react-native-quick-crypto 1.0.8 → 1.0.10

package/deps/ncrypto/src/ncrypto.cpp

@@ -1,5 +1,4 @@
 #include "ncrypto.h"
-
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -11,25 +10,24 @@
 
 #ifndef NCRYPTO_NO_KDF_H
 #include <openssl/kdf.h>
-#else
+#endif
+#ifdef OPENSSL_IS_BORINGSSL
 #include <openssl/hkdf.h>
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x30200000L
+#include <openssl/thread.h>
+#endif
+
 #include <algorithm>
 #include <array>
-#include <cctype>
-#include <climits>
 #include <cstring>
 #include <string_view>
 #include <vector>
-
 #if OPENSSL_VERSION_MAJOR >= 3
 #include <openssl/core_names.h>
 #include <openssl/params.h>
 #include <openssl/provider.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30200000L
-#include <openssl/thread.h>
-#endif
 #endif
 #if OPENSSL_WITH_PQC
 struct PQCMapping {
@@ -71,8 +69,6 @@ constexpr static PQCMapping pqc_mappings[] = {
                     nullptr)
 #endif
 
-// ============================================================================
-
 namespace ncrypto {
 namespace {
 using BignumCtxPointer = DeleteFnPtr<BN_CTX, BN_CTX_free>;
@@ -261,7 +257,7 @@ Buffer<void> DataPointer::release() {
 DataPointer DataPointer::resize(size_t len) {
   size_t actual_len = std::min(len_, len);
   auto buf = release();
-  if (actual_len == len_) return DataPointer(buf);
+  if (actual_len == len_) return DataPointer(buf.data, actual_len);
   buf.data = OPENSSL_realloc(buf.data, actual_len);
   buf.len = actual_len;
   return DataPointer(buf);
@@ -354,12 +350,12 @@ BIGNUM* BignumPointer::release() {
 }
 
 size_t BignumPointer::byteLength() const {
-  if (!bn_) return 0;
+  if (bn_ == nullptr) return 0;
   return BN_num_bytes(bn_.get());
 }
 
 size_t BignumPointer::bitLength() const {
-  if (!bn_) return 0;
+  if (bn_ == nullptr) return 0;
   return BN_num_bits(bn_.get());
 }
 
@@ -635,9 +631,7 @@ int64_t PortableTimeGM(struct tm* t) {
 // ============================================================================
 // SPKAC
 
-namespace {
-bool VerifySpkacImpl(const char* input, size_t length) {
-  ClearErrorOnReturn clearErrorOnReturn;
+bool VerifySpkac(const char* input, size_t length) {
 #ifdef OPENSSL_IS_BORINGSSL
   // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
   // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not.
@@ -655,11 +649,9 @@ bool VerifySpkacImpl(const char* input, size_t length) {
   return pkey ? NETSCAPE_SPKI_verify(spki.get(), pkey.get()) > 0 : false;
 }
 
-BIOPointer ExportPublicKeyImpl(const char* input, size_t length) {
-  ClearErrorOnReturn clearErrorOnReturn;
-  auto bio = BIOPointer::NewMem();
-  if (!bio) [[unlikely]]
-    return {};
+BIOPointer ExportPublicKey(const char* input, size_t length) {
+  BIOPointer bio(BIO_new(BIO_s_mem()));
+  if (!bio) return {};
 
 #ifdef OPENSSL_IS_BORINGSSL
   // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
@@ -668,21 +660,17 @@ BIOPointer ExportPublicKeyImpl(const char* input, size_t length) {
   length = std::string_view(input, length).find_last_not_of(" \n\r\t") + 1;
 #endif
   NetscapeSPKIPointer spki(NETSCAPE_SPKI_b64_decode(input, length));
-  if (!spki) [[unlikely]] {
-    return {};
-  }
+  if (!spki) return {};
 
   EVPKeyPointer pkey(NETSCAPE_SPKI_get_pubkey(spki.get()));
+  if (!pkey) return {};
 
-  if (!pkey || PEM_write_bio_PUBKEY(bio.get(), pkey.get()) <= 0) [[unlikely]] {
-    return {};
-  }
+  if (PEM_write_bio_PUBKEY(bio.get(), pkey.get()) <= 0) return {};
 
   return bio;
 }
 
-DataPointer ExportChallengeImpl(const char* input, size_t length) {
-  ClearErrorOnReturn clearErrorOnReturn;
+Buffer<char> ExportChallenge(const char* input, size_t length) {
 #ifdef OPENSSL_IS_BORINGSSL
   // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
   // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not.
@@ -695,43 +683,27 @@ DataPointer ExportChallengeImpl(const char* input, size_t length) {
   unsigned char* buf = nullptr;
   int buf_size = ASN1_STRING_to_UTF8(&buf, sp->spkac->challenge);
   if (buf_size >= 0) {
-    return DataPointer({
+    return {
         .data = reinterpret_cast<char*>(buf),
         .len = static_cast<size_t>(buf_size),
-    });
+    };
   }
 
   return {};
 }
-}  // namespace
 
 bool VerifySpkac(const Buffer<const char>& input) {
-  return VerifySpkacImpl(input.data, input.len);
+  return VerifySpkac(input.data, input.len);
 }
 
 BIOPointer ExportPublicKey(const Buffer<const char>& input) {
-  return ExportPublicKeyImpl(input.data, input.len);
+  return ExportPublicKey(input.data, input.len);
 }
 
