/**

 * \file psa/crypto_values.h

 *

 * \brief PSA cryptography module: macros to build and analyze integer values.

 *

 * \note This file may not be included directly. Applications must

 * include psa/crypto.h. Drivers must include the appropriate driver

 * header file.

 *

 * This file contains portable definitions of macros to build and analyze

 * values of integral types that encode properties of cryptographic keys,

 * designations of cryptographic algorithms, and error codes returned by

 * the library.

 *

 * Note that many of the constants defined in this file are embedded in

 * the persistent key store, as part of key metadata (including usage

 * policies). As a consequence, they must not be changed (unless the storage

 * format version changes).

 *

 * This header file only defines preprocessor macros.

 */

/*

 *  Copyright The Mbed TLS Contributors

 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later

 */

#ifndef PSA_CRYPTO_VALUES_H

#define PSA_CRYPTO_VALUES_H

#include "mbedtls/private_access.h"

/** \defgroup error Error codes

 * @{

 */

/* PSA error codes */

/* Error codes are standardized across PSA domains (framework, crypto, storage,

 * etc.). Do not change the values in this section or even the expansions

 * of each macro: it must be possible to `#include` both this header

 * and some other PSA component's headers in the same C source,

 * which will lead to duplicate definitions of the `PSA_SUCCESS` and

 * `PSA_ERROR_xxx` macros, which is ok if and only if the macros expand

 * to the same sequence of tokens.

 *

 * If you must add a new

 * value, check with the Arm PSA framework group to pick one that other

 * domains aren't already using. */

/* Tell uncrustify not to touch the constant definitions, otherwise

 * it might change the spacing to something that is not PSA-compliant

 * (e.g. adding a space after casts).

 *

 * *INDENT-OFF*

 */

/** The action was completed successfully. */

#define PSA_SUCCESS ((psa_status_t)0)

/** An error occurred that does not correspond to any defined

 * failure cause.

 *

 * Implementations may use this error code if none of the other standard

 * error codes are applicable. */

#define PSA_ERROR_GENERIC_ERROR         ((psa_status_t)-132)

/** The requested operation or a parameter is not supported

 * by this implementation.

 *

 * Implementations should return this error code when an enumeration

 * parameter such as a key type, algorithm, etc. is not recognized.

 * If a combination of parameters is recognized and identified as

 * not valid, return #PSA_ERROR_INVALID_ARGUMENT instead. */

#define PSA_ERROR_NOT_SUPPORTED         ((psa_status_t)-134)

/** The requested action is denied by a policy.

 *

 * Implementations should return this error code when the parameters

 * are recognized as valid and supported, and a policy explicitly

 * denies the requested operation.

 *

 * If a subset of the parameters of a function call identify a

 * forbidden operation, and another subset of the parameters are

 * not valid or not supported, it is unspecified whether the function

 * returns #PSA_ERROR_NOT_PERMITTED, #PSA_ERROR_NOT_SUPPORTED or

 * #PSA_ERROR_INVALID_ARGUMENT. */

#define PSA_ERROR_NOT_PERMITTED         ((psa_status_t)-133)

/** An output buffer is too small.

 *

 * Applications can call the \c PSA_xxx_SIZE macro listed in the function

 * description to determine a sufficient buffer size.

 *

 * Implementations should preferably return this error code only

 * in cases when performing the operation with a larger output

 * buffer would succeed. However implementations may return this

 * error if a function has invalid or unsupported parameters in addition

 * to the parameters that determine the necessary output buffer size. */

#define PSA_ERROR_BUFFER_TOO_SMALL      ((psa_status_t)-138)

/** Asking for an item that already exists

 *

 * Implementations should return this error, when attempting

 * to write an item (like a key) that already exists. */

#define PSA_ERROR_ALREADY_EXISTS        ((psa_status_t)-139)

/** Asking for an item that doesn't exist

 *

 * Implementations should return this error, if a requested item (like

 * a key) does not exist. */

#define PSA_ERROR_DOES_NOT_EXIST        ((psa_status_t)-140)

/** The requested action cannot be performed in the current state.

 *

 * Multipart operations return this error when one of the

 * functions is called out of sequence. Refer to the function

 * descriptions for permitted sequencing of functions.

 *

 * Implementations shall not return this error code to indicate

 * that a key either exists or not,

 * but shall instead return #PSA_ERROR_ALREADY_EXISTS or #PSA_ERROR_DOES_NOT_EXIST

 * as applicable.

 *

 * Implementations shall not return this error code to indicate that a

 * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE

 * instead. */

#define PSA_ERROR_BAD_STATE             ((psa_status_t)-137)

/** The parameters passed to the function are invalid.

 *

 * Implementations may return this error any time a parameter or

 * combination of parameters are recognized as invalid.

 *

 * Implementations shall not return this error code to indicate that a

 * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE

 * instead.

 */

#define PSA_ERROR_INVALID_ARGUMENT      ((psa_status_t)-135)

/** There is not enough runtime memory.

 *

 * If the action is carried out across multiple security realms, this

 * error can refer to available memory in any of the security realms. */

#define PSA_ERROR_INSUFFICIENT_MEMORY   ((psa_status_t)-141)

/** There is not enough persistent storage.

 *

 * Functions that modify the key storage return this error code if

 * there is insufficient storage space on the host media. In addition,

 * many functions that do not otherwise access storage may return this

 * error code if the implementation requires a mandatory log entry for

 * the requested action and the log storage space is full. */

#define PSA_ERROR_INSUFFICIENT_STORAGE  ((psa_status_t)-142)

/** There was a communication failure inside the implementation.

 *

 * This can indicate a communication failure between the application

 * and an external cryptoprocessor or between the cryptoprocessor and

 * an external volatile or persistent memory. A communication failure

 * may be transient or permanent depending on the cause.

