bn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2.

Credit to OSS-Fuzz for finding this. CVE-2017-3738 (Imported from upstream's 5630661aecbea5fe3c4740f5fea744a1f07a6253 and 77d75993651b63e872244a3256e37967bb3c3e9e.) Confirmed with Intel SDE that the fix makes the test vector pass and that, without the fix, the test vector does not. (Well, we knew the latter already, since it was our test vector.) (cherry-picked from 296a61d600) Change-Id: I167aa3407ddab3b434bacbd18e099c55aa40ac4c Reviewed-on: https://boringssl-review.googlesource.com/23884 Reviewed-by: Adam Langley <agl@google.com> Reviewed-on: https://boringssl-review.googlesource.com/23924
Clear bottom three bits of password scalar in SPAKE2.
2017-12-07 19:16:01 +00:00 · 2017-11-16 08:19:54 -08:00 · 2017-10-11 16:46:20 +00:00 · 2017-10-10 21:03:10 +00:00 · 2017-10-10 21:01:59 +00:00 · 2017-10-10 18:58:20 +00:00
3740 changed files with 82797 additions and 64291 deletions
@@ -33,7 +33,7 @@
    executable may be configured explicitly by setting `GO_EXECUTABLE`.

  * To build the x86 and x86\_64 assembly, your assembler must support AVX2
-    instructions and MOVBE. If using GNU binutils, you must have 2.22 or later.
+    instructions and MOVBE. If using GNU binutils, you must have 2.22 or later

 ## Building

@@ -125,16 +125,18 @@ ARM, unlike Intel, does not have an instruction that allows applications to
 discover the capabilities of the processor. Instead, the capability information
 has to be provided by the operating system somehow.

-BoringSSL will try to use `getauxval` to discover the capabilities and, failing
-that, will probe for NEON support by executing a NEON instruction and handling
-any illegal-instruction signal. But some environments don't support that sort
-of thing and, for them, it's possible to configure the CPU capabilities
-at compile time.
+By default, on Linux-based systems, BoringSSL will try to use `getauxval` and
+`/proc` to discover the capabilities. But some environments don't support that
+sort of thing and, for them, it's possible to configure the CPU capabilities at
+compile time.

-If you define `OPENSSL_STATIC_ARMCAP` then you can define any of the following
-to enabling the corresponding ARM feature.
+On iOS or builds which define `OPENSSL_STATIC_ARMCAP`, features will be
+determined based on the `__ARM_NEON__` and `__ARM_FEATURE_CRYPTO` preprocessor
+symbols reported by the compiler. These values are usually controlled by the
+`-march` flag. You can also define any of the following to enable the
+corresponding ARM feature.

-  * `OPENSSL_STATIC_ARMCAP_NEON` or `__ARM_NEON__` (note that the latter is set by compilers when NEON support is enabled).
+  * `OPENSSL_STATIC_ARMCAP_NEON`
  * `OPENSSL_STATIC_ARMCAP_AES`
  * `OPENSSL_STATIC_ARMCAP_SHA1`
  * `OPENSSL_STATIC_ARMCAP_SHA256`
@@ -32,17 +32,66 @@ if (NOT GO_EXECUTABLE)
  message(FATAL_ERROR "Could not find Go")
 endif()

-if(CMAKE_COMPILER_IS_GNUCXX OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-  set(C_CXX_FLAGS "-Wall -Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -ggdb -fvisibility=hidden -fno-common")
-  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wnewline-eof")
+if (BORINGSSL_ALLOW_CXX_RUNTIME)
+  add_definitions(-DBORINGSSL_ALLOW_CXX_RUNTIME)
+endif()
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  set(CLANG 1)
+endif()
+
+if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)
+  # Note clang-cl is odd and sets both CLANG and MSVC. We base our configuration
+  # primarily on our normal Clang one because the MSVC one is mostly
+  # suppressions for an overaggressive -Wall.
+  set(C_CXX_FLAGS "-Wall -Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings")
+  if(MSVC)
+    # clang-cl sets different default warnings than clang.
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-unused-parameter -fmsc-version=1900")
+    # googletest suppresses warning C4996 via a pragma, but clang-cl does not
+    # honor it. Suppress it here to compensate. See https://crbug.com/772117.
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-deprecated-declarations")
+  else()
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -ggdb -fvisibility=hidden -fno-common")
+  endif()
+
+  if(CLANG)
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wnewline-eof -fcolor-diagnostics")
  else()
    # GCC (at least 4.8.4) has a bug where it'll find unreachable free() calls
    # and declare that the code is trying to free a stack pointer.
    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-free-nonheap-object")
  endif()
+
+  if(CLANG OR NOT "7.0.0" VERSION_GREATER CMAKE_C_COMPILER_VERSION)
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wimplicit-fallthrough")
+  endif()
+
  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${C_CXX_FLAGS} -Wmissing-prototypes -Wold-style-definition -Wstrict-prototypes")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 ${C_CXX_FLAGS} -Wmissing-declarations")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${C_CXX_FLAGS} -Wmissing-declarations")
+
+  if(NOT MSVC)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11")
+    if(NOT BORINGSSL_ALLOW_CXX_RUNTIME)
+      set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-exceptions -fno-rtti")
+    endif()
+  endif()
+
+  # In GCC, -Wmissing-declarations is the C++ spelling of -Wmissing-prototypes
+  # and using the wrong one is an error. In Clang, -Wmissing-prototypes is the
+  # spelling for both and -Wmissing-declarations is some other warning.
+  #
+  # https://gcc.gnu.org/onlinedocs/gcc-7.1.0/gcc/Warning-Options.html#Warning-Options
+  # https://clang.llvm.org/docs/DiagnosticsReference.html#wmissing-prototypes
+  # https://clang.llvm.org/docs/DiagnosticsReference.html#wmissing-declarations
+  if(CLANG)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wmissing-prototypes")
+  endif()
+
+  if(CMAKE_COMPILER_IS_GNUCXX AND "4.8" VERSION_GREATER CMAKE_C_COMPILER_VERSION)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-array-bounds")
+  endif()
+
 elseif(MSVC)
  set(MSVC_DISABLED_WARNINGS_LIST
      "C4061" # enumerator 'identifier' in switch of enum 'enumeration' is not
@@ -59,8 +108,6 @@ elseif(MSVC)
              # possible loss of data
      "C4244" # 'function' : conversion from 'int' to 'uint8_t',
              # possible loss of data
-      "C4245" # 'initializing' : conversion from 'long' to
-              # 'unsigned long', signed/unsigned mismatch
      "C4267" # conversion from 'size_t' to 'int', possible loss of data
      "C4371" # layout of class may have changed from a previous version of the
              # compiler due to better packing of member '...'
@@ -105,22 +152,26 @@ elseif(MSVC)
                            ${MSVC_LEVEL4_WARNINGS_LIST})
  set(CMAKE_C_FLAGS   "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
  set(CMAKE_CXX_FLAGS "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
-  set(CMAKE_ASM_NASM_FLAGS "-g cv8")
+endif()
+
+if(WIN32)
  add_definitions(-D_HAS_EXCEPTIONS=0)
  add_definitions(-DWIN32_LEAN_AND_MEAN)
  add_definitions(-DNOMINMAX)
-  add_definitions(-D_CRT_SECURE_NO_WARNINGS) # Allow use of fopen
+  # Allow use of fopen.
+  add_definitions(-D_CRT_SECURE_NO_WARNINGS)
+  # VS 2017 and higher supports STL-only warning suppressions.
+  add_definitions("-D_STL_EXTRA_DISABLED_WARNINGS=4774 4987")
 endif()

 if((CMAKE_COMPILER_IS_GNUCXX AND CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.7.99") OR
-   CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+   CLANG)
  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wshadow")
 endif()

 if(CMAKE_COMPILER_IS_GNUCXX)
-  if ((CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.8.99") OR
-      CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  if ((CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.8.99") OR CLANG)
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c11")
  else()
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c99")
@@ -133,7 +184,7 @@ if(NOT WIN32)
 endif()

 if(FUZZ)
-  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  if(NOT CLANG)
    message(FATAL_ERROR "You need to build with Clang for fuzzing to work")
  endif()

@@ -161,7 +212,7 @@ if (BUILD_SHARED_LIBS)
 endif()

 if (MSAN)
-  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  if(NOT CLANG)
    message(FATAL_ERROR "Cannot enable MSAN unless using Clang")
  endif()

