grpc 1.61.3 → 1.62.0.pre1

data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c

@@ -115,16 +115,12 @@ ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o) {
   }
   r->ln = r->sn = NULL;
 
-  data = OPENSSL_malloc(o->length);
-  if (data == NULL) {
+  // once data is attached to an object, it remains const
+  r->data = OPENSSL_memdup(o->data, o->length);
+  if (o->length != 0 && r->data == NULL) {
     goto err;
   }
-  if (o->data != NULL) {
-    OPENSSL_memcpy(data, o->data, o->length);
-  }
 
-  // once data is attached to an object, it remains const
-  r->data = data;
   r->length = o->length;
   r->nid = o->nid;
 
@@ -183,12 +179,19 @@ size_t OBJ_length(const ASN1_OBJECT *obj) {
   return (size_t)obj->length;
 }
 
+static const ASN1_OBJECT *get_builtin_object(int nid) {
+  // |NID_undef| is stored separately, so all the indices are off by one. The
+  // caller of this function must have a valid built-in, non-undef NID.
+  BSSL_CHECK(nid > 0 && nid < NUM_NID);
+  return &kObjects[nid - 1];
+}
+
 // obj_cmp is called to search the kNIDsInOIDOrder array. The |key| argument is
 // an |ASN1_OBJECT|* that we're looking for and |element| is a pointer to an
 // unsigned int in the array.
 static int obj_cmp(const void *key, const void *element) {
   uint16_t nid = *((const uint16_t *)element);
-  return OBJ_cmp(key, &kObjects[nid]);
+  return OBJ_cmp(key, get_builtin_object(nid));
 }
 
 int OBJ_obj2nid(const ASN1_OBJECT *obj) {
@@ -219,7 +222,7 @@ int OBJ_obj2nid(const ASN1_OBJECT *obj) {
     return NID_undef;
   }
 
-  return kObjects[*nid_ptr].nid;
+  return get_builtin_object(*nid_ptr)->nid;
 }
 
 int OBJ_cbs2nid(const CBS *cbs) {
@@ -242,7 +245,7 @@ static int short_name_cmp(const void *key, const void *element) {
   const char *name = (const char *)key;
   uint16_t nid = *((const uint16_t *)element);
 
-  return strcmp(name, kObjects[nid].sn);
+  return strcmp(name, get_builtin_object(nid)->sn);
 }
 
 int OBJ_sn2nid(const char *short_name) {
@@ -267,7 +270,7 @@ int OBJ_sn2nid(const char *short_name) {
     return NID_undef;
   }
 
-  return kObjects[*nid_ptr].nid;
+  return get_builtin_object(*nid_ptr)->nid;
 }
 
 // long_name_cmp is called to search the kNIDsInLongNameOrder array. The
@@ -277,7 +280,7 @@ static int long_name_cmp(const void *key, const void *element) {
   const char *name = (const char *)key;
   uint16_t nid = *((const uint16_t *)element);
 
-  return strcmp(name, kObjects[nid].ln);
+  return strcmp(name, get_builtin_object(nid)->ln);
 }
 
 int OBJ_ln2nid(const char *long_name) {
@@ -301,7 +304,7 @@ int OBJ_ln2nid(const char *long_name) {
     return NID_undef;
   }
 
-  return kObjects[*nid_ptr].nid;
+  return get_builtin_object(*nid_ptr)->nid;
 }
 
 int OBJ_txt2nid(const char *s) {
@@ -328,12 +331,29 @@ OPENSSL_EXPORT int OBJ_nid2cbb(CBB *out, int nid) {
   return 1;
 }
 
+const ASN1_OBJECT *OBJ_get_undef(void) {
+  static const ASN1_OBJECT kUndef = {
+      /*sn=*/SN_undef,
+      /*ln=*/LN_undef,
+      /*nid=*/NID_undef,
+      /*length=*/0,
+      /*data=*/NULL,
+      /*flags=*/0,
+  };
+  return &kUndef;
+}
+
 ASN1_OBJECT *OBJ_nid2obj(int nid) {
-  if (nid >= 0 && nid < NUM_NID) {
-    if (nid != NID_undef && kObjects[nid].nid == NID_undef) {
+  if (nid == NID_undef) {
+    return (ASN1_OBJECT *)OBJ_get_undef();
+  }
+
+  if (nid > 0 && nid < NUM_NID) {
+    const ASN1_OBJECT *obj = get_builtin_object(nid);
+    if (nid != NID_undef && obj->nid == NID_undef) {
       goto err;
     }
-    return (ASN1_OBJECT *)&kObjects[nid];
+    return (ASN1_OBJECT *)obj;
   }
 
