grpc 1.37.1 → 1.40.0.pre1

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c

@@ -60,8 +60,9 @@
 
 #include <openssl/mem.h>
 
-#include "internal.h"
 #include "../../internal.h"
+#include "../digest/md32_common.h"
+#include "internal.h"
 
 
 int SHA224_Init(SHA256_CTX *sha) {
@@ -112,71 +113,60 @@ uint8_t *SHA256(const uint8_t *data, size_t len,
   return out;
 }
 
-int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
-  return SHA256_Update(ctx, data, len);
-}
+#ifndef SHA256_ASM
+static void sha256_block_data_order(uint32_t *state, const uint8_t *in,
+                                    size_t num);
+#endif
 
-int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) {
-  // SHA224_Init sets |ctx->md_len| to |SHA224_DIGEST_LENGTH|, so this has a
-  // smaller output.
-  return SHA256_Final(out, ctx);
+void SHA256_Transform(SHA256_CTX *c, const uint8_t data[SHA256_CBLOCK]) {
+  sha256_block_data_order(c->h, data, 1);
 }
 
-#define DATA_ORDER_IS_BIG_ENDIAN
+int SHA256_Update(SHA256_CTX *c, const void *data, size_t len) {
+  crypto_md32_update(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK,
+                     &c->num, &c->Nh, &c->Nl, data, len);
+  return 1;
+}
 
-#define HASH_CTX SHA256_CTX
-#define HASH_CBLOCK 64
-#define HASH_DIGEST_LENGTH 32
+int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
+  return SHA256_Update(ctx, data, len);
+}
 
-// Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
-// default: case below covers for it. It's not clear however if it's permitted
-// to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
-// then default: case shall be extended. For reference. Idea behind separate
-// cases for pre-defined lenghts is to let the compiler decide if it's
-// appropriate to unroll small loops.
-//
-// TODO(davidben): The small |md_len| case is one of the few places a low-level
-// hash 'final' function can fail. This should never happen.
-#define HASH_MAKE_STRING(c, s)                              \
-  do {                                                      \
-    uint32_t ll;                                            \
-    unsigned int nn;                                        \
-    switch ((c)->md_len) {                                  \
-      case SHA224_DIGEST_LENGTH:                            \
-        for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
-          ll = (c)->h[nn];                                  \
-          HOST_l2c(ll, (s));                                \
-        }                                                   \
-        break;                                              \
-      case SHA256_DIGEST_LENGTH:                            \
-        for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
-          ll = (c)->h[nn];                                  \
-          HOST_l2c(ll, (s));                                \
-        }                                                   \
-        break;                                              \
-      default:                                              \
-        if ((c)->md_len > SHA256_DIGEST_LENGTH) {           \
-          return 0;                                         \
-        }                                                   \
-        for (nn = 0; nn < (c)->md_len / 4; nn++) {          \
-          ll = (c)->h[nn];                                  \
-          HOST_l2c(ll, (s));                                \
-        }                                                   \
-        break;                                              \
-    }                                                       \
-  } while (0)
+static int sha256_final_impl(uint8_t *out, SHA256_CTX *c) {
+  crypto_md32_final(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK,
+                    &c->num, c->Nh, c->Nl, /*is_big_endian=*/1);
 
+  // TODO(davidben): This overflow check one of the few places a low-level hash
+  // 'final' function can fail. SHA-512 does not have a corresponding check.
+  // These functions already misbehave if the caller arbitrarily mutates |c|, so
+  // can we assume one of |SHA256_Init| or |SHA224_Init| was used?
+  if (c->md_len > SHA256_DIGEST_LENGTH) {
+    return 0;
+  }
 
-#define HASH_UPDATE SHA256_Update
-#define HASH_TRANSFORM SHA256_Transform
-#define HASH_FINAL SHA256_Final
-#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
-#ifndef SHA256_ASM
-static void sha256_block_data_order(uint32_t *state, const uint8_t *in,
-                                    size_t num);
-#endif
+  assert(c->md_len % 4 == 0);
+  const size_t out_words = c->md_len / 4;
+  for (size_t i = 0; i < out_words; i++) {
+    CRYPTO_store_u32_be(out, c->h[i]);
+    out += 4;
+  }
+  return 1;
+}
 
-#include "../digest/md32_common.h"
+int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *c) {
+  // Ideally we would assert |sha->md_len| is |SHA256_DIGEST_LENGTH| to match
+  // the size hint, but calling code often pairs |SHA224_Init| with
+  // |SHA256_Final| and expects |sha->md_len| to carry the size over.
+  //
+  // TODO(davidben): Add an assert and fix code to match them up.
+  return sha256_final_impl(out, c);
+}
+int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) {
+  // SHA224_Init sets |ctx->md_len| to |SHA224_DIGEST_LENGTH|, so this has a
+  // smaller output.
+  assert(ctx->md_len == SHA224_DIGEST_LENGTH);
+  return sha256_final_impl(out, ctx);
+}
 
 #ifndef SHA256_ASM
 static const uint32_t K256[64] = {
@@ -241,55 +231,53 @@ static void sha256_block_data_order(uint32_t *state, const uint8_t *data,
     g = state[6];
     h = state[7];
 
-    uint32_t l;
-
-    HOST_c2l(data, l);
-    T1 = X[0] = l;
+    T1 = X[0] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(0, a, b, c, d, e, f, g, h);
-    HOST_c2l(data, l);
-    T1 = X[1] = l;
+    T1 = X[1] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(1, h, a, b, c, d, e, f, g);
-    HOST_c2l(data, l);
-    T1 = X[2] = l;
+    T1 = X[2] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(2, g, h, a, b, c, d, e, f);
-    HOST_c2l(data, l);
-    T1 = X[3] = l;
+    T1 = X[3] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(3, f, g, h, a, b, c, d, e);
-    HOST_c2l(data, l);
-    T1 = X[4] = l;
+    T1 = X[4] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(4, e, f, g, h, a, b, c, d);
-    HOST_c2l(data, l);
-    T1 = X[5] = l;
+    T1 = X[5] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(5, d, e, f, g, h, a, b, c);
-    HOST_c2l(data, l);
-    T1 = X[6] = l;
+    T1 = X[6] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(6, c, d, e, f, g, h, a, b);
-    HOST_c2l(data, l);
-    T1 = X[7] = l;
+    T1 = X[7] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(7, b, c, d, e, f, g, h, a);
-    HOST_c2l(data, l);
-    T1 = X[8] = l;
+    T1 = X[8] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(8, a, b, c, d, e, f, g, h);
-    HOST_c2l(data, l);
-    T1 = X[9] = l;
+    T1 = X[9] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(9, h, a, b, c, d, e, f, g);
-    HOST_c2l(data, l);
-    T1 = X[10] = l;
+    T1 = X[10] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(10, g, h, a, b, c, d, e, f);
-    HOST_c2l(data, l);
-    T1 = X[11] = l;
+    T1 = X[11] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(11, f, g, h, a, b, c, d, e);
-    HOST_c2l(data, l);
-    T1 = X[12] = l;
+    T1 = X[12] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(12, e, f, g, h, a, b, c, d);
-    HOST_c2l(data, l);
-    T1 = X[13] = l;
+    T1 = X[13] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(13, d, e, f, g, h, a, b, c);
-    HOST_c2l(data, l);
-    T1 = X[14] = l;
+    T1 = X[14] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(14, c, d, e, f, g, h, a, b);
-    HOST_c2l(data, l);
-    T1 = X[15] = l;
+    T1 = X[15] = CRYPTO_load_u32_be(data);
+    data += 4;
     ROUND_00_15(15, b, c, d, e, f, g, h, a);
 
     for (i = 16; i < 64; i += 8) {
@@ -321,15 +309,6 @@ void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data,
   sha256_block_data_order(state, data, num_blocks);
 }
 
