react-native-quick-crypto 1.0.0 → 1.0.1

package/deps/ncrypto/{ncrypto.cc → src/ncrypto.cpp}

@@ -1,4 +1,5 @@
 #include "ncrypto.h"
+
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -7,8 +8,21 @@
 #include <openssl/pkcs12.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
+
+#ifndef NCRYPTO_NO_KDF_H
+#include <openssl/kdf.h>
+#else
+#include <openssl/hkdf.h>
+#endif
+
 #include <algorithm>
+#include <array>
+#include <cctype>
+#include <climits>
 #include <cstring>
+#include <string_view>
+#include <vector>
+
 #if OPENSSL_VERSION_MAJOR >= 3
 #include <openssl/core_names.h>
 #include <openssl/params.h>
@@ -57,6 +71,8 @@ constexpr static PQCMapping pqc_mappings[] = {
                     nullptr)
 #endif
 
+// ============================================================================
+
 namespace ncrypto {
 namespace {
 using BignumCtxPointer = DeleteFnPtr<BN_CTX, BN_CTX_free>;
@@ -245,7 +261,7 @@ Buffer<void> DataPointer::release() {
 DataPointer DataPointer::resize(size_t len) {
   size_t actual_len = std::min(len_, len);
   auto buf = release();
-  if (actual_len == len_) return DataPointer(buf.data, actual_len);
+  if (actual_len == len_) return DataPointer(buf);
   buf.data = OPENSSL_realloc(buf.data, actual_len);
   buf.len = actual_len;
   return DataPointer(buf);
@@ -286,7 +302,7 @@ bool testFipsEnabled() {
 #else
 #ifdef OPENSSL_FIPS
   return FIPS_selftest();
-#else  // OPENSSL_FIPS
+#else   // OPENSSL_FIPS
   return false;
 #endif  // OPENSSL_FIPS
 #endif
@@ -338,10 +354,15 @@ BIGNUM* BignumPointer::release() {
 }
 
 size_t BignumPointer::byteLength() const {
-  if (bn_ == nullptr) return 0;
+  if (!bn_) return 0;
   return BN_num_bytes(bn_.get());
 }
 
+size_t BignumPointer::bitLength() const {
+  if (!bn_) return 0;
+  return BN_num_bits(bn_.get());
+}
+
 DataPointer BignumPointer::encode() const {
   return EncodePadded(bn_.get(), byteLength());
 }
@@ -451,6 +472,7 @@ int BignumPointer::isPrime(int nchecks,
         // TODO(@jasnell): This could be refactored to allow inlining.
         // Not too important right now tho.
         [](int a, int b, BN_GENCB* ctx) mutable -> int {
+          // BN_GENCB is opaque in OpenSSL 3.x, must use accessor
           PrimeCheckCallback& ptr =
               *static_cast<PrimeCheckCallback*>(BN_GENCB_get_arg(ctx));
           return ptr(a, b) ? 1 : 0;
@@ -482,6 +504,7 @@ bool BignumPointer::generate(const PrimeConfig& params,
     BN_GENCB_set(
         cb.get(),
         [](int a, int b, BN_GENCB* ctx) mutable -> int {
+          // BN_GENCB is opaque in OpenSSL 3.x, must use accessor
           PrimeCheckCallback& ptr =
               *static_cast<PrimeCheckCallback*>(BN_GENCB_get_arg(ctx));
           return ptr(a, b) ? 1 : 0;
@@ -612,7 +635,9 @@ int64_t PortableTimeGM(struct tm* t) {
 // ============================================================================
 // SPKAC
 
-bool VerifySpkac(const char* input, size_t length) {
+namespace {
+bool VerifySpkacImpl(const char* input, size_t length) {
+  ClearErrorOnReturn clearErrorOnReturn;
 #ifdef OPENSSL_IS_BORINGSSL
   // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
   // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not.
@@ -630,9 +655,11 @@ bool VerifySpkac(const char* input, size_t length) {
   return pkey ? NETSCAPE_SPKI_verify(spki.get(), pkey.get()) > 0 : false;
 }
 
-BIOPointer ExportPublicKey(const char* input, size_t length) {
-  BIOPointer bio(BIO_new(BIO_s_mem()));
-  if (!bio) return {};
+BIOPointer ExportPublicKeyImpl(const char* input, size_t length) {
+  ClearErrorOnReturn clearErrorOnReturn;
+  auto bio = BIOPointer::NewMem();
+  if (!bio) [[unlikely]]
+    return {};
 
 #ifdef OPENSSL_IS_BORINGSSL
   // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
@@ -641,17 +668,21 @@ BIOPointer ExportPublicKey(const char* input, size_t length) {
   length = std::string_view(input, length).find_last_not_of(" \n\r\t") + 1;
 #endif
   NetscapeSPKIPointer spki(NETSCAPE_SPKI_b64_decode(input, length));
-  if (!spki) return {};
+  if (!spki) [[unlikely]] {
+    return {};
+  }
 
   EVPKeyPointer pkey(NETSCAPE_SPKI_get_pubkey(spki.get()));
-  if (!pkey) return {};
 
-  if (PEM_write_bio_PUBKEY(bio.get(), pkey.get()) <= 0) return {};
+  if (!pkey || PEM_write_bio_PUBKEY(bio.get(), pkey.get()) <= 0) [[unlikely]] {
+    return {};
+  }
 
   return bio;
 }
 
-Buffer<char> ExportChallenge(const char* input, size_t length) {
+DataPointer ExportChallengeImpl(const char* input, size_t length) {
+  ClearErrorOnReturn clearErrorOnReturn;
 #ifdef OPENSSL_IS_BORINGSSL
   // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
   // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not.
@@ -664,14 +695,46 @@ Buffer<char> ExportChallenge(const char* input, size_t length) {
   unsigned char* buf = nullptr;
   int buf_size = ASN1_STRING_to_UTF8(&buf, sp->spkac->challenge);
   if (buf_size >= 0) {
-    return {
+    return DataPointer({
         .data = reinterpret_cast<char*>(buf),
         .len = static_cast<size_t>(buf_size),
-    };
+    });
   }
 
   return {};
 }
+}  // namespace
+
+bool VerifySpkac(const Buffer<const char>& input) {
+  return VerifySpkacImpl(input.data, input.len);
+}
+
+BIOPointer ExportPublicKey(const Buffer<const char>& input) {
+  return ExportPublicKeyImpl(input.data, input.len);
+}
+
+DataPointer ExportChallenge(const Buffer<const char>& input) {
+  return ExportChallengeImpl(input.data, input.len);
+}
+
+bool VerifySpkac(const char* input, size_t length) {
+  return VerifySpkacImpl(input, length);
+}
+
+BIOPointer ExportPublicKey(const char* input, size_t length) {
+  return ExportPublicKeyImpl(input, length);
+}
+
+Buffer<char> ExportChallenge(const char* input, size_t length) {
+  if (auto dp = ExportChallengeImpl(input, length)) {
+    auto released = dp.release();
+    return Buffer<char>{
+        .data = static_cast<char*>(released.data),
+        .len = released.len,
+    };
+  }
+  return {};
+}
 
 // ============================================================================
 namespace {
@@ -1094,8 +1157,32 @@ BIOPointer X509View::getValidTo() const {
   return bio;
 }
 
+std::optional<std::string_view> X509View::getSignatureAlgorithm() const {
+  if (cert_ == nullptr) return std::nullopt;
+  int nid = X509_get_signature_nid(cert_);
+  if (nid == NID_undef) return std::nullopt;
+  const char* ln = OBJ_nid2ln(nid);
+  if (ln == nullptr) return std::nullopt;
+  return std::string_view(ln);
+}
+
+std::optional<std::string> X509View::getSignatureAlgorithmOID() const {
+  if (cert_ == nullptr) return std::nullopt;
+  const X509_ALGOR* alg = nullptr;
+  X509_get0_signature(nullptr, &alg, cert_);
+  if (alg == nullptr) return std::nullopt;
+  const ASN1_OBJECT* obj = nullptr;
+  X509_ALGOR_get0(&obj, nullptr, nullptr, alg);
+  if (obj == nullptr) return std::nullopt;
+  std::array<char, 128> buf{};
+  int len = OBJ_obj2txt(buf.data(), buf.size(), obj, 1);
+  if (len < 0 || static_cast<size_t>(len) >= buf.size()) return std::nullopt;
+  return std::string(buf.data(), static_cast<size_t>(len));
+}
+
 int64_t X509View::getValidToTime() const {
 #ifdef OPENSSL_IS_BORINGSSL
+#ifndef NCRYPTO_NO_ASN1_TIME
   // Boringssl does not implement ASN1_TIME_to_tm in a public way,
   // and only recently added ASN1_TIME_to_posix. Some boringssl
   // users on older version may still need to patch around this
@@ -1104,6 +1191,11 @@ int64_t X509View::getValidToTime() const {
   ASN1_TIME_to_posix(X509_get0_notAfter(cert_), &tp);
   return tp;
 #else
+  // Older versions of Boringssl do not implement the ASN1_TIME_to_*
+  // version functions. For now, neither shall we.
+  return 0LL;
+#endif  // NCRYPTO_NO_ASN1_TIME
+#else   // OPENSSL_IS_BORINGSSL
   struct tm tp;
   ASN1_TIME_to_tm(X509_get0_notAfter(cert_), &tp);
   return PortableTimeGM(&tp);
@@ -1112,9 +1204,15 @@ int64_t X509View::getValidToTime() const {
 
 int64_t X509View::getValidFromTime() const {
 #ifdef OPENSSL_IS_BORINGSSL
+#ifndef NCRYPTO_NO_ASN1_TIME
   int64_t tp;
   ASN1_TIME_to_posix(X509_get0_notBefore(cert_), &tp);
   return tp;
+#else
+  // Older versions of Boringssl do not implement the ASN1_TIME_to_*
+  // version functions. For now, neither shall we.
+  return 0LL;
+#endif  // NCRYPTO_NO_ASN1_TIME
 #else
   struct tm tp;
   ASN1_TIME_to_tm(X509_get0_notBefore(cert_), &tp);
@@ -1308,10 +1406,16 @@ bool X509View::enumUsages(UsageCallback callback) const {
 
