1 // Copyright 2024 The BoringSSL Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_BCM_INTERFACE_H
16 #define OPENSSL_HEADER_CRYPTO_FIPSMODULE_BCM_INTERFACE_H
17
18 // For the moment, we reach out for AES_KEY.
19 #include <openssl/aes.h>
20 #include <openssl/bcm_public.h>
21
22
23 // This header will eventually become the interface between BCM and the
24 // rest of libcrypto. More cleanly separating the two is still a work in
25 // progress (see https://crbug.com/boringssl/722) so, at the moment, we
26 // consider this no different from any other header in BCM.
27 //
28 // Over time, calls from libcrypto to BCM will all move to this header
29 // and the separation will become more meaningful.
30
31 #if defined(__cplusplus)
32 extern "C" {
33 #endif
34
35 // Enumerated types for return values from bcm functions, both infallible
36 // and fallible functions. Two success values are used to correspond to the
37 // FIPS service indicator. For the moment, the official service indicator
38 // remains the counter, not these values. Once we fully transition to
39 // these return values from bcm we will change that.
40 enum class bcm_infallible_t {
41 approved,
42 not_approved,
43 };
44
45 enum class bcm_status_t {
46 approved,
47 not_approved,
48 failure,
49 };
50 typedef enum bcm_status_t bcm_status;
51 typedef enum bcm_infallible_t bcm_infallible;
52
bcm_success(bcm_status status)53 inline int bcm_success(bcm_status status) {
54 return status == bcm_status::approved || status == bcm_status::not_approved;
55 }
56
bcm_as_approved_status(int result)57 inline bcm_status_t bcm_as_approved_status(int result) {
58 return result ? bcm_status::approved : bcm_status::failure;
59 }
60
bcm_as_not_approved_status(int result)61 inline bcm_status_t bcm_as_not_approved_status(int result) {
62 return result ? bcm_status::not_approved : bcm_status::failure;
63 }
64
65 // Random number generator.
66
67 #if defined(BORINGSSL_FIPS)
68
69 // We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to whiten.
70 // TODO(bbe): disentangle this value which is used to calculate the size of the
71 // stack buffer in RAND_need entropy based on a calculation.
72 #define BORINGSSL_FIPS_OVERREAD 10
73
74 #endif // BORINGSSL_FIPS
75
76 // BCM_rand_load_entropy supplies |entropy_len| bytes of entropy to the BCM
77 // module. The |want_additional_input| parameter is true iff the entropy was
78 // obtained from a source other than the system, e.g. directly from the CPU.
79 bcm_infallible BCM_rand_load_entropy(const uint8_t *entropy, size_t entropy_len,
80 int want_additional_input);
81
82 // BCM_rand_bytes is the same as the public |RAND_bytes| function, other
83 // than returning a bcm_infallible status indicator.
84 OPENSSL_EXPORT bcm_infallible BCM_rand_bytes(uint8_t *out, size_t out_len);
85
86 // BCM_rand_bytes_hwrng attempts to fill |out| with |len| bytes of entropy from
87 // the CPU hardware random number generator if one is present.
88 // bcm_status_approved is returned on success, and a failure status is
89 // returned otherwise.
90 bcm_status BCM_rand_bytes_hwrng(uint8_t *out, size_t len);
91
92 // BCM_rand_bytes_with_additional_data samples from the RNG after mixing 32
93 // bytes from |user_additional_data| in.
94 bcm_infallible BCM_rand_bytes_with_additional_data(
95 uint8_t *out, size_t out_len, const uint8_t user_additional_data[32]);
96
97
98 // SHA-1
99
100 // BCM_SHA_DIGEST_LENGTH is the length of a SHA-1 digest.
101 #define BCM_SHA_DIGEST_LENGTH 20
102
103 // BCM_sha1_init initialises |sha|.
104 bcm_infallible BCM_sha1_init(SHA_CTX *sha);
105
106 // BCM_SHA1_transform is a low-level function that performs a single, SHA-1
107 // block transformation using the state from |sha| and |SHA_CBLOCK| bytes from
108 // |block|.
109 bcm_infallible BCM_sha1_transform(SHA_CTX *c,
110 const uint8_t data[BCM_SHA_CBLOCK]);
111
112 // BCM_sha1_update adds |len| bytes from |data| to |sha|.
113 bcm_infallible BCM_sha1_update(SHA_CTX *c, const void *data, size_t len);
114
115 // BCM_sha1_final adds the final padding to |sha| and writes the resulting
116 // digest to |out|, which must have at least |SHA_DIGEST_LENGTH| bytes of space.
117 bcm_infallible BCM_sha1_final(uint8_t out[BCM_SHA_DIGEST_LENGTH], SHA_CTX *c);
118
119
120 // BCM_fips_186_2_prf derives |out_len| bytes from |xkey| using the PRF
121 // defined in FIPS 186-2, Appendix 3.1, with change notice 1 applied. The b
122 // parameter is 160 and seed, XKEY, is also 160 bits. The optional XSEED user
123 // input is all zeros.
124 //
125 // The PRF generates a sequence of 320-bit numbers. Each number is encoded as a
126 // 40-byte string in big-endian and then concatenated to form |out|. If
127 // |out_len| is not a multiple of 40, the result is truncated. This matches the
128 // construction used in Section 7 of RFC 4186 and Section 7 of RFC 4187.
129 //
130 // This PRF is based on SHA-1, a weak hash function, and should not be used
131 // in new protocols. It is provided for compatibility with some legacy EAP
132 // methods.
133 bcm_infallible BCM_fips_186_2_prf(uint8_t *out, size_t out_len,
134 const uint8_t xkey[BCM_SHA_DIGEST_LENGTH]);
135
136
137 // SHA-224
138
139 // SHA224_DIGEST_LENGTH is the length of a SHA-224 digest.
140 #define BCM_SHA224_DIGEST_LENGTH 28
141
142 // BCM_sha224_unit initialises |sha|.
143 bcm_infallible BCM_sha224_init(SHA256_CTX *sha);
144
145 // BCM_sha224_update adds |len| bytes from |data| to |sha|.
146 bcm_infallible BCM_sha224_update(SHA256_CTX *sha, const void *data, size_t len);
147
148 // BCM_sha224_final adds the final padding to |sha| and writes the resulting
149 // digest to |out|, which must have at least |SHA224_DIGEST_LENGTH| bytes of
150 // space. It aborts on programmer error.
