grpc 1.70.1 → 1.71.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Makefile +43 -79
- data/include/grpc/event_engine/endpoint_config.h +5 -5
- data/include/grpc/event_engine/event_engine.h +44 -5
- data/include/grpc/status.h +1 -1
- data/include/grpc/support/json.h +16 -16
- data/src/core/call/request_buffer.cc +22 -22
- data/src/core/call/request_buffer.h +4 -4
- data/src/core/channelz/channelz.cc +2 -2
- data/src/core/channelz/channelz.h +3 -22
- data/src/core/channelz/channelz_registry.cc +0 -7
- data/src/core/client_channel/client_channel.cc +16 -26
- data/src/core/client_channel/client_channel.h +2 -2
- data/src/core/client_channel/client_channel_filter.cc +54 -131
- data/src/core/client_channel/client_channel_filter.h +10 -6
- data/src/core/client_channel/client_channel_plugin.cc +2 -1
- data/src/core/client_channel/client_channel_service_config.cc +1 -1
- data/src/core/client_channel/client_channel_service_config.h +5 -5
- data/src/core/client_channel/direct_channel.cc +1 -1
- data/src/core/client_channel/direct_channel.h +1 -1
- data/src/core/client_channel/lb_metadata.cc +7 -8
- data/src/core/client_channel/lb_metadata.h +3 -3
- data/src/core/client_channel/load_balanced_call_destination.cc +4 -4
- data/src/core/client_channel/retry_filter.cc +1 -1
- data/src/core/client_channel/retry_filter.h +1 -1
- data/src/core/client_channel/retry_filter_legacy_call_data.cc +10 -12
- data/src/core/client_channel/retry_filter_legacy_call_data.h +7 -7
- data/src/core/client_channel/retry_interceptor.cc +16 -14
- data/src/core/client_channel/retry_interceptor.h +2 -2
- data/src/core/client_channel/retry_service_config.cc +1 -1
- data/src/core/client_channel/retry_service_config.h +3 -3
- data/src/core/client_channel/subchannel.cc +43 -76
- data/src/core/client_channel/subchannel.h +4 -4
- data/src/core/client_channel/subchannel_stream_client.cc +0 -1
- data/src/core/client_channel/subchannel_stream_client.h +3 -3
- data/src/core/config/config_vars.cc +1 -0
- data/src/core/config/config_vars.h +1 -0
- data/src/core/config/load_config.cc +3 -2
- data/src/core/config/load_config.h +1 -1
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +4 -11
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.h +7 -7
- data/src/core/ext/filters/channel_idle/legacy_channel_idle_filter.cc +1 -1
- data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +8 -15
- data/src/core/ext/filters/fault_injection/fault_injection_filter.h +6 -6
- data/src/core/ext/filters/fault_injection/fault_injection_service_config_parser.cc +1 -1
- data/src/core/ext/filters/gcp_authentication/gcp_authentication_filter.cc +0 -7
- data/src/core/ext/filters/gcp_authentication/gcp_authentication_filter.h +6 -6
- data/src/core/ext/filters/gcp_authentication/gcp_authentication_service_config_parser.cc +1 -1
- data/src/core/ext/filters/gcp_authentication/gcp_authentication_service_config_parser.h +1 -1
- data/src/core/ext/filters/http/client/http_client_filter.cc +1 -6
- data/src/core/ext/filters/http/client/http_client_filter.h +4 -4
- data/src/core/ext/filters/http/client_authority_filter.cc +6 -11
- data/src/core/ext/filters/http/client_authority_filter.h +6 -6
- data/src/core/ext/filters/http/message_compress/compression_filter.cc +18 -22
- data/src/core/ext/filters/http/message_compress/compression_filter.h +18 -13
- data/src/core/ext/filters/http/server/http_server_filter.cc +3 -8
- data/src/core/ext/filters/http/server/http_server_filter.h +4 -4
- data/src/core/ext/filters/message_size/message_size_filter.cc +13 -25
- data/src/core/ext/filters/message_size/message_size_filter.h +20 -21
- data/src/core/ext/filters/rbac/rbac_filter.cc +0 -7
- data/src/core/ext/filters/rbac/rbac_filter.h +6 -6
- data/src/core/ext/filters/rbac/rbac_service_config_parser.cc +3 -3
- data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +1 -6
- data/src/core/ext/filters/stateful_session/stateful_session_filter.h +4 -4
- data/src/core/ext/filters/stateful_session/stateful_session_service_config_parser.cc +1 -1
- data/src/core/ext/filters/stateful_session/stateful_session_service_config_parser.h +2 -2
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +1 -2
- data/src/core/ext/transport/chttp2/client/chttp2_connector.h +4 -3
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +30 -20
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +5 -5
- data/src/core/ext/transport/chttp2/transport/bin_decoder.cc +1 -1
- data/src/core/ext/transport/chttp2/transport/call_tracer_wrapper.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/call_tracer_wrapper.h +4 -4
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +84 -59
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +7 -7
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +1 -1
- data/src/core/ext/transport/chttp2/transport/flow_control.h +3 -3
- data/src/core/ext/transport/chttp2/transport/frame.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/frame.h +5 -5
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +8 -8
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +5 -5
- data/src/core/ext/transport/chttp2/transport/hpack_parse_result.h +2 -2
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +32 -31
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +6 -7
- data/src/core/ext/transport/chttp2/transport/http2_settings.cc +3 -3
- data/src/core/ext/transport/chttp2/transport/http2_settings.h +2 -2
- data/src/core/ext/transport/chttp2/transport/internal.h +19 -8
- data/src/core/ext/transport/chttp2/transport/parsing.cc +14 -14
- data/src/core/ext/transport/chttp2/transport/ping_abuse_policy.cc +1 -1
- data/src/core/ext/transport/chttp2/transport/ping_callbacks.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/ping_callbacks.h +2 -2
- data/src/core/ext/transport/chttp2/transport/ping_rate_policy.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/ping_rate_policy.h +2 -2
- data/src/core/ext/transport/chttp2/transport/stream_lists.cc +1 -39
- data/src/core/ext/transport/chttp2/transport/varint.cc +4 -4
- data/src/core/ext/transport/chttp2/transport/writing.cc +16 -22
- data/src/core/ext/transport/inproc/inproc_transport.cc +1 -3
- data/src/core/ext/transport/inproc/legacy_inproc_transport.cc +15 -10
- data/src/core/ext/upb-gen/envoy/admin/v3/server_info.upb.h +16 -0
- data/src/core/ext/upb-gen/envoy/admin/v3/server_info.upb_minitable.c +3 -2
- data/src/core/ext/upb-gen/envoy/config/core/v3/protocol.upb.h +30 -0
- data/src/core/ext/upb-gen/envoy/config/core/v3/protocol.upb_minitable.c +5 -3
- data/src/core/ext/upb-gen/envoy/config/route/v3/route_components.upb.h +118 -0
- data/src/core/ext/upb-gen/envoy/config/route/v3/route_components.upb_minitable.c +31 -6
- data/src/core/ext/upb-gen/envoy/config/route/v3/route_components.upb_minitable.h +2 -0
- data/src/core/ext/upb-gen/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.upb.h +37 -7
- data/src/core/ext/upb-gen/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.upb_minitable.c +7 -5
- data/src/core/ext/upb-gen/envoy/type/matcher/v3/address.upb.h +142 -0
- data/src/core/ext/upb-gen/envoy/type/matcher/v3/address.upb_minitable.c +55 -0
- data/src/core/ext/upb-gen/envoy/type/matcher/v3/address.upb_minitable.h +32 -0
- data/src/core/ext/upb-gen/envoy/type/matcher/v3/filter_state.upb.h +33 -0
- data/src/core/ext/upb-gen/envoy/type/matcher/v3/filter_state.upb_minitable.c +7 -4
- data/src/core/ext/upbdefs-gen/envoy/admin/v3/server_info.upbdefs.c +6 -4
- data/src/core/ext/upbdefs-gen/envoy/config/core/v3/protocol.upbdefs.c +50 -47
- data/src/core/ext/upbdefs-gen/envoy/config/route/v3/route_components.upbdefs.c +210 -199
- data/src/core/ext/upbdefs-gen/envoy/config/route/v3/route_components.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-gen/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c +33 -33
- data/src/core/ext/upbdefs-gen/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.upbdefs.c +19 -17
- data/src/core/ext/upbdefs-gen/envoy/type/matcher/v3/address.upbdefs.c +41 -0
- data/src/core/ext/upbdefs-gen/envoy/type/matcher/v3/address.upbdefs.h +33 -0
- data/src/core/ext/upbdefs-gen/envoy/type/matcher/v3/filter_state.upbdefs.c +26 -19
- data/src/core/filter/blackboard.cc +2 -2
- data/src/core/filter/filter_args.h +2 -2
- data/src/core/handshaker/handshaker.cc +0 -3
- data/src/core/handshaker/http_connect/http_connect_handshaker.cc +3 -5
- data/src/core/handshaker/http_connect/http_proxy_mapper.cc +31 -32
- data/src/core/handshaker/http_connect/http_proxy_mapper.h +4 -4
- data/src/core/handshaker/http_connect/xds_http_proxy_mapper.cc +5 -5
- data/src/core/handshaker/http_connect/xds_http_proxy_mapper.h +5 -5
- data/src/core/handshaker/proxy_mapper.h +4 -4
- data/src/core/handshaker/proxy_mapper_registry.cc +5 -6
- data/src/core/handshaker/proxy_mapper_registry.h +4 -4
- data/src/core/handshaker/security/secure_endpoint.cc +2 -2
- data/src/core/handshaker/security/security_handshaker.cc +3 -5
- data/src/core/handshaker/tcp_connect/tcp_connect_handshaker.cc +6 -4
- data/src/core/lib/channel/channel_args.cc +13 -13
- data/src/core/lib/channel/channel_args.h +8 -8
- data/src/core/lib/channel/connected_channel.cc +1 -1
- data/src/core/lib/channel/promise_based_filter.cc +9 -9
- data/src/core/lib/channel/promise_based_filter.h +79 -80
- data/src/core/lib/compression/compression.cc +3 -2
- data/src/core/lib/compression/compression_internal.cc +9 -9
- data/src/core/lib/compression/compression_internal.h +3 -3
- data/src/core/lib/debug/trace_flags.cc +3 -2
- data/src/core/lib/debug/trace_flags.h +1 -1
- data/src/core/lib/event_engine/ares_resolver.cc +9 -11
- data/src/core/lib/event_engine/ares_resolver.h +6 -10
- data/src/core/lib/event_engine/cf_engine/cf_engine.cc +2 -4
- data/src/core/lib/event_engine/cf_engine/cf_engine.h +2 -4
- data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.cc +6 -7
- data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.h +2 -4
- data/src/core/lib/event_engine/cf_engine/cftype_unique_ref.h +2 -4
- data/src/core/lib/event_engine/cf_engine/dns_service_resolver.cc +3 -7
- data/src/core/lib/event_engine/cf_engine/dns_service_resolver.h +2 -4
- data/src/core/lib/event_engine/channel_args_endpoint_config.cc +5 -7
- data/src/core/lib/event_engine/channel_args_endpoint_config.h +6 -7
- data/src/core/lib/event_engine/common_closures.h +2 -4
- data/src/core/lib/event_engine/default_event_engine.cc +62 -33
- data/src/core/lib/event_engine/default_event_engine.h +24 -33
- data/src/core/lib/event_engine/default_event_engine_factory.cc +6 -12
- data/src/core/lib/event_engine/default_event_engine_factory.h +2 -4
- data/src/core/lib/event_engine/event_engine.cc +2 -4
- data/src/core/lib/event_engine/extensions/can_track_errors.h +2 -4
- data/src/core/lib/event_engine/extensions/chaotic_good_extension.h +2 -4
- data/src/core/lib/event_engine/extensions/supports_fd.h +2 -4
- data/src/core/lib/event_engine/extensions/tcp_trace.h +2 -4
- data/src/core/lib/event_engine/forkable.cc +2 -4
- data/src/core/lib/event_engine/forkable.h +2 -4
- data/src/core/lib/event_engine/grpc_polled_fd.h +2 -4
- data/src/core/lib/event_engine/handle_containers.h +2 -4
- data/src/core/lib/event_engine/memory_allocator_factory.h +2 -4
- data/src/core/lib/event_engine/poller.h +2 -4
- data/src/core/lib/event_engine/posix.h +2 -4
- data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.cc +4 -50
- data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.h +2 -4
- data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +4 -51
- data/src/core/lib/event_engine/posix_engine/ev_poll_posix.h +2 -4
- data/src/core/lib/event_engine/posix_engine/event_poller.h +2 -4
- data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +2 -4
- data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.h +2 -4
- data/src/core/lib/event_engine/posix_engine/grpc_polled_fd_posix.h +2 -4
- data/src/core/lib/event_engine/posix_engine/internal_errqueue.cc +2 -4
- data/src/core/lib/event_engine/posix_engine/internal_errqueue.h +2 -4
- data/src/core/lib/event_engine/posix_engine/lockfree_event.cc +2 -4
- data/src/core/lib/event_engine/posix_engine/lockfree_event.h +2 -4
- data/src/core/lib/event_engine/posix_engine/native_posix_dns_resolver.cc +2 -4
- data/src/core/lib/event_engine/posix_engine/native_posix_dns_resolver.h +2 -4
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +6 -10
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +2 -4
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +2 -4
- data/src/core/lib/event_engine/posix_engine/posix_engine.h +2 -4
- data/src/core/lib/event_engine/posix_engine/posix_engine_closure.h +2 -4
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +3 -5
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +2 -4
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener_utils.cc +2 -4
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener_utils.h +2 -4
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +5 -6
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +2 -4
- data/src/core/lib/event_engine/posix_engine/timer.cc +4 -6
- data/src/core/lib/event_engine/posix_engine/timer.h +4 -6
- data/src/core/lib/event_engine/posix_engine/timer_heap.cc +2 -4
- data/src/core/lib/event_engine/posix_engine/timer_heap.h +2 -4
- data/src/core/lib/event_engine/posix_engine/timer_manager.cc +5 -7
- data/src/core/lib/event_engine/posix_engine/timer_manager.h +4 -6
- data/src/core/lib/event_engine/posix_engine/traced_buffer_list.cc +4 -8
- data/src/core/lib/event_engine/posix_engine/traced_buffer_list.h +24 -25
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_eventfd.cc +2 -4
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_eventfd.h +2 -4
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_pipe.cc +2 -4
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_pipe.h +2 -4
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_posix.h +2 -4
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_posix_default.cc +2 -4
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_posix_default.h +2 -4
- data/src/core/lib/event_engine/query_extensions.h +2 -4
- data/src/core/lib/event_engine/ref_counted_dns_resolver_interface.h +2 -4
- data/src/core/lib/event_engine/resolved_address.cc +2 -4
- data/src/core/lib/event_engine/resolved_address_internal.h +2 -4
- data/src/core/lib/event_engine/shim.cc +2 -4
- data/src/core/lib/event_engine/shim.h +2 -4
- data/src/core/lib/event_engine/slice.cc +2 -4
- data/src/core/lib/event_engine/slice_buffer.cc +2 -4
- data/src/core/lib/event_engine/tcp_socket_utils.cc +6 -8
- data/src/core/lib/event_engine/tcp_socket_utils.h +5 -7
- data/src/core/lib/event_engine/thread_local.cc +2 -4
- data/src/core/lib/event_engine/thread_local.h +2 -4
- data/src/core/lib/event_engine/thread_pool/thread_count.cc +2 -4
- data/src/core/lib/event_engine/thread_pool/thread_count.h +4 -18
- data/src/core/lib/event_engine/thread_pool/thread_pool.h +2 -4
- data/src/core/lib/event_engine/thread_pool/thread_pool_factory.cc +2 -4
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +3 -5
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.h +2 -4
- data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.cc +2 -4
- data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.h +2 -4
- data/src/core/lib/event_engine/time_util.cc +2 -4
- data/src/core/lib/event_engine/time_util.h +2 -4
- data/src/core/lib/event_engine/utils.cc +2 -4
- data/src/core/lib/event_engine/utils.h +2 -4
- data/src/core/lib/event_engine/windows/grpc_polled_fd_windows.cc +2 -4
- data/src/core/lib/event_engine/windows/grpc_polled_fd_windows.h +2 -4
- data/src/core/lib/event_engine/windows/iocp.cc +2 -4
- data/src/core/lib/event_engine/windows/iocp.h +2 -4
- data/src/core/lib/event_engine/windows/native_windows_dns_resolver.cc +2 -4
- data/src/core/lib/event_engine/windows/native_windows_dns_resolver.h +2 -4
- data/src/core/lib/event_engine/windows/win_socket.cc +2 -4
- data/src/core/lib/event_engine/windows/win_socket.h +2 -4
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +2 -4
- data/src/core/lib/event_engine/windows/windows_endpoint.h +4 -6
- data/src/core/lib/event_engine/windows/windows_engine.cc +2 -4
- data/src/core/lib/event_engine/windows/windows_engine.h +2 -4
- data/src/core/lib/event_engine/windows/windows_listener.cc +2 -4
- data/src/core/lib/event_engine/windows/windows_listener.h +2 -4
- data/src/core/lib/event_engine/work_queue/basic_work_queue.cc +2 -4
- data/src/core/lib/event_engine/work_queue/basic_work_queue.h +2 -4
- data/src/core/lib/event_engine/work_queue/work_queue.h +2 -4
- data/src/core/lib/experiments/experiments.cc +102 -213
- data/src/core/lib/experiments/experiments.h +53 -89
- data/src/core/lib/iomgr/buffer_list.h +22 -21
- data/src/core/lib/iomgr/cfstream_handle.cc +0 -2
- data/src/core/lib/iomgr/closure.h +1 -4
- data/src/core/lib/iomgr/combiner.cc +0 -1
- data/src/core/lib/iomgr/error.cc +2 -2
- data/src/core/lib/iomgr/event_engine_shims/closure.cc +0 -1
- data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +0 -2
- data/src/core/lib/iomgr/event_engine_shims/tcp_client.cc +0 -1
- data/src/core/lib/iomgr/exec_ctx.cc +1 -7
- data/src/core/lib/iomgr/exec_ctx.h +1 -132
- data/src/core/lib/iomgr/executor.cc +0 -11
- data/src/core/lib/iomgr/resolve_address_posix.cc +0 -2
- data/src/core/lib/iomgr/resolve_address_windows.cc +0 -2
- data/src/core/lib/iomgr/socket_utils_posix.cc +3 -2
- data/src/core/lib/iomgr/tcp_posix.cc +3 -2
- data/src/core/lib/iomgr/tcp_server_posix.cc +1 -3
- data/src/core/lib/iomgr/tcp_server_windows.cc +0 -1
- data/src/core/lib/iomgr/timer_manager.cc +1 -9
- data/src/core/lib/promise/activity.h +4 -4
- data/src/core/lib/promise/detail/join_state.h +16 -68
- data/src/core/lib/promise/detail/promise_factory.h +85 -25
- data/src/core/lib/promise/detail/promise_like.h +16 -19
- data/src/core/lib/promise/detail/seq_state.h +102 -315
- data/src/core/lib/promise/for_each.h +14 -5
- data/src/core/lib/promise/if.h +48 -20
- data/src/core/lib/promise/interceptor_list.h +9 -9
- data/src/core/lib/promise/latch.h +14 -6
- data/src/core/lib/promise/loop.h +58 -18
- data/src/core/lib/promise/map.h +103 -49
- data/src/core/lib/promise/party.cc +48 -14
- data/src/core/lib/promise/party.h +216 -27
- data/src/core/lib/promise/pipe.h +12 -12
- data/src/core/lib/promise/poll.h +8 -5
- data/src/core/lib/promise/prioritized_race.h +16 -22
- data/src/core/lib/promise/promise.h +2 -3
- data/src/core/lib/promise/race.h +4 -12
- data/src/core/lib/promise/seq.h +41 -6
- data/src/core/lib/promise/sleep.cc +3 -3
- data/src/core/lib/promise/sleep.h +14 -1
- data/src/core/lib/promise/status_flag.h +9 -3
- data/src/core/lib/promise/try_join.h +119 -5
- data/src/core/lib/promise/try_seq.h +39 -12
- data/src/core/lib/resource_quota/arena.h +79 -0
- data/src/core/lib/resource_quota/memory_quota.cc +53 -49
- data/src/core/lib/resource_quota/memory_quota.h +4 -4
- data/src/core/lib/security/authorization/evaluate_args.cc +3 -3
- data/src/core/lib/security/authorization/evaluate_args.h +3 -3