 *

 * \warning If a function returns this error, it is undetermined

 * whether the requested action has completed or not. Implementations

 * should return #PSA_SUCCESS on successful completion whenever

 * possible, however functions may return #PSA_ERROR_COMMUNICATION_FAILURE

 * if the requested action was completed successfully in an external

 * cryptoprocessor but there was a breakdown of communication before

 * the cryptoprocessor could report the status to the application.

 */

#define PSA_ERROR_COMMUNICATION_FAILURE ((psa_status_t)-145)

/** There was a storage failure that may have led to data loss.

 *

 * This error indicates that some persistent storage is corrupted.

 * It should not be used for a corruption of volatile memory

 * (use #PSA_ERROR_CORRUPTION_DETECTED), for a communication error

 * between the cryptoprocessor and its external storage (use

 * #PSA_ERROR_COMMUNICATION_FAILURE), or when the storage is

 * in a valid state but is full (use #PSA_ERROR_INSUFFICIENT_STORAGE).

 *

 * Note that a storage failure does not indicate that any data that was

 * previously read is invalid. However this previously read data may no

 * longer be readable from storage.

 *

 * When a storage failure occurs, it is no longer possible to ensure

 * the global integrity of the keystore. Depending on the global

 * integrity guarantees offered by the implementation, access to other

 * data may or may not fail even if the data is still readable but

 * its integrity cannot be guaranteed.

 *

 * Implementations should only use this error code to report a

 * permanent storage corruption. However application writers should

 * keep in mind that transient errors while reading the storage may be

 * reported using this error code. */

#define PSA_ERROR_STORAGE_FAILURE       ((psa_status_t)-146)

/** A hardware failure was detected.

 *

 * A hardware failure may be transient or permanent depending on the

 * cause. */

#define PSA_ERROR_HARDWARE_FAILURE      ((psa_status_t)-147)

/** A tampering attempt was detected.

 *

 * If an application receives this error code, there is no guarantee

 * that previously accessed or computed data was correct and remains

 * confidential. Applications should not perform any security function

 * and should enter a safe failure state.

 *

 * Implementations may return this error code if they detect an invalid

 * state that cannot happen during normal operation and that indicates

 * that the implementation's security guarantees no longer hold. Depending

 * on the implementation architecture and on its security and safety goals,

 * the implementation may forcibly terminate the application.

 *

 * This error code is intended as a last resort when a security breach

 * is detected and it is unsure whether the keystore data is still

 * protected. Implementations shall only return this error code

 * to report an alarm from a tampering detector, to indicate that

 * the confidentiality of stored data can no longer be guaranteed,

 * or to indicate that the integrity of previously returned data is now

 * considered compromised. Implementations shall not use this error code

 * to indicate a hardware failure that merely makes it impossible to

 * perform the requested operation (use #PSA_ERROR_COMMUNICATION_FAILURE,

 * #PSA_ERROR_STORAGE_FAILURE, #PSA_ERROR_HARDWARE_FAILURE,

 * #PSA_ERROR_INSUFFICIENT_ENTROPY or other applicable error code

 * instead).

 *

 * This error indicates an attack against the application. Implementations

 * shall not return this error code as a consequence of the behavior of

 * the application itself. */

#define PSA_ERROR_CORRUPTION_DETECTED    ((psa_status_t)-151)

/** There is not enough entropy to generate random data needed

 * for the requested action.

 *

 * This error indicates a failure of a hardware random generator.

 * Application writers should note that this error can be returned not

 * only by functions whose purpose is to generate random data, such

 * as key, IV or nonce generation, but also by functions that execute

 * an algorithm with a randomized result, as well as functions that

 * use randomization of intermediate computations as a countermeasure

 * to certain attacks.

 *

 * Implementations should avoid returning this error after psa_crypto_init()

 * has succeeded. Implementations should generate sufficient

 * entropy during initialization and subsequently use a cryptographically

 * secure pseudorandom generator (PRNG). However implementations may return

 * this error at any time if a policy requires the PRNG to be reseeded

 * during normal operation. */

#define PSA_ERROR_INSUFFICIENT_ENTROPY  ((psa_status_t)-148)

/** The signature, MAC or hash is incorrect.

 *

 * Verification functions return this error if the verification

 * calculations completed successfully, and the value to be verified

 * was determined to be incorrect.

 *

 * If the value to verify has an invalid size, implementations may return

 * either #PSA_ERROR_INVALID_ARGUMENT or #PSA_ERROR_INVALID_SIGNATURE. */

#define PSA_ERROR_INVALID_SIGNATURE     ((psa_status_t)-149)

/** The decrypted padding is incorrect.

 *

 * \warning In some protocols, when decrypting data, it is essential that

 * the behavior of the application does not depend on whether the padding

 * is correct, down to precise timing. Applications should prefer

 * protocols that use authenticated encryption rather than plain

 * encryption. If the application must perform a decryption of

 * unauthenticated data, the application writer should take care not

 * to reveal whether the padding is invalid.

 *

 * Implementations should strive to make valid and invalid padding

 * as close as possible to indistinguishable to an external observer.

 * In particular, the timing of a decryption operation should not

 * depend on the validity of the padding. */

#define PSA_ERROR_INVALID_PADDING       ((psa_status_t)-150)

/** Return this error when there's insufficient data when attempting

 * to read from a resource. */

#define PSA_ERROR_INSUFFICIENT_DATA     ((psa_status_t)-143)

/** This can be returned if a function can no longer operate correctly.

 * For example, if an essential initialization operation failed or

 * a mutex operation failed. */

#define PSA_ERROR_SERVICE_FAILURE       ((psa_status_t)-144)

/** The key identifier is not valid. See also :ref:\`key-handles\`.

 */

#define PSA_ERROR_INVALID_HANDLE        ((psa_status_t)-136)

/** Stored data has been corrupted.

 *

 * This error indicates that some persistent storage has suffered corruption.

 * It does not indicate the following situations, which have specific error

 * codes:

 *

 * - A corruption of volatile memory - use #PSA_ERROR_CORRUPTION_DETECTED.

