_id`. + /// + /// \param ctx The ECDH context to parse. This must not be \c NULL. + /// + /// \return The \c mbedtls_ecp_group_id of the context. + pub fn mbedtls_ecdh_get_grp_id(ctx: *mut mbedtls_ecdh_context) -> mbedtls_ecp_group_id; +} unsafe extern "C" { /// \brief Check whether a given group can be used for ECDH. /// @@ -20654,13 +21790,7 @@ unsafe extern "C" { grp: *mut mbedtls_ecp_group, d: *mut mbedtls_mpi, Q: *mut mbedtls_ecp_point, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20699,13 +21829,7 @@ unsafe extern "C" { z: *mut mbedtls_mpi, Q: *const mbedtls_ecp_point, d: *const mbedtls_mpi, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20772,13 +21896,7 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20814,7 +21932,7 @@ unsafe extern "C" { /// \brief This function sets up an ECDH context from an EC key. /// /// It is used by clients and servers in place of the - /// ServerKeyEchange for static ECDH, and imports ECDH + /// ServerKeyExchange for static ECDH, and imports ECDH /// parameters from the EC key information of a certificate. /// /// \see ecp.h @@ -20863,13 +21981,7 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -20930,19 +22042,14 @@ unsafe extern "C" { olen: *mut usize, buf: *mut ::core::ffi::c_uchar, blen: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } #[repr(C)] #[derive(Copy, Clone)] pub union mbedtls_ssl_premaster_secret { + pub dummy: ::core::ffi::c_uchar, pub _pms_rsa: [::core::ffi::c_uchar; 48usize], pub _pms_dhm: [::core::ffi::c_uchar; 1024usize], pub _pms_ecdh: [::core::ffi::c_uchar; 66usize], @@ -21214,6 +22321,8 @@ pub struct mbedtls_ssl_session { ///< MaxFragmentLength negotiated by peer pub private_mfl_code: ::core::ffi::c_uchar, pub private_exported: ::core::ffi::c_uchar, + ///< 0: client, 1: server + pub private_endpoint: u8, /// TLS version negotiated in the session. Used if and when renegotiating /// or resuming a session instead of the configured minor TLS version. pub private_tls_version: mbedtls_ssl_protocol_version, @@ -21232,15 +22341,13 @@ pub struct mbedtls_ssl_session { ///< RFC 5077 session ticket pub private_ticket: *mut ::core::ffi::c_uchar, ///< session ticket length - pub private_ticket_len: usize, - ///< ticket lifetime hint - pub private_ticket_lifetime: u32, - ///< 0: client, 1: server - pub private_endpoint: u8, - ///< Ticket flags - pub private_ticket_flags: u8, + pub private_ticket_len: usize, + ///< ticket lifetime hint + pub private_ticket_lifetime: u32, ///< Randomly generated value used to obscure the age of the ticket pub private_ticket_age_add: u32, + ///< Ticket flags + pub private_ticket_flags: u8, ///< resumption_key length pub private_resumption_key_len: u8, pub private_resumption_key: [::core::ffi::c_uchar; 48usize], @@ -21579,22 +22686,30 @@ pub struct mbedtls_ssl_context { ///number of retransmissions of request if ///renego_max_records is < 0 pub private_renego_records_seen: ::core::ffi::c_int, - /// Server: Negotiated TLS protocol version. - /// Client: Maximum TLS version to be negotiated, then negotiated TLS - /// version. - /// - /// It is initialized as the maximum TLS version to be negotiated in the - /// ClientHello writing preparation stage and used throughout the - /// ClientHello writing. For a fresh handshake not linked to any previous - /// handshake, it is initialized to the configured maximum TLS version - /// to be negotiated. When renegotiating or resuming a session, it is - /// initialized to the previously negotiated TLS version. - /// - /// Updated to the negotiated TLS version as soon as the ServerHello is - /// received. + /// Maximum TLS version to be negotiated, then negotiated TLS version. + /// + /// It is initialized as the configured maximum TLS version to be + /// negotiated by mbedtls_ssl_setup(). + /// + /// When renegotiating or resuming a session, it is overwritten in the + /// ClientHello writing preparation stage with the previously negotiated + /// TLS version. + /// + /// On client side, it is updated to the TLS version selected by the server + /// for the handshake when the ServerHello is received. + /// + /// On server side, it is updated to the TLS version the server selects for + /// the handshake when the ClientHello is received. pub private_tls_version: mbedtls_ssl_protocol_version, - ///< records with a bad MAC received - pub private_badmac_seen: ::core::ffi::c_uint, + /// Multipurpose field. + /// + /// - DTLS: records with a bad MAC received. + /// - TLS: accumulated length of handshake fragments (up to \c in_hslen). + /// + /// This field is multipurpose in order to preserve the ABI in the + /// Mbed TLS 3.6 LTS branch. Until 3.6.2, it was only used in DTLS + /// and called `badmac_seen`. + pub private_badmac_seen_or_in_hsfraglen: ::core::ffi::c_uint, /// Callback to customize X.509 certificate chain verification pub private_f_vrfy: ::core::option::Option< unsafe extern "C" fn( @@ -21731,8 +22846,33 @@ pub struct mbedtls_ssl_context { pub private_cur_out_ctr: [::core::ffi::c_uchar; 8usize], ///< path mtu, used to fragment outgoing messages pub private_mtu: u16, - ///< expected peer CN for verification - ///(and SNI if available) + /// Expected peer CN for verification. + /// + /// Also used on clients for SNI, + /// and for TLS 1.3 session resumption using tickets. + /// + /// The value of this field can be: + /// - \p NULL in a newly initialized or reset context. + /// - A heap-allocated copy of the last value passed to + /// mbedtls_ssl_set_hostname(), if the last call had a non-null + /// \p hostname argument. + /// - A special value to indicate that mbedtls_ssl_set_hostname() + /// was called with \p NULL (as opposed to never having been called). + /// See `mbedtls_ssl_get_hostname_pointer()` in `ssl_tls.c`. + /// + /// If this field contains the value \p NULL and the configuration option + /// #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// is unset, on a TLS client, attempting to verify a server certificate + /// results in the error + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME. + /// + /// If this field contains the special value described above, or if + /// the value is \p NULL and the configuration option + /// #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// is set, then the peer name verification is skipped, which may be + /// insecure, especially on a client. Furthermore, on a client, the + /// server_name extension is not sent, and the server name is ignored + /// in TLS 1.3 session resumption using tickets. pub private_hostname: *mut ::core::ffi::c_char, ///< negotiated protocol pub private_alpn_chosen: *const ::core::ffi::c_char, @@ -21828,6 +22968,14 @@ unsafe extern "C" { /// Calling mbedtls_ssl_setup again is not supported, even /// if no session is active. /// + /// \warning After setting up a client context, if certificate-based + /// authentication is enabled, you should call + /// mbedtls_ssl_set_hostname() to specifiy the expected + /// name of the server. Without this, in most scenarios, + /// the TLS connection is insecure. See + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// for more information. + /// /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling /// psa_crypto_init() before calling this function. @@ -21931,18 +23079,16 @@ unsafe extern "C" { unsafe extern "C" { /// \brief Set the random number generator callback /// + /// \note