RubyGems - grpc - Versions diffs - 1.70.1 → 1.71.0 - Mend

grpc 1.70.1 → 1.71.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1064) hide show

data/third_party/boringssl-with-bazel/src/crypto/slhdsa/slhdsa.cc CHANGED Viewed

@@ -1,135 +1,44 @@
-/* Copyright 2024 The BoringSSL Authors
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+// Copyright 2024 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 #include <openssl/slhdsa.h>
-#include <string.h>
-#include <openssl/bytestring.h>
 #include <openssl/obj.h>
-#include <openssl/rand.h>
-#include "../internal.h"
-#include "address.h"
-#include "fors.h"
-#include "internal.h"
-#include "merkle.h"
-#include "params.h"
-#include "thash.h"
-// The OBJECT IDENTIFIER header is also included in these values, per the spec.
-static const uint8_t kSHA384OID[] = {0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
-                                     0x65, 0x03, 0x04, 0x02, 0x02};
-#define MAX_OID_LENGTH 11
-#define MAX_CONTEXT_LENGTH 255
-void SLHDSA_SHA2_128S_generate_key_from_seed(
-    uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
-    uint8_t out_secret_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
-    const uint8_t seed[3 * SLHDSA_SHA2_128S_N]) {
-  // Initialize SK.seed || SK.prf || PK.seed from seed.
-  OPENSSL_memcpy(out_secret_key, seed, 3 * SLHDSA_SHA2_128S_N);
-  // Initialize PK.seed from seed.
-  OPENSSL_memcpy(out_public_key, seed + 2 * SLHDSA_SHA2_128S_N,
-                 SLHDSA_SHA2_128S_N);
+#include "../fipsmodule/bcm_interface.h"
-  uint8_t addr[32] = {0};
-  slhdsa_set_layer_addr(addr, SLHDSA_SHA2_128S_D - 1);
-  // Set PK.root
-  slhdsa_treehash(out_public_key + SLHDSA_SHA2_128S_N, out_secret_key, 0,
-                  SLHDSA_SHA2_128S_TREE_HEIGHT, out_public_key, addr);
-  OPENSSL_memcpy(out_secret_key + 3 * SLHDSA_SHA2_128S_N,
-                 out_public_key + SLHDSA_SHA2_128S_N, SLHDSA_SHA2_128S_N);
-}
+static_assert(SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES ==
+                  BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES,
+              "");
+static_assert(SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES ==
+                  BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES,
+              "");
+static_assert(SLHDSA_SHA2_128S_SIGNATURE_BYTES ==
+                  BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES,
+              "");
 void SLHDSA_SHA2_128S_generate_key(
     uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
     uint8_t out_private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]) {
-  uint8_t seed[3 * SLHDSA_SHA2_128S_N];
-  RAND_bytes(seed, 3 * SLHDSA_SHA2_128S_N);
-  SLHDSA_SHA2_128S_generate_key_from_seed(out_public_key, out_private_key,
-                                          seed);
+  BCM_slhdsa_sha2_128s_generate_key(out_public_key, out_private_key);
 }
-OPENSSL_EXPORT void SLHDSA_SHA2_128S_public_from_private(
+void SLHDSA_SHA2_128S_public_from_private(
     uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
     const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]) {
-  OPENSSL_memcpy(out_public_key, private_key + 2 * SLHDSA_SHA2_128S_N,
-                 SLHDSA_SHA2_128S_N * 2);
-}
-// Note that this overreads by a byte. This is fine in the context that it's
-// used.
