2 files changed, 43 insertions, 27 deletions
diff --git a/src/lib/libcrypto/mlkem/mlkem768.c b/src/lib/libcrypto/mlkem/mlkem768.c
index b20545defc..82adea7b42 100644
--- a/src/lib/libcrypto/mlkem/mlkem768.c
+++ b/src/lib/libcrypto/mlkem/mlkem768.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mlkem768.c,v 1.10 2025/05/19 07:40:17 beck Exp $ */
+/* $OpenBSD: mlkem768.c,v 1.11 2025/05/19 07:53:00 beck Exp $ */
 /*
 * Copyright (c) 2024, Google Inc.
 * Copyright (c) 2024, Bob Beck <beck@obtuse.com>
@@ -611,6 +611,19 @@ vector_encode(uint8_t *out, const vector *a, int bits)
        }
 }
+/* Encodes an entire vector as above, but adding it to a CBB */
+static int
+vector_encode_cbb(CBB *cbb, const vector *a, int bits)
+{
+        uint8_t *encoded_vector;
+        if (!CBB_add_space(cbb, &encoded_vector, kEncodedVectorSize))
+                return 0;
+        vector_encode(encoded_vector, a, bits);
+        return 1;
+}
 /*
 * scalar_decode parses |DEGREE * bits| bits from |in| into |DEGREE| values in
 * |out|. It returns one on success and zero if any parsed value is >=
@@ -850,16 +863,9 @@ LCRYPTO_ALIAS(MLKEM768_private_key_from_seed);
 static int
 mlkem_marshal_public_key(CBB *out, const struct public_key *pub)
 {
-        uint8_t *vector_output;
+        if (!vector_encode_cbb(out, &pub->t, kLog2Prime))
-        if (!CBB_add_space(out, &vector_output, kEncodedVectorSize)) {
                return 0;
-        }
+        return CBB_add_bytes(out, pub->rho, sizeof(pub->rho));
-        vector_encode(vector_output, &pub->t, kLog2Prime);
-        if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {
-                return 0;
-        }
-        return 1;
 }
 int
@@ -1117,27 +1123,37 @@ MLKEM768_parse_public_key(struct MLKEM768_public_key *public_key,
 LCRYPTO_ALIAS(MLKEM768_parse_public_key);
 int
-MLKEM768_marshal_private_key(CBB *out,
+MLKEM768_marshal_private_key(const struct MLKEM768_private_key *private_key,
-    const struct MLKEM768_private_key *private_key)
+    uint8_t **out_private_key, size_t *out_private_key_len)
 {
        const struct private_key *const priv = private_key_768_from_external(
            private_key);
-        uint8_t *s_output;
+        CBB cbb;
+        int ret = 0;
-        if (!CBB_add_space(out, &s_output, kEncodedVectorSize)) {
+        if (!CBB_init(&cbb, MLKEM768_PRIVATE_KEY_BYTES))
-                return 0;
+                goto err;
-        }
-        vector_encode(s_output, &priv->s, kLog2Prime);
+        if (!vector_encode_cbb(&cbb, &priv->s, kLog2Prime))
-        if (!mlkem_marshal_public_key(out, &priv->pub))
+                goto err;
-                return 0;
+        if (!mlkem_marshal_public_key(&cbb, &priv->pub))
-        if (!CBB_add_bytes(out, priv->pub.public_key_hash,
+                goto err;
+        if (!CBB_add_bytes(&cbb, priv->pub.public_key_hash,
            sizeof(priv->pub.public_key_hash)))
-                return 0;
+                goto err;
-        if (!CBB_add_bytes(out, priv->fo_failure_secret,
+        if (!CBB_add_bytes(&cbb, priv->fo_failure_secret,
            sizeof(priv->fo_failure_secret)))
-                return 0;
+                goto err;
-        return 1;
+        if (!CBB_finish(&cbb, out_private_key, out_private_key_len))
+                goto err;
+        ret = 1;
+ err:
+        CBB_cleanup(&cbb);
+        return ret;
 }
 int
diff --git a/src/lib/libcrypto/mlkem/mlkem_internal.h b/src/lib/libcrypto/mlkem/mlkem_internal.h
index 7a51197c36..aed051e980 100644
--- a/src/lib/libcrypto/mlkem/mlkem_internal.h
+++ b/src/lib/libcrypto/mlkem/mlkem_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_internal.h,v 1.5 2025/05/19 06:47:40 beck Exp $ */
+/*      $OpenBSD: mlkem_internal.h,v 1.6 2025/05/19 07:53:00 beck Exp $ */
 /*
 * Copyright (c) 2023, Google Inc.