 DataPointer ExportChallenge(const Buffer<const char>& input) {
-  return ExportChallengeImpl(input.data, input.len);
-}
-
-bool VerifySpkac(const char* input, size_t length) {
-  return VerifySpkacImpl(input, length);
-}
-
-BIOPointer ExportPublicKey(const char* input, size_t length) {
-  return ExportPublicKeyImpl(input, length);
-}
-
-Buffer<char> ExportChallenge(const char* input, size_t length) {
-  if (auto dp = ExportChallengeImpl(input, length)) {
-    auto released = dp.release();
-    return Buffer<char>{
-        .data = static_cast<char*>(released.data),
-        .len = released.len,
-    };
+  auto buf = ExportChallenge(input.data, input.len);
+  if (buf.data != nullptr) {
+    return DataPointer(buf.data, buf.len);
   }
   return {};
 }
@@ -1406,16 +1378,10 @@ bool X509View::enumUsages(UsageCallback callback) const {
 
 bool X509View::ifRsa(KeyCallback<Rsa> callback) const {
   if (cert_ == nullptr) return true;
-  // The const_cast is a bit unfortunate. The X509_get_pubkey API accepts
-  // a const X509* in newer versions of openssl and boringssl but a non-const
-  // X509* in older versions. By removing the const if it exists we can
-  // support both.
-  EVPKeyPointer pkey(X509_get_pubkey(const_cast<X509*>(cert_)));
-  if (!pkey) [[unlikely]]
-    return true;
-  auto id = pkey.id();
+  OSSL3_CONST EVP_PKEY* pkey = X509_get0_pubkey(cert_);
+  auto id = EVP_PKEY_id(pkey);
   if (id == EVP_PKEY_RSA || id == EVP_PKEY_RSA2 || id == EVP_PKEY_RSA_PSS) {
-    Rsa rsa = pkey;
+    Rsa rsa(EVP_PKEY_get0_RSA(pkey));
     if (!rsa) [[unlikely]]
       return true;
     return callback(rsa);
@@ -1425,16 +1391,10 @@ bool X509View::ifRsa(KeyCallback<Rsa> callback) const {
 
 bool X509View::ifEc(KeyCallback<Ec> callback) const {
   if (cert_ == nullptr) return true;
-  // The const_cast is a bit unfortunate. The X509_get_pubkey API accepts
-  // a const X509* in newer versions of openssl and boringssl but a non-const
-  // X509* in older versions. By removing the const if it exists we can
-  // support both.
-  EVPKeyPointer pkey(X509_get_pubkey(const_cast<X509*>(cert_)));
-  if (!pkey) [[unlikely]]
-    return true;
-  auto id = pkey.id();
+  OSSL3_CONST EVP_PKEY* pkey = X509_get0_pubkey(cert_);
+  auto id = EVP_PKEY_id(pkey);
   if (id == EVP_PKEY_EC) {
-    Ec ec = pkey;
+    Ec ec(EVP_PKEY_get0_EC_KEY(pkey));
     if (!ec) [[unlikely]]
       return true;
     return callback(ec);
@@ -1584,15 +1544,6 @@ int BIOPointer::Write(BIOPointer* bio, std::string_view message) {
 // ============================================================================
 // DHPointer
 
-namespace {
-bool EqualNoCase(const std::string_view a, const std::string_view b) {
-  if (a.size() != b.size()) return false;
-  return std::equal(a.begin(), a.end(), b.begin(), b.end(), [](char a, char b) {
-    return std::tolower(a) == std::tolower(b);
-  });
-}
-}  // namespace
-
 DHPointer::DHPointer(DH* dh) : dh_(dh) {}
 
 DHPointer::DHPointer(DHPointer&& other) noexcept : dh_(other.release()) {}
@@ -1889,7 +1840,18 @@ bool hkdfInfo(const Digest& md,
     actual_salt = {default_salt, static_cast<unsigned>(md.size())};
   }
 
-#ifndef NCRYPTO_NO_KDF_H
+#ifdef OPENSSL_IS_BORINGSSL
+  if (out == nullptr || out->len != length) return false;
+  return HKDF(out->data,
+              length,
+              md,
+              key.data,
+              key.len,
+              reinterpret_cast<const unsigned char*>(actual_salt.data()),
+              actual_salt.size(),
+              info.data,
+              info.len) == 1;
+#else
   auto ctx = EVPKeyCtxPointer::NewFromID(EVP_PKEY_HKDF);
   // OpenSSL < 3.0.0 accepted only a void* as the argument of
   // EVP_PKEY_CTX_set_hkdf_md.
@@ -1927,16 +1889,6 @@ bool hkdfInfo(const Digest& md,
   if (out == nullptr || out->len != length) return false;
 
   return EVP_PKEY_derive(ctx.get(), out->data, &length) > 0;
-#else
-  return HKDF(out->data,
-              length,
-              md,
-              key.data,
-              key.len,
-              salt.data,
-              salt.len,
-              info.data,
-              info.len);
 #endif
 }
 
