grpc 1.66.0 → 1.67.0.pre1

data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c

@@ -21,12 +21,15 @@
 #include <openssl/bytestring.h>
 #include <openssl/curve25519.h>
 #include <openssl/digest.h>
+#include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/evp_errors.h>
 #include <openssl/hkdf.h>
+#include <openssl/mem.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 
+#include "../fipsmodule/ec/internal.h"
 #include "../internal.h"
 
 
@@ -111,7 +114,7 @@ static int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
                                const uint8_t *info, size_t info_len) {
   // labeledInfo = concat(I2OSP(L, 2), "HPKE-v1", suite_id, label, info)
   CBB labeled_info;
-  int ok = CBB_init(&labeled_info, 0) &&
+  int ok = CBB_init(&labeled_info, 0) &&  //
            CBB_add_u16(&labeled_info, out_len) &&
            add_label_string(&labeled_info, kHpkeVersionId) &&
            CBB_add_bytes(&labeled_info, suite_id, suite_id_len) &&
@@ -309,6 +312,294 @@ const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void) {
   return &kKEM;
 }
 
+#define P256_PRIVATE_KEY_LEN 32
+#define P256_PUBLIC_KEY_LEN 65
+#define P256_PUBLIC_VALUE_LEN 65
+#define P256_SEED_LEN 32
+#define P256_SHARED_KEY_LEN 32
+
+static int p256_public_from_private(uint8_t out_pub[P256_PUBLIC_VALUE_LEN],
+                                    const uint8_t priv[P256_PRIVATE_KEY_LEN]) {
+  const EC_GROUP *const group = EC_group_p256();
+  const uint8_t kAllZeros[P256_PRIVATE_KEY_LEN] = {0};
+  EC_SCALAR private_scalar;
+  EC_JACOBIAN public_point;
+  EC_AFFINE public_point_affine;
+
+  if (CRYPTO_memcmp(kAllZeros, priv, sizeof(kAllZeros)) == 0) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
+  if (!ec_scalar_from_bytes(group, &private_scalar, priv,
+                            P256_PRIVATE_KEY_LEN) ||
+      !ec_point_mul_scalar_base(group, &public_point, &private_scalar) ||
+      !ec_jacobian_to_affine(group, &public_point_affine, &public_point)) {
+    return 0;
+  }
+
+  size_t out_len_x, out_len_y;
+  out_pub[0] = POINT_CONVERSION_UNCOMPRESSED;
+  ec_felem_to_bytes(group, &out_pub[1], &out_len_x, &public_point_affine.X);
+  ec_felem_to_bytes(group, &out_pub[33], &out_len_y, &public_point_affine.Y);
+  return 1;
+}
+
+static int p256_init_key(EVP_HPKE_KEY *key, const uint8_t *priv_key,
+                         size_t priv_key_len) {
+  if (priv_key_len != P256_PRIVATE_KEY_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
+  if (!p256_public_from_private(key->public_key, priv_key)) {
+    return 0;
+  }
+
+  OPENSSL_memcpy(key->private_key, priv_key, priv_key_len);
+  return 1;
+}
+
+static int p256_private_key_from_seed(uint8_t out_priv[P256_PRIVATE_KEY_LEN],
+                                      const uint8_t seed[P256_SEED_LEN]) {
+  // https://www.rfc-editor.org/rfc/rfc9180.html#name-derivekeypair
+  const uint8_t suite_id[5] = {'K', 'E', 'M',
+                               EVP_HPKE_DHKEM_P256_HKDF_SHA256 >> 8,
+                               EVP_HPKE_DHKEM_P256_HKDF_SHA256 & 0xff};
+
+  uint8_t dkp_prk[32];
+  size_t dkp_prk_len;
+  if (!hpke_labeled_extract(EVP_sha256(), dkp_prk, &dkp_prk_len, NULL, 0,
+                            suite_id, sizeof(suite_id), "dkp_prk", seed,
+                            P256_SEED_LEN)) {
+    return 0;
+  }
+  assert(dkp_prk_len == sizeof(dkp_prk));
+
+  const EC_GROUP *const group = EC_group_p256();
+  EC_SCALAR private_scalar;
+
+  for (unsigned counter = 0; counter < 256; counter++) {
+    const uint8_t counter_byte = counter & 0xff;
+    if (!hpke_labeled_expand(EVP_sha256(), out_priv, P256_PRIVATE_KEY_LEN,
+                             dkp_prk, sizeof(dkp_prk), suite_id,
+                             sizeof(suite_id), "candidate", &counter_byte,
+                             sizeof(counter_byte))) {
+      return 0;
+    }
+
+    // This checks that the scalar is less than the order.
