grpc 1.38.0 → 1.39.0.pre1

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c

@@ -162,7 +162,7 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in,
 
 int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) {
   // |SHA384_Init| sets |sha->md_len| to |SHA384_DIGEST_LENGTH|, so this has a
-  // |smaller output.
+  // smaller output.
   assert(sha->md_len == SHA384_DIGEST_LENGTH);
   return sha512_final_impl(out, sha);
 }
@@ -237,7 +237,7 @@ int SHA512_Update(SHA512_CTX *c, const void *in_data, size_t len) {
 int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
   // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match
   // the size hint, but calling code often pairs |SHA384_Init| with
-  // |SHA512_Final| and expects |sha->md_len| to carry the over.
+  // |SHA512_Final| and expects |sha->md_len| to carry the size over.
   //
   // TODO(davidben): Add an assert and fix code to match them up.
   return sha512_final_impl(out, sha);
@@ -270,9 +270,8 @@ static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha) {
   assert(sha->md_len % 8 == 0);
   const size_t out_words = sha->md_len / 8;
   for (size_t i = 0; i < out_words; i++) {
-    const uint64_t t = CRYPTO_bswap8(sha->h[i]);
-    memcpy(out, &t, sizeof(t));
-    out += sizeof(t);
+    CRYPTO_store_u64_be(out, sha->h[i]);
+    out += 8;
   }
 
   return 1;

data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c

@@ -12,6 +12,8 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
+#include <openssl/hpke.h>
+
 #include <assert.h>
 #include <string.h>
 
@@ -22,47 +24,54 @@
 #include <openssl/err.h>
 #include <openssl/evp_errors.h>
 #include <openssl/hkdf.h>
+#include <openssl/rand.h>
 #include <openssl/sha.h>
 
 #include "../internal.h"
-#include "internal.h"
 
 
-// This file implements draft-irtf-cfrg-hpke-07.
+// This file implements draft-irtf-cfrg-hpke-08.
 
-#define KEM_CONTEXT_LEN (2 * X25519_PUBLIC_VALUE_LEN)
+#define MAX_SEED_LEN X25519_PRIVATE_KEY_LEN
+#define MAX_SHARED_SECRET_LEN SHA256_DIGEST_LENGTH
 
-// This is strlen("HPKE") + 3 * sizeof(uint16_t).
-#define HPKE_SUITE_ID_LEN 10
+struct evp_hpke_kem_st {
+  uint16_t id;
+  size_t public_key_len;
+  size_t private_key_len;
+  size_t seed_len;
+  int (*init_key)(EVP_HPKE_KEY *key, const uint8_t *priv_key,
+                  size_t priv_key_len);
+  int (*generate_key)(EVP_HPKE_KEY *key);
+  int (*encap_with_seed)(const EVP_HPKE_KEM *kem, uint8_t *out_shared_secret,
+                         size_t *out_shared_secret_len, uint8_t *out_enc,
+                         size_t *out_enc_len, size_t max_enc,
+                         const uint8_t *peer_public_key,
+                         size_t peer_public_key_len, const uint8_t *seed,
+                         size_t seed_len);
+  int (*decap)(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+               size_t *out_shared_secret_len, const uint8_t *enc,
+               size_t enc_len);
+};
 
-#define HPKE_MODE_BASE 0
-#define HPKE_MODE_PSK 1
+struct evp_hpke_kdf_st {
+  uint16_t id;
+  // We only support HKDF-based KDFs.
+  const EVP_MD *(*hkdf_md_func)(void);
+};
 
-static const char kHpkeRfcId[] = "HPKE-07";
+struct evp_hpke_aead_st {
+  uint16_t id;
+  const EVP_AEAD *(*aead_func)(void);
+};
 
-static int add_label_string(CBB *cbb, const char *label) {
-  return CBB_add_bytes(cbb, (const uint8_t *)label, strlen(label));
-}
 
-// The suite_id for the KEM is defined as concat("KEM", I2OSP(kem_id, 2)). Note
-// that the suite_id used outside of the KEM also includes the kdf_id and
-// aead_id.
-static const uint8_t kX25519SuiteID[] = {
-    'K', 'E', 'M', EVP_HPKE_DHKEM_X25519_HKDF_SHA256 >> 8,
-    EVP_HPKE_DHKEM_X25519_HKDF_SHA256 & 0x00ff};
+// Low-level labeled KDF functions.
 
-// The suite_id for non-KEM pieces of HPKE is defined as concat("HPKE",
-// I2OSP(kem_id, 2), I2OSP(kdf_id, 2), I2OSP(aead_id, 2)).
-static int hpke_build_suite_id(uint8_t out[HPKE_SUITE_ID_LEN], uint16_t kdf_id,
-                               uint16_t aead_id) {
-  CBB cbb;
-  int ret = CBB_init_fixed(&cbb, out, HPKE_SUITE_ID_LEN) &&
-            add_label_string(&cbb, "HPKE") &&
-            CBB_add_u16(&cbb, EVP_HPKE_DHKEM_X25519_HKDF_SHA256) &&
-            CBB_add_u16(&cbb, kdf_id) &&
-            CBB_add_u16(&cbb, aead_id);
-  CBB_cleanup(&cbb);
-  return ret;
+static const char kHpkeVersionId[] = "HPKE-v1";
+
+static int add_label_string(CBB *cbb, const char *label) {
+  return CBB_add_bytes(cbb, (const uint8_t *)label, strlen(label));
 }
 
