9 files changed, 589 insertions, 1 deletions

diff --git a/doc/man3/EVP_KEM_free.pod b/doc/man3/EVP_KEM_free.pod
new file mode 100644
index 0000000000..0e3ca12ae3
--- /dev/null
+++ b/doc/man3/EVP_KEM_free.pod
@@ -0,0 +1,82 @@
+=pod
+
+=head1 NAME
+
+EVP_KEM_fetch, EVP_KEM_free, EVP_KEM_up_ref,
+EVP_KEM_number, EVP_KEM_is_a, EVP_KEM_provider,
+EVP_KEM_do_all_provided, EVP_KEM_names_do_all
+- Functions to manage EVP_KEM algorithm objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ EVP_KEM *EVP_KEM_fetch(OPENSSL_CTX *ctx, const char *algorithm,
+                        const char *properties);
+ void EVP_KEM_free(EVP_KEM *kem);
+ int EVP_KEM_up_ref(EVP_KEM *kem);
+ int EVP_KEM_number(const EVP_KEM *kem);
+ int EVP_KEM_is_a(const EVP_KEM *kem, const char *name);
+ OSSL_PROVIDER *EVP_KEM_provider(const EVP_KEM *kem);
+ void EVP_KEM_do_all_provided(OPENSSL_CTX *libctx,
+                              void (*fn)(EVP_KEM *kem, void *arg), void *arg);
+ void EVP_KEM_names_do_all(const EVP_KEM *kem,
+                           void (*fn)(const char *name, void *data), void *data);
+
+=head1 DESCRIPTION
+
+EVP_KEM_fetch() fetches the implementation for the given B<algorithm> from any
+provider offering it, within the criteria given by the B<properties> and in the
+scope of the given library context B<ctx> (see L<OPENSSL_CTX(3)>). The algorithm
+will be one offering functions for performing asymmetric kem related tasks such
+as key encapsulation and decapsulation.
+See L<provider(7)/Fetching algorithms> for further information.
+
+The returned value must eventually be freed with EVP_KEM_free().
+
+EVP_KEM_free() decrements the reference count for the B<EVP_KEM> structure.
+Typically this structure will have been obtained from an earlier call to
+EVP_KEM_fetch(). If the reference count drops to 0 then the structure is freed.
+
+EVP_KEM_up_ref() increments the reference count for an B<EVP_KEM> structure.
+
+EVP_KEM_is_a() returns 1 if I<kem> is an implementation of an
+algorithm that's identifiable with I<name>, otherwise 0.
+
+EVP_KEM_provider() returns the provider that I<kem> was fetched from.
+
+EVP_KEM_do_all_provided() traverses all EVP_KEMs implemented by all activated
+providers in the given library context I<libctx>, and for each of the
+implementations, calls the given function I<fn> with the implementation method
+and the given I<arg> as argument.
+
+EVP_KEM_number() returns the internal dynamic number assigned to I<kem>.
+
+EVP_KEM_names_do_all() traverses all names for I<kem>, and calls I<fn> with
+each name and I<data>.
+
+=head1 RETURN VALUES
+
+EVP_KEM_fetch() returns a pointer to an B<EVP_KEM> for success or B<NULL> for
+failure.
+
+EVP_KEM_up_ref() returns 1 for success or 0 otherwise.
+
+=head1 SEE ALSO
+
+L<provider(7)/Fetching algorithms>, L<OSSL_PROVIDER(3)>
+
+=head1 HISTORY
+
+The functions described here were added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
index 794ad2053a..e5c187d950 100644
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
@@ -67,7 +67,8 @@ EVP_PKEY_CTX_set_ecdh_kdf_outlen,
 EVP_PKEY_CTX_get_ecdh_kdf_outlen,
 EVP_PKEY_CTX_set0_ecdh_kdf_ukm,
 EVP_PKEY_CTX_get0_ecdh_kdf_ukm,
-EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len
+EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len,
+EVP_PKEY_CTX_set_kem_op
 - algorithm specific control operations
 
 =head1 SYNOPSIS
@@ -91,6 +92,8 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len
  int EVP_PKEY_CTX_set_group_name(EVP_PKEY_CTX *ctx, const char *name);
  int EVP_PKEY_CTX_get_group_name(EVP_PKEY_CTX *ctx, char *name, size_t namelen);
 
+ int EVP_PKEY_CTX_set_kem_op(EVP_PKEY_CTX *ctx, const char *op);
+
  #include <openssl/rsa.h>
 
  int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad);
@@ -606,6 +609,12 @@ memory for further calls to EVP_PKEY_CTX_get1_id(). EVP_PKEY_CTX_get1_id()
 returns the previously set ID value to caller in I<id>. The caller should
 allocate adequate memory space for the I<id> before calling EVP_PKEY_CTX_get1_id().
 
