grpc 1.66.0 → 1.67.0.pre1

data/third_party/boringssl-with-bazel/src/crypto/rand_extra/windows.c

@@ -14,7 +14,9 @@
 
 #include <openssl/rand.h>
 
-#include "../fipsmodule/rand/internal.h"
+#include "../bcm_support.h"
+#include "../internal.h"
+#include "sysrand_internal.h"
 
 #if defined(OPENSSL_RAND_WINDOWS)
 
@@ -88,6 +90,11 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) {
 
 #endif  // WINAPI_PARTITION_APP && !WINAPI_PARTITION_DESKTOP
 
+int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {
+  CRYPTO_sysrand(buf, len);
+  return 1;
+}
+
 void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
   CRYPTO_sysrand(out, requested);
 }

data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/internal.h

@@ -58,6 +58,8 @@
 #ifndef OPENSSL_HEADER_RSA_EXTRA_INTERNAL_H
 #define OPENSSL_HEADER_RSA_EXTRA_INTERNAL_H
 
+#include <openssl/base.h>
+
 #if defined(__cplusplus)
 extern "C" {
 #endif

data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h

@@ -468,7 +468,8 @@ DECLARE_ASN1_ITEM(ASN1_FBOOLEAN)
 
 // An asn1_string_st (aka |ASN1_STRING|) represents a value of a string-like
 // ASN.1 type. It contains a |type| field, and a byte string |data| field with a
-// type-specific representation.
+// type-specific representation. This type-specific representation does not
+// always correspond to the DER encoding of the type.
 //
 // If |type| is one of |V_ASN1_OCTET_STRING|, |V_ASN1_UTF8STRING|,
 // |V_ASN1_NUMERICSTRING|, |V_ASN1_PRINTABLESTRING|, |V_ASN1_T61STRING|,
@@ -568,6 +569,10 @@ OPENSSL_EXPORT int ASN1_STRING_type(const ASN1_STRING *str);
 // ASN1_STRING_get0_data returns a pointer to |str|'s contents. Callers should
 // use |ASN1_STRING_length| to determine the length of the string. The string
 // may have embedded NUL bytes and may not be NUL-terminated.
+//
+// The contents of an |ASN1_STRING| encode the value in some type-specific
+// representation that does not always correspond to the DER encoding of the
+// type. See the documentation for |ASN1_STRING| for details.
 OPENSSL_EXPORT const unsigned char *ASN1_STRING_get0_data(
     const ASN1_STRING *str);
 
@@ -575,10 +580,18 @@ OPENSSL_EXPORT const unsigned char *ASN1_STRING_get0_data(
 // should use |ASN1_STRING_length| to determine the length of the string. The
 // string may have embedded NUL bytes and may not be NUL-terminated.
 //
+// The contents of an |ASN1_STRING| encode the value in some type-specific
+// representation that does not always correspond to the DER encoding of the
+// type. See the documentation for |ASN1_STRING| for details.
+//
 // Prefer |ASN1_STRING_get0_data|.
 OPENSSL_EXPORT unsigned char *ASN1_STRING_data(ASN1_STRING *str);
 
 // ASN1_STRING_length returns the length of |str|, in bytes.
+//
+// The contents of an |ASN1_STRING| encode the value in some type-specific
+// representation that does not always correspond to the DER encoding of the
+// type. See the documentation for |ASN1_STRING| for details.
 OPENSSL_EXPORT int ASN1_STRING_length(const ASN1_STRING *str);
 