The callback with its parameter must remain valid as + /// long as there is an SSL context that uses the + /// SSL configuration. + /// /// \param conf SSL configuration /// \param f_rng RNG function (mandatory) /// \param p_rng RNG parameter pub fn mbedtls_ssl_conf_rng( conf: *mut mbedtls_ssl_config, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ); } @@ -22045,10 +23191,10 @@ unsafe extern "C" { /// \param own_cid The address of the readable buffer holding the CID we want /// the peer to use when sending encrypted messages to us. /// This may be \c NULL if \p own_cid_len is \c 0. - /// This parameter is unused if \p enabled is set to + /// This parameter is unused if \p enable is set to /// MBEDTLS_SSL_CID_DISABLED. /// \param own_cid_len The length of \p own_cid. - /// This parameter is unused if \p enabled is set to + /// This parameter is unused if \p enable is set to /// MBEDTLS_SSL_CID_DISABLED. /// /// \note The value of \p own_cid_len must match the value of the @@ -22703,16 +23849,16 @@ unsafe extern "C" { /// a full handshake. /// /// \note This function can handle a variety of mechanisms for session - /// resumption: For TLS 1.2, both session ID-based resumption and - /// ticket-based resumption will be considered. For TLS 1.3, - /// once implemented, sessions equate to tickets, and loading - /// one or more sessions via this call will lead to their - /// corresponding tickets being advertised as resumption PSKs - /// by the client. - /// - /// \note Calling this function multiple times will only be useful - /// once TLS 1.3 is supported. For TLS 1.2 connections, this - /// function should be called at most once. + /// resumption: For TLS 1.2, both session ID-based resumption + /// and ticket-based resumption will be considered. For TLS 1.3, + /// sessions equate to tickets, and loading one session by + /// calling this function will lead to its corresponding ticket + /// being advertised as resumption PSK by the client. This + /// depends on session tickets being enabled (see + /// #MBEDTLS_SSL_SESSION_TICKETS configuration option) though. + /// If session tickets are disabled, a call to this function + /// with a TLS 1.3 session, will not have any effect on the next + /// handshake for the SSL context \p ssl. /// /// \param ssl The SSL context representing the connection which should /// be attempted to be setup using session resumption. This @@ -22727,9 +23873,10 @@ unsafe extern "C" { /// /// \return \c 0 if successful. /// \return \c MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the session - /// could not be loaded because of an implementation limitation. - /// This error is non-fatal, and has no observable effect on - /// the SSL context or the session that was attempted to be loaded. + /// could not be loaded because one session has already been + /// loaded. This error is non-fatal, and has no observable + /// effect on the SSL context or the session that was attempted + /// to be loaded. /// \return Another negative error code on other kinds of failure. /// /// \sa mbedtls_ssl_get_session() @@ -22787,8 +23934,8 @@ unsafe extern "C" { /// /// \param session The session structure to be saved. /// \param buf The buffer to write the serialized data to. It must be a - /// writeable buffer of at least \p len bytes, or may be \c - /// NULL if \p len is \c 0. + /// writeable buffer of at least \p buf_len bytes, or may be \c + /// NULL if \p buf_len is \c 0. /// \param buf_len The number of bytes available for writing in \p buf. /// \param olen The size in bytes of the data that has been or would have /// been written. It must point to a valid \c size_t. @@ -22798,8 +23945,16 @@ unsafe extern "C" { /// to determine the necessary size by calling this function /// with \p buf set to \c NULL and \p buf_len to \c 0. /// + /// \note For TLS 1.3 sessions, this feature is supported only if the + /// MBEDTLS_SSL_SESSION_TICKETS configuration option is enabled, + /// as in TLS 1.3 session resumption is possible only with + /// tickets. + /// /// \return \c 0 if successful. /// \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. + /// \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the + /// MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled + /// and the session is a TLS 1.3 session. pub fn mbedtls_ssl_session_save( session: *const mbedtls_ssl_session, buf: *mut ::core::ffi::c_uchar, @@ -22925,7 +24080,7 @@ unsafe extern "C" { /// record headers. /// /// \return \c 0 on success. - /// \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len + /// \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p len /// is too large. pub fn mbedtls_ssl_conf_cid( conf: *mut mbedtls_ssl_config, @@ -23252,6 +24407,8 @@ unsafe extern "C" { /// used for certificate signature are controlled by the /// verification profile, see \c mbedtls_ssl_conf_cert_profile(). /// + /// \deprecated Superseded by mbedtls_ssl_conf_sig_algs(). + /// /// \note This list should be ordered by decreasing preference /// (preferred hash first). /// @@ -23276,27 +24433,43 @@ unsafe extern "C" { ); } unsafe extern "C" { - /// \brief Configure allowed signature algorithms for use in TLS 1.3 + /// \brief Configure allowed signature algorithms for use in TLS /// /// \param conf The SSL configuration to use. /// \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms, - /// terminated by \c MBEDTLS_TLS1_3_SIG_NONE. The list must remain - /// available throughout the lifetime of the conf object. Supported - /// values are available as \c MBEDTLS_TLS1_3_SIG_XXXX + /// terminated by #MBEDTLS_TLS1_3_SIG_NONE. The list must remain + /// available throughout the lifetime of the conf object. + /// - For TLS 1.3, values of \c MBEDTLS_TLS1_3_SIG_XXXX should be + /// used. + /// - For TLS 1.2, values should be given as + /// "(HashAlgorithm << 8) | SignatureAlgorithm". pub fn mbedtls_ssl_conf_sig_algs(conf: *mut mbedtls_ssl_config, sig_algs: *const u16); } unsafe extern "C" { /// \brief Set or reset the hostname to check against the received - /// server certificate. It sets the ServerName TLS extension, - /// too, if that extension is enabled. (client-side only) + /// peer certificate. On a client, this also sets the + /// ServerName TLS extension, if that extension is enabled. + /// On a TLS 1.3 client, this also sets the server name in + /// the session resumption ticket, if that feature is enabled. /// /// \param ssl SSL context - /// \param hostname the server hostname, may be NULL to clear hostname - /// - /// \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN. - /// - /// \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on - /// allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on + /// \param hostname The server hostname. This may be \c NULL to clear + /// the hostname. + /// + /// \note Maximum hostname length #MBEDTLS_SSL_MAX_HOST_NAME_LEN. + /// + /// \note If the hostname is \c NULL on a client, then the server + /// is not authenticated: it only needs to have a valid + /// certificate, not a certificate matching its name. + /// Therefore you should always call this function on a client, + /// unless the connection is set up to only allow + /// pre-shared keys, or in scenarios where server + /// impersonation is not a concern. See the documentation of + /// #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /// for more