@@ -175,7 +226,7 @@ if (MSAN)
 endif()

 if (ASAN)
-  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  if(NOT CLANG)
    message(FATAL_ERROR "Cannot enable ASAN unless using Clang")
  endif()

@@ -191,6 +242,13 @@ endif()

 if(FIPS)
  add_definitions(-DBORINGSSL_FIPS)
+  if(FIPS_BREAK_TEST)
+    add_definitions("-DBORINGSSL_FIPS_BREAK_${FIPS_BREAK_TEST}=1")
+  endif()
+  # Delocate does not work for ASan and MSan builds.
+  if(NOT ASAN AND NOT MSAN)
+    set(FIPS_DELOCATE "1")
+  endif()
 endif()

 # CMake's iOS support uses Apple's multiple-architecture toolchain. It takes an
@@ -289,7 +347,7 @@ if(FUZZ)
    add_library(Fuzzer STATIC ${LIBFUZZER_SOURCES})
    # libFuzzer does not pass our aggressive warnings. It also must be built
    # without -fsanitize-coverage options or clang crashes.
-    set_target_properties(Fuzzer PROPERTIES COMPILE_FLAGS "-Wno-shadow -Wno-format-nonliteral -fsanitize-coverage=0")
+    set_target_properties(Fuzzer PROPERTIES COMPILE_FLAGS "-Wno-shadow -Wno-format-nonliteral -Wno-missing-prototypes -fsanitize-coverage=0")
  endif()

  add_subdirectory(fuzz)
@@ -68,13 +68,15 @@ Additionally, if `BORINGSSL_UNSAFE_FUZZER_MODE` is set, BoringSSL will:

 * Tickets are unencrypted and the MAC check is performed but ignored.

+* renegotiation\_info checks are ignored.
+
 This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol.

 ## TLS transcripts

 The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. The `run_tests` target will pass appropriate command-line flags.

-There are separate corpora, `client_corpus_no_fuzzer_mode` and `server_corpus_no_fuzzer_mode`. These are transcripts for fuzzers with only `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. To build in this mode, pass `-DNO_FUZZER_MODE=1` into CMake. This configuration is run in the same way but without `-fuzzer` and `-shim-path` flags.
+There are separate corpora, `client_corpus_no_fuzzer_mode` and `server_corpus_no_fuzzer_mode`. These are transcripts for fuzzers with only `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. To build in this mode, pass `-DNO_FUZZER_MODE=1` into CMake. This configuration is run in the same way but without `-fuzzer` and `-shim-config` flags.

 If both sets of tests pass, refresh the fuzzer corpora with `refresh_ssl_corpora.sh`:

@@ -6,17 +6,27 @@ BoringSSL support, provided they do not use removed APIs. In general, see if the
 library compiles and, on failure, consult the documentation in the header files
 and see if problematic features can be removed.

-In some cases, BoringSSL-specific code may be necessary. In that case, the
-`OPENSSL_IS_BORINGSSL` preprocessor macro may be used in `#ifdef`s. This macro
-should also be used in lieu of the presence of any particular function to detect
-OpenSSL vs BoringSSL in configure scripts, etc., where those are necessary.
-Before using the preprocessor, however, contact the BoringSSL maintainers about
-the missing APIs. If not an intentionally removed feature, BoringSSL will
-typically add compatibility functions for convenience.
+BoringSSL's `OPENSSL_VERSION_NUMBER` matches the OpenSSL version it targets.
+Version checks for OpenSSL should ideally work as-is in BoringSSL. BoringSSL
+also defines upstream's `OPENSSL_NO_*` feature macros corresponding to removed
+features. If the preprocessor is needed, use these version checks or feature
+macros where possible, especially when patching third-party projects. Such
+patches are more generally useful to OpenSSL consumers and thus more
+appropriate to send upstream.

-For convenience, BoringSSL defines upstream's `OPENSSL_NO_*` feature macros
-corresponding to removed features. These may also be used to disable code which
-uses a removed feature.
+In some cases, BoringSSL-specific code may be necessary. Use the
+`OPENSSL_IS_BORINGSSL` preprocessor macro in `#ifdef`s. However, first contact
+the BoringSSL maintainers about the missing APIs. We will typically add
+compatibility functions for convenience. In particular, *contact BoringSSL
+maintainers before working around missing OpenSSL 1.1.0 accessors*. BoringSSL
+was originally derived from OpenSSL 1.0.2 but now targets OpenSSL 1.1.0. Some
+newer APIs may be missing but can be added on request. (Not all projects have
+been ported to OpenSSL 1.1.0, so BoringSSL also remains largely compatible with
+OpenSSL 1.0.2.)
+
+The `OPENSSL_IS_BORINGSSL` macro may also be used to distinguish OpenSSL from
+BoringSSL in configure scripts. Do not use the presence or absence of particular
+symbols to detect BoringSSL.

 Note: BoringSSL does *not* have a stable API or ABI. It must be updated with its
 consumers. It is not suitable for, say, a system library in a traditional Linux
@@ -39,15 +49,19 @@ code, particularly to avoid compiler warnings.
 Most notably, the `STACK_OF(T)` types have all been converted to use `size_t`
 instead of `int` for indices and lengths.

-### Reference counts
+### Reference counts and opaque types

 Some external consumers increment reference counts directly by calling
-`CRYPTO_add` with the corresponding `CRYPTO_LOCK_*` value.
+`CRYPTO_add` with the corresponding `CRYPTO_LOCK_*` value. These APIs no longer
+exist in BoringSSL. Instead, code which increments reference counts should call
+the corresponding `FOO_up_ref` function, such as `EVP_PKEY_up_ref`.

-These APIs no longer exist in BoringSSL. Instead, code which increments
-reference counts should call the corresponding `FOO_up_ref` function, such as
-`EVP_PKEY_up_ref`. Note that not all of these APIs are present in OpenSSL and
-may require `#ifdef`s.
+BoringSSL also hides some structs which were previously exposed in OpenSSL
+1.0.2, particularly in libssl. Use the relevant accessors instead.
+
+Note that some of these APIs were added in OpenSSL 1.1.0, so projects which do
+not yet support 1.1.0 may need additional `#ifdef`s. Projects supporting OpenSSL
+1.1.0 should not require modification.

 ### Error codes

@@ -116,7 +130,9 @@ response in (unpipelined) HTTP/1.1.

 Things which do not work:

-* There is no support for renegotiation as a server.
+* There is no support for renegotiation as a server. (Attempts by clients will
+  result in a fatal alert so that ClientHello messages cannot be used to flood
+  a server and escape higher-level limits.)

 * There is no support for renegotiation in DTLS.

@@ -128,6 +144,17 @@ Things which do not work:
 * If a HelloRequest is received while `SSL_write` has unsent application data,
  the renegotiation is rejected.

+* Renegotiation does not participate in session resumption. The client will
+  not offer a session on renegotiation or resume any session established by a
+  renegotiation handshake.
+
+* The server may not change its certificate in the renegotiation. This mitigates
+  the [triple handshake attack](https://mitls.org/pages/attacks/3SHAKE). Any new
+  stapled OCSP response and SCT list will be ignored. As no authentication state
+  may change, BoringSSL will not re-verify the certificate on a renegotiation.
+  Callbacks such as `SSL_CTX_set_custom_verify` will only run on the initial
+  handshake.
+
 ### Lowercase hexadecimal

 BoringSSL's `BN_bn2hex` function uses lowercase hexadecimal digits instead of
@@ -152,6 +179,17 @@ recommended to avoid the `out` parameter completely and always pass in `NULL`.
 Note that less error-prone APIs are available for BoringSSL-specific code (see
 below).