 // ASN1_STRING_cmp compares |a| and |b|'s type and contents. It returns an

data/third_party/boringssl-with-bazel/src/include/openssl/bn.h

@@ -387,9 +387,9 @@ OPENSSL_EXPORT void BN_CTX_end(BN_CTX *ctx);
 // or |b|. It returns one on success and zero on allocation failure.
 OPENSSL_EXPORT int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 
-// BN_uadd sets |r| = |a| + |b|, where |a| and |b| are non-negative and |r| may
-// be the same pointer as either |a| or |b|. It returns one on success and zero
-// on allocation failure.
+// BN_uadd sets |r| = |a| + |b|, considering only the absolute values of |a| and
+// |b|. |r| may be the same pointer as either |a| or |b|. It returns one on
+// success and zero on allocation failure.
 OPENSSL_EXPORT int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 
 // BN_add_word adds |w| to |a|. It returns one on success and zero otherwise.
@@ -399,9 +399,9 @@ OPENSSL_EXPORT int BN_add_word(BIGNUM *a, BN_ULONG w);
 // or |b|. It returns one on success and zero on allocation failure.
 OPENSSL_EXPORT int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 
-// BN_usub sets |r| = |a| - |b|, where |a| and |b| are non-negative integers,
-// |b| < |a| and |r| may be the same pointer as either |a| or |b|. It returns
-// one on success and zero on allocation failure.
+// BN_usub sets |r| = |a| - |b|, considering only the absolute values of |a| and
+// |b|. The result must be non-negative, i.e. |b| <= |a|. |r| may be the same
+// pointer as either |a| or |b|. It returns one on success and zero on error.
 OPENSSL_EXPORT int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 
 // BN_sub_word subtracts |w| from |a|. It returns one on success and zero on
@@ -424,9 +424,14 @@ OPENSSL_EXPORT int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
 
 // BN_div divides |numerator| by |divisor| and places the result in |quotient|
 // and the remainder in |rem|. Either of |quotient| or |rem| may be NULL, in
-// which case the respective value is not returned. The result is rounded
-// towards zero; thus if |numerator| is negative, the remainder will be zero or
-// negative. It returns one on success or zero on error.
+// which case the respective value is not returned. It returns one on success or
+// zero on error. It is an error condition if |divisor| is zero.
+//
+// The outputs will be such that |quotient| * |divisor| + |rem| = |numerator|,
+// with the quotient rounded towards zero. Thus, if |numerator| is negative,
+// |rem| will be zero or negative. If |divisor| is negative, the sign of
+// |quotient| will be flipped to compensate but otherwise rounding will be as if
+// |divisor| were its absolute value.
 OPENSSL_EXPORT int BN_div(BIGNUM *quotient, BIGNUM *rem,
                           const BIGNUM *numerator, const BIGNUM *divisor,
                           BN_CTX *ctx);

data/third_party/boringssl-with-bazel/src/include/openssl/experimental/dilithium.h

@@ -23,16 +23,14 @@ extern "C" {
 
 
 #if defined(OPENSSL_UNSTABLE_EXPERIMENTAL_DILITHIUM)
-// This header implements experimental, draft versions of not-yet-standardized
-// primitives. When the standard is complete, these functions will be removed
-// and replaced with the final, incompatible standard version. They are
-// available now for short-lived experiments, but must not be deployed anywhere
-// durable, such as a long-lived key store. To use these functions define
-// OPENSSL_UNSTABLE_EXPERIMENTAL_DILITHIUM.
+// The ML-DSA spec has now been standardized and ML-DSA is available in
+// BoringSSL.  This code should no longer be used. It was intended for
+// short-lived experiments and must not have been deployed anywhere durable.  If
+// you were using this you need to use the <openssl/mldsa.h> instead. This
+// header and code will be removed from BoringSSL soon.
 
 // Dilithium3.
 
