1 /* Copyright 2020 The BoringSSL Authors 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #ifndef OPENSSL_HEADER_CRYPTO_HPKE_INTERNAL_H 16 #define OPENSSL_HEADER_CRYPTO_HPKE_INTERNAL_H 17 18 #include <openssl/aead.h> 19 #include <openssl/base.h> 20 #include <openssl/curve25519.h> 21 #include <openssl/digest.h> 22 23 #if defined(__cplusplus) 24 extern "C" { 25 #endif 26 27 28 // Hybrid Public Key Encryption. 29 // 30 // Hybrid Public Key Encryption (HPKE) enables a sender to encrypt messages to a 31 // receiver with a public key. 32 // 33 // See RFC 9180. 34 35 36 // Parameters. 37 // 38 // An HPKE context is parameterized by KEM, KDF, and AEAD algorithms, 39 // represented by |EVP_HPKE_KEM|, |EVP_HPKE_KDF|, and |EVP_HPKE_AEAD| types, 40 // respectively. 41 42 // The following constants are KEM identifiers. 43 #define EVP_HPKE_DHKEM_P256_HKDF_SHA256 0x0010 44 #define EVP_HPKE_DHKEM_X25519_HKDF_SHA256 0x0020 45 46 // The following functions are KEM algorithms which may be used with HPKE. Note 47 // that, while some HPKE KEMs use KDFs internally, this is separate from the 48 // |EVP_HPKE_KDF| selection. 49 OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void); 50 OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_p256_hkdf_sha256(void); 51 52 // EVP_HPKE_KEM_id returns the HPKE KEM identifier for |kem|, which 53 // will be one of the |EVP_HPKE_KEM_*| constants. 54 OPENSSL_EXPORT uint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem); 55 56 // EVP_HPKE_MAX_PUBLIC_KEY_LENGTH is the maximum length of an encoded public key 57 // for all KEMs currently supported by this library. 58 #define EVP_HPKE_MAX_PUBLIC_KEY_LENGTH 65 59 60 // EVP_HPKE_KEM_public_key_len returns the length of a public key for |kem|. 61 // This value will be at most |EVP_HPKE_MAX_PUBLIC_KEY_LENGTH|. 62 OPENSSL_EXPORT size_t EVP_HPKE_KEM_public_key_len(const EVP_HPKE_KEM *kem); 63 64 // EVP_HPKE_MAX_PRIVATE_KEY_LENGTH is the maximum length of an encoded private 65 // key for all KEMs currently supported by this library. 66 #define EVP_HPKE_MAX_PRIVATE_KEY_LENGTH 32 67 68 // EVP_HPKE_KEM_private_key_len returns the length of a private key for |kem|. 69 // This value will be at most |EVP_HPKE_MAX_PRIVATE_KEY_LENGTH|. 70 OPENSSL_EXPORT size_t EVP_HPKE_KEM_private_key_len(const EVP_HPKE_KEM *kem); 71 72 // EVP_HPKE_MAX_ENC_LENGTH is the maximum length of "enc", the encapsulated 73 // shared secret, for all KEMs currently supported by this library. 74 #define EVP_HPKE_MAX_ENC_LENGTH 65 75 76 // EVP_HPKE_KEM_enc_len returns the length of the "enc", the encapsulated shared 77 // secret, for |kem|. This value will be at most |EVP_HPKE_MAX_ENC_LENGTH|. 78 OPENSSL_EXPORT size_t EVP_HPKE_KEM_enc_len(const EVP_HPKE_KEM *kem); 79 80 // The following constants are KDF identifiers. 81 #define EVP_HPKE_HKDF_SHA256 0x0001 82 83 // The following functions are KDF algorithms which may be used with HPKE. 84 OPENSSL_EXPORT const EVP_HPKE_KDF *EVP_hpke_hkdf_sha256(void); 85 86 // EVP_HPKE_KDF_id returns the HPKE KDF identifier for |kdf|. 87 OPENSSL_EXPORT uint16_t EVP_HPKE_KDF_id(const EVP_HPKE_KDF *kdf); 88 89 // EVP_HPKE_KDF_hkdf_md returns the HKDF hash function corresponding to |kdf|, 90 // or NULL if |kdf| is not an HKDF-based KDF. All currently supported KDFs are 91 // HKDF-based. 92 OPENSSL_EXPORT const EVP_MD *EVP_HPKE_KDF_hkdf_md(const EVP_HPKE_KDF *kdf); 93 94 // The following constants are AEAD identifiers. 95 #define EVP_HPKE_AES_128_GCM 0x0001 96 #define EVP_HPKE_AES_256_GCM 0x0002 97 #define EVP_HPKE_CHACHA20_POLY1305 0x0003 98 99 // The following functions are AEAD algorithms which may be used with HPKE. 100 OPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_hpke_aes_128_gcm(void); 101 OPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_hpke_aes_256_gcm(void); 102 OPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_hpke_chacha20_poly1305(void); 103 104 // EVP_HPKE_AEAD_id returns the HPKE AEAD identifier for |aead|. 