mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-31 10:20:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Clarify requirement on usage flags

Browse Source 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2021-05-05 10:26:29 +02:00
parent 730f62a80a
commit ece9087b93
1 changed files with 33 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
include/psa/crypto.h
View File

@ -3359,12 +3359,30 @@ psa_status_t psa_key_derivation_input_integer(
* \param key Identifier of the key. It must have an * \param key Identifier of the key. It must have an
* appropriate type for step and must allow the * appropriate type for step and must allow the
* usage #PSA_KEY_USAGE_DERIVE or * usage #PSA_KEY_USAGE_DERIVE or
* #PSA_KEY_USAGE_VERIFY_DERIVATION. * #PSA_KEY_USAGE_VERIFY_DERIVATION (see note)
* and the algorithm used by the operation.
*
* \note Once all inputs steps are completed, the operations will allow:
* - psa_key_derivation_output_bytes() if each input was either a direct input
* or a key with #PSA_KEY_USAGE_DERIVE set;
* - psa_key_derivation_output_key() if each input was either a direct input
* or a key with #PSA_KEY_USAGE_DERIVE set and input for step
* #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD
* was from a key slot;
* - psa_key_derivation_verify_bytes() if each input was either a direct input
* or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set;
* - psa_key_derivation_verify_key() if each input was either a direct input
* or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set and input for step
* #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD
* was from a key slot.
* *
* \retval #PSA_SUCCESS * \retval #PSA_SUCCESS
* Success. * Success.
* \retval #PSA_ERROR_INVALID_HANDLE * \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED * \retval #PSA_ERROR_NOT_PERMITTED
* The key allows neither #PSA_KEY_USAGE_DERIVE nor
* #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this
* algorithm.
* \retval #PSA_ERROR_INVALID_ARGUMENT * \retval #PSA_ERROR_INVALID_ARGUMENT
* \c step is not compatible with the operation's algorithm. * \c step is not compatible with the operation's algorithm.
* \retval #PSA_ERROR_INVALID_ARGUMENT * \retval #PSA_ERROR_INVALID_ARGUMENT
@ -3477,6 +3495,9 @@ psa_status_t psa_key_derivation_key_agreement(
* \param output_length Number of bytes to output. * \param output_length Number of bytes to output.
* *
* \retval #PSA_SUCCESS * \retval #PSA_SUCCESS
* \retval #PSA_ERROR_NOT_PERMITTED
* One of the inputs was a key whose policy didn't allow
* #PSA_KEY_USAGE_DERIVE.
* \retval #PSA_ERROR_INSUFFICIENT_DATA * \retval #PSA_ERROR_INSUFFICIENT_DATA
* The operation's capacity was less than * The operation's capacity was less than
* \p output_length bytes. Note that in this case, * \p output_length bytes. Note that in this case,
@ -3624,8 +3645,10 @@ psa_status_t psa_key_derivation_output_bytes(
* \retval #PSA_ERROR_INVALID_ARGUMENT * \retval #PSA_ERROR_INVALID_ARGUMENT
* The provided key attributes are not valid for the operation. * The provided key attributes are not valid for the operation.
* \retval #PSA_ERROR_NOT_PERMITTED * \retval #PSA_ERROR_NOT_PERMITTED
* The #PSA_KEY_DERIVATION_INPUT_SECRET input was not provided through * The #PSA_KEY_DERIVATION_INPUT_SECRET or
* a key. * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
* key; or one of the inputs was a key whose policy didn't allow
* #PSA_KEY_USAGE_DERIVE.
* \retval #PSA_ERROR_BAD_STATE * \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active and completed * The operation state is not valid (it must be active and completed
* all required input steps). * all required input steps).
@ -3679,6 +3702,9 @@ psa_status_t psa_key_derivation_output_key(
* \retval #PSA_ERROR_INVALID_SIGNATURE * \retval #PSA_ERROR_INVALID_SIGNATURE
* The output was read successfully, but if differs from the expected * The output was read successfully, but if differs from the expected
* output. * output.
* \retval #PSA_ERROR_NOT_PERMITTED
* One of the inputs was a key whose policy didn't allow
* #PSA_KEY_USAGE_VERIFY_DERIVATION.
* \retval #PSA_ERROR_INSUFFICIENT_DATA * \retval #PSA_ERROR_INSUFFICIENT_DATA
* The operation's capacity was less than * The operation's capacity was less than
* \p output_length bytes. Note that in this case, * \p output_length bytes. Note that in this case,
@ -3742,7 +3768,10 @@ psa_status_t psa_key_derivation_verify_bytes(
* The key passed as the expected value has an invalid type. * The key passed as the expected value has an invalid type.
* \retval #PSA_ERROR_NOT_PERMITTED * \retval #PSA_ERROR_NOT_PERMITTED
* The key passed as the expected value does not allow this usage or * The key passed as the expected value does not allow this usage or
* this algorithm. * this algorithm; or the #PSA_KEY_DERIVATION_INPUT_SECRET or
* #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
* key; or one of the inputs was a key whose policy didn't allow
* #PSA_KEY_USAGE_DERIVE.
* \retval #PSA_ERROR_INSUFFICIENT_DATA * \retval #PSA_ERROR_INSUFFICIENT_DATA
* The operation's capacity was less than * The operation's capacity was less than
* the length of the expected value. In this case, * the length of the expected value. In this case,