grpc 1.70.1 → 1.71.0

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/slhdsa/thash.cc.inc

@@ -0,0 +1,173 @@
+// Copyright 2024 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <openssl/base.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include <openssl/sha.h>
+
+#include "../../internal.h"
+#include "./params.h"
+#include "./thash.h"
+
+
+// Internal thash function used by F, H, and T_l (Section 11.2, pages 44-46)
+static void slhdsa_thash(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                         const uint8_t *input, size_t input_blocks,
+                         const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],
+                         uint8_t addr[32]) {
+  SHA256_CTX sha256;
+  SHA256_Init(&sha256);
+
+  // Process pubseed with padding to full block.
+  static const uint8_t kZeros[64 - BCM_SLHDSA_SHA2_128S_N] = {0};
+  SHA256_Update(&sha256, pk_seed, BCM_SLHDSA_SHA2_128S_N);
+  SHA256_Update(&sha256, kZeros, sizeof(kZeros));
+  SHA256_Update(&sha256, addr, SLHDSA_SHA2_128S_SHA256_ADDR_BYTES);
+  SHA256_Update(&sha256, input, input_blocks * BCM_SLHDSA_SHA2_128S_N);
+
+  uint8_t hash[32];
+  SHA256_Final(hash, &sha256);
+  OPENSSL_memcpy(output, hash, BCM_SLHDSA_SHA2_128S_N);
+}
+
+// Implements PRF_msg function (Section 4.1, page 11 and Section 11.2, pages
+// 44-46)
+void slhdsa_thash_prfmsg(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                         const uint8_t sk_prf[BCM_SLHDSA_SHA2_128S_N],
+                         const uint8_t entropy[BCM_SLHDSA_SHA2_128S_N],
+                         const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN],
+                         const uint8_t *ctx, size_t ctx_len, const uint8_t *msg,
+                         size_t msg_len) {
+  // Compute HMAC-SHA256(sk_prf, entropy || header || ctx || msg). We inline
+  // HMAC to avoid an allocation.
+  uint8_t hmac_key[SHA256_CBLOCK];
+  static_assert(BCM_SLHDSA_SHA2_128S_N <= SHA256_CBLOCK,
+                "HMAC key is larger than block size");
+  OPENSSL_memcpy(hmac_key, sk_prf, BCM_SLHDSA_SHA2_128S_N);
+  for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; i++) {
+    hmac_key[i] ^= 0x36;
+  }
+  OPENSSL_memset(hmac_key + BCM_SLHDSA_SHA2_128S_N, 0x36,
+                 sizeof(hmac_key) - BCM_SLHDSA_SHA2_128S_N);
+
+  SHA256_CTX sha_ctx;
+  SHA256_Init(&sha_ctx);
+  SHA256_Update(&sha_ctx, hmac_key, sizeof(hmac_key));
+  SHA256_Update(&sha_ctx, entropy, BCM_SLHDSA_SHA2_128S_N);
+  if (header) {
+    SHA256_Update(&sha_ctx, header, BCM_SLHDSA_M_PRIME_HEADER_LEN);
+  }
+  SHA256_Update(&sha_ctx, ctx, ctx_len);
+  SHA256_Update(&sha_ctx, msg, msg_len);
+  uint8_t hash[SHA256_DIGEST_LENGTH];
+  SHA256_Final(hash, &sha_ctx);
+
+  for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; i++) {
+    hmac_key[i] ^= 0x36 ^ 0x5c;
+  }
+  OPENSSL_memset(hmac_key + BCM_SLHDSA_SHA2_128S_N, 0x5c,
+                 sizeof(hmac_key) - BCM_SLHDSA_SHA2_128S_N);
+
+  SHA256_Init(&sha_ctx);
+  SHA256_Update(&sha_ctx, hmac_key, sizeof(hmac_key));
+  SHA256_Update(&sha_ctx, hash, sizeof(hash));
+  SHA256_Final(hash, &sha_ctx);
+
+  // Truncate to BCM_SLHDSA_SHA2_128S_N bytes
+  OPENSSL_memcpy(output, hash, BCM_SLHDSA_SHA2_128S_N);
+}
+
+// Implements H_msg function (Section 4.1, page 11 and Section 11.2, pages
+// 44-46)
+void slhdsa_thash_hmsg(uint8_t output[SLHDSA_SHA2_128S_DIGEST_SIZE],
+                       const uint8_t r[BCM_SLHDSA_SHA2_128S_N],
+                       const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],
+                       const uint8_t pk_root[BCM_SLHDSA_SHA2_128S_N],