 bool X509View::ifRsa(KeyCallback<Rsa> callback) const {
   if (cert_ == nullptr) return true;
-  OSSL3_CONST EVP_PKEY* pkey = X509_get0_pubkey(cert_);
-  auto id = EVP_PKEY_id(pkey);
+  // The const_cast is a bit unfortunate. The X509_get_pubkey API accepts
+  // a const X509* in newer versions of openssl and boringssl but a non-const
+  // X509* in older versions. By removing the const if it exists we can
+  // support both.
+  EVPKeyPointer pkey(X509_get_pubkey(const_cast<X509*>(cert_)));
+  if (!pkey) [[unlikely]]
+    return true;
+  auto id = pkey.id();
   if (id == EVP_PKEY_RSA || id == EVP_PKEY_RSA2 || id == EVP_PKEY_RSA_PSS) {
-    Rsa rsa(EVP_PKEY_get0_RSA(pkey));
+    Rsa rsa = pkey;
     if (!rsa) [[unlikely]]
       return true;
     return callback(rsa);
@@ -1321,10 +1425,16 @@ bool X509View::ifRsa(KeyCallback<Rsa> callback) const {
 
 bool X509View::ifEc(KeyCallback<Ec> callback) const {
   if (cert_ == nullptr) return true;
-  OSSL3_CONST EVP_PKEY* pkey = X509_get0_pubkey(cert_);
-  auto id = EVP_PKEY_id(pkey);
+  // The const_cast is a bit unfortunate. The X509_get_pubkey API accepts
+  // a const X509* in newer versions of openssl and boringssl but a non-const
+  // X509* in older versions. By removing the const if it exists we can
+  // support both.
+  EVPKeyPointer pkey(X509_get_pubkey(const_cast<X509*>(cert_)));
+  if (!pkey) [[unlikely]]
+    return true;
+  auto id = pkey.id();
   if (id == EVP_PKEY_EC) {
-    Ec ec(EVP_PKEY_get0_EC_KEY(pkey));
+    Ec ec = pkey;
     if (!ec) [[unlikely]]
       return true;
     return callback(ec);
@@ -1758,18 +1868,28 @@ bool checkHkdfLength(const Digest& md, size_t length) {
   return true;
 }
 
-DataPointer hkdf(const Digest& md,
-                 const Buffer<const unsigned char>& key,
-                 const Buffer<const unsigned char>& info,
-                 const Buffer<const unsigned char>& salt,
-                 size_t length) {
+bool hkdfInfo(const Digest& md,
+              const Buffer<const unsigned char>& key,
+              const Buffer<const unsigned char>& info,
+              const Buffer<const unsigned char>& salt,
+              size_t length,
+              Buffer<unsigned char>* out) {
   ClearErrorOnReturn clearErrorOnReturn;
 
   if (!checkHkdfLength(md, length) || info.len > INT_MAX ||
       salt.len > INT_MAX) {
-    return {};
+    return false;
+  }
+
+  std::string_view actual_salt;
+  static const char default_salt[EVP_MAX_MD_SIZE] = {0};
+  if (salt.len > 0) {
+    actual_salt = {reinterpret_cast<const char*>(salt.data), salt.len};
+  } else {
+    actual_salt = {default_salt, static_cast<unsigned>(md.size())};
   }
 
+#ifndef NCRYPTO_NO_KDF_H
   auto ctx = EVPKeyCtxPointer::NewFromID(EVP_PKEY_HKDF);
   // OpenSSL < 3.0.0 accepted only a void* as the argument of
   // EVP_PKEY_CTX_set_hkdf_md.
@@ -1777,22 +1897,14 @@ DataPointer hkdf(const Digest& md,
   if (!ctx || !EVP_PKEY_derive_init(ctx.get()) ||
       !EVP_PKEY_CTX_set_hkdf_md(ctx.get(), md_ptr) ||
       !EVP_PKEY_CTX_add1_hkdf_info(ctx.get(), info.data, info.len)) {
-    return {};
-  }
-
-  std::string_view actual_salt;
-  static const char default_salt[EVP_MAX_MD_SIZE] = {0};
-  if (salt.len > 0) {
-    actual_salt = {reinterpret_cast<const char*>(salt.data), salt.len};
-  } else {
-    actual_salt = {default_salt, static_cast<unsigned>(md.size())};
+    return false;
   }
 
   // We do not use EVP_PKEY_HKDF_MODE_EXTRACT_AND_EXPAND because and instead
   // implement the extraction step ourselves because EVP_PKEY_derive does not
   // handle zero-length keys, which are required for Web Crypto.
   // TODO(jasnell): Once OpenSSL 1.1.1 support is dropped completely, and once
-  // BoringSSL is confirmed to support it, wen can hopefully drop this and use
+  // BoringSSL is confirmed to support it, we can hopefully drop this and use
   // EVP_KDF directly which does support zero length keys.
   unsigned char pseudorandom_key[EVP_MAX_MD_SIZE];
   unsigned pseudorandom_key_len = sizeof(pseudorandom_key);
@@ -1804,23 +1916,41 @@ DataPointer hkdf(const Digest& md,
            key.len,
            pseudorandom_key,
            &pseudorandom_key_len) == nullptr) {
-    return {};
+    return false;
   }
   if (!EVP_PKEY_CTX_hkdf_mode(ctx.get(), EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) ||
       !EVP_PKEY_CTX_set1_hkdf_key(
           ctx.get(), pseudorandom_key, pseudorandom_key_len)) {
-    return {};
+    return false;
   }
 
+  if (out == nullptr || out->len != length) return false;
+
+  return EVP_PKEY_derive(ctx.get(), out->data, &length) > 0;
+#else
+  return HKDF(out->data,
+              length,
+              md,
+              key.data,
+              key.len,
+              salt.data,
+              salt.len,
+              info.data,
+              info.len);
+#endif
+}
+
+DataPointer hkdf(const Digest& md,
+                 const Buffer<const unsigned char>& key,
+                 const Buffer<const unsigned char>& info,
+                 const Buffer<const unsigned char>& salt,
+                 size_t length) {
   auto buf = DataPointer::Alloc(length);
   if (!buf) return {};
+  Buffer<unsigned char> out = buf;
 
-  if (EVP_PKEY_derive(
-          ctx.get(), static_cast<unsigned char*>(buf.get()), &length) <= 0) {
-    return {};
-  }
-
-  return buf;
+  return hkdfInfo(md, key, info, salt, length, &out) ? std::move(buf)
+                                                     : DataPointer();
 }
 
 bool checkScryptParams(uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem) {
@@ -1828,6 +1958,36 @@ bool checkScryptParams(uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem) {
          1;
 }
 
+bool scryptInto(const Buffer<const char>& pass,
+                const Buffer<const unsigned char>& salt,
+                uint64_t N,
+                uint64_t r,
+                uint64_t p,
+                uint64_t maxmem,
+                size_t length,
+                Buffer<unsigned char>* out) {
+  ClearErrorOnReturn clearErrorOnReturn;
+
+  if (pass.len > INT_MAX || salt.len > INT_MAX || out == nullptr) {
+    return false;
+  }
+
+  if (auto dp = DataPointer::Alloc(length)) {
+    return EVP_PBE_scrypt(pass.data,
+                          pass.len,
+                          salt.data,
+                          salt.len,
+                          N,
+                          r,
+                          p,
+                          maxmem,
+                          out->data,
+                          length);
+  }
+
+  return false;
+}
+
 DataPointer scrypt(const Buffer<const char>& pass,
                    const Buffer<const unsigned char>& salt,
                    uint64_t N,
@@ -1835,27 +1995,42 @@ DataPointer scrypt(const Buffer<const char>& pass,
                    uint64_t p,
                    uint64_t maxmem,
                    size_t length) {
+  if (auto dp = DataPointer::Alloc(length)) {
+    Buffer<unsigned char> buf = dp;
+    if (scryptInto(pass, salt, N, r, p, maxmem, length, &buf)) {
+      return dp;
+    }
+  }
+
+  return {};
+}
+
+bool pbkdf2Into(const Digest& md,
+                const Buffer<const char>& pass,
+                const Buffer<const unsigned char>& salt,
+                uint32_t iterations,
+                size_t length,
+                Buffer<unsigned char>* out) {
   ClearErrorOnReturn clearErrorOnReturn;
 
-  if (pass.len > INT_MAX || salt.len > INT_MAX) {
-    return {};
+  if (pass.len > INT_MAX || salt.len > INT_MAX || length > INT_MAX ||
+      out == nullptr) {
+    return false;
   }
 
-  auto dp = DataPointer::Alloc(length);
-  if (dp && EVP_PBE_scrypt(pass.data,
-                           pass.len,
-                           salt.data,
-                           salt.len,
-                           N,
-                           r,
-                           p,
-                           maxmem,
-                           reinterpret_cast<unsigned char*>(dp.get()),
-                           length)) {
-    return dp;
+  const EVP_MD* md_ptr = md;
+  if (PKCS5_PBKDF2_HMAC(pass.data,
+                        pass.len,
+                        salt.data,
+                        salt.len,
+                        iterations,
+                        md_ptr,
+                        length,
+                        out->data)) {
+    return true;
   }
 
-  return {};
+  return false;
 }
 
 DataPointer pbkdf2(const Digest& md,
@@ -1863,23 +2038,11 @@ DataPointer pbkdf2(const Digest& md,
                    const Buffer<const unsigned char>& salt,
                    uint32_t iterations,
                    size_t length) {
-  ClearErrorOnReturn clearErrorOnReturn;
-
-  if (pass.len > INT_MAX || salt.len > INT_MAX || length > INT_MAX) {
-    return {};
-  }
-
-  auto dp = DataPointer::Alloc(length);
-  const EVP_MD* md_ptr = md;
-  if (dp && PKCS5_PBKDF2_HMAC(pass.data,
-                              pass.len,
-                              salt.data,
-                              salt.len,
-                              iterations,
-                              md_ptr,
-                              length,
-                              reinterpret_cast<unsigned char*>(dp.get()))) {
-    return dp;
+  if (auto dp = DataPointer::Alloc(length)) {
+    Buffer<unsigned char> buf = dp;
+    if (pbkdf2Into(md, pass, salt, iterations, length, &buf)) {
+      return dp;
+    }
   }
 
   return {};
@@ -2052,6 +2215,7 @@ EVPKeyPointer EVPKeyPointer::NewRawSeed(
 #endif
 
