| /* Copyright 2024 The BoringSSL Authors |
| * |
| * Permission to use, copy, modify, and/or distribute this software for any |
| * purpose with or without fee is hereby granted, provided that the above |
| * copyright notice and this permission notice appear in all copies. |
| * |
| * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| |
| #ifndef OPENSSL_HEADER_CRYPTO_BCM_INTERFACE_H |
| #define OPENSSL_HEADER_CRYPTO_BCM_INTERFACE_H |
| |
| #include <openssl/bcm_public.h> |
| |
| // This header will eventually become the interface between BCM and the |
| // rest of libcrypto. More cleanly separating the two is still a work in |
| // progress (see https://crbug.com/boringssl/722) so, at the moment, we |
| // consider this no different from any other header in BCM. |
| // |
| // Over time, calls from libcrypto to BCM will all move to this header |
| // and the separation will become more meaningful. |
| |
| #if defined(__cplusplus) |
| extern "C" { |
| #endif |
| |
| // Enumerated types for return values from bcm functions, both infallible |
| // and fallible functions. Two success values are used to correspond to the |
| // FIPS service indicator. For the moment, the official service indicator |
| // remains the counter, not these values. Once we fully transition to |
| // these return values from bcm we will change that. |
| enum class bcm_infallible_t { |
| approved, |
| not_approved, |
| }; |
| |
| enum class bcm_status_t { |
| approved, |
| not_approved, |
| failure, |
| }; |
| typedef enum bcm_status_t bcm_status; |
| typedef enum bcm_infallible_t bcm_infallible; |
| |
| OPENSSL_INLINE int bcm_success(bcm_status status) { |
| return status == bcm_status::approved || status == bcm_status::not_approved; |
| } |
| |
| OPENSSL_INLINE bcm_status_t bcm_as_approved_status(int result) { |
| return result ? bcm_status::approved : bcm_status::failure; |
| } |
| |
| |
| // Random number generator. |
| |
| #if defined(BORINGSSL_FIPS) |
| |
| // We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to whiten. |
| // TODO(bbe): disentangle this value which is used to calculate the size of the |
| // stack buffer in RAND_need entropy based on a calculation. |
| #define BORINGSSL_FIPS_OVERREAD 10 |
| |
| #endif // BORINGSSL_FIPS |
| |
| // BCM_rand_load_entropy supplies |entropy_len| bytes of entropy to the BCM |
| // module. The |want_additional_input| parameter is true iff the entropy was |
| // obtained from a source other than the system, e.g. directly from the CPU. |
| bcm_infallible BCM_rand_load_entropy(const uint8_t *entropy, size_t entropy_len, |
| int want_additional_input); |
| |
| // BCM_rand_bytes is the same as the public |RAND_bytes| function, other |
| // than returning a bcm_infallible status indicator. |
| OPENSSL_EXPORT bcm_infallible BCM_rand_bytes(uint8_t *out, size_t out_len); |
| |
| // BCM_rand_bytes_hwrng attempts to fill |out| with |len| bytes of entropy from |
| // the CPU hardware random number generator if one is present. |
| // bcm_status_approved is returned on success, and a failure status is |
| // returned otherwise. |
| bcm_status BCM_rand_bytes_hwrng(uint8_t *out, size_t len); |
| |
| // BCM_rand_bytes_with_additional_data samples from the RNG after mixing 32 |
| // bytes from |user_additional_data| in. |
| bcm_infallible BCM_rand_bytes_with_additional_data( |
| uint8_t *out, size_t out_len, const uint8_t user_additional_data[32]); |
| |
| |
| // SHA-1 |
| |
| // BCM_SHA_DIGEST_LENGTH is the length of a SHA-1 digest. |
| #define BCM_SHA_DIGEST_LENGTH 20 |
| |
| // BCM_sha1_init initialises |sha|. |
| bcm_infallible BCM_sha1_init(SHA_CTX *sha); |
| |
| // BCM_SHA1_transform is a low-level function that performs a single, SHA-1 |
| // block transformation using the state from |sha| and |SHA_CBLOCK| bytes from |
| // |block|. |
| bcm_infallible BCM_sha1_transform(SHA_CTX *c, |
| const uint8_t data[BCM_SHA_CBLOCK]); |
| |