 * - A communication error between the cryptoprocessor and its external

 *   storage - use #PSA_ERROR_COMMUNICATION_FAILURE.

 * - When the storage is in a valid state but is full - use

 *   #PSA_ERROR_INSUFFICIENT_STORAGE.

 * - When the storage fails for other reasons - use

 *   #PSA_ERROR_STORAGE_FAILURE.

 * - When the stored data is not valid - use #PSA_ERROR_DATA_INVALID.

 *

 * \note A storage corruption does not indicate that any data that was

 * previously read is invalid. However this previously read data might no

 * longer be readable from storage.

 *

 * When a storage failure occurs, it is no longer possible to ensure the

 * global integrity of the keystore.

 */

#define PSA_ERROR_DATA_CORRUPT          ((psa_status_t)-152)

/** Data read from storage is not valid for the implementation.

 *

 * This error indicates that some data read from storage does not have a valid

 * format. It does not indicate the following situations, which have specific

 * error codes:

 *

 * - When the storage or stored data is corrupted - use #PSA_ERROR_DATA_CORRUPT

 * - When the storage fails for other reasons - use #PSA_ERROR_STORAGE_FAILURE

 * - An invalid argument to the API - use #PSA_ERROR_INVALID_ARGUMENT

 *

 * This error is typically a result of either storage corruption on a

 * cleartext storage backend, or an attempt to read data that was

 * written by an incompatible version of the library.

 */

#define PSA_ERROR_DATA_INVALID          ((psa_status_t)-153)

/** The function that returns this status is defined as interruptible and

 *  still has work to do, thus the user should call the function again with the

 *  same operation context until it either returns #PSA_SUCCESS or any other

 *  error. This is not an error per se, more a notification of status.

 */

#define PSA_OPERATION_INCOMPLETE           ((psa_status_t)-248)

/* *INDENT-ON* */

/**@}*/

/** \defgroup crypto_types Key and algorithm types

 * @{

 */

/* Note that key type values, including ECC family and DH group values, are

 * embedded in the persistent key store, as part of key metadata. As a

 * consequence, they must not be changed (unless the storage format version

 * changes).

 */

/** An invalid key type value.

 *

 * Zero is not the encoding of any key type.

 */

#define PSA_KEY_TYPE_NONE                           ((psa_key_type_t) 0x0000)

/** Vendor-defined key type flag.

 *

 * Key types defined by this standard will never have the

 * #PSA_KEY_TYPE_VENDOR_FLAG bit set. Vendors who define additional key types

 * must use an encoding with the #PSA_KEY_TYPE_VENDOR_FLAG bit set and should

 * respect the bitwise structure used by standard encodings whenever practical.

 */

#define PSA_KEY_TYPE_VENDOR_FLAG                    ((psa_key_type_t) 0x8000)

#define PSA_KEY_TYPE_CATEGORY_MASK                  ((psa_key_type_t) 0x7000)

#define PSA_KEY_TYPE_CATEGORY_RAW                   ((psa_key_type_t) 0x1000)

#define PSA_KEY_TYPE_CATEGORY_SYMMETRIC             ((psa_key_type_t) 0x2000)

#define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY            ((psa_key_type_t) 0x4000)

#define PSA_KEY_TYPE_CATEGORY_KEY_PAIR              ((psa_key_type_t) 0x7000)

#define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR             ((psa_key_type_t) 0x3000)

/** Whether a key type is vendor-defined.

 *

 * See also #PSA_KEY_TYPE_VENDOR_FLAG.

 */

#define PSA_KEY_TYPE_IS_VENDOR_DEFINED(type) \

    (((type) & PSA_KEY_TYPE_VENDOR_FLAG) != 0)

/** Whether a key type is an unstructured array of bytes.

 *

 * This encompasses both symmetric keys and non-key data.

 */

#define PSA_KEY_TYPE_IS_UNSTRUCTURED(type) \

    (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_RAW || \

     ((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC)

/** Whether a key type is asymmetric: either a key pair or a public key. */

#define PSA_KEY_TYPE_IS_ASYMMETRIC(type)                                \

    (((type) & PSA_KEY_TYPE_CATEGORY_MASK                               \

      & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) ==                            \

     PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)

/** Whether a key type is the public part of a key pair. */

#define PSA_KEY_TYPE_IS_PUBLIC_KEY(type)                                \

    (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)

/** Whether a key type is a key pair containing a private part and a public

 * part. */

#define PSA_KEY_TYPE_IS_KEY_PAIR(type)                                   \

    (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_KEY_PAIR)

/** The key pair type corresponding to a public key type.

 *

 * You may also pass a key pair type as \p type, it will be left unchanged.

 *

 * \param type      A public key type or key pair type.

 *

 * \return          The corresponding key pair type.

 *                  If \p type is not a public key or a key pair,

 *                  the return value is undefined.

 */

#define PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(type)        \

    ((type) | PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)

/** The public key type corresponding to a key pair type.

 *

 * You may also pass a public key type as \p type, it will be left unchanged.

 *

 * \param type      A public key type or key pair type.

 *

 * \return          The corresponding public key type.

 *                  If \p type is not a public key or a key pair,

 *                  the return value is undefined.

 */

#define PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type)        \

    ((type) & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)

/** Raw data.

 *

 * A "key" of this type cannot be used for any cryptographic operation.

 * Applications may use this type to store arbitrary data in the keystore. */

#define PSA_KEY_TYPE_RAW_DATA                       ((psa_key_type_t) 0x1001)

/** HMAC key.

 *

 * The key policy determines which underlying hash algorithm the key can be

 * used for.

 *

 * HMAC keys should generally have the same size as the underlying hash.

 * This size can be calculated with #PSA_HASH_LENGTH(\c alg) where

 * \c alg is the HMAC algorithm or the underlying hash algorithm. */

#define PSA_KEY_TYPE_HMAC                           ((psa_key_type_t) 0x1100)

/** A secret for key derivation.