+### Memory allocation
+
+OpenSSL provides wrappers `OPENSSL_malloc` and `OPENSSL_free` over the standard
+`malloc` and `free`. Memory allocated by OpenSSL should be released with
+`OPENSSL_free`, not the standard `free`. However, by default, they are
+implemented directly using `malloc` and `free`, so code which mixes them up
+usually works.
+
+In BoringSSL, these functions maintain additional book-keeping to zero memory
+on `OPENSSL_free`, so any mixups must be fixed.
+
 ## Optional BoringSSL-specific simplifications

 BoringSSL makes some changes to OpenSSL which simplify the API but remain
@@ -247,3 +285,27 @@ parameter.
 `SSL_CTRL_SET_TMP_ECDH_CB` | `SSL_CTX_set_tmp_ecdh_callback`
 `SSL_CTRL_SET_TMP_RSA` | `SSL_CTX_set_tmp_rsa` is equivalent, but [*do not use this function*](https://freakattack.com/). (It is a no-op in BoringSSL.)
 `SSL_CTRL_SET_TMP_RSA_CB` | `SSL_CTX_set_tmp_rsa_callback` is equivalent, but [*do not use this function*](https://freakattack.com/). (It is a no-op in BoringSSL.)
+
+## Significant API additions
+
+In some places, BoringSSL has added significant APIs. Use of these APIs goes beyound “porting” and means giving up on OpenSSL compatibility.
+
+One example of this has already been mentioned: the [CBS and CBB](https://commondatastorage.googleapis.com/chromium-boringssl-docs/bytestring.h.html) functions should be used whenever parsing or serialising data.
+
+### CRYPTO\_BUFFER
+
+With the standard OpenSSL APIs, when making many TLS connections, the certificate data for each connection is retained in memory in an expensive `X509` structure. Additionally, common certificates often appear in the chains for multiple connections and are needlessly duplicated in memory.
+
+A [`CRYPTO_BUFFER`](https://commondatastorage.googleapis.com/chromium-boringssl-docs/pool.h.html) is just an opaque byte string. A `CRYPTO_BUFFER_POOL` is an intern table for these buffers, i.e. it ensures that only a single copy of any given byte string is kept for each pool.
+
+The function `TLS_with_buffers_method` returns an `SSL_METHOD` that avoids creating `X509` objects for certificates. Additionally, `SSL_CTX_set0_buffer_pool` can be used to install a pool on an `SSL_CTX` so that certificates can be deduplicated across connections and across `SSL_CTX`s.
+
+When using these functions, the application also needs to ensure that it doesn't call other functions that deal with `X509` or `X509_NAME` objects. For example, `SSL_get_peer_certificate` or `SSL_get_peer_cert_chain`. Doing so will trigger an assert in debug mode and will result in NULLs in release mode. Instead, call the buffer-based alternatives such as `SSL_get0_peer_certificates`. (See [ssl.h](https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html) for functions taking or returning `CRYPTO_BUFFER`.) The buffer-based alternative functions will work even when not using `TLS_with_buffers_method`, thus application code can transition gradually.
+
+In order to use buffers, the application code also needs to implement its own certificate verification using `SSL_[CTX_]set_custom_verify`. Otherwise all connections will fail with a verification error. Auto-chaining is also disabled when using buffers.
+
+Once those changes have been completed, the whole of the OpenSSL X.509 and ASN.1 code should be eliminated by the linker if BoringSSL is linked statically.
+
+### Asynchronous and opaque private keys
+
+OpenSSL offers the ENGINE API for implementing opaque private keys (i.e. private keys where software only has oracle access because the secrets are held in special hardware or on another machine). While the ENGINE API has been mostly removed from BoringSSL, it is still possible to support opaque keys in this way. However, when using such keys with TLS and BoringSSL, you should strongly prefer using `SSL_PRIVATE_KEY_METHOD` via `SSL[_CTX]_set_private_key_method`. This allows a handshake to be suspended while the private operation is in progress. It also supports more forms of opaque key as it exposes higher-level information about the operation to be performed.
@@ -31,10 +31,10 @@ Variable declarations in the middle of a function or inside a `for` loop are
 allowed and preferred where possible. Note that the common `goto err` cleanup
 pattern requires lifting some variable declarations.

-Comments should be `/* C-style */` for consistency.
+Comments should be `// C99-style` for consistency with C++.

-When declaration pointer types, `*` should be placed next to the variable
-name, not the type. So
+When declaring pointer types, `*` should be placed next to the variable name,
+not the type. So

    uint8_t *ptr;

@@ -60,6 +60,19 @@ constants for flags. If adding values to an existing set of `#define`s,
 continue with `#define`.


+## libssl
+
+libssl was originally written in C but is being incrementally rewritten in
+C++11. As of writing, much of the style matches our C conventions rather than
+Google C++. Additionally, libssl on Linux currently may not depend on the C++
+runtime. See the C++ utilities in `ssl/internal.h` for replacements for
+problematic C++ constructs. The `util/check_imported_libraries.go` script may be
+used with a shared library build to check if a new construct is okay.
+
+If unsure, match surrounding code. Discrepancies between it and Google C++ style
+will be fixed over time.
+
+
 ## Formatting

 Single-statement blocks are not allowed. All conditions and loops must
@@ -185,25 +198,36 @@ behavior of the function. Pay special note to success/failure behaviors
 and caller obligations on object lifetimes. If this sacrifices
 conciseness, consider simplifying the function's behavior.

-    /* EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
-     * will be verified by |EVP_DigestVerifyFinal|. It returns one on success and
-     * zero otherwise. */
+    // EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
+    // will be verified by |EVP_DigestVerifyFinal|. It returns one on success and
+    // zero otherwise.
    OPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data,
                                              size_t len);

 Explicitly mention any surprising edge cases or deviations from common
 return value patterns in legacy functions.

-    /* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
-     * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
-     * least |RSA_size| bytes of space. It returns the number of bytes written, or
-     * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
-     * values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
-     *
-     * WARNING: this function is dangerous because it breaks the usual return value
-     * convention. Use |RSA_sign_raw| instead. */
+    // RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
+    // |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
+    // least |RSA_size| bytes of space. It returns the number of bytes written, or
+    // -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
+    // values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
+    //
+    // WARNING: this function is dangerous because it breaks the usual return value
+    // convention. Use |RSA_sign_raw| instead.
    OPENSSL_EXPORT int RSA_private_encrypt(int flen, const uint8_t *from,
                                           uint8_t *to, RSA *rsa, int padding);

 Document private functions in their `internal.h` header or, if static,
 where defined.
+
+
+## Build logic
+
+BoringSSL is used by many projects with many different build tools.
+Reimplementing and maintaining build logic in each downstream build is
+cumbersome, so build logic should be avoided where possible. Platform-specific
+files should be excluded by wrapping the contents in `#ifdef`s, rather than
+computing platform-specific file lists. Generated source files such as perlasm
+and `err_data.c` may be used in the standalone CMake build but, for downstream
+builds, they should be pre-generated in `generate_build_files.py`.
@@ -1,61 +1,64 @@
 include_directories(../include)

-if(UNIX)
-  if (${ARCH} STREQUAL "aarch64")
-    # The "armx" Perl scripts look for "64" in the style argument
-    # in order to decide whether to generate 32- or 64-bit asm.
-    if (APPLE)
-      set(PERLASM_STYLE ios64)
+if(NOT OPENSSL_NO_ASM)
+  if(UNIX)
+    if (${ARCH} STREQUAL "aarch64")
+      # The "armx" Perl scripts look for "64" in the style argument
+      # in order to decide whether to generate 32- or 64-bit asm.
+      if (APPLE)
+        set(PERLASM_STYLE ios64)
+      else()
+        set(PERLASM_STYLE linux64)
+      endif()
+    elseif (${ARCH} STREQUAL "arm")
+      if (APPLE)
+        set(PERLASM_STYLE ios32)
+      else()
+        set(PERLASM_STYLE linux32)
+      endif()
+    elseif (${ARCH} STREQUAL "ppc64le")
+      set(PERLASM_STYLE linux64le)
    else()
-      set(PERLASM_STYLE linux64)
+      if (${ARCH} STREQUAL "x86")
+        set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
+      endif()
+      if (APPLE)
+        set(PERLASM_STYLE macosx)
+      else()
+        set(PERLASM_STYLE elf)
+      endif()
    endif()
-  elseif (${ARCH} STREQUAL "arm")
+    set(ASM_EXT S)
+    enable_language(ASM)
+    set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,--noexecstack")
+
+    # Clang's integerated assembler does not support debug symbols.
+    if(NOT CMAKE_ASM_COMPILER_ID MATCHES "Clang")
+      set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,-g")
+    endif()
+
+    # CMake does not add -isysroot and -arch flags to assembly.
    if (APPLE)
-      set(PERLASM_STYLE ios32)
-    else()
-      set(PERLASM_STYLE linux32)
+      if (CMAKE_OSX_SYSROOT)
+        set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -isysroot \"${CMAKE_OSX_SYSROOT}\"")
+      endif()
+      foreach(arch ${CMAKE_OSX_ARCHITECTURES})
+        set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -arch ${arch}")
+      endforeach()
    endif()
-  elseif (${ARCH} STREQUAL "ppc64le")
-    set(PERLASM_STYLE ppc64le)
  else()
-    if (${ARCH} STREQUAL "x86")
-      set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
-    endif()
-    if (APPLE)
-      set(PERLASM_STYLE macosx)
+    if (${ARCH} STREQUAL "x86_64")
+      set(PERLASM_STYLE nasm)
    else()
-      set(PERLASM_STYLE elf)
+      set(PERLASM_STYLE win32n)
+      set(PERLASM_FLAGS "-DOPENSSL_IA32_SSE2")
    endif()
-  endif()
-  set(ASM_EXT S)
-  enable_language(ASM)
-  set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,--noexecstack")
+    set(CMAKE_ASM_NASM_FLAGS "-g cv8")

