grpc 1.69.0 → 1.70.1

data/third_party/boringssl-with-bazel/src/crypto/sha/sha512.cc

@@ -0,0 +1,104 @@
+/* Copyright 2024 The BoringSSL Authors
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/sha.h>
+
+#include <openssl/mem.h>
+
+#include "../fipsmodule/bcm_interface.h"
+
+
+int SHA384_Init(SHA512_CTX *sha) {
+  BCM_sha384_init(sha);
+  return 1;
+}
+
+int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) {
+  BCM_sha384_update(sha, data, len);
+  return 1;
+}
+
+int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) {
+  BCM_sha384_final(out, sha);
+  return 1;
+}
+
+uint8_t *SHA384(const uint8_t *data, size_t len,
+                uint8_t out[SHA384_DIGEST_LENGTH]) {
+  SHA512_CTX ctx;
+  BCM_sha384_init(&ctx);
+  BCM_sha384_update(&ctx, data, len);
+  BCM_sha384_final(out, &ctx);
+  OPENSSL_cleanse(&ctx, sizeof(ctx));
+  return out;
+}
+
+int SHA512_256_Init(SHA512_CTX *sha) {
+  BCM_sha512_256_init(sha);
+  return 1;
+}
+
+int SHA512_256_Update(SHA512_CTX *sha, const void *data, size_t len) {
+  BCM_sha512_256_update(sha, data, len);
+  return 1;
+}
+
+int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) {
+  BCM_sha512_256_final(out, sha);
+  return 1;
+}
+
+uint8_t *SHA512_256(const uint8_t *data, size_t len,
+                uint8_t out[SHA512_256_DIGEST_LENGTH]) {
+  SHA512_CTX ctx;
+  BCM_sha512_256_init(&ctx);
+  BCM_sha512_256_update(&ctx, data, len);
+  BCM_sha512_256_final(out, &ctx);
+  OPENSSL_cleanse(&ctx, sizeof(ctx));
+  return out;
+}
+
+int SHA512_Init(SHA512_CTX *sha) {
+  BCM_sha512_init(sha);
+  return 1;
+}
+
+int SHA512_Update(SHA512_CTX *sha, const void *data, size_t len) {
+  BCM_sha512_update(sha, data, len);
+  return 1;
+}
+
+int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
+  // Historically this function retured failure if passed NULL, even
+  // though other final functions do not.
+  if (out == NULL) {
+    return 0;
+  }
+  BCM_sha512_final(out, sha);
+  return 1;
+}
+
+uint8_t *SHA512(const uint8_t *data, size_t len,
+                uint8_t out[SHA512_DIGEST_LENGTH]) {
+  SHA512_CTX ctx;
+  BCM_sha512_init(&ctx);
+  BCM_sha512_update(&ctx, data, len);
+  BCM_sha512_final(out, &ctx);
+  OPENSSL_cleanse(&ctx, sizeof(ctx));
+  return out;
+}
+
+void SHA512_Transform(SHA512_CTX *sha, const uint8_t block[SHA512_CBLOCK]) {
+  BCM_sha512_transform(sha, block);
+}

data/third_party/boringssl-with-bazel/src/crypto/siphash/{siphash.c → siphash.cc}

@@ -1,4 +1,4 @@
-/* Copyright (c) 2019, Google Inc.
+/* Copyright 2019 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