 static int hpke_labeled_extract(const EVP_MD *hkdf_md, uint8_t *out_key,
@@ -70,10 +79,10 @@ static int hpke_labeled_extract(const EVP_MD *hkdf_md, uint8_t *out_key,
                                 size_t salt_len, const uint8_t *suite_id,
                                 size_t suite_id_len, const char *label,
                                 const uint8_t *ikm, size_t ikm_len) {
-  // labeledIKM = concat("RFCXXXX ", suite_id, label, IKM)
+  // labeledIKM = concat("HPKE-v1", suite_id, label, IKM)
   CBB labeled_ikm;
   int ok = CBB_init(&labeled_ikm, 0) &&
-           add_label_string(&labeled_ikm, kHpkeRfcId) &&
+           add_label_string(&labeled_ikm, kHpkeVersionId) &&
            CBB_add_bytes(&labeled_ikm, suite_id, suite_id_len) &&
            add_label_string(&labeled_ikm, label) &&
            CBB_add_bytes(&labeled_ikm, ikm, ikm_len) &&
@@ -88,11 +97,11 @@ static int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
                                size_t prk_len, const uint8_t *suite_id,
                                size_t suite_id_len, const char *label,
                                const uint8_t *info, size_t info_len) {
-  // labeledInfo = concat(I2OSP(L, 2), "RFCXXXX ", suite_id, label, info)
+  // labeledInfo = concat(I2OSP(L, 2), "HPKE-v1", suite_id, label, info)
   CBB labeled_info;
   int ok = CBB_init(&labeled_info, 0) &&
            CBB_add_u16(&labeled_info, out_len) &&
-           add_label_string(&labeled_info, kHpkeRfcId) &&
+           add_label_string(&labeled_info, kHpkeVersionId) &&
            CBB_add_bytes(&labeled_info, suite_id, suite_id_len) &&
            add_label_string(&labeled_info, label) &&
            CBB_add_bytes(&labeled_info, info, info_len) &&
@@ -102,110 +111,263 @@ static int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
   return ok;
 }
 
-static int hpke_extract_and_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
-                                   size_t out_len,
-                                   const uint8_t dh[X25519_PUBLIC_VALUE_LEN],
-                                   const uint8_t kem_context[KEM_CONTEXT_LEN]) {
+
+// KEM implementations.
+
+// dhkem_extract_and_expand implements the ExtractAndExpand operation in the
+// DHKEM construction. See section 4.1 of draft-irtf-cfrg-hpke-08.
+static int dhkem_extract_and_expand(uint16_t kem_id, const EVP_MD *hkdf_md,
+                                    uint8_t *out_key, size_t out_len,
+                                    const uint8_t *dh, size_t dh_len,
+                                    const uint8_t *kem_context,
+                                    size_t kem_context_len) {
+  // concat("KEM", I2OSP(kem_id, 2))
+  uint8_t suite_id[5] = {'K', 'E', 'M', kem_id >> 8, kem_id & 0xff};
   uint8_t prk[EVP_MAX_MD_SIZE];
   size_t prk_len;
-  static const char kEaePrkLabel[] = "eae_prk";
-  if (!hpke_labeled_extract(hkdf_md, prk, &prk_len, NULL, 0, kX25519SuiteID,
-                            sizeof(kX25519SuiteID), kEaePrkLabel, dh,
-                            X25519_PUBLIC_VALUE_LEN)) {
+  return hpke_labeled_extract(hkdf_md, prk, &prk_len, NULL, 0, suite_id,
+                              sizeof(suite_id), "eae_prk", dh, dh_len) &&
+         hpke_labeled_expand(hkdf_md, out_key, out_len, prk, prk_len, suite_id,
+                             sizeof(suite_id), "shared_secret", kem_context,
+                             kem_context_len);
+}
+
+static int x25519_init_key(EVP_HPKE_KEY *key, const uint8_t *priv_key,
+                           size_t priv_key_len) {
+  if (priv_key_len != X25519_PRIVATE_KEY_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
-  static const char kPRKExpandLabel[] = "shared_secret";
-  if (!hpke_labeled_expand(hkdf_md, out_key, out_len, prk, prk_len,
-                           kX25519SuiteID, sizeof(kX25519SuiteID),
-                           kPRKExpandLabel, kem_context, KEM_CONTEXT_LEN)) {
+
+  OPENSSL_memcpy(key->private_key, priv_key, priv_key_len);
+  X25519_public_from_private(key->public_key, priv_key);
+  return 1;
+}
+
+static int x25519_generate_key(EVP_HPKE_KEY *key) {
+  X25519_keypair(key->public_key, key->private_key);
+  return 1;
+}
+
+static int x25519_encap_with_seed(
+    const EVP_HPKE_KEM *kem, uint8_t *out_shared_secret,
+    size_t *out_shared_secret_len, uint8_t *out_enc, size_t *out_enc_len,
+    size_t max_enc, const uint8_t *peer_public_key, size_t peer_public_key_len,
+    const uint8_t *seed, size_t seed_len) {
+  if (max_enc < X25519_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+    return 0;
+  }
+  if (seed_len != X25519_PRIVATE_KEY_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+  X25519_public_from_private(out_enc, seed);
+
+  uint8_t dh[X25519_SHARED_KEY_LEN];
+  if (peer_public_key_len != X25519_PUBLIC_VALUE_LEN ||
+      !X25519(dh, seed, peer_public_key)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+
+  uint8_t kem_context[2 * X25519_PUBLIC_VALUE_LEN];
+  OPENSSL_memcpy(kem_context, out_enc, X25519_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, peer_public_key,
+                 X25519_PUBLIC_VALUE_LEN);
+  if (!dhkem_extract_and_expand(kem->id, EVP_sha256(), out_shared_secret,
+                                SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+                                kem_context, sizeof(kem_context))) {
     return 0;
   }
+
+  *out_enc_len = X25519_PUBLIC_VALUE_LEN;
+  *out_shared_secret_len = SHA256_DIGEST_LENGTH;
   return 1;
 }
 