-static uint64_t load_tree_index(const uint8_t in[8]) {
-  static_assert(SLHDSA_SHA2_128S_TREE_BYTES == 7,
-                "This code needs to be updated");
-  uint64_t index = CRYPTO_load_u64_be(in);
-  index >>= 8;
-  index &= (~(uint64_t)0) >> (64 - SLHDSA_SHA2_128S_TREE_BITS);
-  return index;
-}
-// Implements Algorithm 22: slh_sign function (Section 10.2.1, page 39)
-void SLHDSA_SHA2_128S_sign_internal(
-    uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],
-    const uint8_t secret_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
-    const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,
-    size_t context_len, const uint8_t *msg, size_t msg_len,
-    const uint8_t entropy[SLHDSA_SHA2_128S_N]) {
-  const uint8_t *sk_seed = secret_key;
-  const uint8_t *sk_prf = secret_key + SLHDSA_SHA2_128S_N;
-  const uint8_t *pk_seed = secret_key + 2 * SLHDSA_SHA2_128S_N;
-  const uint8_t *pk_root = secret_key + 3 * SLHDSA_SHA2_128S_N;
-  // Derive randomizer R and copy it to signature
-  uint8_t R[SLHDSA_SHA2_128S_N];
-  slhdsa_thash_prfmsg(R, sk_prf, entropy, header, context, context_len, msg,
-                      msg_len);
-  OPENSSL_memcpy(out_signature, R, SLHDSA_SHA2_128S_N);
-  // Compute message digest
-  uint8_t digest[SLHDSA_SHA2_128S_DIGEST_SIZE];
-  slhdsa_thash_hmsg(digest, R, pk_seed, pk_root, header, context, context_len,
-                    msg, msg_len);
-  uint8_t fors_digest[SLHDSA_SHA2_128S_FORS_MSG_BYTES];
-  OPENSSL_memcpy(fors_digest, digest, SLHDSA_SHA2_128S_FORS_MSG_BYTES);
-  const uint64_t idx_tree =
-      load_tree_index(digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES);
-  uint32_t idx_leaf = CRYPTO_load_u16_be(
-      digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES + SLHDSA_SHA2_128S_TREE_BYTES);
-  idx_leaf &= (~(uint32_t)0) >> (32 - SLHDSA_SHA2_128S_LEAF_BITS);
-  uint8_t addr[32] = {0};
-  slhdsa_set_tree_addr(addr, idx_tree);
-  slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSTREE);
-  slhdsa_set_keypair_addr(addr, idx_leaf);
-  slhdsa_fors_sign(out_signature + SLHDSA_SHA2_128S_N, fors_digest, sk_seed,
-                   pk_seed, addr);
-  uint8_t pk_fors[SLHDSA_SHA2_128S_N];
-  slhdsa_fors_pk_from_sig(pk_fors, out_signature + SLHDSA_SHA2_128S_N,
-                          fors_digest, pk_seed, addr);
-  slhdsa_ht_sign(
-      out_signature + SLHDSA_SHA2_128S_N + SLHDSA_SHA2_128S_FORS_BYTES, pk_fors,
-      idx_tree, idx_leaf, sk_seed, pk_seed);
+  BCM_slhdsa_sha2_128s_public_from_private(out_public_key, private_key);
 }
 int SLHDSA_SHA2_128S_sign(
@@ -137,171 +46,68 @@ int SLHDSA_SHA2_128S_sign(
     const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
     const uint8_t *msg, size_t msg_len, const uint8_t *context,
     size_t context_len) {
-  if (context_len > MAX_CONTEXT_LENGTH) {
-    return 0;
-  }
-  // Construct header for M' as specified in Algorithm 22
-  uint8_t M_prime_header[2];
-  M_prime_header[0] = 0;  // domain separator for pure signing
-  M_prime_header[1] = (uint8_t)context_len;
-  uint8_t entropy[SLHDSA_SHA2_128S_N];
-  RAND_bytes(entropy, sizeof(entropy));
-  SLHDSA_SHA2_128S_sign_internal(out_signature, private_key, M_prime_header,
-                                 context, context_len, msg, msg_len, entropy);
-  return 1;
+  return bcm_success(BCM_slhdsa_sha2_128s_sign(out_signature, private_key, msg,
+                                               msg_len, context, context_len));
 }
-static int slhdsa_get_nonstandard_context_and_oid(
-    uint8_t *out_context_and_oid, size_t *out_context_and_oid_len,
-    size_t max_out_context_and_oid, const uint8_t *context, size_t context_len,
-    int hash_nid, size_t hashed_msg_len) {
-  const uint8_t *oid;
-  size_t oid_len;
-  size_t expected_hash_len;
-  switch (hash_nid) {
-    // The SLH-DSA spec only lists SHA-256 and SHA-512. This function supports
-    // SHA-384, which is non-standard.