-
 // DILITHIUM_private_key contains a Dilithium3 private key. The contents of this
 // object should never leave the address space since the format is unstable.
 struct DILITHIUM_private_key {
@@ -66,13 +64,13 @@ struct DILITHIUM_public_key {
 // DILITHIUM_generate_key generates a random public/private key pair, writes the
 // encoded public key to |out_encoded_public_key| and sets |out_private_key| to
 // the private key. Returns 1 on success and 0 on failure.
-OPENSSL_EXPORT int DILITHIUM_generate_key(
+OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_generate_key(
     uint8_t out_encoded_public_key[DILITHIUM_PUBLIC_KEY_BYTES],
     struct DILITHIUM_private_key *out_private_key);
 
 // DILITHIUM_public_from_private sets |*out_public_key| to the public key that
 // corresponds to |private_key|. Returns 1 on success and 0 on failure.
-OPENSSL_EXPORT int DILITHIUM_public_from_private(
+OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_public_from_private(
     struct DILITHIUM_public_key *out_public_key,
     const struct DILITHIUM_private_key *private_key);
 
@@ -80,14 +78,14 @@ OPENSSL_EXPORT int DILITHIUM_public_from_private(
 // |msg_len| using |private_key| following the randomized algorithm, and writes
 // the encoded signature to |out_encoded_signature|. Returns 1 on success and 0
 // on failure.
-OPENSSL_EXPORT int DILITHIUM_sign(
+OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_sign(
     uint8_t out_encoded_signature[DILITHIUM_SIGNATURE_BYTES],
     const struct DILITHIUM_private_key *private_key, const uint8_t *msg,
     size_t msg_len);
 
 // DILITHIUM_verify verifies that |encoded_signature| constitutes a valid
 // signature for the message |msg| of length |msg_len| using |public_key|.
-OPENSSL_EXPORT int DILITHIUM_verify(
+OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_verify(
     const struct DILITHIUM_public_key *public_key,
     const uint8_t encoded_signature[DILITHIUM_SIGNATURE_BYTES],
     const uint8_t *msg, size_t msg_len);
@@ -98,27 +96,27 @@ OPENSSL_EXPORT int DILITHIUM_verify(
 // DILITHIUM_marshal_public_key serializes |public_key| to |out| in the standard
 // format for Dilithium public keys. It returns one on success or zero on
 // allocation error.
-OPENSSL_EXPORT int DILITHIUM_marshal_public_key(
+OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_marshal_public_key(
     CBB *out, const struct DILITHIUM_public_key *public_key);
 
 // DILITHIUM_parse_public_key parses a public key, in the format generated by
 // |DILITHIUM_marshal_public_key|, from |in| and writes the result to
 // |out_public_key|. It returns one on success or zero on parse error or if
 // there are trailing bytes in |in|.
-OPENSSL_EXPORT int DILITHIUM_parse_public_key(
+OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_parse_public_key(
     struct DILITHIUM_public_key *public_key, CBS *in);
 
 // DILITHIUM_marshal_private_key serializes |private_key| to |out| in the
 // standard format for Dilithium private keys. It returns one on success or zero
 // on allocation error.
-OPENSSL_EXPORT int DILITHIUM_marshal_private_key(
+OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_marshal_private_key(
     CBB *out, const struct DILITHIUM_private_key *private_key);
 
 // DILITHIUM_parse_private_key parses a private key, in the format generated by
 // |DILITHIUM_marshal_private_key|, from |in| and writes the result to
 // |out_private_key|. It returns one on success or zero on parse error or if
 // there are trailing bytes in |in|.
-OPENSSL_EXPORT int DILITHIUM_parse_private_key(
+OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_parse_private_key(
     struct DILITHIUM_private_key *private_key, CBS *in);
 
 #endif  // OPENSSL_UNSTABLE_EXPERIMENTAL_DILITHIUM

data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h

@@ -40,12 +40,14 @@ extern "C" {
 // respectively.
 