+                       const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN],
+                       const uint8_t *ctx, size_t ctx_len, const uint8_t *msg,
+                       size_t msg_len) {
+  // MGF1-SHA-256(R || PK.seed || SHA-256(R || PK.seed || PK.root || header ||
+  // ctx || M), m) input_buffer stores R || PK_SEED || SHA256(..) || 4-byte
+  // index
+  uint8_t input_buffer[2 * BCM_SLHDSA_SHA2_128S_N + 32 + 4] = {0};
+  OPENSSL_memcpy(input_buffer, r, BCM_SLHDSA_SHA2_128S_N);
+  OPENSSL_memcpy(input_buffer + BCM_SLHDSA_SHA2_128S_N, pk_seed,
+                 BCM_SLHDSA_SHA2_128S_N);
+
+  // Inner hash
+  SHA256_CTX sha_ctx;
+  SHA256_Init(&sha_ctx);
+  SHA256_Update(&sha_ctx, r, BCM_SLHDSA_SHA2_128S_N);
+  SHA256_Update(&sha_ctx, pk_seed, BCM_SLHDSA_SHA2_128S_N);
+  SHA256_Update(&sha_ctx, pk_root, BCM_SLHDSA_SHA2_128S_N);
+  if (header) {
+    SHA256_Update(&sha_ctx, header, BCM_SLHDSA_M_PRIME_HEADER_LEN);
+  }
+  SHA256_Update(&sha_ctx, ctx, ctx_len);
+  SHA256_Update(&sha_ctx, msg, msg_len);
+  // Write directly into the input buffer
+  SHA256_Final(input_buffer + 2 * BCM_SLHDSA_SHA2_128S_N, &sha_ctx);
+
+  // MGF1-SHA-256
+  uint8_t hash[32];
+  static_assert(SLHDSA_SHA2_128S_DIGEST_SIZE < sizeof(hash),
+                "More MGF1 iterations required");
+  SHA256(input_buffer, sizeof(input_buffer), hash);
+  OPENSSL_memcpy(output, hash, SLHDSA_SHA2_128S_DIGEST_SIZE);
+}
+
+// Implements PRF function (Section 4.1, page 11 and Section 11.2, pages 44-46)
+void slhdsa_thash_prf(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                      const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],
+                      const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],
+                      uint8_t addr[32]) {
+  slhdsa_thash(output, sk_seed, 1, pk_seed, addr);
+}
+
+// Implements T_l function for WOTS+ public key compression (Section 4.1, page
+// 11 and Section 11.2, pages 44-46)
+void slhdsa_thash_tl(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                     const uint8_t input[SLHDSA_SHA2_128S_WOTS_BYTES],
+                     const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],
+                     uint8_t addr[32]) {
+  slhdsa_thash(output, input, SLHDSA_SHA2_128S_WOTS_LEN, pk_seed, addr);
+}
+
+// Implements H function (Section 4.1, page 11 and Section 11.2, pages 44-46)
+void slhdsa_thash_h(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                    const uint8_t input[2 * BCM_SLHDSA_SHA2_128S_N],
+                    const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],
+                    uint8_t addr[32]) {
+  slhdsa_thash(output, input, 2, pk_seed, addr);
+}
+
+// Implements F function (Section 4.1, page 11 and Section 11.2, pages 44-46)
+void slhdsa_thash_f(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                    const uint8_t input[BCM_SLHDSA_SHA2_128S_N],
+                    const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],
+                    uint8_t addr[32]) {
+  slhdsa_thash(output, input, 1, pk_seed, addr);
+}
+
+// Implements T_k function for FORS public key compression (Section 4.1, page 11
+// and Section 11.2, pages 44-46)
+void slhdsa_thash_tk(
+    uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+    const uint8_t input[SLHDSA_SHA2_128S_FORS_TREES * BCM_SLHDSA_SHA2_128S_N],
+    const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N], uint8_t addr[32]) {
+  slhdsa_thash(output, input, SLHDSA_SHA2_128S_FORS_TREES, pk_seed, addr);
+}