151 bcm_infallible BCM_sha224_final(uint8_t out[BCM_SHA224_DIGEST_LENGTH],
152 SHA256_CTX *sha);
153
154
155 // SHA-256
156
157 // BCM_SHA256_DIGEST_LENGTH is the length of a SHA-256 digest.
158 #define BCM_SHA256_DIGEST_LENGTH 32
159
160 // BCM_sha256_init initialises |sha|.
161 bcm_infallible BCM_sha256_init(SHA256_CTX *sha);
162
163 // BCM_sha256_update adds |len| bytes from |data| to |sha|.
164 bcm_infallible BCM_sha256_update(SHA256_CTX *sha, const void *data, size_t len);
165
166 // BCM_sha256_final adds the final padding to |sha| and writes the resulting
167 // digest to |out|, which must have at least |BCM_SHA256_DIGEST_LENGTH| bytes of
168 // space. It aborts on programmer error.
169 bcm_infallible BCM_sha256_final(uint8_t out[BCM_SHA256_DIGEST_LENGTH],
170 SHA256_CTX *sha);
171
172 // BCM_sha256_transform is a low-level function that performs a single, SHA-256
173 // block transformation using the state from |sha| and |BCM_SHA256_CBLOCK| bytes
174 // from |block|.
175 bcm_infallible BCM_sha256_transform(SHA256_CTX *sha,
176 const uint8_t block[BCM_SHA256_CBLOCK]);
177
178 // BCM_sha256_transform_blocks is a low-level function that takes |num_blocks| *
179 // |BCM_SHA256_CBLOCK| bytes of data and performs SHA-256 transforms on it to
180 // update |state|.
181 bcm_infallible BCM_sha256_transform_blocks(uint32_t state[8],
182 const uint8_t *data,
183 size_t num_blocks);
184
185
186 // SHA-384.
187
188 // BCM_SHA384_DIGEST_LENGTH is the length of a SHA-384 digest.
189 #define BCM_SHA384_DIGEST_LENGTH 48
190
191 // BCM_sha384_init initialises |sha|.
192 bcm_infallible BCM_sha384_init(SHA512_CTX *sha);
193
194 // BCM_sha384_update adds |len| bytes from |data| to |sha|.
195 bcm_infallible BCM_sha384_update(SHA512_CTX *sha, const void *data, size_t len);
196
197 // BCM_sha384_final adds the final padding to |sha| and writes the resulting
198 // digest to |out|, which must have at least |BCM_sha384_DIGEST_LENGTH| bytes of
199 // space. It may abort on programmer error.
200 bcm_infallible BCM_sha384_final(uint8_t out[BCM_SHA384_DIGEST_LENGTH],
201 SHA512_CTX *sha);
202
203
204 // SHA-512.
205
206 // BCM_SHA512_DIGEST_LENGTH is the length of a SHA-512 digest.
207 #define BCM_SHA512_DIGEST_LENGTH 64
208
209 // BCM_sha512_init initialises |sha|.
210 bcm_infallible BCM_sha512_init(SHA512_CTX *sha);
211
212 // BCM_sha512_update adds |len| bytes from |data| to |sha|.
213 bcm_infallible BCM_sha512_update(SHA512_CTX *sha, const void *data, size_t len);
214
215 // BCM_sha512_final adds the final padding to |sha| and writes the resulting
216 // digest to |out|, which must have at least |BCM_sha512_DIGEST_LENGTH| bytes of
217 // space.
218 bcm_infallible BCM_sha512_final(uint8_t out[BCM_SHA512_DIGEST_LENGTH],
219 SHA512_CTX *sha);
220
221 // BCM_sha512_transform is a low-level function that performs a single, SHA-512
222 // block transformation using the state from |sha| and |BCM_sha512_CBLOCK| bytes
223 // from |block|.
224 bcm_infallible BCM_sha512_transform(SHA512_CTX *sha,
225 const uint8_t block[BCM_SHA512_CBLOCK]);
226
227
228 // SHA-512-256
229 //
230 // See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf section 5.3.6
231
232 #define BCM_SHA512_256_DIGEST_LENGTH 32
233
234 // BCM_sha512_256_init initialises |sha|.
235 bcm_infallible BCM_sha512_256_init(SHA512_CTX *sha);
236
237 // BCM_sha512_256_update adds |len| bytes from |data| to |sha|.
238 bcm_infallible BCM_sha512_256_update(SHA512_CTX *sha, const void *data,
239 size_t len);
240
241 // BCM_sha512_256_final adds the final padding to |sha| and writes the resulting
242 // digest to |out|, which must have at least |BCM_sha512_256_DIGEST_LENGTH|
243 // bytes of space. It may abort on programmer error.
244 bcm_infallible BCM_sha512_256_final(uint8_t out[BCM_SHA512_256_DIGEST_LENGTH],
245 SHA512_CTX *sha);
246
247
248 // ML-DSA
249 //
250 // Where not commented, these functions have the same signature as the
251 // corresponding public function.
252
253 // BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES is the number of bytes of uniformly
254 // random entropy necessary to generate a signature in randomized mode.
255 #define BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES 32
256
257 // BCM_MLDSA_SEED_BYTES is the number of bytes in an ML-DSA seed value.
258 #define BCM_MLDSA_SEED_BYTES 32
259
260 // BCM_MLDSA_MU_BYTES is the number of bytes in an ML-DSA mu value.
261 #define BCM_MLDSA_MU_BYTES 64
262
263 // BCM_MLDSA65_PRIVATE_KEY_BYTES is the number of bytes in an encoded ML-DSA-65
264 // private key.
265 #define BCM_MLDSA65_PRIVATE_KEY_BYTES 4032
266
267 // BCM_MLDSA65_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-DSA-65
268 // public key.
269 #define BCM_MLDSA65_PUBLIC_KEY_BYTES 1952
270
271 // BCM_MLDSA65_SIGNATURE_BYTES is the number of bytes in an encoded ML-DSA-65
272 // signature.