| // BCM_sha1_update adds |len| bytes from |data| to |sha|. |
| bcm_infallible BCM_sha1_update(SHA_CTX *c, const void *data, size_t len); |
| |
| // BCM_sha1_final adds the final padding to |sha| and writes the resulting |
| // digest to |out|, which must have at least |SHA_DIGEST_LENGTH| bytes of space. |
| bcm_infallible BCM_sha1_final(uint8_t out[BCM_SHA_DIGEST_LENGTH], SHA_CTX *c); |
| |
| |
| // BCM_fips_186_2_prf derives |out_len| bytes from |xkey| using the PRF |
| // defined in FIPS 186-2, Appendix 3.1, with change notice 1 applied. The b |
| // parameter is 160 and seed, XKEY, is also 160 bits. The optional XSEED user |
| // input is all zeros. |
| // |
| // The PRF generates a sequence of 320-bit numbers. Each number is encoded as a |
| // 40-byte string in big-endian and then concatenated to form |out|. If |
| // |out_len| is not a multiple of 40, the result is truncated. This matches the |
| // construction used in Section 7 of RFC 4186 and Section 7 of RFC 4187. |
| // |
| // This PRF is based on SHA-1, a weak hash function, and should not be used |
| // in new protocols. It is provided for compatibility with some legacy EAP |
| // methods. |
| bcm_infallible BCM_fips_186_2_prf(uint8_t *out, size_t out_len, |
| const uint8_t xkey[BCM_SHA_DIGEST_LENGTH]); |
| |
| |
| // SHA-224 |
| |
| // SHA224_DIGEST_LENGTH is the length of a SHA-224 digest. |
| #define BCM_SHA224_DIGEST_LENGTH 28 |
| |
| // BCM_sha224_unit initialises |sha|. |
| bcm_infallible BCM_sha224_init(SHA256_CTX *sha); |
| |
| // BCM_sha224_update adds |len| bytes from |data| to |sha|. |
| bcm_infallible BCM_sha224_update(SHA256_CTX *sha, const void *data, size_t len); |
| |
| // BCM_sha224_final adds the final padding to |sha| and writes the resulting |
| // digest to |out|, which must have at least |SHA224_DIGEST_LENGTH| bytes of |
| // space. It aborts on programmer error. |
| bcm_infallible BCM_sha224_final(uint8_t out[BCM_SHA224_DIGEST_LENGTH], |
| SHA256_CTX *sha); |
| |
| |
| // SHA-256 |
| |
| // BCM_SHA256_DIGEST_LENGTH is the length of a SHA-256 digest. |
| #define BCM_SHA256_DIGEST_LENGTH 32 |
| |
| // BCM_sha256_init initialises |sha|. |
| bcm_infallible BCM_sha256_init(SHA256_CTX *sha); |
| |
| // BCM_sha256_update adds |len| bytes from |data| to |sha|. |
| bcm_infallible BCM_sha256_update(SHA256_CTX *sha, const void *data, size_t len); |
| |
| // BCM_sha256_final adds the final padding to |sha| and writes the resulting |
| // digest to |out|, which must have at least |BCM_SHA256_DIGEST_LENGTH| bytes of |
| // space. It aborts on programmer error. |
| bcm_infallible BCM_sha256_final(uint8_t out[BCM_SHA256_DIGEST_LENGTH], |
| SHA256_CTX *sha); |
| |
| // BCM_sha256_transform is a low-level function that performs a single, SHA-256 |
| // block transformation using the state from |sha| and |BCM_SHA256_CBLOCK| bytes |
| // from |block|. |
| bcm_infallible BCM_sha256_transform(SHA256_CTX *sha, |
| const uint8_t block[BCM_SHA256_CBLOCK]); |
| |
| // BCM_sha256_transform_blocks is a low-level function that takes |num_blocks| * |
| // |BCM_SHA256_CBLOCK| bytes of data and performs SHA-256 transforms on it to |
| // update |state|. |
| bcm_infallible BCM_sha256_transform_blocks(uint32_t state[8], |
| const uint8_t *data, |
| size_t num_blocks); |
| |
| |
| // SHA-384. |
| |
| // BCM_SHA384_DIGEST_LENGTH is the length of a SHA-384 digest. |
| #define BCM_SHA384_DIGEST_LENGTH 48 |
| |
| // BCM_sha384_init initialises |sha|. |
| bcm_infallible BCM_sha384_init(SHA512_CTX *sha); |
| |
| // BCM_sha384_update adds |len| bytes from |data| to |sha|. |
| bcm_infallible BCM_sha384_update(SHA512_CTX *sha, const void *data, size_t len); |
| |
| // BCM_sha384_final adds the final padding to |sha| and writes the resulting |
| // digest to |out|, which must have at least |BCM_sha384_DIGEST_LENGTH| bytes of |
| // space. It may abort on programmer error. |
| bcm_infallible BCM_sha384_final(uint8_t out[BCM_SHA384_DIGEST_LENGTH], |