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/slhdsa/thash.h

@@ -0,0 +1,85 @@
+// Copyright 2024 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_THASH_H
+#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_THASH_H
+
+#include "./params.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// Implements PRF_msg: a pseudo-random function that is used to generate the
+// randomizer r for the randomized hashing of the message to be signed.
+// (Section 4.1, page 11)
+void slhdsa_thash_prfmsg(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                         const uint8_t sk_prf[BCM_SLHDSA_SHA2_128S_N],
+                         const uint8_t opt_rand[BCM_SLHDSA_SHA2_128S_N],
+                         const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN],
+                         const uint8_t *ctx, size_t ctx_len, const uint8_t *msg,
+                         size_t msg_len);
+
+// Implements H_msg: a hash function used to generate the digest of the message
+// to be signed. (Section 4.1, page 11)
+void slhdsa_thash_hmsg(uint8_t output[SLHDSA_SHA2_128S_DIGEST_SIZE],
+                       const uint8_t r[BCM_SLHDSA_SHA2_128S_N],
+                       const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],
+                       const uint8_t pk_root[BCM_SLHDSA_SHA2_128S_N],
+                       const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN],
+                       const uint8_t *ctx, size_t ctx_len, const uint8_t *msg,
+                       size_t msg_len);
+
+// Implements PRF: a pseudo-random function that is used to generate the secret
+// values in WOTS+ and FORS private keys. (Section 4.1, page 11)
+void slhdsa_thash_prf(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                      const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],
+                      const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],
+                      uint8_t addr[32]);
+
+// Implements T_l: a hash function that maps an l*n-byte message to an n-byte
+// message. Used for WOTS+ public key compression. (Section 4.1, page 11)
+void slhdsa_thash_tl(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                     const uint8_t input[SLHDSA_SHA2_128S_WOTS_BYTES],
+                     const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],
+                     uint8_t addr[32]);
+
+// Implements H: a hash function that takes a 2*n-byte message as input and
+// produces an n-byte output. (Section 4.1, page 11)
+void slhdsa_thash_h(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                    const uint8_t input[2 * BCM_SLHDSA_SHA2_128S_N],
+                    const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],
+                    uint8_t addr[32]);
+
+// Implements F: a hash function that takes an n-byte message as input and
+// produces an n-byte output. (Section 4.1, page 11)
+void slhdsa_thash_f(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                    const uint8_t input[BCM_SLHDSA_SHA2_128S_N],
+                    const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],
+                    uint8_t addr[32]);
+
+// Implements T_k: a hash function that maps a k*n-byte message to an n-byte
+// message. Used for FORS public key compression. (Section 4.1, page 11)
+void slhdsa_thash_tk(
+    uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+    const uint8_t input[SLHDSA_SHA2_128S_FORS_TREES * BCM_SLHDSA_SHA2_128S_N],
+    const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N], uint8_t addr[32]);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_THASH_H

data/third_party/boringssl-with-bazel/src/crypto/{slhdsa/wots.cc → fipsmodule/slhdsa/wots.cc.inc}

@@ -1,16 +1,16 @@
-/* Copyright 2024 The BoringSSL Authors
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+// Copyright 2024 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 
 #include <openssl/base.h>
 
@@ -18,7 +18,7 @@
 #include <stdint.h>
 #include <string.h>
 
-#include "../internal.h"
+#include "../../internal.h"
 #include "./address.h"
 #include "./params.h"
 #include "./thash.h"
@@ -26,14 +26,14 @@
 
 
 // Implements Algorithm 5: chain function, page 18
-static void chain(uint8_t output[SLHDSA_SHA2_128S_N],
-                  const uint8_t input[SLHDSA_SHA2_128S_N], uint32_t start,
-                  uint32_t steps, const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+static void chain(uint8_t output[BCM_SLHDSA_SHA2_128S_N],
+                  const uint8_t input[BCM_SLHDSA_SHA2_128S_N], uint32_t start,
+                  uint32_t steps, const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],
                   uint8_t addr[32]) {
   assert(start < SLHDSA_SHA2_128S_WOTS_W);
   assert(steps < SLHDSA_SHA2_128S_WOTS_W);
 
-  OPENSSL_memcpy(output, input, SLHDSA_SHA2_128S_N);
+  OPENSSL_memcpy(output, input, BCM_SLHDSA_SHA2_128S_N);
 
   for (size_t i = start; i < (start + steps) && i < SLHDSA_SHA2_128S_WOTS_W;
        ++i) {
@@ -42,13 +42,13 @@ static void chain(uint8_t output[SLHDSA_SHA2_128S_N],
   }
 }
 