273 #define BCM_MLDSA65_SIGNATURE_BYTES 3309
274
275 struct BCM_mldsa65_private_key {
276 union {
277 uint8_t bytes[32 + 32 + 64 + 256 * 4 * (5 + 6 + 6)];
278 uint32_t alignment;
279 } opaque;
280 };
281
282 struct BCM_mldsa65_public_key {
283 union {
284 uint8_t bytes[32 + 64 + 256 * 4 * 6];
285 uint32_t alignment;
286 } opaque;
287 };
288
289 struct BCM_mldsa65_prehash {
290 union {
291 uint8_t bytes[200 + 4 + 4 + 4 * sizeof(size_t)];
292 uint64_t alignment;
293 } opaque;
294 };
295
296 OPENSSL_EXPORT bcm_status BCM_mldsa65_generate_key(
297 uint8_t out_encoded_public_key[BCM_MLDSA65_PUBLIC_KEY_BYTES],
298 uint8_t out_seed[BCM_MLDSA_SEED_BYTES],
299 struct BCM_mldsa65_private_key *out_private_key);
300
301 OPENSSL_EXPORT bcm_status BCM_mldsa65_private_key_from_seed(
302 struct BCM_mldsa65_private_key *out_private_key,
303 const uint8_t seed[BCM_MLDSA_SEED_BYTES]);
304
305 OPENSSL_EXPORT bcm_status BCM_mldsa65_public_from_private(
306 struct BCM_mldsa65_public_key *out_public_key,
307 const struct BCM_mldsa65_private_key *private_key);
308
309 OPENSSL_EXPORT bcm_status
310 BCM_mldsa65_check_key_fips(struct BCM_mldsa65_private_key *private_key);
311
312 OPENSSL_EXPORT bcm_status BCM_mldsa65_generate_key_fips(
313 uint8_t out_encoded_public_key[BCM_MLDSA65_PUBLIC_KEY_BYTES],
314 uint8_t out_seed[BCM_MLDSA_SEED_BYTES],
315 struct BCM_mldsa65_private_key *out_private_key);
316
317 OPENSSL_EXPORT bcm_status BCM_mldsa65_private_key_from_seed_fips(
318 struct BCM_mldsa65_private_key *out_private_key,
319 const uint8_t seed[BCM_MLDSA_SEED_BYTES]);
320
321 OPENSSL_EXPORT bcm_status BCM_mldsa65_sign(
322 uint8_t out_encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES],
323 const struct BCM_mldsa65_private_key *private_key, const uint8_t *msg,
324 size_t msg_len, const uint8_t *context, size_t context_len);
325
326 OPENSSL_EXPORT bcm_status BCM_mldsa65_verify(
327 const struct BCM_mldsa65_public_key *public_key,
328 const uint8_t signature[BCM_MLDSA65_SIGNATURE_BYTES], const uint8_t *msg,
329 size_t msg_len, const uint8_t *context, size_t context_len);
330
331 OPENSSL_EXPORT void BCM_mldsa65_prehash_init(
332 struct BCM_mldsa65_prehash *out_prehash_ctx,
333 const struct BCM_mldsa65_public_key *public_key, const uint8_t *context,
334 size_t context_len);
335
336 OPENSSL_EXPORT void BCM_mldsa65_prehash_update(
337 struct BCM_mldsa65_prehash *inout_prehash_ctx, const uint8_t *msg,
338 size_t msg_len);
339
340 OPENSSL_EXPORT void BCM_mldsa65_prehash_finalize(
341 uint8_t out_msg_rep[BCM_MLDSA_MU_BYTES],
342 struct BCM_mldsa65_prehash *inout_prehash_ctx);
343
344 OPENSSL_EXPORT bcm_status BCM_mldsa65_sign_message_representative(
345 uint8_t out_encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES],
346 const struct BCM_mldsa65_private_key *private_key,
347 const uint8_t msg_rep[BCM_MLDSA_MU_BYTES]);
348
349 OPENSSL_EXPORT bcm_status BCM_mldsa65_marshal_public_key(
350 CBB *out, const struct BCM_mldsa65_public_key *public_key);
351
352 OPENSSL_EXPORT bcm_status BCM_mldsa65_parse_public_key(
353 struct BCM_mldsa65_public_key *public_key, CBS *in);
354
355 OPENSSL_EXPORT bcm_status BCM_mldsa65_parse_private_key(
356 struct BCM_mldsa65_private_key *private_key, CBS *in);
357
358 // BCM_mldsa65_generate_key_external_entropy generates a public/private key pair
359 // using the given seed, writes the encoded public key to
360 // |out_encoded_public_key| and sets |out_private_key| to the private key.
361 OPENSSL_EXPORT bcm_status BCM_mldsa65_generate_key_external_entropy(
362 uint8_t out_encoded_public_key[BCM_MLDSA65_PUBLIC_KEY_BYTES],
363 struct BCM_mldsa65_private_key *out_private_key,
364 const uint8_t entropy[BCM_MLDSA_SEED_BYTES]);
365
366 OPENSSL_EXPORT bcm_status BCM_mldsa65_generate_key_external_entropy_fips(
367 uint8_t out_encoded_public_key[BCM_MLDSA65_PUBLIC_KEY_BYTES],
368 struct BCM_mldsa65_private_key *out_private_key,
369 const uint8_t entropy[BCM_MLDSA_SEED_BYTES]);
370
371 // BCM_mldsa5_sign_internal signs |msg| using |private_key| and writes the
372 // signature to |out_encoded_signature|. The |context_prefix| and |context| are
373 // prefixed to the message, in that order, before signing. The |randomizer|
374 // value can be set to zero bytes in order to make a deterministic signature, or
375 // else filled with entropy for the usual |MLDSA_sign| behavior.
376 OPENSSL_EXPORT bcm_status BCM_mldsa65_sign_internal(
377 uint8_t out_encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES],
378 const struct BCM_mldsa65_private_key *private_key, const uint8_t *msg,
379 size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len,
380 const uint8_t *context, size_t context_len,
381 const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]);
382
383 // BCM_mldsa5_verify_internal verifies that |encoded_signature| is a valid
384 // signature of |msg| by |public_key|. The |context_prefix| and |context| are
385 // prefixed to the message before verification, in that order.
386 OPENSSL_EXPORT bcm_status BCM_mldsa65_verify_internal(
387 const struct BCM_mldsa65_public_key *public_key,
388 const uint8_t encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES],
389 const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix,
390 size_t context_prefix_len, const uint8_t *context, size_t context_len);
391
392 // BCM_mldsa65_marshal_private_key serializes |private_key| to |out| in the
393 // NIST format for ML-DSA-65 private keys.