 // The following constants are KEM identifiers.
+#define EVP_HPKE_DHKEM_P256_HKDF_SHA256 0x0010
 #define EVP_HPKE_DHKEM_X25519_HKDF_SHA256 0x0020
 
 // The following functions are KEM algorithms which may be used with HPKE. Note
 // that, while some HPKE KEMs use KDFs internally, this is separate from the
 // |EVP_HPKE_KDF| selection.
 OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void);
+OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_p256_hkdf_sha256(void);
 
 // EVP_HPKE_KEM_id returns the HPKE KEM identifier for |kem|, which
 // will be one of the |EVP_HPKE_KEM_*| constants.
@@ -53,7 +55,7 @@ OPENSSL_EXPORT uint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem);
 
 // EVP_HPKE_MAX_PUBLIC_KEY_LENGTH is the maximum length of an encoded public key
 // for all KEMs currently supported by this library.
-#define EVP_HPKE_MAX_PUBLIC_KEY_LENGTH 32
+#define EVP_HPKE_MAX_PUBLIC_KEY_LENGTH 65
 
 // EVP_HPKE_KEM_public_key_len returns the length of a public key for |kem|.
 // This value will be at most |EVP_HPKE_MAX_PUBLIC_KEY_LENGTH|.
@@ -69,7 +71,7 @@ OPENSSL_EXPORT size_t EVP_HPKE_KEM_private_key_len(const EVP_HPKE_KEM *kem);
 
 // EVP_HPKE_MAX_ENC_LENGTH is the maximum length of "enc", the encapsulated
 // shared secret, for all KEMs currently supported by this library.
-#define EVP_HPKE_MAX_ENC_LENGTH 32
+#define EVP_HPKE_MAX_ENC_LENGTH 65
 
 // EVP_HPKE_KEM_enc_len returns the length of the "enc", the encapsulated shared
 // secret, for |kem|. This value will be at most |EVP_HPKE_MAX_ENC_LENGTH|.
@@ -233,7 +235,7 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender(
 // EVP_HPKE_CTX_setup_sender_with_seed_for_testing behaves like
 // |EVP_HPKE_CTX_setup_sender|, but takes a seed to behave deterministically.
 // The seed's format depends on |kem|. For X25519, it is the sender's
-// ephemeral private key.
+// ephemeral private key. For P256, it's an HKDF input.
 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender_with_seed_for_testing(
     EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
     const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
@@ -265,7 +267,7 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender(
 // EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing behaves like
 // |EVP_HPKE_CTX_setup_auth_sender|, but takes a seed to behave
 // deterministically. The seed's format depends on |kem|. For X25519, it is the
-// sender's ephemeral private key.
+// sender's ephemeral private key. For P256, it's an HKDF input.
 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing(
     EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
     const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
@@ -375,8 +377,8 @@ struct evp_hpke_ctx_st {
 
 struct evp_hpke_key_st {
   const EVP_HPKE_KEM *kem;
-  uint8_t private_key[X25519_PRIVATE_KEY_LEN];
-  uint8_t public_key[X25519_PUBLIC_VALUE_LEN];
+  uint8_t private_key[EVP_HPKE_MAX_PRIVATE_KEY_LENGTH];
+  uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH];
 };
 
 