+    if (ec_scalar_from_bytes(group, &private_scalar, out_priv,
+                             P256_PRIVATE_KEY_LEN)) {
+      return 1;
+    }
+  }
+
+  // This happens with probability of 2^-(32*256).
+  OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
+  return 0;
+}
+
+static int p256_generate_key(EVP_HPKE_KEY *key) {
+  uint8_t seed[P256_SEED_LEN];
+  RAND_bytes(seed, sizeof(seed));
+  if (!p256_private_key_from_seed(key->private_key, seed) ||
+      !p256_public_from_private(key->public_key, key->private_key)) {
+    return 0;
+  }
+  return 1;
+}
+
+static int p256(uint8_t out_dh[P256_SHARED_KEY_LEN],
+                const uint8_t my_private[P256_PRIVATE_KEY_LEN],
+                const uint8_t their_public[P256_PUBLIC_VALUE_LEN]) {
+  const EC_GROUP *const group = EC_group_p256();
+  EC_SCALAR private_scalar;
+  EC_FELEM x, y;
+  EC_JACOBIAN shared_point, their_point;
+  EC_AFFINE their_point_affine, shared_point_affine;
+
+  if (their_public[0] != POINT_CONVERSION_UNCOMPRESSED ||
+      !ec_felem_from_bytes(group, &x, &their_public[1], 32) ||
+      !ec_felem_from_bytes(group, &y, &their_public[33], 32) ||
+      !ec_point_set_affine_coordinates(group, &their_point_affine, &x, &y) ||
+      !ec_scalar_from_bytes(group, &private_scalar, my_private,
+                            P256_PRIVATE_KEY_LEN)) {
+    OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+
+  ec_affine_to_jacobian(group, &their_point, &their_point_affine);
+  if (!ec_point_mul_scalar(group, &shared_point, &their_point,
+                           &private_scalar) ||
+      !ec_jacobian_to_affine(group, &shared_point_affine, &shared_point)) {
+    OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+
+  size_t out_len;
+  ec_felem_to_bytes(group, out_dh, &out_len, &shared_point_affine.X);
+  assert(out_len == P256_SHARED_KEY_LEN);
+  return 1;
+}
+
+static int p256_encap_with_seed(const EVP_HPKE_KEM *kem,
+                                uint8_t *out_shared_secret,
+                                size_t *out_shared_secret_len, uint8_t *out_enc,
+                                size_t *out_enc_len, size_t max_enc,
+                                const uint8_t *peer_public_key,
+                                size_t peer_public_key_len, const uint8_t *seed,
+                                size_t seed_len) {
+  if (max_enc < P256_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+    return 0;
+  }
+  if (seed_len != P256_SEED_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+  uint8_t private_key[P256_PRIVATE_KEY_LEN];
+  if (!p256_private_key_from_seed(private_key, seed)) {
+    return 0;
+  }
+  p256_public_from_private(out_enc, private_key);
+
+  uint8_t dh[P256_SHARED_KEY_LEN];
+  if (peer_public_key_len != P256_PUBLIC_VALUE_LEN ||
+      !p256(dh, private_key, peer_public_key)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+
+  uint8_t kem_context[2 * P256_PUBLIC_VALUE_LEN];
+  OPENSSL_memcpy(kem_context, out_enc, P256_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, peer_public_key,
+                 P256_PUBLIC_VALUE_LEN);
+  if (!dhkem_extract_and_expand(kem->id, EVP_sha256(), out_shared_secret,
+                                SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+                                kem_context, sizeof(kem_context))) {
+    return 0;
+  }
+
+  *out_enc_len = P256_PUBLIC_VALUE_LEN;
+  *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+  return 1;
+}
+
+static int p256_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+                      size_t *out_shared_secret_len, const uint8_t *enc,
+                      size_t enc_len) {
+  uint8_t dh[P256_SHARED_KEY_LEN];
+  if (enc_len != P256_PUBLIC_VALUE_LEN ||  //
+      !p256(dh, key->private_key, enc)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+
+  uint8_t kem_context[2 * P256_PUBLIC_VALUE_LEN];