 EVPKeyPointer EVPKeyPointer::NewDH(DHPointer&& dh) {
+#ifndef NCRYPTO_NO_EVP_DH
   if (!dh) return {};
   auto key = New();
   if (!key) return {};
@@ -2059,6 +2223,11 @@ EVPKeyPointer EVPKeyPointer::NewDH(DHPointer&& dh) {
     dh.release();
   }
   return key;
+#else
+  // Older versions of openssl/boringssl do not implement the EVP_PKEY_*_DH
+  // APIs
+  return {};
+#endif
 }
 
 EVPKeyPointer EVPKeyPointer::NewRSA(RSAPointer&& rsa) {
@@ -2076,6 +2245,12 @@ EVPKeyPointer::EVPKeyPointer(EVP_PKEY* pkey) : pkey_(pkey) {}
 EVPKeyPointer::EVPKeyPointer(EVPKeyPointer&& other) noexcept
     : pkey_(other.release()) {}
 
+EVPKeyPointer EVPKeyPointer::clone() const {
+  if (!pkey_) return {};
+  if (!EVP_PKEY_up_ref(pkey_.get())) return {};
+  return EVPKeyPointer(pkey_.get());
+}
+
 EVPKeyPointer& EVPKeyPointer::operator=(EVPKeyPointer&& other) noexcept {
   if (this == &other) return *this;
   this->~EVPKeyPointer();
@@ -2424,6 +2599,7 @@ EVPKeyPointer::ParseKeyResult EVPKeyPointer::TryParsePrivateKey(
           ERR_GET_REASON(err) == PEM_R_BAD_PASSWORD_READ && !had_passphrase) {
         return ParseKeyResult(PKParseError::NEED_PASSPHRASE);
       }
+
       return ParseKeyResult(PKParseError::FAILED, err);
     }
     if (!pkey) return ParseKeyResult(PKParseError::FAILED);
@@ -2499,11 +2675,8 @@ Result<BIOPointer, bool> EVPKeyPointer::writePrivateKey(
       // PKCS1 is only permitted for RSA keys.
       if (id() != EVP_PKEY_RSA) return Result<BIOPointer, bool>(false);
 
-#if OPENSSL_VERSION_MAJOR >= 3
-      const RSA* rsa = EVP_PKEY_get0_RSA(get());
-#else
-      RSA* rsa = EVP_PKEY_get0_RSA(get());
-#endif
+      OSSL3_CONST RSA* rsa = EVP_PKEY_get0_RSA(get());
+
       switch (config.format) {
         case PKFormatType::PEM: {
           err = PEM_write_bio_RSAPrivateKey(
@@ -2562,11 +2735,8 @@ Result<BIOPointer, bool> EVPKeyPointer::writePrivateKey(
       // SEC1 is only permitted for EC keys
       if (id() != EVP_PKEY_EC) return Result<BIOPointer, bool>(false);
 
-#if OPENSSL_VERSION_MAJOR >= 3
-      const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(get());
-#else
-      EC_KEY* ec = EVP_PKEY_get0_EC_KEY(get());
-#endif
+      OSSL3_CONST EC_KEY* ec = EVP_PKEY_get0_EC_KEY(get());
+
       switch (config.format) {
         case PKFormatType::PEM: {
           err = PEM_write_bio_ECPrivateKey(
@@ -2742,6 +2912,15 @@ EVPKeyPointer::operator Dsa() const {
   return Dsa(dsa);
 }
 
+EVPKeyPointer::operator Ec() const {
+  int type = id();
+  if (type != EVP_PKEY_EC) return {};
+
+  OSSL3_CONST EC_KEY* ec = EVP_PKEY_get0_EC_KEY(get());
+  if (ec == nullptr) return {};
+  return Ec(ec);
+}
+
 bool EVPKeyPointer::validateDsaParameters() const {
   if (!pkey_) return false;
     /* Validate DSA2 parameters from FIPS 186-4 */
@@ -3024,7 +3203,13 @@ SSLCtxPointer SSLCtxPointer::New(const SSL_METHOD* method) {
 }
 
 bool SSLCtxPointer::setGroups(const char* groups) {
+#ifndef NCRYPTO_NO_SSL_GROUP_LIST
   return SSL_CTX_set1_groups_list(get(), groups) == 1;
+#else
+  // Older versions of openssl/boringssl do not implement the
+  // SSL_CTX_set1_groups_list API
+  return false;
+#endif
 }
 
 bool SSLCtxPointer::setCipherSuites(const char* ciphers) {
@@ -3037,6 +3222,36 @@ bool SSLCtxPointer::setCipherSuites(const char* ciphers) {
   return true;
 #endif
 }
+// ============================================================================
+
+template <typename T>
+std::string_view ModeMixin<T>::getModeLabel() const {
+  switch (self().getMode()) {
+    case EVP_CIPH_CCM_MODE:
+      return "ccm";
+    case EVP_CIPH_CFB_MODE:
+      return "cfb";
+    case EVP_CIPH_CBC_MODE:
+      return "cbc";
+    case EVP_CIPH_CTR_MODE:
+      return "ctr";
+    case EVP_CIPH_ECB_MODE:
+      return "ecb";
+    case EVP_CIPH_GCM_MODE:
+      return "gcm";
+    case EVP_CIPH_OCB_MODE:
+      return "ocb";
+    case EVP_CIPH_OFB_MODE:
+      return "ofb";
+    case EVP_CIPH_WRAP_MODE:
+      return "wrap";
+    case EVP_CIPH_XTS_MODE:
+      return "xts";
+    case EVP_CIPH_STREAM_CIPHER:
+      return "stream";
+  }
+  return "{unknown}";
+}
 
 // ============================================================================
 
@@ -3065,40 +3280,14 @@ const Cipher Cipher::AES_256_GCM = Cipher::FromNid(NID_aes_256_gcm);
 const Cipher Cipher::AES_128_KW = Cipher::FromNid(NID_id_aes128_wrap);
 const Cipher Cipher::AES_192_KW = Cipher::FromNid(NID_id_aes192_wrap);
 const Cipher Cipher::AES_256_KW = Cipher::FromNid(NID_id_aes256_wrap);
+
+#ifndef OPENSSL_IS_BORINGSSL
 const Cipher Cipher::AES_128_OCB = Cipher::FromNid(NID_aes_128_ocb);
 const Cipher Cipher::AES_192_OCB = Cipher::FromNid(NID_aes_192_ocb);
 const Cipher Cipher::AES_256_OCB = Cipher::FromNid(NID_aes_256_ocb);
-const Cipher Cipher::CHACHA20_POLY1305 = Cipher::FromNid(NID_chacha20_poly1305);
-
-bool Cipher::isGcmMode() const {
-  if (!cipher_) return false;
-  return getMode() == EVP_CIPH_GCM_MODE;
-}
-
-bool Cipher::isWrapMode() const {
-  if (!cipher_) return false;
-  return getMode() == EVP_CIPH_WRAP_MODE;
-}
-
-bool Cipher::isCtrMode() const {
-  if (!cipher_) return false;
-  return getMode() == EVP_CIPH_CTR_MODE;
-}
-
-bool Cipher::isCcmMode() const {
-  if (!cipher_) return false;
-  return getMode() == EVP_CIPH_CCM_MODE;
-}
-
-bool Cipher::isOcbMode() const {
-  if (!cipher_) return false;
-  return getMode() == EVP_CIPH_OCB_MODE;
-}
+#endif
 
-bool Cipher::isStreamMode() const {
-  if (!cipher_) return false;
-  return getMode() == EVP_CIPH_STREAM_CIPHER;
-}
+const Cipher Cipher::CHACHA20_POLY1305 = Cipher::FromNid(NID_chacha20_poly1305);
 
 bool Cipher::isChaCha20Poly1305() const {
   if (!cipher_) return false;
@@ -3106,7 +3295,7 @@ bool Cipher::isChaCha20Poly1305() const {
 }
 
 int Cipher::getMode() const {
-  if (!cipher_) return 0;
+  if (!cipher_) return -1;
   return EVP_CIPHER_mode(cipher_);
 }
 
@@ -3130,35 +3319,6 @@ int Cipher::getNid() const {
   return EVP_CIPHER_nid(cipher_);
 }
 
-std::string_view Cipher::getModeLabel() const {
-  if (!cipher_) return {};
-  switch (getMode()) {
-    case EVP_CIPH_CCM_MODE:
-      return "ccm";
-    case EVP_CIPH_CFB_MODE:
-      return "cfb";
-    case EVP_CIPH_CBC_MODE:
-      return "cbc";
-    case EVP_CIPH_CTR_MODE:
-      return "ctr";
-    case EVP_CIPH_ECB_MODE:
-      return "ecb";
-    case EVP_CIPH_GCM_MODE:
-      return "gcm";
-    case EVP_CIPH_OCB_MODE:
-      return "ocb";
-    case EVP_CIPH_OFB_MODE:
-      return "ofb";
-    case EVP_CIPH_WRAP_MODE:
-      return "wrap";
-    case EVP_CIPH_XTS_MODE:
-      return "xts";
-    case EVP_CIPH_STREAM_CIPHER:
-      return "stream";
-  }
-  return "{unknown}";
-}
-
 const char* Cipher::getName() const {
   if (!cipher_) return {};
   // OBJ_nid2sn(EVP_CIPHER_nid(cipher)) is used here instead of
@@ -3189,22 +3349,92 @@ int Cipher::bytesToKey(const Digest& digest,
       *this, Digest::MD5, nullptr, input.data, input.len, 1, key, iv);
 }
 
-// ============================================================================
-
-CipherCtxPointer CipherCtxPointer::New() {
-  auto ret = CipherCtxPointer(EVP_CIPHER_CTX_new());
-  if (!ret) return {};
-  EVP_CIPHER_CTX_init(ret.get());
-  return ret;
-}
-
-CipherCtxPointer::CipherCtxPointer(EVP_CIPHER_CTX* ctx) : ctx_(ctx) {}
+template class ModeMixin<Cipher>;
 