-  # Clang's integerated assembler does not support debug symbols.
-  if(NOT CMAKE_ASM_COMPILER_ID MATCHES "Clang")
-    set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,-g")
+    # On Windows, we use the NASM output, specifically built with Yasm.
+    set(ASM_EXT asm)
+    enable_language(ASM_NASM)
  endif()
-
-  # CMake does not add -isysroot and -arch flags to assembly.
-  if (APPLE)
-    if (CMAKE_OSX_SYSROOT)
-      set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -isysroot ${CMAKE_OSX_SYSROOT}")
-    endif()
-    foreach(arch ${CMAKE_OSX_ARCHITECTURES})
-      set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -arch ${arch}")
-    endforeach()
-  endif()
-else()
-  if (CMAKE_CL_64)
-    set(PERLASM_STYLE nasm)
-  else()
-    set(PERLASM_STYLE win32n)
-    set(PERLASM_FLAGS "-DOPENSSL_IA32_SSE2")
-  endif()
-
-  # On Windows, we use the NASM output, specifically built with Yasm.
-  set(ASM_EXT asm)
-  enable_language(ASM_NASM)
 endif()

 function(perlasm dest src)
@@ -108,7 +111,6 @@ add_subdirectory(rsa_extra)
 add_subdirectory(ec_extra)
 add_subdirectory(ecdh)
 add_subdirectory(ecdsa_extra)
-add_subdirectory(hmac_extra)

 # Level 3
 add_subdirectory(cmac)
@@ -148,7 +150,7 @@ add_library(
  thread_win.c
 )

-if(FIPS)
+if(FIPS_DELOCATE)
  SET_SOURCE_FILES_PROPERTIES(fipsmodule/bcm.o PROPERTIES EXTERNAL_OBJECT true)
  SET_SOURCE_FILES_PROPERTIES(fipsmodule/bcm.o PROPERTIES GENERATED true)

@@ -202,7 +204,7 @@ add_library(
  ${CRYPTO_FIPS_OBJECTS}
 )

-if(FIPS)
+if(FIPS_DELOCATE)
  add_dependencies(crypto bcm_o_target)
 endif()

@@ -212,17 +214,6 @@ if(NOT MSVC AND NOT ANDROID)
  target_link_libraries(crypto pthread)
 endif()

-add_executable(
-  thread_test
-
-  thread_test.c
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(thread_test crypto)
-add_dependencies(all_tests thread_test)
-
 # TODO(davidben): Convert the remaining tests to GTest.
 add_executable(
  crypto_test
@@ -232,28 +223,46 @@ add_executable(
  bio/bio_test.cc
  bytestring/bytestring_test.cc
  chacha/chacha_test.cc
-  cipher_extra/aead_extra_test.cc
+  cipher_extra/aead_test.cc
+  cipher_extra/cipher_test.cc
  cmac/cmac_test.cc
  compiler_test.cc
  constant_time_test.cc
  curve25519/ed25519_test.cc
  curve25519/spake25519_test.cc
  curve25519/x25519_test.cc
+  ecdh/ecdh_test.cc
  dh/dh_test.cc
  digest_extra/digest_test.cc
  dsa/dsa_test.cc
  err/err_test.cc
  evp/evp_extra_test.cc
+  evp/evp_test.cc
  evp/pbkdf_test.cc
+  evp/scrypt_test.cc
  fipsmodule/aes/aes_test.cc
+  fipsmodule/bn/bn_test.cc
  fipsmodule/ec/ec_test.cc
+  fipsmodule/ec/p256-x86_64_test.cc
+  fipsmodule/ecdsa/ecdsa_test.cc
+  fipsmodule/modes/gcm_test.cc
  fipsmodule/rand/ctrdrbg_test.cc
  hkdf/hkdf_test.cc
+  hmac_extra/hmac_test.cc
  lhash/lhash_test.cc
+  obj/obj_test.cc
+  pkcs7/pkcs7_test.cc
+  pkcs8/pkcs8_test.cc
+  pkcs8/pkcs12_test.cc
+  poly1305/poly1305_test.cc
  pool/pool_test.cc
  refcount_test.cc
  rsa_extra/rsa_test.cc
  test/file_test_gtest.cc
+  thread_test.cc
+  x509/x509_test.cc
+  x509v3/tab_test.cc
+  x509v3/v3name_test.cc

  $<TARGET_OBJECTS:crypto_test_data>
  $<TARGET_OBJECTS:gtest_main>
@@ -28,7 +28,6 @@ add_library(
  f_enum.c
  f_int.c
  f_string.c
-  t_bitst.c
  tasn_dec.c
  tasn_enc.c
  tasn_fre.c
@@ -56,6 +56,7 @@

 #include <openssl/asn1.h>

+#include <limits.h>
 #include <string.h>

 #include <openssl/err.h>
@@ -139,6 +140,11 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
        goto err;
    }

+    if (len > INT_MAX) {
+      OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG);
+      goto err;
+    }
+
    if ((a == NULL) || ((*a) == NULL)) {
        if ((ret = M_ASN1_BIT_STRING_new()) == NULL)
            return (NULL);
@@ -211,8 +217,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
        if (a->data == NULL)
            c = (unsigned char *)OPENSSL_malloc(w + 1);
        else
-            c = (unsigned char *)OPENSSL_realloc_clean(a->data,
-                                                       a->length, w + 1);
+            c = (unsigned char *)OPENSSL_realloc(a->data, w + 1);
        if (c == NULL) {
            OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
            return 0;
@@ -140,6 +140,21 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
 }
 #endif

+typedef struct asn1_const_ctx_st
+    {
+    const unsigned char *p;/* work char pointer */
+    int eos;    /* end of sequence read for indefinite encoding */
+    int error;  /* error code to use when returning an error */
+    int inf;    /* constructed if 0x20, indefinite is 0x21 */
+    int tag;    /* tag from last 'get object' */
+    int xclass; /* class from last 'get object' */
+    long slen;  /* length of last 'get object' */
+    const unsigned char *max; /* largest value of p allowed */
+    const unsigned char *q;/* temporary variable */
+    const unsigned char **pp;/* variable */
+    int line;   /* used in error processing */
+    } ASN1_const_CTX;
+
 #define HEADER_SIZE   8
 #define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
@@ -91,31 +91,3 @@ int ASN1_PRINTABLE_type(const unsigned char *s, int len)
        return (V_ASN1_IA5STRING);
    return (V_ASN1_PRINTABLESTRING);
 }
-
-int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s)
-{
-    int i;
-    unsigned char *p;
-
-    if (s->type != V_ASN1_UNIVERSALSTRING)
-        return (0);
-    if ((s->length % 4) != 0)
-        return (0);
-    p = s->data;
-    for (i = 0; i < s->length; i += 4) {
-        if ((p[0] != '\0') || (p[1] != '\0') || (p[2] != '\0'))
-            break;
-        else
-            p += 4;
-    }
-    if (i < s->length)
-        return (0);
-    p = s->data;
-    for (i = 3; i < s->length; i += 4) {
-        *(p++) = s->data[i];
-    }
-    *(p) = '\0';
-    s->length /= 4;
-    s->type = ASN1_PRINTABLE_type(s->data, s->length);
-    return (1);
-}
@@ -107,30 +107,6 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
                           long max);
 static void asn1_put_length(unsigned char **pp, int length);