-uint16_t EVP_HPKE_CTX_get_aead_id(const EVP_HPKE_CTX *hpke) {
-  return hpke->aead_id;
+static int x25519_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+                        size_t *out_shared_secret_len, const uint8_t *enc,
+                        size_t enc_len) {
+  uint8_t dh[X25519_SHARED_KEY_LEN];
+  if (enc_len != X25519_PUBLIC_VALUE_LEN ||
+      !X25519(dh, key->private_key, enc)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+
+  uint8_t kem_context[2 * X25519_PUBLIC_VALUE_LEN];
+  OPENSSL_memcpy(kem_context, enc, X25519_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, key->public_key,
+                 X25519_PUBLIC_VALUE_LEN);
+  if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
+                                SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+                                kem_context, sizeof(kem_context))) {
+    return 0;
+  }
+
+  *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+  return 1;
+}
+
+const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void) {
+  static const EVP_HPKE_KEM kKEM = {
+      /*id=*/EVP_HPKE_DHKEM_X25519_HKDF_SHA256,
+      /*public_key_len=*/X25519_PUBLIC_VALUE_LEN,
+      /*private_key_len=*/X25519_PRIVATE_KEY_LEN,
+      /*seed_len=*/X25519_PRIVATE_KEY_LEN,
+      x25519_init_key,
+      x25519_generate_key,
+      x25519_encap_with_seed,
+      x25519_decap,
+  };
+  return &kKEM;
 }
 
-uint16_t EVP_HPKE_CTX_get_kdf_id(const EVP_HPKE_CTX *hpke) {
-  return hpke->kdf_id;
+uint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem) { return kem->id; }
+
+void EVP_HPKE_KEY_zero(EVP_HPKE_KEY *key) {
+  OPENSSL_memset(key, 0, sizeof(EVP_HPKE_KEY));
+}
+
+void EVP_HPKE_KEY_cleanup(EVP_HPKE_KEY *key) {
+  // Nothing to clean up for now, but we may introduce a cleanup process in the
+  // future.
+}
+
+int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src) {
+  // For now, |EVP_HPKE_KEY| is trivially copyable.
+  OPENSSL_memcpy(dst, src, sizeof(EVP_HPKE_KEY));
+  return 1;
 }
 
-const EVP_AEAD *EVP_HPKE_get_aead(uint16_t aead_id) {
-  switch (aead_id) {
-    case EVP_HPKE_AEAD_AES_128_GCM:
-      return EVP_aead_aes_128_gcm();
-    case EVP_HPKE_AEAD_AES_256_GCM:
-      return EVP_aead_aes_256_gcm();
-    case EVP_HPKE_AEAD_CHACHA20POLY1305:
-      return EVP_aead_chacha20_poly1305();
+int EVP_HPKE_KEY_init(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem,
+                      const uint8_t *priv_key, size_t priv_key_len) {
+  EVP_HPKE_KEY_zero(key);
+  key->kem = kem;
+  if (!kem->init_key(key, priv_key, priv_key_len)) {
+    key->kem = NULL;
+    return 0;
   }
-  OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
-  return NULL;
-}
-
-const EVP_MD *EVP_HPKE_get_hkdf_md(uint16_t kdf_id) {
-  switch (kdf_id) {
-    case EVP_HPKE_HKDF_SHA256:
-      return EVP_sha256();
-    case EVP_HPKE_HKDF_SHA384:
-      return EVP_sha384();
-    case EVP_HPKE_HKDF_SHA512:
-      return EVP_sha512();
+  return 1;
+}
+
+int EVP_HPKE_KEY_generate(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem) {
+  EVP_HPKE_KEY_zero(key);
+  key->kem = kem;
+  if (!kem->generate_key(key)) {
+    key->kem = NULL;
+    return 0;
   }
-  OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
-  return NULL;
+  return 1;
 }
 
-static int hpke_key_schedule(EVP_HPKE_CTX *hpke, uint8_t mode,
-                             const uint8_t *shared_secret,
-                             size_t shared_secret_len, const uint8_t *info,
-                             size_t info_len, const uint8_t *psk,
-                             size_t psk_len, const uint8_t *psk_id,
-                             size_t psk_id_len) {
-  // Verify the PSK inputs.
-  switch (mode) {
-    case HPKE_MODE_BASE:
-      // This is an internal error, unreachable from the caller.
-      assert(psk_len == 0 && psk_id_len == 0);
-      break;
-    case HPKE_MODE_PSK:
-      if (psk_len == 0 || psk_id_len == 0) {
-        OPENSSL_PUT_ERROR(EVP, EVP_R_EMPTY_PSK);
-        return 0;
-      }
-      break;
-    default:
-      return 0;
+const EVP_HPKE_KEM *EVP_HPKE_KEY_kem(const EVP_HPKE_KEY *key) {
+  return key->kem;
+}
+
+int EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY *key, uint8_t *out,
+                            size_t *out_len, size_t max_out) {
+  if (max_out < key->kem->public_key_len) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+    return 0;
   }
+  OPENSSL_memcpy(out, key->public_key, key->kem->public_key_len);
+  *out_len = key->kem->public_key_len;
+  return 1;
+}
 