-CipherCtxPointer::CipherCtxPointer(CipherCtxPointer&& other) noexcept
-    : ctx_(other.release()) {}
+namespace {
+struct CipherCallbackContext {
+  Cipher::CipherNameCallback cb;
+  void operator()(const char* name) { cb(name); }
+};
 
-CipherCtxPointer& CipherCtxPointer::operator=(
-    CipherCtxPointer&& other) noexcept {
+#if OPENSSL_VERSION_MAJOR >= 3
+template <class TypeName,
+          TypeName* fetch_type(OSSL_LIB_CTX*, const char*, const char*),
+          void free_type(TypeName*),
+          const TypeName* getbyname(const char*),
+          const char* getname(const TypeName*)>
+void array_push_back(const TypeName* evp_ref,
+                     const char* from,
+                     const char* to,
+                     void* arg) {
+  if (from == nullptr) return;
+
+  const TypeName* real_instance = getbyname(from);
+  if (!real_instance) return;
+
+  const char* real_name = getname(real_instance);
+  if (!real_name) return;
+
+  // EVP_*_fetch() does not support alias names, so we need to pass it the
+  // real/original algorithm name.
+  // We use EVP_*_fetch() as a filter here because it will only return an
+  // instance if the algorithm is supported by the public OpenSSL APIs (some
+  // algorithms are used internally by OpenSSL and are also passed to this
+  // callback).
+  TypeName* fetched = fetch_type(nullptr, real_name, nullptr);
+  if (fetched == nullptr) return;
+
+  free_type(fetched);
+  auto& cb = *(static_cast<CipherCallbackContext*>(arg));
+  cb(from);
+}
+#else
+template <class TypeName>
+void array_push_back(const TypeName* evp_ref,
+                     const char* from,
+                     const char* to,
+                     void* arg) {
+  if (!from) return;
+  auto& cb = *(static_cast<CipherCallbackContext*>(arg));
+  cb(from);
+}
+#endif
+}  // namespace
+
+void Cipher::ForEach(Cipher::CipherNameCallback callback) {
+  ClearErrorOnReturn clearErrorOnReturn;
+  CipherCallbackContext context;
+  context.cb = std::move(callback);
+
+  EVP_CIPHER_do_all_sorted(
+#if OPENSSL_VERSION_MAJOR >= 3
+      array_push_back<EVP_CIPHER,
+                      EVP_CIPHER_fetch,
+                      EVP_CIPHER_free,
+                      EVP_get_cipherbyname,
+                      EVP_CIPHER_get0_name>,
+#else
+      array_push_back<EVP_CIPHER>,
+#endif
+      &context);
+}
+
+// ============================================================================
+
+CipherCtxPointer CipherCtxPointer::New() {
+  auto ret = CipherCtxPointer(EVP_CIPHER_CTX_new());
+  if (!ret) return {};
+  EVP_CIPHER_CTX_init(ret.get());
+  return ret;
+}
+
+CipherCtxPointer::CipherCtxPointer(EVP_CIPHER_CTX* ctx) : ctx_(ctx) {}
+
+CipherCtxPointer::CipherCtxPointer(CipherCtxPointer&& other) noexcept
+    : ctx_(other.release()) {}
+
+CipherCtxPointer& CipherCtxPointer::operator=(
+    CipherCtxPointer&& other) noexcept {
   if (this == &other) return *this;
   this->~CipherCtxPointer();
   return *new (this) CipherCtxPointer(std::move(other));
@@ -3265,6 +3495,11 @@ int CipherCtxPointer::getMode() const {
   return EVP_CIPHER_CTX_mode(ctx_.get());
 }
 
+int CipherCtxPointer::getNid() const {
+  if (!ctx_) return 0;
+  return EVP_CIPHER_CTX_nid(ctx_.get());
+}
+
 bool CipherCtxPointer::isGcmMode() const {
   if (!ctx_) return false;
   return getMode() == EVP_CIPH_GCM_MODE;
@@ -3290,11 +3525,6 @@ bool CipherCtxPointer::isChaCha20Poly1305() const {
   return getNid() == NID_chacha20_poly1305;
 }
 
-int CipherCtxPointer::getNid() const {
-  if (!ctx_) return 0;
-  return EVP_CIPHER_CTX_nid(ctx_.get());
-}
-
 bool CipherCtxPointer::init(const Cipher& cipher,
                             bool encrypt,
                             const unsigned char* key,
@@ -3641,6 +3871,7 @@ bool EVPKeyCtxPointer::setDhParameters(int prime_size, uint32_t generator) {
 
 bool EVPKeyCtxPointer::setDsaParameters(uint32_t bits,
                                         std::optional<int> q_bits) {
+#ifndef NCRYPTO_NO_DSA_KEYGEN
   if (!ctx_) return false;
   if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx_.get(), bits) != 1) {
     return false;
@@ -3650,6 +3881,10 @@ bool EVPKeyCtxPointer::setDsaParameters(uint32_t bits,
     return false;
   }
   return true;
+#else
+  // Older versions of openssl/boringssl do not implement the DSA keygen.
+  return false;
+#endif
 }
 
 bool EVPKeyCtxPointer::setEcParameters(int curve, int encoding) {
@@ -3990,9 +4225,14 @@ const std::optional<Rsa::PssParams> Rsa::getPssParams() const {
   }
 
   if (params->saltLength != nullptr) {
-    if (ASN1_INTEGER_get_int64(&ret.salt_length, params->saltLength) != 1) {
+    // Older versions of openssl/boringssl do not implement
+    // ASN1_INTEGER_get_int64, which the salt length here technically
+    // is. Let's walk it through uint64_t with a conversion.
+    uint64_t temp;
+    if (ASN1_INTEGER_get_uint64(&temp, params->saltLength) != 1) {
       return std::nullopt;
     }
+    ret.salt_length = static_cast<int64_t>(temp);
   }
   return ret;
 }
@@ -4077,79 +4317,18 @@ DataPointer Cipher::recover(const EVPKeyPointer& key,
       key, params, in);
 }
 
-namespace {
-struct CipherCallbackContext {
-  Cipher::CipherNameCallback cb;
-  void operator()(const char* name) { cb(name); }
-};
-
-#if OPENSSL_VERSION_MAJOR >= 3
-template <class TypeName,
-          TypeName* fetch_type(OSSL_LIB_CTX*, const char*, const char*),
-          void free_type(TypeName*),
-          const TypeName* getbyname(const char*),
-          const char* getname(const TypeName*)>
-void array_push_back(const TypeName* evp_ref,
-                     const char* from,
-                     const char* to,
-                     void* arg) {
-  if (from == nullptr) return;
-
-  const TypeName* real_instance = getbyname(from);
-  if (!real_instance) return;
-
-  const char* real_name = getname(real_instance);
-  if (!real_name) return;
-
-  // EVP_*_fetch() does not support alias names, so we need to pass it the
-  // real/original algorithm name.
-  // We use EVP_*_fetch() as a filter here because it will only return an
-  // instance if the algorithm is supported by the public OpenSSL APIs (some
-  // algorithms are used internally by OpenSSL and are also passed to this
-  // callback).
-  TypeName* fetched = fetch_type(nullptr, real_name, nullptr);
-  if (fetched == nullptr) return;
-
-  free_type(fetched);
-  auto& cb = *(static_cast<CipherCallbackContext*>(arg));
-  cb(from);
-}
-#else
-template <class TypeName>
-void array_push_back(const TypeName* evp_ref,
-                     const char* from,
-                     const char* to,
-                     void* arg) {
-  if (!from) return;
-  auto& cb = *(static_cast<CipherCallbackContext*>(arg));
-  cb(from);
-}
-#endif
-}  // namespace
-
-void Cipher::ForEach(Cipher::CipherNameCallback callback) {
-  ClearErrorOnReturn clearErrorOnReturn;
-  CipherCallbackContext context;
-  context.cb = std::move(callback);
-
-  EVP_CIPHER_do_all_sorted(
-#if OPENSSL_VERSION_MAJOR >= 3
-      array_push_back<EVP_CIPHER,
-                      EVP_CIPHER_fetch,
-                      EVP_CIPHER_free,
-                      EVP_get_cipherbyname,
-                      EVP_CIPHER_get0_name>,
-#else
-      array_push_back<EVP_CIPHER>,
-#endif
-      &context);
-}
-
 // ============================================================================
 
 Ec::Ec() : ec_(nullptr) {}
 
-Ec::Ec(OSSL3_CONST EC_KEY* key) : ec_(key) {}
+Ec::Ec(OSSL3_CONST EC_KEY* key)
+    : ec_(key), x_(BignumPointer::New()), y_(BignumPointer::New()) {
+  if (ec_ != nullptr) {
+    MarkPopErrorOnReturn mark_pop_error_on_return;
+    EC_POINT_get_affine_coordinates(
+        getGroup(), getPublicKey(), x_.get(), y_.get(), nullptr);
+  }
+}
 
 const EC_GROUP* Ec::getGroup() const {
   return ECKeyPointer::GetGroup(ec_);
@@ -4179,6 +4358,22 @@ bool Ec::GetCurves(Ec::GetCurveCallback callback) {
   return true;
 }
 
+uint32_t Ec::getDegree() const {
+  return EC_GROUP_get_degree(getGroup());
+}
+
+std::string Ec::getCurveName() const {
+  return std::string(OBJ_nid2sn(getCurve()));
+}
+
+const EC_POINT* Ec::getPublicKey() const {
+  return EC_KEY_get0_public_key(ec_);
+}
+
+const BIGNUM* Ec::getPrivateKey() const {
+  return EC_KEY_get0_private_key(ec_);
+}
+
 // ============================================================================
 
 EVPMDCtxPointer::EVPMDCtxPointer() : ctx_(nullptr) {}
@@ -4288,6 +4483,54 @@ std::optional<EVP_PKEY_CTX*> EVPMDCtxPointer::verifyInit(
   return ctx;
 }
 