| SHA512_CTX *sha); |
| |
| |
| // SHA-512. |
| |
| // BCM_SHA512_DIGEST_LENGTH is the length of a SHA-512 digest. |
| #define BCM_SHA512_DIGEST_LENGTH 64 |
| |
| // BCM_sha512_init initialises |sha|. |
| bcm_infallible BCM_sha512_init(SHA512_CTX *sha); |
| |
| // BCM_sha512_update adds |len| bytes from |data| to |sha|. |
| bcm_infallible BCM_sha512_update(SHA512_CTX *sha, const void *data, size_t len); |
| |
| // BCM_sha512_final adds the final padding to |sha| and writes the resulting |
| // digest to |out|, which must have at least |BCM_sha512_DIGEST_LENGTH| bytes of |
| // space. |
| bcm_infallible BCM_sha512_final(uint8_t out[BCM_SHA512_DIGEST_LENGTH], |
| SHA512_CTX *sha); |
| |
| // BCM_sha512_transform is a low-level function that performs a single, SHA-512 |
| // block transformation using the state from |sha| and |BCM_sha512_CBLOCK| bytes |
| // from |block|. |
| bcm_infallible BCM_sha512_transform(SHA512_CTX *sha, |
| const uint8_t block[BCM_SHA512_CBLOCK]); |
| |
| |
| // SHA-512-256 |
| // |
| // See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf section 5.3.6 |
| |
| #define BCM_SHA512_256_DIGEST_LENGTH 32 |
| |
| // BCM_sha512_256_init initialises |sha|. |
| bcm_infallible BCM_sha512_256_init(SHA512_CTX *sha); |
| |
| // BCM_sha512_256_update adds |len| bytes from |data| to |sha|. |
| bcm_infallible BCM_sha512_256_update(SHA512_CTX *sha, const void *data, |
| size_t len); |
| |
| // BCM_sha512_256_final adds the final padding to |sha| and writes the resulting |
| // digest to |out|, which must have at least |BCM_sha512_256_DIGEST_LENGTH| |
| // bytes of space. It may abort on programmer error. |
| bcm_infallible BCM_sha512_256_final(uint8_t out[BCM_SHA512_256_DIGEST_LENGTH], |
| SHA512_CTX *sha); |
| |
| |
| // ML-DSA |
| // |
| // Where not commented, these functions have the same signature as the |
| // corresponding public function. |
| |
| // BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES is the number of bytes of uniformly |
| // random entropy necessary to generate a signature in randomized mode. |
| #define BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES 32 |
| |
| // BCM_MLDSA_SEED_BYTES is the number of bytes in an ML-DSA seed value. |
| #define BCM_MLDSA_SEED_BYTES 32 |
| |
| // BCM_MLDSA65_PRIVATE_KEY_BYTES is the number of bytes in an encoded ML-DSA-65 |
| // private key. |
| #define BCM_MLDSA65_PRIVATE_KEY_BYTES 4032 |
| |
| // BCM_MLDSA65_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-DSA-65 |
| // public key. |
| #define BCM_MLDSA65_PUBLIC_KEY_BYTES 1952 |
| |
| // BCM_MLDSA65_SIGNATURE_BYTES is the number of bytes in an encoded ML-DSA-65 |
| // signature. |
| #define BCM_MLDSA65_SIGNATURE_BYTES 3309 |
| |
| struct BCM_mldsa65_private_key { |
| union { |
| uint8_t bytes[32 + 32 + 64 + 256 * 4 * (5 + 6 + 6)]; |
| uint32_t alignment; |
| } opaque; |
| }; |
| |
| struct BCM_mldsa65_public_key { |
| union { |
| uint8_t bytes[32 + 64 + 256 * 4 * 6]; |
| uint32_t alignment; |
| } opaque; |
| }; |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_generate_key( |
| uint8_t out_encoded_public_key[BCM_MLDSA65_PUBLIC_KEY_BYTES], |
| uint8_t out_seed[BCM_MLDSA_SEED_BYTES], |
| struct BCM_mldsa65_private_key *out_private_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_private_key_from_seed( |
| struct BCM_mldsa65_private_key *out_private_key, |
| const uint8_t seed[BCM_MLDSA_SEED_BYTES]); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_public_from_private( |
| struct BCM_mldsa65_public_key *out_public_key, |
| const struct BCM_mldsa65_private_key *private_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_sign( |
| uint8_t out_encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES], |
| const struct BCM_mldsa65_private_key *private_key, const uint8_t *msg, |
| size_t msg_len, const uint8_t *context, size_t context_len); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_verify( |