data/third_party/boringssl-with-bazel/src/crypto/slhdsa/address.h

@@ -0,0 +1,123 @@
+/* Copyright 2024 The BoringSSL Authors
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SLHDSA_ADDRESS_H
+#define OPENSSL_HEADER_CRYPTO_SLHDSA_ADDRESS_H
+
+#include <openssl/mem.h>
+
+#include "../internal.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// Offsets of various fields in the address structure for SLH-DSA-SHA2-128s.
+
+// The byte used to specify the Merkle tree layer.
+#define SLHDSA_SHA2_128S_OFFSET_LAYER 0
+
+// The start of the 8 byte field used to specify the tree.
+#define SLHDSA_SHA2_128S_OFFSET_TREE 1
+
+// The byte used to specify the hash type (reason).
+#define SLHDSA_SHA2_128S_OFFSET_TYPE 9
+
+// The high byte used to specify the key pair (which one-time signature).
+#define SLHDSA_SHA2_128S_OFFSET_KP_ADDR2 12
+
+// The low byte used to specific the key pair.
+#define SLHDSA_SHA2_128S_OFFSET_KP_ADDR1 13
+
+// The byte used to specify the chain address (which Winternitz chain).
+#define SLHDSA_SHA2_128S_OFFSET_CHAIN_ADDR 17
+
+// The byte used to specify the hash address (where in the Winternitz chain).
+#define SLHDSA_SHA2_128S_OFFSET_HASH_ADDR 21
+
+// The byte used to specify the height of this node in the FORS or Merkle tree.
+#define SLHDSA_SHA2_128S_OFFSET_TREE_HGT 17
+
+// The start of the 4 byte field used to specify the node in the FORS or Merkle
+// tree.
+#define SLHDSA_SHA2_128S_OFFSET_TREE_INDEX 18
+
+
+OPENSSL_INLINE void slhdsa_set_chain_addr(uint8_t addr[32], uint32_t chain) {
+  addr[SLHDSA_SHA2_128S_OFFSET_CHAIN_ADDR] = (uint8_t)chain;
+}
+
+OPENSSL_INLINE void slhdsa_set_hash_addr(uint8_t addr[32], uint32_t hash) {
+  addr[SLHDSA_SHA2_128S_OFFSET_HASH_ADDR] = (uint8_t)hash;
+}
+
+OPENSSL_INLINE void slhdsa_set_keypair_addr(uint8_t addr[32],
+                                            uint32_t keypair) {
+  addr[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2] = (uint8_t)(keypair >> 8);
+  addr[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1] = (uint8_t)keypair;
+}
+
+OPENSSL_INLINE void slhdsa_copy_keypair_addr(uint8_t out[32],
+                                             const uint8_t in[32]) {
+  OPENSSL_memcpy(out, in, SLHDSA_SHA2_128S_OFFSET_TREE + 8);
+  out[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2] = in[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2];
+  out[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1] = in[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1];
+}
+
+OPENSSL_INLINE void slhdsa_set_layer_addr(uint8_t addr[32], uint32_t layer) {
+  addr[SLHDSA_SHA2_128S_OFFSET_LAYER] = (uint8_t)layer;
+}
+
+OPENSSL_INLINE void slhdsa_set_tree_addr(uint8_t addr[32], uint64_t tree) {
+  CRYPTO_store_u64_be(&addr[SLHDSA_SHA2_128S_OFFSET_TREE], tree);
+}
+
+#define SLHDSA_SHA2_128S_ADDR_TYPE_WOTS 0
+#define SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPK 1
+#define SLHDSA_SHA2_128S_ADDR_TYPE_HASHTREE 2
+#define SLHDSA_SHA2_128S_ADDR_TYPE_FORSTREE 3
+#define SLHDSA_SHA2_128S_ADDR_TYPE_FORSPK 4
+#define SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPRF 5
+#define SLHDSA_SHA2_128S_ADDR_TYPE_FORSPRF 6
+
+OPENSSL_INLINE void slhdsa_set_type(uint8_t addr[32], uint32_t type) {
+  // FIPS 205 relies on this setting parts of the address to 0, so we do it
+  // here to avoid confusion.
+  //
+  // The behavior here is only correct for the SHA-2 instantiations.
+  OPENSSL_memset(addr + 10, 0, 12);
+  addr[SLHDSA_SHA2_128S_OFFSET_TYPE] = (uint8_t)type;
+}
+
+OPENSSL_INLINE void slhdsa_set_tree_height(uint8_t addr[32],
+                                           uint32_t tree_height) {
+  addr[SLHDSA_SHA2_128S_OFFSET_TREE_HGT] = (uint8_t)tree_height;
+}
+
+OPENSSL_INLINE void slhdsa_set_tree_index(uint8_t addr[32],
+                                          uint32_t tree_index) {
+  CRYPTO_store_u32_be(&addr[SLHDSA_SHA2_128S_OFFSET_TREE_INDEX], tree_index);
+}
+
+OPENSSL_INLINE uint32_t slhdsa_get_tree_index(uint8_t addr[32]) {
+  return CRYPTO_load_u32_be(addr + SLHDSA_SHA2_128S_OFFSET_TREE_INDEX);
+}
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_SLHDSA_ADDRESS_H