-    case NID_sha384:
-      oid = kSHA384OID;
-      oid_len = sizeof(kSHA384OID);
-      static_assert(sizeof(kSHA384OID) <= MAX_OID_LENGTH, "");
-      expected_hash_len = 48;
-      break;
-    // If adding a hash function with a larger `oid_len`, update the size of
-    // `context_and_oid` in the callers.
-    default:
-      return 0;
-  }
-  if (hashed_msg_len != expected_hash_len) {
-    return 0;
-  }
-  *out_context_and_oid_len = context_len + oid_len;
-  if (*out_context_and_oid_len > max_out_context_and_oid) {
-    return 0;
-  }
-  OPENSSL_memcpy(out_context_and_oid, context, context_len);
-  OPENSSL_memcpy(out_context_and_oid + context_len, oid, oid_len);
-  return 1;
+int SLHDSA_SHA2_128S_verify(
+    const uint8_t *signature, size_t signature_len,
+    const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
+    const uint8_t *msg, size_t msg_len, const uint8_t *context,
+    size_t context_len) {
+  return bcm_success(BCM_slhdsa_sha2_128s_verify(signature, signature_len,
+                                                 public_key, msg, msg_len,
+                                                 context, context_len));
 }
-int SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign(
+int SLHDSA_SHA2_128S_prehash_sign(
     uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],
     const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
     const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,
     const uint8_t *context, size_t context_len) {
-  if (context_len > MAX_CONTEXT_LENGTH) {
+  if (hash_nid != NID_sha256) {
     return 0;
   }
-  uint8_t M_prime_header[2];
-  M_prime_header[0] = 1;  // domain separator for prehashed signing
-  M_prime_header[1] = (uint8_t)context_len;
-  uint8_t context_and_oid[MAX_CONTEXT_LENGTH + MAX_OID_LENGTH];
-  size_t context_and_oid_len;
-  if (!slhdsa_get_nonstandard_context_and_oid(
-          context_and_oid, &context_and_oid_len, sizeof(context_and_oid),
-          context, context_len, hash_nid, hashed_msg_len)) {
-    return 0;
-  }
-  uint8_t entropy[SLHDSA_SHA2_128S_N];
-  RAND_bytes(entropy, sizeof(entropy));
-  SLHDSA_SHA2_128S_sign_internal(out_signature, private_key, M_prime_header,
-                                 context_and_oid, context_and_oid_len,
-                                 hashed_msg, hashed_msg_len, entropy);
-  return 1;
+  return bcm_success(BCM_slhdsa_sha2_128s_prehash_sign(
+      out_signature, private_key, hashed_msg, hashed_msg_len, hash_nid, context,
+      context_len));
 }
-// Implements Algorithm 24: slh_verify function (Section 10.3, page 41)
-int SLHDSA_SHA2_128S_verify(
+int SLHDSA_SHA2_128S_prehash_verify(
     const uint8_t *signature, size_t signature_len,
     const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
-    const uint8_t *msg, size_t msg_len, const uint8_t *context,
-    size_t context_len) {
-  if (context_len > MAX_CONTEXT_LENGTH) {
+    const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,
+    const uint8_t *context, size_t context_len) {
+  if (hash_nid != NID_sha256) {
     return 0;
   }
-  // Construct header for M' as specified in Algorithm 24
-  uint8_t M_prime_header[2];
-  M_prime_header[0] = 0;  // domain separator for pure verification
-  M_prime_header[1] = (uint8_t)context_len;
-  return SLHDSA_SHA2_128S_verify_internal(signature, signature_len, public_key,
-                                          M_prime_header, context, context_len,
-                                          msg, msg_len);
+  return bcm_success(BCM_slhdsa_sha2_128s_prehash_verify(
+      signature, signature_len, public_key, hashed_msg, hashed_msg_len,
+      hash_nid, context, context_len));
 }
-int SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify(
-    const uint8_t *signature, size_t signature_len,