-static int _asn1_check_infinite_end(const unsigned char **p, long len)
-{
-    /*
-     * If there is 0 or 1 byte left, the length check should pick things up
-     */
-    if (len <= 0)
-        return (1);
-    else if ((len >= 2) && ((*p)[0] == 0) && ((*p)[1] == 0)) {
-        (*p) += 2;
-        return (1);
-    }
-    return (0);
-}
-
-int ASN1_check_infinite_end(unsigned char **p, long len)
-{
-    return _asn1_check_infinite_end((const unsigned char **)p, len);
-}
-
-int ASN1_const_check_infinite_end(const unsigned char **p, long len)
-{
-    return _asn1_check_infinite_end(p, len);
-}
-
 int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
                    int *pclass, long omax)
 {
@@ -327,31 +303,6 @@ int ASN1_object_size(int constructed, int length, int tag)
    return ret + length;
 }

-static int _asn1_Finish(ASN1_const_CTX *c)
-{
-    if ((c->inf == (1 | V_ASN1_CONSTRUCTED)) && (!c->eos)) {
-        if (!ASN1_const_check_infinite_end(&c->p, c->slen)) {
-            c->error = ASN1_R_MISSING_ASN1_EOS;
-            return (0);
-        }
-    }
-    if (((c->slen != 0) && !(c->inf & 1)) || ((c->slen < 0) && (c->inf & 1))) {
-        c->error = ASN1_R_ASN1_LENGTH_MISMATCH;
-        return (0);
-    }
-    return (1);
-}
-
-int asn1_Finish(ASN1_CTX *c)
-{
-    return _asn1_Finish((ASN1_const_CTX *)c);
-}
-
-int asn1_const_Finish(ASN1_const_CTX *c)
-{
-    return _asn1_Finish(c);
-}
-
 int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str)
 {
    if (str == NULL)
@@ -484,3 +435,8 @@ unsigned char *ASN1_STRING_data(ASN1_STRING *x)
 {
    return M_ASN1_STRING_data(x);
 }
+
+const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
+{
+    return x->data;
+}
@@ -72,7 +72,7 @@ extern "C" {
 /* Wrapper functions for time functions. */

 /* OPENSSL_gmtime wraps |gmtime_r|. See the manual page for that function. */
-struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result);
+struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result);

 /* OPENSSL_gmtime_adj updates |tm| by adding |offset_day| days and |offset_sec|
 * seconds. */
@@ -1,103 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/asn1.h>
-
-#include <string.h>
-
-#include <openssl/mem.h>
-
-int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
-                               BIT_STRING_BITNAME *tbl, int indent)
-{
-    BIT_STRING_BITNAME *bnam;
-    char first = 1;
-    BIO_printf(out, "%*s", indent, "");
-    for (bnam = tbl; bnam->lname; bnam++) {
-        if (ASN1_BIT_STRING_get_bit(bs, bnam->bitnum)) {
-            if (!first)
-                BIO_puts(out, ", ");
-            BIO_puts(out, bnam->lname);
-            first = 0;
-        }
-    }
-    BIO_puts(out, "\n");
-    return 1;
-}
-
-int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
-                            BIT_STRING_BITNAME *tbl)
-{
-    int bitnum;
-    bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
-    if (bitnum < 0)
-        return 0;
-    if (bs) {
-        if (!ASN1_BIT_STRING_set_bit(bs, bitnum, value))
-            return 0;
-    }
-    return 1;
-}
-
-int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl)
-{
-    BIT_STRING_BITNAME *bnam;
-    for (bnam = tbl; bnam->lname; bnam++) {
-        if (!strcmp(bnam->sname, name) || !strcmp(bnam->lname, name))
-            return bnam->bitnum;
-    }
-    return -1;
-}
@@ -56,6 +56,7 @@

 #include <openssl/asn1.h>

+#include <limits.h>
 #include <string.h>

 #include <openssl/asn1t.h>
@@ -147,15 +148,6 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
    return NULL;
 }

-int ASN1_template_d2i(ASN1_VALUE **pval,
-                      const unsigned char **in, long len,
-                      const ASN1_TEMPLATE *tt)
-{
-    ASN1_TLC c;
-    asn1_tlc_clear_nc(&c);
-    return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
-}
-
 /*
 * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
 * tag mismatch return -1 to handle OPTIONAL
@@ -188,6 +180,14 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
    else
        asn1_cb = 0;

+    /*
+     * Bound |len| to comfortably fit in an int. Lengths in this module often
+     * switch between int and long without overflow checks.
+     */
+    if (len > INT_MAX/2) {
+        len = INT_MAX/2;
+    }
+
    switch (it->itype) {
    case ASN1_ITYPE_PRIMITIVE:
        if (it->templates) {
@@ -256,12 +256,6 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
    return 0;
 }

-int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out,
-                      const ASN1_TEMPLATE *tt)
-{
-    return asn1_template_ex_i2d(pval, out, tt, -1, 0);
-}
-
 static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
                                const ASN1_TEMPLATE *tt, int tag, int iclass)
 {
@@ -171,7 +171,7 @@ int OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec) {
  return 1;
 }

-int OPENSSL_gmtime_diff(int *pday, int *psec, const struct tm *from,
+int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from,
                        const struct tm *to) {
  int from_sec, to_sec, diff_sec;
  long from_jd, to_jd, diff_day;
@@ -195,11 +195,11 @@ int OPENSSL_gmtime_diff(int *pday, int *psec, const struct tm *from,
    diff_sec -= SECS_PER_DAY;
  }

-  if (pday) {
-    *pday = (int)diff_day;
+  if (out_days) {
+    *out_days = (int)diff_day;
  }
-  if (psec) {
-    *psec = diff_sec;
+  if (out_secs) {
+    *out_secs = diff_sec;
  }

  return 1;
@@ -65,29 +65,29 @@
 #include "../internal.h"


-/* constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t|
- * arguments for a slightly simpler implementation. */
+// constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t|
+// arguments for a slightly simpler implementation.
 static inline uint8_t constant_time_lt_args_8(uint8_t a, uint8_t b) {
  crypto_word_t aw = a;
  crypto_word_t bw = b;
-  /* |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same
-   * MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1. */
+  // |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same
+  // MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1.
  return constant_time_msb_w(aw - bw);
 }

-/* constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max|
- * and |CONSTTIME_FALSE_8| otherwise. */
+// constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max|
+// and |CONSTTIME_FALSE_8| otherwise.
 static inline uint8_t constant_time_in_range_8(uint8_t a, uint8_t min,
                                               uint8_t max) {
  a -= min;
  return constant_time_lt_args_8(a, max - min + 1);
 }

-/* Encoding. */
+// Encoding.

 static uint8_t conv_bin2ascii(uint8_t a) {
-  /* Since PEM is sometimes used to carry private keys, we encode base64 data
-   * itself in constant-time. */
+  // Since PEM is sometimes used to carry private keys, we encode base64 data
+  // itself in constant-time.
  a &= 0x3f;
  uint8_t ret = constant_time_select_8(constant_time_eq_8(a, 62), '+', '/');
  ret =
@@ -183,8 +183,8 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
  ctx->data_used = (unsigned)in_len;

  if (total > INT_MAX) {
-    /* We cannot signal an error, but we can at least avoid making *out_len
-     * negative. */
+    // We cannot signal an error, but we can at least avoid making *out_len
+    // negative.
    total = 0;
  }
  *out_len = (int)total;
@@ -201,8 +201,8 @@ void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len) {
  out[encoded] = '\0';
  ctx->data_used = 0;

-  /* ctx->data_used is bounded by sizeof(ctx->data), so this does not
-   * overflow. */
+  // ctx->data_used is bounded by sizeof(ctx->data), so this does not
+  // overflow.
  assert(encoded <= INT_MAX);
  *out_len = (int)encoded;
 }
@@ -240,7 +240,7 @@ size_t EVP_EncodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
 }


-/* Decoding. */
+// Decoding.

 int EVP_DecodedLength(size_t *out_len, size_t len) {
  if (len % 4 != 0) {
@@ -256,8 +256,8 @@ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) {
 }

 static uint8_t base64_ascii_to_bin(uint8_t a) {
-  /* Since PEM is sometimes used to carry private keys, we decode base64 data
-   * itself in constant-time. */
+  // Since PEM is sometimes used to carry private keys, we decode base64 data
+  // itself in constant-time.
  const uint8_t is_upper = constant_time_in_range_8(a, 'A', 'Z');
  const uint8_t is_lower = constant_time_in_range_8(a, 'a', 'z');
  const uint8_t is_digit = constant_time_in_range_8(a, '0', '9');
@@ -265,21 +265,21 @@ static uint8_t base64_ascii_to_bin(uint8_t a) {
  const uint8_t is_slash = constant_time_eq_8(a, '/');
  const uint8_t is_equals = constant_time_eq_8(a, '=');