105 OPENSSL_EXPORT uint16_t EVP_HPKE_AEAD_id(const EVP_HPKE_AEAD *aead); 106 107 // EVP_HPKE_AEAD_aead returns the |EVP_AEAD| corresponding to |aead|. 108 OPENSSL_EXPORT const EVP_AEAD *EVP_HPKE_AEAD_aead(const EVP_HPKE_AEAD *aead); 109 110 111 // Recipient keys. 112 // 113 // An HPKE recipient maintains a long-term KEM key. This library represents keys 114 // with the |EVP_HPKE_KEY| type. 115 116 // EVP_HPKE_KEY_zero sets an uninitialized |EVP_HPKE_KEY| to the zero state. The 117 // caller should then use |EVP_HPKE_KEY_init|, |EVP_HPKE_KEY_copy|, or 118 // |EVP_HPKE_KEY_generate| to finish initializing |key|. 119 // 120 // It is safe, but not necessary to call |EVP_HPKE_KEY_cleanup| in this state. 121 // This may be used for more uniform cleanup of |EVP_HPKE_KEY|. 122 OPENSSL_EXPORT void EVP_HPKE_KEY_zero(EVP_HPKE_KEY *key); 123 124 // EVP_HPKE_KEY_cleanup releases memory referenced by |key|. 125 OPENSSL_EXPORT void EVP_HPKE_KEY_cleanup(EVP_HPKE_KEY *key); 126 127 // EVP_HPKE_KEY_new returns a newly-allocated |EVP_HPKE_KEY|, or NULL on error. 128 // The caller must call |EVP_HPKE_KEY_free| on the result to release it. 129 // 130 // This is a convenience function for callers that need a heap-allocated 131 // |EVP_HPKE_KEY|. 132 OPENSSL_EXPORT EVP_HPKE_KEY *EVP_HPKE_KEY_new(void); 133 134 // EVP_HPKE_KEY_free releases memory associated with |key|, which must have been 135 // created with |EVP_HPKE_KEY_new|. 136 OPENSSL_EXPORT void EVP_HPKE_KEY_free(EVP_HPKE_KEY *key); 137 138 // EVP_HPKE_KEY_copy sets |dst| to a copy of |src|. It returns one on success 139 // and zero on error. On success, the caller must call |EVP_HPKE_KEY_cleanup| to 140 // release |dst|. On failure, calling |EVP_HPKE_KEY_cleanup| is safe, but not 141 // necessary. 142 OPENSSL_EXPORT int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, 143 const EVP_HPKE_KEY *src); 144 145 // EVP_HPKE_KEY_move sets |out|, which must be initialized or in the zero state, 146 // to the key in |in|. |in| is mutated and left in the zero state. 147 OPENSSL_EXPORT void EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in); 148 149 // EVP_HPKE_KEY_init decodes |priv_key| as a private key for |kem| and 150 // initializes |key| with the result. It returns one on success and zero if 151 // |priv_key| was invalid. On success, the caller must call 152 // |EVP_HPKE_KEY_cleanup| to release the key. On failure, calling 153 // |EVP_HPKE_KEY_cleanup| is safe, but not necessary. 154 OPENSSL_EXPORT int EVP_HPKE_KEY_init(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem, 155 const uint8_t *priv_key, 156 size_t priv_key_len); 157 158 // EVP_HPKE_KEY_generate sets |key| to a newly-generated key using |kem|. 159 OPENSSL_EXPORT int EVP_HPKE_KEY_generate(EVP_HPKE_KEY *key, 160 const EVP_HPKE_KEM *kem); 161 162 // EVP_HPKE_KEY_kem returns the HPKE KEM used by |key|. 163 OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_HPKE_KEY_kem(const EVP_HPKE_KEY *key); 164 165 // EVP_HPKE_KEY_public_key writes |key|'s public key to |out| and sets 166 // |*out_len| to the number of bytes written. On success, it returns one and 167 // writes at most |max_out| bytes. If |max_out| is too small, it returns zero. 168 // Setting |max_out| to |EVP_HPKE_MAX_PUBLIC_KEY_LENGTH| will ensure the public 169 // key fits. An exact size can also be determined by 170 // |EVP_HPKE_KEM_public_key_len|. 