@@ -1947,10 +1899,14 @@ DataPointer hkdf(const Digest& md,
                  size_t length) {
   auto buf = DataPointer::Alloc(length);
   if (!buf) return {};
-  Buffer<unsigned char> out = buf;
-
-  return hkdfInfo(md, key, info, salt, length, &out) ? std::move(buf)
-                                                     : DataPointer();
+  Buffer<unsigned char> out{
+      .data = static_cast<unsigned char*>(buf.get()),
+      .len = length,
+  };
+  if (hkdfInfo(md, key, info, salt, length, &out)) {
+    return buf;
+  }
+  return {};
 }
 
 bool checkScryptParams(uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem) {
@@ -1972,20 +1928,16 @@ bool scryptInto(const Buffer<const char>& pass,
     return false;
   }
 
-  if (auto dp = DataPointer::Alloc(length)) {
-    return EVP_PBE_scrypt(pass.data,
-                          pass.len,
-                          salt.data,
-                          salt.len,
-                          N,
-                          r,
-                          p,
-                          maxmem,
-                          out->data,
-                          length);
-  }
-
-  return false;
+  return EVP_PBE_scrypt(pass.data,
+                        pass.len,
+                        salt.data,
+                        salt.len,
+                        N,
+                        r,
+                        p,
+                        maxmem,
+                        out->data,
+                        length) == 1;
 }
 
 DataPointer scrypt(const Buffer<const char>& pass,
@@ -1995,11 +1947,24 @@ DataPointer scrypt(const Buffer<const char>& pass,
                    uint64_t p,
                    uint64_t maxmem,
                    size_t length) {
-  if (auto dp = DataPointer::Alloc(length)) {
-    Buffer<unsigned char> buf = dp;
-    if (scryptInto(pass, salt, N, r, p, maxmem, length, &buf)) {
-      return dp;
-    }
+  ClearErrorOnReturn clearErrorOnReturn;
+
+  if (pass.len > INT_MAX || salt.len > INT_MAX) {
+    return {};
+  }
+
+  auto dp = DataPointer::Alloc(length);
+  if (dp && EVP_PBE_scrypt(pass.data,
+                           pass.len,
+                           salt.data,
+                           salt.len,
+                           N,
+                           r,
+                           p,
+                           maxmem,
+                           reinterpret_cast<unsigned char*>(dp.get()),
+                           length)) {
+    return dp;
   }
 
   return {};
@@ -2019,18 +1984,14 @@ bool pbkdf2Into(const Digest& md,
   }
 
   const EVP_MD* md_ptr = md;
-  if (PKCS5_PBKDF2_HMAC(pass.data,
-                        pass.len,
-                        salt.data,
-                        salt.len,
-                        iterations,
-                        md_ptr,
-                        length,
-                        out->data)) {
-    return true;
-  }
-
-  return false;
+  return PKCS5_PBKDF2_HMAC(pass.data,
+                           pass.len,
+                           salt.data,
+                           salt.len,
+                           iterations,
+                           md_ptr,
+                           length,
+                           out->data) == 1;
 }
 
 DataPointer pbkdf2(const Digest& md,
@@ -2038,11 +1999,23 @@ DataPointer pbkdf2(const Digest& md,
                    const Buffer<const unsigned char>& salt,
                    uint32_t iterations,
                    size_t length) {
-  if (auto dp = DataPointer::Alloc(length)) {
-    Buffer<unsigned char> buf = dp;
-    if (pbkdf2Into(md, pass, salt, iterations, length, &buf)) {
-      return dp;
-    }
+  ClearErrorOnReturn clearErrorOnReturn;
+
+  if (pass.len > INT_MAX || salt.len > INT_MAX || length > INT_MAX) {
+    return {};
+  }
+
+  auto dp = DataPointer::Alloc(length);
+  const EVP_MD* md_ptr = md;
+  if (dp && PKCS5_PBKDF2_HMAC(pass.data,
+                              pass.len,
+                              salt.data,
+                              salt.len,
+                              iterations,
+                              md_ptr,
+                              length,
+                              reinterpret_cast<unsigned char*>(dp.get()))) {
+    return dp;
   }
 
   return {};
@@ -2245,12 +2218,6 @@ EVPKeyPointer::EVPKeyPointer(EVP_PKEY* pkey) : pkey_(pkey) {}
 EVPKeyPointer::EVPKeyPointer(EVPKeyPointer&& other) noexcept
     : pkey_(other.release()) {}
 
-EVPKeyPointer EVPKeyPointer::clone() const {
-  if (!pkey_) return {};
-  if (!EVP_PKEY_up_ref(pkey_.get())) return {};
-  return EVPKeyPointer(pkey_.get());
-}
-
 EVPKeyPointer& EVPKeyPointer::operator=(EVPKeyPointer&& other) noexcept {
   if (this == &other) return *this;
   this->~EVPKeyPointer();
@@ -2599,7 +2566,6 @@ EVPKeyPointer::ParseKeyResult EVPKeyPointer::TryParsePrivateKey(
           ERR_GET_REASON(err) == PEM_R_BAD_PASSWORD_READ && !had_passphrase) {
         return ParseKeyResult(PKParseError::NEED_PASSPHRASE);
       }
-
       return ParseKeyResult(PKParseError::FAILED, err);
     }
     if (!pkey) return ParseKeyResult(PKParseError::FAILED);
@@ -2675,8 +2641,11 @@ Result<BIOPointer, bool> EVPKeyPointer::writePrivateKey(
       // PKCS1 is only permitted for RSA keys.
       if (id() != EVP_PKEY_RSA) return Result<BIOPointer, bool>(false);
 