| const struct BCM_mldsa65_public_key *public_key, |
| const uint8_t signature[BCM_MLDSA65_SIGNATURE_BYTES], const uint8_t *msg, |
| size_t msg_len, const uint8_t *context, size_t context_len); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_marshal_public_key( |
| CBB *out, const struct BCM_mldsa65_public_key *public_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_parse_public_key( |
| struct BCM_mldsa65_public_key *public_key, CBS *in); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_parse_private_key( |
| struct BCM_mldsa65_private_key *private_key, CBS *in); |
| |
| // BCM_mldsa65_generate_key_external_entropy generates a public/private key pair |
| // using the given seed, writes the encoded public key to |
| // |out_encoded_public_key| and sets |out_private_key| to the private key. |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_generate_key_external_entropy( |
| uint8_t out_encoded_public_key[BCM_MLDSA65_PUBLIC_KEY_BYTES], |
| struct BCM_mldsa65_private_key *out_private_key, |
| const uint8_t entropy[BCM_MLDSA_SEED_BYTES]); |
| |
| // BCM_mldsa5_sign_internal signs |msg| using |private_key| and writes the |
| // signature to |out_encoded_signature|. The |context_prefix| and |context| are |
| // prefixed to the message, in that order, before signing. The |randomizer| |
| // value can be set to zero bytes in order to make a deterministic signature, or |
| // else filled with entropy for the usual |MLDSA_sign| behavior. |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_sign_internal( |
| uint8_t out_encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES], |
| const struct BCM_mldsa65_private_key *private_key, const uint8_t *msg, |
| size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len, |
| const uint8_t *context, size_t context_len, |
| const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]); |
| |
| // BCM_mldsa5_verify_internal verifies that |encoded_signature| is a valid |
| // signature of |msg| by |public_key|. The |context_prefix| and |context| are |
| // prefixed to the message before verification, in that order. |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_verify_internal( |
| const struct BCM_mldsa65_public_key *public_key, |
| const uint8_t encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES], |
| const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix, |
| size_t context_prefix_len, const uint8_t *context, size_t context_len); |
| |
| // BCM_mldsa65_marshal_private_key serializes |private_key| to |out| in the |
| // NIST format for ML-DSA-65 private keys. |
| OPENSSL_EXPORT bcm_status BCM_mldsa65_marshal_private_key( |
| CBB *out, const struct BCM_mldsa65_private_key *private_key); |
| |
| |
| // BCM_MLDSA87_PRIVATE_KEY_BYTES is the number of bytes in an encoded ML-DSA-87 |
| // private key. |
| #define BCM_MLDSA87_PRIVATE_KEY_BYTES 4896 |
| |
| // BCM_MLDSA87_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-DSA-87 |
| // public key. |
| #define BCM_MLDSA87_PUBLIC_KEY_BYTES 2592 |
| |
| // BCM_MLDSA87_SIGNATURE_BYTES is the number of bytes in an encoded ML-DSA-87 |
| // signature. |
| #define BCM_MLDSA87_SIGNATURE_BYTES 4627 |
| |
| struct BCM_mldsa87_private_key { |
| union { |
| uint8_t bytes[32 + 32 + 64 + 256 * 4 * (7 + 8 + 8)]; |
| uint32_t alignment; |
| } opaque; |
| }; |
| |
| struct BCM_mldsa87_public_key { |
| union { |
| uint8_t bytes[32 + 64 + 256 * 4 * 8]; |
| uint32_t alignment; |
| } opaque; |
| }; |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa87_generate_key( |
| uint8_t out_encoded_public_key[BCM_MLDSA87_PUBLIC_KEY_BYTES], |
| uint8_t out_seed[BCM_MLDSA_SEED_BYTES], |
| struct BCM_mldsa87_private_key *out_private_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa87_private_key_from_seed( |
| struct BCM_mldsa87_private_key *out_private_key, |
