grpc 1.37.1 → 1.38.0.pre1

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c

@@ -70,6 +70,8 @@
 // this writing, so there is no need for a common collector/padding
 // implementation yet.
 
+static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha);
+
 int SHA384_Init(SHA512_CTX *sha) {
   sha->h[0] = UINT64_C(0xcbbb9d5dc1059ed8);
   sha->h[1] = UINT64_C(0x629a292a367cd507);
@@ -146,8 +148,8 @@ uint8_t *SHA512_256(const uint8_t *data, size_t len,
                     uint8_t out[SHA512_256_DIGEST_LENGTH]) {
   SHA512_CTX ctx;
   SHA512_256_Init(&ctx);
-  SHA512_Update(&ctx, data, len);
-  SHA512_Final(out, &ctx);
+  SHA512_256_Update(&ctx, data, len);
+  SHA512_256_Final(out, &ctx);
   OPENSSL_cleanse(&ctx, sizeof(ctx));
   return out;
 }
@@ -161,7 +163,8 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in,
 int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) {
   // |SHA384_Init| sets |sha->md_len| to |SHA384_DIGEST_LENGTH|, so this has a
   // |smaller output.
-  return SHA512_Final(out, sha);
+  assert(sha->md_len == SHA384_DIGEST_LENGTH);
+  return sha512_final_impl(out, sha);
 }
 
 int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) {
@@ -172,11 +175,11 @@ int SHA512_256_Update(SHA512_CTX *sha, const void *data, size_t len) {
   return SHA512_Update(sha, data, len);
 }
 
-int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH],
-                                    SHA512_CTX *sha) {
+int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) {
   // |SHA512_256_Init| sets |sha->md_len| to |SHA512_256_DIGEST_LENGTH|, so this
   // has a |smaller output.
-  return SHA512_Final(out, sha);
+  assert(sha->md_len == SHA512_256_DIGEST_LENGTH);
+  return sha512_final_impl(out, sha);
 }
 
 void SHA512_Transform(SHA512_CTX *c, const uint8_t block[SHA512_CBLOCK]) {
@@ -232,6 +235,15 @@ int SHA512_Update(SHA512_CTX *c, const void *in_data, size_t len) {
 }
 
 int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
+  // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match
+  // the size hint, but calling code often pairs |SHA384_Init| with
+  // |SHA512_Final| and expects |sha->md_len| to carry the over.
+  //
+  // TODO(davidben): Add an assert and fix code to match them up.
+  return sha512_final_impl(out, sha);
+}
+
+static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha) {
   uint8_t *p = sha->p;
   size_t n = sha->num;
 
@@ -244,22 +256,8 @@ int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
   }
 
   OPENSSL_memset(p + n, 0, sizeof(sha->p) - 16 - n);
-  p[sizeof(sha->p) - 1] = (uint8_t)(sha->Nl);
-  p[sizeof(sha->p) - 2] = (uint8_t)(sha->Nl >> 8);
-  p[sizeof(sha->p) - 3] = (uint8_t)(sha->Nl >> 16);
-  p[sizeof(sha->p) - 4] = (uint8_t)(sha->Nl >> 24);
-  p[sizeof(sha->p) - 5] = (uint8_t)(sha->Nl >> 32);
-  p[sizeof(sha->p) - 6] = (uint8_t)(sha->Nl >> 40);
-  p[sizeof(sha->p) - 7] = (uint8_t)(sha->Nl >> 48);
-  p[sizeof(sha->p) - 8] = (uint8_t)(sha->Nl >> 56);
-  p[sizeof(sha->p) - 9] = (uint8_t)(sha->Nh);
-  p[sizeof(sha->p) - 10] = (uint8_t)(sha->Nh >> 8);
-  p[sizeof(sha->p) - 11] = (uint8_t)(sha->Nh >> 16);
-  p[sizeof(sha->p) - 12] = (uint8_t)(sha->Nh >> 24);
-  p[sizeof(sha->p) - 13] = (uint8_t)(sha->Nh >> 32);
-  p[sizeof(sha->p) - 14] = (uint8_t)(sha->Nh >> 40);
-  p[sizeof(sha->p) - 15] = (uint8_t)(sha->Nh >> 48);
-  p[sizeof(sha->p) - 16] = (uint8_t)(sha->Nh >> 56);
+  CRYPTO_store_u64_be(p + sizeof(sha->p) - 16, sha->Nh);
+  CRYPTO_store_u64_be(p + sizeof(sha->p) - 8, sha->Nl);
 