details. + /// + /// \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on + /// allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on /// too long input hostname. /// /// Hostname set to the one provided on success (cleared @@ -23309,8 +24482,8 @@ unsafe extern "C" { } unsafe extern "C" { /// \brief Retrieve SNI extension value for the current handshake. - /// Available in \p f_cert_cb of \c mbedtls_ssl_conf_cert_cb(), - /// this is the same value passed to \p f_sni callback of + /// Available in \c f_cert_cb of \c mbedtls_ssl_conf_cert_cb(), + /// this is the same value passed to \c f_sni callback of /// \c mbedtls_ssl_conf_sni() and may be used instead of /// \c mbedtls_ssl_conf_sni(). /// @@ -23319,10 +24492,10 @@ unsafe extern "C" { /// 0 if SNI extension is not present or not yet processed. /// /// \return const pointer to SNI extension value. - /// - value is valid only when called in \p f_cert_cb + /// - value is valid only when called in \c f_cert_cb /// registered with \c mbedtls_ssl_conf_cert_cb(). /// - value is NULL if SNI extension is not present. - /// - value is not '\0'-terminated. Use \c name_len for len. + /// - value is not '\0'-terminated. Use \c name_len for len. /// - value must not be freed. pub fn mbedtls_ssl_get_hs_sni( ssl: *mut mbedtls_ssl_context, @@ -23572,6 +24745,10 @@ unsafe extern "C" { /// with \c mbedtls_ssl_read()), not handshake messages. /// With DTLS, this affects both ApplicationData and handshake. /// + /// \note Defragmentation of TLS handshake messages is supported + /// with some limitations. See the documentation of + /// mbedtls_ssl_handshake() for details. + /// /// \note This sets the maximum length for a record's payload, /// excluding record overhead that will be added to it, see /// \c mbedtls_ssl_get_record_expansion(). @@ -23605,19 +24782,48 @@ unsafe extern "C" { ); } unsafe extern "C" { - /// \brief Enable / Disable session tickets (client only). - /// (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.) + /// \brief Enable / Disable TLS 1.2 session tickets (client only, + /// TLS 1.2 only). Enabled by default. /// /// \note On server, use \c mbedtls_ssl_conf_session_tickets_cb(). /// /// \param conf SSL configuration - /// \param use_tickets Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or - /// MBEDTLS_SSL_SESSION_TICKETS_DISABLED) + /// \param use_tickets Enable or disable (#MBEDTLS_SSL_SESSION_TICKETS_ENABLED or + /// #MBEDTLS_SSL_SESSION_TICKETS_DISABLED) pub fn mbedtls_ssl_conf_session_tickets( conf: *mut mbedtls_ssl_config, use_tickets: ::core::ffi::c_int, ); } +unsafe extern "C" { + /// \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages + /// (client only, TLS 1.3 only). + /// + /// The handling of TLS 1.3 NewSessionTicket messages is disabled by + /// default. + /// + /// In TLS 1.3, servers may send a NewSessionTicket message at any time, + /// and may send multiple NewSessionTicket messages. By default, TLS 1.3 + /// clients ignore NewSessionTicket messages. + /// + /// To support session tickets in TLS 1.3 clients, call this function + /// with #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED. When + /// this is enabled, when a client receives a NewSessionTicket message, + /// the next call to a message processing functions (notably + /// mbedtls_ssl_handshake() and mbedtls_ssl_read()) will return + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET. The client should then + /// call mbedtls_ssl_get_session() to retrieve the session ticket before + /// calling the same message processing function again. + /// + /// \param conf SSL configuration + /// \param signal_new_session_tickets Enable or disable + /// (#MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED or + /// #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED) + pub fn mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( + conf: *mut mbedtls_ssl_config, + signal_new_session_tickets: ::core::ffi::c_int, + ); +} unsafe extern "C" { /// \brief Number of NewSessionTicket messages for the server to send /// after handshake completion. @@ -23946,29 +25152,22 @@ unsafe extern "C" { /// \param ssl The SSL context representing the connection for which to /// to export a session structure for later resumption. /// \param session The target structure in which to store the exported session. - /// This must have been initialized with mbedtls_ssl_init_session() + /// This must have been initialized with mbedtls_ssl_session_init() /// but otherwise be unused. /// /// \note This function can handle a variety of mechanisms for session /// resumption: For TLS 1.2, both session ID-based resumption and /// ticket-based resumption will be considered. For TLS 1.3, - /// once implemented, sessions equate to tickets, and calling - /// this function multiple times will export the available - /// tickets one a time until no further tickets are available, - /// in which case MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE will - /// be returned. - /// - /// \note Calling this function multiple times will only be useful - /// once TLS 1.3 is supported. For TLS 1.2 connections, this - /// function should be called at most once. + /// sessions equate to tickets, and if session tickets are + /// enabled (see #MBEDTLS_SSL_SESSION_TICKETS configuration + /// option), this function exports the last received ticket and + /// the exported session may be used to resume the TLS 1.3 + /// session. If session tickets are disabled, exported sessions + /// cannot be used to resume a TLS 1.3 session. /// /// \return \c 0 if successful. In this case, \p session can be used for /// session resumption by passing it to mbedtls_ssl_set_session(), /// and serialized for storage via mbedtls_ssl_session_save(). - /// \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no further session - /// is available for export. - /// This error is a non-fatal, and has no observable effect on - /// the SSL context or the destination session. /// \return Another negative error code on other kinds of failure. /// /// \sa mbedtls_ssl_set_session() @@ -24000,6 +25199,17 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use /// and the client did not demonstrate reachability yet - in /// this case you must stop using the context (see below). + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. See the + /// documentation of mbedtls_ssl_read() for more information + /// about this error code. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24008,7 +25218,9 @@ unsafe extern "C" { /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24028,10 +25240,31 @@ unsafe extern "C" { /// currently being processed might or might not contain further /// DTLS records. /// - /// \note If the context is configured to allow TLS 1.3, or if - /// #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling /// psa_crypto_init() before calling this function. + /// Otherwise, the handshake may call psa_crypto_init() + /// if a negotiation involving TLS 1.3 takes place (this may + /// be the case even if TLS 1.3 is offered but eventually + /// not selected). + /// + /// \note In TLS, reception of fragmented handshake messages is + /// supported with some limitations (those limitations do + /// not apply to DTLS, where defragmentation is fully + /// supported): + /// - On an Mbed TLS server that only accepts TLS 1.2, + /// the initial ClientHello message must not be fragmented. + /// A TLS 1.2 ClientHello may be fragmented if the server + /// also accepts TLS 1.3 connections (meaning + /// that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the + /// accepted versions have not been restricted with + /// mbedtls_ssl_conf_max_tls_version() or the like). + /// - The first fragment of a handshake message must be + /// at least 4 bytes long. + /// - Non-handshake records must not be interleaved between + /// the fragments of a handshake message. (This is permitted + /// in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it + /// even in TLS 1.2.) pub fn mbedtls_ssl_handshake(ssl: *mut mbedtls_ssl_context) -> ::core::ffi::c_int; } unsafe extern "C" { @@ -24060,8 +25293,10 @@ unsafe extern "C" { /// /// \warning If this function returns something other than \c 0, /// #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, - /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using + /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using /// the SSL context for reading or writing, and either free it /// or call \c mbedtls_ssl_session_reset() on it before /// re-using it for a new connection; the current connection @@ -24124,6 +25359,24 @@ unsafe extern "C" { /// \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server /// side of a DTLS connection and the client is initiating a /// new connection using the same source port. See below. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. + /// This error code is only returned on the client side. It is + /// only returned if handling of TLS 1.3 NewSessionTicket + /// messages has been enabled through + /// mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(). + /// This error code indicates that a TLS 1.3 NewSessionTicket + /// message has been received and parsed successfully by the + /// client. The ticket data can be retrieved from the SSL + /// context by calling mbedtls_ssl_get_session(). It remains + /// available until the next call to mbedtls_ssl_read(). + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24132,8 +25385,10 @@ unsafe extern "C" { /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CLIENT_RECONNECT, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24200,6 +25455,17 @@ unsafe extern "C" { /// operation is in progress (see mbedtls_ecp_set_max_ops()) - /// in this case you must call this function again to complete /// the handshake when you're done attending other tasks. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + /// NewSessionTicket message has been received. See the + /// documentation of mbedtls_ssl_read() for more information + /// about this error code. + /// \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + /// defined in RFC 8446 (TLS 1.3 specification), has been + /// received as part of the handshake. This is server specific + /// and may occur only if the early data feature has been + /// enabled on server (see mbedtls_ssl_conf_early_data() + /// documentation). You must call mbedtls_ssl_read_early_data() + /// to read the early data before resuming the handshake. /// \return Another SSL error code - in this case you must stop using /// the context (see below). /// @@ -24207,8 +25473,10 @@ unsafe extern "C" { /// a non-negative value, /// #MBEDTLS_ERR_SSL_WANT_READ, /// #MBEDTLS_ERR_SSL_WANT_WRITE, - /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + /// #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + /// #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or + /// #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, /// you must stop using the SSL context for reading or writing, /// and either free it or call \c mbedtls_ssl_session_reset() /// on it before re-using it for a new connection; the current @@ -24449,381 +25717,64 @@ unsafe extern "C" { /// \brief Free an SSL configuration context /// /// \param conf SSL configuration context - pub fn mbedtls_ssl_config_free(conf: *mut mbedtls_ssl_config); -} -unsafe extern "C" { - /// \brief Initialize SSL session structure - /// - /// \param session SSL session - pub fn mbedtls_ssl_session_init(session: *mut mbedtls_ssl_session); -} -unsafe extern "C" { - /// \brief Free referenced items in an SSL session including the - /// peer certificate and clear memory - /// - /// \note A session object can be freed even if the SSL context - /// that was used to retrieve the session is still in use. - /// - /// \param session SSL session - pub fn mbedtls_ssl_session_free(session: *mut mbedtls_ssl_session); -} -unsafe extern "C" { - /// \brief TLS-PRF function for key derivation. - /// - /// \param prf The tls_prf type function type to be used. - /// \param secret Secret for the key derivation function. - /// \param slen Length of the secret. - /// \param label String label for the key derivation function, - /// terminated with null character. - /// \param random Random bytes. - /// \param rlen Length of the random bytes buffer. - /// \param dstbuf The buffer holding the derived key. - /// \param dlen Length of the output buffer. - /// - /// \return 0 on success. An SSL specific error on failure. - pub fn mbedtls_ssl_tls_prf( - prf: mbedtls_tls_prf_types, - secret: *const ::core::ffi::c_uchar, - slen: usize, - label: *const ::core::ffi::c_char, - random: *const ::core::ffi::c_uchar, - rlen: usize, - dstbuf: *mut ::core::ffi::c_uchar, - dlen: usize, - ) -> ::core::ffi::c_int; -} -unsafe extern "C" { - /// \brief Set the threshold error level to handle globally all debug output. - /// Debug messages that have a level over the threshold value are - /// discarded. - /// (Default value: 0 = No debug ) - /// - /// \param threshold threshold level of messages to filter on. Messages at a - /// higher level will be discarded. - /// - Debug levels - /// - 0 No debug - /// - 1 Error - /// - 2 State change - /// - 3 Informational - /// - 4 Verbose - pub fn mbedtls_debug_set_threshold(threshold: ::core::ffi::c_int); -} -unsafe extern "C" { - /// \brief Print a message to the debug output. This function is always used - /// through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl - /// context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the message has occurred in - /// \param line line number the message has occurred at - /// \param format format specifier, in printf format - /// \param ... variables used by the format specifier - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_msg( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - format: *const ::core::ffi::c_char, - ... - ); -} -unsafe extern "C" { - /// \brief Print the return value of a function to the debug output. This - /// function is always used through the MBEDTLS_SSL_DEBUG_RET() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text the name of the function that returned the error - /// \param ret the return code value - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_ret( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - ret: ::core::ffi::c_int, - ); -} -unsafe extern "C" { - /// \brief Output a buffer of size len bytes to the debug output. This function - /// is always used through the MBEDTLS_SSL_DEBUG_BUF() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the buffer being dumped. Normally the - /// variable or buffer name - /// \param buf the buffer to be outputted - /// \param len length of the buffer - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_buf( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - buf: *const ::core::ffi::c_uchar, - len: usize, - ); -} -unsafe extern "C" { - /// \brief Print a MPI variable to the debug output. This function is always - /// used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the - /// ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the MPI being output. Normally the - /// variable name - /// \param X the MPI variable - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_mpi( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - X: *const mbedtls_mpi, - ); -} -unsafe extern "C" { - /// \brief Print an ECP point to the debug output. This function is always - /// used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the - /// ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the ECP point being output. Normally the - /// variable name - /// \param X the ECP point - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_ecp( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - X: *const mbedtls_ecp_point, - ); -} -unsafe extern "C" { - /// \brief Print a X.509 certificate structure to the debug output. This - /// function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro, - /// which supplies the ssl context, file and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param text a name or label for the certificate being output - /// \param crt X.509 certificate structure - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_print_crt( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - text: *const ::core::ffi::c_char, - crt: *const mbedtls_x509_crt, - ); -} -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_Q: mbedtls_debug_ecdh_attr = 0; -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_QP: mbedtls_debug_ecdh_attr = 1; -pub const mbedtls_debug_ecdh_attr_MBEDTLS_DEBUG_ECDH_Z: mbedtls_debug_ecdh_attr = 2; -pub type mbedtls_debug_ecdh_attr = ::core::ffi::c_uint; -unsafe extern "C" { - /// \brief Print a field of the ECDH structure in the SSL context to the debug - /// output. This function is always used through the - /// MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file - /// and line number parameters. - /// - /// \param ssl SSL context - /// \param level error level of the debug message - /// \param file file the error has occurred in - /// \param line line number the error has occurred in - /// \param ecdh the ECDH context - /// \param attr the identifier of the attribute being output - /// - /// \attention This function is intended for INTERNAL usage within the - /// library only. - pub fn mbedtls_debug_printf_ecdh( - ssl: *const mbedtls_ssl_context, - level: ::core::ffi::c_int, - file: *const ::core::ffi::c_char, - line: ::core::ffi::c_int, - ecdh: *const mbedtls_ecdh_context, - attr: mbedtls_debug_ecdh_attr, - ); -} -/// \brief Entropy poll callback pointer -/// -/// \param data Callback-specific data pointer -/// \param output Data to fill -/// \param len Maximum size to provide -/// \param olen The actual amount of bytes put into the buffer (Can be 0) -/// -/// \return 0 if no critical failures occurred, -/// MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise -pub type mbedtls_entropy_f_source_ptr = ::core::option::Option< - unsafe extern "C" fn( - data: *mut ::core::ffi::c_void, - output: *mut ::core::ffi::c_uchar, - len: usize, - olen: *mut usize, - ) -> ::core::ffi::c_int, ->; -/// \brief Entropy source state -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_entropy_source_state { - ///< The entropy source callback - pub private_f_source: mbedtls_entropy_f_source_ptr, - ///< The callback data pointer - pub private_p_source: *mut ::core::ffi::c_void, - ///< Amount received in bytes - pub private_size: usize, - ///< Minimum bytes required before release - pub private_threshold: usize, - ///< Is the source strong? - pub private_strong: ::core::ffi::c_int, -} -impl Default for mbedtls_entropy_source_state { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -/// \brief Entropy context structure -#[repr(C)] -#[repr(align(16))] -#[derive(Copy, Clone)] -pub struct mbedtls_entropy_context { - pub private_accumulator_started: ::core::ffi::c_int, - pub __bindgen_padding_0: u64, - pub private_accumulator: mbedtls_sha512_context, - pub private_source_count: ::core::ffi::c_int, - pub private_source: [mbedtls_entropy_source_state; 20usize], -} -impl Default for mbedtls_entropy_context { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} -unsafe extern "C" { - /// \brief Initialize the context - /// - /// \param ctx Entropy context to initialize - pub fn mbedtls_entropy_init(ctx: *mut mbedtls_entropy_context); -} -unsafe extern "C" { - /// \brief Free the data in the context - /// - /// \param ctx Entropy context to free - pub fn mbedtls_entropy_free(ctx: *mut mbedtls_entropy_context); -} -unsafe extern "C" { - /// \brief Adds an entropy source to poll - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) - /// - /// \param ctx Entropy context - /// \param f_source Entropy function - /// \param p_source Function data - /// \param threshold Minimum required from source before entropy is released - /// ( with mbedtls_entropy_func() ) (in bytes) - /// \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or - /// MBEDTLS_ENTROPY_SOURCE_WEAK. - /// At least one strong source needs to be added. - /// Weaker sources (such as the cycle counter) can be used as - /// a complement. - /// - /// \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES - pub fn mbedtls_entropy_add_source( - ctx: *mut mbedtls_entropy_context, - f_source: mbedtls_entropy_f_source_ptr, - p_source: *mut ::core::ffi::c_void, - threshold: usize, - strong: ::core::ffi::c_int, - ) -> ::core::ffi::c_int; + pub fn mbedtls_ssl_config_free(conf: *mut mbedtls_ssl_config); } unsafe extern "C" { - /// \brief Trigger an extra gather poll for the accumulator - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) - /// - /// \param ctx Entropy context + /// \brief Initialize SSL session structure /// - /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED - pub fn mbedtls_entropy_gather(ctx: *mut mbedtls_entropy_context) -> ::core::ffi::c_int; + /// \param session SSL session + pub fn mbedtls_ssl_session_init(session: *mut mbedtls_ssl_session); } unsafe extern "C" { - /// \brief Retrieve entropy from the accumulator - /// (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE) - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) + /// \brief Free referenced items in an SSL session including the + /// peer certificate and clear memory /// - /// \param data Entropy context - /// \param output Buffer to fill - /// \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE + /// \note A session object can be freed even if the SSL context + /// that was used to retrieve the session is still in use. /// - /// \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED - pub fn mbedtls_entropy_func( - data: *mut ::core::ffi::c_void, - output: *mut ::core::ffi::c_uchar, - len: usize, - ) -> ::core::ffi::c_int; + /// \param session SSL session + pub fn mbedtls_ssl_session_free(session: *mut mbedtls_ssl_session); } unsafe extern "C" { - /// \brief Add data to the accumulator manually - /// (Thread-safe if MBEDTLS_THREADING_C is enabled) + /// \brief TLS-PRF function for key derivation. /// - /// \param ctx