| const uint8_t seed[BCM_MLDSA_SEED_BYTES]); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa87_public_from_private( |
| struct BCM_mldsa87_public_key *out_public_key, |
| const struct BCM_mldsa87_private_key *private_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa87_sign( |
| uint8_t out_encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES], |
| const struct BCM_mldsa87_private_key *private_key, const uint8_t *msg, |
| size_t msg_len, const uint8_t *context, size_t context_len); |
| |
| OPENSSL_EXPORT bcm_status |
| BCM_mldsa87_verify(const struct BCM_mldsa87_public_key *public_key, |
| const uint8_t *signature, const uint8_t *msg, size_t msg_len, |
| const uint8_t *context, size_t context_len); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa87_marshal_public_key( |
| CBB *out, const struct BCM_mldsa87_public_key *public_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa87_parse_public_key( |
| struct BCM_mldsa87_public_key *public_key, CBS *in); |
| |
| OPENSSL_EXPORT bcm_status BCM_mldsa87_parse_private_key( |
| struct BCM_mldsa87_private_key *private_key, CBS *in); |
| |
| // BCM_mldsa87_generate_key_external_entropy generates a public/private key pair |
| // using the given seed, writes the encoded public key to |
| // |out_encoded_public_key| and sets |out_private_key| to the private key. |
| OPENSSL_EXPORT bcm_status BCM_mldsa87_generate_key_external_entropy( |
| uint8_t out_encoded_public_key[BCM_MLDSA87_PUBLIC_KEY_BYTES], |
| struct BCM_mldsa87_private_key *out_private_key, |
| const uint8_t entropy[BCM_MLDSA_SEED_BYTES]); |
| |
| // BCM_mldsa87_sign_internal signs |msg| using |private_key| and writes the |
| // signature to |out_encoded_signature|. The |context_prefix| and |context| are |
| // prefixed to the message, in that order, before signing. The |randomizer| |
| // value can be set to zero bytes in order to make a deterministic signature, or |
| // else filled with entropy for the usual |MLDSA_sign| behavior. |
| OPENSSL_EXPORT bcm_status BCM_mldsa87_sign_internal( |
| uint8_t out_encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES], |
| const struct BCM_mldsa87_private_key *private_key, const uint8_t *msg, |
| size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len, |
| const uint8_t *context, size_t context_len, |
| const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]); |
| |
| // BCM_mldsa87_verify_internal verifies that |encoded_signature| is a valid |
| // signature of |msg| by |public_key|. The |context_prefix| and |context| are |
| // prefixed to the message before verification, in that order. |
| OPENSSL_EXPORT bcm_status BCM_mldsa87_verify_internal( |
| const struct BCM_mldsa87_public_key *public_key, |
| const uint8_t encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES], |
| const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix, |
| size_t context_prefix_len, const uint8_t *context, size_t context_len); |
| |
| // BCM_mldsa87_marshal_private_key serializes |private_key| to |out| in the |
| // NIST format for ML-DSA-87 private keys. |
| OPENSSL_EXPORT bcm_status BCM_mldsa87_marshal_private_key( |
| CBB *out, const struct BCM_mldsa87_private_key *private_key); |
| |
| |
| // ML-KEM |
| // |
| // Where not commented, these functions have the same signature as the |
| // corresponding public function. |
| |
| // BCM_MLKEM_ENCAP_ENTROPY is the number of bytes of uniformly random entropy |
| // necessary to encapsulate a secret. The entropy will be leaked to the |
| // decapsulating party. |
| #define BCM_MLKEM_ENCAP_ENTROPY 32 |
| |
| // BCM_MLKEM768_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-768 |
| // public key. |
| #define BCM_MLKEM768_PUBLIC_KEY_BYTES 1184 |
| |
| // BCM_MLKEM1024_PUBLIC_KEY_BYTES is the number of bytes in an encoded |
| // ML-KEM-1024 public key. |
| #define BCM_MLKEM1024_PUBLIC_KEY_BYTES 1568 |
| |
| // BCM_MLKEM768_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-768 |
| // ciphertext. |