   sha512_block_data_order(sha->h, p, 1);
 
@@ -356,12 +354,6 @@ static const uint64_t K512[80] = {
 #define ROTR(x, s) (((x) >> s) | (x) << (64 - s))
 #endif
 
-static inline uint64_t load_u64_be(const void *ptr) {
-  uint64_t ret;
-  OPENSSL_memcpy(&ret, ptr, sizeof(ret));
-  return CRYPTO_bswap8(ret);
-}
-
 #define Sigma0(x) (ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39))
 #define Sigma1(x) (ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41))
 #define sigma0(x) (ROTR((x), 1) ^ ROTR((x), 8) ^ ((x) >> 7))
@@ -392,7 +384,7 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in,
     F[7] = state[7];
 
     for (i = 0; i < 16; i++, F--) {
-      T = load_u64_be(in + i * 8);
+      T = CRYPTO_load_u64_be(in + i * 8);
       F[0] = A;
       F[4] = E;
       F[8] = T;
@@ -464,37 +456,37 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in,
     g = state[6];
     h = state[7];
 
-    T1 = X[0] = load_u64_be(in);
+    T1 = X[0] = CRYPTO_load_u64_be(in);
     ROUND_00_15(0, a, b, c, d, e, f, g, h);
-    T1 = X[1] = load_u64_be(in + 8);
+    T1 = X[1] = CRYPTO_load_u64_be(in + 8);
     ROUND_00_15(1, h, a, b, c, d, e, f, g);
-    T1 = X[2] = load_u64_be(in + 2 * 8);
+    T1 = X[2] = CRYPTO_load_u64_be(in + 2 * 8);
     ROUND_00_15(2, g, h, a, b, c, d, e, f);
-    T1 = X[3] = load_u64_be(in + 3 * 8);
+    T1 = X[3] = CRYPTO_load_u64_be(in + 3 * 8);
     ROUND_00_15(3, f, g, h, a, b, c, d, e);
-    T1 = X[4] = load_u64_be(in + 4 * 8);
+    T1 = X[4] = CRYPTO_load_u64_be(in + 4 * 8);
     ROUND_00_15(4, e, f, g, h, a, b, c, d);
-    T1 = X[5] = load_u64_be(in + 5 * 8);
+    T1 = X[5] = CRYPTO_load_u64_be(in + 5 * 8);
     ROUND_00_15(5, d, e, f, g, h, a, b, c);
-    T1 = X[6] = load_u64_be(in + 6 * 8);
+    T1 = X[6] = CRYPTO_load_u64_be(in + 6 * 8);
     ROUND_00_15(6, c, d, e, f, g, h, a, b);
-    T1 = X[7] = load_u64_be(in + 7 * 8);
+    T1 = X[7] = CRYPTO_load_u64_be(in + 7 * 8);
     ROUND_00_15(7, b, c, d, e, f, g, h, a);
-    T1 = X[8] = load_u64_be(in + 8 * 8);
+    T1 = X[8] = CRYPTO_load_u64_be(in + 8 * 8);
     ROUND_00_15(8, a, b, c, d, e, f, g, h);
-    T1 = X[9] = load_u64_be(in + 9 * 8);
+    T1 = X[9] = CRYPTO_load_u64_be(in + 9 * 8);
     ROUND_00_15(9, h, a, b, c, d, e, f, g);
-    T1 = X[10] = load_u64_be(in + 10 * 8);
+    T1 = X[10] = CRYPTO_load_u64_be(in + 10 * 8);
     ROUND_00_15(10, g, h, a, b, c, d, e, f);
-    T1 = X[11] = load_u64_be(in + 11 * 8);
+    T1 = X[11] = CRYPTO_load_u64_be(in + 11 * 8);
     ROUND_00_15(11, f, g, h, a, b, c, d, e);
-    T1 = X[12] = load_u64_be(in + 12 * 8);
+    T1 = X[12] = CRYPTO_load_u64_be(in + 12 * 8);
     ROUND_00_15(12, e, f, g, h, a, b, c, d);
-    T1 = X[13] = load_u64_be(in + 13 * 8);
+    T1 = X[13] = CRYPTO_load_u64_be(in + 13 * 8);
     ROUND_00_15(13, d, e, f, g, h, a, b, c);
-    T1 = X[14] = load_u64_be(in + 14 * 8);
+    T1 = X[14] = CRYPTO_load_u64_be(in + 14 * 8);
     ROUND_00_15(14, c, d, e, f, g, h, a, b);
-    T1 = X[15] = load_u64_be(in + 15 * 8);
+    T1 = X[15] = CRYPTO_load_u64_be(in + 15 * 8);
     ROUND_00_15(15, b, c, d, e, f, g, h, a);
 