- data/src/core/lib/security/authorization/grpc_server_authz_filter.cc +0 -7
- data/src/core/lib/security/authorization/grpc_server_authz_filter.h +6 -6
- data/src/core/lib/security/authorization/matchers.h +3 -3
- data/src/core/lib/security/authorization/rbac_policy.cc +1 -1
- data/src/core/lib/security/authorization/rbac_policy.h +3 -3
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +1 -2
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +1 -3
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +0 -1
- data/src/core/lib/security/credentials/google_default/credentials_generic.cc +1 -1
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +2 -2
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +1 -1
- data/src/core/lib/security/credentials/iam/iam_credentials.h +2 -2
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +1 -2
- data/src/core/lib/security/credentials/jwt/jwt_credentials.h +2 -2
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +0 -1
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +4 -4
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +3 -3
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +0 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +2 -2
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc +12 -13
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h +14 -14
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +23 -15
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +3 -3
- data/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc +0 -1
- data/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h +1 -2
- data/src/core/lib/security/credentials/tls/tls_credentials.cc +2 -2
- data/src/core/lib/security/credentials/token_fetcher/token_fetcher_credentials.cc +4 -5
- data/src/core/lib/security/credentials/token_fetcher/token_fetcher_credentials.h +4 -4
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +2 -1
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +1 -1
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +3 -3
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +1 -1
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +9 -9
- data/src/core/lib/security/security_connector/tls/tls_security_connector.h +13 -13
- data/src/core/lib/security/transport/auth_filters.h +95 -7
- data/src/core/lib/security/transport/client_auth_filter.cc +96 -6
- data/src/core/lib/security/transport/server_auth_filter.cc +0 -8
- data/src/core/lib/slice/slice_buffer.cc +2 -2
- data/src/core/lib/slice/slice_buffer.h +2 -2
- data/src/core/lib/surface/call.cc +0 -4
- data/src/core/lib/surface/call.h +4 -3
- data/src/core/lib/surface/call_utils.cc +2 -2
- data/src/core/lib/surface/call_utils.h +8 -4
- data/src/core/lib/surface/channel.cc +6 -14
- data/src/core/lib/surface/channel.h +3 -3
- data/src/core/lib/surface/channel_init.cc +1 -1
- data/src/core/lib/surface/client_call.cc +13 -6
- data/src/core/lib/surface/client_call.h +2 -2
- data/src/core/lib/surface/completion_queue.cc +10 -49
- data/src/core/lib/surface/filter_stack_call.cc +2 -4
- data/src/core/lib/surface/filter_stack_call.h +1 -1
- data/src/core/lib/surface/init.cc +17 -12
- data/src/core/lib/surface/legacy_channel.cc +10 -8
- data/src/core/lib/surface/legacy_channel.h +2 -2
- data/src/core/lib/surface/server_call.cc +23 -6
- data/src/core/lib/surface/server_call.h +2 -0
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/call_filters.h +100 -59
- data/src/core/lib/transport/call_spine.cc +32 -34
- data/src/core/lib/transport/call_spine.h +66 -23
- data/src/core/lib/transport/call_state.h +8 -8
- data/src/core/lib/transport/connectivity_state.cc +8 -9
- data/src/core/lib/transport/connectivity_state.h +2 -4
- data/src/core/lib/transport/http2_errors.h +5 -3
- data/src/core/lib/transport/interception_chain.h +27 -7
- data/src/core/lib/transport/metadata.h +88 -0
- data/src/core/lib/transport/metadata_batch.cc +2 -2
- data/src/core/lib/transport/metadata_batch.h +79 -18
- data/src/core/lib/transport/timeout_encoding.cc +15 -15
- data/src/core/lib/transport/timeout_encoding.h +3 -2
- data/src/core/lib/transport/transport.cc +0 -1
- data/src/core/lib/transport/transport.h +12 -7
- data/src/core/load_balancing/backend_metric_parser.cc +21 -28
- data/src/core/load_balancing/endpoint_list.cc +1 -1
- data/src/core/load_balancing/endpoint_list.h +7 -7
- data/src/core/load_balancing/grpclb/client_load_reporting_filter.cc +1 -6
- data/src/core/load_balancing/grpclb/client_load_reporting_filter.h +4 -4
- data/src/core/load_balancing/grpclb/grpclb.cc +21 -38
- data/src/core/load_balancing/health_check_client.cc +16 -48
- data/src/core/load_balancing/health_check_client_internal.h +7 -7
- data/src/core/load_balancing/lb_policy.cc +4 -6
- data/src/core/load_balancing/lb_policy.h +4 -4
- data/src/core/load_balancing/lb_policy_registry.cc +10 -8
- data/src/core/load_balancing/outlier_detection/outlier_detection.cc +57 -68
- data/src/core/load_balancing/outlier_detection/outlier_detection.h +4 -3
- data/src/core/load_balancing/pick_first/pick_first.cc +21 -21
- data/src/core/load_balancing/priority/priority.cc +8 -13
- data/src/core/load_balancing/ring_hash/ring_hash.cc +54 -90
- data/src/core/load_balancing/rls/rls.cc +105 -194
- data/src/core/load_balancing/rls/rls.h +97 -1
- data/src/core/load_balancing/round_robin/round_robin.cc +5 -5
- data/src/core/load_balancing/weighted_round_robin/static_stride_scheduler.cc +4 -4
- data/src/core/load_balancing/weighted_round_robin/static_stride_scheduler.h +2 -2
- data/src/core/load_balancing/weighted_round_robin/weighted_round_robin.cc +8 -14
- data/src/core/load_balancing/weighted_target/weighted_target.cc +7 -15
- data/src/core/load_balancing/xds/cds.cc +11 -15
- data/src/core/load_balancing/xds/xds_cluster_impl.cc +15 -18
- data/src/core/load_balancing/xds/xds_cluster_manager.cc +10 -18
- data/src/core/load_balancing/xds/xds_override_host.cc +45 -92
- data/src/core/load_balancing/xds/xds_wrr_locality.cc +10 -12
- data/src/core/resolver/dns/c_ares/dns_resolver_ares.cc +7 -7
- data/src/core/resolver/dns/event_engine/event_engine_client_channel_resolver.cc +10 -15
- data/src/core/resolver/dns/native/dns_resolver.cc +1 -1
- data/src/core/resolver/fake/fake_resolver.cc +10 -11
- data/src/core/resolver/fake/fake_resolver.h +2 -2
- data/src/core/resolver/google_c2p/google_c2p_resolver.cc +9 -12
- data/src/core/resolver/polling_resolver.cc +2 -5
- data/src/core/resolver/polling_resolver.h +3 -3
- data/src/core/resolver/resolver_registry.cc +4 -3
- data/src/core/resolver/xds/xds_config.cc +6 -6
- data/src/core/resolver/xds/xds_config.h +2 -2
- data/src/core/resolver/xds/xds_dependency_manager.cc +80 -77
- data/src/core/resolver/xds/xds_dependency_manager.h +4 -0
- data/src/core/resolver/xds/xds_resolver.cc +53 -75
- data/src/core/server/server.cc +71 -79
- data/src/core/server/server.h +16 -5
- data/src/core/server/server_call_tracer_filter.cc +3 -7
- data/src/core/server/server_config_selector_filter.cc +8 -15
- data/src/core/server/xds_server_config_fetcher.cc +16 -18
- data/src/core/service_config/service_config_channel_arg_filter.cc +7 -19
- data/src/core/service_config/service_config_impl.cc +3 -3
- data/src/core/telemetry/call_tracer.cc +8 -8
- data/src/core/telemetry/call_tracer.h +6 -5
- data/src/core/telemetry/metrics.cc +3 -3
- data/src/core/telemetry/metrics.h +2 -8
- data/src/core/telemetry/tcp_tracer.h +32 -32
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +2 -2
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +14 -14
- data/src/core/tsi/fake_transport_security.cc +5 -0
- data/src/core/util/dump_args.h +1 -9
- data/src/core/util/env.h +3 -4
- data/src/core/util/examine_stack.cc +2 -2
- data/src/core/util/examine_stack.h +3 -4
- data/src/core/util/gpr_time.cc +0 -2
- data/src/core/util/http_client/httpcli.cc +4 -5
- data/src/core/util/http_client/httpcli.h +4 -4
- data/src/core/util/http_client/httpcli_security_connector.cc +2 -2
- data/src/core/util/json/json_channel_args.h +2 -1
- data/src/core/util/json/json_object_loader.cc +4 -4
- data/src/core/util/json/json_object_loader.h +12 -12
- data/src/core/util/json/json_reader.cc +4 -4
- data/src/core/util/json/json_writer.cc +3 -3
- data/src/core/util/latent_see.cc +3 -3
- data/src/core/util/latent_see.h +2 -2
- data/src/core/util/linux/env.cc +3 -4
- data/src/core/util/lru_cache.h +4 -4
- data/src/core/util/match.h +7 -7
- data/src/core/util/matchers.cc +1 -2
- data/src/core/util/matchers.h +2 -2
- data/src/core/util/posix/env.cc +2 -2
- data/src/core/util/posix/sync.cc +0 -1
- data/src/core/util/posix/time.cc +0 -1
- data/src/core/util/ring_buffer.h +4 -5
- data/src/core/util/status_helper.cc +16 -20
- data/src/core/util/status_helper.h +5 -5
- data/src/core/util/sync_abseil.cc +0 -1
- data/src/core/util/table.h +6 -21
- data/src/core/util/time.cc +1 -1
- data/src/core/util/time.h +3 -3
- data/src/core/util/time_precise.cc +0 -1
- data/src/core/util/type_list.h +56 -0
- data/src/core/util/uri.cc +6 -4
- data/src/core/util/uri.h +7 -0
- data/src/core/util/useful.h +4 -4
- data/src/core/util/validation_errors.cc +5 -5
- data/src/core/util/wait_for_single_owner.h +62 -0
- data/src/core/util/windows/env.cc +3 -3
- data/src/core/util/windows/sync.cc +0 -1
- data/src/core/util/windows/time.cc +0 -1
- data/src/core/util/work_serializer.cc +27 -267
- data/src/core/util/work_serializer.h +3 -27
- data/src/core/xds/grpc/certificate_provider_store.cc +12 -17
- data/src/core/xds/grpc/file_watcher_certificate_provider_factory.cc +2 -2
- data/src/core/xds/grpc/xds_audit_logger_registry.cc +1 -1
- data/src/core/xds/grpc/xds_bootstrap_grpc.cc +11 -14
- data/src/core/xds/grpc/xds_bootstrap_grpc.h +2 -2
- data/src/core/xds/grpc/xds_certificate_provider.cc +15 -15
- data/src/core/xds/grpc/xds_client_grpc.cc +7 -8
- data/src/core/xds/grpc/xds_cluster.h +4 -4
- data/src/core/xds/grpc/xds_cluster_parser.cc +26 -26
- data/src/core/xds/grpc/xds_cluster_specifier_plugin.cc +4 -4
- data/src/core/xds/grpc/xds_common_types.cc +2 -2
- data/src/core/xds/grpc/xds_common_types.h +4 -4
- data/src/core/xds/grpc/xds_common_types_parser.cc +29 -31
- data/src/core/xds/grpc/xds_common_types_parser.h +8 -7
- data/src/core/xds/grpc/xds_endpoint.cc +3 -4
- data/src/core/xds/grpc/xds_endpoint_parser.cc +14 -14
- data/src/core/xds/grpc/xds_health_status.cc +4 -4
- data/src/core/xds/grpc/xds_health_status.h +4 -3
- data/src/core/xds/grpc/xds_http_fault_filter.cc +18 -20
- data/src/core/xds/grpc/xds_http_fault_filter.h +4 -3
- data/src/core/xds/grpc/xds_http_filter.h +3 -3
- data/src/core/xds/grpc/xds_http_filter_registry.cc +7 -7
- data/src/core/xds/grpc/xds_http_filter_registry.h +3 -3
- data/src/core/xds/grpc/xds_http_gcp_authn_filter.cc +7 -7
- data/src/core/xds/grpc/xds_http_gcp_authn_filter.h +4 -3
- data/src/core/xds/grpc/xds_http_rbac_filter.cc +30 -23
- data/src/core/xds/grpc/xds_http_rbac_filter.h +4 -3
- data/src/core/xds/grpc/xds_http_stateful_session_filter.cc +10 -10
- data/src/core/xds/grpc/xds_http_stateful_session_filter.h +4 -3
- data/src/core/xds/grpc/xds_lb_policy_registry.cc +4 -4
- data/src/core/xds/grpc/xds_listener.cc +4 -6
- data/src/core/xds/grpc/xds_listener.h +10 -10
- data/src/core/xds/grpc/xds_listener_parser.cc +58 -51
- data/src/core/xds/grpc/xds_listener_parser.h +2 -1
- data/src/core/xds/grpc/xds_metadata.cc +5 -5
- data/src/core/xds/grpc/xds_metadata_parser.cc +65 -52
- data/src/core/xds/grpc/xds_route_config.cc +9 -15
- data/src/core/xds/grpc/xds_route_config.h +9 -9
- data/src/core/xds/grpc/xds_route_config_parser.cc +114 -116
- data/src/core/xds/grpc/xds_route_config_parser.h +4 -4
- data/src/core/xds/grpc/xds_routing.cc +6 -6
- data/src/core/xds/grpc/xds_routing.h +5 -5
- data/src/core/xds/grpc/xds_server_grpc.cc +22 -1
- data/src/core/xds/grpc/xds_server_grpc.h +5 -2
- data/src/core/xds/grpc/xds_server_grpc_interface.h +33 -0
- data/src/core/xds/grpc/xds_transport_grpc.cc +5 -6
- data/src/core/xds/xds_client/lrs_client.cc +71 -83
- data/src/core/xds/xds_client/lrs_client.h +8 -8
- data/src/core/xds/xds_client/xds_api.cc +5 -5
- data/src/core/xds/xds_client/xds_bootstrap.cc +11 -1
- data/src/core/xds/xds_client/xds_bootstrap.h +7 -0
- data/src/core/xds/xds_client/xds_client.cc +552 -359
- data/src/core/xds/xds_client/xds_client.h +39 -14
- data/src/core/xds/xds_client/xds_resource_type.h +2 -3
- data/src/core/xds/xds_client/xds_resource_type_impl.h +3 -3
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.cc +17 -59
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.cc +41 -76
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.cc +17 -91
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +13 -57
- data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/bcm_support.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.cc +16 -57
- data/third_party/boringssl-with-bazel/src/crypto/bio/errno.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.cc +14 -56
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.cc +14 -56
- data/third_party/boringssl-with-bazel/src/crypto/bio/hexdump.cc +18 -58
- data/third_party/boringssl-with-bazel/src/crypto/bio/internal.h +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.cc +15 -51
- data/third_party/boringssl-with-bazel/src/crypto/bio/printf.cc +17 -60
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/{bn_extra → bn}/bn_asn1.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/{bn_extra → bn}/convert.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/buf/buf.cc +14 -57
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.cc +23 -15
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/unicode.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/chacha/internal.h +18 -18
- data/third_party/boringssl-with-bazel/src/crypto/cipher/derive_key.cc +110 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → cipher}/e_aesctrhmac.cc +18 -23
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → cipher}/e_aesgcmsiv.cc +20 -13
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → cipher}/e_chacha20poly1305.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → cipher}/e_des.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/cipher/e_null.cc +51 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → cipher}/e_rc2.cc +27 -69
- data/third_party/boringssl-with-bazel/src/crypto/cipher/e_rc4.cc +54 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → cipher}/e_tls.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/cipher/get_cipher.cc +85 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → cipher}/internal.h +29 -69
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → cipher}/tls_cbc.cc +13 -51
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf.cc +14 -58
- data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_fuchsia.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_linux.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_openbsd.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_sysreg.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_win.cc +14 -14
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_linux.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_linux.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_intel.cc +13 -67
- data/third_party/boringssl-with-bazel/src/crypto/crypto.cc +14 -14
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_64_adx.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_tables.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.cc +15 -13
- data/third_party/boringssl-with-bazel/src/crypto/des/des.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/des/internal.h +27 -69
- data/third_party/boringssl-with-bazel/src/crypto/dh/dh_asn1.cc +124 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh_extra → dh}/params.cc +13 -51
- data/third_party/boringssl-with-bazel/src/crypto/{digest_extra → digest}/digest_extra.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.cc +13 -58
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.cc +13 -53
- data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/{ec_extra → ec}/ec_asn1.cc +24 -61
- data/third_party/boringssl-with-bazel/src/crypto/{ec_extra → ec}/ec_derive.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/{ec_extra → ec}/hash_to_curve.cc +14 -14
- data/third_party/boringssl-with-bazel/src/crypto/{ec_extra → ec}/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/ecdh/ecdh.cc +73 -0
- data/third_party/boringssl-with-bazel/src/crypto/{ecdsa_extra → ecdsa}/ecdsa_asn1.cc +17 -61
- data/third_party/boringssl-with-bazel/src/crypto/engine/engine.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/err/err.cc +17 -107
- data/third_party/boringssl-with-bazel/src/crypto/err/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.cc +29 -79
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.cc +122 -198
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dh.cc +15 -8
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dh_asn1.cc +13 -8
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.cc +56 -110
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.cc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.cc +20 -66
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.cc +19 -57
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.cc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/evp/pbkdf.cc +29 -77
- data/third_party/boringssl-with-bazel/src/crypto/evp/print.cc +13 -51
- data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.cc +13 -8
- data/third_party/boringssl-with-bazel/src/crypto/evp/sign.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/ex_data.cc +13 -107
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.cc.inc +112 -48
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/{modes → aes}/cbc.cc.inc +13 -47
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/{modes → aes}/cfb.cc.inc +13 -47
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/ctr.cc.inc +100 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/{modes → aes}/gcm.cc.inc +127 -314
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/{modes → aes}/gcm_nohw.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +419 -66
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.cc.inc +13 -47
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.cc.inc +13 -53
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/ofb.cc.inc +53 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/{modes → aes}/polyval.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.cc +28 -20
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm_interface.h +501 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/add.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc +15 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.cc.inc +16 -57
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.cc.inc +16 -109
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.cc.inc +13 -107
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +25 -134
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/jacobi.cc.inc +13 -51
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.cc.inc +14 -109