| #define BCM_MLKEM768_CIPHERTEXT_BYTES 1088 |
| |
| // BCM_MLKEM1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024 |
| // ciphertext. |
| #define BCM_MLKEM1024_CIPHERTEXT_BYTES 1568 |
| |
| // BCM_MLKEM768_PRIVATE_KEY_BYTES is the length of the data produced by |
| // |BCM_mlkem768_marshal_private_key|. |
| #define BCM_MLKEM768_PRIVATE_KEY_BYTES 2400 |
| |
| // BCM_MLKEM1024_PRIVATE_KEY_BYTES is the length of the data produced by |
| // |BCM_mlkem1024_marshal_private_key|. |
| #define BCM_MLKEM1024_PRIVATE_KEY_BYTES 3168 |
| |
| // BCM_MLKEM_SEED_BYTES is the number of bytes in an ML-KEM seed. |
| #define BCM_MLKEM_SEED_BYTES 64 |
| |
| // BCM_mlkem_SHARED_SECRET_BYTES is the number of bytes in an ML-KEM shared |
| // secret. |
| #define BCM_MLKEM_SHARED_SECRET_BYTES 32 |
| |
| struct BCM_mlkem768_public_key { |
| union { |
| uint8_t bytes[512 * (3 + 9) + 32 + 32]; |
| uint16_t alignment; |
| } opaque; |
| }; |
| |
| struct BCM_mlkem768_private_key { |
| union { |
| uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32]; |
| uint16_t alignment; |
| } opaque; |
| }; |
| |
| OPENSSL_EXPORT bcm_infallible BCM_mlkem768_generate_key( |
| uint8_t out_encoded_public_key[BCM_MLKEM768_PUBLIC_KEY_BYTES], |
| uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES], |
| struct BCM_mlkem768_private_key *out_private_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mlkem768_private_key_from_seed( |
| struct BCM_mlkem768_private_key *out_private_key, const uint8_t *seed, |
| size_t seed_len); |
| |
| OPENSSL_EXPORT bcm_infallible BCM_mlkem768_public_from_private( |
| struct BCM_mlkem768_public_key *out_public_key, |
| const struct BCM_mlkem768_private_key *private_key); |
| |
| OPENSSL_EXPORT bcm_infallible |
| BCM_mlkem768_encap(uint8_t out_ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES], |
| uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES], |
| const struct BCM_mlkem768_public_key *public_key); |
| |
| OPENSSL_EXPORT bcm_status |
| BCM_mlkem768_decap(uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES], |
| const uint8_t *ciphertext, size_t ciphertext_len, |
| const struct BCM_mlkem768_private_key *private_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mlkem768_marshal_public_key( |
| CBB *out, const struct BCM_mlkem768_public_key *public_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mlkem768_parse_public_key( |
| struct BCM_mlkem768_public_key *out_public_key, CBS *in); |
| |
| OPENSSL_EXPORT bcm_status BCM_mlkem768_parse_private_key( |
| struct BCM_mlkem768_private_key *out_private_key, CBS *in); |
| |
| // BCM_mlkem768_generate_key_external_seed is a deterministic function to create |
| // a pair of ML-KEM-768 keys, using the supplied seed. The seed needs to be |
| // uniformly random. This function should only be used for tests; regular |
| // callers should use the non-deterministic |BCM_mlkem768_generate_key| |
| // directly. |
| OPENSSL_EXPORT bcm_infallible BCM_mlkem768_generate_key_external_seed( |
| uint8_t out_encoded_public_key[BCM_MLKEM768_PUBLIC_KEY_BYTES], |
| struct BCM_mlkem768_private_key *out_private_key, |
| const uint8_t seed[BCM_MLKEM_SEED_BYTES]); |
| |
| // BCM_mlkem768_encap_external_entropy behaves like |MLKEM768_encap|, but uses |
| // |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating |
| // side will be able to recover |entropy| in full. This function should only be |
| // used for tests, regular callers should use the non-deterministic |
| // |BCM_mlkem768_encap| directly. |
| OPENSSL_EXPORT bcm_infallible BCM_mlkem768_encap_external_entropy( |
| uint8_t out_ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES], |
| uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES], |
| const struct BCM_mlkem768_public_key *public_key, |
| const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]); |
| |
| // BCM_mlkem768_marshal_private_key serializes |private_key| to |out| in the |