     for (i = 16; i < 80; i += 16) {

data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c

@@ -17,9 +17,10 @@
 
 #include <openssl/aead.h>
 #include <openssl/bytestring.h>
+#include <openssl/curve25519.h>
 #include <openssl/digest.h>
 #include <openssl/err.h>
-#include <openssl/evp.h>
+#include <openssl/evp_errors.h>
 #include <openssl/hkdf.h>
 #include <openssl/sha.h>
 
@@ -31,9 +32,6 @@
 
 #define KEM_CONTEXT_LEN (2 * X25519_PUBLIC_VALUE_LEN)
 
-// HPKE KEM scheme IDs.
-#define HPKE_DHKEM_X25519_HKDF_SHA256 0x0020
-
 // This is strlen("HPKE") + 3 * sizeof(uint16_t).
 #define HPKE_SUITE_ID_LEN 10
 
@@ -50,8 +48,8 @@ static int add_label_string(CBB *cbb, const char *label) {
 // that the suite_id used outside of the KEM also includes the kdf_id and
 // aead_id.
 static const uint8_t kX25519SuiteID[] = {
-    'K', 'E', 'M', HPKE_DHKEM_X25519_HKDF_SHA256 >> 8,
-    HPKE_DHKEM_X25519_HKDF_SHA256 & 0x00ff};
+    'K', 'E', 'M', EVP_HPKE_DHKEM_X25519_HKDF_SHA256 >> 8,
+    EVP_HPKE_DHKEM_X25519_HKDF_SHA256 & 0x00ff};
 
 // The suite_id for non-KEM pieces of HPKE is defined as concat("HPKE",
 // I2OSP(kem_id, 2), I2OSP(kdf_id, 2), I2OSP(aead_id, 2)).
@@ -60,7 +58,7 @@ static int hpke_build_suite_id(uint8_t out[HPKE_SUITE_ID_LEN], uint16_t kdf_id,
   CBB cbb;
   int ret = CBB_init_fixed(&cbb, out, HPKE_SUITE_ID_LEN) &&
             add_label_string(&cbb, "HPKE") &&
-            CBB_add_u16(&cbb, HPKE_DHKEM_X25519_HKDF_SHA256) &&
+            CBB_add_u16(&cbb, EVP_HPKE_DHKEM_X25519_HKDF_SHA256) &&
             CBB_add_u16(&cbb, kdf_id) &&
             CBB_add_u16(&cbb, aead_id);
   CBB_cleanup(&cbb);
@@ -125,11 +123,19 @@ static int hpke_extract_and_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
   return 1;
 }
 