-#undef DATA_ORDER_IS_BIG_ENDIAN
-#undef HASH_CTX
-#undef HASH_CBLOCK
-#undef HASH_DIGEST_LENGTH
-#undef HASH_MAKE_STRING
-#undef HASH_UPDATE
-#undef HASH_TRANSFORM
-#undef HASH_FINAL
-#undef HASH_BLOCK_DATA_ORDER
 #undef ROTATE
 #undef Sigma0
 #undef Sigma1
@@ -339,5 +318,3 @@ void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data,
 #undef Maj
 #undef ROUND_00_15
 #undef ROUND_16_63
-#undef HOST_c2l
-#undef HOST_l2c

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c

@@ -70,6 +70,8 @@
 // this writing, so there is no need for a common collector/padding
 // implementation yet.
 
+static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha);
+
 int SHA384_Init(SHA512_CTX *sha) {
   sha->h[0] = UINT64_C(0xcbbb9d5dc1059ed8);
   sha->h[1] = UINT64_C(0x629a292a367cd507);
@@ -146,8 +148,8 @@ uint8_t *SHA512_256(const uint8_t *data, size_t len,
                     uint8_t out[SHA512_256_DIGEST_LENGTH]) {
   SHA512_CTX ctx;
   SHA512_256_Init(&ctx);
-  SHA512_Update(&ctx, data, len);
-  SHA512_Final(out, &ctx);
+  SHA512_256_Update(&ctx, data, len);
+  SHA512_256_Final(out, &ctx);
   OPENSSL_cleanse(&ctx, sizeof(ctx));
   return out;
 }
@@ -160,8 +162,9 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in,
 
 int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) {
   // |SHA384_Init| sets |sha->md_len| to |SHA384_DIGEST_LENGTH|, so this has a
-  // |smaller output.
-  return SHA512_Final(out, sha);
+  // smaller output.
+  assert(sha->md_len == SHA384_DIGEST_LENGTH);
+  return sha512_final_impl(out, sha);
 }
 
 int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) {
@@ -172,11 +175,11 @@ int SHA512_256_Update(SHA512_CTX *sha, const void *data, size_t len) {
   return SHA512_Update(sha, data, len);
 }
 
-int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH],
-                                    SHA512_CTX *sha) {
+int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) {
   // |SHA512_256_Init| sets |sha->md_len| to |SHA512_256_DIGEST_LENGTH|, so this
   // has a |smaller output.
-  return SHA512_Final(out, sha);
+  assert(sha->md_len == SHA512_256_DIGEST_LENGTH);
+  return sha512_final_impl(out, sha);
 }
 
 void SHA512_Transform(SHA512_CTX *c, const uint8_t block[SHA512_CBLOCK]) {
@@ -232,6 +235,15 @@ int SHA512_Update(SHA512_CTX *c, const void *in_data, size_t len) {
 }
 
 int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
+  // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match
+  // the size hint, but calling code often pairs |SHA384_Init| with
+  // |SHA512_Final| and expects |sha->md_len| to carry the size over.
+  //
+  // TODO(davidben): Add an assert and fix code to match them up.
+  return sha512_final_impl(out, sha);
+}
+
+static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha) {
   uint8_t *p = sha->p;
   size_t n = sha->num;
 
@@ -244,22 +256,8 @@ int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
   }
 
   OPENSSL_memset(p + n, 0, sizeof(sha->p) - 16 - n);
-  p[sizeof(sha->p) - 1] = (uint8_t)(sha->Nl);
-  p[sizeof(sha->p) - 2] = (uint8_t)(sha->Nl >> 8);
-  p[sizeof(sha->p) - 3] = (uint8_t)(sha->Nl >> 16);
-  p[sizeof(sha->p) - 4] = (uint8_t)(sha->Nl >> 24);
-  p[sizeof(sha->p) - 5] = (uint8_t)(sha->Nl >> 32);
-  p[sizeof(sha->p) - 6] = (uint8_t)(sha->Nl >> 40);
-  p[sizeof(sha->p) - 7] = (uint8_t)(sha->Nl >> 48);
-  p[sizeof(sha->p) - 8] = (uint8_t)(sha->Nl >> 56);
-  p[sizeof(sha->p) - 9] = (uint8_t)(sha->Nh);
-  p[sizeof(sha->p) - 10] = (uint8_t)(sha->Nh >> 8);
-  p[sizeof(sha->p) - 11] = (uint8_t)(sha->Nh >> 16);
-  p[sizeof(sha->p) - 12] = (uint8_t)(sha->Nh >> 24);
-  p[sizeof(sha->p) - 13] = (uint8_t)(sha->Nh >> 32);
-  p[sizeof(sha->p) - 14] = (uint8_t)(sha->Nh >> 40);
-  p[sizeof(sha->p) - 15] = (uint8_t)(sha->Nh >> 48);
-  p[sizeof(sha->p) - 16] = (uint8_t)(sha->Nh >> 56);
+  CRYPTO_store_u64_be(p + sizeof(sha->p) - 16, sha->Nh);
+  CRYPTO_store_u64_be(p + sizeof(sha->p) - 8, sha->Nl);
 
   sha512_block_data_order(sha->h, p, 1);
 
@@ -272,9 +270,8 @@ int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
   assert(sha->md_len % 8 == 0);
   const size_t out_words = sha->md_len / 8;
   for (size_t i = 0; i < out_words; i++) {
-    const uint64_t t = CRYPTO_bswap8(sha->h[i]);
-    memcpy(out, &t, sizeof(t));
-    out += sizeof(t);
+    CRYPTO_store_u64_be(out, sha->h[i]);
+    out += 8;
   }
 
   return 1;
@@ -356,12 +353,6 @@ static const uint64_t K512[80] = {
 #define ROTR(x, s) (((x) >> s) | (x) << (64 - s))
 #endif
 
-static inline uint64_t load_u64_be(const void *ptr) {
-  uint64_t ret;
-  OPENSSL_memcpy(&ret, ptr, sizeof(ret));
-  return CRYPTO_bswap8(ret);
-}
-
 #define Sigma0(x) (ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39))
 #define Sigma1(x) (ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41))
 #define sigma0(x) (ROTR((x), 1) ^ ROTR((x), 8) ^ ((x) >> 7))
@@ -392,7 +383,7 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in,
     F[7] = state[7];
 
     for (i = 0; i < 16; i++, F--) {
-      T = load_u64_be(in + i * 8);
+      T = CRYPTO_load_u64_be(in + i * 8);
       F[0] = A;
       F[4] = E;
       F[8] = T;
@@ -464,37 +455,37 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in,
     g = state[6];
     h = state[7];
 