+std::optional<EVP_PKEY_CTX*> EVPMDCtxPointer::signInitWithContext(
+    const EVPKeyPointer& key,
+    const Digest& digest,
+    const Buffer<const unsigned char>& context_string) {
+#ifdef OSSL_SIGNATURE_PARAM_CONTEXT_STRING
+  EVP_PKEY_CTX* ctx = nullptr;
+
+  const OSSL_PARAM params[] = {
+      OSSL_PARAM_construct_octet_string(
+          OSSL_SIGNATURE_PARAM_CONTEXT_STRING,
+          const_cast<unsigned char*>(context_string.data),
+          context_string.len),
+      OSSL_PARAM_END};
+
+  if (!EVP_DigestSignInit_ex(
+          ctx_.get(), &ctx, nullptr, nullptr, nullptr, key.get(), params)) {
+    return std::nullopt;
+  }
+  return ctx;
+#else
+  return std::nullopt;
+#endif
+}
+
+std::optional<EVP_PKEY_CTX*> EVPMDCtxPointer::verifyInitWithContext(
+    const EVPKeyPointer& key,
+    const Digest& digest,
+    const Buffer<const unsigned char>& context_string) {
+#ifdef OSSL_SIGNATURE_PARAM_CONTEXT_STRING
+  EVP_PKEY_CTX* ctx = nullptr;
+
+  const OSSL_PARAM params[] = {
+      OSSL_PARAM_construct_octet_string(
+          OSSL_SIGNATURE_PARAM_CONTEXT_STRING,
+          const_cast<unsigned char*>(context_string.data),
+          context_string.len),
+      OSSL_PARAM_END};
+
+  if (!EVP_DigestVerifyInit_ex(
+          ctx_.get(), &ctx, nullptr, nullptr, nullptr, key.get(), params)) {
+    return std::nullopt;
+  }
+  return ctx;
+#else
+  return std::nullopt;
+#endif
+}
+
 DataPointer EVPMDCtxPointer::signOneShot(
     const Buffer<const unsigned char>& buf) const {
   if (!ctx_) return {};
@@ -4413,6 +4656,96 @@ HMACCtxPointer HMACCtxPointer::New() {
   return HMACCtxPointer(HMAC_CTX_new());
 }
 
+#if OPENSSL_VERSION_MAJOR >= 3
+EVPMacPointer::EVPMacPointer(EVP_MAC* mac) : mac_(mac) {}
+
+EVPMacPointer::EVPMacPointer(EVPMacPointer&& other) noexcept
+    : mac_(std::move(other.mac_)) {}
+
+EVPMacPointer& EVPMacPointer::operator=(EVPMacPointer&& other) noexcept {
+  if (this == &other) return *this;
+  mac_ = std::move(other.mac_);
+  return *this;
+}
+
+EVPMacPointer::~EVPMacPointer() {
+  mac_.reset();
+}
+
+void EVPMacPointer::reset(EVP_MAC* mac) {
+  mac_.reset(mac);
+}
+
+EVP_MAC* EVPMacPointer::release() {
+  return mac_.release();
+}
+
+EVPMacPointer EVPMacPointer::Fetch(const char* algorithm) {
+  return EVPMacPointer(EVP_MAC_fetch(nullptr, algorithm, nullptr));
+}
+
+EVPMacCtxPointer::EVPMacCtxPointer(EVP_MAC_CTX* ctx) : ctx_(ctx) {}
+
+EVPMacCtxPointer::EVPMacCtxPointer(EVPMacCtxPointer&& other) noexcept
+    : ctx_(std::move(other.ctx_)) {}
+
+EVPMacCtxPointer& EVPMacCtxPointer::operator=(
+    EVPMacCtxPointer&& other) noexcept {
+  if (this == &other) return *this;
+  ctx_ = std::move(other.ctx_);
+  return *this;
+}
+
+EVPMacCtxPointer::~EVPMacCtxPointer() {
+  ctx_.reset();
+}
+
+void EVPMacCtxPointer::reset(EVP_MAC_CTX* ctx) {
+  ctx_.reset(ctx);
+}
+
+EVP_MAC_CTX* EVPMacCtxPointer::release() {
+  return ctx_.release();
+}
+
+bool EVPMacCtxPointer::init(const Buffer<const void>& key,
+                            const OSSL_PARAM* params) {
+  if (!ctx_) return false;
+  return EVP_MAC_init(ctx_.get(),
+                      static_cast<const unsigned char*>(key.data),
+                      key.len,
+                      params) == 1;
+}
+
+bool EVPMacCtxPointer::update(const Buffer<const void>& data) {
+  if (!ctx_) return false;
+  return EVP_MAC_update(ctx_.get(),
+                        static_cast<const unsigned char*>(data.data),
+                        data.len) == 1;
+}
+
+DataPointer EVPMacCtxPointer::final(size_t length) {
+  if (!ctx_) return {};
+  auto buf = DataPointer::Alloc(length);
+  if (!buf) return {};
+
+  size_t result_len = length;
+  if (EVP_MAC_final(ctx_.get(),
+                    static_cast<unsigned char*>(buf.get()),
+                    &result_len,
+                    length) != 1) {
+    return {};
+  }
+
+  return buf;
+}
+
+EVPMacCtxPointer EVPMacCtxPointer::New(EVP_MAC* mac) {
+  if (!mac) return EVPMacCtxPointer();
+  return EVPMacCtxPointer(EVP_MAC_CTX_new(mac));
+}
+#endif  // OPENSSL_VERSION_MAJOR >= 3
+
 DataPointer hashDigest(const Buffer<const unsigned char>& buf,
                        const EVP_MD* md) {
   if (md == nullptr) return {};
@@ -4676,4 +5009,605 @@ DataPointer KEM::Decapsulate(const EVPKeyPointer& private_key,
 
