Use m for the bit size of the field order, not q which is
traditionally the field order.
Correct and clarify the private key representation format as has been
done for the private key and ECDH shared secret formats.
The endianness actually depends on the curve type.
Correct the terminology around "curve size" and "order of the curve".
I tried to find a formulation that is comprehensible to programmers
who do not know the underlying mathematics, but nonetheless correct
and precise.
Use similar terminology in other places that were using "order of the
curve" to describe the bit size associated with the curve.
psa_key_derivation requires the caller to specify a maximum capacity.
This commit adds a special value that indicates that the maximum
capacity should be the maximum supported by the algorithm. This is
currently meant only for selection algorithms used on the shared
secret produced by a key agreement.
A key selection algorithm is similar to a key derivation algorithm in
that it takes a secret input and produces a secret output stream.
However, unlike key derivation algorithms, there is no expectation
that the input cannot be reconstructed from the output. Key selection
algorithms are exclusively meant to be used on the output of a key
agreement algorithm to select chunks of the shared secret.
Change the import/export format of private elliptic curve keys from
RFC 5915 to the raw secret value. This commit updates the format
specification and the import code, but not the export code.
Add extern "C" wrappers around type and function declarations to enable C++
interoperability of the driver header. This is done so that the driver
functions and types can be used or implmented by C++ code.
Convert PSA Crypto driver model structs to typedefs so that the `struct`
name doesn't need to be used and for consistent style with other PSA
structures.
The file crypto_driver.h was not using the header guard style as other PSA
Crypto header files. Remove the `__` prefix and suffix. Use C-style
comments for the end-of-guard comment.
The driver model's "encrypt or decrypt" type, encrypt_or_decrypt_t, is
publicly exposed and needs to have a `psa_` prefix in order to properly
communicate that it is part of the PSA driver model.
The `pcd_` prefix is ambiguous and does not make it clear that the types
and symbols are standardized by PSA. Replace `pcd_` with a prefix that can
be shared with all PSA drivers, `psa_drv_`.
"Driver APIs" can be interpreted to mean APIs used when you want to write a
driver, not the set of functions you implement to make a driver. See
https://www.kernel.org/doc/html/latest/driver-api/index.html "The kernel
offers a wide variety of interfaces to support the development of device
drivers."
As such, we are renaming "Driver API" to "Driver Model" and updating our
work so far to reflect this change.
Add comments noting that the maximum length of a MAC must fit in
PSA_ALG_MAC_TRUNCATION_MASK. Add a unit test that verifies that the
maximum MAC size fits.
None of the currently defined MAC algorithms have a MAC size that
depends on the key size, so the key_bits parameter is unused. The
key_type parameter may be unused on an implementation where there is
no block cipher MAC. Declare the key_type and key_bits parameters as
used so that callers who define a variable just for this don't risk
getting "unused variable" warnings.
The macro was used under the name PSA_ALG_IS_BLOCK_CIPHER_MAC but
defined as PSA_ALG_IS_CIPHER_MAC. That wouldn't have worked if we used
this macro (we currently don't but it may become useful).
TLS now defines named curves in the "TLS Supported Groups registry",
but we're using the encoding only for elliptic curves, so don't
include values that aren't named curve.
While we're at it, upgrade the reference to the shiny new RFC 8422.
OFB and CFB are streaming modes. XTS is a not a cipher mode but it
doesn't use a separate padding step. This leaves only CBC as a block
cipher mode that needs a padding step.
Since CBC is the only mode that uses a separate padding step, and is
likely to remain the only mode in the future, encode the padding mode
directly in the algorithm constant, rather than building up an
algorithm value from a chaining mode and a padding mode. This greatly
simplifies the interface as well as some parts of the implementation.