+  OPENSSL_memcpy(kem_context, enc, P256_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, key->public_key,
+                 P256_PUBLIC_VALUE_LEN);
+  if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
+                                SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+                                kem_context, sizeof(kem_context))) {
+    return 0;
+  }
+
+  *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+  return 1;
+}
+
+static int p256_auth_encap_with_seed(
+    const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+    size_t *out_shared_secret_len, uint8_t *out_enc, size_t *out_enc_len,
+    size_t max_enc, const uint8_t *peer_public_key, size_t peer_public_key_len,
+    const uint8_t *seed, size_t seed_len) {
+  if (max_enc < P256_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+    return 0;
+  }
+  if (seed_len != P256_SEED_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+  uint8_t private_key[P256_PRIVATE_KEY_LEN];
+  if (!p256_private_key_from_seed(private_key, seed)) {
+    return 0;
+  }
+  p256_public_from_private(out_enc, private_key);
+
+  uint8_t dh[2 * P256_SHARED_KEY_LEN];
+  if (peer_public_key_len != P256_PUBLIC_VALUE_LEN ||
+      !p256(dh, private_key, peer_public_key) ||
+      !p256(dh + P256_SHARED_KEY_LEN, key->private_key, peer_public_key)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+
+  uint8_t kem_context[3 * P256_PUBLIC_VALUE_LEN];
+  OPENSSL_memcpy(kem_context, out_enc, P256_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, peer_public_key,
+                 P256_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + 2 * P256_PUBLIC_VALUE_LEN, key->public_key,
+                 P256_PUBLIC_VALUE_LEN);
+  if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
+                                SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+                                kem_context, sizeof(kem_context))) {
+    return 0;
+  }
+
+  *out_enc_len = P256_PUBLIC_VALUE_LEN;
+  *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+  return 1;
+}
+
+static int p256_auth_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+                           size_t *out_shared_secret_len, const uint8_t *enc,
+                           size_t enc_len, const uint8_t *peer_public_key,
+                           size_t peer_public_key_len) {
+  uint8_t dh[2 * P256_SHARED_KEY_LEN];
+  if (enc_len != P256_PUBLIC_VALUE_LEN ||
+      peer_public_key_len != P256_PUBLIC_VALUE_LEN ||
+      !p256(dh, key->private_key, enc) ||
+      !p256(dh + P256_SHARED_KEY_LEN, key->private_key, peer_public_key)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+
+  uint8_t kem_context[3 * P256_PUBLIC_VALUE_LEN];
+  OPENSSL_memcpy(kem_context, enc, P256_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, key->public_key,
+                 P256_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + 2 * P256_PUBLIC_VALUE_LEN, peer_public_key,
+                 P256_PUBLIC_VALUE_LEN);
+  if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
+                                SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+                                kem_context, sizeof(kem_context))) {
+    return 0;
+  }
+
+  *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+  return 1;
+}
+
+const EVP_HPKE_KEM *EVP_hpke_p256_hkdf_sha256(void) {
+  static const EVP_HPKE_KEM kKEM = {
+      /*id=*/EVP_HPKE_DHKEM_P256_HKDF_SHA256,
+      /*public_key_len=*/P256_PUBLIC_KEY_LEN,
+      /*private_key_len=*/P256_PRIVATE_KEY_LEN,
+      /*seed_len=*/P256_SEED_LEN,
+      /*enc_len=*/P256_PUBLIC_VALUE_LEN,
+      p256_init_key,
+      p256_generate_key,
+      p256_encap_with_seed,
+      p256_decap,
+      p256_auth_encap_with_seed,
+      p256_auth_decap,
+  };
+  return &kKEM;
+}
+
 uint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem) { return kem->id; }
 