+EVP_PKEY_CTX_set_kem_op() sets the KEM operation to run. This can be set after
+EVP_PKEY_encapsulate_init() or EVP_PKEY_decapsulate_init() to select the
+kem operation. RSA is the only key type that supports encapsulation currently,
+and as there is no default operation for the RSA type, this function must be
+called before EVP_PKEY_encapsulate() or EVP_PKEY_decapsulate().
+
 =head1 RETURN VALUES
 
 All other functions described on this page return a positive value for success
@@ -623,6 +632,8 @@ L<EVP_PKEY_verify(3)>,
 L<EVP_PKEY_verify_recover(3)>,
 L<EVP_PKEY_derive(3)>,
 L<EVP_PKEY_keygen(3)>
+L<EVP_PKEY_encapsulate(3)>
+L<EVP_PKEY_decapsulate(3)>
 
 =head1 HISTORY
 
diff --git a/doc/man3/EVP_PKEY_decapsulate.pod b/doc/man3/EVP_PKEY_decapsulate.pod
new file mode 100644
index 0000000000..7dd47a1e58
--- /dev/null
+++ b/doc/man3/EVP_PKEY_decapsulate.pod
@@ -0,0 +1,99 @@
+=pod
+
+=head1 NAME
+
+EVP_PKEY_decapsulate_init, EVP_PKEY_decapsulate
+- Key decapsulation using a private key algorithm
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx);
+ int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx,
+                          unsigned char *secret, size_t *secretlen,
+                          const unsigned char *wrapped, size_t wrappedlen);
+
+=head1 DESCRIPTION
+
+The EVP_PKEY_decapsulate_init() function initializes a private key algorithm
+context I<ctx> for a decapsulation operation.
+
+The EVP_PKEY_decapsulate() function performs a private key decapsulation
+operation using I<ctx>. The data to be decapsulated is specified using the
+I<wrapped> and I<wrappedlen> parameters.
+If I<secret> is I<NULL> then the maximum size of the output secret buffer
+is written to the I<*secretlen> parameter. If I<secret> is not B<NULL> and the
+call is successful then the decapsulated secret data is written to I<secret> and
+the amount of data written to I<secretlen>.
+
+=head1 NOTES
+
+After the call to EVP_PKEY_decapsulate_init() algorithm specific parameters
+for the operation may be set using L<EVP_PKEY_CTX_set_params(3)>. There are no
+settable parameters currently.
+
+=head1 RETURN VALUES
+
+EVP_PKEY_decapsulate_init() and EVP_PKEY_decapsulate() return 1 for
+success and 0 or a negative value for failure. In particular a return value of -2
+indicates the operation is not supported by the private key algorithm.
+
+=head1 EXAMPLES
+
+Decapsulate data using RSA:
+
+ #include <openssl/evp.h>
+
+ /*
+  * NB: assumes rsa_priv_key is an RSA private key,
+  * and that in, inlen are already set up to contain encapsulated data.
+  */
+
+ EVP_PKEY_CTX *ctx = NULL;
+ size_t secretlen = 0;
+ unsigned char *secret = NULL;;
+
+ ctx = EVP_PKEY_CTX_new_from_pkey(libctx, rsa_priv_key, NULL);
+ if (ctx = NULL)
+     /* Error */
+ if (EVP_PKEY_decapsulate_init(ctx) <= 0)
+     /* Error */
+
+ /* Set the mode - only 'RSASVE' is currently supported */
+ if (EVP_PKEY_CTX_set_kem_op(ctx, "RSASVE") <= 0)
+     /* Error */
+
+ /* Determine buffer length */
+ if (EVP_PKEY_decapsulate(ctx, NULL, &secretlen, in, inlen) <= 0)
+     /* Error */
+
+ secret = OPENSSL_malloc(secretlen);
+ if (secret == NULL)
+     /* malloc failure */
+
+ /* Decapsulated secret data is secretlen bytes long */
+ if (EVP_PKEY_decapsulaterctx, secret, &secretlen, in, inlen) <= 0)
+     /* Error */
+
+
+=head1 SEE ALSO
+
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_encapsulate(3)>,
+L<EVP_KEM-RSA(7)>,
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/EVP_PKEY_encapsulate.pod b/doc/man3/EVP_PKEY_encapsulate.pod
new file mode 100644
index 0000000000..0e911f71cf
--- /dev/null
+++ b/doc/man3/EVP_PKEY_encapsulate.pod
@@ -0,0 +1,101 @@
+=pod
+
+=head1 NAME
+
+EVP_PKEY_encapsulate_init, EVP_PKEY_encapsulate
+- Key encapsulation using a public key algorithm
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx);
+ int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
+                          unsigned char *out, size_t *outlen,