data/third_party/boringssl-with-bazel/src/crypto/slhdsa/fors.cc

@@ -0,0 +1,169 @@
+/* Copyright 2024 The BoringSSL Authors
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/base.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include "../internal.h"
+#include "./address.h"
+#include "./fors.h"
+#include "./params.h"
+#include "./thash.h"
+
+// Compute the base 2^12 representation of `message` (algorithm 4, page 16).
+static void fors_base_b(
+    uint16_t indices[SLHDSA_SHA2_128S_FORS_TREES],
+    const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES]) {
+  static_assert(SLHDSA_SHA2_128S_FORS_HEIGHT == 12, "");
+  static_assert((SLHDSA_SHA2_128S_FORS_TREES & 1) == 0, "");
+
+  const uint8_t *msg = message;
+  for (size_t i = 0; i < SLHDSA_SHA2_128S_FORS_TREES; i += 2) {
+    uint32_t val = ((uint32_t)msg[0] << 16) | ((uint32_t)msg[1] << 8) | msg[2];
+    indices[i] = (val >> 12) & 0xFFF;
+    indices[i + 1] = val & 0xFFF;
+    msg += 3;
+  }
+}
+
+// Implements Algorithm 14: fors_skGen function (page 29)
+void slhdsa_fors_sk_gen(uint8_t fors_sk[SLHDSA_SHA2_128S_N], uint32_t idx,
+                        const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+                        const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+                        uint8_t addr[32]) {
+  uint8_t sk_addr[32];
+  OPENSSL_memcpy(sk_addr, addr, sizeof(sk_addr));
+
+  slhdsa_set_type(sk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSPRF);
+  slhdsa_copy_keypair_addr(sk_addr, addr);
+  slhdsa_set_tree_index(sk_addr, idx);
+  slhdsa_thash_prf(fors_sk, pk_seed, sk_seed, sk_addr);
+}
+
+// Implements Algorithm 15: fors_node function (page 30)
+void slhdsa_fors_treehash(uint8_t root_node[SLHDSA_SHA2_128S_N],
+                          const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+                          uint32_t i /*target node index*/,
+                          uint32_t z /*target node height*/,
+                          const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+                          uint8_t addr[32]) {
+  BSSL_CHECK(z <= SLHDSA_SHA2_128S_FORS_HEIGHT);
+  BSSL_CHECK(i < (uint32_t)(SLHDSA_SHA2_128S_FORS_TREES *
+                            (1 << (SLHDSA_SHA2_128S_FORS_HEIGHT - z))));
+
+  if (z == 0) {
+    uint8_t sk[SLHDSA_SHA2_128S_N];
+    slhdsa_set_tree_height(addr, 0);
+    slhdsa_set_tree_index(addr, i);
+    slhdsa_fors_sk_gen(sk, i, sk_seed, pk_seed, addr);
+    slhdsa_thash_f(root_node, sk, pk_seed, addr);
+  } else {
+    // Stores left node and right node.
+    uint8_t nodes[2 * SLHDSA_SHA2_128S_N];
+    slhdsa_fors_treehash(nodes, sk_seed, 2 * i, z - 1, pk_seed, addr);
+    slhdsa_fors_treehash(nodes + SLHDSA_SHA2_128S_N, sk_seed, 2 * i + 1, z - 1,
+                         pk_seed, addr);
+    slhdsa_set_tree_height(addr, z);
+    slhdsa_set_tree_index(addr, i);
+    slhdsa_thash_h(root_node, nodes, pk_seed, addr);
+  }
+}
+
+// Implements Algorithm 16: fors_sign function (page 31)
+void slhdsa_fors_sign(uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES],
+                      const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES],
+                      const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+                      const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+                      uint8_t addr[32]) {
+  uint16_t indices[SLHDSA_SHA2_128S_FORS_TREES];
+
