2 files changed, 2 insertions, 58 deletions
diff --git a/src/lib/libcrypto/mlkem/mlkem_internal.c b/src/lib/libcrypto/mlkem/mlkem_internal.c
index c8305bb0d9..048b147806 100644
--- a/src/lib/libcrypto/mlkem/mlkem_internal.c
+++ b/src/lib/libcrypto/mlkem/mlkem_internal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mlkem_internal.c,v 1.5 2026/01/01 13:36:09 tb Exp $ */
+/* $OpenBSD: mlkem_internal.c,v 1.6 2026/01/18 08:49:42 tb Exp $ */
 /*
 * Copyright (c) 2024, Google Inc.
 * Copyright (c) 2024, 2025 Bob Beck <beck@obtuse.com>
@@ -875,28 +875,6 @@ private_key_from_external(const MLKEM_private_key *external,
        offset += 32;
 }
-/*
- * Calls |mlkem_generate_key_external_entropy| with random bytes from
- * |RAND_bytes|.
- */
-int
-mlkem_generate_key(uint8_t *out_encoded_public_key,
-    uint8_t optional_out_seed[MLKEM_SEED_LENGTH],
-    MLKEM_private_key *out_private_key)
-{
-        uint8_t entropy_buf[MLKEM_SEED_LENGTH];
-        uint8_t *entropy = optional_out_seed != NULL ? optional_out_seed :
-            entropy_buf;
-        int ret;
-        arc4random_buf(entropy, MLKEM_SEED_LENGTH);
-        ret = mlkem_generate_key_external_entropy(out_encoded_public_key,
-            out_private_key, entropy);
-        explicit_bzero(entropy_buf, sizeof(entropy_buf));
-        return ret;
-}
 int
 mlkem_private_key_from_seed(const uint8_t *seed, size_t seed_len,
    MLKEM_private_key *out_private_key)
@@ -1057,20 +1035,6 @@ encrypt_cpa(uint8_t *out, const struct public_key *pub,
        explicit_bzero(input, sizeof(input));
 }
-/* Calls mlkem_encap_external_entropy| with random bytes */
-void
-mlkem_encap(const MLKEM_public_key *public_key,
-    uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_LENGTH])
-{
-        uint8_t entropy[MLKEM_ENCAP_ENTROPY];
-        arc4random_buf(entropy, MLKEM_ENCAP_ENTROPY);
-        mlkem_encap_external_entropy(out_ciphertext,
-            out_shared_secret, public_key, entropy);
-        explicit_bzero(entropy, sizeof(entropy));
-}
 /* See section 6.2 of the spec. */
 void
 mlkem_encap_external_entropy(uint8_t *out_ciphertext,
diff --git a/src/lib/libcrypto/mlkem/mlkem_internal.h b/src/lib/libcrypto/mlkem/mlkem_internal.h
index c8bfb65431..a8b1a16359 100644
--- a/src/lib/libcrypto/mlkem/mlkem_internal.h
+++ b/src/lib/libcrypto/mlkem/mlkem_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_internal.h,v 1.12 2026/01/16 18:31:12 tb Exp $ */
+/*      $OpenBSD: mlkem_internal.h,v 1.13 2026/01/18 08:49:42 tb Exp $ */
 /*
 * Copyright (c) 2023, Google Inc.
 * Copyright (c) 2025, Bob Beck <beck@obtuse.com>
@@ -175,17 +175,6 @@ struct MLKEM768_private_key {
 /* Key generation. */
 /*
- * mlkem_generate_key generates a random public/private key pair, writes the
- * encoded public key to |out_encoded_public_key| and sets |out_private_key| to
- * the private key. If |optional_out_seed| is not NULL then the seed used to
- * generate the private key is written to it. The caller is responsible for
- * ensuring that |out_encoded_public_key| and |out_optonal_seed| point to
- * enough memory to contain a key and seed for the rank of |out_private_key|.