394 OPENSSL_EXPORT bcm_status BCM_mldsa65_marshal_private_key(
395 CBB *out, const struct BCM_mldsa65_private_key *private_key);
396
397
398 // BCM_MLDSA87_PRIVATE_KEY_BYTES is the number of bytes in an encoded ML-DSA-87
399 // private key.
400 #define BCM_MLDSA87_PRIVATE_KEY_BYTES 4896
401
402 // BCM_MLDSA87_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-DSA-87
403 // public key.
404 #define BCM_MLDSA87_PUBLIC_KEY_BYTES 2592
405
406 // BCM_MLDSA87_SIGNATURE_BYTES is the number of bytes in an encoded ML-DSA-87
407 // signature.
408 #define BCM_MLDSA87_SIGNATURE_BYTES 4627
409
410 struct BCM_mldsa87_private_key {
411 union {
412 uint8_t bytes[32 + 32 + 64 + 256 * 4 * (7 + 8 + 8)];
413 uint32_t alignment;
414 } opaque;
415 };
416
417 struct BCM_mldsa87_public_key {
418 union {
419 uint8_t bytes[32 + 64 + 256 * 4 * 8];
420 uint32_t alignment;
421 } opaque;
422 };
423
424 struct BCM_mldsa87_prehash {
425 union {
426 uint8_t bytes[200 + 4 + 4 + 4 * sizeof(size_t)];
427 uint64_t alignment;
428 } opaque;
429 };
430
431 OPENSSL_EXPORT bcm_status BCM_mldsa87_generate_key(
432 uint8_t out_encoded_public_key[BCM_MLDSA87_PUBLIC_KEY_BYTES],
433 uint8_t out_seed[BCM_MLDSA_SEED_BYTES],
434 struct BCM_mldsa87_private_key *out_private_key);
435
436 OPENSSL_EXPORT bcm_status BCM_mldsa87_private_key_from_seed(
437 struct BCM_mldsa87_private_key *out_private_key,
438 const uint8_t seed[BCM_MLDSA_SEED_BYTES]);
439
440 OPENSSL_EXPORT bcm_status BCM_mldsa87_public_from_private(
441 struct BCM_mldsa87_public_key *out_public_key,
442 const struct BCM_mldsa87_private_key *private_key);
443
444 OPENSSL_EXPORT bcm_status
445 BCM_mldsa87_check_key_fips(struct BCM_mldsa87_private_key *private_key);
446
447 OPENSSL_EXPORT bcm_status BCM_mldsa87_generate_key_fips(
448 uint8_t out_encoded_public_key[BCM_MLDSA87_PUBLIC_KEY_BYTES],
449 uint8_t out_seed[BCM_MLDSA_SEED_BYTES],
450 struct BCM_mldsa87_private_key *out_private_key);
451
452 OPENSSL_EXPORT bcm_status BCM_mldsa87_private_key_from_seed_fips(
453 struct BCM_mldsa87_private_key *out_private_key,
454 const uint8_t seed[BCM_MLDSA_SEED_BYTES]);
455
456 OPENSSL_EXPORT bcm_status BCM_mldsa87_sign(
457 uint8_t out_encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES],
458 const struct BCM_mldsa87_private_key *private_key, const uint8_t *msg,
459 size_t msg_len, const uint8_t *context, size_t context_len);
460
461 OPENSSL_EXPORT bcm_status
462 BCM_mldsa87_verify(const struct BCM_mldsa87_public_key *public_key,
463 const uint8_t *signature, const uint8_t *msg, size_t msg_len,
464 const uint8_t *context, size_t context_len);
465
466 OPENSSL_EXPORT void BCM_mldsa87_prehash_init(
467 struct BCM_mldsa87_prehash *out_prehash_ctx,
468 const struct BCM_mldsa87_public_key *public_key, const uint8_t *context,
469 size_t context_len);
470
471 OPENSSL_EXPORT void BCM_mldsa87_prehash_update(
472 struct BCM_mldsa87_prehash *inout_prehash_ctx, const uint8_t *msg,
473 size_t msg_len);
474
475 OPENSSL_EXPORT void BCM_mldsa87_prehash_finalize(
476 uint8_t out_msg_rep[BCM_MLDSA_MU_BYTES],
477 struct BCM_mldsa87_prehash *inout_prehash_ctx);
478
479 OPENSSL_EXPORT bcm_status BCM_mldsa87_sign_message_representative(
480 uint8_t out_encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES],
481 const struct BCM_mldsa87_private_key *private_key,
482 const uint8_t msg_rep[BCM_MLDSA_MU_BYTES]);
483
484 OPENSSL_EXPORT bcm_status BCM_mldsa87_marshal_public_key(
485 CBB *out, const struct BCM_mldsa87_public_key *public_key);
486
487 OPENSSL_EXPORT bcm_status BCM_mldsa87_parse_public_key(
488 struct BCM_mldsa87_public_key *public_key, CBS *in);
489
490 OPENSSL_EXPORT bcm_status BCM_mldsa87_parse_private_key(
491 struct BCM_mldsa87_private_key *private_key, CBS *in);
492
493 // BCM_mldsa87_generate_key_external_entropy generates a public/private key pair
494 // using the given seed, writes the encoded public key to
495 // |out_encoded_public_key| and sets |out_private_key| to the private key.
496 OPENSSL_EXPORT bcm_status BCM_mldsa87_generate_key_external_entropy(
497 uint8_t out_encoded_public_key[BCM_MLDSA87_PUBLIC_KEY_BYTES],
498 struct BCM_mldsa87_private_key *out_private_key,
499 const uint8_t entropy[BCM_MLDSA_SEED_BYTES]);
500
501 OPENSSL_EXPORT bcm_status BCM_mldsa87_generate_key_external_entropy_fips(
502 uint8_t out_encoded_public_key[BCM_MLDSA87_PUBLIC_KEY_BYTES],
503 struct BCM_mldsa87_private_key *out_private_key,
504 const uint8_t entropy[BCM_MLDSA_SEED_BYTES]);
505
506 // BCM_mldsa87_sign_internal signs |msg| using |private_key| and writes the
507 // signature to |out_encoded_signature|. The |context_prefix| and |context| are
508 // prefixed to the message, in that order, before signing. The |randomizer|
509 // value can be set to zero bytes in order to make a deterministic signature, or
510 // else filled with entropy for the usual |MLDSA_sign| behavior.