+  // Derive FORS indices compatible with the NIST changes.
+  fors_base_b(indices, message);
+
+  for (size_t i = 0; i < SLHDSA_SHA2_128S_FORS_TREES; ++i) {
+    slhdsa_set_tree_height(addr, 0);
+    // Write the FORS secret key element to the correct position.
+    slhdsa_fors_sk_gen(
+        fors_sig + i * SLHDSA_SHA2_128S_N * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1),
+        i * (1 << SLHDSA_SHA2_128S_FORS_HEIGHT) + indices[i], sk_seed, pk_seed,
+        addr);
+    for (size_t j = 0; j < SLHDSA_SHA2_128S_FORS_HEIGHT; ++j) {
+      size_t s = (indices[i] / (1 << j)) ^ 1;
+      // Write the FORS auth path element to the correct position.
+      slhdsa_fors_treehash(
+          fors_sig + SLHDSA_SHA2_128S_N *
+                         (i * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1) + j + 1),
+          sk_seed, i * (1ULL << (SLHDSA_SHA2_128S_FORS_HEIGHT - j)) + s, j,
+          pk_seed, addr);
+    }
+  }
+}
+
+// Implements Algorithm 17: fors_pkFromSig function (page 32)
+void slhdsa_fors_pk_from_sig(
+    uint8_t fors_pk[SLHDSA_SHA2_128S_N],
+    const uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES],
+    const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES],
+    const uint8_t pk_seed[SLHDSA_SHA2_128S_N], uint8_t addr[32]) {
+  uint16_t indices[SLHDSA_SHA2_128S_FORS_TREES];
+  uint8_t tmp[2 * SLHDSA_SHA2_128S_N];
+  uint8_t roots[SLHDSA_SHA2_128S_FORS_TREES * SLHDSA_SHA2_128S_N];
+
+  // Derive FORS indices compatible with the NIST changes.
+  fors_base_b(indices, message);
+
+  for (size_t i = 0; i < SLHDSA_SHA2_128S_FORS_TREES; ++i) {
+    // Pointer to current sk and authentication path
+    const uint8_t *sk =
+        fors_sig + i * SLHDSA_SHA2_128S_N * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1);
+    const uint8_t *auth =
+        fors_sig + i * SLHDSA_SHA2_128S_N * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1) +
+        SLHDSA_SHA2_128S_N;
+    uint8_t nodes[2 * SLHDSA_SHA2_128S_N];
+
+    slhdsa_set_tree_height(addr, 0);
+    slhdsa_set_tree_index(
+        addr, (i * (1 << SLHDSA_SHA2_128S_FORS_HEIGHT)) + indices[i]);
+
+    slhdsa_thash_f(nodes, sk, pk_seed, addr);
+
+    for (size_t j = 0; j < SLHDSA_SHA2_128S_FORS_HEIGHT; ++j) {
+      slhdsa_set_tree_height(addr, j + 1);
+
+      // Even node
+      if (((indices[i] / (1 << j)) % 2) == 0) {
+        slhdsa_set_tree_index(addr, slhdsa_get_tree_index(addr) / 2);
+        OPENSSL_memcpy(tmp, nodes, SLHDSA_SHA2_128S_N);
+        OPENSSL_memcpy(tmp + SLHDSA_SHA2_128S_N, auth + j * SLHDSA_SHA2_128S_N,
+                       SLHDSA_SHA2_128S_N);
+        slhdsa_thash_h(nodes + SLHDSA_SHA2_128S_N, tmp, pk_seed, addr);
+      } else {
+        slhdsa_set_tree_index(addr, (slhdsa_get_tree_index(addr) - 1) / 2);
+        OPENSSL_memcpy(tmp, auth + j * SLHDSA_SHA2_128S_N, SLHDSA_SHA2_128S_N);
+        OPENSSL_memcpy(tmp + SLHDSA_SHA2_128S_N, nodes, SLHDSA_SHA2_128S_N);
+        slhdsa_thash_h(nodes + SLHDSA_SHA2_128S_N, tmp, pk_seed, addr);
+      }
+      OPENSSL_memcpy(nodes, nodes + SLHDSA_SHA2_128S_N, SLHDSA_SHA2_128S_N);
+    }
+    OPENSSL_memcpy(roots + i * SLHDSA_SHA2_128S_N, nodes, SLHDSA_SHA2_128S_N);
+  }
+
+  uint8_t forspk_addr[32];
+  OPENSSL_memcpy(forspk_addr, addr, sizeof(forspk_addr));
+  slhdsa_set_type(forspk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSPK);
+  slhdsa_copy_keypair_addr(forspk_addr, addr);
+  slhdsa_thash_tk(fors_pk, roots, pk_seed, forspk_addr);
+}