   CRYPTO_MUTEX_lock_read(&global_added_lock);

data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h

@@ -7140,7 +7140,6 @@ static const uint8_t kObjectData[] = {
 };
 
 static const ASN1_OBJECT kObjects[NUM_NID] = {
-    {"UNDEF", "undefined", NID_undef, 0, NULL, 0},
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &kObjectData[0], 0},
     {"pkcs", "RSA Data Security, Inc. PKCS", NID_pkcs, 7, &kObjectData[6], 0},
     {"MD2", "md2", NID_md2, 8, &kObjectData[13], 0},
@@ -8980,7 +8979,6 @@ static const uint16_t kNIDsInShortNameOrder[] = {
     16 /* ST */,
     143 /* SXNetID */,
     458 /* UID */,
-    0 /* UNDEF */,
     948 /* X25519 */,
     964 /* X25519Kyber768Draft00 */,
     961 /* X448 */,
@@ -10670,7 +10668,6 @@ static const uint16_t kNIDsInLongNameOrder[] = {
     106 /* title */,
     682 /* tpBasis */,
     436 /* ucl */,
-    0 /* undefined */,
     888 /* uniqueMember */,
     55 /* unstructuredAddress */,
     49 /* unstructuredName */,

data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c

@@ -69,6 +69,37 @@
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 
+
+static X509_PKEY *X509_PKEY_new(void) {
+  return OPENSSL_zalloc(sizeof(X509_PKEY));
+}
+
+static void X509_PKEY_free(X509_PKEY *x) {
+  if (x == NULL) {
+    return;
+  }
+
+  EVP_PKEY_free(x->dec_pkey);
+  OPENSSL_free(x);
+}
+
+static X509_INFO *X509_INFO_new(void) {
+  return OPENSSL_zalloc(sizeof(X509_INFO));
+}
+
+void X509_INFO_free(X509_INFO *x) {
+  if (x == NULL) {
+    return;
+  }
+
+  X509_free(x->x509);
+  X509_CRL_free(x->crl);
+  X509_PKEY_free(x->x_pkey);
+  OPENSSL_free(x->enc_data);
+  OPENSSL_free(x);
+}
+
+
 STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
                                         pem_password_cb *cb, void *u) {
   BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);

data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c

@@ -237,11 +237,10 @@ int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) {
 }
 
 static PKCS7 *pkcs7_new(CBS *cbs) {
-  PKCS7 *ret = OPENSSL_malloc(sizeof(PKCS7));
+  PKCS7 *ret = OPENSSL_zalloc(sizeof(PKCS7));
   if (ret == NULL) {
     return NULL;
   }
-  OPENSSL_memset(ret, 0, sizeof(PKCS7));
   ret->type = OBJ_nid2obj(NID_pkcs7_signed);
   ret->d.sign = OPENSSL_malloc(sizeof(PKCS7_SIGNED));
   if (ret->d.sign == NULL) {
@@ -326,11 +325,10 @@ int i2d_PKCS7(const PKCS7 *p7, uint8_t **out) {
   }
 
   if (*out == NULL) {
-    *out = OPENSSL_malloc(p7->ber_len);
+    *out = OPENSSL_memdup(p7->ber_bytes, p7->ber_len);
     if (*out == NULL) {
       return -1;
     }
-    OPENSSL_memcpy(*out, p7->ber_bytes, p7->ber_len);
   } else {
     OPENSSL_memcpy(*out, p7->ber_bytes, p7->ber_len);
     *out += p7->ber_len;

data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c

@@ -85,15 +85,15 @@ static int pkcs12_encode_password(const char *in, size_t in_len, uint8_t **out,
   CBS_init(&cbs, (const uint8_t *)in, in_len);
   while (CBS_len(&cbs) != 0) {
     uint32_t c;
-    if (!cbs_get_utf8(&cbs, &c) ||
-        !cbb_add_ucs2_be(&cbb, c)) {
+    if (!CBS_get_utf8(&cbs, &c) ||
+        !CBB_add_ucs2_be(&cbb, c)) {
       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS);
       goto err;
     }
   }
 