 *

 * This key type is for high-entropy secrets only. For low-entropy secrets,

 * #PSA_KEY_TYPE_PASSWORD should be used instead.

 *

 * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_SECRET or

 * #PSA_KEY_DERIVATION_INPUT_PASSWORD input of key derivation algorithms.

 *

 * The key policy determines which key derivation algorithm the key

 * can be used for.

 */

#define PSA_KEY_TYPE_DERIVE                         ((psa_key_type_t) 0x1200)

/** A low-entropy secret for password hashing or key derivation.

 *

 * This key type is suitable for passwords and passphrases which are typically

 * intended to be memorizable by humans, and have a low entropy relative to

 * their size. It can be used for randomly generated or derived keys with

 * maximum or near-maximum entropy, but #PSA_KEY_TYPE_DERIVE is more suitable

 * for such keys. It is not suitable for passwords with extremely low entropy,

 * such as numerical PINs.

 *

 * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_PASSWORD input of

 * key derivation algorithms. Algorithms that accept such an input were

 * designed to accept low-entropy secret and are known as password hashing or

 * key stretching algorithms.

 *

 * These keys cannot be used as the #PSA_KEY_DERIVATION_INPUT_SECRET input of

 * key derivation algorithms, as the algorithms that take such an input expect

 * it to be high-entropy.

 *

 * The key policy determines which key derivation algorithm the key can be

 * used for, among the permissible subset defined above.

 */

#define PSA_KEY_TYPE_PASSWORD                       ((psa_key_type_t) 0x1203)

/** A secret value that can be used to verify a password hash.

 *

 * The key policy determines which key derivation algorithm the key

 * can be used for, among the same permissible subset as for

 * #PSA_KEY_TYPE_PASSWORD.

 */

#define PSA_KEY_TYPE_PASSWORD_HASH                  ((psa_key_type_t) 0x1205)

/** A secret value that can be used in when computing a password hash.

 *

 * The key policy determines which key derivation algorithm the key

 * can be used for, among the subset of algorithms that can use pepper.

 */

#define PSA_KEY_TYPE_PEPPER                         ((psa_key_type_t) 0x1206)

/** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.

 *

 * The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or

 * 32 bytes (AES-256).

 */

#define PSA_KEY_TYPE_AES                            ((psa_key_type_t) 0x2400)

/** Key for a cipher, AEAD or MAC algorithm based on the

 * ARIA block cipher. */

#define PSA_KEY_TYPE_ARIA                           ((psa_key_type_t) 0x2406)

/** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).

 *

 * The size of the key can be 64 bits (single DES), 128 bits (2-key 3DES) or

 * 192 bits (3-key 3DES).

 *

 * Note that single DES and 2-key 3DES are weak and strongly

 * deprecated and should only be used to decrypt legacy data. 3-key 3DES

 * is weak and deprecated and should only be used in legacy protocols.

 */

#define PSA_KEY_TYPE_DES                            ((psa_key_type_t) 0x2301)

/** Key for a cipher, AEAD or MAC algorithm based on the

 * Camellia block cipher. */

#define PSA_KEY_TYPE_CAMELLIA                       ((psa_key_type_t) 0x2403)

/** Key for the ChaCha20 stream cipher or the Chacha20-Poly1305 AEAD algorithm.

 *

 * ChaCha20 and the ChaCha20_Poly1305 construction are defined in RFC 7539.

 *

 * \note For ChaCha20 and ChaCha20_Poly1305, Mbed TLS only supports

 *       12-byte nonces.

 *

 * \note For ChaCha20, the initial counter value is 0. To encrypt or decrypt

 *       with the initial counter value 1, you can process and discard a

 *       64-byte block before the real data.

 */

#define PSA_KEY_TYPE_CHACHA20                       ((psa_key_type_t) 0x2004)

/** RSA public key.

 *

 * The size of an RSA key is the bit size of the modulus.

 */

#define PSA_KEY_TYPE_RSA_PUBLIC_KEY                 ((psa_key_type_t) 0x4001)

/** RSA key pair (private and public key).

 *

 * The size of an RSA key is the bit size of the modulus.

 */

#define PSA_KEY_TYPE_RSA_KEY_PAIR                   ((psa_key_type_t) 0x7001)

/** Whether a key type is an RSA key (pair or public-only). */

#define PSA_KEY_TYPE_IS_RSA(type)                                       \

    (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY)

#define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE            ((psa_key_type_t) 0x4100)

#define PSA_KEY_TYPE_ECC_KEY_PAIR_BASE              ((psa_key_type_t) 0x7100)

#define PSA_KEY_TYPE_ECC_CURVE_MASK                 ((psa_key_type_t) 0x00ff)

/** Elliptic curve key pair.

 *

 * The size of an elliptic curve key is the bit size associated with the curve,

 * i.e. the bit size of *q* for a curve over a field *F<sub>q</sub>*.

 * See the documentation of `PSA_ECC_FAMILY_xxx` curve families for details.

 *

 * \param curve     A value of type ::psa_ecc_family_t that

 *                  identifies the ECC curve to be used.

 */

#define PSA_KEY_TYPE_ECC_KEY_PAIR(curve)         \

    (PSA_KEY_TYPE_ECC_KEY_PAIR_BASE | (curve))

/** Elliptic curve public key.

 *

 * The size of an elliptic curve public key is the same as the corresponding

 * private key (see #PSA_KEY_TYPE_ECC_KEY_PAIR and the documentation of

 * `PSA_ECC_FAMILY_xxx` curve families).

 *

 * \param curve     A value of type ::psa_ecc_family_t that

 *                  identifies the ECC curve to be used.