-      OSSL3_CONST RSA* rsa = EVP_PKEY_get0_RSA(get());
-
+#if OPENSSL_VERSION_MAJOR >= 3
+      const RSA* rsa = EVP_PKEY_get0_RSA(get());
+#else
+      RSA* rsa = EVP_PKEY_get0_RSA(get());
+#endif
       switch (config.format) {
         case PKFormatType::PEM: {
           err = PEM_write_bio_RSAPrivateKey(
@@ -2735,8 +2704,11 @@ Result<BIOPointer, bool> EVPKeyPointer::writePrivateKey(
       // SEC1 is only permitted for EC keys
       if (id() != EVP_PKEY_EC) return Result<BIOPointer, bool>(false);
 
-      OSSL3_CONST EC_KEY* ec = EVP_PKEY_get0_EC_KEY(get());
-
+#if OPENSSL_VERSION_MAJOR >= 3
+      const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(get());
+#else
+      EC_KEY* ec = EVP_PKEY_get0_EC_KEY(get());
+#endif
       switch (config.format) {
         case PKFormatType::PEM: {
           err = PEM_write_bio_ECPrivateKey(
@@ -2921,9 +2893,15 @@ EVPKeyPointer::operator Ec() const {
   return Ec(ec);
 }
 
+EVPKeyPointer EVPKeyPointer::clone() const {
+  if (!pkey_) return {};
+  if (!EVP_PKEY_up_ref(pkey_.get())) return {};
+  return EVPKeyPointer(pkey_.get());
+}
+
 bool EVPKeyPointer::validateDsaParameters() const {
   if (!pkey_) return false;
-    /* Validate DSA2 parameters from FIPS 186-4 */
+  /* Validate DSA2 parameters from FIPS 186-4 */
 #if OPENSSL_VERSION_MAJOR >= 3
   if (EVP_default_properties_is_fips_enabled(nullptr) && EVP_PKEY_DSA == id()) {
 #else
@@ -3222,36 +3200,6 @@ bool SSLCtxPointer::setCipherSuites(const char* ciphers) {
   return true;
 #endif
 }
-// ============================================================================
-
-template <typename T>
-std::string_view ModeMixin<T>::getModeLabel() const {
-  switch (self().getMode()) {
-    case EVP_CIPH_CCM_MODE:
-      return "ccm";
-    case EVP_CIPH_CFB_MODE:
-      return "cfb";
-    case EVP_CIPH_CBC_MODE:
-      return "cbc";
-    case EVP_CIPH_CTR_MODE:
-      return "ctr";
-    case EVP_CIPH_ECB_MODE:
-      return "ecb";
-    case EVP_CIPH_GCM_MODE:
-      return "gcm";
-    case EVP_CIPH_OCB_MODE:
-      return "ocb";
-    case EVP_CIPH_OFB_MODE:
-      return "ofb";
-    case EVP_CIPH_WRAP_MODE:
-      return "wrap";
-    case EVP_CIPH_XTS_MODE:
-      return "xts";
-    case EVP_CIPH_STREAM_CIPHER:
-      return "stream";
-  }
-  return "{unknown}";
-}
 
 // ============================================================================
 
@@ -3289,13 +3237,43 @@ const Cipher Cipher::AES_256_OCB = Cipher::FromNid(NID_aes_256_ocb);
 
 const Cipher Cipher::CHACHA20_POLY1305 = Cipher::FromNid(NID_chacha20_poly1305);
 
+bool Cipher::isGcmMode() const {
+  if (!cipher_) return false;
+  return getMode() == EVP_CIPH_GCM_MODE;
+}
+
+bool Cipher::isWrapMode() const {
+  if (!cipher_) return false;
+  return getMode() == EVP_CIPH_WRAP_MODE;
+}
+
+bool Cipher::isCtrMode() const {
+  if (!cipher_) return false;
+  return getMode() == EVP_CIPH_CTR_MODE;
+}
+
+bool Cipher::isCcmMode() const {
+  if (!cipher_) return false;
+  return getMode() == EVP_CIPH_CCM_MODE;
+}
+
+bool Cipher::isOcbMode() const {
+  if (!cipher_) return false;
+  return getMode() == EVP_CIPH_OCB_MODE;
+}
+
+bool Cipher::isStreamMode() const {
+  if (!cipher_) return false;
+  return getMode() == EVP_CIPH_STREAM_CIPHER;
+}
+
 bool Cipher::isChaCha20Poly1305() const {
   if (!cipher_) return false;
   return getNid() == NID_chacha20_poly1305;
 }
 
 int Cipher::getMode() const {
-  if (!cipher_) return -1;
+  if (!cipher_) return 0;
   return EVP_CIPHER_mode(cipher_);
 }
 
@@ -3319,6 +3297,35 @@ int Cipher::getNid() const {
   return EVP_CIPHER_nid(cipher_);
 }
 