-static void slhdsa_wots_do_chain(uint8_t out[SLHDSA_SHA2_128S_N],
+static void slhdsa_wots_do_chain(uint8_t out[BCM_SLHDSA_SHA2_128S_N],
                                  uint8_t sk_addr[32], uint8_t addr[32],
                                  uint8_t value,
-                                 const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
-                                 const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+                                 const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],
+                                 const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],
                                  uint32_t chain_index) {
-  uint8_t tmp_sk[SLHDSA_SHA2_128S_N];
+  uint8_t tmp_sk[BCM_SLHDSA_SHA2_128S_N];
   slhdsa_set_chain_addr(sk_addr, chain_index);
   slhdsa_thash_prf(tmp_sk, pub_seed, sk_seed, sk_addr);
   slhdsa_set_chain_addr(addr, chain_index);
@@ -56,9 +56,9 @@ static void slhdsa_wots_do_chain(uint8_t out[SLHDSA_SHA2_128S_N],
 }
 
 // Implements Algorithm 6: wots_pkGen function, page 18
-void slhdsa_wots_pk_gen(uint8_t pk[SLHDSA_SHA2_128S_N],
-                        const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
-                        const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+void slhdsa_wots_pk_gen(uint8_t pk[BCM_SLHDSA_SHA2_128S_N],
+                        const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],
+                        const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],
                         uint8_t addr[32]) {
   uint8_t wots_pk_addr[32], sk_addr[32];
   OPENSSL_memcpy(wots_pk_addr, addr, sizeof(wots_pk_addr));
@@ -68,7 +68,7 @@ void slhdsa_wots_pk_gen(uint8_t pk[SLHDSA_SHA2_128S_N],
 
   uint8_t tmp[SLHDSA_SHA2_128S_WOTS_BYTES];
   for (size_t i = 0; i < SLHDSA_SHA2_128S_WOTS_LEN; ++i) {
-    slhdsa_wots_do_chain(tmp + i * SLHDSA_SHA2_128S_N, sk_addr, addr,
+    slhdsa_wots_do_chain(tmp + i * BCM_SLHDSA_SHA2_128S_N, sk_addr, addr,
                          SLHDSA_SHA2_128S_WOTS_W - 1, sk_seed, pub_seed, i);
   }
 
@@ -80,14 +80,14 @@ void slhdsa_wots_pk_gen(uint8_t pk[SLHDSA_SHA2_128S_N],
 
 // Implements Algorithm 7: wots_sign function, page 20
 void slhdsa_wots_sign(uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],
-                      const uint8_t msg[SLHDSA_SHA2_128S_N],
-                      const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
-                      const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+                      const uint8_t msg[BCM_SLHDSA_SHA2_128S_N],
+                      const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],
+                      const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],
                       uint8_t addr[32]) {
   // Compute checksum
-  static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == SLHDSA_SHA2_128S_N * 2, "");
+  static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == BCM_SLHDSA_SHA2_128S_N * 2, "");
   uint16_t csum = 0;
-  for (size_t i = 0; i < SLHDSA_SHA2_128S_N; ++i) {
+  for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; ++i) {
     csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] >> 4);
     csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] & 15);
   }
@@ -99,23 +99,23 @@ void slhdsa_wots_sign(uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],
   slhdsa_copy_keypair_addr(sk_addr, addr);
 
   uint32_t chain_index = 0;
-  for (size_t i = 0; i < SLHDSA_SHA2_128S_N; ++i) {
+  for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; ++i) {
     slhdsa_wots_do_chain(sig, sk_addr, addr, msg[i] >> 4, sk_seed, pub_seed,
                          chain_index++);
-    sig += SLHDSA_SHA2_128S_N;
+    sig += BCM_SLHDSA_SHA2_128S_N;
 
     slhdsa_wots_do_chain(sig, sk_addr, addr, msg[i] & 15, sk_seed, pub_seed,
                          chain_index++);
-    sig += SLHDSA_SHA2_128S_N;
+    sig += BCM_SLHDSA_SHA2_128S_N;
   }
 