511 OPENSSL_EXPORT bcm_status BCM_mldsa87_sign_internal(
512 uint8_t out_encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES],
513 const struct BCM_mldsa87_private_key *private_key, const uint8_t *msg,
514 size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len,
515 const uint8_t *context, size_t context_len,
516 const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]);
517
518 // BCM_mldsa87_verify_internal verifies that |encoded_signature| is a valid
519 // signature of |msg| by |public_key|. The |context_prefix| and |context| are
520 // prefixed to the message before verification, in that order.
521 OPENSSL_EXPORT bcm_status BCM_mldsa87_verify_internal(
522 const struct BCM_mldsa87_public_key *public_key,
523 const uint8_t encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES],
524 const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix,
525 size_t context_prefix_len, const uint8_t *context, size_t context_len);
526
527 // BCM_mldsa87_marshal_private_key serializes |private_key| to |out| in the
528 // NIST format for ML-DSA-87 private keys.
529 OPENSSL_EXPORT bcm_status BCM_mldsa87_marshal_private_key(
530 CBB *out, const struct BCM_mldsa87_private_key *private_key);
531
532 // BCM_MLDSA44_PRIVATE_KEY_BYTES is the number of bytes in an encoded ML-DSA-44
533 // private key.
534 #define BCM_MLDSA44_PRIVATE_KEY_BYTES 2560
535
536 // BCM_MLDSA44_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-DSA-44
537 // public key.
538 #define BCM_MLDSA44_PUBLIC_KEY_BYTES 1312
539
540 // BCM_MLDSA44_SIGNATURE_BYTES is the number of bytes in an encoded ML-DSA-44
541 // signature.
542 #define BCM_MLDSA44_SIGNATURE_BYTES 2420
543
544 struct BCM_mldsa44_private_key {
545 union {
546 uint8_t bytes[32 + 32 + 64 + 256 * 4 * (4 + 4 + 4)];
547 uint32_t alignment;
548 } opaque;
549 };
550
551 struct BCM_mldsa44_public_key {
552 union {
553 uint8_t bytes[32 + 64 + 256 * 4 * 4];
554 uint32_t alignment;
555 } opaque;
556 };
557
558 struct BCM_mldsa44_prehash {
559 union {
560 uint8_t bytes[200 + 4 + 4 + 4 * sizeof(size_t)];
561 uint64_t alignment;
562 } opaque;
563 };
564
565 OPENSSL_EXPORT bcm_status BCM_mldsa44_generate_key(
566 uint8_t out_encoded_public_key[BCM_MLDSA44_PUBLIC_KEY_BYTES],
567 uint8_t out_seed[BCM_MLDSA_SEED_BYTES],
568 struct BCM_mldsa44_private_key *out_private_key);
569
570 OPENSSL_EXPORT bcm_status BCM_mldsa44_private_key_from_seed(
571 struct BCM_mldsa44_private_key *out_private_key,
572 const uint8_t seed[BCM_MLDSA_SEED_BYTES]);
573
574 OPENSSL_EXPORT bcm_status BCM_mldsa44_public_from_private(
575 struct BCM_mldsa44_public_key *out_public_key,
576 const struct BCM_mldsa44_private_key *private_key);
577
578 OPENSSL_EXPORT bcm_status
579 BCM_mldsa44_check_key_fips(struct BCM_mldsa44_private_key *private_key);
580
581 OPENSSL_EXPORT bcm_status BCM_mldsa44_generate_key_fips(
582 uint8_t out_encoded_public_key[BCM_MLDSA44_PUBLIC_KEY_BYTES],
583 uint8_t out_seed[BCM_MLDSA_SEED_BYTES],
584 struct BCM_mldsa44_private_key *out_private_key);
585
586 OPENSSL_EXPORT bcm_status BCM_mldsa44_private_key_from_seed_fips(
587 struct BCM_mldsa44_private_key *out_private_key,
588 const uint8_t seed[BCM_MLDSA_SEED_BYTES]);
589
590 OPENSSL_EXPORT bcm_status BCM_mldsa44_sign(
591 uint8_t out_encoded_signature[BCM_MLDSA44_SIGNATURE_BYTES],
592 const struct BCM_mldsa44_private_key *private_key, const uint8_t *msg,
593 size_t msg_len, const uint8_t *context, size_t context_len);
594
595 OPENSSL_EXPORT bcm_status
596 BCM_mldsa44_verify(const struct BCM_mldsa44_public_key *public_key,
597 const uint8_t *signature, const uint8_t *msg, size_t msg_len,
598 const uint8_t *context, size_t context_len);
599
600 OPENSSL_EXPORT void BCM_mldsa44_prehash_init(
601 struct BCM_mldsa44_prehash *out_prehash_ctx,
602 const struct BCM_mldsa44_public_key *public_key, const uint8_t *context,
603 size_t context_len);
604
605 OPENSSL_EXPORT void BCM_mldsa44_prehash_update(
606 struct BCM_mldsa44_prehash *inout_prehash_ctx, const uint8_t *msg,
607 size_t msg_len);
608
609 OPENSSL_EXPORT void BCM_mldsa44_prehash_finalize(
610 uint8_t out_msg_rep[BCM_MLDSA_MU_BYTES],
611 struct BCM_mldsa44_prehash *inout_prehash_ctx);
612
613 OPENSSL_EXPORT bcm_status BCM_mldsa44_sign_message_representative(
614 uint8_t out_encoded_signature[BCM_MLDSA44_SIGNATURE_BYTES],
615 const struct BCM_mldsa44_private_key *private_key,
616 const uint8_t msg_rep[BCM_MLDSA_MU_BYTES]);
617
618 OPENSSL_EXPORT bcm_status BCM_mldsa44_marshal_public_key(
619 CBB *out, const struct BCM_mldsa44_public_key *public_key);
620
621 OPENSSL_EXPORT bcm_status BCM_mldsa44_parse_public_key(
622 struct BCM_mldsa44_public_key *public_key, CBS *in);
623
624 OPENSSL_EXPORT bcm_status BCM_mldsa44_parse_private_key(
625 struct BCM_mldsa44_private_key *private_key, CBS *in);
626
627 // BCM_mldsa44_generate_key_external_entropy generates a public/private key pair
628 // using the given seed, writes the encoded public key to
629 // |out_encoded_public_key| and sets |out_private_key| to the private key.