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.cc.inc +13 -107
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.cc.inc +13 -107
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.cc.inc +18 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +20 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.cc.inc +13 -53
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.cc.inc +14 -56
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.cc.inc +69 -283
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aesccm.cc.inc +21 -58
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +14 -65
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cmac/cmac.cc.inc +13 -47
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/delocate.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/internal.h +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/md32_common.h +13 -47
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digestsign/digestsign.cc.inc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/builtin_curves.h +91 -91
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.cc.inc +14 -66
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.cc.inc +14 -72
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.cc.inc +14 -66
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/felem.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +19 -66
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.cc.inc +14 -66
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz-table.h +15 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.cc.inc +22 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.h +22 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.cc.inc +21 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.cc.inc +14 -66
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/util.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.cc.inc +14 -66
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.cc.inc +14 -65
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.cc.inc +13 -51
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/fips_shared_support.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hkdf/hkdf.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/{keccak → fipsmodule/keccak}/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/{keccak/keccak.cc → fipsmodule/keccak/keccak.cc.inc} +14 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/mldsa/mldsa.cc.inc +1993 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/mlkem/mlkem.cc.inc +1165 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.cc.inc +18 -25
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +18 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.cc.inc +15 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.cc.inc +14 -109
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +13 -56
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.cc.inc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.cc.inc +18 -77
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.cc.inc +38 -90
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +34 -34
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.cc.inc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +44 -56
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.cc.inc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/{slhdsa → fipsmodule/slhdsa}/address.h +28 -32
- data/third_party/boringssl-with-bazel/src/crypto/{slhdsa/fors.cc → fipsmodule/slhdsa/fors.cc.inc} +44 -44
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/slhdsa/fors.h +58 -0
- data/third_party/boringssl-with-bazel/src/crypto/{slhdsa/merkle.cc → fipsmodule/slhdsa/merkle.cc.inc} +46 -46
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/slhdsa/merkle.h +70 -0
- data/third_party/boringssl-with-bazel/src/crypto/{slhdsa → fipsmodule/slhdsa}/params.h +20 -25
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/slhdsa/slhdsa.cc.inc +329 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/slhdsa/thash.cc.inc +173 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/slhdsa/thash.h +85 -0
- data/third_party/boringssl-with-bazel/src/crypto/{slhdsa/wots.cc → fipsmodule/slhdsa/wots.cc.inc} +46 -46
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/slhdsa/wots.h +50 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.cc.inc +13 -51
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.cc +21 -13
- data/third_party/boringssl-with-bazel/src/crypto/hrss/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +62 -205
- data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.cc +52 -28
- data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +31 -75
- data/third_party/boringssl-with-bazel/src/crypto/lhash/lhash.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/md4/md4.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/md5/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/md5/md5.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/mem.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/mldsa/mldsa.cc +47 -1747
- data/third_party/boringssl-with-bazel/src/crypto/mlkem/mlkem.cc +97 -1042
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +14 -56
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_xref.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/pem/internal.h +44 -0
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.cc +13 -107
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.cc +18 -58
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.cc +56 -103
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.cc +15 -13
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/internal.h +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/p5_pbev2.cc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.cc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.cc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/pool/pool.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/{rand_extra → rand}/deterministic.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/{rand_extra → rand}/fork_detect.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/rand/forkunsafe.cc +44 -0
- data/third_party/boringssl-with-bazel/src/crypto/{rand_extra → rand}/getentropy.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/{rand_extra → rand}/getrandom_fillin.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/rand/ios.cc +42 -0
- data/third_party/boringssl-with-bazel/src/crypto/{rand_extra → rand}/passive.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/{rand_extra/rand_extra.cc → rand/rand.cc} +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/rand/sysrand_internal.h +37 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand/trusty.cc +46 -0
- data/third_party/boringssl-with-bazel/src/crypto/{rand_extra → rand}/urandom.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/{rand_extra → rand}/windows.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/rc4/rc4.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/refcount.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/rsa/internal.h +36 -0
- data/third_party/boringssl-with-bazel/src/crypto/{rsa_extra → rsa}/rsa_asn1.cc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/{rsa_extra → rsa}/rsa_crypt.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/rsa/rsa_extra.cc +19 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa/rsa_print.cc +27 -0
- data/third_party/boringssl-with-bazel/src/crypto/sha/sha1.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/sha/sha256.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/sha/sha512.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/slhdsa/slhdsa.cc +62 -256
- data/third_party/boringssl-with-bazel/src/crypto/spake2plus/internal.h +204 -0
- data/third_party/boringssl-with-bazel/src/crypto/spake2plus/spake2plus.cc +501 -0
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/thread.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/thread_none.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.cc +14 -14
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.cc +14 -14
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.cc +14 -14
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.cc +14 -56
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.cc +25 -71
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/ext_dat.h +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +13 -57
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/policy.cc +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.cc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_akey.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_akeya.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_alt.cc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_bcons.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_bitst.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_conf.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_cpols.cc +13 -57
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_crld.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_enum.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_extku.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_genn.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_ia5.cc +13 -57
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_info.cc +17 -66
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_int.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_lib.cc +14 -57
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_ncons.cc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_ocsp.cc +13 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_pcons.cc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_pmaps.cc +13 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_prn.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_purp.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_skey.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/v3_utl.cc +17 -70
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.cc +14 -60
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.cc +13 -58
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.cc +13 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.cc +13 -55
- data/third_party/boringssl-with-bazel/src/gen/crypto/err_data.cc +465 -451
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/aes.h +13 -47
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +13 -51
- data/third_party/boringssl-with-bazel/src/include/openssl/asm_base.h +14 -14
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +23 -62
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1_mac.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +14 -56
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +15 -53
- data/third_party/boringssl-with-bazel/src/include/openssl/base64.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/bcm_public.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/blowfish.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +14 -121
- data/third_party/boringssl-with-bazel/src/include/openssl/buf.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/buffer.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +31 -16
- data/third_party/boringssl-with-bazel/src/include/openssl/cast.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/chacha.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +31 -59
- data/third_party/boringssl-with-bazel/src/include/openssl/cmac.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/curve25519.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/des.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +13 -58
- data/third_party/boringssl-with-bazel/src/include/openssl/dtls1.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/e_os2.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +14 -66
- data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +14 -71
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdh.h +14 -65
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +13 -51
- data/third_party/boringssl-with-bazel/src/include/openssl/engine.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +13 -107
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/evp_errors.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +13 -107
- data/third_party/boringssl-with-bazel/src/include/openssl/experimental/kyber.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/hrss.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/is_boringssl.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/lhash.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/md4.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/md5.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/mldsa.h +13 -19
- data/third_party/boringssl-with-bazel/src/include/openssl/mlkem.h +13 -37
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +27 -69
- data/third_party/boringssl-with-bazel/src/include/openssl/obj.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/obj_mac.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/objects.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/opensslv.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/ossl_typ.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +22 -60
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs12.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/poly1305.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/pool.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/posix_time.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/rc4.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/ripemd.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +13 -58
- data/third_party/boringssl-with-bazel/src/include/openssl/safestack.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/sha.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/siphash.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/slhdsa.h +54 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +19 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/srtp.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +198 -174
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +14 -114
- data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/target.h +23 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/time.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +27 -156
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +15 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +13 -55
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +14 -61
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +13 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3_errors.h +13 -53
- data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +13 -8
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +15 -114
- data/third_party/boringssl-with-bazel/src/ssl/d1_lib.cc +13 -55
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +13 -110
- data/third_party/boringssl-with-bazel/src/ssl/d1_srtp.cc +17 -115
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +13 -55
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +16 -115
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +32 -34
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +314 -132
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +19 -16
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +23 -123
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +55 -174
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +26 -157
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +104 -240
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +22 -120
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +16 -148
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +16 -110
- data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +16 -16
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +14 -81
- data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +15 -20
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +14 -113
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +19 -145
- data/third_party/boringssl-with-bazel/src/ssl/ssl_credential.cc +164 -37
- data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +13 -109
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +15 -17
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +51 -184
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +23 -67
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +25 -144
- data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +14 -82
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +20 -143
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +15 -15
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +15 -139
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +28 -156
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +16 -16
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +91 -43
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +68 -80
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +154 -52
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +13 -55
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +15 -109
- metadata +75 -66
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.cc +0 -127
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.cc +0 -152
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.cc +0 -93
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.cc +0 -96
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.cc +0 -165
- data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.cc +0 -124
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.cc.inc +0 -196
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +0 -448
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.cc.inc +0 -87
- data/third_party/boringssl-with-bazel/src/crypto/mldsa/internal.h +0 -76
- data/third_party/boringssl-with-bazel/src/crypto/mlkem/internal.h +0 -90
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/forkunsafe.cc +0 -44
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/ios.cc +0 -42
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/sysrand_internal.h +0 -37
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/trusty.cc +0 -46
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/internal.h +0 -79
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_extra.cc +0 -17
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_print.cc +0 -22
- data/third_party/boringssl-with-bazel/src/crypto/slhdsa/fors.h +0 -58
- data/third_party/boringssl-with-bazel/src/crypto/slhdsa/internal.h +0 -63
- data/third_party/boringssl-with-bazel/src/crypto/slhdsa/merkle.h +0 -70
- data/third_party/boringssl-with-bazel/src/crypto/slhdsa/thash.cc +0 -173
- data/third_party/boringssl-with-bazel/src/crypto/slhdsa/thash.h +0 -85
- data/third_party/boringssl-with-bazel/src/crypto/slhdsa/wots.h +0 -50
|
@@ -0,0 +1,1165 @@
|
|
|
1
|
+
// Copyright 2014 The BoringSSL Authors
|
|
2
|
+
//
|
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
// you may not use this file except in compliance with the License.