+uint16_t EVP_HPKE_CTX_get_aead_id(const EVP_HPKE_CTX *hpke) {
+  return hpke->aead_id;
+}
+
+uint16_t EVP_HPKE_CTX_get_kdf_id(const EVP_HPKE_CTX *hpke) {
+  return hpke->kdf_id;
+}
+
 const EVP_AEAD *EVP_HPKE_get_aead(uint16_t aead_id) {
   switch (aead_id) {
-    case EVP_HPKE_AEAD_AES_GCM_128:
+    case EVP_HPKE_AEAD_AES_128_GCM:
       return EVP_aead_aes_128_gcm();
-    case EVP_HPKE_AEAD_AES_GCM_256:
+    case EVP_HPKE_AEAD_AES_256_GCM:
       return EVP_aead_aes_256_gcm();
     case EVP_HPKE_AEAD_CHACHA20POLY1305:
       return EVP_aead_chacha20_poly1305();
@@ -316,27 +322,44 @@ void EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX *ctx) {
   EVP_AEAD_CTX_cleanup(&ctx->aead_ctx);
 }
 
-int EVP_HPKE_CTX_setup_base_s_x25519(
-    EVP_HPKE_CTX *hpke, uint8_t out_enc[X25519_PUBLIC_VALUE_LEN],
-    uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t *info, size_t info_len) {
+int EVP_HPKE_CTX_setup_base_s_x25519(EVP_HPKE_CTX *hpke, uint8_t *out_enc,
+                                     size_t out_enc_len, uint16_t kdf_id,
+                                     uint16_t aead_id,
+                                     const uint8_t *peer_public_value,
+                                     size_t peer_public_value_len,
+                                     const uint8_t *info, size_t info_len) {
+  if (out_enc_len != X25519_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+    return 0;
+  }
+
   // The GenerateKeyPair() step technically belongs in the KEM's Encap()
   // function, but we've moved it up a layer to make it easier for tests to
   // inject an ephemeral keypair.
   uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN];
   X25519_keypair(out_enc, ephemeral_private);
   return EVP_HPKE_CTX_setup_base_s_x25519_for_test(
-      hpke, kdf_id, aead_id, peer_public_value, info, info_len,
-      ephemeral_private, out_enc);
+      hpke, kdf_id, aead_id, peer_public_value, peer_public_value_len, info,
+      info_len, ephemeral_private, sizeof(ephemeral_private), out_enc,
+      out_enc_len);
 }
 
 int EVP_HPKE_CTX_setup_base_s_x25519_for_test(
     EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t *info, size_t info_len,
-    const uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN],
-    const uint8_t ephemeral_public[X25519_PUBLIC_VALUE_LEN]) {
+    const uint8_t *peer_public_value, size_t peer_public_value_len,
+    const uint8_t *info, size_t info_len, const uint8_t *ephemeral_private,
+    size_t ephemeral_private_len, const uint8_t *ephemeral_public,
+    size_t ephemeral_public_len) {
+  if (peer_public_value_len != X25519_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+  if (ephemeral_private_len != X25519_PRIVATE_KEY_LEN ||
+      ephemeral_public_len != X25519_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
   hpke->is_sender = 1;
   hpke->kdf_id = kdf_id;
   hpke->aead_id = aead_id;
@@ -355,12 +378,23 @@ int EVP_HPKE_CTX_setup_base_s_x25519_for_test(
   return 1;
 }
 
-int EVP_HPKE_CTX_setup_base_r_x25519(
-    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t enc[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t public_key[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t private_key[X25519_PRIVATE_KEY_LEN], const uint8_t *info,
-    size_t info_len) {
+int EVP_HPKE_CTX_setup_base_r_x25519(EVP_HPKE_CTX *hpke, uint16_t kdf_id,
+                                     uint16_t aead_id, const uint8_t *enc,
+                                     size_t enc_len, const uint8_t *public_key,
+                                     size_t public_key_len,
+                                     const uint8_t *private_key,
+                                     size_t private_key_len,
+                                     const uint8_t *info, size_t info_len) {
+  if (enc_len != X25519_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+  if (public_key_len != X25519_PUBLIC_VALUE_LEN ||
+      private_key_len != X25519_PRIVATE_KEY_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
   hpke->is_sender = 0;
   hpke->kdf_id = kdf_id;
   hpke->aead_id = aead_id;
@@ -378,29 +412,47 @@ int EVP_HPKE_CTX_setup_base_r_x25519(
   return 1;
 }
 