   // Include the SLHDSA_SHA2_128S_WOTS_LEN2 checksum values.
   slhdsa_wots_do_chain(sig, sk_addr, addr, (csum >> 8) & 15, sk_seed, pub_seed,
                        chain_index++);
-  sig += SLHDSA_SHA2_128S_N;
+  sig += BCM_SLHDSA_SHA2_128S_N;
   slhdsa_wots_do_chain(sig, sk_addr, addr, (csum >> 4) & 15, sk_seed, pub_seed,
                        chain_index++);
-  sig += SLHDSA_SHA2_128S_N;
+  sig += BCM_SLHDSA_SHA2_128S_N;
   slhdsa_wots_do_chain(sig, sk_addr, addr, csum & 15, sk_seed, pub_seed,
                        chain_index++);
 }
@@ -123,23 +123,23 @@ void slhdsa_wots_sign(uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],
 static void slhdsa_wots_pk_from_sig_do_chain(
     uint8_t out[SLHDSA_SHA2_128S_WOTS_BYTES], uint8_t addr[32],
     const uint8_t in[SLHDSA_SHA2_128S_WOTS_BYTES], uint8_t value,
-    const uint8_t pub_seed[SLHDSA_SHA2_128S_N], uint32_t chain_index) {
+    const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N], uint32_t chain_index) {
   slhdsa_set_chain_addr(addr, chain_index);
-  chain(out + chain_index * SLHDSA_SHA2_128S_N,
-        in + chain_index * SLHDSA_SHA2_128S_N, value,
+  chain(out + chain_index * BCM_SLHDSA_SHA2_128S_N,
+        in + chain_index * BCM_SLHDSA_SHA2_128S_N, value,
         SLHDSA_SHA2_128S_WOTS_W - 1 - value, pub_seed, addr);
 }
 
 // Implements Algorithm 8: wots_pkFromSig function, page 21
-void slhdsa_wots_pk_from_sig(uint8_t pk[SLHDSA_SHA2_128S_N],
+void slhdsa_wots_pk_from_sig(uint8_t pk[BCM_SLHDSA_SHA2_128S_N],
                              const uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],
-                             const uint8_t msg[SLHDSA_SHA2_128S_N],
-                             const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+                             const uint8_t msg[BCM_SLHDSA_SHA2_128S_N],
+                             const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],
                              uint8_t addr[32]) {
   // Compute checksum
-  static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == SLHDSA_SHA2_128S_N * 2, "");
+  static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == BCM_SLHDSA_SHA2_128S_N * 2, "");
   uint16_t csum = 0;
-  for (size_t i = 0; i < SLHDSA_SHA2_128S_N; ++i) {
+  for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; ++i) {
     csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] >> 4);
     csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] & 15);
   }
@@ -149,8 +149,8 @@ void slhdsa_wots_pk_from_sig(uint8_t pk[SLHDSA_SHA2_128S_N],
   OPENSSL_memcpy(wots_pk_addr, addr, sizeof(wots_pk_addr));
 
   uint32_t chain_index = 0;
-  static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == SLHDSA_SHA2_128S_N * 2, "");
-  for (size_t i = 0; i < SLHDSA_SHA2_128S_N; ++i) {
+  static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == BCM_SLHDSA_SHA2_128S_N * 2, "");
+  for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; ++i) {
     slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, msg[i] >> 4, pub_seed,
                                      chain_index++);
     slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, msg[i] & 15, pub_seed,

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/slhdsa/wots.h

@@ -0,0 +1,50 @@
+// Copyright 2024 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_WOTS_H
+#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_WOTS_H
+
+#include "./params.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// Implements Algorithm 6: wots_pkGen function, page 18
+void slhdsa_wots_pk_gen(uint8_t pk[BCM_SLHDSA_SHA2_128S_N],
+                        const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],
+                        const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],
+                        uint8_t addr[32]);
+
+// Implements Algorithm 7: wots_sign function, page 20
+void slhdsa_wots_sign(uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],
+                      const uint8_t msg[BCM_SLHDSA_SHA2_128S_N],
+                      const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],
+                      const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],
+                      uint8_t addr[32]);
+
+// Implements Algorithm 8: wots_pkFromSig function, page 21
+void slhdsa_wots_pk_from_sig(uint8_t pk[BCM_SLHDSA_SHA2_128S_N],
+                             const uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],
+                             const uint8_t msg[BCM_SLHDSA_SHA2_128S_N],
+                             const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],
+                             uint8_t addr[32]);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_WOTS_H

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/internal.h

@@ -1,16 +1,16 @@
-/* Copyright 2018 The BoringSSL Authors
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+// Copyright 2018 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 
 #ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H
 #define OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.cc.inc

@@ -1,54 +1,16 @@
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
+// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 
 #include <assert.h>
 

data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.cc

@@ -1,16 +1,16 @@
-/* Copyright 2020 The BoringSSL Authors
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+// Copyright 2020 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 
 #include <openssl/hpke.h>