 *
@@ -57,8 +57,8 @@ int MLKEM768_generate_key_external_entropy(
 * format for ML-KEM private keys. It returns one on success or zero on
 * allocation error.
 */
-int MLKEM768_marshal_private_key(CBB *out,
+int MLKEM768_marshal_private_key(const struct MLKEM768_private_key *private_key,
-    const struct MLKEM768_private_key *private_key);
+    uint8_t **out_private_key, size_t *out_private_key_len);
 /*
 * MLKEM_encap_external_entropy behaves like |MLKEM_encap|, but uses

diff --git a/src/lib/libcrypto/mlkem/mlkem768.c b/src/lib/libcrypto/mlkem/mlkem768.c index b20545defc..82adea7b42 100644 --- a/src/lib/libcrypto/mlkem/mlkem768.c +++ b/src/lib/libcrypto/mlkem/mlkem768.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: mlkem768.c,v 1.10 2025/05/19 07:40:17 beck Exp $ */	1	/* $OpenBSD: mlkem768.c,v 1.11 2025/05/19 07:53:00 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2024, Google Inc.	3	* Copyright (c) 2024, Google Inc.
4	* Copyright (c) 2024, Bob Beck <beck@obtuse.com>	4	* Copyright (c) 2024, Bob Beck <beck@obtuse.com>
@@ -611,6 +611,19 @@ vector_encode(uint8_t out, const vector a, int bits)
611	}	611	}
612	}	612	}
613		613
		614	/* Encodes an entire vector as above, but adding it to a CBB */
		615	static int
		616	vector_encode_cbb(CBB cbb, const vector a, int bits)
		617	{
		618	uint8_t *encoded_vector;
		619
		620	if (!CBB_add_space(cbb, &encoded_vector, kEncodedVectorSize))
		621	return 0;
		622	vector_encode(encoded_vector, a, bits);
		623
		624	return 1;
		625	}
		626
614	/*	627	/*
615	* scalar_decode parses \|DEGREE * bits\| bits from \|in\| into \|DEGREE\| values in	628	* scalar_decode parses \|DEGREE * bits\| bits from \|in\| into \|DEGREE\| values in
616	* \|out\|. It returns one on success and zero if any parsed value is >=	629	* \|out\|. It returns one on success and zero if any parsed value is >=
@@ -850,16 +863,9 @@ LCRYPTO_ALIAS(MLKEM768_private_key_from_seed);
850	static int	863	static int
851	mlkem_marshal_public_key(CBB out, const struct public_key pub)	864	mlkem_marshal_public_key(CBB out, const struct public_key pub)
852	{	865	{
853	uint8_t *vector_output;	866	if (!vector_encode_cbb(out, &pub->t, kLog2Prime))
854
855	if (!CBB_add_space(out, &vector_output, kEncodedVectorSize)) {
856	return 0;	867	return 0;
857	}	868	return CBB_add_bytes(out, pub->rho, sizeof(pub->rho));
858	vector_encode(vector_output, &pub->t, kLog2Prime);
859	if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {
860	return 0;
861	}
862	return 1;
863	}	869	}
864		870
865	int	871	int
@@ -1117,27 +1123,37 @@ MLKEM768_parse_public_key(struct MLKEM768_public_key *public_key,
1117	LCRYPTO_ALIAS(MLKEM768_parse_public_key);	1123	LCRYPTO_ALIAS(MLKEM768_parse_public_key);
1118		1124
1119	int	1125	int