-  // Attempt to get an EVP_AEAD*.
-  const EVP_AEAD *aead = EVP_HPKE_get_aead(hpke->aead_id);
-  if (aead == NULL) {
+int EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key, uint8_t *out,
+                            size_t *out_len, size_t max_out) {
+  if (max_out < key->kem->private_key_len) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
     return 0;
   }
+  OPENSSL_memcpy(out, key->private_key, key->kem->private_key_len);
+  *out_len = key->kem->private_key_len;
+  return 1;
+}
+
+
+// Supported KDFs and AEADs.
+
+const EVP_HPKE_KDF *EVP_hpke_hkdf_sha256(void) {
+  static const EVP_HPKE_KDF kKDF = {EVP_HPKE_HKDF_SHA256, &EVP_sha256};
+  return &kKDF;
+}
+
+uint16_t EVP_HPKE_KDF_id(const EVP_HPKE_KDF *kdf) { return kdf->id; }
+
+const EVP_HPKE_AEAD *EVP_hpke_aes_128_gcm(void) {
+  static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_AES_128_GCM,
+                                      &EVP_aead_aes_128_gcm};
+  return &kAEAD;
+}
+
+const EVP_HPKE_AEAD *EVP_hpke_aes_256_gcm(void) {
+  static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_AES_256_GCM,
+                                      &EVP_aead_aes_256_gcm};
+  return &kAEAD;
+}
+
+const EVP_HPKE_AEAD *EVP_hpke_chacha20_poly1305(void) {
+  static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_CHACHA20_POLY1305,
+                                      &EVP_aead_chacha20_poly1305};
+  return &kAEAD;
+}
+
+uint16_t EVP_HPKE_AEAD_id(const EVP_HPKE_AEAD *aead) { return aead->id; }
+
+const EVP_AEAD *EVP_HPKE_AEAD_aead(const EVP_HPKE_AEAD *aead) {
+  return aead->aead_func();
+}
+
+
+// HPKE implementation.
+
+// This is strlen("HPKE") + 3 * sizeof(uint16_t).
+#define HPKE_SUITE_ID_LEN 10
+
+// The suite_id for non-KEM pieces of HPKE is defined as concat("HPKE",
+// I2OSP(kem_id, 2), I2OSP(kdf_id, 2), I2OSP(aead_id, 2)).
+static int hpke_build_suite_id(const EVP_HPKE_CTX *ctx,
+                               uint8_t out[HPKE_SUITE_ID_LEN]) {
+  CBB cbb;
+  int ret = CBB_init_fixed(&cbb, out, HPKE_SUITE_ID_LEN) &&
+            add_label_string(&cbb, "HPKE") &&
+            CBB_add_u16(&cbb, EVP_HPKE_DHKEM_X25519_HKDF_SHA256) &&
+            CBB_add_u16(&cbb, ctx->kdf->id) &&
+            CBB_add_u16(&cbb, ctx->aead->id);
+  CBB_cleanup(&cbb);
+  return ret;
+}
+
+#define HPKE_MODE_BASE 0
 
+static int hpke_key_schedule(EVP_HPKE_CTX *ctx, const uint8_t *shared_secret,
+                             size_t shared_secret_len, const uint8_t *info,
+                             size_t info_len) {
   uint8_t suite_id[HPKE_SUITE_ID_LEN];
-  if (!hpke_build_suite_id(suite_id, hpke->kdf_id, hpke->aead_id)) {
+  if (!hpke_build_suite_id(ctx, suite_id)) {
     return 0;
   }
 
   // psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id)
-  static const char kPskIdHashLabel[] = "psk_id_hash";
+  // TODO(davidben): Precompute this value and store it with the EVP_HPKE_KDF.
+  const EVP_MD *hkdf_md = ctx->kdf->hkdf_md_func();
   uint8_t psk_id_hash[EVP_MAX_MD_SIZE];
   size_t psk_id_hash_len;
-  if (!hpke_labeled_extract(hpke->hkdf_md, psk_id_hash, &psk_id_hash_len, NULL,
-                            0, suite_id, sizeof(suite_id), kPskIdHashLabel,
-                            psk_id, psk_id_len)) {
+  if (!hpke_labeled_extract(hkdf_md, psk_id_hash, &psk_id_hash_len, NULL, 0,
+                            suite_id, sizeof(suite_id), "psk_id_hash", NULL,
+                            0)) {
     return 0;
   }
 
   // info_hash = LabeledExtract("", "info_hash", info)
-  static const char kInfoHashLabel[] = "info_hash";
   uint8_t info_hash[EVP_MAX_MD_SIZE];
   size_t info_hash_len;
-  if (!hpke_labeled_extract(hpke->hkdf_md, info_hash, &info_hash_len, NULL, 0,
-                            suite_id, sizeof(suite_id), kInfoHashLabel, info,
+  if (!hpke_labeled_extract(hkdf_md, info_hash, &info_hash_len, NULL, 0,
+                            suite_id, sizeof(suite_id), "info_hash", info,
                             info_len)) {
     return 0;
   }
@@ -215,7 +377,7 @@ static int hpke_key_schedule(EVP_HPKE_CTX *hpke, uint8_t mode,
   size_t context_len;
   CBB context_cbb;
   if (!CBB_init_fixed(&context_cbb, context, sizeof(context)) ||
-      !CBB_add_u8(&context_cbb, mode) ||
+      !CBB_add_u8(&context_cbb, HPKE_MODE_BASE) ||
       !CBB_add_bytes(&context_cbb, psk_id_hash, psk_id_hash_len) ||
       !CBB_add_bytes(&context_cbb, info_hash, info_hash_len) ||
       !CBB_finish(&context_cbb, NULL, &context_len)) {
@@ -223,97 +385,44 @@ static int hpke_key_schedule(EVP_HPKE_CTX *hpke, uint8_t mode,
   }
 