 */

#define PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve)              \

    (PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE | (curve))

/** Whether a key type is an elliptic curve key (pair or public-only). */

#define PSA_KEY_TYPE_IS_ECC(type)                                       \

    ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) &                        \

      ~PSA_KEY_TYPE_ECC_CURVE_MASK) == PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)

/** Whether a key type is an elliptic curve key pair. */

#define PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)                               \

    (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) ==                         \

     PSA_KEY_TYPE_ECC_KEY_PAIR_BASE)

/** Whether a key type is an elliptic curve public key. */

#define PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(type)                            \

    (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) ==                         \

     PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)

/** Extract the curve from an elliptic curve key type. */

#define PSA_KEY_TYPE_ECC_GET_FAMILY(type)                        \

    ((psa_ecc_family_t) (PSA_KEY_TYPE_IS_ECC(type) ?             \

                         ((type) & PSA_KEY_TYPE_ECC_CURVE_MASK) : \

                         0))

/** Check if the curve of given family is Weierstrass elliptic curve. */

#define PSA_ECC_FAMILY_IS_WEIERSTRASS(family) ((family & 0xc0) == 0)

/** SEC Koblitz curves over prime fields.

 *

 * This family comprises the following curves:

 * secp192k1, secp224k1, secp256k1.

 * They are defined in _Standards for Efficient Cryptography_,

 * _SEC 2: Recommended Elliptic Curve Domain Parameters_.

 * https://www.secg.org/sec2-v2.pdf

 *

 * \note For secp224k1, the bit-size is 225 (size of a private value).

 *

 * \note Mbed TLS only supports secp192k1 and secp256k1.

 */

#define PSA_ECC_FAMILY_SECP_K1           ((psa_ecc_family_t) 0x17)

/** SEC random curves over prime fields.

 *

 * This family comprises the following curves:

 * secp192r1, secp224r1, secp256r1, secp384r1, secp521r1.

 * They are defined in _Standards for Efficient Cryptography_,

 * _SEC 2: Recommended Elliptic Curve Domain Parameters_.

 * https://www.secg.org/sec2-v2.pdf

 */

#define PSA_ECC_FAMILY_SECP_R1           ((psa_ecc_family_t) 0x12)

/* SECP160R2 (SEC2 v1, obsolete, not supported in Mbed TLS) */

#define PSA_ECC_FAMILY_SECP_R2           ((psa_ecc_family_t) 0x1b)

/** SEC Koblitz curves over binary fields.

 *

 * This family comprises the following curves:

 * sect163k1, sect233k1, sect239k1, sect283k1, sect409k1, sect571k1.

 * They are defined in _Standards for Efficient Cryptography_,

 * _SEC 2: Recommended Elliptic Curve Domain Parameters_.

 * https://www.secg.org/sec2-v2.pdf

 *

 * \note Mbed TLS does not support any curve in this family.

 */

#define PSA_ECC_FAMILY_SECT_K1           ((psa_ecc_family_t) 0x27)

/** SEC random curves over binary fields.

 *

 * This family comprises the following curves:

 * sect163r1, sect233r1, sect283r1, sect409r1, sect571r1.

 * They are defined in _Standards for Efficient Cryptography_,

 * _SEC 2: Recommended Elliptic Curve Domain Parameters_.

 * https://www.secg.org/sec2-v2.pdf

 *

 * \note Mbed TLS does not support any curve in this family.

 */

#define PSA_ECC_FAMILY_SECT_R1           ((psa_ecc_family_t) 0x22)

/** SEC additional random curves over binary fields.

 *

 * This family comprises the following curve:

 * sect163r2.

 * It is defined in _Standards for Efficient Cryptography_,

 * _SEC 2: Recommended Elliptic Curve Domain Parameters_.

 * https://www.secg.org/sec2-v2.pdf

 *

 * \note Mbed TLS does not support any curve in this family.

 */

#define PSA_ECC_FAMILY_SECT_R2           ((psa_ecc_family_t) 0x2b)

/** Brainpool P random curves.

 *

 * This family comprises the following curves:

 * brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1,

 * brainpoolP320r1, brainpoolP384r1, brainpoolP512r1.

 * It is defined in RFC 5639.

 *

 * \note Mbed TLS only supports the 256-bit, 384-bit and 512-bit curves

 *       in this family.

 */

#define PSA_ECC_FAMILY_BRAINPOOL_P_R1    ((psa_ecc_family_t) 0x30)

/** Curve25519 and Curve448.

 *

 * This family comprises the following Montgomery curves:

 * - 255-bit: Bernstein et al.,

 *   _Curve25519: new Diffie-Hellman speed records_, LNCS 3958, 2006.

 *   The algorithm #PSA_ALG_ECDH performs X25519 when used with this curve.

 * - 448-bit: Hamburg,

 *   _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.

 *   The algorithm #PSA_ALG_ECDH performs X448 when used with this curve.

 */

#define PSA_ECC_FAMILY_MONTGOMERY        ((psa_ecc_family_t) 0x41)

/** The twisted Edwards curves Ed25519 and Ed448.

 *

 * These curves are suitable for EdDSA (#PSA_ALG_PURE_EDDSA for both curves,

 * #PSA_ALG_ED25519PH for the 255-bit curve,

 * #PSA_ALG_ED448PH for the 448-bit curve).

 *

 * This family comprises the following twisted Edwards curves:

 * - 255-bit: Edwards25519, the twisted Edwards curve birationally equivalent

 *   to Curve25519.

 *   Bernstein et al., _Twisted Edwards curves_, Africacrypt 2008.

 * - 448-bit: Edwards448, the twisted Edwards curve birationally equivalent

 *   to Curve448.

 *   Hamburg, _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.

 *

 * \note Mbed TLS does not support Edwards curves yet.

 */

#define PSA_ECC_FAMILY_TWISTED_EDWARDS   ((psa_ecc_family_t) 0x42)

#define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE             ((psa_key_type_t) 0x4200)

#define PSA_KEY_TYPE_DH_KEY_PAIR_BASE               ((psa_key_type_t) 0x7200)

#define PSA_KEY_TYPE_DH_GROUP_MASK                  ((psa_key_type_t) 0x00ff)

/** Diffie-Hellman key pair.