data/third_party/boringssl-with-bazel/src/crypto/slhdsa/fors.h

@@ -0,0 +1,58 @@
+/* Copyright 2024 The BoringSSL Authors
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SLHDSA_FORS_H
+#define OPENSSL_HEADER_CRYPTO_SLHDSA_FORS_H
+
+#include "./params.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// Implements Algorithm 14: fors_skGen function (page 29)
+void slhdsa_fors_sk_gen(uint8_t fors_sk[SLHDSA_SHA2_128S_N], uint32_t idx,
+                        const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+                        const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+                        uint8_t addr[32]);
+
+// Implements Algorithm 15: fors_node function (page 30)
+void slhdsa_fors_treehash(uint8_t root_node[SLHDSA_SHA2_128S_N],
+                          const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+                          uint32_t i /*target node index*/,
+                          uint32_t z /*target node height*/,
+                          const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+                          uint8_t addr[32]);
+
+// Implements Algorithm 16: fors_sign function (page 31)
+void slhdsa_fors_sign(uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES],
+                      const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES],
+                      const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+                      const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+                      uint8_t addr[32]);
+
+// Implements Algorithm 17: fors_pkFromSig function (page 32)
+void slhdsa_fors_pk_from_sig(
+    uint8_t fors_pk[SLHDSA_SHA2_128S_N],
+    const uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES],
+    const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES],
+    const uint8_t pk_seed[SLHDSA_SHA2_128S_N], uint8_t addr[32]);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_SLHDSA_FORS_H

data/third_party/boringssl-with-bazel/src/crypto/slhdsa/internal.h

@@ -0,0 +1,63 @@
+/* Copyright 2024 The BoringSSL Authors
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SLHDSA_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_SLHDSA_INTERNAL_H
+
+#include <openssl/slhdsa.h>
+
+#include "params.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// SLHDSA_SHA2_128S_generate_key_from_seed generates an SLH-DSA-SHA2-128s key
+// pair from a 48-byte seed and writes the result to |out_public_key| and
+// |out_secret_key|.
+OPENSSL_EXPORT void SLHDSA_SHA2_128S_generate_key_from_seed(
+    uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
+    uint8_t out_secret_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
+    const uint8_t seed[3 * SLHDSA_SHA2_128S_N]);
+
+// SLHDSA_SHA2_128S_sign_internal acts like |SLHDSA_SHA2_128S_sign| but
+// accepts an explicit entropy input, which can be PK.seed (bytes 32..48 of
+// the private key) to generate deterministic signatures. It also takes the
+// input message in three parts so that the "internal" version of the signing
+// function, from section 9.2, can be implemented. The |header| argument may be
+// NULL to omit it.
+OPENSSL_EXPORT void SLHDSA_SHA2_128S_sign_internal(
+    uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],
+    const uint8_t secret_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
+    const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,
+    size_t context_len, const uint8_t *msg, size_t msg_len,
+    const uint8_t entropy[SLHDSA_SHA2_128S_N]);
+
+// SLHDSA_SHA2_128S_verify_internal acts like |SLHDSA_SHA2_128S_verify| but
+// takes the input message in three parts so that the "internal" version of the
+// verification function, from section 9.3, can be implemented. The |header|
+// argument may be NULL to omit it.
+OPENSSL_EXPORT int SLHDSA_SHA2_128S_verify_internal(
+    const uint8_t *signature, size_t signature_len,
+    const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
+    const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,
+    size_t context_len, const uint8_t *msg, size_t msg_len);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_SLHDSA_INTERNAL_H