|
|
5
|
+
// You may obtain a copy of the License at
|
|
6
|
+
//
|
|
7
|
+
// https://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
//
|
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
// See the License for the specific language governing permissions and
|
|
13
|
+
// limitations under the License.
|
|
14
|
+
|
|
15
|
+
#include <openssl/base.h>
|
|
16
|
+
|
|
17
|
+
#include <assert.h>
|
|
18
|
+
#include <stdint.h>
|
|
19
|
+
#include <stdlib.h>
|
|
20
|
+
#include <string.h>
|
|
21
|
+
|
|
22
|
+
#include <openssl/base.h>
|
|
23
|
+
#include <openssl/bytestring.h>
|
|
24
|
+
#include <openssl/mem.h>
|
|
25
|
+
#include <openssl/rand.h>
|
|
26
|
+
|
|
27
|
+
#include "../../internal.h"
|
|
28
|
+
#include "../bcm_interface.h"
|
|
29
|
+
#include "../keccak/internal.h"
|
|
30
|
+
|
|
31
|
+
|
|
32
|
+
namespace mlkem {
|
|
33
|
+
namespace {
|
|
34
|
+
|
|
35
|
+
// See
|
|
36
|
+
// https://csrc.nist.gov/pubs/fips/203/final
|
|
37
|
+
|
|
38
|
+
static void prf(uint8_t *out, size_t out_len, const uint8_t in[33]) {
|
|
39
|
+
BORINGSSL_keccak(out, out_len, in, 33, boringssl_shake256);
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
// Section 4.1
|
|
43
|
+
void hash_h(uint8_t out[32], const uint8_t *in, size_t len) {
|
|
44
|
+
BORINGSSL_keccak(out, 32, in, len, boringssl_sha3_256);
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
void hash_g(uint8_t out[64], const uint8_t *in, size_t len) {
|
|
48
|
+
BORINGSSL_keccak(out, 64, in, len, boringssl_sha3_512);
|
|
49
|
+
}
|
|
50
|
+
|
|
51
|
+
// This is called `J` in the spec.
|
|
52
|
+
void kdf(uint8_t out[BCM_MLKEM_SHARED_SECRET_BYTES],
|
|
53
|
+
const uint8_t failure_secret[32], const uint8_t *ciphertext,
|
|
54
|
+
size_t ciphertext_len) {
|
|
55
|
+
struct BORINGSSL_keccak_st st;
|
|
56
|
+
BORINGSSL_keccak_init(&st, boringssl_shake256);
|
|
57
|
+
BORINGSSL_keccak_absorb(&st, failure_secret, 32);
|
|
58
|
+
BORINGSSL_keccak_absorb(&st, ciphertext, ciphertext_len);
|
|
59
|
+
BORINGSSL_keccak_squeeze(&st, out, BCM_MLKEM_SHARED_SECRET_BYTES);
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
// Constants that are common across all sizes.
|
|
63
|
+
#define DEGREE 256
|
|
64
|
+
const size_t kBarrettMultiplier = 5039;
|
|
65
|
+
const unsigned kBarrettShift = 24;
|
|
66
|
+
static const uint16_t kPrime = 3329;
|
|
67
|
+
const int kLog2Prime = 12;
|
|
68
|
+
const uint16_t kHalfPrime = (/*kPrime=*/3329 - 1) / 2;
|
|
69
|
+
// kInverseDegree is 128^-1 mod 3329; 128 because kPrime does not have a 512th
|
|
70
|
+
// root of unity.
|
|
71
|
+
const uint16_t kInverseDegree = 3303;
|
|
72
|
+
|
|
73
|
+
// Rank-specific constants.
|
|
74
|
+
#define RANK768 3
|
|
75
|
+
static const int kDU768 = 10;
|
|
76
|
+
const int kDV768 = 4;
|
|
77
|
+
#define RANK1024 4
|
|
78
|
+
static const int kDU1024 = 11;
|
|
79
|
+
const int kDV1024 = 5;
|
|
80
|
+
|
|
81
|
+
constexpr size_t encoded_vector_size(int rank) {
|
|
82
|
+
return (kLog2Prime * DEGREE / 8) * static_cast<size_t>(rank);
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
constexpr size_t encoded_public_key_size(int rank) {
|
|
86
|
+
return encoded_vector_size(rank) + /*sizeof(rho)=*/32;
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
static_assert(encoded_public_key_size(RANK768) == BCM_MLKEM768_PUBLIC_KEY_BYTES,
|
|
90
|
+
"");
|
|
91
|
+
static_assert(encoded_public_key_size(RANK1024) ==
|
|
92
|
+
BCM_MLKEM1024_PUBLIC_KEY_BYTES,
|
|
93
|
+
"");
|
|
94
|
+
|
|
95
|
+
constexpr size_t compressed_vector_size(int rank) {
|
|
96
|
+
// `if constexpr` isn't available in C++17.
|
|
97
|
+
return (rank == RANK768 ? kDU768 : kDU1024) * static_cast<size_t>(rank) *
|
|
98
|
+
DEGREE / 8;
|
|
99
|
+
}
|
|
100
|
+
|
|
101
|
+
constexpr size_t ciphertext_size(int rank) {
|
|
102
|
+
return compressed_vector_size(rank) +
|
|
103
|
+
(rank == RANK768 ? kDV768 : kDV1024) * DEGREE / 8;
|
|
104
|
+
}
|
|
105
|
+
|
|
106
|
+
static_assert(ciphertext_size(RANK768) == BCM_MLKEM768_CIPHERTEXT_BYTES, "");
|
|
107
|
+
static_assert(ciphertext_size(RANK1024) == BCM_MLKEM1024_CIPHERTEXT_BYTES, "");
|
|
108
|
+
|
|
109
|
+
typedef struct scalar {
|
|
110
|
+
// On every function entry and exit, 0 <= c < kPrime.
|
|
111
|
+
uint16_t c[DEGREE];
|
|
112
|
+
} scalar;
|
|
113
|
+
|
|
114
|
+
template <int RANK>
|
|
115
|
+
struct vector {
|
|
116
|
+
scalar v[RANK];
|
|
117
|
+
};
|
|
118
|
+
|
|
119
|
+
template <int RANK>
|
|
120
|
+
struct matrix {
|
|
121
|
+
scalar v[RANK][RANK];
|
|
122
|
+
};
|
|
123
|
+
|
|
124
|
+
// This bit of Python will be referenced in some of the following comments:
|
|
125
|
+
//
|
|
126
|
+
// p = 3329
|
|
127
|
+
//
|
|
128
|
+
// def bitreverse(i):
|
|
129
|
+
// ret = 0
|
|
130
|
+
// for n in range(7):
|
|
131
|
+
// bit = i & 1
|
|
132
|
+
// ret <<= 1
|
|
133
|
+
// ret |= bit
|
|
134
|
+
// i >>= 1
|
|
135
|
+
// return ret
|
|
136
|
+
|
|
137
|
+
// kNTTRoots = [pow(17, bitreverse(i), p) for i in range(128)]
|
|
138
|
+
const uint16_t kNTTRoots[128] = {
|
|
139
|
+
1, 1729, 2580, 3289, 2642, 630, 1897, 848, 1062, 1919, 193, 797,
|
|
140
|
+
2786, 3260, 569, 1746, 296, 2447, 1339, 1476, 3046, 56, 2240, 1333,
|
|
141
|
+
1426, 2094, 535, 2882, 2393, 2879, 1974, 821, 289, 331, 3253, 1756,
|
|
142
|
+
1197, 2304, 2277, 2055, 650, 1977, 2513, 632, 2865, 33, 1320, 1915,
|
|
143
|
+
2319, 1435, 807, 452, 1438, 2868, 1534, 2402, 2647, 2617, 1481, 648,
|
|
144
|
+
2474, 3110, 1227, 910, 17, 2761, 583, 2649, 1637, 723, 2288, 1100,
|
|
145
|
+
1409, 2662, 3281, 233, 756, 2156, 3015, 3050, 1703, 1651, 2789, 1789,
|
|
146
|
+
1847, 952, 1461, 2687, 939, 2308, 2437, 2388, 733, 2337, 268, 641,
|
|
147
|
+
1584, 2298, 2037, 3220, 375, 2549, 2090, 1645, 1063, 319, 2773, 757,
|
|
148
|
+
2099, 561, 2466, 2594, 2804, 1092, 403, 1026, 1143, 2150, 2775, 886,
|
|
149
|
+
1722, 1212, 1874, 1029, 2110, 2935, 885, 2154,
|
|
150
|
+
};
|
|
151
|
+
|
|
152
|
+
// kInverseNTTRoots = [pow(17, -bitreverse(i), p) for i in range(128)]
|
|
153
|
+
const uint16_t kInverseNTTRoots[128] = {
|
|
154
|
+
1, 1600, 40, 749, 2481, 1432, 2699, 687, 1583, 2760, 69, 543,
|
|
155
|
+
2532, 3136, 1410, 2267, 2508, 1355, 450, 936, 447, 2794, 1235, 1903,
|
|
156
|
+
1996, 1089, 3273, 283, 1853, 1990, 882, 3033, 2419, 2102, 219, 855,
|
|
157
|
+
2681, 1848, 712, 682, 927, 1795, 461, 1891, 2877, 2522, 1894, 1010,
|
|
158
|
+
1414, 2009, 3296, 464, 2697, 816, 1352, 2679, 1274, 1052, 1025, 2132,
|
|
159
|
+
1573, 76, 2998, 3040, 1175, 2444, 394, 1219, 2300, 1455, 2117, 1607,
|
|
160
|
+
2443, 554, 1179, 2186, 2303, 2926, 2237, 525, 735, 863, 2768, 1230,
|
|
161
|
+
2572, 556, 3010, 2266, 1684, 1239, 780, 2954, 109, 1292, 1031, 1745,
|
|
162
|
+
2688, 3061, 992, 2596, 941, 892, 1021, 2390, 642, 1868, 2377, 1482,
|
|
163
|
+
1540, 540, 1678, 1626, 279, 314, 1173, 2573, 3096, 48, 667, 1920,
|
|
164
|
+
2229, 1041, 2606, 1692, 680, 2746, 568, 3312,
|
|
165
|
+
};
|
|
166
|
+
|
|
167
|
+
// kModRoots = [pow(17, 2*bitreverse(i) + 1, p) for i in range(128)]
|
|
168
|
+
const uint16_t kModRoots[128] = {
|
|
169
|
+
17, 3312, 2761, 568, 583, 2746, 2649, 680, 1637, 1692, 723, 2606,
|
|
170
|
+
2288, 1041, 1100, 2229, 1409, 1920, 2662, 667, 3281, 48, 233, 3096,
|
|
171
|
+
756, 2573, 2156, 1173, 3015, 314, 3050, 279, 1703, 1626, 1651, 1678,
|
|
172
|
+
2789, 540, 1789, 1540, 1847, 1482, 952, 2377, 1461, 1868, 2687, 642,
|
|
173
|
+
939, 2390, 2308, 1021, 2437, 892, 2388, 941, 733, 2596, 2337, 992,
|
|
174
|
+
268, 3061, 641, 2688, 1584, 1745, 2298, 1031, 2037, 1292, 3220, 109,
|
|
175
|
+
375, 2954, 2549, 780, 2090, 1239, 1645, 1684, 1063, 2266, 319, 3010,
|
|
176
|
+
2773, 556, 757, 2572, 2099, 1230, 561, 2768, 2466, 863, 2594, 735,
|
|
177
|
+
2804, 525, 1092, 2237, 403, 2926, 1026, 2303, 1143, 2186, 2150, 1179,
|
|
178
|
+
2775, 554, 886, 2443, 1722, 1607, 1212, 2117, 1874, 1455, 1029, 2300,
|
|
179
|
+
2110, 1219, 2935, 394, 885, 2444, 2154, 1175,
|
|
180
|
+
};
|
|
181
|
+
|
|
182
|
+
// reduce_once reduces 0 <= x < 2*kPrime, mod kPrime.
|
|
183
|
+
uint16_t reduce_once(uint16_t x) {
|
|
184
|
+
declassify_assert(x < 2 * kPrime);
|
|
185
|
+
const uint16_t subtracted = x - kPrime;
|
|
186
|
+
uint16_t mask = 0u - (subtracted >> 15);
|
|
187
|
+
// Although this is a constant-time select, we omit a value barrier here.
|
|
188
|
+
// Value barriers impede auto-vectorization (likely because it forces the
|
|
189
|
+
// value to transit through a general-purpose register). On AArch64, this is a
|
|
190
|
+
// difference of 2x.
|
|
191
|
+
//
|
|
192
|
+
// We usually add value barriers to selects because Clang turns consecutive
|
|
193
|
+
// selects with the same condition into a branch instead of CMOV/CSEL. This
|
|
194
|
+
// condition does not occur in ML-KEM, so omitting it seems to be safe so far,
|
|
195
|
+
// but see |scalar_centered_binomial_distribution_eta_2_with_prf|.