data/third_party/boringssl-with-bazel/src/include/openssl/mldsa.h

@@ -0,0 +1,136 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_MLDSA_H_
+#define OPENSSL_HEADER_MLDSA_H_
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// ML-DSA-65.
+//
+// This implements the Module-Lattice-Based Digital Signature Standard from
+// https://csrc.nist.gov/pubs/fips/204/final
+
+
+// MLDSA65_private_key contains an ML-DSA-65 private key. The contents of this
+// object should never leave the address space since the format is unstable.
+struct MLDSA65_private_key {
+  union {
+    uint8_t bytes[32 + 32 + 64 + 256 * 4 * (5 + 6 + 6)];
+    uint32_t alignment;
+  } opaque;
+};
+
+// MLDSA65_public_key contains an ML-DSA-65 public key. The contents of this
+// object should never leave the address space since the format is unstable.
+struct MLDSA65_public_key {
+  union {
+    uint8_t bytes[32 + 64 + 256 * 4 * 6];
+    uint32_t alignment;
+  } opaque;
+};
+
+// MLDSA65_PRIVATE_KEY_BYTES is the number of bytes in an encoded ML-DSA-65
+// private key.
+#define MLDSA65_PRIVATE_KEY_BYTES 4032
+
+// MLDSA65_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-DSA-65
+// public key.
+#define MLDSA65_PUBLIC_KEY_BYTES 1952
+
+// MLDSA65_SIGNATURE_BYTES is the number of bytes in an encoded ML-DSA-65
+// signature.
+#define MLDSA65_SIGNATURE_BYTES 3309
+
+// MLDSA_SEED_BYTES is the number of bytes in an ML-DSA seed value.
+#define MLDSA_SEED_BYTES 32
+
+// MLDSA65_generate_key generates a random public/private key pair, writes the
+// encoded public key to |out_encoded_public_key|, writes the seed to
+// |out_seed|, and sets |out_private_key| to the private key. Returns 1 on
+// success and 0 on allocation failure.
+OPENSSL_EXPORT int MLDSA65_generate_key(
+    uint8_t out_encoded_public_key[MLDSA65_PUBLIC_KEY_BYTES],
+    uint8_t out_seed[MLDSA_SEED_BYTES],
+    struct MLDSA65_private_key *out_private_key);
+
+// MLDSA65_private_key_from_seed regenerates a private key from a seed value
+// that was generated by |MLDSA65_generate_key|. Returns 1 on success and 0 on
+// allocation failure or if |seed_len| is incorrect.
+OPENSSL_EXPORT int MLDSA65_private_key_from_seed(
+    struct MLDSA65_private_key *out_private_key, const uint8_t *seed,
+    size_t seed_len);
+
+// MLDSA65_public_from_private sets |*out_public_key| to the public key that
+// corresponds to |private_key|. Returns 1 on success and 0 on failure.
+OPENSSL_EXPORT int MLDSA65_public_from_private(
+    struct MLDSA65_public_key *out_public_key,
+    const struct MLDSA65_private_key *private_key);
+
+// MLDSA65_sign generates a signature for the message |msg| of length
+// |msg_len| using |private_key| (following the randomized algorithm), and
+// writes the encoded signature to |out_encoded_signature|. The |context|
+// argument is also signed over and can be used to include implicit contextual
+// information that isn't included in |msg|. The same value of |context| must be
+// presented to |MLDSA65_verify| in order for the generated signature to be
+// considered valid. |context| and |context_len| may be |NULL| and 0 to use an
+// empty context (this is common). Returns 1 on success and 0 on failure.
+OPENSSL_EXPORT int MLDSA65_sign(
+    uint8_t out_encoded_signature[MLDSA65_SIGNATURE_BYTES],
+    const struct MLDSA65_private_key *private_key, const uint8_t *msg,
+    size_t msg_len, const uint8_t *context, size_t context_len);
+
+// MLDSA65_verify verifies that |signature| constitutes a valid
+// signature for the message |msg| of length |msg_len| using |public_key|. The
+// value of |context| must equal the value that was passed to |MLDSA65_sign|
+// when the signature was generated. Returns 1 on success or 0 on error.
+OPENSSL_EXPORT int MLDSA65_verify(const struct MLDSA65_public_key *public_key,
+                                  const uint8_t *signature,
+                                  size_t signature_len, const uint8_t *msg,
+                                  size_t msg_len, const uint8_t *context,
+                                  size_t context_len);
+
+
+// Serialisation of keys.
+
+// MLDSA65_marshal_public_key serializes |public_key| to |out| in the standard
+// format for ML-DSA-65 public keys. It returns 1 on success or 0 on
+// allocation error.
+OPENSSL_EXPORT int MLDSA65_marshal_public_key(
+    CBB *out, const struct MLDSA65_public_key *public_key);
+
+// MLDSA65_parse_public_key parses a public key, in the format generated by
+// |MLDSA65_marshal_public_key|, from |in| and writes the result to
+// |out_public_key|. It returns 1 on success or 0 on parse error or if
+// there are trailing bytes in |in|.
+OPENSSL_EXPORT int MLDSA65_parse_public_key(
+    struct MLDSA65_public_key *public_key, CBS *in);
+
+// MLDSA65_parse_private_key parses a private key, in the NIST format, from |in|
+// and writes the result to |out_private_key|. It returns 1 on success or 0 on
+// parse error or if there are trailing bytes in |in|.
+OPENSSL_EXPORT int MLDSA65_parse_private_key(
+    struct MLDSA65_private_key *private_key, CBS *in);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_MLDSA_H_