+std::string_view Cipher::getModeLabel() const {
+  if (!cipher_) return {};
+  switch (getMode()) {
+    case EVP_CIPH_CCM_MODE:
+      return "ccm";
+    case EVP_CIPH_CFB_MODE:
+      return "cfb";
+    case EVP_CIPH_CBC_MODE:
+      return "cbc";
+    case EVP_CIPH_CTR_MODE:
+      return "ctr";
+    case EVP_CIPH_ECB_MODE:
+      return "ecb";
+    case EVP_CIPH_GCM_MODE:
+      return "gcm";
+    case EVP_CIPH_OCB_MODE:
+      return "ocb";
+    case EVP_CIPH_OFB_MODE:
+      return "ofb";
+    case EVP_CIPH_WRAP_MODE:
+      return "wrap";
+    case EVP_CIPH_XTS_MODE:
+      return "xts";
+    case EVP_CIPH_STREAM_CIPHER:
+      return "stream";
+  }
+  return "{unknown}";
+}
+
 const char* Cipher::getName() const {
   if (!cipher_) return {};
   // OBJ_nid2sn(EVP_CIPHER_nid(cipher)) is used here instead of
@@ -3349,76 +3356,6 @@ int Cipher::bytesToKey(const Digest& digest,
       *this, Digest::MD5, nullptr, input.data, input.len, 1, key, iv);
 }
 
-template class ModeMixin<Cipher>;
-
-namespace {
-struct CipherCallbackContext {
-  Cipher::CipherNameCallback cb;
-  void operator()(const char* name) { cb(name); }
-};
-
-#if OPENSSL_VERSION_MAJOR >= 3
-template <class TypeName,
-          TypeName* fetch_type(OSSL_LIB_CTX*, const char*, const char*),
-          void free_type(TypeName*),
-          const TypeName* getbyname(const char*),
-          const char* getname(const TypeName*)>
-void array_push_back(const TypeName* evp_ref,
-                     const char* from,
-                     const char* to,
-                     void* arg) {
-  if (from == nullptr) return;
-
-  const TypeName* real_instance = getbyname(from);
-  if (!real_instance) return;
-
-  const char* real_name = getname(real_instance);
-  if (!real_name) return;
-
-  // EVP_*_fetch() does not support alias names, so we need to pass it the
-  // real/original algorithm name.
-  // We use EVP_*_fetch() as a filter here because it will only return an
-  // instance if the algorithm is supported by the public OpenSSL APIs (some
-  // algorithms are used internally by OpenSSL and are also passed to this
-  // callback).
-  TypeName* fetched = fetch_type(nullptr, real_name, nullptr);
-  if (fetched == nullptr) return;
-
-  free_type(fetched);
-  auto& cb = *(static_cast<CipherCallbackContext*>(arg));
-  cb(from);
-}
-#else
-template <class TypeName>
-void array_push_back(const TypeName* evp_ref,
-                     const char* from,
-                     const char* to,
-                     void* arg) {
-  if (!from) return;
-  auto& cb = *(static_cast<CipherCallbackContext*>(arg));
-  cb(from);
-}
-#endif
-}  // namespace
-
-void Cipher::ForEach(Cipher::CipherNameCallback callback) {
-  ClearErrorOnReturn clearErrorOnReturn;
-  CipherCallbackContext context;
-  context.cb = std::move(callback);
-
-  EVP_CIPHER_do_all_sorted(
-#if OPENSSL_VERSION_MAJOR >= 3
-      array_push_back<EVP_CIPHER,
-                      EVP_CIPHER_fetch,
-                      EVP_CIPHER_free,
-                      EVP_get_cipherbyname,
-                      EVP_CIPHER_get0_name>,
-#else
-      array_push_back<EVP_CIPHER>,
-#endif
-      &context);
-}
-
 // ============================================================================
 
 CipherCtxPointer CipherCtxPointer::New() {
@@ -3495,11 +3432,6 @@ int CipherCtxPointer::getMode() const {
   return EVP_CIPHER_CTX_mode(ctx_.get());
 }
 
-int CipherCtxPointer::getNid() const {
-  if (!ctx_) return 0;
-  return EVP_CIPHER_CTX_nid(ctx_.get());
-}
-
 bool CipherCtxPointer::isGcmMode() const {
   if (!ctx_) return false;
   return getMode() == EVP_CIPH_GCM_MODE;
@@ -3525,6 +3457,11 @@ bool CipherCtxPointer::isChaCha20Poly1305() const {
   return getNid() == NID_chacha20_poly1305;
 }
 
+int CipherCtxPointer::getNid() const {
+  if (!ctx_) return 0;
+  return EVP_CIPHER_CTX_nid(ctx_.get());
+}
+
 bool CipherCtxPointer::init(const Cipher& cipher,
                             bool encrypt,
                             const unsigned char* key,
@@ -4225,14 +4162,9 @@ const std::optional<Rsa::PssParams> Rsa::getPssParams() const {
   }
 
   if (params->saltLength != nullptr) {
-    // Older versions of openssl/boringssl do not implement
-    // ASN1_INTEGER_get_int64, which the salt length here technically
-    // is. Let's walk it through uint64_t with a conversion.
-    uint64_t temp;
-    if (ASN1_INTEGER_get_uint64(&temp, params->saltLength) != 1) {
+    if (ASN1_INTEGER_get_int64(&ret.salt_length, params->saltLength) != 1) {
       return std::nullopt;
     }
-    ret.salt_length = static_cast<int64_t>(temp);
   }
   return ret;
 }
@@ -4317,6 +4249,74 @@ DataPointer Cipher::recover(const EVPKeyPointer& key,
       key, params, in);
 }
 