| // NIST format for ML-KEM-768 private keys. (Note that one can also save just |
| // the seed value produced by |BCM_mlkem768_generate_key|, which is |
| // significantly smaller.) |
| OPENSSL_EXPORT bcm_status BCM_mlkem768_marshal_private_key( |
| CBB *out, const struct BCM_mlkem768_private_key *private_key); |
| |
| struct BCM_mlkem1024_public_key { |
| union { |
| uint8_t bytes[512 * (4 + 16) + 32 + 32]; |
| uint16_t alignment; |
| } opaque; |
| }; |
| |
| struct BCM_mlkem1024_private_key { |
| union { |
| uint8_t bytes[512 * (4 + 4 + 16) + 32 + 32 + 32]; |
| uint16_t alignment; |
| } opaque; |
| }; |
| |
| OPENSSL_EXPORT bcm_infallible BCM_mlkem1024_generate_key( |
| uint8_t out_encoded_public_key[BCM_MLKEM1024_PUBLIC_KEY_BYTES], |
| uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES], |
| struct BCM_mlkem1024_private_key *out_private_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mlkem1024_private_key_from_seed( |
| struct BCM_mlkem1024_private_key *out_private_key, const uint8_t *seed, |
| size_t seed_len); |
| |
| OPENSSL_EXPORT bcm_infallible BCM_mlkem1024_public_from_private( |
| struct BCM_mlkem1024_public_key *out_public_key, |
| const struct BCM_mlkem1024_private_key *private_key); |
| |
| OPENSSL_EXPORT bcm_infallible |
| BCM_mlkem1024_encap(uint8_t out_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES], |
| uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES], |
| const struct BCM_mlkem1024_public_key *public_key); |
| |
| OPENSSL_EXPORT bcm_status |
| BCM_mlkem1024_decap(uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES], |
| const uint8_t *ciphertext, size_t ciphertext_len, |
| const struct BCM_mlkem1024_private_key *private_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mlkem1024_marshal_public_key( |
| CBB *out, const struct BCM_mlkem1024_public_key *public_key); |
| |
| OPENSSL_EXPORT bcm_status BCM_mlkem1024_parse_public_key( |
| struct BCM_mlkem1024_public_key *out_public_key, CBS *in); |
| |
| OPENSSL_EXPORT bcm_status BCM_mlkem1024_parse_private_key( |
| struct BCM_mlkem1024_private_key *out_private_key, CBS *in); |
| |
| // BCM_mlkem1024_generate_key_external_seed is a deterministic function to |
| // create a pair of ML-KEM-1024 keys, using the supplied seed. The seed needs to |
| // be uniformly random. This function should only be used for tests, regular |
| // callers should use the non-deterministic |BCM_mlkem1024_generate_key| |
| // directly. |
| OPENSSL_EXPORT bcm_infallible BCM_mlkem1024_generate_key_external_seed( |
| uint8_t out_encoded_public_key[BCM_MLKEM1024_PUBLIC_KEY_BYTES], |
| struct BCM_mlkem1024_private_key *out_private_key, |
| const uint8_t seed[BCM_MLKEM_SEED_BYTES]); |
| |
| // BCM_mlkem1024_encap_external_entropy behaves like |MLKEM1024_encap|, but uses |
| // |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The |
| // decapsulating side will be able to recover |entropy| in full. This function |
| // should only be used for tests, regular callers should use the |
| // non-deterministic |BCM_mlkem1024_encap| directly. |
| OPENSSL_EXPORT bcm_infallible BCM_mlkem1024_encap_external_entropy( |
| uint8_t out_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES], |
| uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES], |
| const struct BCM_mlkem1024_public_key *public_key, |
| const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]); |
| |
| // BCM_mlkem1024_marshal_private_key serializes |private_key| to |out| in the |
| // NIST format for ML-KEM-1024 private keys. (Note that one can also save just |
| // the seed value produced by |BCM_mlkem1024_generate_key|, which is |
| // significantly smaller.) |
| OPENSSL_EXPORT bcm_status BCM_mlkem1024_marshal_private_key( |
| CBB *out, const struct BCM_mlkem1024_private_key *private_key); |
| |
| |
| #if defined(__cplusplus) |
| } // extern C |
| #endif |
| |
| #endif // OPENSSL_HEADER_CRYPTO_BCM_INTERFACE_H |