|
|
196
|
+
return (mask & x) | (~mask & subtracted);
|
|
197
|
+
}
|
|
198
|
+
|
|
199
|
+
// constant time reduce x mod kPrime using Barrett reduction. x must be less
|
|
200
|
+
// than kPrime + 2×kPrime².
|
|
201
|
+
static uint16_t reduce(uint32_t x) {
|
|
202
|
+
declassify_assert(x < kPrime + 2u * kPrime * kPrime);
|
|
203
|
+
uint64_t product = (uint64_t)x * kBarrettMultiplier;
|
|
204
|
+
uint32_t quotient = (uint32_t)(product >> kBarrettShift);
|
|
205
|
+
uint32_t remainder = x - quotient * kPrime;
|
|
206
|
+
return reduce_once(remainder);
|
|
207
|
+
}
|
|
208
|
+
|
|
209
|
+
void scalar_zero(scalar *out) { OPENSSL_memset(out, 0, sizeof(*out)); }
|
|
210
|
+
|
|
211
|
+
template <int RANK>
|
|
212
|
+
void vector_zero(vector<RANK> *out) {
|
|
213
|
+
OPENSSL_memset(out->v, 0, sizeof(scalar) * RANK);
|
|
214
|
+
}
|
|
215
|
+
|
|
216
|
+
// In place number theoretic transform of a given scalar.
|
|
217
|
+
// Note that MLKEM's kPrime 3329 does not have a 512th root of unity, so this
|
|
218
|
+
// transform leaves off the last iteration of the usual FFT code, with the 128
|
|
219
|
+
// relevant roots of unity being stored in |kNTTRoots|. This means the output
|
|
220
|
+
// should be seen as 128 elements in GF(3329^2), with the coefficients of the
|
|
221
|
+
// elements being consecutive entries in |s->c|.
|
|
222
|
+
static void scalar_ntt(scalar *s) {
|
|
223
|
+
int offset = DEGREE;
|
|
224
|
+
// `int` is used here because using `size_t` throughout caused a ~5% slowdown
|
|
225
|
+
// with Clang 14 on Aarch64.
|
|
226
|
+
for (int step = 1; step < DEGREE / 2; step <<= 1) {
|
|
227
|
+
offset >>= 1;
|
|
228
|
+
int k = 0;
|
|
229
|
+
for (int i = 0; i < step; i++) {
|
|
230
|
+
const uint32_t step_root = kNTTRoots[i + step];
|
|
231
|
+
for (int j = k; j < k + offset; j++) {
|
|
232
|
+
uint16_t odd = reduce(step_root * s->c[j + offset]);
|
|
233
|
+
uint16_t even = s->c[j];
|
|
234
|
+
s->c[j] = reduce_once(odd + even);
|
|
235
|
+
s->c[j + offset] = reduce_once(even - odd + kPrime);
|
|
236
|
+
}
|
|
237
|
+
k += 2 * offset;
|
|
238
|
+
}
|
|
239
|
+
}
|
|
240
|
+
}
|
|
241
|
+
|
|
242
|
+
template <int RANK>
|
|
243
|
+
static void vector_ntt(vector<RANK> *a) {
|
|
244
|
+
for (int i = 0; i < RANK; i++) {
|
|
245
|
+
scalar_ntt(&a->v[i]);
|
|
246
|
+
}
|
|
247
|
+
}
|
|
248
|
+
|
|
249
|
+
// In place inverse number theoretic transform of a given scalar, with pairs of
|
|
250
|
+
// entries of s->v being interpreted as elements of GF(3329^2). Just as with the
|
|
251
|
+
// number theoretic transform, this leaves off the first step of the normal iFFT
|
|
252
|
+
// to account for the fact that 3329 does not have a 512th root of unity, using
|
|
253
|
+
// the precomputed 128 roots of unity stored in |kInverseNTTRoots|.
|
|
254
|
+
void scalar_inverse_ntt(scalar *s) {
|
|
255
|
+
int step = DEGREE / 2;
|
|
256
|
+
// `int` is used here because using `size_t` throughout caused a ~5% slowdown
|
|
257
|
+
// with Clang 14 on Aarch64.
|
|
258
|
+
for (int offset = 2; offset < DEGREE; offset <<= 1) {
|
|
259
|
+
step >>= 1;
|
|
260
|
+
int k = 0;
|
|
261
|
+
for (int i = 0; i < step; i++) {
|
|
262
|
+
uint32_t step_root = kInverseNTTRoots[i + step];
|
|
263
|
+
for (int j = k; j < k + offset; j++) {
|
|
264
|
+
uint16_t odd = s->c[j + offset];
|
|
265
|
+
uint16_t even = s->c[j];
|
|
266
|
+
s->c[j] = reduce_once(odd + even);
|
|
267
|
+
s->c[j + offset] = reduce(step_root * (even - odd + kPrime));
|
|
268
|
+
}
|
|
269
|
+
k += 2 * offset;
|
|
270
|
+
}
|
|
271
|
+
}
|
|
272
|
+
for (int i = 0; i < DEGREE; i++) {
|
|
273
|
+
s->c[i] = reduce(s->c[i] * kInverseDegree);
|
|
274
|
+
}
|
|
275
|
+
}
|
|
276
|
+
|
|
277
|
+
template <int RANK>
|
|
278
|
+
void vector_inverse_ntt(vector<RANK> *a) {
|
|
279
|
+
for (int i = 0; i < RANK; i++) {
|
|
280
|
+
scalar_inverse_ntt(&a->v[i]);
|
|
281
|
+
}
|
|
282
|
+
}
|
|
283
|
+
|
|
284
|
+
void scalar_add(scalar *lhs, const scalar *rhs) {
|
|
285
|
+
for (int i = 0; i < DEGREE; i++) {
|
|
286
|
+
lhs->c[i] = reduce_once(lhs->c[i] + rhs->c[i]);
|
|
287
|
+
}
|
|
288
|
+
}
|
|
289
|
+
|
|
290
|
+
void scalar_sub(scalar *lhs, const scalar *rhs) {
|
|
291
|
+
for (int i = 0; i < DEGREE; i++) {
|
|
292
|
+
lhs->c[i] = reduce_once(lhs->c[i] - rhs->c[i] + kPrime);
|
|
293
|
+
}
|
|
294
|
+
}
|
|
295
|
+
|
|
296
|
+
// Multiplying two scalars in the number theoretically transformed state. Since
|
|
297
|
+
// 3329 does not have a 512th root of unity, this means we have to interpret
|
|
298
|
+
// the 2*ith and (2*i+1)th entries of the scalar as elements of GF(3329)[X]/(X^2
|
|
299
|
+
// - 17^(2*bitreverse(i)+1)) The value of 17^(2*bitreverse(i)+1) mod 3329 is
|
|
300
|
+
// stored in the precomputed |kModRoots| table. Note that our Barrett transform
|
|
301
|
+
// only allows us to multipy two reduced numbers together, so we need some
|
|
302
|
+
// intermediate reduction steps, even if an uint64_t could hold 3 multiplied
|
|
303
|
+
// numbers.
|
|
304
|
+
void scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs) {
|
|
305
|
+
for (int i = 0; i < DEGREE / 2; i++) {
|
|
306
|
+
uint32_t real_real = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i];
|
|
307
|
+
uint32_t img_img = (uint32_t)lhs->c[2 * i + 1] * rhs->c[2 * i + 1];
|
|
308
|
+
uint32_t real_img = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i + 1];
|
|
309
|
+
uint32_t img_real = (uint32_t)lhs->c[2 * i + 1] * rhs->c[2 * i];
|
|
310
|
+
out->c[2 * i] =
|
|
311
|
+
reduce(real_real + (uint32_t)reduce(img_img) * kModRoots[i]);
|
|
312
|
+
out->c[2 * i + 1] = reduce(img_real + real_img);
|
|
313
|
+
}
|
|
314
|
+
}
|
|
315
|
+
|
|
316
|
+
template <int RANK>
|
|
317
|
+
void vector_add(vector<RANK> *lhs, const vector<RANK> *rhs) {
|
|
318
|
+
for (int i = 0; i < RANK; i++) {
|
|
319
|
+
scalar_add(&lhs->v[i], &rhs->v[i]);
|
|
320
|
+
}
|
|
321
|
+
}
|
|
322
|
+
|
|
323
|
+
template <int RANK>
|
|
324
|
+
static void matrix_mult(vector<RANK> *out, const matrix<RANK> *m,
|
|
325
|
+
const vector<RANK> *a) {
|
|
326
|
+
vector_zero(out);
|
|
327
|
+
for (int i = 0; i < RANK; i++) {
|
|
328
|
+
for (int j = 0; j < RANK; j++) {
|
|
329
|
+
scalar product;
|
|
330
|
+
scalar_mult(&product, &m->v[i][j], &a->v[j]);
|
|
331
|
+
scalar_add(&out->v[i], &product);
|
|
332
|
+
}
|
|
333
|
+
}
|
|
334
|
+
}
|
|
335
|
+
|
|
336
|
+
template <int RANK>
|
|
337
|
+
void matrix_mult_transpose(vector<RANK> *out, const matrix<RANK> *m,
|
|
338
|
+
const vector<RANK> *a) {
|
|
339
|
+
vector_zero(out);
|
|
340
|
+
for (int i = 0; i < RANK; i++) {
|
|
341
|
+
for (int j = 0; j < RANK; j++) {
|
|
342
|
+
scalar product;
|
|
343
|
+
scalar_mult(&product, &m->v[j][i], &a->v[j]);
|
|
344
|
+
scalar_add(&out->v[i], &product);
|
|
345
|
+
}
|
|
346
|
+
}
|
|
347
|
+
}
|
|
348
|
+
|
|
349
|
+
template <int RANK>
|
|
350
|
+
void scalar_inner_product(scalar *out, const vector<RANK> *lhs,
|
|
351
|
+
const vector<RANK> *rhs) {
|
|
352
|
+
scalar_zero(out);
|
|
353
|
+
for (int i = 0; i < RANK; i++) {
|
|
354
|
+
scalar product;
|
|
355
|
+
scalar_mult(&product, &lhs->v[i], &rhs->v[i]);
|
|
356
|
+
scalar_add(out, &product);
|
|
357
|
+
}
|
|
358
|
+
}
|
|
359
|
+
|
|
360
|
+
// Algorithm 6 from the spec. Rejection samples a Keccak stream to get
|
|
361
|
+
// uniformly distributed elements. This is used for matrix expansion and only
|
|
362
|
+
// operates on public inputs.
|
|
363
|
+
static void scalar_from_keccak_vartime(scalar *out,
|
|
364
|
+
struct BORINGSSL_keccak_st *keccak_ctx) {
|
|
365
|
+
assert(keccak_ctx->squeeze_offset == 0);
|
|
366
|
+
assert(keccak_ctx->rate_bytes == 168);
|
|
367
|
+
static_assert(168 % 3 == 0, "block and coefficient boundaries do not align");
|
|
368
|
+
|
|
369
|
+
int done = 0;
|
|
370
|
+
while (done < DEGREE) {
|
|
371
|
+
uint8_t block[168];
|
|
372
|
+
BORINGSSL_keccak_squeeze(keccak_ctx, block, sizeof(block));
|
|
373
|
+
for (size_t i = 0; i < sizeof(block) && done < DEGREE; i += 3) {
|
|
374
|
+
uint16_t d1 = block[i] + 256 * (block[i + 1] % 16);
|
|
375
|
+
uint16_t d2 = block[i + 1] / 16 + 16 * block[i + 2];
|
|
376
|
+
if (d1 < kPrime) {
|
|
377
|
+
out->c[done++] = d1;
|
|
378
|
+
}
|
|
379
|
+
if (d2 < kPrime && done < DEGREE) {
|
|
380
|
+
out->c[done++] = d2;
|
|
381
|
+
}
|
|
382
|
+
}
|
|
383
|
+
}
|
|
384
|
+
}
|
|
385
|
+
|
|
386
|
+
// Algorithm 7 from the spec, with eta fixed to two and the PRF call
|
|
387
|
+
// included. Creates binominally distributed elements by sampling 2*|eta| bits,
|
|
388
|
+
// and setting the coefficient to the count of the first bits minus the count of
|
|
389
|
+
// the second bits, resulting in a centered binomial distribution. Since eta is
|
|
390
|
+
// two this gives -2/2 with a probability of 1/16, -1/1 with probability 1/4,
|
|
391
|
+
// and 0 with probability 3/8.
|
|
392
|
+
void scalar_centered_binomial_distribution_eta_2_with_prf(
|
|
393
|
+
scalar *out, const uint8_t input[33]) {
|
|
394
|
+
uint8_t entropy[128];
|
|
395
|
+
static_assert(sizeof(entropy) == 2 * /*kEta=*/2 * DEGREE / 8, "");
|
|
396
|
+
prf(entropy, sizeof(entropy), input);
|
|
397
|
+
|
|
398
|
+
for (int i = 0; i < DEGREE; i += 2) {
|
|
399
|
+
uint8_t byte = entropy[i / 2];
|
|
400
|
+
|
|
401
|
+
uint16_t value = (byte & 1) + ((byte >> 1) & 1);
|
|
402
|
+
value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);
|
|
403
|
+
// Add |kPrime| if |value| underflowed. See |reduce_once| for a discussion
|
|
404
|
+
// on why the value barrier is omitted. While this could have been written
|
|
405
|
+
// reduce_once(value + kPrime), this is one extra addition and small range
|
|
406
|
+
// of |value| tempts some versions of Clang to emit a branch.
|
|
407
|
+
uint16_t mask = 0u - (value >> 15);
|
|
408
|
+
out->c[i] = ((value + kPrime) & mask) | (value & ~mask);
|
|
409
|
+
|
|
410
|
+
byte >>= 4;
|
|
411
|
+
value = (byte & 1) + ((byte >> 1) & 1);
|
|
412
|
+
value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);
|
|
413
|
+
// See above.
|
|
414
|
+
mask = 0u - (value >> 15);
|
|
415
|
+
out->c[i + 1] = ((value + kPrime) & mask) | (value & ~mask);
|
|
416
|
+
}
|
|
417
|
+
}
|
|
418
|
+
|
|
419
|
+
// Generates a secret vector by using
|
|
420
|
+
// |scalar_centered_binomial_distribution_eta_2_with_prf|, using the given seed
|
|
421
|
+
// appending and incrementing |counter| for entry of the vector.
|
|
422
|
+
template <int RANK>
|
|
423
|
+
void vector_generate_secret_eta_2(vector<RANK> *out, uint8_t *counter,
|
|
424
|
+
const uint8_t seed[32]) {
|
|
425
|
+
uint8_t input[33];
|
|
426
|
+
OPENSSL_memcpy(input, seed, 32);
|
|
427
|
+
for (int i = 0; i < RANK; i++) {
|
|
428
|
+
input[32] = (*counter)++;
|
|
429
|
+
scalar_centered_binomial_distribution_eta_2_with_prf(&out->v[i], input);
|
|
430
|
+
}
|
|
431
|
+
}
|
|
432
|
+
|
|
433
|
+
// Expands the matrix of a seed for key generation and for encaps-CPA.