-    T1 = X[0] = load_u64_be(in);
+    T1 = X[0] = CRYPTO_load_u64_be(in);
     ROUND_00_15(0, a, b, c, d, e, f, g, h);
-    T1 = X[1] = load_u64_be(in + 8);
+    T1 = X[1] = CRYPTO_load_u64_be(in + 8);
     ROUND_00_15(1, h, a, b, c, d, e, f, g);
-    T1 = X[2] = load_u64_be(in + 2 * 8);
+    T1 = X[2] = CRYPTO_load_u64_be(in + 2 * 8);
     ROUND_00_15(2, g, h, a, b, c, d, e, f);
-    T1 = X[3] = load_u64_be(in + 3 * 8);
+    T1 = X[3] = CRYPTO_load_u64_be(in + 3 * 8);
     ROUND_00_15(3, f, g, h, a, b, c, d, e);
-    T1 = X[4] = load_u64_be(in + 4 * 8);
+    T1 = X[4] = CRYPTO_load_u64_be(in + 4 * 8);
     ROUND_00_15(4, e, f, g, h, a, b, c, d);
-    T1 = X[5] = load_u64_be(in + 5 * 8);
+    T1 = X[5] = CRYPTO_load_u64_be(in + 5 * 8);
     ROUND_00_15(5, d, e, f, g, h, a, b, c);
-    T1 = X[6] = load_u64_be(in + 6 * 8);
+    T1 = X[6] = CRYPTO_load_u64_be(in + 6 * 8);
     ROUND_00_15(6, c, d, e, f, g, h, a, b);
-    T1 = X[7] = load_u64_be(in + 7 * 8);
+    T1 = X[7] = CRYPTO_load_u64_be(in + 7 * 8);
     ROUND_00_15(7, b, c, d, e, f, g, h, a);
-    T1 = X[8] = load_u64_be(in + 8 * 8);
+    T1 = X[8] = CRYPTO_load_u64_be(in + 8 * 8);
     ROUND_00_15(8, a, b, c, d, e, f, g, h);
-    T1 = X[9] = load_u64_be(in + 9 * 8);
+    T1 = X[9] = CRYPTO_load_u64_be(in + 9 * 8);
     ROUND_00_15(9, h, a, b, c, d, e, f, g);
-    T1 = X[10] = load_u64_be(in + 10 * 8);
+    T1 = X[10] = CRYPTO_load_u64_be(in + 10 * 8);
     ROUND_00_15(10, g, h, a, b, c, d, e, f);
-    T1 = X[11] = load_u64_be(in + 11 * 8);
+    T1 = X[11] = CRYPTO_load_u64_be(in + 11 * 8);
     ROUND_00_15(11, f, g, h, a, b, c, d, e);
-    T1 = X[12] = load_u64_be(in + 12 * 8);
+    T1 = X[12] = CRYPTO_load_u64_be(in + 12 * 8);
     ROUND_00_15(12, e, f, g, h, a, b, c, d);
-    T1 = X[13] = load_u64_be(in + 13 * 8);
+    T1 = X[13] = CRYPTO_load_u64_be(in + 13 * 8);
     ROUND_00_15(13, d, e, f, g, h, a, b, c);
-    T1 = X[14] = load_u64_be(in + 14 * 8);
+    T1 = X[14] = CRYPTO_load_u64_be(in + 14 * 8);
     ROUND_00_15(14, c, d, e, f, g, h, a, b);
-    T1 = X[15] = load_u64_be(in + 15 * 8);
+    T1 = X[15] = CRYPTO_load_u64_be(in + 15 * 8);
     ROUND_00_15(15, b, c, d, e, f, g, h, a);
 
     for (i = 16; i < 80; i += 16) {

data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c

@@ -12,59 +12,66 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
+#include <openssl/hpke.h>
+
 #include <assert.h>
 #include <string.h>
 
 #include <openssl/aead.h>
 #include <openssl/bytestring.h>
+#include <openssl/curve25519.h>
 #include <openssl/digest.h>
 #include <openssl/err.h>
-#include <openssl/evp.h>
+#include <openssl/evp_errors.h>
 #include <openssl/hkdf.h>
+#include <openssl/rand.h>
 #include <openssl/sha.h>
 
 #include "../internal.h"
-#include "internal.h"
 
 
-// This file implements draft-irtf-cfrg-hpke-07.
+// This file implements draft-irtf-cfrg-hpke-08.
 
-#define KEM_CONTEXT_LEN (2 * X25519_PUBLIC_VALUE_LEN)
+#define MAX_SEED_LEN X25519_PRIVATE_KEY_LEN
+#define MAX_SHARED_SECRET_LEN SHA256_DIGEST_LENGTH
 
-// HPKE KEM scheme IDs.
-#define HPKE_DHKEM_X25519_HKDF_SHA256 0x0020
+struct evp_hpke_kem_st {
+  uint16_t id;
+  size_t public_key_len;
+  size_t private_key_len;
+  size_t seed_len;
+  int (*init_key)(EVP_HPKE_KEY *key, const uint8_t *priv_key,
+                  size_t priv_key_len);
+  int (*generate_key)(EVP_HPKE_KEY *key);
+  int (*encap_with_seed)(const EVP_HPKE_KEM *kem, uint8_t *out_shared_secret,
+                         size_t *out_shared_secret_len, uint8_t *out_enc,
+                         size_t *out_enc_len, size_t max_enc,
+                         const uint8_t *peer_public_key,
+                         size_t peer_public_key_len, const uint8_t *seed,
+                         size_t seed_len);
+  int (*decap)(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+               size_t *out_shared_secret_len, const uint8_t *enc,
+               size_t enc_len);
+};
 
-// This is strlen("HPKE") + 3 * sizeof(uint16_t).
-#define HPKE_SUITE_ID_LEN 10
+struct evp_hpke_kdf_st {
+  uint16_t id;
+  // We only support HKDF-based KDFs.
+  const EVP_MD *(*hkdf_md_func)(void);
+};
 
-#define HPKE_MODE_BASE 0
-#define HPKE_MODE_PSK 1
+struct evp_hpke_aead_st {
+  uint16_t id;
+  const EVP_AEAD *(*aead_func)(void);
+};
 
-static const char kHpkeRfcId[] = "HPKE-07";
 
-static int add_label_string(CBB *cbb, const char *label) {
-  return CBB_add_bytes(cbb, (const uint8_t *)label, strlen(label));
-}
+// Low-level labeled KDF functions.
 