- */
-int mlkem_generate_key(uint8_t *out_encoded_public_key,
-    uint8_t *optional_out_seed, MLKEM_private_key *out_private_key);
-/*
 * mlkem_private_key_from_seed modifies |out_private_key| to contain a key of
 * the rank of |*out_private_key| from a seed that was generated by
 * |MLKEM_generate_key|. It fails and returns 0 if |seed_len| is incorrect, or
@@ -208,15 +197,6 @@ void mlkem_public_from_private(const MLKEM_private_key *private_key,
 /* Encapsulation and decapsulation of secrets. */
 /*
- * mlkem_encap encrypts a random shared secret for |public_key|, writes the
- * ciphertext to |out_ciphertext|, and writes the random shared secret to
- * |out_shared_secret|.
- */
-void mlkem_encap(const MLKEM_public_key *public_key,
-    uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_LENGTH]);
-/*
 * mlkem_decap decrypts a shared secret from |ciphertext| using |private_key|
 * and writes it to |out_shared_secret|. If |ciphertext_len| is incorrect it
 * returns 0, otherwise it returns 1. If |ciphertext| is invalid,

diff --git a/src/lib/libcrypto/mlkem/mlkem_internal.c b/src/lib/libcrypto/mlkem/mlkem_internal.c index c8305bb0d9..048b147806 100644 --- a/src/lib/libcrypto/mlkem/mlkem_internal.c +++ b/src/lib/libcrypto/mlkem/mlkem_internal.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: mlkem_internal.c,v 1.5 2026/01/01 13:36:09 tb Exp $ */	1	/* $OpenBSD: mlkem_internal.c,v 1.6 2026/01/18 08:49:42 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2024, Google Inc.	3	* Copyright (c) 2024, Google Inc.
4	* Copyright (c) 2024, 2025 Bob Beck <beck@obtuse.com>	4	* Copyright (c) 2024, 2025 Bob Beck <beck@obtuse.com>
@@ -875,28 +875,6 @@ private_key_from_external(const MLKEM_private_key *external,
875	offset += 32;	875	offset += 32;
876	}	876	}
877		877
878	/*
879	* Calls \|mlkem_generate_key_external_entropy\| with random bytes from
880	* \|RAND_bytes\|.
881	*/
882	int
883	mlkem_generate_key(uint8_t *out_encoded_public_key,
884	uint8_t optional_out_seed[MLKEM_SEED_LENGTH],
885	MLKEM_private_key *out_private_key)
886	{
887	uint8_t entropy_buf[MLKEM_SEED_LENGTH];
888	uint8_t *entropy = optional_out_seed != NULL ? optional_out_seed :
889	entropy_buf;
890	int ret;
891
892	arc4random_buf(entropy, MLKEM_SEED_LENGTH);
893	ret = mlkem_generate_key_external_entropy(out_encoded_public_key,
894	out_private_key, entropy);
895	explicit_bzero(entropy_buf, sizeof(entropy_buf));
896
897	return ret;
898	}
899
900	int	878	int
901	mlkem_private_key_from_seed(const uint8_t *seed, size_t seed_len,	879	mlkem_private_key_from_seed(const uint8_t *seed, size_t seed_len,
902	MLKEM_private_key *out_private_key)	880	MLKEM_private_key *out_private_key)
@@ -1057,20 +1035,6 @@ encrypt_cpa(uint8_t out, const struct public_key pub,
1057	explicit_bzero(input, sizeof(input));	1035	explicit_bzero(input, sizeof(input));
1058	}	1036	}
1059		1037
1060	/* Calls mlkem_encap_external_entropy\| with random bytes */
1061	void
1062	mlkem_encap(const MLKEM_public_key *public_key,
1063	uint8_t *out_ciphertext,
1064	uint8_t out_shared_secret[MLKEM_SHARED_SECRET_LENGTH])
1065	{
1066	uint8_t entropy[MLKEM_ENCAP_ENTROPY];
1067
1068	arc4random_buf(entropy, MLKEM_ENCAP_ENTROPY);
1069	mlkem_encap_external_entropy(out_ciphertext,