-  uint8_t ret = 0xff; /* 0xff signals invalid. */
-  ret = constant_time_select_8(is_upper, a - 'A', ret);      /* [0,26) */
-  ret = constant_time_select_8(is_lower, a - 'a' + 26, ret); /* [26,52) */
-  ret = constant_time_select_8(is_digit, a - '0' + 52, ret); /* [52,62) */
+  uint8_t ret = 0xff;  // 0xff signals invalid.
+  ret = constant_time_select_8(is_upper, a - 'A', ret);       // [0,26)
+  ret = constant_time_select_8(is_lower, a - 'a' + 26, ret);  // [26,52)
+  ret = constant_time_select_8(is_digit, a - '0' + 52, ret);  // [52,62)
  ret = constant_time_select_8(is_plus, 62, ret);
  ret = constant_time_select_8(is_slash, 63, ret);
-  /* Padding maps to zero, to be further handled by the caller. */
+  // Padding maps to zero, to be further handled by the caller.
  ret = constant_time_select_8(is_equals, 0, ret);
  return ret;
 }

-/* base64_decode_quad decodes a single “quad” (i.e. four characters) of base64
- * data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the
- * number of bytes written, which will be less than three if the quad ended
- * with padding.  It returns one on success or zero on error. */
+// base64_decode_quad decodes a single “quad” (i.e. four characters) of base64
+// data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the
+// number of bytes written, which will be less than three if the quad ended
+// with padding.  It returns one on success or zero on error.
 static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes,
                              const uint8_t *in) {
  const uint8_t a = base64_ascii_to_bin(in[0]);
@@ -300,20 +300,20 @@ static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes,

  switch (padding_pattern) {
    case 0:
-      /* The common case of no padding. */
+      // The common case of no padding.
      *out_num_bytes = 3;
      out[0] = v >> 16;
      out[1] = v >> 8;
      out[2] = v;
      break;

-    case 1: /* xxx= */
+    case 1:  // xxx=
      *out_num_bytes = 2;
      out[0] = v >> 16;
      out[1] = v >> 8;
      break;

-    case 3: /* xx== */
+    case 3:  // xx==
      *out_num_bytes = 1;
      out[0] = v >> 16;
      break;
@@ -424,7 +424,7 @@ int EVP_DecodeBase64(uint8_t *out, size_t *out_len, size_t max_out,
 }

 int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
-  /* Trim spaces and tabs from the beginning of the input. */
+  // Trim spaces and tabs from the beginning of the input.
  while (src_len > 0) {
    if (src[0] != ' ' && src[0] != '\t') {
      break;
@@ -434,7 +434,7 @@ int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
    src_len--;
  }

-  /* Trim newlines, spaces and tabs from the end of the line. */
+  // Trim newlines, spaces and tabs from the end of the line.
  while (src_len > 0) {
    switch (src[src_len-1]) {
      case ' ':
@@ -455,8 +455,8 @@ int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
    return -1;
  }

-  /* EVP_DecodeBlock does not take padding into account, so put the
-   * NULs back in... so the caller can strip them back out. */
+  // EVP_DecodeBlock does not take padding into account, so put the
+  // NULs back in... so the caller can strip them back out.
  while (dst_len % 3 != 0) {
    dst[dst_len++] = '\0';
  }
@@ -280,9 +280,9 @@ TEST_P(Base64Test, DecodeUpdateStreaming) {
          out_len += bytes_written;
          if (i == encoded_len ||
              (i + 1 == encoded_len && t.encoded[i] == '\n') ||
-              /* If there was an '-' in the input (which means “EOF”) then
-               * this loop will continue to test that |EVP_DecodeUpdate| will
-               * ignore the remainder of the input. */
+              // If there was an '-' in the input (which means “EOF”) then
+              // this loop will continue to test that |EVP_DecodeUpdate| will
+              // ignore the remainder of the input.
              strchr(t.encoded, '-') != nullptr) {
            break;
          }
@@ -96,13 +96,6 @@ int BIO_free(BIO *bio) {
      return 0;
    }

-    if (bio->callback != NULL) {
-      int i = (int)bio->callback(bio, BIO_CB_FREE, NULL, 0, 0, 1);
-      if (i <= 0) {
-        return i;
-      }
-    }
-
    next_bio = BIO_pop(bio);

    if (bio->method != NULL && bio->method->destroy != NULL) {
@@ -127,64 +120,61 @@ void BIO_free_all(BIO *bio) {
  BIO_free(bio);
 }

-static int bio_io(BIO *bio, void *buf, int len, size_t method_offset,
-                  int callback_flags, size_t *num) {
-  int i;
-  typedef int (*io_func_t)(BIO *, char *, int);
-  io_func_t io_func = NULL;
-
-  if (bio != NULL && bio->method != NULL) {
-    io_func =
-        *((const io_func_t *)(((const uint8_t *)bio->method) + method_offset));
-  }
-
-  if (io_func == NULL) {
+int BIO_read(BIO *bio, void *buf, int len) {
+  if (bio == NULL || bio->method == NULL || bio->method->bread == NULL) {
    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return -2;
  }
-
-  if (bio->callback != NULL) {
-    i = (int) bio->callback(bio, callback_flags, buf, len, 0L, 1L);
-    if (i <= 0) {
-      return i;
-    }
-  }
-
  if (!bio->init) {
    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
    return -2;
  }
-
-  i = 0;
-  if (buf != NULL && len > 0) {
-    i = io_func(bio, buf, len);
+  if (len <= 0) {
+    return 0;
  }
-
-  if (i > 0) {
-    *num += i;
+  int ret = bio->method->bread(bio, buf, len);
+  if (ret > 0) {
+    bio->num_read += ret;
  }
-
-  if (bio->callback != NULL) {
-    i = (int)(bio->callback(bio, callback_flags | BIO_CB_RETURN, buf, len, 0L,
-                            (long)i));
-  }
-
-  return i;
-}
-
-int BIO_read(BIO *bio, void *buf, int len) {
-  return bio_io(bio, buf, len, offsetof(BIO_METHOD, bread), BIO_CB_READ,
-                &bio->num_read);
+  return ret;
 }

 int BIO_gets(BIO *bio, char *buf, int len) {
-  return bio_io(bio, buf, len, offsetof(BIO_METHOD, bgets), BIO_CB_GETS,
-                &bio->num_read);
+  if (bio == NULL || bio->method == NULL || bio->method->bgets == NULL) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
+    return -2;
+  }
+  if (!bio->init) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
+    return -2;
+  }
+  if (len <= 0) {
+    return 0;
+  }
+  int ret = bio->method->bgets(bio, buf, len);
+  if (ret > 0) {
+    bio->num_read += ret;
+  }
+  return ret;
 }

 int BIO_write(BIO *bio, const void *in, int inl) {
-  return bio_io(bio, (char *)in, inl, offsetof(BIO_METHOD, bwrite),
-                BIO_CB_WRITE, &bio->num_write);
+  if (bio == NULL || bio->method == NULL || bio->method->bwrite == NULL) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
+    return -2;
+  }
+  if (!bio->init) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
+    return -2;
+  }
+  if (inl <= 0) {
+    return 0;
+  }
+  int ret = bio->method->bwrite(bio, in, inl);
+  if (ret > 0) {
+    bio->num_write += ret;
+  }
+  return ret;
 }

 int BIO_puts(BIO *bio, const char *in) {
@@ -196,8 +186,6 @@ int BIO_flush(BIO *bio) {
 }

 long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) {
-  long ret;
-
  if (bio == NULL) {
    return 0;
  }
@@ -207,20 +195,7 @@ long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) {
    return -2;
  }

-  if (bio->callback != NULL) {
-    ret = bio->callback(bio, BIO_CB_CTRL, parg, cmd, larg, 1);
-    if (ret <= 0) {
-      return ret;
-    }
-  }
-
-  ret = bio->method->ctrl(bio, cmd, larg, parg);
-
-  if (bio->callback != NULL) {
-    ret = bio->callback(bio, BIO_CB_CTRL | BIO_CB_RETURN, parg, cmd, larg, ret);
-  }
-
-  return ret;
+  return bio->method->ctrl(bio, cmd, larg, parg);
 }

 char *BIO_ptr_ctrl(BIO *b, int cmd, long larg) {
@@ -305,9 +280,6 @@ void BIO_copy_next_retry(BIO *bio) {
 }

 long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
-  long ret;
-  bio_info_cb cb;
-
  if (bio == NULL) {
    return 0;
  }
@@ -317,22 +289,7 @@ long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
    return 0;
  }