630 OPENSSL_EXPORT bcm_status BCM_mldsa44_generate_key_external_entropy(
631 uint8_t out_encoded_public_key[BCM_MLDSA44_PUBLIC_KEY_BYTES],
632 struct BCM_mldsa44_private_key *out_private_key,
633 const uint8_t entropy[BCM_MLDSA_SEED_BYTES]);
634
635 OPENSSL_EXPORT bcm_status BCM_mldsa44_generate_key_external_entropy_fips(
636 uint8_t out_encoded_public_key[BCM_MLDSA44_PUBLIC_KEY_BYTES],
637 struct BCM_mldsa44_private_key *out_private_key,
638 const uint8_t entropy[BCM_MLDSA_SEED_BYTES]);
639
640 // BCM_mldsa44_sign_internal signs |msg| using |private_key| and writes the
641 // signature to |out_encoded_signature|. The |context_prefix| and |context| are
642 // prefixed to the message, in that order, before signing. The |randomizer|
643 // value can be set to zero bytes in order to make a deterministic signature, or
644 // else filled with entropy for the usual |MLDSA_sign| behavior.
645 OPENSSL_EXPORT bcm_status BCM_mldsa44_sign_internal(
646 uint8_t out_encoded_signature[BCM_MLDSA44_SIGNATURE_BYTES],
647 const struct BCM_mldsa44_private_key *private_key, const uint8_t *msg,
648 size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len,
649 const uint8_t *context, size_t context_len,
650 const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]);
651
652 // BCM_mldsa44_verify_internal verifies that |encoded_signature| is a valid
653 // signature of |msg| by |public_key|. The |context_prefix| and |context| are
654 // prefixed to the message before verification, in that order.
655 OPENSSL_EXPORT bcm_status BCM_mldsa44_verify_internal(
656 const struct BCM_mldsa44_public_key *public_key,
657 const uint8_t encoded_signature[BCM_MLDSA44_SIGNATURE_BYTES],
658 const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix,
659 size_t context_prefix_len, const uint8_t *context, size_t context_len);
660
661 // BCM_mldsa44_marshal_private_key serializes |private_key| to |out| in the
662 // NIST format for ML-DSA-44 private keys.
663 OPENSSL_EXPORT bcm_status BCM_mldsa44_marshal_private_key(
664 CBB *out, const struct BCM_mldsa44_private_key *private_key);
665
666
667 // ML-KEM
668 //
669 // Where not commented, these functions have the same signature as the
670 // corresponding public function.
671
672 // BCM_MLKEM_ENCAP_ENTROPY is the number of bytes of uniformly random entropy
673 // necessary to encapsulate a secret. The entropy will be leaked to the
674 // decapsulating party.
675 #define BCM_MLKEM_ENCAP_ENTROPY 32
676
677 // BCM_MLKEM768_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-768
678 // public key.
679 #define BCM_MLKEM768_PUBLIC_KEY_BYTES 1184
680
681 // BCM_MLKEM1024_PUBLIC_KEY_BYTES is the number of bytes in an encoded
682 // ML-KEM-1024 public key.
683 #define BCM_MLKEM1024_PUBLIC_KEY_BYTES 1568
684
685 // BCM_MLKEM768_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-768
686 // ciphertext.
687 #define BCM_MLKEM768_CIPHERTEXT_BYTES 1088
688
689 // BCM_MLKEM1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024
690 // ciphertext.
691 #define BCM_MLKEM1024_CIPHERTEXT_BYTES 1568
692
693 // BCM_MLKEM768_PRIVATE_KEY_BYTES is the length of the data produced by
694 // |BCM_mlkem768_marshal_private_key|.
695 #define BCM_MLKEM768_PRIVATE_KEY_BYTES 2400
696
697 // BCM_MLKEM1024_PRIVATE_KEY_BYTES is the length of the data produced by
698 // |BCM_mlkem1024_marshal_private_key|.
699 #define BCM_MLKEM1024_PRIVATE_KEY_BYTES 3168
700
701 // BCM_MLKEM_SEED_BYTES is the number of bytes in an ML-KEM seed.
702 #define BCM_MLKEM_SEED_BYTES 64
703
704 // BCM_mlkem_SHARED_SECRET_BYTES is the number of bytes in an ML-KEM shared
705 // secret.
706 #define BCM_MLKEM_SHARED_SECRET_BYTES 32
707
708 struct BCM_mlkem768_public_key {
709 union {
710 uint8_t bytes[512 * (3 + 9) + 32 + 32];
711 uint16_t alignment;
712 } opaque;
713 };
714
715 struct BCM_mlkem768_private_key {
716 union {
717 uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32];
718 uint16_t alignment;
719 } opaque;
720 };
721
722
723
724 OPENSSL_EXPORT bcm_infallible BCM_mlkem768_generate_key(
725 uint8_t out_encoded_public_key[BCM_MLKEM768_PUBLIC_KEY_BYTES],
726 uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES],
727 struct BCM_mlkem768_private_key *out_private_key);
728
729 OPENSSL_EXPORT bcm_status BCM_mlkem768_private_key_from_seed(
730 struct BCM_mlkem768_private_key *out_private_key, const uint8_t *seed,
731 size_t seed_len);
732
733 OPENSSL_EXPORT bcm_status BCM_mlkem768_generate_key_fips(
734 uint8_t out_encoded_public_key[BCM_MLKEM768_PUBLIC_KEY_BYTES],
735 uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES],
736 struct BCM_mlkem768_private_key *out_private_key);
737
738 OPENSSL_EXPORT bcm_status
739 BCM_mlkem768_check_fips(const struct BCM_mlkem768_private_key *private_key);
740
741 OPENSSL_EXPORT bcm_infallible BCM_mlkem768_public_from_private(
742 struct BCM_mlkem768_public_key *out_public_key,
743 const struct BCM_mlkem768_private_key *private_key);
744
745 OPENSSL_EXPORT bcm_infallible
746 BCM_mlkem768_encap(uint8_t out_ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES],
747 uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
748 const struct BCM_mlkem768_public_key *public_key);
749
750 OPENSSL_EXPORT bcm_status
751 BCM_mlkem768_decap(uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
752 const uint8_t *ciphertext, size_t ciphertext_len,
753 const struct BCM_mlkem768_private_key *private_key);
754
755 OPENSSL_EXPORT bcm_status BCM_mlkem768_marshal_public_key(
756 CBB *out, const struct BCM_mlkem768_public_key *public_key);
757
758 OPENSSL_EXPORT bcm_status BCM_mlkem768_parse_public_key(
759 struct BCM_mlkem768_public_key *out_public_key, CBS *in);
760
761 // BCM_mlkem768_parse_private_key parses a private key, in NIST's format for
762 // private keys, from |in| and writes the result to |out_private_key|. It
763 // returns one on success or zero on parse error or if there are trailing bytes
764 // in |in|. This format is verbose and should be avoided. Private keys should be
765 // stored as seeds and parsed using |BCM_mlkem768_private_key_from_seed|.