-    const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
+int SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign(
+    uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],
+    const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
     const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,
     const uint8_t *context, size_t context_len) {
-  if (context_len > MAX_CONTEXT_LENGTH) {
+  if (hash_nid != NID_sha384) {
     return 0;
   }
-  uint8_t M_prime_header[2];
-  M_prime_header[0] = 1;  // domain separator for prehashed verification
-  M_prime_header[1] = (uint8_t)context_len;
-  uint8_t context_and_oid[MAX_CONTEXT_LENGTH + MAX_OID_LENGTH];
-  size_t context_and_oid_len;
-  if (!slhdsa_get_nonstandard_context_and_oid(
-          context_and_oid, &context_and_oid_len, sizeof(context_and_oid),
-          context, context_len, hash_nid, hashed_msg_len)) {
-    return 0;
-  }
-  return SLHDSA_SHA2_128S_verify_internal(
-      signature, signature_len, public_key, M_prime_header, context_and_oid,
-      context_and_oid_len, hashed_msg, hashed_msg_len);
+  return bcm_success(BCM_slhdsa_sha2_128s_prehash_sign(
+      out_signature, private_key, hashed_msg, hashed_msg_len, hash_nid, context,
+      context_len));
 }
-int SLHDSA_SHA2_128S_verify_internal(
+int SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify(
     const uint8_t *signature, size_t signature_len,
     const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
-    const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,
-    size_t context_len, const uint8_t *msg, size_t msg_len) {
-  if (signature_len != SLHDSA_SHA2_128S_SIGNATURE_BYTES) {
+    const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,
+    const uint8_t *context, size_t context_len) {
+  if (hash_nid != NID_sha384) {
     return 0;
   }
-  const uint8_t *pk_seed = public_key;
-  const uint8_t *pk_root = public_key + SLHDSA_SHA2_128S_N;
-  const uint8_t *r = signature;
-  const uint8_t *sig_fors = signature + SLHDSA_SHA2_128S_N;
-  const uint8_t *sig_ht = sig_fors + SLHDSA_SHA2_128S_FORS_BYTES;
-  uint8_t digest[SLHDSA_SHA2_128S_DIGEST_SIZE];
-  slhdsa_thash_hmsg(digest, r, pk_seed, pk_root, header, context, context_len,
-                    msg, msg_len);
-  uint8_t fors_digest[SLHDSA_SHA2_128S_FORS_MSG_BYTES];
-  OPENSSL_memcpy(fors_digest, digest, SLHDSA_SHA2_128S_FORS_MSG_BYTES);
-  const uint64_t idx_tree =
-      load_tree_index(digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES);
-  uint32_t idx_leaf = CRYPTO_load_u16_be(
-      digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES + SLHDSA_SHA2_128S_TREE_BYTES);
-  idx_leaf &= (~(uint32_t)0) >> (32 - SLHDSA_SHA2_128S_LEAF_BITS);
-  uint8_t addr[32] = {0};
-  slhdsa_set_tree_addr(addr, idx_tree);
-  slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSTREE);
-  slhdsa_set_keypair_addr(addr, idx_leaf);
-  uint8_t pk_fors[SLHDSA_SHA2_128S_N];
-  slhdsa_fors_pk_from_sig(pk_fors, sig_fors, fors_digest, pk_seed, addr);
-  return slhdsa_ht_verify(sig_ht, pk_fors, idx_tree, idx_leaf, pk_root,
-                          pk_seed);
+  return bcm_success(BCM_slhdsa_sha2_128s_prehash_verify(
+      signature, signature_len, public_key, hashed_msg, hashed_msg_len,
+      hash_nid, context, context_len));
 }

data/third_party/boringssl-with-bazel/src/crypto/spake2plus/internal.h ADDED Viewed

@@ -0,0 +1,204 @@
+// Copyright 2024 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#ifndef OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H
+#define OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H
+#include <openssl/base.h>
+#include <sys/types.h>
+#include <openssl/sha.h>
+#include <openssl/span.h>
+#include "../fipsmodule/ec/internal.h"
+BSSL_NAMESPACE_BEGIN
+// SPAKE2+.