data/third_party/boringssl-with-bazel/src/include/openssl/mlkem.h

@@ -0,0 +1,246 @@
+/* Copyright (c) 2024, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_MLKEM_H
+#define OPENSSL_HEADER_MLKEM_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// ML-KEM-768.
+//
+// This implements the Module-Lattice-Based Key-Encapsulation Mechanism from
+// https://csrc.nist.gov/pubs/fips/204/final
+
+
+// MLKEM768_public_key contains an ML-KEM-768 public key. The contents of this
+// object should never leave the address space since the format is unstable.
+struct MLKEM768_public_key {
+  union {
+    uint8_t bytes[512 * (3 + 9) + 32 + 32];
+    uint16_t alignment;
+  } opaque;
+};
+
+// MLKEM768_private_key contains an ML-KEM-768 private key. The contents of this
+// object should never leave the address space since the format is unstable.
+struct MLKEM768_private_key {
+  union {
+    uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32];
+    uint16_t alignment;
+  } opaque;
+};
+
+// MLKEM768_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-768
+// public key.
+#define MLKEM768_PUBLIC_KEY_BYTES 1184
+
+// MLKEM_SEED_BYTES is the number of bytes in an ML-KEM seed.
+#define MLKEM_SEED_BYTES 64
+
+// MLKEM768_generate_key generates a random public/private key pair, writes the
+// encoded public key to |out_encoded_public_key| and sets |out_private_key| to
+// the private key. If |optional_out_seed| is not NULL then the seed used to
+// generate the private key is written to it.
+OPENSSL_EXPORT void MLKEM768_generate_key(
+    uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
+    uint8_t optional_out_seed[MLKEM_SEED_BYTES],
+    struct MLKEM768_private_key *out_private_key);
+
+// MLKEM768_private_key_from_seed derives a private key from a seed that was
+// generated by |MLKEM768_generate_key|. It fails and returns 0 if |seed_len| is
+// incorrect, otherwise it writes |*out_private_key| and returns 1.
+OPENSSL_EXPORT int MLKEM768_private_key_from_seed(
+    struct MLKEM768_private_key *out_private_key, const uint8_t *seed,
+    size_t seed_len);
+
+// MLKEM768_public_from_private sets |*out_public_key| to the public key that
+// corresponds to |private_key|. (This is faster than parsing the output of
+// |MLKEM768_generate_key| if, for some reason, you need to encapsulate to a key
+// that was just generated.)
+OPENSSL_EXPORT void MLKEM768_public_from_private(
+    struct MLKEM768_public_key *out_public_key,
+    const struct MLKEM768_private_key *private_key);
+
+// MLKEM768_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-768 ciphertext.
+#define MLKEM768_CIPHERTEXT_BYTES 1088
+
+// MLKEM_SHARED_SECRET_BYTES is the number of bytes in an ML-KEM shared secret.
+#define MLKEM_SHARED_SECRET_BYTES 32
+
+// MLKEM768_encap encrypts a random shared secret for |public_key|, writes the
+// ciphertext to |out_ciphertext|, and writes the random shared secret to
+// |out_shared_secret|.
+OPENSSL_EXPORT void MLKEM768_encap(
+    uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+    const struct MLKEM768_public_key *public_key);
+
+// MLKEM768_decap decrypts a shared secret from |ciphertext| using |private_key|
+// and writes it to |out_shared_secret|. If |ciphertext_len| is incorrect it
+// returns 0, otherwise it returns 1. If |ciphertext| is invalid (but of the
+// correct length), |out_shared_secret| is filled with a key that will always be
+// the same for the same |ciphertext| and |private_key|, but which appears to be