+                          unsigned char *genkey, size_t *genkeylen);
+
+=head1 DESCRIPTION
+
+The EVP_PKEY_encapsulate_init() function initializes a public key algorithm
+context I<ctx> for an encapsulation operation.
+
+The EVP_PKEY_encapsulate() function performs a public key encapsulation
+operation using I<ctx> with the name I<name>.
+If I<out> is B<NULL> then the maximum size of the output buffer is written to the
+I<*outlen> parameter and the maximum size of the generated key buffer is written
+to I<*genkeylen>. If I<out> is not B<NULL> and the call is successful then the
+internally generated key is written to I<genkey> and its size is written to
+I<*genkeylen>. The encapsulated version of the generated key is written to
+I<out> and its size is written to I<*outlen>.
+
+=head1 NOTES
+
+After the call to EVP_PKEY_encapsulate_init() algorithm specific parameters
+for the operation may be set using L<EVP_PKEY_CTX_set_params(3)>.
+
+=head1 RETURN VALUES
+
+EVP_PKEY_encapsulate_init() and EVP_PKEY_encapsulate() return 1 for
+success and 0 or a negative value for failure. In particular a return value of -2
+indicates the operation is not supported by the public key algorithm.
+
+=head1 EXAMPLES
+
+Encapsulate an RSASVE key (for RSA keys).
+
+ #include <openssl/evp.h>
+
+ /*
+  * NB: assumes rsa_pub_key is an public key of another party.
+  */
+
+ EVP_PKEY_CTX *ctx = NULL;
+ size_t secretlen = 0, outlen = 0;
+ unsigned char *out = NULL, *secret = NULL;
+
+ ctx = EVP_PKEY_CTX_new_from_pkey(libctx, rsa_pub_key, NULL);
+ if (ctx = NULL)
+     /* Error */
+ if (EVP_PKEY_encapsulate_init(ctx) <= 0)
+     /* Error */
+
+ /* Set the mode - only 'RSASVE' is currently supported */
+  if (EVP_PKEY_CTX_set_kem_op(ctx, "RSASVE") <= 0)
+     /* Error */
+ /* Determine buffer length */
+ if (EVP_PKEY_encapsulate(ctx, NULL, &outlen, NULL, &secretlen) <= 0)
+     /* Error */
+
+ out = OPENSSL_malloc(outlen);
+ secret = OPENSSL_malloc(secretlen);
+ if (out == NULL || secret == NULL)
+     /* malloc failure */
+
+ /*
+  * The generated 'secret' can be used as key material.
+  * The encapsulated 'out' can be sent to another party who can
+  * decapsulate it using their private key to retrieve the 'secret'. 
+  */
+ if (EVP_PKEY_encapsulate(ctx, out, &outlen, secret, &secretlen) <= 0)
+     /* Error */
+
+=head1 SEE ALSO
+
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_decapsulate(3)>,
+L<EVP_KEM-RSA(7)>,
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man7/EVP_KEM-RSA.pod b/doc/man7/EVP_KEM-RSA.pod
new file mode 100644
index 0000000000..21dc8ad3dd
--- /dev/null
+++ b/doc/man7/EVP_KEM-RSA.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+EVP_KEM-RSA
+- EVP_KEM RSA keytype and algorithm support
+
+=head1 DESCRIPTION
+
+The B<RSA> keytype and its parameters are described in L<EVP_PKEY-RSA(7)>.
+See L<EVP_PKEY_encapsulate(3)> and L<EVP_PKEY_decapsulate(3)> for more info.
+
+=head2 RSA KEM parameters
+
+=over 4
+
+=item "operation" (B<OSSL_KEM_PARAM_OPERATION>) <UTF8 string>
+
+The OpenSSL RSA Key Encapsulation Mechanism only currently supports the
+following operation
+
+=over 4
+
+=item "RSASVE"
+
+The encapsulate function simply generates a secret using random bytes and then
+encrypts the secret using the RSA public key (with no padding).
+The decapsulate function recovers the secret using the RSA private key.
+
+=back
+
+This can be set using EVP_PKEY_CTX_set_kem_op().
+
+=back
+
+
+=head1 CONFORMING TO
+
+=over 4
+
+=item SP800-56Br2
+
+Section 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
+Section 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).
+
+=back
+
+=head1 SEE ALSO
+
+L<EVP_PKEY_CTX_set_kem_op(3)>,
+L<EVP_PKEY_encapsulate(3)>,
+L<EVP_PKEY_decapsulate(3)>
+L<EVP_KEYMGMT(3)>,
+L<EVP_PKEY(3)>,
+L<provider-keymgmt(7)>
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
index 98c6079d72..b802efe215 100644
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -136,6 +136,14 @@ This has the property "provider=fips,fips=no"
 