+namespace {
+struct CipherCallbackContext {
+  Cipher::CipherNameCallback cb;
+  void operator()(const char* name) { cb(name); }
+};
+
+#if OPENSSL_VERSION_MAJOR >= 3
+template <class TypeName,
+          TypeName* fetch_type(OSSL_LIB_CTX*, const char*, const char*),
+          void free_type(TypeName*),
+          const TypeName* getbyname(const char*),
+          const char* getname(const TypeName*)>
+void array_push_back(const TypeName* evp_ref,
+                     const char* from,
+                     const char* to,
+                     void* arg) {
+  if (from == nullptr) return;
+
+  const TypeName* real_instance = getbyname(from);
+  if (!real_instance) return;
+
+  const char* real_name = getname(real_instance);
+  if (!real_name) return;
+
+  // EVP_*_fetch() does not support alias names, so we need to pass it the
+  // real/original algorithm name.
+  // We use EVP_*_fetch() as a filter here because it will only return an
+  // instance if the algorithm is supported by the public OpenSSL APIs (some
+  // algorithms are used internally by OpenSSL and are also passed to this
+  // callback).
+  TypeName* fetched = fetch_type(nullptr, real_name, nullptr);
+  if (fetched == nullptr) return;
+
+  free_type(fetched);
+  auto& cb = *(static_cast<CipherCallbackContext*>(arg));
+  cb(from);
+}
+#else
+template <class TypeName>
+void array_push_back(const TypeName* evp_ref,
+                     const char* from,
+                     const char* to,
+                     void* arg) {
+  if (!from) return;
+  auto& cb = *(static_cast<CipherCallbackContext*>(arg));
+  cb(from);
+}
+#endif
+}  // namespace
+
+void Cipher::ForEach(Cipher::CipherNameCallback callback) {
+  ClearErrorOnReturn clearErrorOnReturn;
+  CipherCallbackContext context;
+  context.cb = std::move(callback);
+
+  EVP_CIPHER_do_all_sorted(
+#if OPENSSL_VERSION_MAJOR >= 3
+      array_push_back<EVP_CIPHER,
+                      EVP_CIPHER_fetch,
+                      EVP_CIPHER_free,
+                      EVP_get_cipherbyname,
+                      EVP_CIPHER_get0_name>,
+#else
+      array_push_back<EVP_CIPHER>,
+#endif
+      &context);
+}
+
 // ============================================================================
 
 Ec::Ec() : ec_(nullptr) {}
@@ -4338,6 +4338,22 @@ int Ec::getCurve() const {
   return EC_GROUP_get_curve_name(getGroup());
 }
 
+uint32_t Ec::getDegree() const {
+  return EC_GROUP_get_degree(getGroup());
+}
+
+std::string Ec::getCurveName() const {
+  return std::string(OBJ_nid2sn(getCurve()));
+}
+
+const EC_POINT* Ec::getPublicKey() const {
+  return EC_KEY_get0_public_key(ec_);
+}
+
+const BIGNUM* Ec::getPrivateKey() const {
+  return EC_KEY_get0_private_key(ec_);
+}
+
 int Ec::GetCurveIdFromName(const char* name) {
   int nid = EC_curve_nist2nid(name);
   if (nid == NID_undef) {
@@ -4358,22 +4374,6 @@ bool Ec::GetCurves(Ec::GetCurveCallback callback) {
   return true;
 }
 
-uint32_t Ec::getDegree() const {
-  return EC_GROUP_get_degree(getGroup());
-}
-
-std::string Ec::getCurveName() const {
-  return std::string(OBJ_nid2sn(getCurve()));
-}
-
-const EC_POINT* Ec::getPublicKey() const {
-  return EC_KEY_get0_public_key(ec_);
-}
-
-const BIGNUM* Ec::getPrivateKey() const {
-  return EC_KEY_get0_private_key(ec_);
-}
-
 // ============================================================================
 
 EVPMDCtxPointer::EVPMDCtxPointer() : ctx_(nullptr) {}
@@ -4836,9 +4836,10 @@ std::pair<std::string, std::string> X509Name::Iterator::operator*() const {
   unsigned char* value_str;
   int value_str_size = ASN1_STRING_to_UTF8(&value_str, value);
 
-  return {
-      std::move(name_str),
-      std::string(reinterpret_cast<const char*>(value_str), value_str_size)};
+  std::string out(reinterpret_cast<const char*>(value_str), value_str_size);
+  OPENSSL_free(value_str);  // free after copy
+
+  return {std::move(name_str), std::move(out)};
 }
 
 // ============================================================================
@@ -5009,289 +5010,6 @@ DataPointer KEM::Decapsulate(const EVPKeyPointer& private_key,
 