 size_t EVP_HPKE_KEM_public_key_len(const EVP_HPKE_KEM *kem) {
@@ -398,7 +689,7 @@ int EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY *key, uint8_t *out,
 }
 
 int EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key, uint8_t *out,
-                            size_t *out_len, size_t max_out) {
+                             size_t *out_len, size_t max_out) {
   if (max_out < key->kem->private_key_len) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
     return 0;

data/third_party/boringssl-with-bazel/src/crypto/internal.h

@@ -217,7 +217,9 @@ typedef __uint128_t uint128_t;
 // __uint128_t division depends on intrinsics in the compiler runtime. Those
 // intrinsics are missing in clang-cl (https://crbug.com/787617) and nanolibc.
 // These may be bugs in the toolchain definition, but just disable it for now.
-#if !defined(_MSC_VER) && !defined(OPENSSL_NANOLIBC)
+// EDK2's toolchain is missing __udivti3 (b/339380897) so cannot support
+// 128-bit division currently.
+#if !defined(_MSC_VER) && !defined(OPENSSL_NANOLIBC) && !defined(__EDK2_BORINGSSL__)
 #define BORINGSSL_CAN_DIVIDE_UINT128
 #endif
 #endif
@@ -272,9 +274,9 @@ typedef __uint128_t uint128_t;
 #endif
 
 #if defined(__GNUC__) || defined(__clang__)
-#define OPENSSL_ATTR_PURE __attribute__((pure))
+#define OPENSSL_ATTR_CONST __attribute__((const))
 #else
-#define OPENSSL_ATTR_PURE
+#define OPENSSL_ATTR_CONST
 #endif
 
 #if defined(BORINGSSL_MALLOC_FAILURE_TESTING)
@@ -567,11 +569,22 @@ static inline void constant_time_conditional_memcpy(void *dst, const void *src,
 // |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory
 // ranges at |dst| and |src| must not overlap, as when calling |memcpy|.
 static inline void constant_time_conditional_memxor(void *dst, const void *src,
-                                                    const size_t n,
+                                                    size_t n,
                                                     const crypto_word_t mask) {
   assert(!buffers_alias(dst, n, src, n));
   uint8_t *out = (uint8_t *)dst;
   const uint8_t *in = (const uint8_t *)src;
+#if defined(__GNUC__) && !defined(__clang__)
+  // gcc 13.2.0 doesn't automatically vectorize this loop regardless of barrier
+  typedef uint8_t v32u8 __attribute__((vector_size(32), aligned(1), may_alias));
+  size_t n_vec = n&~(size_t)31;
+  v32u8 masks = ((uint8_t)mask-(v32u8){}); // broadcast
+  for (size_t i = 0; i < n_vec; i += 32) {
+    *(v32u8*)&out[i] ^= masks & *(v32u8*)&in[i];
+  }
+  out += n_vec;
+  n -= n_vec;
+#endif
   for (size_t i = 0; i < n; i++) {
     out[i] ^= value_barrier_w(mask) & in[i];
   }
@@ -1377,21 +1390,23 @@ OPENSSL_INLINE int boringssl_fips_break_test(const char *test) {
 //     ECX for CPUID where EAX = 1
 //     Bit 11 is used to indicate AMD XOP support, not SDBG
 //   Index 2:
-//     EBX for CPUID where EAX = 7
+//     EBX for CPUID where EAX = 7, ECX = 0
+//     Bit 14 (for removed feature MPX) is used to indicate a preference for ymm
+//       registers over zmm even when zmm registers are supported
 //   Index 3:
-//     ECX for CPUID where EAX = 7
+//     ECX for CPUID where EAX = 7, ECX = 0
 //
-// Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the YMM and XMM
-// bits in XCR0, so it is not necessary to check those. (WARNING: See caveats
-// in cpu_intel.c.)
+// Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the XMM, YMM,
+// and AVX512 bits in XCR0, so it is not necessary to check those. (WARNING: See
+// caveats in cpu_intel.c.)
 //
 // From C, this symbol should only be accessed with |OPENSSL_get_ia32cap|.
 extern uint32_t OPENSSL_ia32cap_P[4];
 