-// The suite_id for the KEM is defined as concat("KEM", I2OSP(kem_id, 2)). Note
-// that the suite_id used outside of the KEM also includes the kdf_id and
-// aead_id.
-static const uint8_t kX25519SuiteID[] = {
-    'K', 'E', 'M', HPKE_DHKEM_X25519_HKDF_SHA256 >> 8,
-    HPKE_DHKEM_X25519_HKDF_SHA256 & 0x00ff};
+static const char kHpkeVersionId[] = "HPKE-v1";
 
-// The suite_id for non-KEM pieces of HPKE is defined as concat("HPKE",
-// I2OSP(kem_id, 2), I2OSP(kdf_id, 2), I2OSP(aead_id, 2)).
-static int hpke_build_suite_id(uint8_t out[HPKE_SUITE_ID_LEN], uint16_t kdf_id,
-                               uint16_t aead_id) {
-  CBB cbb;
-  int ret = CBB_init_fixed(&cbb, out, HPKE_SUITE_ID_LEN) &&
-            add_label_string(&cbb, "HPKE") &&
-            CBB_add_u16(&cbb, HPKE_DHKEM_X25519_HKDF_SHA256) &&
-            CBB_add_u16(&cbb, kdf_id) &&
-            CBB_add_u16(&cbb, aead_id);
-  CBB_cleanup(&cbb);
-  return ret;
+static int add_label_string(CBB *cbb, const char *label) {
+  return CBB_add_bytes(cbb, (const uint8_t *)label, strlen(label));
 }
 
 static int hpke_labeled_extract(const EVP_MD *hkdf_md, uint8_t *out_key,
@@ -72,10 +79,10 @@ static int hpke_labeled_extract(const EVP_MD *hkdf_md, uint8_t *out_key,
                                 size_t salt_len, const uint8_t *suite_id,
                                 size_t suite_id_len, const char *label,
                                 const uint8_t *ikm, size_t ikm_len) {
-  // labeledIKM = concat("RFCXXXX ", suite_id, label, IKM)
+  // labeledIKM = concat("HPKE-v1", suite_id, label, IKM)
   CBB labeled_ikm;
   int ok = CBB_init(&labeled_ikm, 0) &&
-           add_label_string(&labeled_ikm, kHpkeRfcId) &&
+           add_label_string(&labeled_ikm, kHpkeVersionId) &&
            CBB_add_bytes(&labeled_ikm, suite_id, suite_id_len) &&
            add_label_string(&labeled_ikm, label) &&
            CBB_add_bytes(&labeled_ikm, ikm, ikm_len) &&
@@ -90,11 +97,11 @@ static int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
                                size_t prk_len, const uint8_t *suite_id,
                                size_t suite_id_len, const char *label,
                                const uint8_t *info, size_t info_len) {
-  // labeledInfo = concat(I2OSP(L, 2), "RFCXXXX ", suite_id, label, info)
+  // labeledInfo = concat(I2OSP(L, 2), "HPKE-v1", suite_id, label, info)
   CBB labeled_info;
   int ok = CBB_init(&labeled_info, 0) &&
            CBB_add_u16(&labeled_info, out_len) &&
-           add_label_string(&labeled_info, kHpkeRfcId) &&
+           add_label_string(&labeled_info, kHpkeVersionId) &&
            CBB_add_bytes(&labeled_info, suite_id, suite_id_len) &&
            add_label_string(&labeled_info, label) &&
            CBB_add_bytes(&labeled_info, info, info_len) &&
@@ -104,102 +111,263 @@ static int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
   return ok;
 }
 
-static int hpke_extract_and_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
-                                   size_t out_len,
-                                   const uint8_t dh[X25519_PUBLIC_VALUE_LEN],
-                                   const uint8_t kem_context[KEM_CONTEXT_LEN]) {
+
+// KEM implementations.
+
+// dhkem_extract_and_expand implements the ExtractAndExpand operation in the
+// DHKEM construction. See section 4.1 of draft-irtf-cfrg-hpke-08.
+static int dhkem_extract_and_expand(uint16_t kem_id, const EVP_MD *hkdf_md,
+                                    uint8_t *out_key, size_t out_len,
+                                    const uint8_t *dh, size_t dh_len,
+                                    const uint8_t *kem_context,
+                                    size_t kem_context_len) {
+  // concat("KEM", I2OSP(kem_id, 2))
+  uint8_t suite_id[5] = {'K', 'E', 'M', kem_id >> 8, kem_id & 0xff};
   uint8_t prk[EVP_MAX_MD_SIZE];
   size_t prk_len;
-  static const char kEaePrkLabel[] = "eae_prk";
-  if (!hpke_labeled_extract(hkdf_md, prk, &prk_len, NULL, 0, kX25519SuiteID,
-                            sizeof(kX25519SuiteID), kEaePrkLabel, dh,
-                            X25519_PUBLIC_VALUE_LEN)) {
+  return hpke_labeled_extract(hkdf_md, prk, &prk_len, NULL, 0, suite_id,
+                              sizeof(suite_id), "eae_prk", dh, dh_len) &&
+         hpke_labeled_expand(hkdf_md, out_key, out_len, prk, prk_len, suite_id,
+                             sizeof(suite_id), "shared_secret", kem_context,
+                             kem_context_len);
+}
+
+static int x25519_init_key(EVP_HPKE_KEY *key, const uint8_t *priv_key,
+                           size_t priv_key_len) {
+  if (priv_key_len != X25519_PRIVATE_KEY_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
-  static const char kPRKExpandLabel[] = "shared_secret";
-  if (!hpke_labeled_expand(hkdf_md, out_key, out_len, prk, prk_len,
-                           kX25519SuiteID, sizeof(kX25519SuiteID),
-                           kPRKExpandLabel, kem_context, KEM_CONTEXT_LEN)) {
+
+  OPENSSL_memcpy(key->private_key, priv_key, priv_key_len);
+  X25519_public_from_private(key->public_key, priv_key);
+  return 1;
+}
+
+static int x25519_generate_key(EVP_HPKE_KEY *key) {
+  X25519_keypair(key->public_key, key->private_key);
+  return 1;
+}
+
+static int x25519_encap_with_seed(
+    const EVP_HPKE_KEM *kem, uint8_t *out_shared_secret,
+    size_t *out_shared_secret_len, uint8_t *out_enc, size_t *out_enc_len,
+    size_t max_enc, const uint8_t *peer_public_key, size_t peer_public_key_len,
+    const uint8_t *seed, size_t seed_len) {
+  if (max_enc < X25519_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
     return 0;
   }
+  if (seed_len != X25519_PRIVATE_KEY_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+  X25519_public_from_private(out_enc, seed);
+
+  uint8_t dh[X25519_SHARED_KEY_LEN];
+  if (peer_public_key_len != X25519_PUBLIC_VALUE_LEN ||
+      !X25519(dh, seed, peer_public_key)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+
+  uint8_t kem_context[2 * X25519_PUBLIC_VALUE_LEN];
+  OPENSSL_memcpy(kem_context, out_enc, X25519_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, peer_public_key,
+                 X25519_PUBLIC_VALUE_LEN);
+  if (!dhkem_extract_and_expand(kem->id, EVP_sha256(), out_shared_secret,
+                                SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+                                kem_context, sizeof(kem_context))) {
+    return 0;
+  }
+
+  *out_enc_len = X25519_PUBLIC_VALUE_LEN;
+  *out_shared_secret_len = SHA256_DIGEST_LENGTH;
   return 1;
 }
 
-const EVP_AEAD *EVP_HPKE_get_aead(uint16_t aead_id) {
-  switch (aead_id) {
-    case EVP_HPKE_AEAD_AES_GCM_128:
-      return EVP_aead_aes_128_gcm();
-    case EVP_HPKE_AEAD_AES_GCM_256:
-      return EVP_aead_aes_256_gcm();
-    case EVP_HPKE_AEAD_CHACHA20POLY1305:
-      return EVP_aead_chacha20_poly1305();
+static int x25519_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+                        size_t *out_shared_secret_len, const uint8_t *enc,
+                        size_t enc_len) {
+  uint8_t dh[X25519_SHARED_KEY_LEN];
+  if (enc_len != X25519_PUBLIC_VALUE_LEN ||
+      !X25519(dh, key->private_key, enc)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
   }
-  OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
-  return NULL;
-}
-
-const EVP_MD *EVP_HPKE_get_hkdf_md(uint16_t kdf_id) {
-  switch (kdf_id) {
-    case EVP_HPKE_HKDF_SHA256:
-      return EVP_sha256();
-    case EVP_HPKE_HKDF_SHA384:
-      return EVP_sha384();
-    case EVP_HPKE_HKDF_SHA512:
-      return EVP_sha512();
+
+  uint8_t kem_context[2 * X25519_PUBLIC_VALUE_LEN];
+  OPENSSL_memcpy(kem_context, enc, X25519_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, key->public_key,
+                 X25519_PUBLIC_VALUE_LEN);
+  if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
+                                SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+                                kem_context, sizeof(kem_context))) {
+    return 0;
   }
-  OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
-  return NULL;
+
+  *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+  return 1;
 }
 