171 OPENSSL_EXPORT int EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY *key, 172 uint8_t *out, size_t *out_len, 173 size_t max_out); 174 175 // EVP_HPKE_KEY_private_key writes |key|'s private key to |out| and sets 176 // |*out_len| to the number of bytes written. On success, it returns one and 177 // writes at most |max_out| bytes. If |max_out| is too small, it returns zero. 178 // Setting |max_out| to |EVP_HPKE_MAX_PRIVATE_KEY_LENGTH| will ensure the 179 // private key fits. An exact size can also be determined by 180 // |EVP_HPKE_KEM_private_key_len|. 181 OPENSSL_EXPORT int EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key, 182 uint8_t *out, size_t *out_len, 183 size_t max_out); 184 185 186 // Encryption contexts. 187 // 188 // An HPKE encryption context is represented by the |EVP_HPKE_CTX| type. 189 190 // EVP_HPKE_CTX_zero sets an uninitialized |EVP_HPKE_CTX| to the zero state. The 191 // caller should then use one of the |EVP_HPKE_CTX_setup_*| functions to finish 192 // setting up |ctx|. 193 // 194 // It is safe, but not necessary to call |EVP_HPKE_CTX_cleanup| in this state. 195 // This may be used for more uniform cleanup of |EVP_HPKE_CTX|. 196 OPENSSL_EXPORT void EVP_HPKE_CTX_zero(EVP_HPKE_CTX *ctx); 197 198 // EVP_HPKE_CTX_cleanup releases memory referenced by |ctx|. |ctx| must have 199 // been initialized with |EVP_HPKE_CTX_zero| or one of the 200 // |EVP_HPKE_CTX_setup_*| functions. 201 OPENSSL_EXPORT void EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX *ctx); 202 203 // EVP_HPKE_CTX_new returns a newly-allocated |EVP_HPKE_CTX|, or NULL on error. 204 // The caller must call |EVP_HPKE_CTX_free| on the result to release it. 205 // 206 // This is a convenience function for callers that need a heap-allocated 207 // |EVP_HPKE_CTX|. 208 OPENSSL_EXPORT EVP_HPKE_CTX *EVP_HPKE_CTX_new(void); 209 210 // EVP_HPKE_CTX_free releases memory associated with |ctx|, which must have been 211 // created with |EVP_HPKE_CTX_new|. 212 OPENSSL_EXPORT void EVP_HPKE_CTX_free(EVP_HPKE_CTX *ctx); 213 214 // EVP_HPKE_CTX_setup_sender implements the SetupBaseS HPKE operation. It 215 // encapsulates a shared secret for |peer_public_key| and sets up |ctx| as a 216 // sender context. It writes the encapsulated shared secret to |out_enc| and 217 // sets |*out_enc_len| to the number of bytes written. It writes at most 218 // |max_enc| bytes and fails if the buffer is too small. Setting |max_enc| to at 219 // least |EVP_HPKE_MAX_ENC_LENGTH| will ensure the buffer is large enough. An 220 // exact size may also be determined by |EVP_PKEY_KEM_enc_len|. 221 // 222 // This function returns one on success and zero on error. Note that 223 // |peer_public_key| may be invalid, in which case this function will return an 224 // error. 225 // 226 // On success, callers may call |EVP_HPKE_CTX_seal| to encrypt messages for the 227 // recipient. Callers must then call |EVP_HPKE_CTX_cleanup| when done. On 228 // failure, calling |EVP_HPKE_CTX_cleanup| is safe, but not required. 229 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender( 230 EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, 231 const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, 232 const uint8_t *peer_public_key, size_t peer_public_key_len, 233 const uint8_t *info, size_t info_len); 234 235 // EVP_HPKE_CTX_setup_sender_with_seed_for_testing behaves like 236 // |EVP_HPKE_CTX_setup_sender|, but takes a seed to behave deterministically. 237 // The seed's format depends on |kem|. For X25519, it is the sender's 238 // ephemeral private key. For P256, it's an HKDF input. 239 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender_with_seed_for_testing( 240 EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, 241 const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, 242 const uint8_t *peer_public_key, size_t peer_public_key_len, 243 const uint8_t *info, size_t info_len, const uint8_t *seed, size_t seed_len); 244 245 // EVP_HPKE_CTX_setup_recipient implements the SetupBaseR HPKE operation. It 246 // decapsulates the shared secret in |enc| with |key| and sets up |ctx| as a 247 // recipient context. It returns one on success and zero on failure. Note that 248 // |enc| may be invalid, in which case this function will return an error. 