 // OPENSSL_get_ia32cap initializes the library if needed and returns the |idx|th
-// entry of |OPENSSL_ia32cap_P|. It is marked as a pure function so duplicate
+// entry of |OPENSSL_ia32cap_P|. It is marked as a const function so duplicate
 // calls can be merged by the compiler, at least when indices match.
-OPENSSL_ATTR_PURE uint32_t OPENSSL_get_ia32cap(int idx);
+OPENSSL_ATTR_CONST uint32_t OPENSSL_get_ia32cap(int idx);
 
 // See Intel manual, volume 2A, table 3-11.
 
@@ -1551,6 +1566,46 @@ OPENSSL_INLINE int CRYPTO_cpu_perf_is_like_silvermont(void) {
   return !hardware_supports_xsave && CRYPTO_is_MOVBE_capable();
 }
 
+OPENSSL_INLINE int CRYPTO_is_AVX512BW_capable(void) {
+#if defined(__AVX512BW__)
+  return 1;
+#else
+  return (OPENSSL_get_ia32cap(2) & (1u << 30)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_AVX512VL_capable(void) {
+#if defined(__AVX512VL__)
+  return 1;
+#else
+  return (OPENSSL_get_ia32cap(2) & (1u << 31)) != 0;
+#endif
+}
+
+// CRYPTO_cpu_avoid_zmm_registers returns 1 if zmm registers (512-bit vectors)
+// should not be used even if the CPU supports them.
+//
+// Note that this reuses the bit for the removed MPX feature.
+OPENSSL_INLINE int CRYPTO_cpu_avoid_zmm_registers(void) {
+  return (OPENSSL_get_ia32cap(2) & (1u << 14)) != 0;
+}
+
+OPENSSL_INLINE int CRYPTO_is_VAES_capable(void) {
+#if defined(__VAES__)
+  return 1;
+#else
+  return (OPENSSL_get_ia32cap(3) & (1u << 9)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_VPCLMULQDQ_capable(void) {
+#if defined(__VPCLMULQDQ__)
+  return 1;
+#else
+  return (OPENSSL_get_ia32cap(3) & (1u << 10)) != 0;
+#endif
+}
+
 #endif  // OPENSSL_X86 || OPENSSL_X86_64
 
 #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
@@ -1560,9 +1615,9 @@ OPENSSL_INLINE int CRYPTO_cpu_perf_is_like_silvermont(void) {
 extern uint32_t OPENSSL_armcap_P;
 
 // OPENSSL_get_armcap initializes the library if needed and returns ARM CPU
-// capabilities. It is marked as a pure function so duplicate calls can be
-// merged by the compiler, at least when indices match.
-OPENSSL_ATTR_PURE uint32_t OPENSSL_get_armcap(void);
+// capabilities. It is marked as a const function so duplicate calls can be
+// merged by the compiler.
+OPENSSL_ATTR_CONST uint32_t OPENSSL_get_armcap(void);
 