1120	MLKEM768_marshal_private_key(CBB *out,	1126	MLKEM768_marshal_private_key(const struct MLKEM768_private_key *private_key,
1121	const struct MLKEM768_private_key *private_key)	1127	uint8_t *out_private_key, size_t out_private_key_len)
1122	{	1128	{
1123	const struct private_key *const priv = private_key_768_from_external(	1129	const struct private_key *const priv = private_key_768_from_external(
1124	private_key);	1130	private_key);
1125	uint8_t *s_output;	1131	CBB cbb;
		1132	int ret = 0;
1126		1133
1127	if (!CBB_add_space(out, &s_output, kEncodedVectorSize)) {	1134	if (!CBB_init(&cbb, MLKEM768_PRIVATE_KEY_BYTES))
1128	return 0;	1135	goto err;
1129	}	1136
1130	vector_encode(s_output, &priv->s, kLog2Prime);	1137	if (!vector_encode_cbb(&cbb, &priv->s, kLog2Prime))
1131	if (!mlkem_marshal_public_key(out, &priv->pub))	1138	goto err;
1132	return 0;	1139	if (!mlkem_marshal_public_key(&cbb, &priv->pub))
1133	if (!CBB_add_bytes(out, priv->pub.public_key_hash,	1140	goto err;
		1141	if (!CBB_add_bytes(&cbb, priv->pub.public_key_hash,
1134	sizeof(priv->pub.public_key_hash)))	1142	sizeof(priv->pub.public_key_hash)))
1135	return 0;	1143	goto err;
1136	if (!CBB_add_bytes(out, priv->fo_failure_secret,	1144	if (!CBB_add_bytes(&cbb, priv->fo_failure_secret,
1137	sizeof(priv->fo_failure_secret)))	1145	sizeof(priv->fo_failure_secret)))
1138	return 0;	1146	goto err;
1139		1147
1140	return 1;	1148	if (!CBB_finish(&cbb, out_private_key, out_private_key_len))
		1149	goto err;
		1150
		1151	ret = 1;
		1152
		1153	err:
		1154	CBB_cleanup(&cbb);
		1155
		1156	return ret;
1141	}	1157	}
1142		1158
1143	int	1159	int


diff --git a/src/lib/libcrypto/mlkem/mlkem_internal.h b/src/lib/libcrypto/mlkem/mlkem_internal.h index 7a51197c36..aed051e980 100644 --- a/src/lib/libcrypto/mlkem/mlkem_internal.h +++ b/src/lib/libcrypto/mlkem/mlkem_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: mlkem_internal.h,v 1.5 2025/05/19 06:47:40 beck Exp $ */	1	/* $OpenBSD: mlkem_internal.h,v 1.6 2025/05/19 07:53:00 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2023, Google Inc.	3	* Copyright (c) 2023, Google Inc.
4	*	4	*
@@ -57,8 +57,8 @@ int MLKEM768_generate_key_external_entropy(
57	* format for ML-KEM private keys. It returns one on success or zero on	57	* format for ML-KEM private keys. It returns one on success or zero on
58	* allocation error.	58	* allocation error.
59	*/	59	*/
60	int MLKEM768_marshal_private_key(CBB *out,	60	int MLKEM768_marshal_private_key(const struct MLKEM768_private_key *private_key,
61	const struct MLKEM768_private_key *private_key);	61	uint8_t *out_private_key, size_t out_private_key_len);
62		62
63	/*	63	/*
64	* MLKEM_encap_external_entropy behaves like \|MLKEM_encap\|, but uses	64	* MLKEM_encap_external_entropy behaves like \|MLKEM_encap\|, but uses