 =back
 
+=head2 Asymmetric Key Encapsulation
+
+=over 4
+
+=item RSA, see L<EVP_KEM-RSA(7)>
+
+=back
+
 =head2 Asymmetric Key Management
 
 =over 4
diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod
index a88c0be6e6..848c887b29 100644
--- a/doc/man7/OSSL_PROVIDER-default.pod
+++ b/doc/man7/OSSL_PROVIDER-default.pod
@@ -182,6 +182,14 @@ The OpenSSL default provider supports these operations and algorithms:
 
 =back
 
+=head2 Asymmetric Key Encapsulation
+
+=over 4
+
+=item RSA, see L<EVP_KEM-RSA(7)>
+
+=back
+
 =head2 Asymmetric Key Management
 
 =over 4
diff --git a/doc/man7/provider-kem.pod b/doc/man7/provider-kem.pod
new file mode 100644
index 0000000000..4d16a3e625
--- /dev/null
+++ b/doc/man7/provider-kem.pod
@@ -0,0 +1,207 @@
+=pod
+
+=head1 NAME
+
+provider-kem - The kem library E<lt>-E<gt> provider functions
+
+=head1 SYNOPSIS
+
+=for openssl multiple includes
+
+ #include <openssl/core_dispatch.h>
+ #include <openssl/core_names.h>
+
+ /*
+  * None of these are actual functions, but are displayed like this for
+  * the function signatures for functions that are offered as function
+  * pointers in OSSL_DISPATCH arrays.
+  */
+
+ /* Context management */
+ void *OSSL_FUNC_kem_newctx(void *provctx);
+ void OSSL_FUNC_kem_freectx(void *ctx);
+ void *OSSL_FUNC_kem_dupctx(void *ctx);
+
+ /* Encapsulation */
+ int OSSL_FUNC_kem_encapsulate_init(void *ctx, void *provkey, const char *name);
+ int OSSL_FUNC_kem_encapsulate(void *ctx, unsigned char *out, size_t *outlen,
+                               unsigned char *secret, size_t *secretlen);
+
+ /* Decapsulation */
+ int OSSL_FUNC_kem_decapsulate_init(void *ctx, void *provkey, const char *name);
+ int OSSL_FUNC_kem_decapsulate(void *ctx, unsigned char *out, size_t *outlen,
+                               const unsigned char *in, size_t inlen);
+
+ /* KEM parameters */
+ int OSSL_FUNC_kem_get_ctx_params(void *ctx, OSSL_PARAM params[]);
+ const OSSL_PARAM *OSSL_FUNC_kem_gettable_ctx_params(void *provctx);
+ int OSSL_FUNC_kem_set_ctx_params(void *ctx, const OSSL_PARAM params[]);
+ const OSSL_PARAM *OSSL_FUNC_kem_settable_ctx_params(void *provctx);
+
+=head1 DESCRIPTION
+
+This documentation is primarily aimed at provider authors. See L<provider(7)>
+for further information.
+
+The asymmetric kem (OSSL_OP_KEM) operation enables providers to
+implement asymmetric kem algorithms and make them available to applications
+via the API functions L<EVP_PKEY_encapsulate(3)>,
+L<EVP_PKEY_decapsulate(3)> and other related functions.
+
+All "functions" mentioned here are passed as function pointers between
+F<libcrypto> and the provider in B<OSSL_DISPATCH> arrays via
+B<OSSL_ALGORITHM> arrays that are returned by the provider's
+provider_query_operation() function
+(see L<provider-base(7)/Provider Functions>).
+
+All these "functions" have a corresponding function type definition
+named B<OSSL_{name}_fn>, and a helper function to retrieve the
+function pointer from an B<OSSL_DISPATCH> element named
+B<OSSL_FUNC_{name}>.
+For example, the "function" OSSL_FUNC_kem_newctx() has these:
+
+ typedef void *(OSSL_FUNC_kem_newctx_fn)(void *provctx);
+ static ossl_inline OSSL_FUNC_kem_newctx_fn
+     OSSL_FUNC_kem_newctx(const OSSL_DISPATCH *opf);
+
+B<OSSL_DISPATCH> arrays are indexed by numbers that are provided as