|
|
434
|
+
template <int RANK>
|
|
435
|
+
void matrix_expand(matrix<RANK> *out, const uint8_t rho[32]) {
|
|
436
|
+
uint8_t input[34];
|
|
437
|
+
OPENSSL_memcpy(input, rho, 32);
|
|
438
|
+
for (int i = 0; i < RANK; i++) {
|
|
439
|
+
for (int j = 0; j < RANK; j++) {
|
|
440
|
+
input[32] = i;
|
|
441
|
+
input[33] = j;
|
|
442
|
+
struct BORINGSSL_keccak_st keccak_ctx;
|
|
443
|
+
BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake128);
|
|
444
|
+
BORINGSSL_keccak_absorb(&keccak_ctx, input, sizeof(input));
|
|
445
|
+
scalar_from_keccak_vartime(&out->v[i][j], &keccak_ctx);
|
|
446
|
+
}
|
|
447
|
+
}
|
|
448
|
+
}
|
|
449
|
+
|
|
450
|
+
const uint8_t kMasks[8] = {0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f, 0xff};
|
|
451
|
+
|
|
452
|
+
void scalar_encode(uint8_t *out, const scalar *s, int bits) {
|
|
453
|
+
assert(bits <= (int)sizeof(*s->c) * 8 && bits != 1);
|
|
454
|
+
|
|
455
|
+
uint8_t out_byte = 0;
|
|
456
|
+
int out_byte_bits = 0;
|
|
457
|
+
|
|
458
|
+
for (int i = 0; i < DEGREE; i++) {
|
|
459
|
+
uint16_t element = s->c[i];
|
|
460
|
+
int element_bits_done = 0;
|
|
461
|
+
|
|
462
|
+
while (element_bits_done < bits) {
|
|
463
|
+
int chunk_bits = bits - element_bits_done;
|
|
464
|
+
int out_bits_remaining = 8 - out_byte_bits;
|
|
465
|
+
if (chunk_bits >= out_bits_remaining) {
|
|
466
|
+
chunk_bits = out_bits_remaining;
|
|
467
|
+
out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;
|
|
468
|
+
*out = out_byte;
|
|
469
|
+
out++;
|
|
470
|
+
out_byte_bits = 0;
|
|
471
|
+
out_byte = 0;
|
|
472
|
+
} else {
|
|
473
|
+
out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;
|
|
474
|
+
out_byte_bits += chunk_bits;
|
|
475
|
+
}
|
|
476
|
+
|
|
477
|
+
element_bits_done += chunk_bits;
|
|
478
|
+
element >>= chunk_bits;
|
|
479
|
+
}
|
|
480
|
+
}
|
|
481
|
+
|
|
482
|
+
if (out_byte_bits > 0) {
|
|
483
|
+
*out = out_byte;
|
|
484
|
+
}
|
|
485
|
+
}
|
|
486
|
+
|
|
487
|
+
// scalar_encode_1 is |scalar_encode| specialised for |bits| == 1.
|
|
488
|
+
void scalar_encode_1(uint8_t out[32], const scalar *s) {
|
|
489
|
+
for (int i = 0; i < DEGREE; i += 8) {
|
|
490
|
+
uint8_t out_byte = 0;
|
|
491
|
+
for (int j = 0; j < 8; j++) {
|
|
492
|
+
out_byte |= (s->c[i + j] & 1) << j;
|
|
493
|
+
}
|
|
494
|
+
*out = out_byte;
|
|
495
|
+
out++;
|
|
496
|
+
}
|
|
497
|
+
}
|
|
498
|
+
|
|
499
|
+
// Encodes an entire vector into 32*|RANK|*|bits| bytes. Note that since 256
|
|
500
|
+
// (DEGREE) is divisible by 8, the individual vector entries will always fill a
|
|
501
|
+
// whole number of bytes, so we do not need to worry about bit packing here.
|
|
502
|
+
template <int RANK>
|
|
503
|
+
void vector_encode(uint8_t *out, const vector<RANK> *a, int bits) {
|
|
504
|
+
for (int i = 0; i < RANK; i++) {
|
|
505
|
+
scalar_encode(out + i * bits * DEGREE / 8, &a->v[i], bits);
|
|
506
|
+
}
|
|
507
|
+
}
|
|
508
|
+
|
|
509
|
+
// scalar_decode parses |DEGREE * bits| bits from |in| into |DEGREE| values in
|
|
510
|
+
// |out|. It returns one on success and zero if any parsed value is >=
|
|
511
|
+
// |kPrime|.
|
|
512
|
+
int scalar_decode(scalar *out, const uint8_t *in, int bits) {
|
|
513
|
+
assert(bits <= (int)sizeof(*out->c) * 8 && bits != 1);
|
|
514
|
+
|
|
515
|
+
uint8_t in_byte = 0;
|
|
516
|
+
int in_byte_bits_left = 0;
|
|
517
|
+
|
|
518
|
+
for (int i = 0; i < DEGREE; i++) {
|
|
519
|
+
uint16_t element = 0;
|
|
520
|
+
int element_bits_done = 0;
|
|
521
|
+
|
|
522
|
+
while (element_bits_done < bits) {
|
|
523
|
+
if (in_byte_bits_left == 0) {
|
|
524
|
+
in_byte = *in;
|
|
525
|
+
in++;
|
|
526
|
+
in_byte_bits_left = 8;
|
|
527
|
+
}
|
|
528
|
+
|
|
529
|
+
int chunk_bits = bits - element_bits_done;
|
|
530
|
+
if (chunk_bits > in_byte_bits_left) {
|
|
531
|
+
chunk_bits = in_byte_bits_left;
|
|
532
|
+
}
|
|
533
|
+
|
|
534
|
+
element |= (in_byte & kMasks[chunk_bits - 1]) << element_bits_done;
|
|
535
|
+
in_byte_bits_left -= chunk_bits;
|
|
536
|
+
in_byte >>= chunk_bits;
|
|
537
|
+
|
|
538
|
+
element_bits_done += chunk_bits;
|
|
539
|
+
}
|
|
540
|
+
|
|
541
|
+
// An element is only out of range in the case of invalid input, in which
|
|
542
|
+
// case it is okay to leak the comparison.
|
|
543
|
+
if (constant_time_declassify_int(element >= kPrime)) {
|
|
544
|
+
return 0;
|
|
545
|
+
}
|
|
546
|
+
out->c[i] = element;
|
|
547
|
+
}
|
|
548
|
+
|
|
549
|
+
return 1;
|
|
550
|
+
}
|
|
551
|
+
|
|
552
|
+
// scalar_decode_1 is |scalar_decode| specialised for |bits| == 1.
|
|
553
|
+
void scalar_decode_1(scalar *out, const uint8_t in[32]) {
|
|
554
|
+
for (int i = 0; i < DEGREE; i += 8) {
|
|
555
|
+
uint8_t in_byte = *in;
|
|
556
|
+
in++;
|
|
557
|
+
for (int j = 0; j < 8; j++) {
|
|
558
|
+
out->c[i + j] = in_byte & 1;
|
|
559
|
+
in_byte >>= 1;
|
|
560
|
+
}
|
|
561
|
+
}
|
|
562
|
+
}
|
|
563
|
+
|
|
564
|
+
// Decodes 32*|RANK|*|bits| bytes from |in| into |out|. It returns one on
|
|
565
|
+
// success or zero if any parsed value is >= |kPrime|.
|
|
566
|
+
template <int RANK>
|
|
567
|
+
static int vector_decode(vector<RANK> *out, const uint8_t *in, int bits) {
|
|
568
|
+
for (int i = 0; i < RANK; i++) {
|
|
569
|
+
if (!scalar_decode(&out->v[i], in + i * bits * DEGREE / 8, bits)) {
|
|
570
|
+
return 0;
|
|
571
|
+
}
|
|
572
|
+
}
|
|
573
|
+
return 1;
|
|
574
|
+
}
|
|
575
|
+
|
|
576
|
+
// Compresses (lossily) an input |x| mod 3329 into |bits| many bits by grouping
|
|
577
|
+
// numbers close to each other together. The formula used is
|
|
578
|
+
// round(2^|bits|/kPrime*x) mod 2^|bits|.
|
|
579
|
+
// Uses Barrett reduction to achieve constant time. Since we need both the
|
|
580
|
+
// remainder (for rounding) and the quotient (as the result), we cannot use
|
|
581
|
+
// |reduce| here, but need to do the Barrett reduction directly.
|
|
582
|
+
static uint16_t compress(uint16_t x, int bits) {
|
|
583
|
+
uint32_t shifted = (uint32_t)x << bits;
|
|
584
|
+
uint64_t product = (uint64_t)shifted * kBarrettMultiplier;
|
|
585
|
+
uint32_t quotient = (uint32_t)(product >> kBarrettShift);
|
|
586
|
+
uint32_t remainder = shifted - quotient * kPrime;
|
|
587
|
+
|
|
588
|
+
// Adjust the quotient to round correctly:
|
|
589
|
+
// 0 <= remainder <= kHalfPrime round to 0
|
|
590
|
+
// kHalfPrime < remainder <= kPrime + kHalfPrime round to 1
|
|
591
|
+
// kPrime + kHalfPrime < remainder < 2 * kPrime round to 2
|
|
592
|
+
declassify_assert(remainder < 2u * kPrime);
|
|
593
|
+
quotient += 1 & constant_time_lt_w(kHalfPrime, remainder);
|
|
594
|
+
quotient += 1 & constant_time_lt_w(kPrime + kHalfPrime, remainder);
|
|
595
|
+
return quotient & ((1 << bits) - 1);
|
|
596
|
+
}
|
|
597
|
+
|
|
598
|
+
// Decompresses |x| by using an equi-distant representative. The formula is
|
|
599
|
+
// round(kPrime/2^|bits|*x). Note that 2^|bits| being the divisor allows us to
|
|
600
|
+
// implement this logic using only bit operations.
|
|
601
|
+
uint16_t decompress(uint16_t x, int bits) {
|
|
602
|
+
uint32_t product = (uint32_t)x * kPrime;
|
|
603
|
+
uint32_t power = 1 << bits;
|
|
604
|
+
// This is |product| % power, since |power| is a power of 2.
|
|
605
|
+
uint32_t remainder = product & (power - 1);
|
|
606
|
+
// This is |product| / power, since |power| is a power of 2.
|
|
607
|
+
uint32_t lower = product >> bits;
|
|
608
|
+
// The rounding logic works since the first half of numbers mod |power| have a
|
|
609
|
+
// 0 as first bit, and the second half has a 1 as first bit, since |power| is
|
|
610
|
+
// a power of 2. As a 12 bit number, |remainder| is always positive, so we
|
|
611
|
+
// will shift in 0s for a right shift.
|
|
612
|
+
return lower + (remainder >> (bits - 1));
|
|
613
|
+
}
|
|
614
|
+
|
|
615
|
+
static void scalar_compress(scalar *s, int bits) {
|
|
616
|
+
for (int i = 0; i < DEGREE; i++) {
|
|
617
|
+
s->c[i] = compress(s->c[i], bits);
|
|
618
|
+
}
|
|
619
|
+
}
|
|
620
|
+
|
|
621
|
+
static void scalar_decompress(scalar *s, int bits) {
|
|
622
|
+
for (int i = 0; i < DEGREE; i++) {
|
|
623
|
+
s->c[i] = decompress(s->c[i], bits);
|
|
624
|
+
}
|
|
625
|
+
}
|
|
626
|
+
|
|
627
|
+
template <int RANK>
|
|
628
|
+
void vector_compress(vector<RANK> *a, int bits) {
|
|
629
|
+
for (int i = 0; i < RANK; i++) {
|
|
630
|
+
scalar_compress(&a->v[i], bits);
|
|
631
|
+
}
|
|
632
|
+
}
|
|
633
|
+
|
|
634
|
+
template <int RANK>
|
|
635
|
+
void vector_decompress(vector<RANK> *a, int bits) {
|
|
636
|
+
for (int i = 0; i < RANK; i++) {
|
|
637
|
+
scalar_decompress(&a->v[i], bits);
|
|
638
|
+
}
|
|
639
|
+
}
|
|
640
|
+
|
|
641
|
+
template <int RANK>
|
|
642
|
+
struct public_key {
|
|
643
|
+
vector<RANK> t;
|
|
644
|
+
uint8_t rho[32];
|
|
645
|
+
uint8_t public_key_hash[32];
|
|
646
|
+
matrix<RANK> m;
|
|
647
|
+
};
|
|
648
|
+
|
|
649
|
+
template <int RANK>
|
|
650
|
+
struct private_key {
|
|
651
|
+
struct public_key<RANK> pub;
|
|
652
|
+
vector<RANK> s;
|
|
653
|
+
uint8_t fo_failure_secret[32];
|
|
654
|
+
};
|
|
655
|
+
|
|
656
|
+
template <int RANK>
|
|
657
|
+
static void decrypt_cpa(
|
|
658
|
+
uint8_t out[32], const struct private_key<RANK> *priv,
|
|
659
|
+
const uint8_t ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES]) {
|
|
660
|
+
constexpr int du = RANK == RANK768 ? kDU768 : kDU1024;
|
|
661
|
+
constexpr int dv = RANK == RANK768 ? kDV768 : kDV1024;
|
|
662
|
+
|
|
663
|
+
vector<RANK> u;
|
|
664
|
+
vector_decode(&u, ciphertext, du);
|
|
665
|
+
vector_decompress(&u, du);
|
|
666
|
+
vector_ntt(&u);
|
|
667
|
+
scalar v;
|
|
668
|
+
scalar_decode(&v, ciphertext + compressed_vector_size(RANK), dv);
|
|
669
|
+
scalar_decompress(&v, dv);
|
|
670
|
+
scalar mask;
|
|
671
|
+
scalar_inner_product(&mask, &priv->s, &u);
|
|
672
|
+
scalar_inverse_ntt(&mask);
|
|
673
|
+
scalar_sub(&v, &mask);
|
|
674
|
+
scalar_compress(&v, 1);
|
|
675
|
+
scalar_encode_1(out, &v);
|
|
676
|
+
}
|
|
677
|
+
|
|
678
|
+
template <int RANK>
|
|
679
|
+
static bcm_status mlkem_marshal_public_key(CBB *out,
|
|
680
|
+
const struct public_key<RANK> *pub) {
|
|
681
|
+
uint8_t *vector_output;
|
|
682
|
+
if (!CBB_add_space(out, &vector_output, encoded_vector_size(RANK))) {
|
|
683
|
+
return bcm_status::failure;
|
|
684
|
+
}
|
|
685
|
+
vector_encode(vector_output, &pub->t, kLog2Prime);
|
|
686
|
+
if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {
|
|
687
|
+
return bcm_status::failure;
|
|
688
|
+
}
|
|
689
|
+
return bcm_status::approved;
|
|
690
|
+
}
|
|
691
|
+
|
|
692
|
+
template <int RANK>
|
|
693
|
+
void mlkem_generate_key_external_seed(
|
|
694
|
+
uint8_t *out_encoded_public_key, private_key<RANK> *priv,
|
|
695
|
+
const uint8_t seed[BCM_MLKEM_SEED_BYTES]) {
|
|
696
|
+
uint8_t augmented_seed[33];
|
|
697
|
+
OPENSSL_memcpy(augmented_seed, seed, 32);
|
|
698
|
+
augmented_seed[32] = RANK;
|
|
699
|
+
|
|
700
|
+
uint8_t hashed[64];
|
|
701
|
+
hash_g(hashed, augmented_seed, sizeof(augmented_seed));
|
|
702
|
+
const uint8_t *const rho = hashed;
|
|
703
|
+
const uint8_t *const sigma = hashed + 32;
|
|
704
|
+
// rho is public.