766 OPENSSL_EXPORT bcm_status BCM_mlkem768_parse_private_key(
767 struct BCM_mlkem768_private_key *out_private_key, CBS *in);
768
769 // BCM_mlkem768_generate_key_external_seed is a deterministic function to create
770 // a pair of ML-KEM-768 keys, using the supplied seed. The seed needs to be
771 // uniformly random. This function should only be used for tests; regular
772 // callers should use the non-deterministic |BCM_mlkem768_generate_key|
773 // directly.
774 OPENSSL_EXPORT bcm_infallible BCM_mlkem768_generate_key_external_seed(
775 uint8_t out_encoded_public_key[BCM_MLKEM768_PUBLIC_KEY_BYTES],
776 struct BCM_mlkem768_private_key *out_private_key,
777 const uint8_t seed[BCM_MLKEM_SEED_BYTES]);
778
779 // BCM_mlkem768_encap_external_entropy behaves like |MLKEM768_encap|, but uses
780 // |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating
781 // side will be able to recover |entropy| in full. This function should only be
782 // used for tests, regular callers should use the non-deterministic
783 // |BCM_mlkem768_encap| directly.
784 OPENSSL_EXPORT bcm_infallible BCM_mlkem768_encap_external_entropy(
785 uint8_t out_ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES],
786 uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
787 const struct BCM_mlkem768_public_key *public_key,
788 const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]);
789
790 // BCM_mlkem768_marshal_private_key serializes |private_key| to |out| in the
791 // NIST format for ML-KEM-768 private keys. (Note that one can also save just
792 // the seed value produced by |BCM_mlkem768_generate_key|, which is
793 // significantly smaller.)
794 OPENSSL_EXPORT bcm_status BCM_mlkem768_marshal_private_key(
795 CBB *out, const struct BCM_mlkem768_private_key *private_key);
796
797 struct BCM_mlkem1024_public_key {
798 union {
799 uint8_t bytes[512 * (4 + 16) + 32 + 32];
800 uint16_t alignment;
801 } opaque;
802 };
803
804 struct BCM_mlkem1024_private_key {
805 union {
806 uint8_t bytes[512 * (4 + 4 + 16) + 32 + 32 + 32];
807 uint16_t alignment;
808 } opaque;
809 };
810
811 OPENSSL_EXPORT bcm_infallible BCM_mlkem1024_generate_key(
812 uint8_t out_encoded_public_key[BCM_MLKEM1024_PUBLIC_KEY_BYTES],
813 uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES],
814 struct BCM_mlkem1024_private_key *out_private_key);
815
816 OPENSSL_EXPORT bcm_status BCM_mlkem1024_generate_key_fips(
817 uint8_t out_encoded_public_key[BCM_MLKEM1024_PUBLIC_KEY_BYTES],
818 uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES],
819 struct BCM_mlkem1024_private_key *out_private_key);
820
821 OPENSSL_EXPORT bcm_status
822 BCM_mlkem1024_check_fips(const struct BCM_mlkem1024_private_key *private_key);
823
824 OPENSSL_EXPORT bcm_status BCM_mlkem1024_private_key_from_seed(
825 struct BCM_mlkem1024_private_key *out_private_key, const uint8_t *seed,
826 size_t seed_len);
827
828 OPENSSL_EXPORT bcm_infallible BCM_mlkem1024_public_from_private(
829 struct BCM_mlkem1024_public_key *out_public_key,
830 const struct BCM_mlkem1024_private_key *private_key);
831
832 OPENSSL_EXPORT bcm_infallible
833 BCM_mlkem1024_encap(uint8_t out_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES],
834 uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
835 const struct BCM_mlkem1024_public_key *public_key);
836
837 OPENSSL_EXPORT bcm_status
838 BCM_mlkem1024_decap(uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
839 const uint8_t *ciphertext, size_t ciphertext_len,
840 const struct BCM_mlkem1024_private_key *private_key);
841
842 OPENSSL_EXPORT bcm_status BCM_mlkem1024_marshal_public_key(
843 CBB *out, const struct BCM_mlkem1024_public_key *public_key);
844
845 OPENSSL_EXPORT bcm_status BCM_mlkem1024_parse_public_key(
846 struct BCM_mlkem1024_public_key *out_public_key, CBS *in);
847
848 // BCM_mlkem1024_parse_private_key parses a private key, in NIST's format for
849 // private keys, from |in| and writes the result to |out_private_key|. It
850 // returns one on success or zero on parse error or if there are trailing bytes
851 // in |in|. This format is verbose and should be avoided. Private keys should be
852 // stored as seeds and parsed using |BCM_mlkem1024_private_key_from_seed|.
853 OPENSSL_EXPORT bcm_status BCM_mlkem1024_parse_private_key(
854 struct BCM_mlkem1024_private_key *out_private_key, CBS *in);
855
856 // BCM_mlkem1024_generate_key_external_seed is a deterministic function to
857 // create a pair of ML-KEM-1024 keys, using the supplied seed. The seed needs to
858 // be uniformly random. This function should only be used for tests, regular
859 // callers should use the non-deterministic |BCM_mlkem1024_generate_key|
860 // directly.
861 OPENSSL_EXPORT bcm_infallible BCM_mlkem1024_generate_key_external_seed(
862 uint8_t out_encoded_public_key[BCM_MLKEM1024_PUBLIC_KEY_BYTES],
863 struct BCM_mlkem1024_private_key *out_private_key,
864 const uint8_t seed[BCM_MLKEM_SEED_BYTES]);
865
866 // BCM_mlkem1024_encap_external_entropy behaves like |MLKEM1024_encap|, but uses
867 // |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The
868 // decapsulating side will be able to recover |entropy| in full. This function
869 // should only be used for tests, regular callers should use the
870 // non-deterministic |BCM_mlkem1024_encap| directly.