-  cb = bio->callback;
-
-  if (cb != NULL) {
-    ret = cb(bio, BIO_CB_CTRL, (void *)&fp, cmd, 0, 1L);
-    if (ret <= 0) {
-      return ret;
-    }
-  }
-
-  ret = bio->method->callback_ctrl(bio, cmd, fp);
-
-  if (cb != NULL) {
-    ret = cb(bio, BIO_CB_CTRL | BIO_CB_RETURN, (void *)&fp, cmd, 0, ret);
-  }
-
-  return ret;
+  return bio->method->callback_ctrl(bio, cmd, fp);
 }

 size_t BIO_pending(const BIO *bio) {
@@ -363,18 +320,6 @@ int BIO_set_close(BIO *bio, int close_flag) {
  return BIO_ctrl(bio, BIO_CTRL_SET_CLOSE, close_flag, NULL);
 }

-void BIO_set_callback(BIO *bio, bio_info_cb callback_func) {
-  bio->callback = callback_func;
-}
-
-void BIO_set_callback_arg(BIO *bio, char *arg) {
-  bio->cb_arg = arg;
-}
-
-char *BIO_get_callback_arg(const BIO *bio) {
-  return bio->cb_arg;
-}
-
 OPENSSL_EXPORT size_t BIO_number_read(const BIO *bio) {
  return bio->num_read;
 }
@@ -464,14 +409,14 @@ void ERR_print_errors(BIO *bio) {
  ERR_print_errors_cb(print_bio, bio);
 }

-/* bio_read_all reads everything from |bio| and prepends |prefix| to it. On
- * success, |*out| is set to an allocated buffer (which should be freed with
- * |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
- * buffer will contain |prefix| followed by the contents of |bio|. On failure,
- * zero is returned.
- *
- * The function will fail if the size of the output would equal or exceed
- * |max_len|. */
+// bio_read_all reads everything from |bio| and prepends |prefix| to it. On
+// success, |*out| is set to an allocated buffer (which should be freed with
+// |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
+// buffer will contain |prefix| followed by the contents of |bio|. On failure,
+// zero is returned.
+//
+// The function will fail if the size of the output would equal or exceed
+// |max_len|.
 static int bio_read_all(BIO *bio, uint8_t **out, size_t *out_len,
                        const uint8_t *prefix, size_t prefix_len,
                        size_t max_len) {
@@ -535,20 +480,20 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
  const uint8_t length_byte = header[1];

  if ((tag & 0x1f) == 0x1f) {
-    /* Long form tags are not supported. */
+    // Long form tags are not supported.
    return 0;
  }

  size_t len, header_len;
  if ((length_byte & 0x80) == 0) {
-    /* Short form length. */
+    // Short form length.
    len = length_byte;
    header_len = kInitialHeaderLen;
  } else {
    const size_t num_bytes = length_byte & 0x7f;

    if ((tag & 0x20 /* constructed */) != 0 && num_bytes == 0) {
-      /* indefinite length. */
+      // indefinite length.
      return bio_read_all(bio, out, out_len, header, kInitialHeaderLen,
                          max_len);
    }
@@ -571,12 +516,12 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
    }

    if (len32 < 128) {
-      /* Length should have used short-form encoding. */
+      // Length should have used short-form encoding.
      return 0;
    }

    if ((len32 >> ((num_bytes-1)*8)) == 0) {
-      /* Length should have been at least one byte shorter. */
+      // Length should have been at least one byte shorter.
      return 0;
    }

@@ -610,3 +555,82 @@ void BIO_set_retry_special(BIO *bio) {
 }

 int BIO_set_write_buffer_size(BIO *bio, int buffer_size) { return 0; }
+
+static struct CRYPTO_STATIC_MUTEX g_index_lock = CRYPTO_STATIC_MUTEX_INIT;
+static int g_index = BIO_TYPE_START;
+
+int BIO_get_new_index(void) {
+  CRYPTO_STATIC_MUTEX_lock_write(&g_index_lock);
+  // If |g_index| exceeds 255, it will collide with the flags bits.
+  int ret = g_index > 255 ? -1 : g_index++;
+  CRYPTO_STATIC_MUTEX_unlock_write(&g_index_lock);
+  return ret;
+}
+
+BIO_METHOD *BIO_meth_new(int type, const char *name) {
+  BIO_METHOD *method = OPENSSL_malloc(sizeof(BIO_METHOD));
+  if (method == NULL) {
+    return NULL;
+  }
+  OPENSSL_memset(method, 0, sizeof(BIO_METHOD));
+  method->type = type;
+  method->name = name;
+  return method;
+}
+
+void BIO_meth_free(BIO_METHOD *method) {
+  OPENSSL_free(method);
+}
+
+int BIO_meth_set_create(BIO_METHOD *method,
+                        int (*create)(BIO *)) {
+  method->create = create;
+  return 1;
+}
+
+int BIO_meth_set_destroy(BIO_METHOD *method,
+                         int (*destroy)(BIO *)) {
+  method->destroy = destroy;
+  return 1;
+}
+
+int BIO_meth_set_write(BIO_METHOD *method,
+                       int (*write)(BIO *, const char *, int)) {
+  method->bwrite = write;
+  return 1;
+}
+
+int BIO_meth_set_read(BIO_METHOD *method,
+                      int (*read)(BIO *, char *, int)) {
+  method->bread = read;
+  return 1;
+}
+
+int BIO_meth_set_gets(BIO_METHOD *method,
+                      int (*gets)(BIO *, char *, int)) {
+  method->bgets = gets;
+  return 1;
+}
+
+int BIO_meth_set_ctrl(BIO_METHOD *method,
+                      long (*ctrl)(BIO *, int, long, void *)) {
+  method->ctrl = ctrl;
+  return 1;
+}
+
+void BIO_set_data(BIO *bio, void *ptr) { bio->ptr = ptr; }
+
+void *BIO_get_data(BIO *bio) { return bio->ptr; }
+
+void BIO_set_init(BIO *bio, int init) { bio->init = init; }
+
+int BIO_get_init(BIO *bio) { return bio->init; }
+
+void BIO_set_shutdown(BIO *bio, int shutdown) { bio->shutdown = shutdown; }
+
+int BIO_get_shutdown(BIO *bio) { return bio->shutdown; }
+
+int BIO_meth_set_puts(BIO_METHOD *method, int (*puts)(BIO *, const char *)) {
+  // Ignore the parameter. We implement |BIO_puts| using |BIO_write|.
+  return 1;
+}
@@ -82,16 +82,16 @@ BIO *BIO_new_mem_buf(const void *buf, int len) {
  }

  b = (BUF_MEM *)ret->ptr;
-  /* BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to. */
+  // BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to.
  b->data = (void *)buf;
  b->length = size;
  b->max = size;

  ret->flags |= BIO_FLAGS_MEM_RDONLY;

-  /* |num| is used to store the value that this BIO will return when it runs
-   * out of data. If it's negative then the retry flags will also be set. Since
-   * this is static data, retrying wont help */
+  // |num| is used to store the value that this BIO will return when it runs
+  // out of data. If it's negative then the retry flags will also be set. Since
+  // this is static data, retrying wont help
  ret->num = 0;

  return ret;
@@ -105,8 +105,8 @@ static int mem_new(BIO *bio) {
    return 0;
  }

-  /* |shutdown| is used to store the close flag: whether the BIO has ownership
-   * of the BUF_MEM. */
+  // |shutdown| is used to store the close flag: whether the BIO has ownership
+  // of the BUF_MEM.
  bio->shutdown = 1;
  bio->init = 1;
  bio->num = -1;
@@ -214,8 +214,8 @@ static int mem_gets(BIO *bio, char *buf, int size) {
    }
  }