 #endif  // OPENSSL_VERSION_MAJOR >= 3
 
+// ============================================================================
+// AEAD (Authenticated Encryption with Associated Data)
+#ifdef OPENSSL_IS_BORINGSSL
+
+const Aead Aead::FromName(std::string_view name) {
+  for (const auto& [construct, info] : aeadIndex) {
+    if (EqualNoCase(info.name, name)) {
+      return Aead(&info, construct());
+    }
+  }
+
+  return Aead();
+}
+
+const Aead Aead::FromCtx(std::string_view name, const AeadCtxPointer& ctx) {
+  for (const auto& [_, info] : aeadIndex) {
+    if (info.name == name) {
+      return Aead(&info, EVP_AEAD_CTX_aead(ctx.get()));
+    }
+  }
+
+  return Aead();
+}
+
+int Aead::getMode() const {
+  if (!aead_) return -1;
+
+  return info_->mode;
+}
+
+int Aead::getNonceLength() const {
+  if (!aead_) return 0;
+  return EVP_AEAD_nonce_length(aead_);
+}
+
+int Aead::getKeyLength() const {
+  if (!aead_) return 0;
+  return EVP_AEAD_key_length(aead_);
+}
+
+int Aead::getMaxOverhead() const {
+  if (!aead_) return 0;
+  return EVP_AEAD_max_overhead(aead_);
+}
+
+int Aead::getMaxTagLength() const {
+  if (!aead_) return 0;
+  return EVP_AEAD_max_tag_len(aead_);
+}
+
+int Aead::getBlockSize() const {
+  if (!aead_) return 0;
+
+  // EVP_CIPHER_CTX_block_size returns the block size, in bytes, of the cipher
+  // underlying |ctx|, or one if the cipher is a stream cipher.
+  return 1;
+}
+
+std::string_view Aead::getName() const {
+  if (!aead_) return "";
+
+  return info_->name;
+}
+
+int Aead::getNid() const {
+  if (!aead_) return 0;
+
+  return info_->nid;
+}
+
+const Aead Aead::FromConstructor(Aead::AeadConstructor construct) {
+  return Aead(&aeadIndex.at(construct), construct());
+}
+
+const std::unordered_map<Aead::AeadConstructor, Aead::AeadInfo>
+    Aead::aeadIndex = {
+        {EVP_aead_aes_128_gcm,
+         {.name = LN_aes_128_gcm,
+          .mode = EVP_CIPH_GCM_MODE,
+          .nid = NID_aes_128_gcm}},
+        {EVP_aead_aes_192_gcm,
+         {.name = LN_aes_192_gcm,
+          .mode = EVP_CIPH_GCM_MODE,
+          .nid = NID_aes_192_gcm}},
+        {EVP_aead_aes_256_gcm,
+         {.name = LN_aes_256_gcm,
+          .mode = EVP_CIPH_GCM_MODE,
+          .nid = NID_aes_256_gcm}},
+        {EVP_aead_chacha20_poly1305,
+         {.name = LN_chacha20_poly1305,
+          .mode = EVP_CIPH_STREAM_CIPHER,
+          .nid = NID_chacha20_poly1305}},
+        {EVP_aead_xchacha20_poly1305,
+         {
+             .name = "xchacha20-poly1305",
+             .mode = EVP_CIPH_STREAM_CIPHER,
+         }},
+        {EVP_aead_aes_128_ctr_hmac_sha256,
+         {
+             .name = "aes-128-ctr-hmac-sha256",
+             .mode = EVP_CIPH_CTR_MODE,
+         }},
+        {EVP_aead_aes_256_ctr_hmac_sha256,
+         {
+             .name = "aes-256-ctr-hmac-sha256",
+             .mode = EVP_CIPH_CTR_MODE,
+         }},
+        {EVP_aead_aes_128_gcm_siv,
+         {
+             .name = "aes-128-gcm-siv",
+             .mode = EVP_CIPH_GCM_MODE,
+         }},
+        {EVP_aead_aes_256_gcm_siv,
+         {
+             .name = "aes-256-gcm-siv",
+             .mode = EVP_CIPH_GCM_MODE,
+         }},
+        {EVP_aead_aes_128_gcm_randnonce,
+         {
+             .name = "aes-128-gcm-randnonce",
+             .mode = EVP_CIPH_GCM_MODE,
+         }},
+        {EVP_aead_aes_256_gcm_randnonce,
+         {
+             .name = "aes-256-gcm-randnonce",
+             .mode = EVP_CIPH_GCM_MODE,
+         }},
+        {EVP_aead_aes_128_ccm_bluetooth,
+         {
+             .name = "aes-128-ccm-bluetooth",
+             .mode = EVP_CIPH_CCM_MODE,
+         }},
+        {EVP_aead_aes_128_ccm_bluetooth_8,
+         {
+             .name = "aes-128-ccm-bluetooth-8",
+             .mode = EVP_CIPH_CCM_MODE,
+         }},
+        {EVP_aead_aes_128_ccm_matter,
+         {
+             .name = "aes-128-ccm-matter",
+             .mode = EVP_CIPH_CCM_MODE,
+         }},
+        {EVP_aead_aes_128_eax,
+         {.name = "aes-128-eax",
+          // BoringSSL does not define a mode constant for EAX. Using STREAM
+          // arbitrarily
+          .mode = EVP_CIPH_STREAM_CIPHER}},
+        {EVP_aead_aes_256_eax,
+         {.name = "aes-256-eax",
+          // BoringSSL does not define a mode constant for EAX. Using STREAM
+          // arbitrarily
+          .mode = EVP_CIPH_STREAM_CIPHER}},
+    };
+
+void Aead::ForEach(AeadNameCallback callback) {
+  for (const auto& [_, info] : aeadIndex) {
+    callback(info.name);
+  }
+}
+
+const Aead Aead::EMPTY = Aead();
+const Aead Aead::AES_128_GCM = Aead::FromConstructor(EVP_aead_aes_128_gcm);
+const Aead Aead::AES_192_GCM = Aead::FromConstructor(EVP_aead_aes_192_gcm);
+const Aead Aead::AES_256_GCM = Aead::FromConstructor(EVP_aead_aes_256_gcm);
+const Aead Aead::CHACHA20_POLY1305 =
+    Aead::FromConstructor(EVP_aead_chacha20_poly1305);
+const Aead Aead::XCHACHA20_POLY1305 =
+    Aead::FromConstructor(EVP_aead_xchacha20_poly1305);
+const Aead Aead::AES_128_CTR_HMAC_SHA256 =
+    Aead::FromConstructor(EVP_aead_aes_128_ctr_hmac_sha256);
+const Aead Aead::AES_256_CTR_HMAC_SHA256 =
+    Aead::FromConstructor(EVP_aead_aes_256_ctr_hmac_sha256);
+const Aead Aead::AES_128_GCM_SIV =
+    Aead::FromConstructor(EVP_aead_aes_128_gcm_siv);
+const Aead Aead::AES_256_GCM_SIV =
+    Aead::FromConstructor(EVP_aead_aes_256_gcm_siv);
+const Aead Aead::AES_128_GCM_RANDNONCE =
+    Aead::FromConstructor(EVP_aead_aes_128_gcm_randnonce);
+const Aead Aead::AES_256_GCM_RANDNONCE =
+    Aead::FromConstructor(EVP_aead_aes_256_gcm_randnonce);
+const Aead Aead::AES_128_CCM_BLUETOOTH =
+    Aead::FromConstructor(EVP_aead_aes_128_ccm_bluetooth);
+const Aead Aead::AES_128_CCM_BLUETOOTH_8 =
+    Aead::FromConstructor(EVP_aead_aes_128_ccm_bluetooth_8);
+const Aead Aead::AES_128_CCM_MATTER =
+    Aead::FromConstructor(EVP_aead_aes_128_ccm_matter);
+const Aead Aead::AES_128_EAX = Aead::FromConstructor(EVP_aead_aes_128_eax);
+const Aead Aead::AES_256_EAX = Aead::FromConstructor(EVP_aead_aes_256_eax);
+
+template class ModeMixin<Aead>;
+
+AeadCtxPointer AeadCtxPointer::New(const Aead& aead,
+                                   bool encrypt,
+                                   const unsigned char* key,
+                                   size_t keyLen,
+                                   size_t tagLen) {
+  // Note: In the EVP_AEAD API new always calls init
+  auto ret = AeadCtxPointer(EVP_AEAD_CTX_new(aead.get(), key, keyLen, tagLen));
+
+  if (!ret) {
+    return {};
+  }
+
+  return ret;
+}
+
+AeadCtxPointer::AeadCtxPointer(EVP_AEAD_CTX* ctx) : ctx_(ctx) {}
+
+AeadCtxPointer::AeadCtxPointer(AeadCtxPointer&& other) noexcept
+    : ctx_(other.release()) {}
+
+AeadCtxPointer& AeadCtxPointer::operator=(AeadCtxPointer&& other) noexcept {
+  if (this == &other) return *this;
+  this->~AeadCtxPointer();
+  return *new (this) AeadCtxPointer(std::move(other));
+}
+
+AeadCtxPointer::~AeadCtxPointer() {
+  reset();
+}
+
+void AeadCtxPointer::reset(EVP_AEAD_CTX* ctx) {
+  ctx_.reset(ctx);
+}
+
+EVP_AEAD_CTX* AeadCtxPointer::release() {
+  return ctx_.release();
+}
+
+bool AeadCtxPointer::init(const Aead& aead,
+                          bool encrypt,
+                          const unsigned char* key,
+                          size_t keyLen,
+                          size_t tagLen) {
+  return EVP_AEAD_CTX_init_with_direction(
+      ctx_.get(),
+      aead,
+      key,
+      keyLen,
+      tagLen,
+      encrypt ? evp_aead_seal : evp_aead_open);
+}
+
+bool AeadCtxPointer::encrypt(const Buffer<const unsigned char>& in,
+                             Buffer<unsigned char>& out,
+                             Buffer<unsigned char>& tag,
+                             const Buffer<const unsigned char>& nonce,
+                             const Buffer<const unsigned char>& aad) {
+  if (!ctx_) return false;
+  return EVP_AEAD_CTX_seal_scatter(ctx_.get(),
+                                   out.data,
+                                   tag.data,
+                                   &tag.len,
+                                   tag.len,
+                                   nonce.data,
+                                   nonce.len,
+                                   in.data,
+                                   in.len,
+                                   nullptr /* extra_in */,
+                                   0 /* extra_in_len */,
+                                   aad.data,
+                                   aad.len) == 1;
+}
+
+bool AeadCtxPointer::decrypt(const Buffer<const unsigned char>& in,
+                             Buffer<unsigned char>& out,
+                             const Buffer<const unsigned char>& tag,
+                             const Buffer<const unsigned char>& nonce,
+                             const Buffer<const unsigned char>& aad) {
+  if (!ctx_) return false;
+
+  return EVP_AEAD_CTX_open_gather(ctx_.get(),
+                                  out.data,