 *

 * \param group     A value of type ::psa_dh_family_t that identifies the

 *                  Diffie-Hellman group to be used.

 */

#define PSA_KEY_TYPE_DH_KEY_PAIR(group)          \

    (PSA_KEY_TYPE_DH_KEY_PAIR_BASE | (group))

/** Diffie-Hellman public key.

 *

 * \param group     A value of type ::psa_dh_family_t that identifies the

 *                  Diffie-Hellman group to be used.

 */

#define PSA_KEY_TYPE_DH_PUBLIC_KEY(group)               \

    (PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE | (group))

/** Whether a key type is a Diffie-Hellman key (pair or public-only). */

#define PSA_KEY_TYPE_IS_DH(type)                                        \

    ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) &                        \

      ~PSA_KEY_TYPE_DH_GROUP_MASK) == PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)

/** Whether a key type is a Diffie-Hellman key pair. */

#define PSA_KEY_TYPE_IS_DH_KEY_PAIR(type)                               \

    (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) ==                         \

     PSA_KEY_TYPE_DH_KEY_PAIR_BASE)

/** Whether a key type is a Diffie-Hellman public key. */

#define PSA_KEY_TYPE_IS_DH_PUBLIC_KEY(type)                            \

    (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) ==                         \

     PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)

/** Extract the group from a Diffie-Hellman key type. */

#define PSA_KEY_TYPE_DH_GET_FAMILY(type)                        \

    ((psa_dh_family_t) (PSA_KEY_TYPE_IS_DH(type) ?              \

                        ((type) & PSA_KEY_TYPE_DH_GROUP_MASK) :  \

                        0))

/** Diffie-Hellman groups defined in RFC 7919 Appendix A.

 *

 * This family includes groups with the following key sizes (in bits):

 * 2048, 3072, 4096, 6144, 8192. A given implementation may support

 * all of these sizes or only a subset.

 */

#define PSA_DH_FAMILY_RFC7919            ((psa_dh_family_t) 0x03)

#define PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type)      \

    (((type) >> 8) & 7)

/** The block size of a block cipher.

 *

 * \param type  A cipher key type (value of type #psa_key_type_t).

 *

 * \return      The block size for a block cipher, or 1 for a stream cipher.

 *              The return value is undefined if \p type is not a supported

 *              cipher key type.

 *

 * \note It is possible to build stream cipher algorithms on top of a block

 *       cipher, for example CTR mode (#PSA_ALG_CTR).

 *       This macro only takes the key type into account, so it cannot be

 *       used to determine the size of the data that #psa_cipher_update()

 *       might buffer for future processing in general.

 *

 * \note This macro returns a compile-time constant if its argument is one.

 *

 * \warning This macro may evaluate its argument multiple times.

 */

#define PSA_BLOCK_CIPHER_BLOCK_LENGTH(type)                                     \

    (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \

     1u << PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) :                         \

        0u)

/* Note that algorithm values are embedded in the persistent key store,

 * as part of key metadata. As a consequence, they must not be changed

 * (unless the storage format version changes).

 */

/** Vendor-defined algorithm flag.

 *

 * Algorithms defined by this standard will never have the #PSA_ALG_VENDOR_FLAG

 * bit set. Vendors who define additional algorithms must use an encoding with

 * the #PSA_ALG_VENDOR_FLAG bit set and should respect the bitwise structure

 * used by standard encodings whenever practical.

 */

#define PSA_ALG_VENDOR_FLAG                     ((psa_algorithm_t) 0x80000000)

#define PSA_ALG_CATEGORY_MASK                   ((psa_algorithm_t) 0x7f000000)

#define PSA_ALG_CATEGORY_HASH                   ((psa_algorithm_t) 0x02000000)

#define PSA_ALG_CATEGORY_MAC                    ((psa_algorithm_t) 0x03000000)

#define PSA_ALG_CATEGORY_CIPHER                 ((psa_algorithm_t) 0x04000000)

#define PSA_ALG_CATEGORY_AEAD                   ((psa_algorithm_t) 0x05000000)

#define PSA_ALG_CATEGORY_SIGN                   ((psa_algorithm_t) 0x06000000)

#define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION  ((psa_algorithm_t) 0x07000000)

#define PSA_ALG_CATEGORY_KEY_DERIVATION         ((psa_algorithm_t) 0x08000000)

#define PSA_ALG_CATEGORY_KEY_AGREEMENT          ((psa_algorithm_t) 0x09000000)

/** Whether an algorithm is vendor-defined.

 *

 * See also #PSA_ALG_VENDOR_FLAG.

 */

#define PSA_ALG_IS_VENDOR_DEFINED(alg)                                  \

    (((alg) & PSA_ALG_VENDOR_FLAG) != 0)

/** Whether the specified algorithm is a hash algorithm.

 *

 * \param alg An algorithm identifier (value of type #psa_algorithm_t).

 *

 * \return 1 if \p alg is a hash algorithm, 0 otherwise.

 *         This macro may return either 0 or 1 if \p alg is not a supported

 *         algorithm identifier.

 */

#define PSA_ALG_IS_HASH(alg)                                            \

    (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_HASH)

/** Whether the specified algorithm is a MAC algorithm.

 *

 * \param alg An algorithm identifier (value of type #psa_algorithm_t).

 *

 * \return 1 if \p alg is a MAC algorithm, 0 otherwise.

 *         This macro may return either 0 or 1 if \p alg is not a supported

 *         algorithm identifier.

 */

#define PSA_ALG_IS_MAC(alg)                                             \

    (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_MAC)

/** Whether the specified algorithm is a symmetric cipher algorithm.

 *

 * \param alg An algorithm identifier (value of type #psa_algorithm_t).

 *

 * \return 1 if \p alg is a symmetric cipher algorithm, 0 otherwise.

 *         This macro may return either 0 or 1 if \p alg is not a supported

 *         algorithm identifier.