   // Terminate the result with a UCS-2 NUL.
-  if (!cbb_add_ucs2_be(&cbb, 0) ||
+  if (!CBB_add_ucs2_be(&cbb, 0) ||
       !CBB_finish(&cbb, out, out_len)) {
     goto err;
   }

data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c

@@ -70,9 +70,10 @@
 #include <openssl/rand.h>
 #include <openssl/x509.h>
 
-#include "internal.h"
 #include "../bytestring/internal.h"
 #include "../internal.h"
+#include "../x509/internal.h"
+#include "internal.h"
 
 
 int pkcs12_iterations_acceptable(uint64_t iterations) {
@@ -339,8 +340,8 @@ static int parse_bag_attributes(CBS *attrs, uint8_t **out_friendly_name,
       }
       while (CBS_len(&value) != 0) {
         uint32_t c;
-        if (!cbs_get_ucs2_be(&value, &c) ||
-            !cbb_add_utf8(&cbb, c)) {
+        if (!CBS_get_ucs2_be(&value, &c) ||
+            !CBB_add_utf8(&cbb, c)) {
           OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS);
           CBB_cleanup(&cbb);
           goto err;
@@ -741,26 +742,22 @@ struct pkcs12_st {
 
 PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes,
                    size_t ber_len) {
-  PKCS12 *p12;
-
-  p12 = OPENSSL_malloc(sizeof(PKCS12));
+  PKCS12 *p12 = OPENSSL_malloc(sizeof(PKCS12));
   if (!p12) {
     return NULL;
   }
 
-  p12->ber_bytes = OPENSSL_malloc(ber_len);
+  p12->ber_bytes = OPENSSL_memdup(*ber_bytes, ber_len);
   if (!p12->ber_bytes) {
     OPENSSL_free(p12);
     return NULL;
   }
 
-  OPENSSL_memcpy(p12->ber_bytes, *ber_bytes, ber_len);
   p12->ber_len = ber_len;
   *ber_bytes += ber_len;
 
   if (out_p12) {
     PKCS12_free(*out_p12);
-
     *out_p12 = p12;
   }
 
@@ -843,11 +840,10 @@ int i2d_PKCS12(const PKCS12 *p12, uint8_t **out) {
   }
 
   if (*out == NULL) {
-    *out = OPENSSL_malloc(p12->ber_len);
+    *out = OPENSSL_memdup(p12->ber_bytes, p12->ber_len);
     if (*out == NULL) {
       return -1;
     }
-    OPENSSL_memcpy(*out, p12->ber_bytes, p12->ber_len);
   } else {
     OPENSSL_memcpy(*out, p12->ber_bytes, p12->ber_len);
     *out += p12->ber_len;
@@ -972,8 +968,8 @@ static int add_bag_attributes(CBB *bag, const char *name, size_t name_len,
     CBS_init(&name_cbs, (const uint8_t *)name, name_len);
     while (CBS_len(&name_cbs) != 0) {
       uint32_t c;
-      if (!cbs_get_utf8(&name_cbs, &c) ||
-          !cbb_add_ucs2_be(&value, c)) {
+      if (!CBS_get_utf8(&name_cbs, &c) ||
+          !CBB_add_ucs2_be(&value, c)) {
         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS);
         return 0;
       }

data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c

@@ -42,12 +42,11 @@ static int CRYPTO_BUFFER_cmp(const CRYPTO_BUFFER *a, const CRYPTO_BUFFER *b) {
 }
 
 CRYPTO_BUFFER_POOL* CRYPTO_BUFFER_POOL_new(void) {
-  CRYPTO_BUFFER_POOL *pool = OPENSSL_malloc(sizeof(CRYPTO_BUFFER_POOL));
+  CRYPTO_BUFFER_POOL *pool = OPENSSL_zalloc(sizeof(CRYPTO_BUFFER_POOL));
   if (pool == NULL) {
     return NULL;
   }
 
-  OPENSSL_memset(pool, 0, sizeof(CRYPTO_BUFFER_POOL));
   pool->bufs = lh_CRYPTO_BUFFER_new(CRYPTO_BUFFER_hash, CRYPTO_BUFFER_cmp);
   if (pool->bufs == NULL) {
     OPENSSL_free(pool);
@@ -109,11 +108,10 @@ static CRYPTO_BUFFER *crypto_buffer_new(const uint8_t *data, size_t len,
     }
   }
 
-  CRYPTO_BUFFER *const buf = OPENSSL_malloc(sizeof(CRYPTO_BUFFER));
+  CRYPTO_BUFFER *const buf = OPENSSL_zalloc(sizeof(CRYPTO_BUFFER));
   if (buf == NULL) {
     return NULL;
   }
-  OPENSSL_memset(buf, 0, sizeof(CRYPTO_BUFFER));
 
   if (data_is_static) {
     buf->data = (uint8_t *)data;
@@ -170,11 +168,10 @@ CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len,
 }
 