 #endif  // OPENSSL_VERSION_MAJOR >= 3
 
-// ============================================================================
-// AEAD (Authenticated Encryption with Associated Data)
-#ifdef OPENSSL_IS_BORINGSSL
-
-const Aead Aead::FromName(std::string_view name) {
-  for (const auto& [construct, info] : aeadIndex) {
-    if (EqualNoCase(info.name, name)) {
-      return Aead(&info, construct());
-    }
-  }
-
-  return Aead();
-}
-
-const Aead Aead::FromCtx(std::string_view name, const AeadCtxPointer& ctx) {
-  for (const auto& [_, info] : aeadIndex) {
-    if (info.name == name) {
-      return Aead(&info, EVP_AEAD_CTX_aead(ctx.get()));
-    }
-  }
-
-  return Aead();
-}
-
-int Aead::getMode() const {
-  if (!aead_) return -1;
-
-  return info_->mode;
-}
-
-int Aead::getNonceLength() const {
-  if (!aead_) return 0;
-  return EVP_AEAD_nonce_length(aead_);
-}
-
-int Aead::getKeyLength() const {
-  if (!aead_) return 0;
-  return EVP_AEAD_key_length(aead_);
-}
-
-int Aead::getMaxOverhead() const {
-  if (!aead_) return 0;
-  return EVP_AEAD_max_overhead(aead_);
-}
-
-int Aead::getMaxTagLength() const {
-  if (!aead_) return 0;
-  return EVP_AEAD_max_tag_len(aead_);
-}
-
-int Aead::getBlockSize() const {
-  if (!aead_) return 0;
-
-  // EVP_CIPHER_CTX_block_size returns the block size, in bytes, of the cipher
-  // underlying |ctx|, or one if the cipher is a stream cipher.
-  return 1;
-}
-
-std::string_view Aead::getName() const {
-  if (!aead_) return "";
-
-  return info_->name;
-}
-
-int Aead::getNid() const {
-  if (!aead_) return 0;
-
-  return info_->nid;
-}
-
-const Aead Aead::FromConstructor(Aead::AeadConstructor construct) {
-  return Aead(&aeadIndex.at(construct), construct());
-}
-
-const std::unordered_map<Aead::AeadConstructor, Aead::AeadInfo>
-    Aead::aeadIndex = {
-        {EVP_aead_aes_128_gcm,
-         {.name = LN_aes_128_gcm,
-          .mode = EVP_CIPH_GCM_MODE,
-          .nid = NID_aes_128_gcm}},
-        {EVP_aead_aes_192_gcm,
-         {.name = LN_aes_192_gcm,
-          .mode = EVP_CIPH_GCM_MODE,
-          .nid = NID_aes_192_gcm}},
-        {EVP_aead_aes_256_gcm,
-         {.name = LN_aes_256_gcm,
-          .mode = EVP_CIPH_GCM_MODE,
-          .nid = NID_aes_256_gcm}},
-        {EVP_aead_chacha20_poly1305,
-         {.name = LN_chacha20_poly1305,
-          .mode = EVP_CIPH_STREAM_CIPHER,
-          .nid = NID_chacha20_poly1305}},
-        {EVP_aead_xchacha20_poly1305,
-         {
-             .name = "xchacha20-poly1305",
-             .mode = EVP_CIPH_STREAM_CIPHER,
-         }},
-        {EVP_aead_aes_128_ctr_hmac_sha256,
-         {
-             .name = "aes-128-ctr-hmac-sha256",
-             .mode = EVP_CIPH_CTR_MODE,
-         }},
-        {EVP_aead_aes_256_ctr_hmac_sha256,
-         {
-             .name = "aes-256-ctr-hmac-sha256",
-             .mode = EVP_CIPH_CTR_MODE,
-         }},
-        {EVP_aead_aes_128_gcm_siv,
-         {
-             .name = "aes-128-gcm-siv",
-             .mode = EVP_CIPH_GCM_MODE,
-         }},
-        {EVP_aead_aes_256_gcm_siv,
-         {
-             .name = "aes-256-gcm-siv",
-             .mode = EVP_CIPH_GCM_MODE,
-         }},
-        {EVP_aead_aes_128_gcm_randnonce,
-         {
-             .name = "aes-128-gcm-randnonce",
-             .mode = EVP_CIPH_GCM_MODE,
-         }},
-        {EVP_aead_aes_256_gcm_randnonce,
-         {
-             .name = "aes-256-gcm-randnonce",
-             .mode = EVP_CIPH_GCM_MODE,
-         }},
-        {EVP_aead_aes_128_ccm_bluetooth,
-         {
-             .name = "aes-128-ccm-bluetooth",
-             .mode = EVP_CIPH_CCM_MODE,
-         }},
-        {EVP_aead_aes_128_ccm_bluetooth_8,
-         {
-             .name = "aes-128-ccm-bluetooth-8",
-             .mode = EVP_CIPH_CCM_MODE,
-         }},
-        {EVP_aead_aes_128_ccm_matter,
-         {
-             .name = "aes-128-ccm-matter",
-             .mode = EVP_CIPH_CCM_MODE,
-         }},
-        {EVP_aead_aes_128_eax,
-         {.name = "aes-128-eax",
-          // BoringSSL does not define a mode constant for EAX. Using STREAM
-          // arbitrarily
-          .mode = EVP_CIPH_STREAM_CIPHER}},
-        {EVP_aead_aes_256_eax,
-         {.name = "aes-256-eax",
-          // BoringSSL does not define a mode constant for EAX. Using STREAM
-          // arbitrarily
-          .mode = EVP_CIPH_STREAM_CIPHER}},
-    };
-
-void Aead::ForEach(AeadNameCallback callback) {
-  for (const auto& [_, info] : aeadIndex) {
-    callback(info.name);
-  }
-}
-
-const Aead Aead::EMPTY = Aead();
-const Aead Aead::AES_128_GCM = Aead::FromConstructor(EVP_aead_aes_128_gcm);
-const Aead Aead::AES_192_GCM = Aead::FromConstructor(EVP_aead_aes_192_gcm);