|
|
705
|
+
CONSTTIME_DECLASSIFY(rho, 32);
|
|
706
|
+
OPENSSL_memcpy(priv->pub.rho, hashed, sizeof(priv->pub.rho));
|
|
707
|
+
matrix_expand(&priv->pub.m, rho);
|
|
708
|
+
uint8_t counter = 0;
|
|
709
|
+
vector_generate_secret_eta_2(&priv->s, &counter, sigma);
|
|
710
|
+
vector_ntt(&priv->s);
|
|
711
|
+
vector<RANK> error;
|
|
712
|
+
vector_generate_secret_eta_2(&error, &counter, sigma);
|
|
713
|
+
vector_ntt(&error);
|
|
714
|
+
matrix_mult_transpose(&priv->pub.t, &priv->pub.m, &priv->s);
|
|
715
|
+
vector_add(&priv->pub.t, &error);
|
|
716
|
+
// t is part of the public key and thus is public.
|
|
717
|
+
CONSTTIME_DECLASSIFY(&priv->pub.t, sizeof(priv->pub.t));
|
|
718
|
+
|
|
719
|
+
CBB cbb;
|
|
720
|
+
CBB_init_fixed(&cbb, out_encoded_public_key, encoded_public_key_size(RANK));
|
|
721
|
+
if (!bcm_success(mlkem_marshal_public_key(&cbb, &priv->pub))) {
|
|
722
|
+
abort();
|
|
723
|
+
}
|
|
724
|
+
|
|
725
|
+
hash_h(priv->pub.public_key_hash, out_encoded_public_key,
|
|
726
|
+
encoded_public_key_size(RANK));
|
|
727
|
+
OPENSSL_memcpy(priv->fo_failure_secret, seed + 32, 32);
|
|
728
|
+
}
|
|
729
|
+
|
|
730
|
+
// Encrypts a message with given randomness to
|
|
731
|
+
// the ciphertext in |out|. Without applying the Fujisaki-Okamoto transform this
|
|
732
|
+
// would not result in a CCA secure scheme, since lattice schemes are vulnerable
|
|
733
|
+
// to decryption failure oracles.
|
|
734
|
+
template <int RANK>
|
|
735
|
+
void encrypt_cpa(uint8_t *out, const struct mlkem::public_key<RANK> *pub,
|
|
736
|
+
const uint8_t message[32], const uint8_t randomness[32]) {
|
|
737
|
+
constexpr int du = RANK == RANK768 ? mlkem::kDU768 : mlkem::kDU1024;
|
|
738
|
+
constexpr int dv = RANK == RANK768 ? mlkem::kDV768 : mlkem::kDV1024;
|
|
739
|
+
|
|
740
|
+
uint8_t counter = 0;
|
|
741
|
+
mlkem::vector<RANK> secret;
|
|
742
|
+
vector_generate_secret_eta_2(&secret, &counter, randomness);
|
|
743
|
+
vector_ntt(&secret);
|
|
744
|
+
mlkem::vector<RANK> error;
|
|
745
|
+
vector_generate_secret_eta_2(&error, &counter, randomness);
|
|
746
|
+
uint8_t input[33];
|
|
747
|
+
OPENSSL_memcpy(input, randomness, 32);
|
|
748
|
+
input[32] = counter;
|
|
749
|
+
mlkem::scalar scalar_error;
|
|
750
|
+
scalar_centered_binomial_distribution_eta_2_with_prf(&scalar_error, input);
|
|
751
|
+
mlkem::vector<RANK> u;
|
|
752
|
+
matrix_mult(&u, &pub->m, &secret);
|
|
753
|
+
vector_inverse_ntt(&u);
|
|
754
|
+
vector_add(&u, &error);
|
|
755
|
+
mlkem::scalar v;
|
|
756
|
+
scalar_inner_product(&v, &pub->t, &secret);
|
|
757
|
+
scalar_inverse_ntt(&v);
|
|
758
|
+
scalar_add(&v, &scalar_error);
|
|
759
|
+
mlkem::scalar expanded_message;
|
|
760
|
+
scalar_decode_1(&expanded_message, message);
|
|
761
|
+
scalar_decompress(&expanded_message, 1);
|
|
762
|
+
scalar_add(&v, &expanded_message);
|
|
763
|
+
vector_compress(&u, du);
|
|
764
|
+
vector_encode(out, &u, du);
|
|
765
|
+
scalar_compress(&v, dv);
|
|
766
|
+
scalar_encode(out + mlkem::compressed_vector_size(RANK), &v, dv);
|
|
767
|
+
}
|
|
768
|
+
|
|
769
|
+
// See section 6.3
|
|
770
|
+
template <int RANK>
|
|
771
|
+
void mlkem_decap(uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
|
|
772
|
+
const uint8_t *ciphertext,
|
|
773
|
+
const struct private_key<RANK> *priv) {
|
|
774
|
+
uint8_t decrypted[64];
|
|
775
|
+
decrypt_cpa(decrypted, priv, ciphertext);
|
|
776
|
+
OPENSSL_memcpy(decrypted + 32, priv->pub.public_key_hash,
|
|
777
|
+
sizeof(decrypted) - 32);
|
|
778
|
+
uint8_t key_and_randomness[64];
|
|
779
|
+
hash_g(key_and_randomness, decrypted, sizeof(decrypted));
|
|
780
|
+
constexpr size_t ciphertext_len = ciphertext_size(RANK);
|
|
781
|
+
uint8_t expected_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES];
|
|
782
|
+
static_assert(ciphertext_len <= sizeof(expected_ciphertext), "");
|
|
783
|
+
encrypt_cpa(expected_ciphertext, &priv->pub, decrypted,
|
|
784
|
+
key_and_randomness + 32);
|
|
785
|
+
|
|
786
|
+
uint8_t failure_key[32];
|
|
787
|
+
kdf(failure_key, priv->fo_failure_secret, ciphertext, ciphertext_len);
|
|
788
|
+
|
|
789
|
+
uint8_t mask = constant_time_eq_int_8(
|
|
790
|
+
CRYPTO_memcmp(ciphertext, expected_ciphertext, ciphertext_len), 0);
|
|
791
|
+
for (int i = 0; i < BCM_MLKEM_SHARED_SECRET_BYTES; i++) {
|
|
792
|
+
out_shared_secret[i] =
|
|
793
|
+
constant_time_select_8(mask, key_and_randomness[i], failure_key[i]);
|
|
794
|
+
}
|
|
795
|
+
}
|
|
796
|
+
|
|
797
|
+
// mlkem_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate
|
|
798
|
+
// the value of |pub->public_key_hash|.
|
|
799
|
+
template <int RANK>
|
|
800
|
+
int mlkem_parse_public_key_no_hash(struct public_key<RANK> *pub, CBS *in) {
|
|
801
|
+
CBS t_bytes;
|
|
802
|
+
if (!CBS_get_bytes(in, &t_bytes, encoded_vector_size(RANK)) ||
|
|
803
|
+
!vector_decode(&pub->t, CBS_data(&t_bytes), kLog2Prime) ||
|
|
804
|
+
!CBS_copy_bytes(in, pub->rho, sizeof(pub->rho))) {
|
|
805
|
+
return 0;
|
|
806
|
+
}
|
|
807
|
+
matrix_expand(&pub->m, pub->rho);
|
|
808
|
+
return 1;
|
|
809
|
+
}
|
|
810
|
+
|
|
811
|
+
template <int RANK>
|
|
812
|
+
int mlkem_parse_public_key(struct public_key<RANK> *pub, CBS *in) {
|
|
813
|
+
CBS orig_in = *in;
|
|
814
|
+
if (!mlkem_parse_public_key_no_hash(pub, in) || //
|
|
815
|
+
CBS_len(in) != 0) {
|
|
816
|
+
return 0;
|
|
817
|
+
}
|
|
818
|
+
hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in));
|
|
819
|
+
return 1;
|
|
820
|
+
}
|
|
821
|
+
|
|
822
|
+
template <int RANK>
|
|
823
|
+
int mlkem_parse_private_key(struct private_key<RANK> *priv, CBS *in) {
|
|
824
|
+
CBS s_bytes;
|
|
825
|
+
if (!CBS_get_bytes(in, &s_bytes, encoded_vector_size(RANK)) ||
|
|
826
|
+
!vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime) ||
|
|
827
|
+
!mlkem_parse_public_key_no_hash(&priv->pub, in) ||
|
|
828
|
+
!CBS_copy_bytes(in, priv->pub.public_key_hash,
|
|
829
|
+
sizeof(priv->pub.public_key_hash)) ||
|
|
830
|
+
!CBS_copy_bytes(in, priv->fo_failure_secret,
|
|
831
|
+
sizeof(priv->fo_failure_secret)) ||
|
|
832
|
+
CBS_len(in) != 0) {
|
|
833
|
+
return 0;
|
|
834
|
+
}
|
|
835
|
+
return 1;
|
|
836
|
+
}
|
|
837
|
+
|
|
838
|
+
template <int RANK>
|
|
839
|
+
int mlkem_marshal_private_key(CBB *out, const struct private_key<RANK> *priv) {
|
|
840
|
+
uint8_t *s_output;
|
|
841
|
+
if (!CBB_add_space(out, &s_output, encoded_vector_size(RANK))) {
|
|
842
|
+
return 0;
|
|
843
|
+
}
|
|
844
|
+
vector_encode(s_output, &priv->s, kLog2Prime);
|
|
845
|
+
if (!bcm_success(mlkem_marshal_public_key(out, &priv->pub)) ||
|
|
846
|
+
!CBB_add_bytes(out, priv->pub.public_key_hash,
|
|
847
|
+
sizeof(priv->pub.public_key_hash)) ||
|
|
848
|
+
!CBB_add_bytes(out, priv->fo_failure_secret,
|
|
849
|
+
sizeof(priv->fo_failure_secret))) {
|
|
850
|
+
return 0;
|
|
851
|
+
}
|
|
852
|
+
return 1;
|
|
853
|
+
}
|
|
854
|
+
|
|
855
|
+
struct public_key<RANK768> *public_key_768_from_external(
|
|
856
|
+
const struct BCM_mlkem768_public_key *external) {
|
|
857
|
+
static_assert(sizeof(struct BCM_mlkem768_public_key) >=
|
|
858
|
+
sizeof(struct public_key<RANK768>),
|
|
859
|
+
"MLKEM public key is too small");
|
|
860
|
+
static_assert(alignof(struct BCM_mlkem768_public_key) >=
|
|
861
|
+
alignof(struct public_key<RANK768>),
|
|
862
|
+
"MLKEM public key alignment incorrect");
|
|
863
|
+
return (struct public_key<RANK768> *)external;
|
|
864
|
+
}
|
|
865
|
+
|
|
866
|
+
static struct public_key<RANK1024> *
|
|
867
|
+
public_key_1024_from_external(const struct BCM_mlkem1024_public_key *external) {
|
|
868
|
+
static_assert(sizeof(struct BCM_mlkem1024_public_key) >=
|
|
869
|
+
sizeof(struct public_key<RANK1024>),
|
|
870
|
+
"MLKEM1024 public key is too small");
|
|
871
|
+
static_assert(alignof(struct BCM_mlkem1024_public_key) >=
|
|
872
|
+
alignof(struct public_key<RANK1024>),
|
|
873
|
+
"MLKEM1024 public key alignment incorrect");
|
|
874
|
+
return (struct public_key<RANK1024> *)external;
|
|
875
|
+
}
|
|
876
|
+
|
|
877
|
+
struct private_key<RANK768> *
|
|
878
|
+
private_key_768_from_external(const struct BCM_mlkem768_private_key *external) {
|
|
879
|
+
static_assert(sizeof(struct BCM_mlkem768_private_key) >=
|
|
880
|
+
sizeof(struct private_key<RANK768>),
|
|
881
|
+
"MLKEM private key too small");
|
|
882
|
+
static_assert(alignof(struct BCM_mlkem768_private_key) >=
|
|
883
|
+
alignof(struct private_key<RANK768>),
|
|
884
|
+
"MLKEM private key alignment incorrect");
|
|
885
|
+
return (struct private_key<RANK768> *)external;
|
|
886
|
+
}
|
|
887
|
+
|
|
888
|
+
struct private_key<RANK1024> *
|
|
889
|
+
private_key_1024_from_external(
|
|
890
|
+
const struct BCM_mlkem1024_private_key *external) {
|
|
891
|
+
static_assert(sizeof(struct BCM_mlkem1024_private_key) >=
|
|
892
|
+
sizeof(struct private_key<RANK1024>),
|
|
893
|
+
"MLKEM1024 private key too small");
|
|
894
|
+
static_assert(alignof(struct BCM_mlkem1024_private_key) >=
|
|
895
|
+
alignof(struct private_key<RANK1024>),
|
|
896
|
+
"MLKEM1024 private key alignment incorrect");
|
|
897
|
+
return (struct private_key<RANK1024> *)external;
|
|
898
|
+
}
|
|
899
|
+
|
|
900
|
+
} // namespace
|
|
901
|
+
} // namespace mlkem
|
|
902
|
+
|
|
903
|
+
bcm_infallible BCM_mlkem768_generate_key(
|
|
904
|
+
uint8_t out_encoded_public_key[BCM_MLKEM768_PUBLIC_KEY_BYTES],
|
|
905
|
+
uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES],
|
|
906
|
+
struct BCM_mlkem768_private_key *out_private_key) {
|
|
907
|
+
uint8_t seed[BCM_MLKEM_SEED_BYTES];
|
|
908
|
+
BCM_rand_bytes(seed, sizeof(seed));
|
|
909
|
+
CONSTTIME_SECRET(seed, sizeof(seed));
|
|
910
|
+
if (optional_out_seed) {
|
|
911
|
+
OPENSSL_memcpy(optional_out_seed, seed, sizeof(seed));
|
|
912
|
+
}
|
|
913
|
+
BCM_mlkem768_generate_key_external_seed(out_encoded_public_key,
|
|
914
|
+
out_private_key, seed);
|
|
915
|
+
return bcm_infallible::approved;
|
|
916
|
+
}
|
|
917
|
+
|
|
918
|
+
bcm_status BCM_mlkem768_private_key_from_seed(
|
|
919
|
+
struct BCM_mlkem768_private_key *out_private_key, const uint8_t *seed,
|
|
920
|
+
size_t seed_len) {
|
|
921
|
+
if (seed_len != BCM_MLKEM_SEED_BYTES) {
|
|
922
|
+
return bcm_status::failure;
|
|
923
|
+
}
|
|
924
|
+
uint8_t public_key_bytes[BCM_MLKEM768_PUBLIC_KEY_BYTES];
|
|
925
|
+
BCM_mlkem768_generate_key_external_seed(public_key_bytes, out_private_key,
|
|
926
|
+
seed);
|
|
927
|
+
return bcm_status::approved;
|
|
928
|
+
}
|
|
929
|
+
|
|
930
|
+
bcm_infallible BCM_mlkem1024_generate_key(
|
|
931
|
+
uint8_t out_encoded_public_key[BCM_MLKEM1024_PUBLIC_KEY_BYTES],
|
|
932
|
+
uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES],
|
|
933
|
+
struct BCM_mlkem1024_private_key *out_private_key) {
|
|
934
|
+
uint8_t seed[BCM_MLKEM_SEED_BYTES];
|
|
935
|
+
BCM_rand_bytes(seed, sizeof(seed));
|
|
936
|
+
CONSTTIME_SECRET(seed, sizeof(seed));
|
|
937
|
+
if (optional_out_seed) {
|
|
938
|
+
OPENSSL_memcpy(optional_out_seed, seed, sizeof(seed));
|
|
939
|
+
}
|
|
940
|
+
BCM_mlkem1024_generate_key_external_seed(out_encoded_public_key,
|
|
941
|
+
out_private_key, seed);
|
|
942
|
+
return bcm_infallible::approved;