249 // 250 // On success, callers may call |EVP_HPKE_CTX_open| to decrypt messages from the 251 // sender. Callers must then call |EVP_HPKE_CTX_cleanup| when done. On failure, 252 // calling |EVP_HPKE_CTX_cleanup| is safe, but not required. 253 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_recipient( 254 EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, 255 const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len, 256 const uint8_t *info, size_t info_len); 257 258 // EVP_HPKE_CTX_setup_auth_sender implements the SetupAuthS HPKE operation. It 259 // behaves like |EVP_HPKE_CTX_setup_sender| but authenticates the resulting 260 // context with |key|. 261 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender( 262 EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, 263 const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, 264 const uint8_t *peer_public_key, size_t peer_public_key_len, 265 const uint8_t *info, size_t info_len); 266 267 // EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing behaves like 268 // |EVP_HPKE_CTX_setup_auth_sender|, but takes a seed to behave 269 // deterministically. The seed's format depends on |kem|. For X25519, it is the 270 // sender's ephemeral private key. For P256, it's an HKDF input. 271 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing( 272 EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, 273 const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, 274 const uint8_t *peer_public_key, size_t peer_public_key_len, 275 const uint8_t *info, size_t info_len, const uint8_t *seed, size_t seed_len); 276 277 // EVP_HPKE_CTX_setup_auth_recipient implements the SetupAuthR HPKE operation. 278 // It behaves like |EVP_HPKE_CTX_setup_recipient| but checks the resulting 279 // context was authenticated with |peer_public_key|. 280 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_recipient( 281 EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, 282 const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len, 283 const uint8_t *info, size_t info_len, const uint8_t *peer_public_key, 284 size_t peer_public_key_len); 285 286 287 // Using an HPKE context. 288 // 289 // Once set up, callers may encrypt or decrypt with an |EVP_HPKE_CTX| using the 290 // following functions. 291 292 // EVP_HPKE_CTX_open uses the HPKE context |ctx| to authenticate |in_len| bytes 293 // from |in| and |ad_len| bytes from |ad| and to decrypt at most |in_len| bytes 294 // into |out|. It returns one on success, and zero otherwise. 295 // 296 // This operation will fail if the |ctx| context is not set up as a receiver. 297 // 298 // Note that HPKE encryption is stateful and ordered. The sender's first call to 299 // |EVP_HPKE_CTX_seal| must correspond to the recipient's first call to 300 // |EVP_HPKE_CTX_open|, etc. 301 // 302 // At most |in_len| bytes are written to |out|. In order to ensure success, 303 // |max_out_len| should be at least |in_len|. On successful return, |*out_len| 304 // is set to the actual number of bytes written. 305 OPENSSL_EXPORT int EVP_HPKE_CTX_open(EVP_HPKE_CTX *ctx, uint8_t *out, 306 size_t *out_len, size_t max_out_len, 307 const uint8_t *in, size_t in_len, 308 const uint8_t *ad, size_t ad_len); 309 310 // EVP_HPKE_CTX_seal uses the HPKE context |ctx| to encrypt and authenticate 311 // |in_len| bytes of ciphertext |in| and authenticate |ad_len| bytes from |ad|, 312 // writing the result to |out|. It returns one on success and zero otherwise. 