   // secret = LabeledExtract(shared_secret, "secret", psk)
-  static const char kSecretExtractLabel[] = "secret";
   uint8_t secret[EVP_MAX_MD_SIZE];
   size_t secret_len;
-  if (!hpke_labeled_extract(hpke->hkdf_md, secret, &secret_len, shared_secret,
+  if (!hpke_labeled_extract(hkdf_md, secret, &secret_len, shared_secret,
                             shared_secret_len, suite_id, sizeof(suite_id),
-                            kSecretExtractLabel, psk, psk_len)) {
+                            "secret", NULL, 0)) {
     return 0;
   }
 
   // key = LabeledExpand(secret, "key", key_schedule_context, Nk)
-  static const char kKeyExpandLabel[] = "key";
+  const EVP_AEAD *aead = EVP_HPKE_AEAD_aead(ctx->aead);
   uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
   const size_t kKeyLen = EVP_AEAD_key_length(aead);
-  if (!hpke_labeled_expand(hpke->hkdf_md, key, kKeyLen, secret, secret_len,
-                           suite_id, sizeof(suite_id), kKeyExpandLabel, context,
-                           context_len)) {
-    return 0;
-  }
-
-  // Initialize the HPKE context's AEAD context, storing a copy of |key|.
-  if (!EVP_AEAD_CTX_init(&hpke->aead_ctx, aead, key, kKeyLen, 0, NULL)) {
+  if (!hpke_labeled_expand(hkdf_md, key, kKeyLen, secret, secret_len, suite_id,
+                           sizeof(suite_id), "key", context, context_len) ||
+      !EVP_AEAD_CTX_init(&ctx->aead_ctx, aead, key, kKeyLen,
+                         EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) {
     return 0;
   }
 
   // base_nonce = LabeledExpand(secret, "base_nonce", key_schedule_context, Nn)
-  static const char kNonceExpandLabel[] = "base_nonce";
-  if (!hpke_labeled_expand(hpke->hkdf_md, hpke->base_nonce,
+  if (!hpke_labeled_expand(hkdf_md, ctx->base_nonce,
                            EVP_AEAD_nonce_length(aead), secret, secret_len,
-                           suite_id, sizeof(suite_id), kNonceExpandLabel,
-                           context, context_len)) {
+                           suite_id, sizeof(suite_id), "base_nonce", context,
+                           context_len)) {
     return 0;
   }
 
   // exporter_secret = LabeledExpand(secret, "exp", key_schedule_context, Nh)
-  static const char kExporterSecretExpandLabel[] = "exp";
-  if (!hpke_labeled_expand(hpke->hkdf_md, hpke->exporter_secret,
-                           EVP_MD_size(hpke->hkdf_md), secret, secret_len,
-                           suite_id, sizeof(suite_id),
-                           kExporterSecretExpandLabel, context, context_len)) {
+  if (!hpke_labeled_expand(hkdf_md, ctx->exporter_secret, EVP_MD_size(hkdf_md),
+                           secret, secret_len, suite_id, sizeof(suite_id),
+                           "exp", context, context_len)) {
     return 0;
   }
 
   return 1;
 }
 
-// The number of bytes written to |out_shared_secret| is the size of the KEM's
-// KDF (currently we only support SHA256).
-static int hpke_encap(EVP_HPKE_CTX *hpke,
-                      uint8_t out_shared_secret[SHA256_DIGEST_LENGTH],
-                      const uint8_t public_key_r[X25519_PUBLIC_VALUE_LEN],
-                      const uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN],
-                      const uint8_t ephemeral_public[X25519_PUBLIC_VALUE_LEN]) {
-  uint8_t dh[X25519_PUBLIC_VALUE_LEN];
-  if (!X25519(dh, ephemeral_private, public_key_r)) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
-    return 0;
-  }
-
-  uint8_t kem_context[KEM_CONTEXT_LEN];
-  OPENSSL_memcpy(kem_context, ephemeral_public, X25519_PUBLIC_VALUE_LEN);
-  OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, public_key_r,
-                 X25519_PUBLIC_VALUE_LEN);
-  if (!hpke_extract_and_expand(EVP_sha256(), out_shared_secret,
-                               SHA256_DIGEST_LENGTH, dh, kem_context)) {
-    return 0;
-  }
-  return 1;
-}
-
-static int hpke_decap(const EVP_HPKE_CTX *hpke,
-                      uint8_t out_shared_secret[SHA256_DIGEST_LENGTH],
-                      const uint8_t enc[X25519_PUBLIC_VALUE_LEN],
-                      const uint8_t public_key_r[X25519_PUBLIC_VALUE_LEN],
-                      const uint8_t secret_key_r[X25519_PRIVATE_KEY_LEN]) {
-  uint8_t dh[X25519_PUBLIC_VALUE_LEN];
-  if (!X25519(dh, secret_key_r, enc)) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
-    return 0;
-  }
-  uint8_t kem_context[KEM_CONTEXT_LEN];
-  OPENSSL_memcpy(kem_context, enc, X25519_PUBLIC_VALUE_LEN);
-  OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, public_key_r,
-                 X25519_PUBLIC_VALUE_LEN);
-  if (!hpke_extract_and_expand(EVP_sha256(), out_shared_secret,
-                               SHA256_DIGEST_LENGTH, dh, kem_context)) {
-    return 0;
-  }
-  return 1;
-}
-
-void EVP_HPKE_CTX_init(EVP_HPKE_CTX *ctx) {
+void EVP_HPKE_CTX_zero(EVP_HPKE_CTX *ctx) {
   OPENSSL_memset(ctx, 0, sizeof(EVP_HPKE_CTX));
   EVP_AEAD_CTX_zero(&ctx->aead_ctx);
 }
@@ -322,272 +431,154 @@ void EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX *ctx) {
   EVP_AEAD_CTX_cleanup(&ctx->aead_ctx);
 }
 