 CRYPTO_BUFFER *CRYPTO_BUFFER_alloc(uint8_t **out_data, size_t len) {
-  CRYPTO_BUFFER *const buf = OPENSSL_malloc(sizeof(CRYPTO_BUFFER));
+  CRYPTO_BUFFER *const buf = OPENSSL_zalloc(sizeof(CRYPTO_BUFFER));
   if (buf == NULL) {
     return NULL;
   }
-  OPENSSL_memset(buf, 0, sizeof(CRYPTO_BUFFER));
 
   buf->data = OPENSSL_malloc(len);
   if (len != 0 && buf->data == NULL) {

data/third_party/boringssl-with-bazel/src/crypto/rand_extra/forkunsafe.c

@@ -33,6 +33,10 @@ void RAND_enable_fork_unsafe_buffering(int fd) {
 
   CRYPTO_atomic_store_u32(&g_buffering_enabled, 1);
 }
+
+void RAND_disable_fork_unsafe_buffering(void) {
+  CRYPTO_atomic_store_u32(&g_buffering_enabled, 0);
+}
 #endif
 
 int rand_fork_unsafe_buffering_enabled(void) {

data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_crypt.c

@@ -75,7 +75,9 @@ static void rand_nonzero(uint8_t *out, size_t len) {
   RAND_bytes(out, len);
 
   for (size_t i = 0; i < len; i++) {
-    while (out[i] == 0) {
+    // Zero values are replaced, and the distribution of zero and non-zero bytes
+    // is public, so leaking this is safe.
+    while (constant_time_declassify_int(out[i] == 0)) {
       RAND_bytes(out + i, 1);
     }
   }

data/third_party/boringssl-with-bazel/src/crypto/spx/address.c

@@ -0,0 +1,101 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/base.h>
+
+#include <string.h>
+
+#include "../internal.h"
+#include "./address.h"
+#include "./spx_util.h"
+
+
+// Offsets of various fields in the address structure for SPHINCS+-SHA2-128s.
+
+// The byte used to specify the Merkle tree layer.
+#define SPX_OFFSET_LAYER 0
+
+// The start of the 8 byte field used to specify the tree.
+#define SPX_OFFSET_TREE 1
+
+// The byte used to specify the hash type (reason).
+#define SPX_OFFSET_TYPE 9
+
+// The high byte used to specify the key pair (which one-time signature).
+#define SPX_OFFSET_KP_ADDR2 12
+
+// The low byte used to specific the key pair.
+#define SPX_OFFSET_KP_ADDR1 13
+
+// The byte used to specify the chain address (which Winternitz chain).
+#define SPX_OFFSET_CHAIN_ADDR 17
+
+// The byte used to specify the hash address (where in the Winternitz chain).
+#define SPX_OFFSET_HASH_ADDR 21
+
+// The byte used to specify the height of this node in the FORS or Merkle tree.
+#define SPX_OFFSET_TREE_HGT 17
+
+// The start of the 4 byte field used to specify the node in the FORS or Merkle
+// tree.
+#define SPX_OFFSET_TREE_INDEX 18
+
+
+void spx_set_chain_addr(uint8_t addr[32], uint32_t chain) {
+  addr[SPX_OFFSET_CHAIN_ADDR] = (uint8_t)chain;
+}
+
+void spx_set_hash_addr(uint8_t addr[32], uint32_t hash) {
+  addr[SPX_OFFSET_HASH_ADDR] = (uint8_t)hash;
+}
+
+void spx_set_keypair_addr(uint8_t addr[32], uint32_t keypair) {
+  addr[SPX_OFFSET_KP_ADDR2] = (uint8_t)(keypair >> 8);
+  addr[SPX_OFFSET_KP_ADDR1] = (uint8_t)keypair;
+}
+
+void spx_copy_keypair_addr(uint8_t out[32], const uint8_t in[32]) {
+  memcpy(out, in, SPX_OFFSET_TREE + 8);
+  out[SPX_OFFSET_KP_ADDR2] = in[SPX_OFFSET_KP_ADDR2];
+  out[SPX_OFFSET_KP_ADDR1] = in[SPX_OFFSET_KP_ADDR1];
+}
+
+void spx_set_layer_addr(uint8_t addr[32], uint32_t layer) {
+  addr[SPX_OFFSET_LAYER] = (uint8_t)layer;
+}
+
+void spx_set_tree_addr(uint8_t addr[32], uint64_t tree) {
+  spx_uint64_to_len_bytes(&addr[SPX_OFFSET_TREE], 8, tree);
+}
+
+void spx_set_type(uint8_t addr[32], uint32_t type) {
+  // NIST draft relies on this setting parts of the address to 0, so we do it
+  // here to avoid confusion.
+  //
+  // The behavior here is only correct for the SHA2 instantiations.
+  memset(addr + 10, 0, 12);
+  addr[SPX_OFFSET_TYPE] = (uint8_t)type;
+}
+
+void spx_set_tree_height(uint8_t addr[32], uint32_t tree_height) {
+  addr[SPX_OFFSET_TREE_HGT] = (uint8_t)tree_height;
+}
+
+void spx_set_tree_index(uint8_t addr[32], uint32_t tree_index) {
+  CRYPTO_store_u32_be(&addr[SPX_OFFSET_TREE_INDEX], tree_index);
+}
+
+uint32_t spx_get_tree_index(uint8_t addr[32]) {
+  return CRYPTO_load_u32_be(addr + SPX_OFFSET_TREE_INDEX);
+}