-int EVP_HPKE_CTX_setup_psk_s_x25519(
-    EVP_HPKE_CTX *hpke, uint8_t out_enc[X25519_PUBLIC_VALUE_LEN],
-    uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len,
-    const uint8_t *psk_id, size_t psk_id_len) {
+int EVP_HPKE_CTX_setup_psk_s_x25519(EVP_HPKE_CTX *hpke, uint8_t *out_enc,
+                                    size_t out_enc_len, uint16_t kdf_id,
+                                    uint16_t aead_id,
+                                    const uint8_t *peer_public_value,
+                                    size_t peer_public_value_len,
+                                    const uint8_t *info, size_t info_len,
+                                    const uint8_t *psk, size_t psk_len,
+                                    const uint8_t *psk_id, size_t psk_id_len) {
+  if (out_enc_len != X25519_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+    return 0;
+  }
+
   // The GenerateKeyPair() step technically belongs in the KEM's Encap()
   // function, but we've moved it up a layer to make it easier for tests to
   // inject an ephemeral keypair.
   uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN];
   X25519_keypair(out_enc, ephemeral_private);
   return EVP_HPKE_CTX_setup_psk_s_x25519_for_test(
-      hpke, kdf_id, aead_id, peer_public_value, info, info_len, psk, psk_len,
-      psk_id, psk_id_len, ephemeral_private, out_enc);
+      hpke, kdf_id, aead_id, peer_public_value, peer_public_value_len, info,
+      info_len, psk, psk_len, psk_id, psk_id_len, ephemeral_private,
+      sizeof(ephemeral_private), out_enc, out_enc_len);
 }
 
 int EVP_HPKE_CTX_setup_psk_s_x25519_for_test(
     EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
+    const uint8_t *peer_public_value, size_t peer_public_value_len,
     const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len,
-    const uint8_t *psk_id, size_t psk_id_len,
-    const uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN],
-    const uint8_t ephemeral_public[X25519_PUBLIC_VALUE_LEN]) {
+    const uint8_t *psk_id, size_t psk_id_len, const uint8_t *ephemeral_private,
+    size_t ephemeral_private_len, const uint8_t *ephemeral_public,
+    size_t ephemeral_public_len) {
+  if (peer_public_value_len != X25519_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+  if (ephemeral_private_len != X25519_PRIVATE_KEY_LEN ||
+      ephemeral_public_len != X25519_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
   hpke->is_sender = 1;
   hpke->kdf_id = kdf_id;
   hpke->aead_id = aead_id;
@@ -420,12 +472,21 @@ int EVP_HPKE_CTX_setup_psk_s_x25519_for_test(
 }
 
 int EVP_HPKE_CTX_setup_psk_r_x25519(
-    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t enc[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t public_key[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t private_key[X25519_PRIVATE_KEY_LEN], const uint8_t *info,
+    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id, const uint8_t *enc,
+    size_t enc_len, const uint8_t *public_key, size_t public_key_len,
+    const uint8_t *private_key, size_t private_key_len, const uint8_t *info,
     size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id,
     size_t psk_id_len) {
+  if (enc_len != X25519_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+  if (public_key_len != X25519_PUBLIC_VALUE_LEN ||
+      private_key_len != X25519_PRIVATE_KEY_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
   hpke->is_sender = 0;
   hpke->kdf_id = kdf_id;
   hpke->aead_id = aead_id;

data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h

@@ -33,9 +33,12 @@ extern "C" {
 //
 // See https://tools.ietf.org/html/draft-irtf-cfrg-hpke-07.
 