-const Aead Aead::AES_256_GCM = Aead::FromConstructor(EVP_aead_aes_256_gcm);
-const Aead Aead::CHACHA20_POLY1305 =
-    Aead::FromConstructor(EVP_aead_chacha20_poly1305);
-const Aead Aead::XCHACHA20_POLY1305 =
-    Aead::FromConstructor(EVP_aead_xchacha20_poly1305);
-const Aead Aead::AES_128_CTR_HMAC_SHA256 =
-    Aead::FromConstructor(EVP_aead_aes_128_ctr_hmac_sha256);
-const Aead Aead::AES_256_CTR_HMAC_SHA256 =
-    Aead::FromConstructor(EVP_aead_aes_256_ctr_hmac_sha256);
-const Aead Aead::AES_128_GCM_SIV =
-    Aead::FromConstructor(EVP_aead_aes_128_gcm_siv);
-const Aead Aead::AES_256_GCM_SIV =
-    Aead::FromConstructor(EVP_aead_aes_256_gcm_siv);
-const Aead Aead::AES_128_GCM_RANDNONCE =
-    Aead::FromConstructor(EVP_aead_aes_128_gcm_randnonce);
-const Aead Aead::AES_256_GCM_RANDNONCE =
-    Aead::FromConstructor(EVP_aead_aes_256_gcm_randnonce);
-const Aead Aead::AES_128_CCM_BLUETOOTH =
-    Aead::FromConstructor(EVP_aead_aes_128_ccm_bluetooth);
-const Aead Aead::AES_128_CCM_BLUETOOTH_8 =
-    Aead::FromConstructor(EVP_aead_aes_128_ccm_bluetooth_8);
-const Aead Aead::AES_128_CCM_MATTER =
-    Aead::FromConstructor(EVP_aead_aes_128_ccm_matter);
-const Aead Aead::AES_128_EAX = Aead::FromConstructor(EVP_aead_aes_128_eax);
-const Aead Aead::AES_256_EAX = Aead::FromConstructor(EVP_aead_aes_256_eax);
-
-template class ModeMixin<Aead>;
-
-AeadCtxPointer AeadCtxPointer::New(const Aead& aead,
-                                   bool encrypt,
-                                   const unsigned char* key,
-                                   size_t keyLen,
-                                   size_t tagLen) {
-  // Note: In the EVP_AEAD API new always calls init
-  auto ret = AeadCtxPointer(EVP_AEAD_CTX_new(aead.get(), key, keyLen, tagLen));
-
-  if (!ret) {
-    return {};
-  }
-
-  return ret;
-}
-
-AeadCtxPointer::AeadCtxPointer(EVP_AEAD_CTX* ctx) : ctx_(ctx) {}
-
-AeadCtxPointer::AeadCtxPointer(AeadCtxPointer&& other) noexcept
-    : ctx_(other.release()) {}
-
-AeadCtxPointer& AeadCtxPointer::operator=(AeadCtxPointer&& other) noexcept {
-  if (this == &other) return *this;
-  this->~AeadCtxPointer();
-  return *new (this) AeadCtxPointer(std::move(other));
-}
-
-AeadCtxPointer::~AeadCtxPointer() {
-  reset();
-}
-
-void AeadCtxPointer::reset(EVP_AEAD_CTX* ctx) {
-  ctx_.reset(ctx);
-}
-
-EVP_AEAD_CTX* AeadCtxPointer::release() {
-  return ctx_.release();
-}
-
-bool AeadCtxPointer::init(const Aead& aead,
-                          bool encrypt,
-                          const unsigned char* key,
-                          size_t keyLen,
-                          size_t tagLen) {
-  return EVP_AEAD_CTX_init_with_direction(
-      ctx_.get(),
-      aead,
-      key,
-      keyLen,
-      tagLen,
-      encrypt ? evp_aead_seal : evp_aead_open);
-}
-
-bool AeadCtxPointer::encrypt(const Buffer<const unsigned char>& in,
-                             Buffer<unsigned char>& out,
-                             Buffer<unsigned char>& tag,
-                             const Buffer<const unsigned char>& nonce,
-                             const Buffer<const unsigned char>& aad) {
-  if (!ctx_) return false;
-  return EVP_AEAD_CTX_seal_scatter(ctx_.get(),
-                                   out.data,
-                                   tag.data,
-                                   &tag.len,
-                                   tag.len,
-                                   nonce.data,
-                                   nonce.len,
-                                   in.data,
-                                   in.len,
-                                   nullptr /* extra_in */,
-                                   0 /* extra_in_len */,
-                                   aad.data,
-                                   aad.len) == 1;
-}
-
-bool AeadCtxPointer::decrypt(const Buffer<const unsigned char>& in,
-                             Buffer<unsigned char>& out,
-                             const Buffer<const unsigned char>& tag,
-                             const Buffer<const unsigned char>& nonce,
-                             const Buffer<const unsigned char>& aad) {
-  if (!ctx_) return false;
-
-  return EVP_AEAD_CTX_open_gather(ctx_.get(),
-                                  out.data,
-                                  nonce.data,
-                                  nonce.len,
-                                  in.data,
-                                  in.len,
-                                  tag.data,
-                                  tag.len,
-                                  aad.data,
-                                  aad.len) == 1;
-}
-#endif
 }  // namespace ncrypto
 
 // ===========================================================================