-int EVP_HPKE_CTX_setup_base_s_x25519(EVP_HPKE_CTX *hpke, uint8_t *out_enc,
-                                     size_t out_enc_len, uint16_t kdf_id,
-                                     uint16_t aead_id,
-                                     const uint8_t *peer_public_value,
-                                     size_t peer_public_value_len,
-                                     const uint8_t *info, size_t info_len) {
-  if (out_enc_len != X25519_PUBLIC_VALUE_LEN) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
-    return 0;
-  }
-
-  // The GenerateKeyPair() step technically belongs in the KEM's Encap()
-  // function, but we've moved it up a layer to make it easier for tests to
-  // inject an ephemeral keypair.
-  uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN];
-  X25519_keypair(out_enc, ephemeral_private);
-  return EVP_HPKE_CTX_setup_base_s_x25519_for_test(
-      hpke, kdf_id, aead_id, peer_public_value, peer_public_value_len, info,
-      info_len, ephemeral_private, sizeof(ephemeral_private), out_enc,
-      out_enc_len);
-}
-
-int EVP_HPKE_CTX_setup_base_s_x25519_for_test(
-    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t *peer_public_value, size_t peer_public_value_len,
-    const uint8_t *info, size_t info_len, const uint8_t *ephemeral_private,
-    size_t ephemeral_private_len, const uint8_t *ephemeral_public,
-    size_t ephemeral_public_len) {
-  if (peer_public_value_len != X25519_PUBLIC_VALUE_LEN) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
-    return 0;
-  }
-  if (ephemeral_private_len != X25519_PRIVATE_KEY_LEN ||
-      ephemeral_public_len != X25519_PUBLIC_VALUE_LEN) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
-    return 0;
-  }
-
-  hpke->is_sender = 1;
-  hpke->kdf_id = kdf_id;
-  hpke->aead_id = aead_id;
-  hpke->hkdf_md = EVP_HPKE_get_hkdf_md(kdf_id);
-  if (hpke->hkdf_md == NULL) {
-    return 0;
-  }
-  uint8_t shared_secret[SHA256_DIGEST_LENGTH];
-  if (!hpke_encap(hpke, shared_secret, peer_public_value, ephemeral_private,
-                  ephemeral_public) ||
-      !hpke_key_schedule(hpke, HPKE_MODE_BASE, shared_secret,
-                         sizeof(shared_secret), info, info_len, NULL, 0, NULL,
-                         0)) {
-    return 0;
-  }
-  return 1;
-}
-
-int EVP_HPKE_CTX_setup_base_r_x25519(EVP_HPKE_CTX *hpke, uint16_t kdf_id,
-                                     uint16_t aead_id, const uint8_t *enc,
-                                     size_t enc_len, const uint8_t *public_key,
-                                     size_t public_key_len,
-                                     const uint8_t *private_key,
-                                     size_t private_key_len,
-                                     const uint8_t *info, size_t info_len) {
-  if (enc_len != X25519_PUBLIC_VALUE_LEN) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
-    return 0;
-  }
-  if (public_key_len != X25519_PUBLIC_VALUE_LEN ||
-      private_key_len != X25519_PRIVATE_KEY_LEN) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
-    return 0;
-  }
-
-  hpke->is_sender = 0;
-  hpke->kdf_id = kdf_id;
-  hpke->aead_id = aead_id;
-  hpke->hkdf_md = EVP_HPKE_get_hkdf_md(kdf_id);
-  if (hpke->hkdf_md == NULL) {
-    return 0;
-  }
-  uint8_t shared_secret[SHA256_DIGEST_LENGTH];
-  if (!hpke_decap(hpke, shared_secret, enc, public_key, private_key) ||
-      !hpke_key_schedule(hpke, HPKE_MODE_BASE, shared_secret,
-                         sizeof(shared_secret), info, info_len, NULL, 0, NULL,
-                         0)) {
-    return 0;
-  }
-  return 1;
+int EVP_HPKE_CTX_setup_sender(EVP_HPKE_CTX *ctx, uint8_t *out_enc,
+                              size_t *out_enc_len, size_t max_enc,
+                              const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf,
+                              const EVP_HPKE_AEAD *aead,
+                              const uint8_t *peer_public_key,
+                              size_t peer_public_key_len, const uint8_t *info,
+                              size_t info_len) {
+  uint8_t seed[MAX_SEED_LEN];
+  RAND_bytes(seed, kem->seed_len);
+  return EVP_HPKE_CTX_setup_sender_with_seed_for_testing(
+      ctx, out_enc, out_enc_len, max_enc, kem, kdf, aead, peer_public_key,
+      peer_public_key_len, info, info_len, seed, kem->seed_len);
 }
 