+                                  nonce.data,
+                                  nonce.len,
+                                  in.data,
+                                  in.len,
+                                  tag.data,
+                                  tag.len,
+                                  aad.data,
+                                  aad.len) == 1;
+}
+#endif
 }  // namespace ncrypto
+
+// ===========================================================================
+#ifdef NCRYPTO_BSSL_NEEDS_DH_PRIMES
+// While newer versions of BoringSSL have these primes, older versions do not,
+// in particular older versions that conform to fips. We conditionally add
+// them here only if the NCRYPTO_BSSL_NEEDS_DH_PRIMES define is set. Their
+// implementations are defined here to prevent duplicating the symbols.
+extern "C" int bn_set_words(BIGNUM* bn, const BN_ULONG* words, size_t num);
+
+// Backporting primes that may not be supported in earlier boringssl versions.
+// Intentionally keeping the existing C-style formatting.
+
+#define OPENSSL_ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0]))
+
+#if defined(OPENSSL_64_BIT)
+#define TOBN(hi, lo) ((BN_ULONG)(hi) << 32 | (lo))
+#elif defined(OPENSSL_32_BIT)
+#define TOBN(hi, lo) (lo), (hi)
+#else
+#error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
+#endif
+
+static BIGNUM* get_params(BIGNUM* ret,
+                          const BN_ULONG* words,
+                          size_t num_words) {
+  BIGNUM* alloc = nullptr;
+  if (ret == nullptr) {
+    alloc = BN_new();
+    if (alloc == nullptr) {
+      return nullptr;
+    }
+    ret = alloc;
+  }
+
+  if (!bn_set_words(ret, words, num_words)) {
+    BN_free(alloc);
+    return nullptr;
+  }
+
+  return ret;
+}
+
+BIGNUM* BN_get_rfc3526_prime_2048(BIGNUM* ret) {
+  static const BN_ULONG kWords[] = {
+      TOBN(0xffffffff, 0xffffffff), TOBN(0x15728e5a, 0x8aacaa68),
+      TOBN(0x15d22618, 0x98fa0510), TOBN(0x3995497c, 0xea956ae5),
+      TOBN(0xde2bcbf6, 0x95581718), TOBN(0xb5c55df0, 0x6f4c52c9),
+      TOBN(0x9b2783a2, 0xec07a28f), TOBN(0xe39e772c, 0x180e8603),
+      TOBN(0x32905e46, 0x2e36ce3b), TOBN(0xf1746c08, 0xca18217c),
+      TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),
+      TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),
+      TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),
+      TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),
+      TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),
+      TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),
+      TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),
+      TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),
+      TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),
+      TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),
+      TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),
+  };
+  return get_params(ret, kWords, OPENSSL_ARRAY_SIZE(kWords));
+}
+
+BIGNUM* BN_get_rfc3526_prime_3072(BIGNUM* ret) {
+  static const BN_ULONG kWords[] = {
+      TOBN(0xffffffff, 0xffffffff), TOBN(0x4b82d120, 0xa93ad2ca),
+      TOBN(0x43db5bfc, 0xe0fd108e), TOBN(0x08e24fa0, 0x74e5ab31),
+      TOBN(0x770988c0, 0xbad946e2), TOBN(0xbbe11757, 0x7a615d6c),
+      TOBN(0x521f2b18, 0x177b200c), TOBN(0xd8760273, 0x3ec86a64),
+      TOBN(0xf12ffa06, 0xd98a0864), TOBN(0xcee3d226, 0x1ad2ee6b),
+      TOBN(0x1e8c94e0, 0x4a25619d), TOBN(0xabf5ae8c, 0xdb0933d7),
+      TOBN(0xb3970f85, 0xa6e1e4c7), TOBN(0x8aea7157, 0x5d060c7d),
+      TOBN(0xecfb8504, 0x58dbef0a), TOBN(0xa85521ab, 0xdf1cba64),
+      TOBN(0xad33170d, 0x04507a33), TOBN(0x15728e5a, 0x8aaac42d),
+      TOBN(0x15d22618, 0x98fa0510), TOBN(0x3995497c, 0xea956ae5),
+      TOBN(0xde2bcbf6, 0x95581718), TOBN(0xb5c55df0, 0x6f4c52c9),
+      TOBN(0x9b2783a2, 0xec07a28f), TOBN(0xe39e772c, 0x180e8603),
+      TOBN(0x32905e46, 0x2e36ce3b), TOBN(0xf1746c08, 0xca18217c),
+      TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),
+      TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),
+      TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),
+      TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),
+      TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),
+      TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),
+      TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),
+      TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),
+      TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),
+      TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),
+      TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),
+  };
+  return get_params(ret, kWords, OPENSSL_ARRAY_SIZE(kWords));
+}
+
+BIGNUM* BN_get_rfc3526_prime_4096(BIGNUM* ret) {
+  static const BN_ULONG kWords[] = {
+      TOBN(0xffffffff, 0xffffffff), TOBN(0x4df435c9, 0x34063199),
+      TOBN(0x86ffb7dc, 0x90a6c08f), TOBN(0x93b4ea98, 0x8d8fddc1),
+      TOBN(0xd0069127, 0xd5b05aa9), TOBN(0xb81bdd76, 0x2170481c),
+      TOBN(0x1f612970, 0xcee2d7af), TOBN(0x233ba186, 0x515be7ed),
+      TOBN(0x99b2964f, 0xa090c3a2), TOBN(0x287c5947, 0x4e6bc05d),
+      TOBN(0x2e8efc14, 0x1fbecaa6), TOBN(0xdbbbc2db, 0x04de8ef9),
+      TOBN(0x2583e9ca, 0x2ad44ce8), TOBN(0x1a946834, 0xb6150bda),
+      TOBN(0x99c32718, 0x6af4e23c), TOBN(0x88719a10, 0xbdba5b26),
+      TOBN(0x1a723c12, 0xa787e6d7), TOBN(0x4b82d120, 0xa9210801),
+      TOBN(0x43db5bfc, 0xe0fd108e), TOBN(0x08e24fa0, 0x74e5ab31),
+      TOBN(0x770988c0, 0xbad946e2), TOBN(0xbbe11757, 0x7a615d6c),
+      TOBN(0x521f2b18, 0x177b200c), TOBN(0xd8760273, 0x3ec86a64),
+      TOBN(0xf12ffa06, 0xd98a0864), TOBN(0xcee3d226, 0x1ad2ee6b),
+      TOBN(0x1e8c94e0, 0x4a25619d), TOBN(0xabf5ae8c, 0xdb0933d7),
+      TOBN(0xb3970f85, 0xa6e1e4c7), TOBN(0x8aea7157, 0x5d060c7d),
+      TOBN(0xecfb8504, 0x58dbef0a), TOBN(0xa85521ab, 0xdf1cba64),
+      TOBN(0xad33170d, 0x04507a33), TOBN(0x15728e5a, 0x8aaac42d),
+      TOBN(0x15d22618, 0x98fa0510), TOBN(0x3995497c, 0xea956ae5),
+      TOBN(0xde2bcbf6, 0x95581718), TOBN(0xb5c55df0, 0x6f4c52c9),
+      TOBN(0x9b2783a2, 0xec07a28f), TOBN(0xe39e772c, 0x180e8603),
+      TOBN(0x32905e46, 0x2e36ce3b), TOBN(0xf1746c08, 0xca18217c),
+      TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),
+      TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),
+      TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),
+      TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),
+      TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),
+      TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),
+      TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),
+      TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),
+      TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),
+      TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),
+      TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),
+  };
+  return get_params(ret, kWords, OPENSSL_ARRAY_SIZE(kWords));
+}
+
+BIGNUM* BN_get_rfc3526_prime_6144(BIGNUM* ret) {
+  static const BN_ULONG kWords[] = {
+      TOBN(0xffffffff, 0xffffffff), TOBN(0xe694f91e, 0x6dcc4024),
+      TOBN(0x12bf2d5b, 0x0b7474d6), TOBN(0x043e8f66, 0x3f4860ee),
+      TOBN(0x387fe8d7, 0x6e3c0468), TOBN(0xda56c9ec, 0x2ef29632),
+      TOBN(0xeb19ccb1, 0xa313d55c), TOBN(0xf550aa3d, 0x8a1fbff0),
+      TOBN(0x06a1d58b, 0xb7c5da76), TOBN(0xa79715ee, 0xf29be328),
+      TOBN(0x14cc5ed2, 0x0f8037e0), TOBN(0xcc8f6d7e, 0xbf48e1d8),
+      TOBN(0x4bd407b2, 0x2b4154aa), TOBN(0x0f1d45b7, 0xff585ac5),
+      TOBN(0x23a97a7e, 0x36cc88be), TOBN(0x59e7c97f, 0xbec7e8f3),
+      TOBN(0xb5a84031, 0x900b1c9e), TOBN(0xd55e702f, 0x46980c82),
+      TOBN(0xf482d7ce, 0x6e74fef6), TOBN(0xf032ea15, 0xd1721d03),
+      TOBN(0x5983ca01, 0xc64b92ec), TOBN(0x6fb8f401, 0x378cd2bf),
+      TOBN(0x33205151, 0x2bd7af42), TOBN(0xdb7f1447, 0xe6cc254b),
+      TOBN(0x44ce6cba, 0xced4bb1b), TOBN(0xda3edbeb, 0xcf9b14ed),
+      TOBN(0x179727b0, 0x865a8918), TOBN(0xb06a53ed, 0x9027d831),
+      TOBN(0xe5db382f, 0x413001ae), TOBN(0xf8ff9406, 0xad9e530e),
+      TOBN(0xc9751e76, 0x3dba37bd), TOBN(0xc1d4dcb2, 0x602646de),
+      TOBN(0x36c3fab4, 0xd27c7026), TOBN(0x4df435c9, 0x34028492),
+      TOBN(0x86ffb7dc, 0x90a6c08f), TOBN(0x93b4ea98, 0x8d8fddc1),
+      TOBN(0xd0069127, 0xd5b05aa9), TOBN(0xb81bdd76, 0x2170481c),
+      TOBN(0x1f612970, 0xcee2d7af), TOBN(0x233ba186, 0x515be7ed),
+      TOBN(0x99b2964f, 0xa090c3a2), TOBN(0x287c5947, 0x4e6bc05d),
+      TOBN(0x2e8efc14, 0x1fbecaa6), TOBN(0xdbbbc2db, 0x04de8ef9),
+      TOBN(0x2583e9ca, 0x2ad44ce8), TOBN(0x1a946834, 0xb6150bda),
+      TOBN(0x99c32718, 0x6af4e23c), TOBN(0x88719a10, 0xbdba5b26),
+      TOBN(0x1a723c12, 0xa787e6d7), TOBN(0x4b82d120, 0xa9210801),
+      TOBN(0x43db5bfc, 0xe0fd108e), TOBN(0x08e24fa0, 0x74e5ab31),
+      TOBN(0x770988c0, 0xbad946e2), TOBN(0xbbe11757, 0x7a615d6c),
+      TOBN(0x521f2b18, 0x177b200c), TOBN(0xd8760273, 0x3ec86a64),