+macros in L<openssl-core_dispatch.h(7)>, as follows:
+
+ OSSL_FUNC_kem_newctx               OSSL_FUNC_KEM_NEWCTX
+ OSSL_FUNC_kem_freectx              OSSL_FUNC_KEM_FREECTX
+ OSSL_FUNC_kem_dupctx               OSSL_FUNC_KEM_DUPCTX
+
+ OSSL_FUNC_kem_encapsulate_init     OSSL_FUNC_KEM_ENCAPSULATE_INIT
+ OSSL_FUNC_kem_encapsulate          OSSL_FUNC_KEM_ENCAPSULATE
+
+ OSSL_FUNC_kem_decapsulate_init     OSSL_FUNC_KEM_DECAPSULATE_INIT
+ OSSL_FUNC_kem_decapsulate          OSSL_FUNC_KEM_DECAPSULATE
+
+ OSSL_FUNC_kem_get_ctx_params       OSSL_FUNC_KEM_GET_CTX_PARAMS
+ OSSL_FUNC_kem_gettable_ctx_params  OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS
+ OSSL_FUNC_kem_set_ctx_params       OSSL_FUNC_KEM_SET_CTX_PARAMS
+ OSSL_FUNC_kem_settable_ctx_params  OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS
+
+An asymmetric kem algorithm implementation may not implement all of these
+functions.
+In order to be a consistent set of functions a provider must implement
+OSSL_FUNC_kem_newctx and OSSL_FUNC_kem_freectx.
+It must also implement both of OSSL_FUNC_kem_encapsulate_init and
+OSSL_FUNC_kem_encapsulate, or both of OSSL_FUNC_kem_decapsulate_init and
+OSSL_FUNC_kem_decapsulate.
+OSSL_FUNC_kem_get_ctx_params is optional but if it is present then so must
+OSSL_FUNC_kem_gettable_ctx_params.
+Similarly, OSSL_FUNC_kem_set_ctx_params is optional but if it is present then
+so must OSSL_FUNC_kem_settable_ctx_params.
+
+An asymmetric kem algorithm must also implement some mechanism for generating,
+loading or importing keys via the key management (OSSL_OP_KEYMGMT) operation.
+See L<provider-keymgmt(7)> for further details.
+
+=head2 Context Management Functions
+
+OSSL_FUNC_kem_newctx() should create and return a pointer to a provider side
+structure for holding context information during an asymmetric kem operation.
+A pointer to this context will be passed back in a number of the other
+asymmetric kem operation function calls.
+The parameter I<provctx> is the provider context generated during provider
+initialisation (see L<provider(7)>).
+
+OSSL_FUNC_kem_freectx() is passed a pointer to the provider side asymmetric
+kem context in the I<ctx> parameter.
+This function should free any resources associated with that context.
+
+OSSL_FUNC_kem_dupctx() should duplicate the provider side asymmetric kem
+context in the I<ctx> parameter and return the duplicate copy.
+
+=head2 Asymmetric Key Encapsulation Functions
+
+OSSL_FUNC_kem_encapsulate_init() initialises a context for an asymmetric
+encapsulation given a provider side asymmetric kem context in the I<ctx>
+parameter, a pointer to a provider key object in the I<provkey> parameter and
+the I<name> of the algorithm.
+The key object should have been previously generated, loaded or imported into
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see
+provider-keymgmt(7)>.
+
+OSSL_FUNC_kem_encapsulate() performs the actual encapsulation itself.
+A previously initialised asymmetric kem context is passed in the I<ctx>
+parameter.
+Unless I<out> is NULL, the data to be encapsulated is internally generated,
+and returned into the the buffer pointed to by the I<secret> parameter and the
+encapsulated data should also be written to the location pointed to by the
+I<out> parameter. The length of the encapsulated data should be written to