Entropy context - /// \param data Data to add - /// \param len Length of data + /// \param prf The tls_prf type function type to be used. + /// \param secret Secret for the key derivation function. + /// \param slen Length of the secret. + /// \param label String label for the key derivation function, + /// terminated with null character. + /// \param random Random bytes. + /// \param rlen Length of the random bytes buffer. + /// \param dstbuf The buffer holding the derived key. + /// \param dlen Length of the output buffer. /// - /// \return 0 if successful - pub fn mbedtls_entropy_update_manual( - ctx: *mut mbedtls_entropy_context, - data: *const ::core::ffi::c_uchar, - len: usize, + /// \return 0 on success. An SSL specific error on failure. + pub fn mbedtls_ssl_tls_prf( + prf: mbedtls_tls_prf_types, + secret: *const ::core::ffi::c_uchar, + slen: usize, + label: *const ::core::ffi::c_char, + random: *const ::core::ffi::c_uchar, + rlen: usize, + dstbuf: *mut ::core::ffi::c_uchar, + dlen: usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { - /// \brief Checkup routine - /// - /// This module self-test also calls the entropy self-test, - /// mbedtls_entropy_source_self_test(); + /// \brief Set the threshold error level to handle globally all debug output. + /// Debug messages that have a level over the threshold value are + /// discarded. + /// (Default value: 0 = No debug ) /// - /// \return 0 if successful, or 1 if a test failed - pub fn mbedtls_entropy_self_test(verbose: ::core::ffi::c_int) -> ::core::ffi::c_int; + /// \param threshold threshold level of messages to filter on. Messages at a + /// higher level will be discarded. + /// - Debug levels + /// - 0 No debug + /// - 1 Error + /// - 2 State change + /// - 3 Informational + /// - 4 Verbose + pub fn mbedtls_debug_set_threshold(threshold: ::core::ffi::c_int); } unsafe extern "C" { /// \brief This is the HMAC-based Extract-and-Expand Key Derivation Function @@ -24992,8 +25943,8 @@ unsafe extern "C" { /// \param len The length of the personalization string. /// This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT /// and also at most - /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2 - /// where \p entropy_len is the entropy length + /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len * 3 / 2 + /// where \c entropy_len is the entropy length /// described above. /// /// \return \c 0 if successful. @@ -25118,8 +26069,8 @@ unsafe extern "C" { /// \param len The length of the additional data. /// This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT /// and also at most - /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len - /// where \p entropy_len is the entropy length + /// #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len + /// where \c entropy_len is the entropy length /// (see mbedtls_hmac_drbg_set_entropy_len()). /// /// \return \c 0 if successful. @@ -25602,6 +26553,28 @@ unsafe extern "C" { oid: *const mbedtls_asn1_buf, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Translate a string containing a dotted-decimal + /// representation of an ASN.1 OID into its encoded form + /// (e.g. "1.2.840.113549" into "\x2A\x86\x48\x86\xF7\x0D"). + /// On success, this function allocates oid->buf from the + /// heap. It must be freed by the caller using mbedtls_free(). + /// + /// \param oid #mbedtls_asn1_buf to populate with the DER-encoded OID + /// \param oid_str string representation of the OID to parse + /// \param size length of the OID string, not including any null terminator + /// + /// \return 0 if successful + /// \return #MBEDTLS_ERR_ASN1_INVALID_DATA if \p oid_str does not + /// represent a valid OID + /// \return #MBEDTLS_ERR_ASN1_ALLOC_FAILED if the function fails to + /// allocate oid->buf + pub fn mbedtls_oid_from_numeric_string( + oid: *mut mbedtls_asn1_buf, + oid_str: *const ::core::ffi::c_char, + size: usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Translate an X.509 extension OID into local values /// @@ -25679,6 +26652,34 @@ unsafe extern "C" { olen: *mut usize, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief Translate AlgorithmIdentifier OID into an EC group identifier, + /// for curves that are directly encoded at this level + /// + /// \param oid OID to use + /// \param grp_id place to store group id + /// + /// \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + pub fn mbedtls_oid_get_ec_grp_algid( + oid: *const mbedtls_asn1_buf, + grp_id: *mut mbedtls_ecp_group_id, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief Translate EC group identifier into AlgorithmIdentifier OID, + /// for curves that are directly encoded at this level + /// + /// \param grp_id EC group identifier + /// \param oid place to store ASN.1 OID string pointer + /// \param olen length of the OID + /// + /// \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + pub fn mbedtls_oid_get_oid_by_ec_grp_algid( + grp_id: mbedtls_ecp_group_id, + oid: *mut *const ::core::ffi::c_char, + olen: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Translate SignatureAlgorithm OID into md_type and pk_type /// @@ -25846,11 +26847,11 @@ unsafe extern "C" { /// \param data source data to look in (must be nul-terminated) /// \param pwd password for decryption (can be NULL) /// \param pwdlen length of password - /// \param use_len destination for total length used (set after header is - /// correctly read, so unless you get + /// \param use_len destination for total length used from data buffer. It is + /// set after header is correctly read, so unless you get /// MBEDTLS_ERR_PEM_BAD_INPUT_DATA or /// MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is - /// the length to skip) + /// the length to skip. /// /// \note Attempts to check password correctness by verifying if /// the decrypted text starts with an ASN.1 sequence of @@ -25915,13 +26916,40 @@ unsafe extern "C" { unsafe extern "C" { /// \brief PKCS#5 PBES2 function /// + /// \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must + /// be enabled at compile time. + /// + /// \deprecated This function is deprecated and will be removed in a + /// future version of the library. + /// Please use mbedtls_pkcs5_pbes2_ext() instead. + /// + /// \warning When decrypting: + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile + /// time, this function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile + /// time, this function does not validate the CBC padding. + /// /// \param pbe_params the ASN.1 algorithm parameters - /// \param mode either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT + /// \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT /// \param pwd password to use when generating key /// \param pwdlen length of password /// \param data data to process /// \param datalen length of data - /// \param output output buffer + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p datalen + /// bytes. + /// For encryption, there must be enough room for + /// \p datalen + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. /// /// \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails. pub fn mbedtls_pkcs5_pbes2( @@ -25934,6 +26962,50 @@ unsafe extern "C" { output: *mut ::core::ffi::c_uchar, ) -> ::core::ffi::c_int; } +unsafe extern "C" { + /// \brief PKCS#5 PBES2 function + /// + /// \warning When decrypting: + /// - This