data/third_party/boringssl-with-bazel/src/crypto/spx/address.h

@@ -0,0 +1,50 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SPX_ADDRESS_H
+#define OPENSSL_HEADER_CRYPTO_SPX_ADDRESS_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+#define SPX_ADDR_TYPE_WOTS 0
+#define SPX_ADDR_TYPE_WOTSPK 1
+#define SPX_ADDR_TYPE_HASHTREE 2
+#define SPX_ADDR_TYPE_FORSTREE 3
+#define SPX_ADDR_TYPE_FORSPK 4
+#define SPX_ADDR_TYPE_WOTSPRF 5
+#define SPX_ADDR_TYPE_FORSPRF 6
+
+void spx_set_chain_addr(uint8_t addr[32], uint32_t chain);
+void spx_set_hash_addr(uint8_t addr[32], uint32_t hash);
+void spx_set_keypair_addr(uint8_t addr[32], uint32_t keypair);
+void spx_set_layer_addr(uint8_t addr[32], uint32_t layer);
+void spx_set_tree_addr(uint8_t addr[32], uint64_t tree);
+void spx_set_type(uint8_t addr[32], uint32_t type);
+void spx_set_tree_height(uint8_t addr[32], uint32_t tree_height);
+void spx_set_tree_index(uint8_t addr[32], uint32_t tree_index);
+void spx_copy_keypair_addr(uint8_t out[32], const uint8_t in[32]);
+
+uint32_t spx_get_tree_index(uint8_t addr[32]);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_SPX_ADDRESS_H