313 // 314 // This operation will fail if the |ctx| context is not set up as a sender. 315 // 316 // Note that HPKE encryption is stateful and ordered. The sender's first call to 317 // |EVP_HPKE_CTX_seal| must correspond to the recipient's first call to 318 // |EVP_HPKE_CTX_open|, etc. 319 // 320 // At most, |max_out_len| encrypted bytes are written to |out|. On successful 321 // return, |*out_len| is set to the actual number of bytes written. 322 // 323 // To ensure success, |max_out_len| should be |in_len| plus the result of 324 // |EVP_HPKE_CTX_max_overhead| or |EVP_HPKE_MAX_OVERHEAD|. 325 OPENSSL_EXPORT int EVP_HPKE_CTX_seal(EVP_HPKE_CTX *ctx, uint8_t *out, 326 size_t *out_len, size_t max_out_len, 327 const uint8_t *in, size_t in_len, 328 const uint8_t *ad, size_t ad_len); 329 330 // EVP_HPKE_CTX_export uses the HPKE context |ctx| to export a secret of 331 // |secret_len| bytes into |out|. This function uses |context_len| bytes from 332 // |context| as a context string for the secret. This is necessary to separate 333 // different uses of exported secrets and bind relevant caller-specific context 334 // into the output. It returns one on success and zero otherwise. 335 OPENSSL_EXPORT int EVP_HPKE_CTX_export(const EVP_HPKE_CTX *ctx, uint8_t *out, 336 size_t secret_len, 337 const uint8_t *context, 338 size_t context_len); 339 340 // EVP_HPKE_MAX_OVERHEAD contains the largest value that 341 // |EVP_HPKE_CTX_max_overhead| would ever return for any context. 342 #define EVP_HPKE_MAX_OVERHEAD EVP_AEAD_MAX_OVERHEAD 343 344 // EVP_HPKE_CTX_max_overhead returns the maximum number of additional bytes 345 // added by sealing data with |EVP_HPKE_CTX_seal|. The |ctx| context must be set 346 // up as a sender. 347 OPENSSL_EXPORT size_t EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX *ctx); 348 349 // EVP_HPKE_CTX_kem returns |ctx|'s configured KEM, or NULL if the context has 350 // not been set up. 351 OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_HPKE_CTX_kem(const EVP_HPKE_CTX *ctx); 352 353 // EVP_HPKE_CTX_aead returns |ctx|'s configured AEAD, or NULL if the context has 354 // not been set up. 355 OPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_HPKE_CTX_aead(const EVP_HPKE_CTX *ctx); 356 357 // EVP_HPKE_CTX_kdf returns |ctx|'s configured KDF, or NULL if the context has 358 // not been set up. 359 OPENSSL_EXPORT const EVP_HPKE_KDF *EVP_HPKE_CTX_kdf(const EVP_HPKE_CTX *ctx); 360 361 362 // Private structures. 363 // 364 // The following structures are exported so their types are stack-allocatable, 365 // but accessing or modifying their fields is forbidden. 366 367 struct evp_hpke_ctx_st { 368 const EVP_HPKE_KEM *kem; 369 const EVP_HPKE_AEAD *aead; 370 const EVP_HPKE_KDF *kdf; 371 EVP_AEAD_CTX aead_ctx; 372 uint8_t base_nonce[EVP_AEAD_MAX_NONCE_LENGTH]; 373 uint8_t exporter_secret[EVP_MAX_MD_SIZE]; 374 uint64_t seq; 375 int is_sender; 376 }; 377 378 struct evp_hpke_key_st { 379 const EVP_HPKE_KEM *kem; 380 uint8_t private_key[EVP_HPKE_MAX_PRIVATE_KEY_LENGTH]; 381 uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH]; 382 }; 383 384 385 #if defined(__cplusplus) 386 } // extern C 387 #endif 388 389 #if !defined(BORINGSSL_NO_CXX) 390 extern "C++" { 391 392 BSSL_NAMESPACE_BEGIN 393 394 using ScopedEVP_HPKE_CTX = 395 internal::StackAllocated<EVP_HPKE_CTX, void, EVP_HPKE_CTX_zero, 396 EVP_HPKE_CTX_cleanup>; 397 using ScopedEVP_HPKE_KEY = 398 internal::StackAllocatedMovable<EVP_HPKE_KEY, void, EVP_HPKE_KEY_zero, 399 EVP_HPKE_KEY_cleanup, EVP_HPKE_KEY_move>; 400 401 BORINGSSL_MAKE_DELETER(EVP_HPKE_CTX, EVP_HPKE_CTX_free) 402 BORINGSSL_MAKE_DELETER(EVP_HPKE_KEY, EVP_HPKE_KEY_free) 403 404 BSSL_NAMESPACE_END 405 406 } // extern C++ 407 #endif 408 409 #endif // OPENSSL_HEADER_CRYPTO_HPKE_INTERNAL_H 410