-static int hpke_key_schedule(EVP_HPKE_CTX *hpke, uint8_t mode,
-                             const uint8_t *shared_secret,
-                             size_t shared_secret_len, const uint8_t *info,
-                             size_t info_len, const uint8_t *psk,
-                             size_t psk_len, const uint8_t *psk_id,
-                             size_t psk_id_len) {
-  // Verify the PSK inputs.
-  switch (mode) {
-    case HPKE_MODE_BASE:
-      // This is an internal error, unreachable from the caller.
-      assert(psk_len == 0 && psk_id_len == 0);
-      break;
-    case HPKE_MODE_PSK:
-      if (psk_len == 0 || psk_id_len == 0) {
-        OPENSSL_PUT_ERROR(EVP, EVP_R_EMPTY_PSK);
-        return 0;
-      }
-      break;
-    default:
-      return 0;
+const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void) {
+  static const EVP_HPKE_KEM kKEM = {
+      /*id=*/EVP_HPKE_DHKEM_X25519_HKDF_SHA256,
+      /*public_key_len=*/X25519_PUBLIC_VALUE_LEN,
+      /*private_key_len=*/X25519_PRIVATE_KEY_LEN,
+      /*seed_len=*/X25519_PRIVATE_KEY_LEN,
+      x25519_init_key,
+      x25519_generate_key,
+      x25519_encap_with_seed,
+      x25519_decap,
+  };
+  return &kKEM;
+}
+
+uint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem) { return kem->id; }
+
+void EVP_HPKE_KEY_zero(EVP_HPKE_KEY *key) {
+  OPENSSL_memset(key, 0, sizeof(EVP_HPKE_KEY));
+}
+
+void EVP_HPKE_KEY_cleanup(EVP_HPKE_KEY *key) {
+  // Nothing to clean up for now, but we may introduce a cleanup process in the
+  // future.
+}
+
+int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src) {
+  // For now, |EVP_HPKE_KEY| is trivially copyable.
+  OPENSSL_memcpy(dst, src, sizeof(EVP_HPKE_KEY));
+  return 1;
+}
+
+int EVP_HPKE_KEY_init(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem,
+                      const uint8_t *priv_key, size_t priv_key_len) {
+  EVP_HPKE_KEY_zero(key);
+  key->kem = kem;
+  if (!kem->init_key(key, priv_key, priv_key_len)) {
+    key->kem = NULL;
+    return 0;
   }
+  return 1;
+}
+
+int EVP_HPKE_KEY_generate(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem) {
+  EVP_HPKE_KEY_zero(key);
+  key->kem = kem;
+  if (!kem->generate_key(key)) {
+    key->kem = NULL;
+    return 0;
+  }
+  return 1;
+}
 
-  // Attempt to get an EVP_AEAD*.
-  const EVP_AEAD *aead = EVP_HPKE_get_aead(hpke->aead_id);
-  if (aead == NULL) {
+const EVP_HPKE_KEM *EVP_HPKE_KEY_kem(const EVP_HPKE_KEY *key) {
+  return key->kem;
+}
+
+int EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY *key, uint8_t *out,
+                            size_t *out_len, size_t max_out) {
+  if (max_out < key->kem->public_key_len) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
     return 0;
   }
+  OPENSSL_memcpy(out, key->public_key, key->kem->public_key_len);
+  *out_len = key->kem->public_key_len;
+  return 1;
+}
+
+int EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key, uint8_t *out,
+                            size_t *out_len, size_t max_out) {
+  if (max_out < key->kem->private_key_len) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+    return 0;
+  }
+  OPENSSL_memcpy(out, key->private_key, key->kem->private_key_len);
+  *out_len = key->kem->private_key_len;
+  return 1;
+}
+
+
+// Supported KDFs and AEADs.
+
+const EVP_HPKE_KDF *EVP_hpke_hkdf_sha256(void) {
+  static const EVP_HPKE_KDF kKDF = {EVP_HPKE_HKDF_SHA256, &EVP_sha256};
+  return &kKDF;
+}
+
+uint16_t EVP_HPKE_KDF_id(const EVP_HPKE_KDF *kdf) { return kdf->id; }
+
+const EVP_HPKE_AEAD *EVP_hpke_aes_128_gcm(void) {
+  static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_AES_128_GCM,
+                                      &EVP_aead_aes_128_gcm};
+  return &kAEAD;
+}
+
+const EVP_HPKE_AEAD *EVP_hpke_aes_256_gcm(void) {
+  static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_AES_256_GCM,
+                                      &EVP_aead_aes_256_gcm};
+  return &kAEAD;
+}
+
+const EVP_HPKE_AEAD *EVP_hpke_chacha20_poly1305(void) {
+  static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_CHACHA20_POLY1305,
+                                      &EVP_aead_chacha20_poly1305};
+  return &kAEAD;
+}
+
+uint16_t EVP_HPKE_AEAD_id(const EVP_HPKE_AEAD *aead) { return aead->id; }
+
+const EVP_AEAD *EVP_HPKE_AEAD_aead(const EVP_HPKE_AEAD *aead) {
+  return aead->aead_func();
+}
+
+
+// HPKE implementation.
+
+// This is strlen("HPKE") + 3 * sizeof(uint16_t).
+#define HPKE_SUITE_ID_LEN 10
 
+// The suite_id for non-KEM pieces of HPKE is defined as concat("HPKE",
+// I2OSP(kem_id, 2), I2OSP(kdf_id, 2), I2OSP(aead_id, 2)).
+static int hpke_build_suite_id(const EVP_HPKE_CTX *ctx,
+                               uint8_t out[HPKE_SUITE_ID_LEN]) {
+  CBB cbb;
+  int ret = CBB_init_fixed(&cbb, out, HPKE_SUITE_ID_LEN) &&
+            add_label_string(&cbb, "HPKE") &&
+            CBB_add_u16(&cbb, EVP_HPKE_DHKEM_X25519_HKDF_SHA256) &&
+            CBB_add_u16(&cbb, ctx->kdf->id) &&
+            CBB_add_u16(&cbb, ctx->aead->id);
+  CBB_cleanup(&cbb);
+  return ret;
+}
+
+#define HPKE_MODE_BASE 0
+
+static int hpke_key_schedule(EVP_HPKE_CTX *ctx, const uint8_t *shared_secret,
+                             size_t shared_secret_len, const uint8_t *info,
+                             size_t info_len) {
   uint8_t suite_id[HPKE_SUITE_ID_LEN];
-  if (!hpke_build_suite_id(suite_id, hpke->kdf_id, hpke->aead_id)) {
+  if (!hpke_build_suite_id(ctx, suite_id)) {
     return 0;
   }
 
   // psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id)
-  static const char kPskIdHashLabel[] = "psk_id_hash";
+  // TODO(davidben): Precompute this value and store it with the EVP_HPKE_KDF.
+  const EVP_MD *hkdf_md = ctx->kdf->hkdf_md_func();
   uint8_t psk_id_hash[EVP_MAX_MD_SIZE];
   size_t psk_id_hash_len;
-  if (!hpke_labeled_extract(hpke->hkdf_md, psk_id_hash, &psk_id_hash_len, NULL,
-                            0, suite_id, sizeof(suite_id), kPskIdHashLabel,
-                            psk_id, psk_id_len)) {
+  if (!hpke_labeled_extract(hkdf_md, psk_id_hash, &psk_id_hash_len, NULL, 0,
+                            suite_id, sizeof(suite_id), "psk_id_hash", NULL,
+                            0)) {
     return 0;
   }
 
   // info_hash = LabeledExtract("", "info_hash", info)
-  static const char kInfoHashLabel[] = "info_hash";
   uint8_t info_hash[EVP_MAX_MD_SIZE];
   size_t info_hash_len;
-  if (!hpke_labeled_extract(hpke->hkdf_md, info_hash, &info_hash_len, NULL, 0,
-                            suite_id, sizeof(suite_id), kInfoHashLabel, info,
+  if (!hpke_labeled_extract(hkdf_md, info_hash, &info_hash_len, NULL, 0,
+                            suite_id, sizeof(suite_id), "info_hash", info,
                             info_len)) {
     return 0;
   }
@@ -209,7 +377,7 @@ static int hpke_key_schedule(EVP_HPKE_CTX *hpke, uint8_t mode,
   size_t context_len;
   CBB context_cbb;
   if (!CBB_init_fixed(&context_cbb, context, sizeof(context)) ||
-      !CBB_add_u8(&context_cbb, mode) ||
+      !CBB_add_u8(&context_cbb, HPKE_MODE_BASE) ||
       !CBB_add_bytes(&context_cbb, psk_id_hash, psk_id_hash_len) ||
       !CBB_add_bytes(&context_cbb, info_hash, info_hash_len) ||
       !CBB_finish(&context_cbb, NULL, &context_len)) {
@@ -217,97 +385,44 @@ static int hpke_key_schedule(EVP_HPKE_CTX *hpke, uint8_t mode,
   }
 
   // secret = LabeledExtract(shared_secret, "secret", psk)
-  static const char kSecretExtractLabel[] = "secret";
   uint8_t secret[EVP_MAX_MD_SIZE];
   size_t secret_len;
-  if (!hpke_labeled_extract(hpke->hkdf_md, secret, &secret_len, shared_secret,
+  if (!hpke_labeled_extract(hkdf_md, secret, &secret_len, shared_secret,
                             shared_secret_len, suite_id, sizeof(suite_id),
-                            kSecretExtractLabel, psk, psk_len)) {
+                            "secret", NULL, 0)) {
     return 0;
   }
 
   // key = LabeledExpand(secret, "key", key_schedule_context, Nk)
-  static const char kKeyExpandLabel[] = "key";
+  const EVP_AEAD *aead = EVP_HPKE_AEAD_aead(ctx->aead);
   uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
   const size_t kKeyLen = EVP_AEAD_key_length(aead);
-  if (!hpke_labeled_expand(hpke->hkdf_md, key, kKeyLen, secret, secret_len,
-                           suite_id, sizeof(suite_id), kKeyExpandLabel, context,
-                           context_len)) {
-    return 0;
-  }
-
-  // Initialize the HPKE context's AEAD context, storing a copy of |key|.
-  if (!EVP_AEAD_CTX_init(&hpke->aead_ctx, aead, key, kKeyLen, 0, NULL)) {
+  if (!hpke_labeled_expand(hkdf_md, key, kKeyLen, secret, secret_len, suite_id,
+                           sizeof(suite_id), "key", context, context_len) ||
+      !EVP_AEAD_CTX_init(&ctx->aead_ctx, aead, key, kKeyLen,
+                         EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) {
     return 0;
   }
 
   // base_nonce = LabeledExpand(secret, "base_nonce", key_schedule_context, Nn)
-  static const char kNonceExpandLabel[] = "base_nonce";
-  if (!hpke_labeled_expand(hpke->hkdf_md, hpke->base_nonce,
+  if (!hpke_labeled_expand(hkdf_md, ctx->base_nonce,
                            EVP_AEAD_nonce_length(aead), secret, secret_len,
-                           suite_id, sizeof(suite_id), kNonceExpandLabel,
-                           context, context_len)) {
+                           suite_id, sizeof(suite_id), "base_nonce", context,
+                           context_len)) {
     return 0;
   }
 
   // exporter_secret = LabeledExpand(secret, "exp", key_schedule_context, Nh)
-  static const char kExporterSecretExpandLabel[] = "exp";
-  if (!hpke_labeled_expand(hpke->hkdf_md, hpke->exporter_secret,
-                           EVP_MD_size(hpke->hkdf_md), secret, secret_len,
-                           suite_id, sizeof(suite_id),
-                           kExporterSecretExpandLabel, context, context_len)) {
+  if (!hpke_labeled_expand(hkdf_md, ctx->exporter_secret, EVP_MD_size(hkdf_md),
+                           secret, secret_len, suite_id, sizeof(suite_id),
+                           "exp", context, context_len)) {
     return 0;
   }
 
   return 1;
 }
 
-// The number of bytes written to |out_shared_secret| is the size of the KEM's
-// KDF (currently we only support SHA256).
-static int hpke_encap(EVP_HPKE_CTX *hpke,
-                      uint8_t out_shared_secret[SHA256_DIGEST_LENGTH],
-                      const uint8_t public_key_r[X25519_PUBLIC_VALUE_LEN],
-                      const uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN],
-                      const uint8_t ephemeral_public[X25519_PUBLIC_VALUE_LEN]) {
-  uint8_t dh[X25519_PUBLIC_VALUE_LEN];
-  if (!X25519(dh, ephemeral_private, public_key_r)) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
-    return 0;
-  }
-
-  uint8_t kem_context[KEM_CONTEXT_LEN];
-  OPENSSL_memcpy(kem_context, ephemeral_public, X25519_PUBLIC_VALUE_LEN);
-  OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, public_key_r,
-                 X25519_PUBLIC_VALUE_LEN);
-  if (!hpke_extract_and_expand(EVP_sha256(), out_shared_secret,
-                               SHA256_DIGEST_LENGTH, dh, kem_context)) {
-    return 0;
-  }
-  return 1;
-}
-
-static int hpke_decap(const EVP_HPKE_CTX *hpke,
-                      uint8_t out_shared_secret[SHA256_DIGEST_LENGTH],
-                      const uint8_t enc[X25519_PUBLIC_VALUE_LEN],
-                      const uint8_t public_key_r[X25519_PUBLIC_VALUE_LEN],
-                      const uint8_t secret_key_r[X25519_PRIVATE_KEY_LEN]) {
-  uint8_t dh[X25519_PUBLIC_VALUE_LEN];
-  if (!X25519(dh, secret_key_r, enc)) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
-    return 0;
-  }
-  uint8_t kem_context[KEM_CONTEXT_LEN];
-  OPENSSL_memcpy(kem_context, enc, X25519_PUBLIC_VALUE_LEN);
-  OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, public_key_r,
-                 X25519_PUBLIC_VALUE_LEN);
-  if (!hpke_extract_and_expand(EVP_sha256(), out_shared_secret,
-                               SHA256_DIGEST_LENGTH, dh, kem_context)) {
-    return 0;
-  }
-  return 1;
-}
-
-void EVP_HPKE_CTX_init(EVP_HPKE_CTX *ctx) {
+void EVP_HPKE_CTX_zero(EVP_HPKE_CTX *ctx) {
   OPENSSL_memset(ctx, 0, sizeof(EVP_HPKE_CTX));
   EVP_AEAD_CTX_zero(&ctx->aead_ctx);
 }
@@ -316,217 +431,154 @@ void EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX *ctx) {
   EVP_AEAD_CTX_cleanup(&ctx->aead_ctx);
 }
 