function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// + /// \param pbe_params the ASN.1 algorithm parameters + /// \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT + /// \param pwd password to use when generating key + /// \param pwdlen length of password + /// \param data data to process + /// \param datalen length of data + /// \param output Output buffer. + /// On success, it contains the decrypted data. + /// On failure, the content is indetermidate. + /// For decryption, there must be enough room for \p datalen + /// bytes. + /// For encryption, there must be enough room for + /// \p datalen + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. + /// \param output_size size of output buffer. + /// This must be big enough to accommodate for output plus + /// padding data. + /// \param output_len On success, length of actual data written to the output buffer. + /// + /// \returns 0 on success, or a MBEDTLS_ERR_XXX code if parsing or decryption fails. + pub fn mbedtls_pkcs5_pbes2_ext( + pbe_params: *const mbedtls_asn1_buf, + mode: ::core::ffi::c_int, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + data: *const ::core::ffi::c_uchar, + datalen: usize, + output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_len: *mut usize, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief PKCS#5 PBKDF2 using HMAC without using the HMAC context /// @@ -26165,6 +27237,25 @@ unsafe extern "C" { /// \brief PKCS12 Password Based function (encryption / decryption) /// for cipher-based and mbedtls_md-based PBE's /// + /// \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must + /// be enabled at compile time. + /// + /// \deprecated This function is deprecated and will be removed in a + /// future version of the library. + /// Please use mbedtls_pkcs12_pbe_ext() instead. + /// + /// \warning When decrypting: + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile + /// time, this function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile + /// time, this function does not validate the CBC padding. + /// /// \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure /// \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or /// #MBEDTLS_PKCS12_PBE_DECRYPT @@ -26173,9 +27264,17 @@ unsafe extern "C" { /// \param pwd Latin1-encoded password used. This may only be \c NULL when /// \p pwdlen is 0. No null terminator should be used. /// \param pwdlen length of the password (may be 0) - /// \param input the input data + /// \param data the input data /// \param len data length - /// \param output the output buffer + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p len + /// bytes. + /// For encryption, there must be enough room for + /// \p len + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. /// /// \return 0 if successful, or a MBEDTLS_ERR_XXX code pub fn mbedtls_pkcs12_pbe( @@ -26185,9 +27284,62 @@ unsafe extern "C" { md_type: mbedtls_md_type_t, pwd: *const ::core::ffi::c_uchar, pwdlen: usize, - input: *const ::core::ffi::c_uchar, + data: *const ::core::ffi::c_uchar, + len: usize, + output: *mut ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int; +} +unsafe extern "C" { + /// \brief PKCS12 Password Based function (encryption / decryption) + /// for cipher-based and mbedtls_md-based PBE's + /// + /// + /// \warning When decrypting: + /// - This function validates the CBC padding and returns + /// #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is + /// invalid. Note that this can help active adversaries + /// attempting to brute-forcing the password. Note also that + /// there is no guarantee that an invalid password will be + /// detected (the chances of a valid padding with a random + /// password are about 1/255). + /// + /// \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure + /// \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or + /// #MBEDTLS_PKCS12_PBE_DECRYPT + /// \param cipher_type the cipher used + /// \param md_type the mbedtls_md used + /// \param pwd Latin1-encoded password used. This may only be \c NULL when + /// \p pwdlen is 0. No null terminator should be used. + /// \param pwdlen length of the password (may be 0) + /// \param data the input data + /// \param len data length + /// \param output Output buffer. + /// On success, it contains the encrypted or decrypted data, + /// possibly followed by the CBC padding. + /// On failure, the content is indeterminate. + /// For decryption, there must be enough room for \p len + /// bytes. + /// For encryption, there must be enough room for + /// \p len + 1 bytes, rounded up to the block size of + /// the block cipher identified by \p pbe_params. + /// \param output_size size of output buffer. + /// This must be big enough to accommodate for output plus + /// padding data. + /// \param output_len On success, length of actual data written to the output buffer. + /// + /// \return 0 if successful, or a MBEDTLS_ERR_XXX code + pub fn mbedtls_pkcs12_pbe_ext( + pbe_params: *mut mbedtls_asn1_buf, + mode: ::core::ffi::c_int, + cipher_type: mbedtls_cipher_type_t, + md_type: mbedtls_md_type_t, + pwd: *const ::core::ffi::c_uchar, + pwdlen: usize, + data: *const ::core::ffi::c_uchar, len: usize, output: *mut ::core::ffi::c_uchar, + output_size: usize, + output_len: *mut usize, ) -> ::core::ffi::c_int; } unsafe extern "C" { @@ -26286,6 +27438,11 @@ unsafe extern "C" { /// \param session_id_len The length of \p session_id in bytes. /// \param session The address at which to store the session /// associated with \p session_id, if present. + /// + /// \return \c 0 on success. + /// \return #MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND if there is + /// no cache entry with specified session ID found, or + /// any other negative error code for other failures. pub fn mbedtls_ssl_cache_get( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26302,6 +27459,9 @@ unsafe extern "C" { /// associated to \p session. /// \param session_id_len The length of \p session_id in bytes. /// \param session The session to store. + /// + /// \return \c 0 on success. + /// \return A negative error code on failure. pub fn mbedtls_ssl_cache_set( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26315,12 +27475,13 @@ unsafe extern "C" { /// /// \param data The SSL cache context to use. /// \param session_id The pointer to the buffer holding the session ID - /// associated to \p session. + /// associated to session. /// \param session_id_len The length of \p session_id in bytes. /// - /// \return 0: The cache entry for session with provided ID - /// is removed or does not exist. - /// Otherwise: fail. + /// \return \c 0 on success. This indicates the cache entry for + /// the session with provided ID is removed or does not + /// exist. + /// \return A negative error code on failure. pub fn mbedtls_ssl_cache_remove( data: *mut ::core::ffi::c_void, session_id: *const ::core::ffi::c_uchar, @@ -26373,13 +27534,7 @@ unsafe extern "C" { /// \brief Setup cookie context (generate keys) pub fn mbedtls_ssl_cookie_setup( ctx: *mut mbedtls_ssl_cookie_ctx, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -26425,6 +27580,9 @@ unsafe extern "C" { #[derive(Copy, Clone)] pub struct mbedtls_ssl_ticket_key { pub private_name: [::core::ffi::c_uchar; 4usize], + /// Lifetime of the key in seconds. This is also the lifetime of the + /// tickets created under that key. + pub private_lifetime: u32, ///< context