 */

#define PSA_ALG_IS_CIPHER(alg)                                          \

    (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_CIPHER)

/** Whether the specified algorithm is an authenticated encryption

 * with associated data (AEAD) algorithm.

 *

 * \param alg An algorithm identifier (value of type #psa_algorithm_t).

 *

 * \return 1 if \p alg is an AEAD algorithm, 0 otherwise.

 *         This macro may return either 0 or 1 if \p alg is not a supported

 *         algorithm identifier.

 */

#define PSA_ALG_IS_AEAD(alg)                                            \

    (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_AEAD)

/** Whether the specified algorithm is an asymmetric signature algorithm,

 * also known as public-key signature algorithm.

 *

 * \param alg An algorithm identifier (value of type #psa_algorithm_t).

 *

 * \return 1 if \p alg is an asymmetric signature algorithm, 0 otherwise.

 *         This macro may return either 0 or 1 if \p alg is not a supported

 *         algorithm identifier.

 */

#define PSA_ALG_IS_SIGN(alg)                                            \

    (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_SIGN)

/** Whether the specified algorithm is an asymmetric encryption algorithm,

 * also known as public-key encryption algorithm.

 *

 * \param alg An algorithm identifier (value of type #psa_algorithm_t).

 *

 * \return 1 if \p alg is an asymmetric encryption algorithm, 0 otherwise.

 *         This macro may return either 0 or 1 if \p alg is not a supported

 *         algorithm identifier.

 */

#define PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(alg)                           \

    (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION)

/** Whether the specified algorithm is a key agreement algorithm.

 *

 * \param alg An algorithm identifier (value of type #psa_algorithm_t).

 *

 * \return 1 if \p alg is a key agreement algorithm, 0 otherwise.

 *         This macro may return either 0 or 1 if \p alg is not a supported

 *         algorithm identifier.

 */

#define PSA_ALG_IS_KEY_AGREEMENT(alg)                                   \

    (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_AGREEMENT)

/** Whether the specified algorithm is a key derivation algorithm.

 *

 * \param alg An algorithm identifier (value of type #psa_algorithm_t).

 *

 * \return 1 if \p alg is a key derivation algorithm, 0 otherwise.

 *         This macro may return either 0 or 1 if \p alg is not a supported

 *         algorithm identifier.

 */

#define PSA_ALG_IS_KEY_DERIVATION(alg)                                  \

    (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_DERIVATION)

/** Whether the specified algorithm is a key stretching / password hashing

 * algorithm.

 *

 * A key stretching / password hashing algorithm is a key derivation algorithm

 * that is suitable for use with a low-entropy secret such as a password.

 * Equivalently, it's a key derivation algorithm that uses a

 * #PSA_KEY_DERIVATION_INPUT_PASSWORD input step.

 *

 * \param alg An algorithm identifier (value of type #psa_algorithm_t).

 *

 * \return 1 if \p alg is a key stretching / password hashing algorithm, 0

 *         otherwise. This macro may return either 0 or 1 if \p alg is not a

 *         supported algorithm identifier.

 */

#define PSA_ALG_IS_KEY_DERIVATION_STRETCHING(alg)                                  \

    (PSA_ALG_IS_KEY_DERIVATION(alg) &&              \

     (alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG)

/** An invalid algorithm identifier value. */

/* *INDENT-OFF* (https://github.com/ARM-software/psa-arch-tests/issues/337) */

#define PSA_ALG_NONE                            ((psa_algorithm_t)0)

/* *INDENT-ON* */

#define PSA_ALG_HASH_MASK                       ((psa_algorithm_t) 0x000000ff)

/** MD5 */

#define PSA_ALG_MD5                             ((psa_algorithm_t) 0x02000003)

/** PSA_ALG_RIPEMD160 */

#define PSA_ALG_RIPEMD160                       ((psa_algorithm_t) 0x02000004)

/** SHA1 */

#define PSA_ALG_SHA_1                           ((psa_algorithm_t) 0x02000005)

/** SHA2-224 */

#define PSA_ALG_SHA_224                         ((psa_algorithm_t) 0x02000008)

/** SHA2-256 */

#define PSA_ALG_SHA_256                         ((psa_algorithm_t) 0x02000009)

/** SHA2-384 */

#define PSA_ALG_SHA_384                         ((psa_algorithm_t) 0x0200000a)

/** SHA2-512 */

#define PSA_ALG_SHA_512                         ((psa_algorithm_t) 0x0200000b)

/** SHA2-512/224 */

#define PSA_ALG_SHA_512_224                     ((psa_algorithm_t) 0x0200000c)

/** SHA2-512/256 */

#define PSA_ALG_SHA_512_256                     ((psa_algorithm_t) 0x0200000d)

/** SHA3-224 */

#define PSA_ALG_SHA3_224                        ((psa_algorithm_t) 0x02000010)

/** SHA3-256 */

#define PSA_ALG_SHA3_256                        ((psa_algorithm_t) 0x02000011)

/** SHA3-384 */

#define PSA_ALG_SHA3_384                        ((psa_algorithm_t) 0x02000012)

/** SHA3-512 */

#define PSA_ALG_SHA3_512                        ((psa_algorithm_t) 0x02000013)

/** The first 512 bits (64 bytes) of the SHAKE256 output.

 *

 * This is the prehashing for Ed448ph (see #PSA_ALG_ED448PH). For other

 * scenarios where a hash function based on SHA3/SHAKE is desired, SHA3-512

 * has the same output size and a (theoretically) higher security strength.

 */

#define PSA_ALG_SHAKE256_512                    ((psa_algorithm_t) 0x02000015)

/** In a hash-and-sign algorithm policy, allow any hash algorithm.

 *

 * This value may be used to form the algorithm usage field of a policy

 * for a signature algorithm that is parametrized by a hash. The key

 * may then be used to perform operations using the same signature

 * algorithm parametrized with any supported hash.