-int EVP_HPKE_CTX_setup_base_s_x25519(
-    EVP_HPKE_CTX *hpke, uint8_t out_enc[X25519_PUBLIC_VALUE_LEN],
-    uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t *info, size_t info_len) {
-  // The GenerateKeyPair() step technically belongs in the KEM's Encap()
-  // function, but we've moved it up a layer to make it easier for tests to
-  // inject an ephemeral keypair.
-  uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN];
-  X25519_keypair(out_enc, ephemeral_private);
-  return EVP_HPKE_CTX_setup_base_s_x25519_for_test(
-      hpke, kdf_id, aead_id, peer_public_value, info, info_len,
-      ephemeral_private, out_enc);
-}
-
-int EVP_HPKE_CTX_setup_base_s_x25519_for_test(
-    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t *info, size_t info_len,
-    const uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN],
-    const uint8_t ephemeral_public[X25519_PUBLIC_VALUE_LEN]) {
-  hpke->is_sender = 1;
-  hpke->kdf_id = kdf_id;
-  hpke->aead_id = aead_id;
-  hpke->hkdf_md = EVP_HPKE_get_hkdf_md(kdf_id);
-  if (hpke->hkdf_md == NULL) {
-    return 0;
-  }
-  uint8_t shared_secret[SHA256_DIGEST_LENGTH];
-  if (!hpke_encap(hpke, shared_secret, peer_public_value, ephemeral_private,
-                  ephemeral_public) ||
-      !hpke_key_schedule(hpke, HPKE_MODE_BASE, shared_secret,
-                         sizeof(shared_secret), info, info_len, NULL, 0, NULL,
-                         0)) {
-    return 0;
-  }
-  return 1;
-}
-
-int EVP_HPKE_CTX_setup_base_r_x25519(
-    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t enc[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t public_key[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t private_key[X25519_PRIVATE_KEY_LEN], const uint8_t *info,
-    size_t info_len) {
-  hpke->is_sender = 0;
-  hpke->kdf_id = kdf_id;
-  hpke->aead_id = aead_id;
-  hpke->hkdf_md = EVP_HPKE_get_hkdf_md(kdf_id);
-  if (hpke->hkdf_md == NULL) {
-    return 0;
-  }
-  uint8_t shared_secret[SHA256_DIGEST_LENGTH];
-  if (!hpke_decap(hpke, shared_secret, enc, public_key, private_key) ||
-      !hpke_key_schedule(hpke, HPKE_MODE_BASE, shared_secret,
-                         sizeof(shared_secret), info, info_len, NULL, 0, NULL,
-                         0)) {
-    return 0;
-  }
-  return 1;
+int EVP_HPKE_CTX_setup_sender(EVP_HPKE_CTX *ctx, uint8_t *out_enc,
+                              size_t *out_enc_len, size_t max_enc,
+                              const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf,
+                              const EVP_HPKE_AEAD *aead,
+                              const uint8_t *peer_public_key,
+                              size_t peer_public_key_len, const uint8_t *info,
+                              size_t info_len) {
+  uint8_t seed[MAX_SEED_LEN];
+  RAND_bytes(seed, kem->seed_len);
+  return EVP_HPKE_CTX_setup_sender_with_seed_for_testing(
+      ctx, out_enc, out_enc_len, max_enc, kem, kdf, aead, peer_public_key,
+      peer_public_key_len, info, info_len, seed, kem->seed_len);
 }
 
-int EVP_HPKE_CTX_setup_psk_s_x25519(
-    EVP_HPKE_CTX *hpke, uint8_t out_enc[X25519_PUBLIC_VALUE_LEN],
-    uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len,
-    const uint8_t *psk_id, size_t psk_id_len) {
-  // The GenerateKeyPair() step technically belongs in the KEM's Encap()
-  // function, but we've moved it up a layer to make it easier for tests to
-  // inject an ephemeral keypair.
-  uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN];
-  X25519_keypair(out_enc, ephemeral_private);
-  return EVP_HPKE_CTX_setup_psk_s_x25519_for_test(
-      hpke, kdf_id, aead_id, peer_public_value, info, info_len, psk, psk_len,
-      psk_id, psk_id_len, ephemeral_private, out_enc);
-}
-
-int EVP_HPKE_CTX_setup_psk_s_x25519_for_test(
-    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len,
-    const uint8_t *psk_id, size_t psk_id_len,
-    const uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN],
-    const uint8_t ephemeral_public[X25519_PUBLIC_VALUE_LEN]) {
-  hpke->is_sender = 1;
-  hpke->kdf_id = kdf_id;
-  hpke->aead_id = aead_id;
-  hpke->hkdf_md = EVP_HPKE_get_hkdf_md(kdf_id);
-  if (hpke->hkdf_md == NULL) {
-    return 0;
-  }
-  uint8_t shared_secret[SHA256_DIGEST_LENGTH];
-  if (!hpke_encap(hpke, shared_secret, peer_public_value, ephemeral_private,
-                  ephemeral_public) ||
-      !hpke_key_schedule(hpke, HPKE_MODE_PSK, shared_secret,
-                         sizeof(shared_secret), info, info_len, psk, psk_len,
-                         psk_id, psk_id_len)) {
+int EVP_HPKE_CTX_setup_sender_with_seed_for_testing(
+    EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
+    const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
+    const uint8_t *peer_public_key, size_t peer_public_key_len,
+    const uint8_t *info, size_t info_len, const uint8_t *seed,
+    size_t seed_len) {
+  EVP_HPKE_CTX_zero(ctx);
+  ctx->is_sender = 1;
+  ctx->kdf = kdf;
+  ctx->aead = aead;
+  uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
+  size_t shared_secret_len;
+  if (!kem->encap_with_seed(kem, shared_secret, &shared_secret_len, out_enc,
+                            out_enc_len, max_enc, peer_public_key,
+                            peer_public_key_len, seed, seed_len) ||
+      !hpke_key_schedule(ctx, shared_secret, shared_secret_len, info,
+                         info_len)) {
+    EVP_HPKE_CTX_cleanup(ctx);
     return 0;
   }
   return 1;
 }
 