|
|
943
|
+
}
|
|
944
|
+
|
|
945
|
+
bcm_status BCM_mlkem1024_private_key_from_seed(
|
|
946
|
+
struct BCM_mlkem1024_private_key *out_private_key, const uint8_t *seed,
|
|
947
|
+
size_t seed_len) {
|
|
948
|
+
if (seed_len != BCM_MLKEM_SEED_BYTES) {
|
|
949
|
+
return bcm_status::failure;
|
|
950
|
+
}
|
|
951
|
+
uint8_t public_key_bytes[BCM_MLKEM1024_PUBLIC_KEY_BYTES];
|
|
952
|
+
BCM_mlkem1024_generate_key_external_seed(public_key_bytes, out_private_key,
|
|
953
|
+
seed);
|
|
954
|
+
return bcm_status::approved;
|
|
955
|
+
}
|
|
956
|
+
|
|
957
|
+
bcm_infallible BCM_mlkem768_generate_key_external_seed(
|
|
958
|
+
uint8_t out_encoded_public_key[BCM_MLKEM768_PUBLIC_KEY_BYTES],
|
|
959
|
+
struct BCM_mlkem768_private_key *out_private_key,
|
|
960
|
+
const uint8_t seed[BCM_MLKEM_SEED_BYTES]) {
|
|
961
|
+
mlkem::private_key<RANK768> *priv =
|
|
962
|
+
mlkem::private_key_768_from_external(out_private_key);
|
|
963
|
+
mlkem_generate_key_external_seed(out_encoded_public_key, priv, seed);
|
|
964
|
+
return bcm_infallible::approved;
|
|
965
|
+
}
|
|
966
|
+
|
|
967
|
+
bcm_infallible BCM_mlkem1024_generate_key_external_seed(
|
|
968
|
+
uint8_t out_encoded_public_key[BCM_MLKEM1024_PUBLIC_KEY_BYTES],
|
|
969
|
+
struct BCM_mlkem1024_private_key *out_private_key,
|
|
970
|
+
const uint8_t seed[BCM_MLKEM_SEED_BYTES]) {
|
|
971
|
+
mlkem::private_key<RANK1024> *priv =
|
|
972
|
+
mlkem::private_key_1024_from_external(out_private_key);
|
|
973
|
+
mlkem_generate_key_external_seed(out_encoded_public_key, priv, seed);
|
|
974
|
+
return bcm_infallible::approved;
|
|
975
|
+
}
|
|
976
|
+
|
|
977
|
+
bcm_infallible BCM_mlkem768_public_from_private(
|
|
978
|
+
struct BCM_mlkem768_public_key *out_public_key,
|
|
979
|
+
const struct BCM_mlkem768_private_key *private_key) {
|
|
980
|
+
struct mlkem::public_key<RANK768> *const pub =
|
|
981
|
+
mlkem::public_key_768_from_external(out_public_key);
|
|
982
|
+
const struct mlkem::private_key<RANK768> *const priv =
|
|
983
|
+
mlkem::private_key_768_from_external(private_key);
|
|
984
|
+
*pub = priv->pub;
|
|
985
|
+
return bcm_infallible::approved;
|
|
986
|
+
}
|
|
987
|
+
|
|
988
|
+
bcm_infallible BCM_mlkem1024_public_from_private(
|
|
989
|
+
struct BCM_mlkem1024_public_key *out_public_key,
|
|
990
|
+
const struct BCM_mlkem1024_private_key *private_key) {
|
|
991
|
+
struct mlkem::public_key<RANK1024> *const pub =
|
|
992
|
+
mlkem::public_key_1024_from_external(out_public_key);
|
|
993
|
+
const struct mlkem::private_key<RANK1024> *const priv =
|
|
994
|
+
mlkem::private_key_1024_from_external(private_key);
|
|
995
|
+
*pub = priv->pub;
|
|
996
|
+
return bcm_infallible::approved;
|
|
997
|
+
}
|
|
998
|
+
|
|
999
|
+
// Calls |MLKEM768_encap_external_entropy| with random bytes from
|
|
1000
|
+
// |BCM_rand_bytes|
|
|
1001
|
+
bcm_infallible BCM_mlkem768_encap(
|
|
1002
|
+
uint8_t out_ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES],
|
|
1003
|
+
uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
|
|
1004
|
+
const struct BCM_mlkem768_public_key *public_key) {
|
|
1005
|
+
uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY];
|
|
1006
|
+
BCM_rand_bytes(entropy, BCM_MLKEM_ENCAP_ENTROPY);
|
|
1007
|
+
CONSTTIME_SECRET(entropy, BCM_MLKEM_ENCAP_ENTROPY);
|
|
1008
|
+
BCM_mlkem768_encap_external_entropy(out_ciphertext, out_shared_secret,
|
|
1009
|
+
public_key, entropy);
|
|
1010
|
+
return bcm_infallible::approved;
|
|
1011
|
+
}
|
|
1012
|
+
|
|
1013
|
+
bcm_infallible BCM_mlkem1024_encap(
|
|
1014
|
+
uint8_t out_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES],
|
|
1015
|
+
uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
|
|
1016
|
+
const struct BCM_mlkem1024_public_key *public_key) {
|
|
1017
|
+
uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY];
|
|
1018
|
+
BCM_rand_bytes(entropy, BCM_MLKEM_ENCAP_ENTROPY);
|
|
1019
|
+
CONSTTIME_SECRET(entropy, BCM_MLKEM_ENCAP_ENTROPY);
|
|
1020
|
+
BCM_mlkem1024_encap_external_entropy(out_ciphertext, out_shared_secret,
|
|
1021
|
+
public_key, entropy);
|
|
1022
|
+
return bcm_infallible::approved;
|
|
1023
|
+
}
|
|
1024
|
+
|
|
1025
|
+
// See section 6.2.
|
|
1026
|
+
template <int RANK>
|
|
1027
|
+
void mlkem_encap_external_entropy(
|
|
1028
|
+
uint8_t *out_ciphertext,
|
|
1029
|
+
uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
|
|
1030
|
+
const struct mlkem::public_key<RANK> *pub,
|
|
1031
|
+
const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]) {
|
|
1032
|
+
uint8_t input[64];
|
|
1033
|
+
OPENSSL_memcpy(input, entropy, BCM_MLKEM_ENCAP_ENTROPY);
|
|
1034
|
+
OPENSSL_memcpy(input + BCM_MLKEM_ENCAP_ENTROPY, pub->public_key_hash,
|
|
1035
|
+
sizeof(input) - BCM_MLKEM_ENCAP_ENTROPY);
|
|
1036
|
+
uint8_t key_and_randomness[64];
|
|
1037
|
+
mlkem::hash_g(key_and_randomness, input, sizeof(input));
|
|
1038
|
+
encrypt_cpa(out_ciphertext, pub, entropy, key_and_randomness + 32);
|
|
1039
|
+
// The ciphertext is public.
|
|
1040
|
+
CONSTTIME_DECLASSIFY(out_ciphertext, mlkem::ciphertext_size(RANK));
|
|
1041
|
+
static_assert(BCM_MLKEM_SHARED_SECRET_BYTES == 32, "");
|
|
1042
|
+
memcpy(out_shared_secret, key_and_randomness, 32);
|
|
1043
|
+
}
|
|
1044
|
+
|
|
1045
|
+
bcm_infallible BCM_mlkem768_encap_external_entropy(
|
|
1046
|
+
uint8_t out_ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES],
|
|
1047
|
+
uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
|
|
1048
|
+
const struct BCM_mlkem768_public_key *public_key,
|
|
1049
|
+
const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]) {
|
|
1050
|
+
const struct mlkem::public_key<RANK768> *pub =
|
|
1051
|
+
mlkem::public_key_768_from_external(public_key);
|
|
1052
|
+
mlkem_encap_external_entropy(out_ciphertext, out_shared_secret, pub, entropy);
|
|
1053
|
+
return bcm_infallible::approved;
|
|
1054
|
+
}
|
|
1055
|
+
|
|
1056
|
+
bcm_infallible BCM_mlkem1024_encap_external_entropy(
|
|
1057
|
+
uint8_t out_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES],
|
|
1058
|
+
uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
|
|
1059
|
+
const struct BCM_mlkem1024_public_key *public_key,
|
|
1060
|
+
const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]) {
|
|
1061
|
+
const struct mlkem::public_key<RANK1024> *pub =
|
|
1062
|
+
mlkem::public_key_1024_from_external(public_key);
|
|
1063
|
+
mlkem_encap_external_entropy(out_ciphertext, out_shared_secret, pub, entropy);
|
|
1064
|
+
return bcm_infallible::approved;
|
|
1065
|
+
}
|
|
1066
|
+
|
|
1067
|
+
bcm_status BCM_mlkem768_decap(
|
|
1068
|
+
uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
|
|
1069
|
+
const uint8_t *ciphertext, size_t ciphertext_len,
|
|
1070
|
+
const struct BCM_mlkem768_private_key *private_key) {
|
|
1071
|
+
if (ciphertext_len != BCM_MLKEM768_CIPHERTEXT_BYTES) {
|
|
1072
|
+
BCM_rand_bytes(out_shared_secret, BCM_MLKEM_SHARED_SECRET_BYTES);
|
|
1073
|
+
return bcm_status::failure;
|
|
1074
|
+
}
|
|
1075
|
+
const struct mlkem::private_key<RANK768> *priv =
|
|
1076
|
+
mlkem::private_key_768_from_external(private_key);
|
|
1077
|
+
mlkem_decap(out_shared_secret, ciphertext, priv);
|
|
1078
|
+
return bcm_status::approved;
|
|
1079
|
+
}
|
|
1080
|
+
|
|
1081
|
+
bcm_status BCM_mlkem1024_decap(
|
|
1082
|
+
uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
|
|
1083
|
+
const uint8_t *ciphertext, size_t ciphertext_len,
|
|
1084
|
+
const struct BCM_mlkem1024_private_key *private_key) {
|
|
1085
|
+
if (ciphertext_len != BCM_MLKEM1024_CIPHERTEXT_BYTES) {
|
|
1086
|
+
BCM_rand_bytes(out_shared_secret, BCM_MLKEM_SHARED_SECRET_BYTES);
|
|
1087
|
+
return bcm_status::failure;
|
|
1088
|
+
}
|
|
1089
|
+
const struct mlkem::private_key<RANK1024> *priv =
|
|
1090
|
+
mlkem::private_key_1024_from_external(private_key);
|
|
1091
|
+
mlkem_decap(out_shared_secret, ciphertext, priv);
|
|
1092
|
+
return bcm_status::approved;
|
|
1093
|
+
}
|
|
1094
|
+
|
|
1095
|
+
bcm_status BCM_mlkem768_marshal_public_key(
|
|
1096
|
+
CBB *out, const struct BCM_mlkem768_public_key *public_key) {
|
|
1097
|
+
return mlkem_marshal_public_key(
|
|
1098
|
+
out, mlkem::public_key_768_from_external(public_key));
|
|
1099
|
+
}
|
|
1100
|
+
|
|
1101
|
+
bcm_status BCM_mlkem1024_marshal_public_key(
|
|
1102
|
+
CBB *out, const struct BCM_mlkem1024_public_key *public_key) {
|
|
1103
|
+
return mlkem_marshal_public_key(
|
|
1104
|
+
out, mlkem::public_key_1024_from_external(public_key));
|
|
1105
|
+
}
|
|
1106
|
+
|
|
1107
|
+
bcm_status BCM_mlkem768_parse_public_key(
|
|
1108
|
+
struct BCM_mlkem768_public_key *public_key, CBS *in) {
|
|
1109
|
+
struct mlkem::public_key<RANK768> *pub =
|
|
1110
|
+
mlkem::public_key_768_from_external(public_key);
|
|
1111
|
+
if (!mlkem_parse_public_key(pub, in)) {
|
|
1112
|
+
return bcm_status::failure;
|
|
1113
|
+
}
|
|
1114
|
+
return bcm_status::approved;
|
|
1115
|
+
}
|
|
1116
|
+
|
|
1117
|
+
bcm_status BCM_mlkem1024_parse_public_key(
|
|
1118
|
+
struct BCM_mlkem1024_public_key *public_key, CBS *in) {
|
|
1119
|
+
struct mlkem::public_key<RANK1024> *pub =
|
|
1120
|
+
mlkem::public_key_1024_from_external(public_key);
|
|
1121
|
+
if (!mlkem_parse_public_key(pub, in)) {
|
|
1122
|
+
return bcm_status::failure;
|
|
1123
|
+
}
|
|
1124
|
+
return bcm_status::approved;
|
|
1125
|
+
}
|
|
1126
|
+
|
|
1127
|
+
bcm_status BCM_mlkem768_marshal_private_key(
|
|
1128
|
+
CBB *out, const struct BCM_mlkem768_private_key *private_key) {
|
|
1129
|
+
const struct mlkem::private_key<RANK768> *const priv =
|
|
1130
|
+
mlkem::private_key_768_from_external(private_key);
|
|
1131
|
+
if (!mlkem_marshal_private_key(out, priv)) {
|
|
1132
|
+
return bcm_status::failure;
|
|
1133
|
+
}
|
|
1134
|
+
return bcm_status::approved;
|
|
1135
|
+
}
|
|
1136
|
+
|
|
1137
|
+
bcm_status BCM_mlkem1024_marshal_private_key(
|
|
1138
|
+
CBB *out, const struct BCM_mlkem1024_private_key *private_key) {
|
|
1139
|
+
const struct mlkem::private_key<RANK1024> *const priv =
|
|
1140
|
+
mlkem::private_key_1024_from_external(private_key);
|
|
1141
|
+
if (!mlkem_marshal_private_key(out, priv)) {
|
|
1142
|
+
return bcm_status::failure;
|
|
1143
|
+
}
|
|
1144
|
+
return bcm_status::approved;
|
|
1145
|
+
}
|
|
1146
|
+
|
|
1147
|
+
bcm_status BCM_mlkem768_parse_private_key(
|
|
1148
|
+
struct BCM_mlkem768_private_key *out_private_key, CBS *in) {
|
|
1149
|
+
struct mlkem::private_key<RANK768> *const priv =
|
|
1150
|
+
mlkem::private_key_768_from_external(out_private_key);
|
|
1151
|
+
if (!mlkem_parse_private_key(priv, in)) {
|
|
1152
|
+
return bcm_status::failure;
|
|
1153
|
+
}
|
|
1154
|
+
return bcm_status::approved;
|
|
1155
|
+
}
|
|
1156
|
+
|
|
1157
|
+
bcm_status BCM_mlkem1024_parse_private_key(
|
|
1158
|
+
struct BCM_mlkem1024_private_key *out_private_key, CBS *in) {
|
|
1159
|
+
struct mlkem::private_key<RANK1024> *const priv =
|
|
1160
|
+
mlkem::private_key_1024_from_external(out_private_key);
|
|
1161
|
+
if (!mlkem_parse_private_key(priv, in)) {
|
|
1162
|
+
return bcm_status::failure;
|
|
1163
|
+
}
|
|
1164
|
+
return bcm_status::approved;
|
|
1165
|
+
}
|