+// random unless one has access to |private_key|. These alternatives occur in
+// constant time. Any subsequent symmetric encryption using |out_shared_secret|
+// must use an authenticated encryption scheme in order to discover the
+// decapsulation failure.
+OPENSSL_EXPORT int MLKEM768_decap(
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+    const uint8_t *ciphertext, size_t ciphertext_len,
+    const struct MLKEM768_private_key *private_key);
+
+
+// Serialisation of keys.
+
+// MLKEM768_marshal_public_key serializes |public_key| to |out| in the standard
+// format for ML-KEM-768 public keys. It returns one on success or zero on
+// allocation error.
+OPENSSL_EXPORT int MLKEM768_marshal_public_key(
+    CBB *out, const struct MLKEM768_public_key *public_key);
+
+// MLKEM768_parse_public_key parses a public key, in the format generated by
+// |MLKEM768_marshal_public_key|, from |in| and writes the result to
+// |out_public_key|. It returns one on success or zero on parse error or if
+// there are trailing bytes in |in|.
+OPENSSL_EXPORT int MLKEM768_parse_public_key(
+    struct MLKEM768_public_key *out_public_key, CBS *in);
+
+// MLKEM768_PRIVATE_KEY_BYTES is the length of the data produced by
+// |MLKEM768_marshal_private_key|.
+#define MLKEM768_PRIVATE_KEY_BYTES 2400
+
+// MLKEM768_parse_private_key parses a private key, in NIST's format for
+// private keys, from |in| and writes the result to |out_private_key|. It
+// returns one on success or zero on parse error or if there are trailing bytes
+// in |in|. This format is verbose and should be avoided. Private keys should be
+// stored as seeds and parsed using |MLKEM768_private_key_from_seed|.
+OPENSSL_EXPORT int MLKEM768_parse_private_key(
+    struct MLKEM768_private_key *out_private_key, CBS *in);
+
+
+// ML-KEM-1024
+//
+// ML-KEM-1024 also exists. You should prefer ML-KEM-768 where possible.
+
+// MLKEM1024_public_key contains an ML-KEM-1024 public key. The contents of this
+// object should never leave the address space since the format is unstable.
+struct MLKEM1024_public_key {
+  union {
+    uint8_t bytes[512 * (4 + 16) + 32 + 32];
+    uint16_t alignment;
+  } opaque;
+};
+
+// MLKEM1024_private_key contains a ML-KEM-1024 private key. The contents of
+// this object should never leave the address space since the format is
+// unstable.
+struct MLKEM1024_private_key {
+  union {
+    uint8_t bytes[512 * (4 + 4 + 16) + 32 + 32 + 32];
+    uint16_t alignment;
+  } opaque;
+};
+
+// MLKEM1024_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-1024
+// public key.
+#define MLKEM1024_PUBLIC_KEY_BYTES 1568
+
+// MLKEM1024_generate_key generates a random public/private key pair, writes the
+// encoded public key to |out_encoded_public_key| and sets |out_private_key| to
+// the private key. If |optional_out_seed| is not NULL then the seed used to
+// generate the private key is written to it.
+OPENSSL_EXPORT void MLKEM1024_generate_key(
+    uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
+    uint8_t optional_out_seed[MLKEM_SEED_BYTES],
+    struct MLKEM1024_private_key *out_private_key);
+
+// MLKEM1024_private_key_from_seed derives a private key from a seed that was
+// generated by |MLKEM1024_generate_key|. It fails and returns 0 if |seed_len|
+// is incorrect, otherwise it writes |*out_private_key| and returns 1.
+OPENSSL_EXPORT int MLKEM1024_private_key_from_seed(
+    struct MLKEM1024_private_key *out_private_key, const uint8_t *seed,
+    size_t seed_len);