+      TOBN(0xf12ffa06, 0xd98a0864), TOBN(0xcee3d226, 0x1ad2ee6b),
+      TOBN(0x1e8c94e0, 0x4a25619d), TOBN(0xabf5ae8c, 0xdb0933d7),
+      TOBN(0xb3970f85, 0xa6e1e4c7), TOBN(0x8aea7157, 0x5d060c7d),
+      TOBN(0xecfb8504, 0x58dbef0a), TOBN(0xa85521ab, 0xdf1cba64),
+      TOBN(0xad33170d, 0x04507a33), TOBN(0x15728e5a, 0x8aaac42d),
+      TOBN(0x15d22618, 0x98fa0510), TOBN(0x3995497c, 0xea956ae5),
+      TOBN(0xde2bcbf6, 0x95581718), TOBN(0xb5c55df0, 0x6f4c52c9),
+      TOBN(0x9b2783a2, 0xec07a28f), TOBN(0xe39e772c, 0x180e8603),
+      TOBN(0x32905e46, 0x2e36ce3b), TOBN(0xf1746c08, 0xca18217c),
+      TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),
+      TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),
+      TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),
+      TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),
+      TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),
+      TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),
+      TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),
+      TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),
+      TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),
+      TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),
+      TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),
+  };
+  return get_params(ret, kWords, OPENSSL_ARRAY_SIZE(kWords));
+}
+
+BIGNUM* BN_get_rfc3526_prime_8192(BIGNUM* ret) {
+  static const BN_ULONG kWords[] = {
+      TOBN(0xffffffff, 0xffffffff), TOBN(0x60c980dd, 0x98edd3df),
+      TOBN(0xc81f56e8, 0x80b96e71), TOBN(0x9e3050e2, 0x765694df),
+      TOBN(0x9558e447, 0x5677e9aa), TOBN(0xc9190da6, 0xfc026e47),
+      TOBN(0x889a002e, 0xd5ee382b), TOBN(0x4009438b, 0x481c6cd7),
+      TOBN(0x359046f4, 0xeb879f92), TOBN(0xfaf36bc3, 0x1ecfa268),
+      TOBN(0xb1d510bd, 0x7ee74d73), TOBN(0xf9ab4819, 0x5ded7ea1),
+      TOBN(0x64f31cc5, 0x0846851d), TOBN(0x4597e899, 0xa0255dc1),
+      TOBN(0xdf310ee0, 0x74ab6a36), TOBN(0x6d2a13f8, 0x3f44f82d),
+      TOBN(0x062b3cf5, 0xb3a278a6), TOBN(0x79683303, 0xed5bdd3a),
+      TOBN(0xfa9d4b7f, 0xa2c087e8), TOBN(0x4bcbc886, 0x2f8385dd),
+      TOBN(0x3473fc64, 0x6cea306b), TOBN(0x13eb57a8, 0x1a23f0c7),
+      TOBN(0x22222e04, 0xa4037c07), TOBN(0xe3fdb8be, 0xfc848ad9),
+      TOBN(0x238f16cb, 0xe39d652d), TOBN(0x3423b474, 0x2bf1c978),
+      TOBN(0x3aab639c, 0x5ae4f568), TOBN(0x2576f693, 0x6ba42466),
+      TOBN(0x741fa7bf, 0x8afc47ed), TOBN(0x3bc832b6, 0x8d9dd300),
+      TOBN(0xd8bec4d0, 0x73b931ba), TOBN(0x38777cb6, 0xa932df8c),
+      TOBN(0x74a3926f, 0x12fee5e4), TOBN(0xe694f91e, 0x6dbe1159),
+      TOBN(0x12bf2d5b, 0x0b7474d6), TOBN(0x043e8f66, 0x3f4860ee),
+      TOBN(0x387fe8d7, 0x6e3c0468), TOBN(0xda56c9ec, 0x2ef29632),
+      TOBN(0xeb19ccb1, 0xa313d55c), TOBN(0xf550aa3d, 0x8a1fbff0),
+      TOBN(0x06a1d58b, 0xb7c5da76), TOBN(0xa79715ee, 0xf29be328),
+      TOBN(0x14cc5ed2, 0x0f8037e0), TOBN(0xcc8f6d7e, 0xbf48e1d8),
+      TOBN(0x4bd407b2, 0x2b4154aa), TOBN(0x0f1d45b7, 0xff585ac5),
+      TOBN(0x23a97a7e, 0x36cc88be), TOBN(0x59e7c97f, 0xbec7e8f3),
+      TOBN(0xb5a84031, 0x900b1c9e), TOBN(0xd55e702f, 0x46980c82),
+      TOBN(0xf482d7ce, 0x6e74fef6), TOBN(0xf032ea15, 0xd1721d03),
+      TOBN(0x5983ca01, 0xc64b92ec), TOBN(0x6fb8f401, 0x378cd2bf),
+      TOBN(0x33205151, 0x2bd7af42), TOBN(0xdb7f1447, 0xe6cc254b),
+      TOBN(0x44ce6cba, 0xced4bb1b), TOBN(0xda3edbeb, 0xcf9b14ed),
+      TOBN(0x179727b0, 0x865a8918), TOBN(0xb06a53ed, 0x9027d831),
+      TOBN(0xe5db382f, 0x413001ae), TOBN(0xf8ff9406, 0xad9e530e),
+      TOBN(0xc9751e76, 0x3dba37bd), TOBN(0xc1d4dcb2, 0x602646de),
+      TOBN(0x36c3fab4, 0xd27c7026), TOBN(0x4df435c9, 0x34028492),
+      TOBN(0x86ffb7dc, 0x90a6c08f), TOBN(0x93b4ea98, 0x8d8fddc1),
+      TOBN(0xd0069127, 0xd5b05aa9), TOBN(0xb81bdd76, 0x2170481c),
+      TOBN(0x1f612970, 0xcee2d7af), TOBN(0x233ba186, 0x515be7ed),
+      TOBN(0x99b2964f, 0xa090c3a2), TOBN(0x287c5947, 0x4e6bc05d),
+      TOBN(0x2e8efc14, 0x1fbecaa6), TOBN(0xdbbbc2db, 0x04de8ef9),
+      TOBN(0x2583e9ca, 0x2ad44ce8), TOBN(0x1a946834, 0xb6150bda),
+      TOBN(0x99c32718, 0x6af4e23c), TOBN(0x88719a10, 0xbdba5b26),
+      TOBN(0x1a723c12, 0xa787e6d7), TOBN(0x4b82d120, 0xa9210801),
+      TOBN(0x43db5bfc, 0xe0fd108e), TOBN(0x08e24fa0, 0x74e5ab31),
+      TOBN(0x770988c0, 0xbad946e2), TOBN(0xbbe11757, 0x7a615d6c),
+      TOBN(0x521f2b18, 0x177b200c), TOBN(0xd8760273, 0x3ec86a64),
+      TOBN(0xf12ffa06, 0xd98a0864), TOBN(0xcee3d226, 0x1ad2ee6b),
+      TOBN(0x1e8c94e0, 0x4a25619d), TOBN(0xabf5ae8c, 0xdb0933d7),
+      TOBN(0xb3970f85, 0xa6e1e4c7), TOBN(0x8aea7157, 0x5d060c7d),
+      TOBN(0xecfb8504, 0x58dbef0a), TOBN(0xa85521ab, 0xdf1cba64),
+      TOBN(0xad33170d, 0x04507a33), TOBN(0x15728e5a, 0x8aaac42d),
+      TOBN(0x15d22618, 0x98fa0510), TOBN(0x3995497c, 0xea956ae5),
+      TOBN(0xde2bcbf6, 0x95581718), TOBN(0xb5c55df0, 0x6f4c52c9),
+      TOBN(0x9b2783a2, 0xec07a28f), TOBN(0xe39e772c, 0x180e8603),
+      TOBN(0x32905e46, 0x2e36ce3b), TOBN(0xf1746c08, 0xca18217c),
+      TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),
+      TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),
+      TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),
+      TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),
+      TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),
+      TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),
+      TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),
+      TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),
+      TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),
+      TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),
+      TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),
+  };
+  return get_params(ret, kWords, OPENSSL_ARRAY_SIZE(kWords));
+}
+#endif
+
+// ===========================================================================
+#if NCRYPTO_BSSL_LIBDECREPIT_MISSING
+// While BoringSSL implements EVP_CIPHER_do_all_sorted, it includes this
+// inplementation in a library called "libdecrepit", which might not be included
+// depending on how boringssl was built. In such cases, a copy of the function
+// is provided here:
+
+extern "C" void EVP_CIPHER_do_all_sorted(
+    void (*callback)(const EVP_CIPHER* cipher,
+                     const char* name,
+                     const char* unused,
+                     void* arg),
+    void* arg) {
+  callback(EVP_aes_128_cbc(), "AES-128-CBC", NULL, arg);
+  callback(EVP_aes_192_cbc(), "AES-192-CBC", NULL, arg);
+  callback(EVP_aes_256_cbc(), "AES-256-CBC", NULL, arg);
+  callback(EVP_aes_128_ctr(), "AES-128-CTR", NULL, arg);
+  callback(EVP_aes_192_ctr(), "AES-192-CTR", NULL, arg);
+  callback(EVP_aes_256_ctr(), "AES-256-CTR", NULL, arg);
+  callback(EVP_aes_128_ecb(), "AES-128-ECB", NULL, arg);
+  callback(EVP_aes_192_ecb(), "AES-192-ECB", NULL, arg);
+  callback(EVP_aes_256_ecb(), "AES-256-ECB", NULL, arg);
+  callback(EVP_aes_128_ofb(), "AES-128-OFB", NULL, arg);
+  callback(EVP_aes_192_ofb(), "AES-192-OFB", NULL, arg);
+  callback(EVP_aes_256_ofb(), "AES-256-OFB", NULL, arg);
+  callback(EVP_aes_128_gcm(), "AES-128-GCM", NULL, arg);
+  callback(EVP_aes_192_gcm(), "AES-192-GCM", NULL, arg);
+  callback(EVP_aes_256_gcm(), "AES-256-GCM", NULL, arg);
+  callback(EVP_des_cbc(), "DES-CBC", NULL, arg);
+  callback(EVP_des_ecb(), "DES-ECB", NULL, arg);
+  callback(EVP_des_ede(), "DES-EDE", NULL, arg);
+  callback(EVP_des_ede_cbc(), "DES-EDE-CBC", NULL, arg);
+  callback(EVP_des_ede3_cbc(), "DES-EDE3-CBC", NULL, arg);
+  callback(EVP_rc2_cbc(), "RC2-CBC", NULL, arg);
+  callback(EVP_rc4(), "RC4", NULL, arg);
+
+  // OpenSSL returns everything twice, the second time in lower case.
+  callback(EVP_aes_128_cbc(), "aes-128-cbc", NULL, arg);
+  callback(EVP_aes_192_cbc(), "aes-192-cbc", NULL, arg);
+  callback(EVP_aes_256_cbc(), "aes-256-cbc", NULL, arg);
+  callback(EVP_aes_128_ctr(), "aes-128-ctr", NULL, arg);
+  callback(EVP_aes_192_ctr(), "aes-192-ctr", NULL, arg);
+  callback(EVP_aes_256_ctr(), "aes-256-ctr", NULL, arg);
+  callback(EVP_aes_128_ecb(), "aes-128-ecb", NULL, arg);
+  callback(EVP_aes_192_ecb(), "aes-192-ecb", NULL, arg);
+  callback(EVP_aes_256_ecb(), "aes-256-ecb", NULL, arg);
+  callback(EVP_aes_128_ofb(), "aes-128-ofb", NULL, arg);
+  callback(EVP_aes_192_ofb(), "aes-192-ofb", NULL, arg);
+  callback(EVP_aes_256_ofb(), "aes-256-ofb", NULL, arg);
+  callback(EVP_aes_128_gcm(), "aes-128-gcm", NULL, arg);
+  callback(EVP_aes_192_gcm(), "aes-192-gcm", NULL, arg);
+  callback(EVP_aes_256_gcm(), "aes-256-gcm", NULL, arg);
+  callback(EVP_des_cbc(), "des-cbc", NULL, arg);
+  callback(EVP_des_ecb(), "des-ecb", NULL, arg);
+  callback(EVP_des_ede(), "des-ede", NULL, arg);
+  callback(EVP_des_ede_cbc(), "des-ede-cbc", NULL, arg);
+  callback(EVP_des_ede3_cbc(), "des-ede3-cbc", NULL, arg);
+  callback(EVP_rc2_cbc(), "rc2-cbc", NULL, arg);
+  callback(EVP_rc4(), "rc4", NULL, arg);
+}
+#endif