for auth enc/decryption pub private_ctx: mbedtls_cipher_context_t, } @@ -26480,7 +27638,9 @@ unsafe extern "C" { /// /// \param ctx Context to be set up /// \param f_rng RNG callback function (mandatory) - /// \param p_rng RNG callback context + /// \param p_rng RNG callback context. + /// Note that the RNG callback must remain valid + /// until the ticket context is freed. /// \param cipher AEAD cipher to use for ticket protection. /// Recommended value: MBEDTLS_CIPHER_AES_256_GCM. /// \param lifetime Tickets lifetime in seconds @@ -26490,21 +27650,21 @@ unsafe extern "C" { /// least as strong as the strongest ciphersuite /// supported. Usually that means a 256-bit key. /// - /// \note The lifetime of the keys is twice the lifetime of tickets. - /// It is recommended to pick a reasonable lifetime so as not + /// \note It is recommended to pick a reasonable lifetime so as not /// to negate the benefits of forward secrecy. /// + /// \note The TLS 1.3 specification states that ticket lifetime must + /// be smaller than seven days. If ticket lifetime has been + /// set to a value greater than seven days in this module then + /// if the TLS 1.3 is configured to send tickets after the + /// handshake it will fail the connection when trying to send + /// the first ticket. + /// /// \return 0 if successful, /// or a specific MBEDTLS_ERR_XXX error code pub fn mbedtls_ssl_ticket_setup( ctx: *mut mbedtls_ssl_ticket_context, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, cipher: mbedtls_cipher_type_t, lifetime: u32, @@ -26535,10 +27695,16 @@ unsafe extern "C" { /// \note \c klength must be sufficient for use by cipher specified /// to \c mbedtls_ssl_ticket_setup /// - /// \note The lifetime of the keys is twice the lifetime of tickets. - /// It is recommended to pick a reasonable lifetime so as not + /// \note It is recommended to pick a reasonable lifetime so as not /// to negate the benefits of forward secrecy. /// + /// \note The TLS 1.3 specification states that ticket lifetime must + /// be smaller than seven days. If ticket lifetime has been + /// set to a value greater than seven days in this module then + /// if the TLS 1.3 is configured to send tickets after the + /// handshake it will fail the connection when trying to send + /// the first ticket. + /// /// \return 0 if successful, /// or a specific MBEDTLS_ERR_XXX error code pub fn mbedtls_ssl_ticket_rotate( @@ -26604,7 +27770,7 @@ pub struct mbedtls_x509_csr { pub key_usage: ::core::ffi::c_uint, ///< Optional Netscape certificate type extension value: See the values in x509.h pub ns_cert_type: ::core::ffi::c_uchar, - ///< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). + ///< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. pub subject_alt_names: mbedtls_x509_sequence, ///< Bit string containing detected and parsed extensions pub private_ext_types: ::core::ffi::c_int, @@ -26644,25 +27810,12 @@ impl Default for mbedtls_x509write_csr { } } } -#[repr(C)] -#[derive(Copy, Clone)] -pub struct mbedtls_x509_san_list { - pub node: mbedtls_x509_subject_alternative_name, - pub next: *mut mbedtls_x509_san_list, -} -impl Default for mbedtls_x509_san_list { - fn default() -> Self { - let mut s = ::core::mem::MaybeUninit::::uninit(); - unsafe { - ::core::ptr::write_bytes(s.as_mut_ptr(), 0, 1); - s.assume_init() - } - } -} unsafe extern "C" { /// \brief Load a Certificate Signing Request (CSR) in DER format /// - /// \note CSR attributes (if any) are currently silently ignored. + /// \note Any unsupported requested extensions are silently + /// ignored, unless the critical flag is set, in which case + /// the CSR is rejected. /// /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto /// subsystem must have been initialized by calling @@ -26679,6 +27832,70 @@ unsafe extern "C" { buflen: usize, ) -> ::core::ffi::c_int; } +/// \brief The type of certificate extension callbacks. +/// +/// Callbacks of this type are passed to and used by the +/// mbedtls_x509_csr_parse_der_with_ext_cb() routine when +/// it encounters either an unsupported extension. +/// Future versions of the library may invoke the callback +/// in other cases, if and when the need arises. +/// +/// \param p_ctx An opaque context passed to the callback. +/// \param csr The CSR being parsed. +/// \param oid The OID of the extension. +/// \param critical Whether the extension is critical. +/// \param p Pointer to the start of the extension value +/// (the content of the OCTET STRING). +/// \param end End of extension value. +/// +/// \note The callback must fail and return a negative error code +/// if it can not parse or does not support the extension. +/// When the callback fails to parse a critical extension +/// mbedtls_x509_csr_parse_der_with_ext_cb() also fails. +/// When the callback fails to parse a non critical extension +/// mbedtls_x509_csr_parse_der_with_ext_cb() simply skips +/// the extension and continues parsing. +/// +/// \return \c 0 on success. +/// \return A negative error code on failure. +pub type mbedtls_x509_csr_ext_cb_t = ::core::option::Option< + unsafe extern "C" fn( + p_ctx: *mut ::core::ffi::c_void, + csr: *const mbedtls_x509_csr, + oid: *const mbedtls_x509_buf, + critical: ::core::ffi::c_int, + p: *const ::core::ffi::c_uchar, + end: *const ::core::ffi::c_uchar, + ) -> ::core::ffi::c_int, +>; +unsafe extern "C" { + /// \brief Load a Certificate Signing Request (CSR) in DER format + /// + /// \note Any unsupported requested extensions are silently + /// ignored, unless the critical flag is set, in which case + /// the result of the callback function decides whether + /// CSR is rejected. + /// + /// \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + /// subsystem must have been initialized by calling + /// psa_crypto_init() before calling this function. + /// + /// \param csr CSR context to fill + /// \param buf buffer holding the CRL data + /// \param buflen size of the buffer + /// \param cb A callback invoked for every unsupported certificate + /// extension. + /// \param p_ctx An opaque context passed to the callback. + /// + /// \return 0 if successful, or a specific X509 error code + pub fn mbedtls_x509_csr_parse_der_with_ext_cb( + csr: *mut mbedtls_x509_csr, + buf: *const ::core::ffi::c_uchar, + buflen: usize, + cb: mbedtls_x509_csr_ext_cb_t, + p_ctx: *mut ::core::ffi::c_void, + ) -> ::core::ffi::c_int; +} unsafe extern "C" { /// \brief Load a Certificate Signing Request (CSR), DER or PEM format /// @@ -26740,7 +27957,7 @@ unsafe extern "C" { /// \brief Set the subject name for a CSR /// Subject names should contain a comma-separated list /// of OID types and values: - /// e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" + /// e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1" /// /// \param ctx CSR context to use /// \param subject_name subject name to set @@ -26871,13 +28088,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_csr, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; } @@ -26898,13 +28109,7 @@ unsafe extern "C" { ctx: *mut mbedtls_x509write_csr, buf: *mut ::core::ffi::c_uchar, size: usize, - f_rng: ::core::option::Option< - unsafe extern "C" fn( - arg1: *mut ::core::ffi::c_void, - arg2: *mut ::core::ffi::c_uchar, - arg3: usize, - ) -> ::core::ffi::c_int, - >, + f_rng: mbedtls_f_rng_t, p_rng: *mut ::core::ffi::c_void, ) -> ::core::ffi::c_int; }