+I<*outlen> and the length of the generated secret should be written to
+I<*secretlen>.
+
+If I<out> is NULL then the maximum length of the encapsulated data should be
+written to I<*outlen>, and the maximum length of the generated secret should be
+written to I<*secretlen>.
+
+=head2 Decapsulation Functions
+
+OSSL_FUNC_kem_decapsulate_init() initialises a context for an asymmetric
+decapsulation given a provider side asymmetric kem context in the I<ctx>
+parameter, a pointer to a provider key object in the I<provkey> parameter, and
+a I<name> of the algorithm.
+The key object should have been previously generated, loaded or imported into
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see
+provider-keymgmt(7)>.
+
+OSSL_FUNC_kem_decapsulate() performs the actual decapsulation itself.
+A previously initialised asymmetric kem context is passed in the I<ctx>
+parameter.
+The data to be decapsulated is pointed to by the I<in> parameter which is I<inlen>
+bytes long.
+Unless I<out> is NULL, the decapsulated data should be written to the location
+pointed to by the I<out> parameter.
+The length of the decapsulated data should be written to I<*outlen>.
+If I<out> is NULL then the maximum length of the decapsulated data should be
+written to I<*outlen>.
+
+=head2 Asymmetric Key Encapsulation Parameters
+
+See L<OSSL_PARAM(3)> for further details on the parameters structure used by
+the OSSL_FUNC_kem_get_ctx_params() and OSSL_FUNC_kem_set_ctx_params()
+functions.
+
+OSSL_FUNC_kem_get_ctx_params() gets asymmetric kem parameters associated
+with the given provider side asymmetric kem context I<ctx> and stores them in
+I<params>.
+OSSL_FUNC_kem_set_ctx_params() sets the asymmetric kem parameters associated
+with the given provider side asymmetric kem context I<ctx> to I<params>.
+Any parameter settings are additional to any that were previously set.
+
+No parameters are currently recognised by built-in asymmetric kem algorithms.
+
+OSSL_FUNC_kem_gettable_ctx_params() and OSSL_FUNC_kem_settable_ctx_params()
+get a constant B<OSSL_PARAM> array that describes the gettable and settable
+parameters, i.e. parameters that can be used with OSSL_FUNC_kem_get_ctx_params()
+and OSSL_FUNC_kem_set_ctx_params() respectively.
+See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as parameter descriptor.
+
+=head1 RETURN VALUES
+
+OSSL_FUNC_kem_newctx() and OSSL_FUNC_kem_dupctx() should return the newly
+created provider side asymmetric kem context, or NULL on failure.
+
+All other functions should return 1 for success or 0 on error.
+
+=head1 SEE ALSO
+
+L<provider(7)>
+
+=head1 HISTORY
+
+The provider KEM interface was introduced in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man7/provider.pod b/doc/man7/provider.pod
index 2f7f019650..ead37b5769 100644
--- a/doc/man7/provider.pod
+++ b/doc/man7/provider.pod
@@ -154,6 +154,12 @@ The number for this operation is B<OSSL_OP_ASYM_CIPHER>.
 The functions the provider can offer are described in
 L<provider-asym_cipher(7)>
 
+=item Asymmetric Key Encapsulation
+
+In the OpenSSL libraries, the corresponding method object is B<EVP_KEM>.
+The number for this operation is B<OSSL_OP_KEM>.
+The functions the provider can offer are described in L<provider-kem(7)>
+
 =item Encoding
 
 In the OpenSSL libraries, the corresponding method object is