-int EVP_HPKE_CTX_setup_psk_r_x25519(
-    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t enc[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t public_key[X25519_PUBLIC_VALUE_LEN],
-    const uint8_t private_key[X25519_PRIVATE_KEY_LEN], const uint8_t *info,
-    size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id,
-    size_t psk_id_len) {
-  hpke->is_sender = 0;
-  hpke->kdf_id = kdf_id;
-  hpke->aead_id = aead_id;
-  hpke->hkdf_md = EVP_HPKE_get_hkdf_md(kdf_id);
-  if (hpke->hkdf_md == NULL) {
-    return 0;
-  }
-  uint8_t shared_secret[SHA256_DIGEST_LENGTH];
-  if (!hpke_decap(hpke, shared_secret, enc, public_key, private_key) ||
-      !hpke_key_schedule(hpke, HPKE_MODE_PSK, shared_secret,
-                         sizeof(shared_secret), info, info_len, psk, psk_len,
-                         psk_id, psk_id_len)) {
+int EVP_HPKE_CTX_setup_recipient(EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key,
+                                 const EVP_HPKE_KDF *kdf,
+                                 const EVP_HPKE_AEAD *aead, const uint8_t *enc,
+                                 size_t enc_len, const uint8_t *info,
+                                 size_t info_len) {
+  EVP_HPKE_CTX_zero(ctx);
+  ctx->is_sender = 0;
+  ctx->kdf = kdf;
+  ctx->aead = aead;
+  uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
+  size_t shared_secret_len;
+  if (!key->kem->decap(key, shared_secret, &shared_secret_len, enc, enc_len) ||
+      !hpke_key_schedule(ctx, shared_secret, sizeof(shared_secret), info,
+                         info_len)) {
+    EVP_HPKE_CTX_cleanup(ctx);
     return 0;
   }
   return 1;
 }
 
-static void hpke_nonce(const EVP_HPKE_CTX *hpke, uint8_t *out_nonce,
+static void hpke_nonce(const EVP_HPKE_CTX *ctx, uint8_t *out_nonce,
                        size_t nonce_len) {
   assert(nonce_len >= 8);
 
-  // Write padded big-endian bytes of |hpke->seq| to |out_nonce|.
+  // Write padded big-endian bytes of |ctx->seq| to |out_nonce|.
   OPENSSL_memset(out_nonce, 0, nonce_len);
-  uint64_t seq_copy = hpke->seq;
+  uint64_t seq_copy = ctx->seq;
   for (size_t i = 0; i < 8; i++) {
     out_nonce[nonce_len - i - 1] = seq_copy & 0xff;
     seq_copy >>= 8;
   }
 
-  // XOR the encoded sequence with the |hpke->base_nonce|.
+  // XOR the encoded sequence with the |ctx->base_nonce|.
   for (size_t i = 0; i < nonce_len; i++) {
-    out_nonce[i] ^= hpke->base_nonce[i];
+    out_nonce[i] ^= ctx->base_nonce[i];
   }
 }
 
-size_t EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX *hpke) {
-  assert(hpke->is_sender);
-  return EVP_AEAD_max_overhead(hpke->aead_ctx.aead);
-}
-
-int EVP_HPKE_CTX_open(EVP_HPKE_CTX *hpke, uint8_t *out, size_t *out_len,
+int EVP_HPKE_CTX_open(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len,
                       size_t max_out_len, const uint8_t *in, size_t in_len,
                       const uint8_t *ad, size_t ad_len) {
-  if (hpke->is_sender) {
+  if (ctx->is_sender) {
     OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
   }
-  if (hpke->seq == UINT64_MAX) {
+  if (ctx->seq == UINT64_MAX) {
     OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
     return 0;
   }
 
   uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
-  const size_t nonce_len = EVP_AEAD_nonce_length(hpke->aead_ctx.aead);
-  hpke_nonce(hpke, nonce, nonce_len);
+  const size_t nonce_len = EVP_AEAD_nonce_length(ctx->aead_ctx.aead);
+  hpke_nonce(ctx, nonce, nonce_len);
 
-  if (!EVP_AEAD_CTX_open(&hpke->aead_ctx, out, out_len, max_out_len, nonce,
+  if (!EVP_AEAD_CTX_open(&ctx->aead_ctx, out, out_len, max_out_len, nonce,
                          nonce_len, in, in_len, ad, ad_len)) {
     return 0;
   }
-  hpke->seq++;
+  ctx->seq++;
   return 1;
 }
 
-int EVP_HPKE_CTX_seal(EVP_HPKE_CTX *hpke, uint8_t *out, size_t *out_len,
+int EVP_HPKE_CTX_seal(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len,
                       size_t max_out_len, const uint8_t *in, size_t in_len,
                       const uint8_t *ad, size_t ad_len) {
-  if (!hpke->is_sender) {
+  if (!ctx->is_sender) {
     OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
   }
-  if (hpke->seq == UINT64_MAX) {
+  if (ctx->seq == UINT64_MAX) {
     OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
     return 0;
   }
 
   uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
-  const size_t nonce_len = EVP_AEAD_nonce_length(hpke->aead_ctx.aead);
-  hpke_nonce(hpke, nonce, nonce_len);
+  const size_t nonce_len = EVP_AEAD_nonce_length(ctx->aead_ctx.aead);
+  hpke_nonce(ctx, nonce, nonce_len);
 
-  if (!EVP_AEAD_CTX_seal(&hpke->aead_ctx, out, out_len, max_out_len, nonce,
+  if (!EVP_AEAD_CTX_seal(&ctx->aead_ctx, out, out_len, max_out_len, nonce,
                          nonce_len, in, in_len, ad, ad_len)) {
     return 0;
   }
-  hpke->seq++;
+  ctx->seq++;
   return 1;
 }
 
-int EVP_HPKE_CTX_export(const EVP_HPKE_CTX *hpke, uint8_t *out,
+int EVP_HPKE_CTX_export(const EVP_HPKE_CTX *ctx, uint8_t *out,
                         size_t secret_len, const uint8_t *context,
                         size_t context_len) {
   uint8_t suite_id[HPKE_SUITE_ID_LEN];
-  if (!hpke_build_suite_id(suite_id, hpke->kdf_id, hpke->aead_id)) {
+  if (!hpke_build_suite_id(ctx, suite_id)) {
     return 0;
   }
-  static const char kExportExpandLabel[] = "sec";
-  if (!hpke_labeled_expand(hpke->hkdf_md, out, secret_len,
-                           hpke->exporter_secret, EVP_MD_size(hpke->hkdf_md),
-                           suite_id, sizeof(suite_id), kExportExpandLabel,
-                           context, context_len)) {
+  const EVP_MD *hkdf_md = ctx->kdf->hkdf_md_func();
+  if (!hpke_labeled_expand(hkdf_md, out, secret_len, ctx->exporter_secret,
+                           EVP_MD_size(hkdf_md), suite_id, sizeof(suite_id),
+                           "sec", context, context_len)) {
     return 0;
   }
   return 1;
 }
+
+size_t EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX *ctx) {
+  assert(ctx->is_sender);
+  return EVP_AEAD_max_overhead(EVP_AEAD_CTX_aead(&ctx->aead_ctx));
+}
+
+const EVP_HPKE_AEAD *EVP_HPKE_CTX_aead(const EVP_HPKE_CTX *ctx) {
+  return ctx->aead;
+}
+
+const EVP_HPKE_KDF *EVP_HPKE_CTX_kdf(const EVP_HPKE_CTX *ctx) {
+  return ctx->kdf;
+}