+
+// MLKEM1024_public_from_private sets |*out_public_key| to the public key that
+// corresponds to |private_key|. (This is faster than parsing the output of
+// |MLKEM1024_generate_key| if, for some reason, you need to encapsulate to a
+// key that was just generated.)
+OPENSSL_EXPORT void MLKEM1024_public_from_private(
+    struct MLKEM1024_public_key *out_public_key,
+    const struct MLKEM1024_private_key *private_key);
+
+// MLKEM1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024 ciphertext.
+#define MLKEM1024_CIPHERTEXT_BYTES 1568
+
+// MLKEM1024_encap encrypts a random shared secret for |public_key|, writes the
+// ciphertext to |out_ciphertext|, and writes the random shared secret to
+// |out_shared_secret|.
+OPENSSL_EXPORT void MLKEM1024_encap(
+    uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+    const struct MLKEM1024_public_key *public_key);
+
+// MLKEM1024_decap decrypts a shared secret from |ciphertext| using
+// |private_key| and writes it to |out_shared_secret|. If |ciphertext_len| is
+// incorrect it returns 0, otherwise it returns 1. If |ciphertext| is invalid
+// (but of the correct length), |out_shared_secret| is filled with a key that
+// will always be the same for the same |ciphertext| and |private_key|, but
+// which appears to be random unless one has access to |private_key|. These
+// alternatives occur in constant time. Any subsequent symmetric encryption
+// using |out_shared_secret| must use an authenticated encryption scheme in
+// order to discover the decapsulation failure.
+OPENSSL_EXPORT int MLKEM1024_decap(
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+    const uint8_t *ciphertext, size_t ciphertext_len,
+    const struct MLKEM1024_private_key *private_key);
+
+
+// Serialisation of ML-KEM-1024 keys.
+
+// MLKEM1024_marshal_public_key serializes |public_key| to |out| in the standard
+// format for ML-KEM-1024 public keys. It returns one on success or zero on
+// allocation error.
+OPENSSL_EXPORT int MLKEM1024_marshal_public_key(
+    CBB *out, const struct MLKEM1024_public_key *public_key);
+
+// MLKEM1024_parse_public_key parses a public key, in the format generated by
+// |MLKEM1024_marshal_public_key|, from |in| and writes the result to
+// |out_public_key|. It returns one on success or zero on parse error or if
+// there are trailing bytes in |in|.
+OPENSSL_EXPORT int MLKEM1024_parse_public_key(
+    struct MLKEM1024_public_key *out_public_key, CBS *in);
+
+// MLKEM1024_PRIVATE_KEY_BYTES is the length of the data produced by
+// |MLKEM1024_marshal_private_key|.
+#define MLKEM1024_PRIVATE_KEY_BYTES 3168
+
+// MLKEM1024_parse_private_key parses a private key, in NIST's format for
+// private keys, from |in| and writes the result to |out_private_key|. It
+// returns one on success or zero on parse error or if there are trailing bytes
+// in |in|. This format is verbose and should be avoided. Private keys should be
+// stored as seeds and parsed using |MLKEM1024_private_key_from_seed|.
+OPENSSL_EXPORT int MLKEM1024_parse_private_key(
+    struct MLKEM1024_private_key *out_private_key, CBS *in);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_MLKEM_H

data/third_party/boringssl-with-bazel/src/include/openssl/nid.h

@@ -4255,6 +4255,9 @@ extern "C" {
 #define SN_X25519Kyber768Draft00 "X25519Kyber768Draft00"
 #define NID_X25519Kyber768Draft00 964
 
+#define SN_X25519MLKEM768 "X25519MLKEM768"
+#define NID_X25519MLKEM768 965
+
 
 #if defined(__cplusplus)
 } /* extern C */