+// EVP_HPKE_DHKEM_* are KEM identifiers.
+#define EVP_HPKE_DHKEM_X25519_HKDF_SHA256 0x0020
+
 // EVP_HPKE_AEAD_* are AEAD identifiers.
-#define EVP_HPKE_AEAD_AES_GCM_128 0x0001
-#define EVP_HPKE_AEAD_AES_GCM_256 0x0002
+#define EVP_HPKE_AEAD_AES_128_GCM 0x0001
+#define EVP_HPKE_AEAD_AES_256_GCM 0x0002
 #define EVP_HPKE_AEAD_CHACHA20POLY1305 0x0003
 
 // EVP_HPKE_HKDF_* are HKDF identifiers.
@@ -86,32 +89,35 @@ OPENSSL_EXPORT void EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX *ctx);
 // recipient's public key). It returns one on success, and zero otherwise. Note
 // that this function will fail if |peer_public_value| is invalid.
 //
-// This function writes the encapsulated shared secret to |out_enc|.
+// This function writes the encapsulated shared secret, a Diffie-Hellman public
+// key, to |out_enc|. It will fail if the buffer's size in |out_enc_len| is not
+// exactly |X25519_PUBLIC_VALUE_LEN|.
 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_base_s_x25519(
-    EVP_HPKE_CTX *hpke, uint8_t out_enc[X25519_PUBLIC_VALUE_LEN],
-    uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t *info, size_t info_len);
+    EVP_HPKE_CTX *hpke, uint8_t *out_enc, size_t out_enc_len, uint16_t kdf_id,
+    uint16_t aead_id, const uint8_t *peer_public_value,
+    size_t peer_public_value_len, const uint8_t *info, size_t info_len);
 
 // EVP_HPKE_CTX_setup_base_s_x25519_for_test behaves like
 // |EVP_HPKE_CTX_setup_base_s_x25519|, but takes a pre-generated ephemeral
-// sender key.
+// sender key. The caller ensures that |ephemeral_public| and
+// |ephemeral_private| are a valid keypair.
 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_base_s_x25519_for_test(
     EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t *info, size_t info_len,
-    const uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN],
-    const uint8_t ephemeral_public[X25519_PUBLIC_VALUE_LEN]);
+    const uint8_t *peer_public_value, size_t peer_public_value_len,
+    const uint8_t *info, size_t info_len, const uint8_t *ephemeral_private,
+    size_t ephemeral_private_len, const uint8_t *ephemeral_public,
+    size_t ephemeral_public_len);
 
 // EVP_HPKE_CTX_setup_base_r_x25519 sets up |hpke| as a recipient context that
-// can decrypt messages. |private_key| is the recipient's private key, and |enc|
-// is the encapsulated shared secret from the sender. Note that this function
-// will fail if |enc| is invalid.
+// can decrypt messages. It returns one on success, and zero otherwise.
+//
+// The recipient's keypair is composed of |public_key| and |private_key|, and
+// |enc| is the encapsulated shared secret from the sender. If |enc| is invalid,
+// this function will fail.
 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_base_r_x25519(
-    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t enc[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t public_key[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t private_key[X25519_PRIVATE_KEY_LEN], const uint8_t *info,
+    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id, const uint8_t *enc,
+    size_t enc_len, const uint8_t *public_key, size_t public_key_len,
+    const uint8_t *private_key, size_t private_key_len, const uint8_t *info,
     size_t info_len);
 