 *

 * That is, suppose that `PSA_xxx_SIGNATURE` is one of the following macros:

 * - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS, #PSA_ALG_RSA_PSS_ANY_SALT,

 * - #PSA_ALG_ECDSA, #PSA_ALG_DETERMINISTIC_ECDSA.

 * Then you may create and use a key as follows:

 * - Set the key usage field using #PSA_ALG_ANY_HASH, for example:

 *   ```

 *   psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); // or VERIFY

 *   psa_set_key_algorithm(&attributes, PSA_xxx_SIGNATURE(PSA_ALG_ANY_HASH));

 *   ```

 * - Import or generate key material.

 * - Call psa_sign_hash() or psa_verify_hash(), passing

 *   an algorithm built from `PSA_xxx_SIGNATURE` and a specific hash. Each

 *   call to sign or verify a message may use a different hash.

 *   ```

 *   psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...);

 *   psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...);

 *   psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...);

 *   ```

 *

 * This value may not be used to build other algorithms that are

 * parametrized over a hash. For any valid use of this macro to build

 * an algorithm \c alg, #PSA_ALG_IS_HASH_AND_SIGN(\c alg) is true.

 *

 * This value may not be used to build an algorithm specification to

 * perform an operation. It is only valid to build policies.

 */

#define PSA_ALG_ANY_HASH                        ((psa_algorithm_t) 0x020000ff)

#define PSA_ALG_MAC_SUBCATEGORY_MASK            ((psa_algorithm_t) 0x00c00000)

#define PSA_ALG_HMAC_BASE                       ((psa_algorithm_t) 0x03800000)

/** Macro to build an HMAC algorithm.

 *

 * For example, #PSA_ALG_HMAC(#PSA_ALG_SHA_256) is HMAC-SHA-256.

 *

 * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that

 *                      #PSA_ALG_IS_HASH(\p hash_alg) is true).

 *

 * \return              The corresponding HMAC algorithm.

 * \return              Unspecified if \p hash_alg is not a supported

 *                      hash algorithm.

 */

#define PSA_ALG_HMAC(hash_alg)                                  \

    (PSA_ALG_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))

#define PSA_ALG_HMAC_GET_HASH(hmac_alg)                             \

    (PSA_ALG_CATEGORY_HASH | ((hmac_alg) & PSA_ALG_HASH_MASK))

/** Whether the specified algorithm is an HMAC algorithm.

 *

 * HMAC is a family of MAC algorithms that are based on a hash function.

 *

 * \param alg An algorithm identifier (value of type #psa_algorithm_t).

 *

 * \return 1 if \p alg is an HMAC algorithm, 0 otherwise.

 *         This macro may return either 0 or 1 if \p alg is not a supported

 *         algorithm identifier.

 */

#define PSA_ALG_IS_HMAC(alg)                                            \

    (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \

     PSA_ALG_HMAC_BASE)

/* In the encoding of a MAC algorithm, the bits corresponding to

 * PSA_ALG_MAC_TRUNCATION_MASK encode the length to which the MAC is

 * truncated. As an exception, the value 0 means the untruncated algorithm,

 * whatever its length is. The length is encoded in 6 bits, so it can

 * reach up to 63; the largest MAC is 64 bytes so its trivial truncation

 * to full length is correctly encoded as 0 and any non-trivial truncation

 * is correctly encoded as a value between 1 and 63. */

#define PSA_ALG_MAC_TRUNCATION_MASK             ((psa_algorithm_t) 0x003f0000)

#define PSA_MAC_TRUNCATION_OFFSET 16

/* In the encoding of a MAC algorithm, the bit corresponding to

 * #PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm

 * is a wildcard algorithm. A key with such wildcard algorithm as permitted

 * algorithm policy can be used with any algorithm corresponding to the

 * same base class and having a (potentially truncated) MAC length greater or

 * equal than the one encoded in #PSA_ALG_MAC_TRUNCATION_MASK. */

#define PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG   ((psa_algorithm_t) 0x00008000)

/** Macro to build a truncated MAC algorithm.

 *

 * A truncated MAC algorithm is identical to the corresponding MAC

 * algorithm except that the MAC value for the truncated algorithm

 * consists of only the first \p mac_length bytes of the MAC value

 * for the untruncated algorithm.

 *

 * \note    This macro may allow constructing algorithm identifiers that

 *          are not valid, either because the specified length is larger

 *          than the untruncated MAC or because the specified length is

 *          smaller than permitted by the implementation.

 *

 * \note    It is implementation-defined whether a truncated MAC that

 *          is truncated to the same length as the MAC of the untruncated

 *          algorithm is considered identical to the untruncated algorithm

 *          for policy comparison purposes.

 *

 * \param mac_alg       A MAC algorithm identifier (value of type

 *                      #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)

 *                      is true). This may be a truncated or untruncated

 *                      MAC algorithm.

 * \param mac_length    Desired length of the truncated MAC in bytes.

 *                      This must be at most the full length of the MAC

 *                      and must be at least an implementation-specified

 *                      minimum. The implementation-specified minimum

 *                      shall not be zero.

 *

 * \return              The corresponding MAC algorithm with the specified

 *                      length.

 * \return              Unspecified if \p mac_alg is not a supported

 *                      MAC algorithm or if \p mac_length is too small or

 *                      too large for the specified MAC algorithm.

 */

#define PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length)              \

    (((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK |               \

                    PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)) |   \

     ((mac_length) << PSA_MAC_TRUNCATION_OFFSET & PSA_ALG_MAC_TRUNCATION_MASK))

/** Macro to build the base MAC algorithm corresponding to a truncated

 * MAC algorithm.

 *

 * \param mac_alg       A MAC algorithm identifier (value of type

 *                      #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)

 *                      is true). This may be a truncated or untruncated

 *                      MAC algorithm.

 *

 * \return              The corresponding base MAC algorithm.

 * \return              Unspecified if \p mac_alg is not a supported

 *                      MAC algorithm.

 */