data/third_party/boringssl-with-bazel/src/crypto/spx/fors.c

@@ -0,0 +1,133 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/base.h>
+
+#include <string.h>
+
+#include "./address.h"
+#include "./fors.h"
+#include "./params.h"
+#include "./spx_util.h"
+#include "./thash.h"
+
+void spx_fors_sk_gen(uint8_t *fors_sk, uint32_t idx,
+                     const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N],
+                     uint8_t addr[32]) {
+  uint8_t sk_addr[32];
+  memcpy(sk_addr, addr, sizeof(sk_addr));
+
+  spx_set_type(sk_addr, SPX_ADDR_TYPE_FORSPRF);
+  spx_copy_keypair_addr(sk_addr, addr);
+  spx_set_tree_index(sk_addr, idx);
+  spx_thash_prf(fors_sk, pk_seed, sk_seed, sk_addr);
+}
+
+void spx_fors_treehash(uint8_t root_node[SPX_N], const uint8_t sk_seed[SPX_N],
+                       uint32_t i /*target node index*/,
+                       uint32_t z /*target node height*/,
+                       const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
+
+  BSSL_CHECK(z <= SPX_FORS_HEIGHT);
+  BSSL_CHECK(i < (uint32_t)(SPX_FORS_TREES * (1 << (SPX_FORS_HEIGHT - z))));
+
+  if (z == 0) {
+    uint8_t sk[SPX_N];
+    spx_set_tree_height(addr, 0);
+    spx_set_tree_index(addr, i);
+    spx_fors_sk_gen(sk, i, sk_seed, pk_seed, addr);
+    spx_thash_f(root_node, sk, pk_seed, addr);
+  } else {
+    // Stores left node and right node.
+    uint8_t nodes[2 * SPX_N];
+    spx_fors_treehash(nodes, sk_seed, 2 * i, z - 1, pk_seed, addr);
+    spx_fors_treehash(nodes + SPX_N, sk_seed, 2 * i + 1, z - 1, pk_seed, addr);
+    spx_set_tree_height(addr, z);
+    spx_set_tree_index(addr, i);
+    spx_thash_h(root_node, nodes, pk_seed, addr);
+  }
+}
+
+void spx_fors_sign(uint8_t *fors_sig, const uint8_t message[SPX_FORS_MSG_BYTES],
+                   const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N],
+                   uint8_t addr[32]) {
+  uint32_t indices[SPX_FORS_TREES];
+
+  // Derive FORS indices compatible with the NIST changes.
+  spx_base_b(indices, SPX_FORS_TREES, message, /*log2_b=*/SPX_FORS_HEIGHT);
+
+  for (size_t i = 0; i < SPX_FORS_TREES; ++i) {
+    spx_set_tree_height(addr, 0);
+    // Write the FORS secret key element to the correct position.
+    spx_fors_sk_gen(fors_sig + i * SPX_N * (SPX_FORS_HEIGHT + 1),
+                    i * (1 << SPX_FORS_HEIGHT) + indices[i], sk_seed, pk_seed,
+                    addr);
+    for (size_t j = 0; j < SPX_FORS_HEIGHT; ++j) {
+      size_t s = (indices[i] / (1 << j)) ^ 1;
+      // Write the FORS auth path element to the correct position.
+      spx_fors_treehash(fors_sig + SPX_N * (i * (SPX_FORS_HEIGHT + 1) + j + 1),
+                        sk_seed, i * (1ULL << (SPX_FORS_HEIGHT - j)) + s, j,
+                        pk_seed, addr);
+    }
+  }
+}
+
+void spx_fors_pk_from_sig(uint8_t *fors_pk,
+                          const uint8_t fors_sig[SPX_FORS_BYTES],
+                          const uint8_t message[SPX_FORS_MSG_BYTES],
+                          const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
+  uint32_t indices[SPX_FORS_TREES];
+  uint8_t tmp[2 * SPX_N];
+  uint8_t roots[SPX_FORS_TREES * SPX_N];
+
+  // Derive FORS indices compatible with the NIST changes.
+  spx_base_b(indices, SPX_FORS_TREES, message, /*log2_b=*/SPX_FORS_HEIGHT);
+
+  for (size_t i = 0; i < SPX_FORS_TREES; ++i) {
+    // Pointer to current sk and authentication path
+    const uint8_t *sk = fors_sig + i * SPX_N * (SPX_FORS_HEIGHT + 1);
+    const uint8_t *auth = fors_sig + i * SPX_N * (SPX_FORS_HEIGHT + 1) + SPX_N;
+    uint8_t nodes[2 * SPX_N];
+
+    spx_set_tree_height(addr, 0);
+    spx_set_tree_index(addr, (i * (1 << SPX_FORS_HEIGHT)) + indices[i]);
+
+    spx_thash_f(nodes, sk, pk_seed, addr);
+
+    for (size_t j = 0; j < SPX_FORS_HEIGHT; ++j) {
+      spx_set_tree_height(addr, j + 1);
+
+      // Even node
+      if (((indices[i] / (1 << j)) % 2) == 0) {
+        spx_set_tree_index(addr, spx_get_tree_index(addr) / 2);
+        memcpy(tmp, nodes, SPX_N);
+        memcpy(tmp + SPX_N, auth + j * SPX_N, SPX_N);
+        spx_thash_h(nodes + SPX_N, tmp, pk_seed, addr);
+      } else {
+        spx_set_tree_index(addr, (spx_get_tree_index(addr) - 1) / 2);
+        memcpy(tmp, auth + j * SPX_N, SPX_N);
+        memcpy(tmp + SPX_N, nodes, SPX_N);
+        spx_thash_h(nodes + SPX_N, tmp, pk_seed, addr);
+      }
+      memcpy(nodes, nodes + SPX_N, SPX_N);
+    }
+    memcpy(roots + i * SPX_N, nodes, SPX_N);
+  }
+
+  uint8_t forspk_addr[32];
+  memcpy(forspk_addr, addr, sizeof(forspk_addr));
+  spx_set_type(forspk_addr, SPX_ADDR_TYPE_FORSPK);
+  spx_copy_keypair_addr(forspk_addr, addr);
+  spx_thash_tk(fors_pk, roots, pk_seed, forspk_addr);
+}