+//
+// SPAKE2+ is an augmented password-authenticated key-exchange. It allows
+// two parties, a prover and verifier, to derive a strong shared key with no
+// risk of disclosing the password, known only to the prover, to the verifier.
+// (But note that the verifier can still attempt an offline, brute-force attack
+// to recover the password.)
+//
+// This is an implementation of SPAKE2+ using P-256 as the group, SHA-256 as
+// the hash function, HKDF-SHA256 as the key derivation function, and
+// HMAC-SHA256 as the message authentication code.
+//
+// See https://www.rfc-editor.org/rfc/rfc9383.html
+namespace spake2plus {
+// kShareSize is the size of a SPAKE2+ key share.
+constexpr size_t kShareSize = 65;
+// kConfirmSize is the size of a SPAKE2+ key confirmation message.
+constexpr size_t kConfirmSize = 32;
+// kVerifierSize is the size of the w0 and w1 values in the SPAKE2+ protocol.
+constexpr size_t kVerifierSize = 32;
+// kRegistrationRecordSize is the number of bytes in a registration record,
+// which is provided to the verifier.
+constexpr size_t kRegistrationRecordSize = 65;
+// kSecretSize is the number of bytes of shared secret that the SPAKE2+ protocol
+// generates.
+constexpr size_t kSecretSize = 32;
+// Register computes the values needed in the offline registration
+// step of the SPAKE2+ protocol. See the following for more details:
+// https://www.rfc-editor.org/rfc/rfc9383.html#section-3.2
+//
+// The |password| argument is the mandatory prover password. The |out_w0|,
+// |out_w1|, and |out_registration_record| arguments are where the password
+// verifiers (w0 and w1) and registration record (L) are stored, respectively.
+// The prover is given |out_w0| and |out_w1| while the verifier is given
+// |out_w0| and |out_registration_record|.
+//
+// To ensure success, |out_w0| and |out_w1| must be of length |kVerifierSize|,
+// and |out_registration_record| of size |kRegistrationRecordSize|.
+[[nodiscard]] OPENSSL_EXPORT bool Register(
+    Span<uint8_t> out_w0, Span<uint8_t> out_w1,
+    Span<uint8_t> out_registration_record, Span<const uint8_t> password,
+    Span<const uint8_t> id_prover, Span<const uint8_t> id_verifier);
+class OPENSSL_EXPORT Prover {
+ public:
+  static constexpr bool kAllowUniquePtr = true;
+  Prover();
+  ~Prover();
+  // Init creates a new prover, which can only be used for a single execution of
+  // the protocol.
+  //
+  // The |context| argument is an application-specific value meant to constrain
+  // the protocol execution. The |w0| and |w1| arguments are password verifier
+  // values computed during the offline registration phase of the protocol. The
+  // |id_prover| and |id_verifier| arguments allow optional, opaque names to be
+  // bound into the protocol. See the following for more information about how
+  // these identities may be chosen:
+  // https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2
+  [[nodiscard]] bool Init(Span<const uint8_t> context,
+                          Span<const uint8_t> id_prover,
+                          Span<const uint8_t> id_verifier,
+                          Span<const uint8_t> w0, Span<const uint8_t> w1,
+                          Span<const uint8_t> x = Span<const uint8_t>());
+  // GenerateShare computes a SPAKE2+ share and writes it to |out_share|.