 // We do not detect any features at runtime on several 32-bit Arm platforms.
 // Apple platforms and OpenBSD require NEON and moved to 64-bit to pick up Armv8

data/third_party/boringssl-with-bazel/src/crypto/mem.c

@@ -94,7 +94,11 @@ static void __asan_unpoison_memory_region(const void *addr, size_t size) {}
 // Windows doesn't really support weak symbols as of May 2019, and Clang on
 // Windows will emit strong symbols instead. See
 // https://bugs.llvm.org/show_bug.cgi?id=37598
-#if defined(__ELF__) && defined(__GNUC__)
+//
+// EDK2 targets UEFI but builds as ELF and then translates the binary to
+// COFF(!). Thus it builds with __ELF__ defined but cannot actually cope with
+// weak symbols.
+#if !defined(__EDK2_BORINGSSL__) && defined(__ELF__) && defined(__GNUC__)
 #define WEAK_SYMBOL_FUNC(rettype, name, args) \
   rettype name args __attribute__((weak));
 #else
@@ -242,7 +246,7 @@ void *OPENSSL_malloc(size_t size) {
   __asan_poison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
   return ((uint8_t *)ptr) + OPENSSL_MALLOC_PREFIX;
 
- err:
+err:
   // This only works because ERR does not call OPENSSL_malloc.
   OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE);
   return NULL;
@@ -523,7 +527,7 @@ int OPENSSL_vasprintf_internal(char **str, const char *format, va_list args,
   *str = candidate;
   return ret;
 
- err:
+err:
   deallocate(candidate);
   *str = NULL;
   errno = ENOMEM;

data/third_party/boringssl-with-bazel/src/crypto/mldsa/internal.h

@@ -0,0 +1,73 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_MLDSA_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_MLDSA_INTERNAL_H
+
+#include <openssl/base.h>
+#include <openssl/mldsa.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// MLDSA_SIGNATURE_RANDOMIZER_BYTES is the number of bytes of uniformly
+// random entropy necessary to generate a signature in randomized mode.
+#define MLDSA_SIGNATURE_RANDOMIZER_BYTES 32
+
+// MLDSA65_generate_key_external_entropy generates a public/private key pair
+// using the given seed, writes the encoded public key to
+// |out_encoded_public_key| and sets |out_private_key| to the private key.
+// It returns 1 on success and 0 on failure.
+OPENSSL_EXPORT int MLDSA65_generate_key_external_entropy(
+    uint8_t out_encoded_public_key[MLDSA65_PUBLIC_KEY_BYTES],
+    struct MLDSA65_private_key *out_private_key,
+    const uint8_t entropy[MLDSA_SEED_BYTES]);
+
+// MLDSA65_sign_internal signs |msg| using |private_key| and writes the
+// signature to |out_encoded_signature|. The |context_prefix| and |context| are
+// prefixed to the message, in that order, before signing. The |randomizer|
+// value can be set to zero bytes in order to make a deterministic signature, or
+// else filled with entropy for the usual |MLDSA_sign| behavior. It returns 1 on
+// success and 0 on error.
+OPENSSL_EXPORT int MLDSA65_sign_internal(
+    uint8_t out_encoded_signature[MLDSA65_SIGNATURE_BYTES],
+    const struct MLDSA65_private_key *private_key, const uint8_t *msg,
+    size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len,
+    const uint8_t *context, size_t context_len,
+    const uint8_t randomizer[MLDSA_SIGNATURE_RANDOMIZER_BYTES]);
+
+// MLDSA65_verify_internal verifies that |encoded_signature| is a valid
+// signature of |msg| by |public_key|. The |context_prefix| and |context| are
+// prefixed to the message before verification, in that order. It returns 1 on
+// success and 0 on error.
+OPENSSL_EXPORT int MLDSA65_verify_internal(
+    const struct MLDSA65_public_key *public_key,
+    const uint8_t encoded_signature[MLDSA65_SIGNATURE_BYTES],
+    const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix,
+    size_t context_prefix_len, const uint8_t *context, size_t context_len);
+
+// MLDSA65_marshal_private_key serializes |private_key| to |out| in the
+// NIST format for ML-DSA-65 private keys. It returns 1 on success or 0
+// on allocation error.
+OPENSSL_EXPORT int MLDSA65_marshal_private_key(
+    CBB *out, const struct MLDSA65_private_key *private_key);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_MLDSA_INTERNAL_H