871 OPENSSL_EXPORT bcm_infallible BCM_mlkem1024_encap_external_entropy(
872 uint8_t out_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES],
873 uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],
874 const struct BCM_mlkem1024_public_key *public_key,
875 const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]);
876
877 // BCM_mlkem1024_marshal_private_key serializes |private_key| to |out| in the
878 // NIST format for ML-KEM-1024 private keys. (Note that one can also save just
879 // the seed value produced by |BCM_mlkem1024_generate_key|, which is
880 // significantly smaller.)
881 OPENSSL_EXPORT bcm_status BCM_mlkem1024_marshal_private_key(
882 CBB *out, const struct BCM_mlkem1024_private_key *private_key);
883
884
885 // SLH-DSA
886
887 // Output length of the hash function.
888 #define BCM_SLHDSA_SHA2_128S_N 16
889
890 // The number of bytes at the beginning of M', the augmented message, before the
891 // context.
892 #define BCM_SLHDSA_M_PRIME_HEADER_LEN 2
893
894 // SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES is the number of bytes in an
895 // SLH-DSA-SHA2-128s public key.
896 #define BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES 32
897
898 // BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES is the number of bytes in an
899 // SLH-DSA-SHA2-128s private key.
900 #define BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES 64
901
902 // BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES is the number of bytes in an
903 // SLH-DSA-SHA2-128s signature.
904 #define BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES 7856
905
906 // BCM_slhdsa_sha2_128s_generate_key_from_seed generates an SLH-DSA-SHA2-128s
907 // key pair from a 48-byte seed and writes the result to |out_public_key| and
908 // |out_secret_key|.
909 OPENSSL_EXPORT bcm_infallible BCM_slhdsa_sha2_128s_generate_key_from_seed(
910 uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
911 uint8_t out_secret_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
912 const uint8_t seed[3 * BCM_SLHDSA_SHA2_128S_N]);
913
914 // BCM_slhdsa_sha2_128s_generate_key_from_seed_fips does the same thing as
915 // `BCM_slhdsa_sha2_128s_generate_key_from_seed` but implements the required
916 // second check before generating a key by testing for nullptr arguments.
917 OPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_generate_key_from_seed_fips(
918 uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
919 uint8_t out_secret_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
920 const uint8_t seed[3 * BCM_SLHDSA_SHA2_128S_N]);
921
922 // BCM_slhdsa_sha2_128s_sign_internal acts like |SLHDSA_SHA2_128S_sign| but
923 // accepts an explicit entropy input, which can be PK.seed (bytes 32..48 of
924 // the private key) to generate deterministic signatures. It also takes the
925 // input message in three parts so that the "internal" version of the signing
926 // function, from section 9.2, can be implemented. The |header| argument may be
927 // NULL to omit it.
928 OPENSSL_EXPORT bcm_infallible BCM_slhdsa_sha2_128s_sign_internal(
929 uint8_t out_signature[BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES],
930 const uint8_t secret_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
931 const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,
932 size_t context_len, const uint8_t *msg, size_t msg_len,
933 const uint8_t entropy[BCM_SLHDSA_SHA2_128S_N]);
934
935 // BCM_slhdsa_sha2_128s_verify_internal acts like |SLHDSA_SHA2_128S_verify| but
936 // takes the input message in three parts so that the "internal" version of the
937 // verification function, from section 9.3, can be implemented. The |header|
938 // argument may be NULL to omit it.
939 OPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_verify_internal(
940 const uint8_t *signature, size_t signature_len,
941 const uint8_t public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
942 const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,
943 size_t context_len, const uint8_t *msg, size_t msg_len);
944
945 OPENSSL_EXPORT bcm_infallible BCM_slhdsa_sha2_128s_generate_key(
946 uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
947 uint8_t out_private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]);
948
949 OPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_generate_key_fips(
950 uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
951 uint8_t out_private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]);
952
953 OPENSSL_EXPORT bcm_infallible BCM_slhdsa_sha2_128s_public_from_private(
954 uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
955 const uint8_t private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]);
956
957 OPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_sign(
958 uint8_t out_signature[BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES],
959 const uint8_t private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
960 const uint8_t *msg, size_t msg_len, const uint8_t *context,
961 size_t context_len);
962
963 OPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_verify(
964 const uint8_t *signature, size_t signature_len,
965 const uint8_t public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
966 const uint8_t *msg, size_t msg_len, const uint8_t *context,
967 size_t context_len);
968
969 OPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_prehash_sign(
970 uint8_t out_signature[BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES],
971 const uint8_t private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
972 const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,
973 const uint8_t *context, size_t context_len);
974
975 OPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_prehash_verify(
976 const uint8_t *signature, size_t signature_len,
977 const uint8_t public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
978 const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,
979 const uint8_t *context, size_t context_len);
980
981
982 // AES
983
984 // BCM_aes_encrypt encrypts a single block from |in| to |out| with |key|. The
985 // |in| and |out| pointers may overlap.
986 OPENSSL_EXPORT bcm_infallible BCM_aes_encrypt(const uint8_t *in, uint8_t *out,
987 const AES_KEY *key);
988 // BCM_aes_decrypt decrypts a single block from |in| to |out| with |key|. The
989 // |in| and |out| pointers may overlap.
990 OPENSSL_EXPORT bcm_infallible BCM_aes_decrypt(const uint8_t *in, uint8_t *out,
991 const AES_KEY *key);
992
993 // BCM_aes_set_encrypt_key configures |aeskey| to encrypt with the |bits|-bit
994 // key, |key|. |key| must point to |bits|/8 bytes. It will return failure if
995 // |bits| is an invalid AES key size.
996 OPENSSL_EXPORT bcm_status BCM_aes_set_encrypt_key(const uint8_t *key,
997 unsigned bits,
998 AES_KEY *aeskey);
999
1000 // BCM_aes_set_decrypt_key configures |aeskey| to decrypt with the |bits|-bit
1001 // key, |key|. |key| must point to |bits|/8 bytes. It will return failure if
1002 // |bits| is an invalid AES key size.
1003 OPENSSL_EXPORT bcm_status BCM_aes_set_decrypt_key(const uint8_t *key,
1004 unsigned bits,
1005 AES_KEY *aeskey);
1006
1007
1008 #if defined(__cplusplus)
1009 } // extern C
1010 #endif
1011
1012 #endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_BCM_INTERFACE_H
1013