+  //
+  // This function can only be called once for a given |Prover|. To ensure
+  // success, |out_share| must be |kShareSize| bytes.
+  [[nodiscard]] bool GenerateShare(Span<uint8_t> out_share);
+  // ComputeConfirmation computes a SPAKE2+ key confirmation
+  // message and writes it to |out_confirm|. It also computes the shared secret
+  // and writes it to |out_secret|.
+  //
+  // This function can only be called once for a given |Prover|.
+  //
+  // To ensure success, |out_confirm| must be |kConfirmSize| bytes
+  // and |out_secret| must be |kSecretSize| bytes.
+  [[nodiscard]] bool ComputeConfirmation(Span<uint8_t> out_confirm,
+                                         Span<uint8_t> out_secret,
+                                         Span<const uint8_t> peer_share,
+                                         Span<const uint8_t> peer_confirm);
+ private:
+  enum class State {
+    kInit,
+    kShareGenerated,
+    kConfirmGenerated,
+    kDone,
+  };
+  State state_ = State::kInit;
+  SHA256_CTX transcript_hash_;
+  EC_SCALAR w0_;
+  EC_SCALAR w1_;
+  EC_SCALAR x_;
+  EC_AFFINE X_;
+  uint8_t share_[kShareSize];
+};
+class OPENSSL_EXPORT Verifier {
+ public:
+  static constexpr bool kAllowUniquePtr = true;
+  Verifier();
+  ~Verifier();
+  // Init creates a new verifier, which can only be used for a single execution
+  // of the protocol.
+  //
+  // The |context| argument is an application-specific value meant to constrain
+  // the protocol execution. The |w0| and |registration_record| arguments are
+  // required, and are computed by the prover via |Register|. Only the prover
+  // can produce |w0| and |registration_record|, as they require
+  // knowledge of the password. The prover must securely transmit this to the
+  // verifier out-of-band. The |id_prover| and |id_verifier| arguments allow
+  // optional, opaque names to be bound into the protocol. See the following for
+  // more information about how these identities may be chosen:
+  // https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2
+  [[nodiscard]] bool Init(Span<const uint8_t> context,
+                          Span<const uint8_t> id_prover,
+                          Span<const uint8_t> id_verifier,
+                          Span<const uint8_t> w0,
+                          Span<const uint8_t> registration_record,
+                          Span<const uint8_t> y = Span<const uint8_t>());
+  // ProcessProverShare computes a SPAKE2+ share from an input share,
+  // |prover_share|, and writes it to |out_share|. It also computes the key
+  // confirmation message and writes it to |out_confirm|. Finally, it computes
+  // the shared secret and writes it to |out_secret|.
+  //
+  // This function can only be called once for a given |Verifier|.
+  //
+  // To ensure success, |out_share| must be |kShareSize| bytes, |out_confirm|
+  // must be |kConfirmSize| bytes, and |out_secret| must be |kSecretSize| bytes.
+  [[nodiscard]] bool ProcessProverShare(Span<uint8_t> out_share,
+                                        Span<uint8_t> out_confirm,
+                                        Span<uint8_t> out_secret,
+                                        Span<const uint8_t> prover_share);
+  // VerifyProverConfirmation verifies a SPAKE2+ key confirmation message,
+  // |prover_confirm|.
+  //
+  // This function can only be called once for a given |Verifier|.
+  [[nodiscard]] bool VerifyProverConfirmation(Span<const uint8_t> peer_confirm);
+ private:
+  enum class State {
+    kInit,
+    kProverShareSeen,
+    kDone,
+  };
+  State state_ = State::kInit;
+  SHA256_CTX transcript_hash_;
+  EC_SCALAR w0_;
+  EC_AFFINE L_;
+  EC_SCALAR y_;
+  uint8_t confirm_[kConfirmSize];
+};
+}  // namespace spake2plus
+BSSL_NAMESPACE_END
+#endif  // OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H