-int EVP_HPKE_CTX_setup_psk_s_x25519(EVP_HPKE_CTX *hpke, uint8_t *out_enc,
-                                    size_t out_enc_len, uint16_t kdf_id,
-                                    uint16_t aead_id,
-                                    const uint8_t *peer_public_value,
-                                    size_t peer_public_value_len,
-                                    const uint8_t *info, size_t info_len,
-                                    const uint8_t *psk, size_t psk_len,
-                                    const uint8_t *psk_id, size_t psk_id_len) {
-  if (out_enc_len != X25519_PUBLIC_VALUE_LEN) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
-    return 0;
-  }
-
-  // The GenerateKeyPair() step technically belongs in the KEM's Encap()
-  // function, but we've moved it up a layer to make it easier for tests to
-  // inject an ephemeral keypair.
-  uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN];
-  X25519_keypair(out_enc, ephemeral_private);
-  return EVP_HPKE_CTX_setup_psk_s_x25519_for_test(
-      hpke, kdf_id, aead_id, peer_public_value, peer_public_value_len, info,
-      info_len, psk, psk_len, psk_id, psk_id_len, ephemeral_private,
-      sizeof(ephemeral_private), out_enc, out_enc_len);
-}
-
-int EVP_HPKE_CTX_setup_psk_s_x25519_for_test(
-    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
-    const uint8_t *peer_public_value, size_t peer_public_value_len,
-    const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len,
-    const uint8_t *psk_id, size_t psk_id_len, const uint8_t *ephemeral_private,
-    size_t ephemeral_private_len, const uint8_t *ephemeral_public,
-    size_t ephemeral_public_len) {
-  if (peer_public_value_len != X25519_PUBLIC_VALUE_LEN) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
-    return 0;
-  }
-  if (ephemeral_private_len != X25519_PRIVATE_KEY_LEN ||
-      ephemeral_public_len != X25519_PUBLIC_VALUE_LEN) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
-    return 0;
-  }
-
-  hpke->is_sender = 1;
-  hpke->kdf_id = kdf_id;
-  hpke->aead_id = aead_id;
-  hpke->hkdf_md = EVP_HPKE_get_hkdf_md(kdf_id);
-  if (hpke->hkdf_md == NULL) {
-    return 0;
-  }
-  uint8_t shared_secret[SHA256_DIGEST_LENGTH];
-  if (!hpke_encap(hpke, shared_secret, peer_public_value, ephemeral_private,
-                  ephemeral_public) ||
-      !hpke_key_schedule(hpke, HPKE_MODE_PSK, shared_secret,
-                         sizeof(shared_secret), info, info_len, psk, psk_len,
-                         psk_id, psk_id_len)) {
+int EVP_HPKE_CTX_setup_sender_with_seed_for_testing(
+    EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
+    const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
+    const uint8_t *peer_public_key, size_t peer_public_key_len,
+    const uint8_t *info, size_t info_len, const uint8_t *seed,
+    size_t seed_len) {
+  EVP_HPKE_CTX_zero(ctx);
+  ctx->is_sender = 1;
+  ctx->kdf = kdf;
+  ctx->aead = aead;
+  uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
+  size_t shared_secret_len;
+  if (!kem->encap_with_seed(kem, shared_secret, &shared_secret_len, out_enc,
+                            out_enc_len, max_enc, peer_public_key,
+                            peer_public_key_len, seed, seed_len) ||
+      !hpke_key_schedule(ctx, shared_secret, shared_secret_len, info,
+                         info_len)) {
+    EVP_HPKE_CTX_cleanup(ctx);
     return 0;
   }
   return 1;
 }
 
-int EVP_HPKE_CTX_setup_psk_r_x25519(
-    EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id, const uint8_t *enc,
-    size_t enc_len, const uint8_t *public_key, size_t public_key_len,
-    const uint8_t *private_key, size_t private_key_len, const uint8_t *info,
-    size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id,
-    size_t psk_id_len) {
-  if (enc_len != X25519_PUBLIC_VALUE_LEN) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
-    return 0;
-  }
-  if (public_key_len != X25519_PUBLIC_VALUE_LEN ||
-      private_key_len != X25519_PRIVATE_KEY_LEN) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
-    return 0;
-  }
-
-  hpke->is_sender = 0;
-  hpke->kdf_id = kdf_id;
-  hpke->aead_id = aead_id;
-  hpke->hkdf_md = EVP_HPKE_get_hkdf_md(kdf_id);
-  if (hpke->hkdf_md == NULL) {
-    return 0;
-  }
-  uint8_t shared_secret[SHA256_DIGEST_LENGTH];
-  if (!hpke_decap(hpke, shared_secret, enc, public_key, private_key) ||
-      !hpke_key_schedule(hpke, HPKE_MODE_PSK, shared_secret,
-                         sizeof(shared_secret), info, info_len, psk, psk_len,
-                         psk_id, psk_id_len)) {
+int EVP_HPKE_CTX_setup_recipient(EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key,
+                                 const EVP_HPKE_KDF *kdf,
+                                 const EVP_HPKE_AEAD *aead, const uint8_t *enc,
+                                 size_t enc_len, const uint8_t *info,
+                                 size_t info_len) {
+  EVP_HPKE_CTX_zero(ctx);
+  ctx->is_sender = 0;
+  ctx->kdf = kdf;
+  ctx->aead = aead;
+  uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
+  size_t shared_secret_len;
+  if (!key->kem->decap(key, shared_secret, &shared_secret_len, enc, enc_len) ||
+      !hpke_key_schedule(ctx, shared_secret, sizeof(shared_secret), info,
+                         info_len)) {
+    EVP_HPKE_CTX_cleanup(ctx);
     return 0;
   }
   return 1;
 }
 
-static void hpke_nonce(const EVP_HPKE_CTX *hpke, uint8_t *out_nonce,
+static void hpke_nonce(const EVP_HPKE_CTX *ctx, uint8_t *out_nonce,
                        size_t nonce_len) {
   assert(nonce_len >= 8);
 