1070	out_shared_secret, public_key, entropy);
1071	explicit_bzero(entropy, sizeof(entropy));
1072	}
1073
1074	/* See section 6.2 of the spec. */	1038	/* See section 6.2 of the spec. */
1075	void	1039	void
1076	mlkem_encap_external_entropy(uint8_t *out_ciphertext,	1040	mlkem_encap_external_entropy(uint8_t *out_ciphertext,


diff --git a/src/lib/libcrypto/mlkem/mlkem_internal.h b/src/lib/libcrypto/mlkem/mlkem_internal.h index c8bfb65431..a8b1a16359 100644 --- a/src/lib/libcrypto/mlkem/mlkem_internal.h +++ b/src/lib/libcrypto/mlkem/mlkem_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: mlkem_internal.h,v 1.12 2026/01/16 18:31:12 tb Exp $ */	1	/* $OpenBSD: mlkem_internal.h,v 1.13 2026/01/18 08:49:42 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2023, Google Inc.	3	* Copyright (c) 2023, Google Inc.
4	* Copyright (c) 2025, Bob Beck <beck@obtuse.com>	4	* Copyright (c) 2025, Bob Beck <beck@obtuse.com>
@@ -175,17 +175,6 @@ struct MLKEM768_private_key {
175	/* Key generation. */	175	/* Key generation. */
176		176
177	/*	177	/*
178	* mlkem_generate_key generates a random public/private key pair, writes the
179	* encoded public key to \|out_encoded_public_key\| and sets \|out_private_key\| to
180	* the private key. If \|optional_out_seed\| is not NULL then the seed used to
181	* generate the private key is written to it. The caller is responsible for
182	* ensuring that \|out_encoded_public_key\| and \|out_optonal_seed\| point to
183	* enough memory to contain a key and seed for the rank of \|out_private_key\|.
184	*/
185	int mlkem_generate_key(uint8_t *out_encoded_public_key,
186	uint8_t optional_out_seed, MLKEM_private_key out_private_key);
187
188	/*
189	* mlkem_private_key_from_seed modifies \|out_private_key\| to contain a key of	178	* mlkem_private_key_from_seed modifies \|out_private_key\| to contain a key of
190	* the rank of \|*out_private_key\| from a seed that was generated by	179	* the rank of \|*out_private_key\| from a seed that was generated by
191	* \|MLKEM_generate_key\|. It fails and returns 0 if \|seed_len\| is incorrect, or	180	* \|MLKEM_generate_key\|. It fails and returns 0 if \|seed_len\| is incorrect, or
@@ -208,15 +197,6 @@ void mlkem_public_from_private(const MLKEM_private_key *private_key,
208	/* Encapsulation and decapsulation of secrets. */	197	/* Encapsulation and decapsulation of secrets. */
209		198
210	/*	199	/*
211	* mlkem_encap encrypts a random shared secret for \|public_key\|, writes the
212	* ciphertext to \|out_ciphertext\|, and writes the random shared secret to
213	* \|out_shared_secret\|.
214	*/
215	void mlkem_encap(const MLKEM_public_key *public_key,
216	uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
217	uint8_t out_shared_secret[MLKEM_SHARED_SECRET_LENGTH]);
218
219	/*
220	* mlkem_decap decrypts a shared secret from \|ciphertext\| using \|private_key\|	200	* mlkem_decap decrypts a shared secret from \|ciphertext\| using \|private_key\|
221	* and writes it to \|out_shared_secret\|. If \|ciphertext_len\| is incorrect it	201	* and writes it to \|out_shared_secret\|. If \|ciphertext_len\| is incorrect it
222	* returns 0, otherwise it returns 1. If \|ciphertext\| is invalid,	202	* returns 0, otherwise it returns 1. If \|ciphertext\| is invalid,