data/third_party/boringssl-with-bazel/src/crypto/slhdsa/merkle.cc

@@ -0,0 +1,161 @@
+/* Copyright 2024 The BoringSSL Authors
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/base.h>
+
+#include <string.h>
+
+#include "../internal.h"
+#include "./address.h"
+#include "./merkle.h"
+#include "./params.h"
+#include "./thash.h"
+#include "./wots.h"
+
+
+// Implements Algorithm 9: xmss_node function (page 23)
+void slhdsa_treehash(uint8_t out_pk[SLHDSA_SHA2_128S_N],
+                     const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+                     uint32_t i /*target node index*/,
+                     uint32_t z /*target node height*/,
+                     const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+                     uint8_t addr[32]) {
+  BSSL_CHECK(z <= SLHDSA_SHA2_128S_TREE_HEIGHT);
+  BSSL_CHECK(i < (uint32_t)(1 << (SLHDSA_SHA2_128S_TREE_HEIGHT - z)));
+
+  if (z == 0) {
+    slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTS);
+    slhdsa_set_keypair_addr(addr, i);
+    slhdsa_wots_pk_gen(out_pk, sk_seed, pk_seed, addr);
+  } else {
+    // Stores left node and right node.
+    uint8_t nodes[2 * SLHDSA_SHA2_128S_N];
+    slhdsa_treehash(nodes, sk_seed, 2 * i, z - 1, pk_seed, addr);
+    slhdsa_treehash(nodes + SLHDSA_SHA2_128S_N, sk_seed, 2 * i + 1, z - 1,
+                    pk_seed, addr);
+    slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_HASHTREE);
+    slhdsa_set_tree_height(addr, z);
+    slhdsa_set_tree_index(addr, i);
+    slhdsa_thash_h(out_pk, nodes, pk_seed, addr);
+  }
+}
+
+// Implements Algorithm 10: xmss_sign function (page 24)
+void slhdsa_xmss_sign(uint8_t sig[SLHDSA_SHA2_128S_XMSS_BYTES],
+                      const uint8_t msg[SLHDSA_SHA2_128S_N], unsigned int idx,
+                      const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+                      const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+                      uint8_t addr[32]) {
+  // Build authentication path
+  for (size_t j = 0; j < SLHDSA_SHA2_128S_TREE_HEIGHT; ++j) {
+    unsigned int k = (idx >> j) ^ 1;
+    slhdsa_treehash(sig + SLHDSA_SHA2_128S_WOTS_BYTES + j * SLHDSA_SHA2_128S_N,
+                    sk_seed, k, j, pk_seed, addr);
+  }
+
+  // Compute WOTS+ signature
+  slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTS);
+  slhdsa_set_keypair_addr(addr, idx);
+  slhdsa_wots_sign(sig, msg, sk_seed, pk_seed, addr);
+}
+
+// Implements Algorithm 11: xmss_pkFromSig function (page 25)
+void slhdsa_xmss_pk_from_sig(
+    uint8_t root[SLHDSA_SHA2_128S_N],
+    const uint8_t xmss_sig[SLHDSA_SHA2_128S_XMSS_BYTES], unsigned int idx,
+    const uint8_t msg[SLHDSA_SHA2_128S_N],
+    const uint8_t pk_seed[SLHDSA_SHA2_128S_N], uint8_t addr[32]) {
+  // Stores node[0] and node[1] from Algorithm 11
+  slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTS);
+  slhdsa_set_keypair_addr(addr, idx);
+  uint8_t node[2 * SLHDSA_SHA2_128S_N];
+  slhdsa_wots_pk_from_sig(node, xmss_sig, msg, pk_seed, addr);
+
+  slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_HASHTREE);
+  slhdsa_set_tree_index(addr, idx);
+