-  // Write padded big-endian bytes of |hpke->seq| to |out_nonce|.
+  // Write padded big-endian bytes of |ctx->seq| to |out_nonce|.
   OPENSSL_memset(out_nonce, 0, nonce_len);
-  uint64_t seq_copy = hpke->seq;
+  uint64_t seq_copy = ctx->seq;
   for (size_t i = 0; i < 8; i++) {
     out_nonce[nonce_len - i - 1] = seq_copy & 0xff;
     seq_copy >>= 8;
   }
 
-  // XOR the encoded sequence with the |hpke->base_nonce|.
+  // XOR the encoded sequence with the |ctx->base_nonce|.
   for (size_t i = 0; i < nonce_len; i++) {
-    out_nonce[i] ^= hpke->base_nonce[i];
+    out_nonce[i] ^= ctx->base_nonce[i];
   }
 }
 
-size_t EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX *hpke) {
-  assert(hpke->is_sender);
-  return EVP_AEAD_max_overhead(hpke->aead_ctx.aead);
-}
-
-int EVP_HPKE_CTX_open(EVP_HPKE_CTX *hpke, uint8_t *out, size_t *out_len,
+int EVP_HPKE_CTX_open(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len,
                       size_t max_out_len, const uint8_t *in, size_t in_len,
                       const uint8_t *ad, size_t ad_len) {
-  if (hpke->is_sender) {
+  if (ctx->is_sender) {
     OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
   }
-  if (hpke->seq == UINT64_MAX) {
+  if (ctx->seq == UINT64_MAX) {
     OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
     return 0;
   }
 
   uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
-  const size_t nonce_len = EVP_AEAD_nonce_length(hpke->aead_ctx.aead);
-  hpke_nonce(hpke, nonce, nonce_len);
+  const size_t nonce_len = EVP_AEAD_nonce_length(ctx->aead_ctx.aead);
+  hpke_nonce(ctx, nonce, nonce_len);
 
-  if (!EVP_AEAD_CTX_open(&hpke->aead_ctx, out, out_len, max_out_len, nonce,
+  if (!EVP_AEAD_CTX_open(&ctx->aead_ctx, out, out_len, max_out_len, nonce,
                          nonce_len, in, in_len, ad, ad_len)) {
     return 0;
   }
-  hpke->seq++;
+  ctx->seq++;
   return 1;
 }
 
-int EVP_HPKE_CTX_seal(EVP_HPKE_CTX *hpke, uint8_t *out, size_t *out_len,
+int EVP_HPKE_CTX_seal(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len,
                       size_t max_out_len, const uint8_t *in, size_t in_len,
                       const uint8_t *ad, size_t ad_len) {
-  if (!hpke->is_sender) {
+  if (!ctx->is_sender) {
     OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
   }
-  if (hpke->seq == UINT64_MAX) {
+  if (ctx->seq == UINT64_MAX) {
     OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
     return 0;
   }
 
   uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
-  const size_t nonce_len = EVP_AEAD_nonce_length(hpke->aead_ctx.aead);
-  hpke_nonce(hpke, nonce, nonce_len);
+  const size_t nonce_len = EVP_AEAD_nonce_length(ctx->aead_ctx.aead);
+  hpke_nonce(ctx, nonce, nonce_len);
 
-  if (!EVP_AEAD_CTX_seal(&hpke->aead_ctx, out, out_len, max_out_len, nonce,
+  if (!EVP_AEAD_CTX_seal(&ctx->aead_ctx, out, out_len, max_out_len, nonce,
                          nonce_len, in, in_len, ad, ad_len)) {
     return 0;
   }
-  hpke->seq++;
+  ctx->seq++;
   return 1;
 }
 
-int EVP_HPKE_CTX_export(const EVP_HPKE_CTX *hpke, uint8_t *out,
+int EVP_HPKE_CTX_export(const EVP_HPKE_CTX *ctx, uint8_t *out,
                         size_t secret_len, const uint8_t *context,
                         size_t context_len) {
   uint8_t suite_id[HPKE_SUITE_ID_LEN];
-  if (!hpke_build_suite_id(suite_id, hpke->kdf_id, hpke->aead_id)) {
+  if (!hpke_build_suite_id(ctx, suite_id)) {
     return 0;
   }
-  static const char kExportExpandLabel[] = "sec";
-  if (!hpke_labeled_expand(hpke->hkdf_md, out, secret_len,
-                           hpke->exporter_secret, EVP_MD_size(hpke->hkdf_md),
-                           suite_id, sizeof(suite_id), kExportExpandLabel,
-                           context, context_len)) {
+  const EVP_MD *hkdf_md = ctx->kdf->hkdf_md_func();
+  if (!hpke_labeled_expand(hkdf_md, out, secret_len, ctx->exporter_secret,
+                           EVP_MD_size(hkdf_md), suite_id, sizeof(suite_id),
+                           "sec", context, context_len)) {
     return 0;
   }
   return 1;
 }
+
+size_t EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX *ctx) {
+  assert(ctx->is_sender);
+  return EVP_AEAD_max_overhead(EVP_AEAD_CTX_aead(&ctx->aead_ctx));
+}
+
+const EVP_HPKE_AEAD *EVP_HPKE_CTX_aead(const EVP_HPKE_CTX *ctx) {
+  return ctx->aead;
+}
+
+const EVP_HPKE_KDF *EVP_HPKE_CTX_kdf(const EVP_HPKE_CTX *ctx) {
+  return ctx->kdf;
+}