 // EVP_HPKE_CTX_setup_psk_s_x25519 sets up |hpke| as a sender context that can
@@ -124,39 +130,44 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_base_r_x25519(
 // must be nonempty (|psk_len| and |psk_id_len| must be non-zero), or this
 // function will fail.
 //
-// This function writes the encapsulated shared secret to |out_enc|.
+// This function writes the encapsulated shared secret, a Diffie-Hellman public
+// key, to |out_enc|. It will fail if the buffer's size in |out_enc_len| is not
+// exactly |X25519_PUBLIC_VALUE_LEN|.
 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_psk_s_x25519(
-    EVP_HPKE_CTX *hpke, uint8_t out_enc[X25519_PUBLIC_VALUE_LEN],
-    uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len,
-    const uint8_t *psk_id, size_t psk_id_len);
+    EVP_HPKE_CTX *hpke, uint8_t *out_enc, size_t out_enc_len, uint16_t kdf_id,
+    uint16_t aead_id, const uint8_t *peer_public_value,
+    size_t peer_public_value_len, const uint8_t *info, size_t info_len,
+    const uint8_t *psk, size_t psk_len, const uint8_t *psk_id,
+    size_t psk_id_len);
 
 // EVP_HPKE_CTX_setup_psk_s_x25519_for_test behaves like
 // |EVP_HPKE_CTX_setup_psk_s_x25519|, but takes a pre-generated ephemeral sender
-// key.
+// key. The caller ensures that |ephemeral_public| and |ephemeral_private| are a
+// valid keypair.
 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_psk_s_x25519_for_test(
     EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
+    const uint8_t *peer_public_value, size_t peer_public_value_len,
     const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len,
-    const uint8_t *psk_id, size_t psk_id_len,
-    const uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN],
-    const uint8_t ephemeral_public[X25519_PUBLIC_VALUE_LEN]);
+    const uint8_t *psk_id, size_t psk_id_len, const uint8_t *ephemeral_private,
+    size_t ephemeral_private_len, const uint8_t *ephemeral_public,
+    size_t ephemeral_public_len);
 
 // EVP_HPKE_CTX_setup_psk_r_x25519 sets up |hpke| as a recipient context that
 // can decrypt messages. Future open (decrypt) operations will fail if the
-// sender does not possess the PSK indicated by |psk| and |psk_id|.
-// |private_key| is the recipient's private key, and |enc| is the encapsulated
-// shared secret from the sender. If |enc| is invalid, this function will fail.
+// sender does not possess the PSK indicated by |psk| and |psk_id|. It returns
+// one on success, and zero otherwise.
+//
+// The recipient's keypair is composed of |public_key| and |private_key|, and
+// |enc| is the encapsulated shared secret from the sender. If |enc| is invalid,
+// this function will fail.
 //
 // The PSK and its ID must be provided in |psk| and |psk_id|, respectively. Both
 // must be nonempty (|psk_len| and |psk_id_len| must be non-zero), or this
 // function will fail.
 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_psk_r_x25519(
-    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t enc[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t public_key[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t private_key[X25519_PRIVATE_KEY_LEN], const uint8_t *info,
+    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id, const uint8_t *enc,
+    size_t enc_len, const uint8_t *public_key, size_t public_key_len,
+    const uint8_t *private_key, size_t private_key_len, const uint8_t *info,
     size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id,
     size_t psk_id_len);
 
@@ -216,6 +227,16 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_export(const EVP_HPKE_CTX *hpke, uint8_t *out,
 // set up as a sender.
 OPENSSL_EXPORT size_t EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX *hpke);
 
+// EVP_HPKE_CTX_get_aead_id returns |hpke|'s configured AEAD. The returned value
+// is one of the |EVP_HPKE_AEAD_*| constants, or zero if the context has not
+// been set up.
+OPENSSL_EXPORT uint16_t EVP_HPKE_CTX_get_aead_id(const EVP_HPKE_CTX *hpke);
+
+// EVP_HPKE_CTX_get_aead_id returns |hpke|'s configured KDF. The returned value
+// is one of the |EVP_HPKE_HKDF_*| constants, or zero if the context has not
+// been set up.
+OPENSSL_EXPORT uint16_t EVP_HPKE_CTX_get_kdf_id(const EVP_HPKE_CTX *hpke);
+
 // EVP_HPKE_get_aead returns the AEAD corresponding to |aead_id|, or NULL if
 // |aead_id| is not a known AEAD identifier.
 OPENSSL_EXPORT const EVP_AEAD *EVP_HPKE_get_aead(uint16_t aead_id);