+  uint8_t tmp[2 * SLHDSA_SHA2_128S_N];
+  const uint8_t *const auth = xmss_sig + SLHDSA_SHA2_128S_WOTS_BYTES;
+  for (size_t k = 0; k < SLHDSA_SHA2_128S_TREE_HEIGHT; ++k) {
+    slhdsa_set_tree_height(addr, k + 1);
+    if (((idx >> k) & 1) == 0) {
+      slhdsa_set_tree_index(addr, slhdsa_get_tree_index(addr) >> 1);
+      OPENSSL_memcpy(tmp, node, SLHDSA_SHA2_128S_N);
+      OPENSSL_memcpy(tmp + SLHDSA_SHA2_128S_N, auth + k * SLHDSA_SHA2_128S_N,
+                     SLHDSA_SHA2_128S_N);
+      slhdsa_thash_h(node + SLHDSA_SHA2_128S_N, tmp, pk_seed, addr);
+    } else {
+      slhdsa_set_tree_index(addr, (slhdsa_get_tree_index(addr) - 1) >> 1);
+      OPENSSL_memcpy(tmp, auth + k * SLHDSA_SHA2_128S_N, SLHDSA_SHA2_128S_N);
+      OPENSSL_memcpy(tmp + SLHDSA_SHA2_128S_N, node, SLHDSA_SHA2_128S_N);
+      slhdsa_thash_h(node + SLHDSA_SHA2_128S_N, tmp, pk_seed, addr);
+    }
+    OPENSSL_memcpy(node, node + SLHDSA_SHA2_128S_N, SLHDSA_SHA2_128S_N);
+  }
+  OPENSSL_memcpy(root, node, SLHDSA_SHA2_128S_N);
+}
+
+// Implements Algorithm 12: ht_sign function (page 27)
+void slhdsa_ht_sign(
+    uint8_t sig[SLHDSA_SHA2_128S_XMSS_BYTES * SLHDSA_SHA2_128S_D],
+    const uint8_t message[SLHDSA_SHA2_128S_N], uint64_t idx_tree,
+    uint32_t idx_leaf, const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+    const uint8_t pk_seed[SLHDSA_SHA2_128S_N]) {
+  uint8_t addr[32] = {0};
+  slhdsa_set_tree_addr(addr, idx_tree);
+
+  // Layer 0
+  slhdsa_xmss_sign(sig, message, idx_leaf, sk_seed, pk_seed, addr);
+  uint8_t root[SLHDSA_SHA2_128S_N];
+  slhdsa_xmss_pk_from_sig(root, sig, idx_leaf, message, pk_seed, addr);
+  sig += SLHDSA_SHA2_128S_XMSS_BYTES;
+
+  // All other layers
+  for (size_t j = 1; j < SLHDSA_SHA2_128S_D; ++j) {
+    idx_leaf = idx_tree % (1 << SLHDSA_SHA2_128S_TREE_HEIGHT);
+    idx_tree = idx_tree >> SLHDSA_SHA2_128S_TREE_HEIGHT;
+    slhdsa_set_layer_addr(addr, j);
+    slhdsa_set_tree_addr(addr, idx_tree);
+    slhdsa_xmss_sign(sig, root, idx_leaf, sk_seed, pk_seed, addr);
+    if (j < (SLHDSA_SHA2_128S_D - 1)) {
+      slhdsa_xmss_pk_from_sig(root, sig, idx_leaf, root, pk_seed, addr);
+    }
+
+    sig += SLHDSA_SHA2_128S_XMSS_BYTES;
+  }
+}
+
+// Implements Algorithm 13: ht_verify function (page 28)
+int slhdsa_ht_verify(
+    const uint8_t sig[SLHDSA_SHA2_128S_D * SLHDSA_SHA2_128S_XMSS_BYTES],
+    const uint8_t message[SLHDSA_SHA2_128S_N], uint64_t idx_tree,
+    uint32_t idx_leaf, const uint8_t pk_root[SLHDSA_SHA2_128S_N],
+    const uint8_t pk_seed[SLHDSA_SHA2_128S_N]) {
+  uint8_t addr[32] = {0};
+  slhdsa_set_tree_addr(addr, idx_tree);
+
+  uint8_t node[SLHDSA_SHA2_128S_N];
+  slhdsa_xmss_pk_from_sig(node, sig, idx_leaf, message, pk_seed, addr);
+
+  for (size_t j = 1; j < SLHDSA_SHA2_128S_D; ++j) {
+    idx_leaf = idx_tree % (1 << SLHDSA_SHA2_128S_TREE_HEIGHT);
+    idx_tree = idx_tree >> SLHDSA_SHA2_128S_TREE_HEIGHT;
+    slhdsa_set_layer_addr(addr, j);
+    slhdsa_set_tree_addr(addr, idx_tree);
+
+    slhdsa_xmss_pk_from_sig(node, sig + j * SLHDSA_SHA2_128S_XMSS_BYTES,
+                            idx_leaf, node, pk_seed, addr);
+  }
+  return memcmp(node, pk_root, SLHDSA_SHA2_128S_N) == 0;
+}