-  /* i is now the max num of bytes to copy, either j or up to and including the
-   * first newline */
+  // i is now the max num of bytes to copy, either j or up to and including the
+  // first newline

  i = mem_read(bio, buf, i);
  if (i > 0) {
@@ -233,7 +233,7 @@ static long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) {
  switch (cmd) {
    case BIO_CTRL_RESET:
      if (b->data != NULL) {
-        /* For read only case reset to the start again */
+        // For read only case reset to the start again
        if (bio->flags & BIO_FLAGS_MEM_RDONLY) {
          b->data -= b->max - b->length;
          b->length = b->max;
@@ -12,10 +12,6 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

-#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L
-#endif
-
 #include <algorithm>
 #include <string>

@@ -69,31 +65,47 @@ class ScopedSocket {

 TEST(BIOTest, SocketConnect) {
  static const char kTestMessage[] = "test";
+  int listening_sock = -1;
+  socklen_t len = 0;
+  sockaddr_storage ss;
+  struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) &ss;
+  struct sockaddr_in *sin = (struct sockaddr_in *) &ss;
+  OPENSSL_memset(&ss, 0, sizeof(ss));

-  // Set up a listening socket on localhost.
-  int listening_sock = socket(AF_INET, SOCK_STREAM, 0);
+  ss.ss_family = AF_INET6;
+  listening_sock = socket(AF_INET6, SOCK_STREAM, 0);
  ASSERT_NE(-1, listening_sock) << LastSocketError();
-  ScopedSocket listening_sock_closer(listening_sock);
+  len = sizeof(*sin6);
+  ASSERT_EQ(1, inet_pton(AF_INET6, "::1", &sin6->sin6_addr))
+      << LastSocketError();
+  if (bind(listening_sock, (struct sockaddr *)sin6, sizeof(*sin6)) == -1) {
+    closesocket(listening_sock);

-  struct sockaddr_in sin;
-  OPENSSL_memset(&sin, 0, sizeof(sin));
-  sin.sin_family = AF_INET;
-  ASSERT_EQ(1, inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr))
-      << LastSocketError();
-  ASSERT_EQ(0, bind(listening_sock, (struct sockaddr *)&sin, sizeof(sin)))
-      << LastSocketError();
+    ss.ss_family = AF_INET;
+    listening_sock = socket(AF_INET, SOCK_STREAM, 0);
+    ASSERT_NE(-1, listening_sock) << LastSocketError();
+    len = sizeof(*sin);
+    ASSERT_EQ(1, inet_pton(AF_INET, "127.0.0.1", &sin->sin_addr))
+        << LastSocketError();
+    ASSERT_EQ(0, bind(listening_sock, (struct sockaddr *)sin, sizeof(*sin)))
+        << LastSocketError();
+  }
+
+  ScopedSocket listening_sock_closer(listening_sock);
  ASSERT_EQ(0, listen(listening_sock, 1)) << LastSocketError();
-  socklen_t sockaddr_len = sizeof(sin);
-  ASSERT_EQ(0,
-            getsockname(listening_sock, (struct sockaddr *)&sin, &sockaddr_len))
-      << LastSocketError();
-  // The Android NDK, contrary to POSIX, makes |socklen_t| signed.
-  ASSERT_EQ(sizeof(sin), static_cast<size_t>(sockaddr_len));
+  ASSERT_EQ(0, getsockname(listening_sock, (struct sockaddr *)&ss, &len))
+        << LastSocketError();
+
+  char hostname[80];
+  if (ss.ss_family == AF_INET6) {
+    BIO_snprintf(hostname, sizeof(hostname), "[::1]:%d",
+                 ntohs(sin6->sin6_port));
+  } else if (ss.ss_family == AF_INET) {
+    BIO_snprintf(hostname, sizeof(hostname), "127.0.0.1:%d",
+                 ntohs(sin->sin_port));
+  }

  // Connect to it with a connect BIO.
-  char hostname[80];
-  BIO_snprintf(hostname, sizeof(hostname), "%s:%d", "127.0.0.1",
-               ntohs(sin.sin_port));
  bssl::UniquePtr<BIO> bio(BIO_new_connect(hostname));
  ASSERT_TRUE(bio);

@@ -102,7 +114,7 @@ TEST(BIOTest, SocketConnect) {
            BIO_write(bio.get(), kTestMessage, sizeof(kTestMessage)));

  // Accept the socket.
-  int sock = accept(listening_sock, (struct sockaddr *) &sin, &sockaddr_len);
+  int sock = accept(listening_sock, (struct sockaddr *) &ss, &len);
  ASSERT_NE(-1, sock) << LastSocketError();
  ScopedSocket sock_closer(sock);

@@ -98,12 +98,12 @@ typedef struct bio_connect_st {
  struct sockaddr_storage them;
  socklen_t them_length;

-  /* the file descriptor is kept in bio->num in order to match the socket
-   * BIO. */
+  // the file descriptor is kept in bio->num in order to match the socket
+  // BIO.

-  /* info_callback is called when the connection is initially made
-   * callback(BIO,state,ret);  The callback should return 'ret', state is for
-   * compatibility with the SSL info_callback. */
+  // info_callback is called when the connection is initially made
+  // callback(BIO,state,ret);  The callback should return 'ret', state is for
+  // compatibility with the SSL info_callback.
  int (*info_callback)(const BIO *bio, int state, int ret);
 } BIO_CONNECT;

@@ -113,9 +113,9 @@ static int closesocket(int sock) {
 }
 #endif

-/* split_host_and_port sets |*out_host| and |*out_port| to the host and port
- * parsed from |name|. It returns one on success or zero on error. Even when
- * successful, |*out_port| may be NULL on return if no port was specified. */
+// split_host_and_port sets |*out_host| and |*out_port| to the host and port
+// parsed from |name|. It returns one on success or zero on error. Even when
+// successful, |*out_port| may be NULL on return if no port was specified.
 static int split_host_and_port(char **out_host, char **out_port, const char *name) {
  const char *host, *port = NULL;
  size_t host_len = 0;
@@ -123,24 +123,24 @@ static int split_host_and_port(char **out_host, char **out_port, const char *nam
  *out_host = NULL;
  *out_port = NULL;

-  if (name[0] == '[') {  /* bracketed IPv6 address */
+  if (name[0] == '[') {  // bracketed IPv6 address
    const char *close = strchr(name, ']');
    if (close == NULL) {
      return 0;
    }
    host = name + 1;
    host_len = close - host;
-    if (close[1] == ':') {  /* [IP]:port */
+    if (close[1] == ':') {  // [IP]:port
      port = close + 2;
    } else if (close[1] != 0) {
      return 0;
    }
  } else {
    const char *colon = strchr(name, ':');
-    if (colon == NULL || strchr(colon + 1, ':') != NULL) {  /* IPv6 address */
+    if (colon == NULL || strchr(colon + 1, ':') != NULL) {  // IPv6 address
      host = name;
      host_len = strlen(name);
-    } else {  /* host:port */
+    } else {  // host:port
      host = name;
      host_len = colon - name;
      port = colon + 1;
@@ -175,9 +175,9 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {
  for (;;) {
    switch (c->state) {
      case BIO_CONN_S_BEFORE:
-        /* If there's a hostname and a port, assume that both are
-         * exactly what they say. If there is only a hostname, try
-         * (just once) to split it into a hostname and port. */
+        // If there's a hostname and a port, assume that both are
+        // exactly what they say. If there is only a hostname, try
+        // (just once) to split it into a hostname and port.

        if (c->param_hostname == NULL) {
          OPENSSL_PUT_ERROR(BIO, BIO_R_NO_HOSTNAME_SPECIFIED);
@@ -330,7 +330,7 @@ static void conn_close_socket(BIO *bio) {
    return;
  }

-  /* Only do a shutdown if things were established */
+  // Only do a shutdown if things were established
  if (c->state == BIO_CONN_S_OK) {
    shutdown(bio->num, 2);
  }
@@ -415,7 +415,7 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      bio->flags = 0;
      break;
    case BIO_C_DO_STATE_MACHINE:
-      /* use this one to start the connection */
+      // use this one to start the connection
      if (data->state != BIO_CONN_S_OK) {
        ret = (long)conn_state(bio, data);
      } else {
@@ -138,7 +138,7 @@ BIO *BIO_new_fd(int fd, int close_flag) {
 }

 static int fd_new(BIO *bio) {
-  /* num is used to store the file descriptor. */
+  // num is used to store the file descriptor.
  bio->num = -1;
  return 1;
 }
@@ -190,6 +190,7 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr) {
  switch (cmd) {
    case BIO_CTRL_RESET:
      num = 0;
+      OPENSSL_FALLTHROUGH;
    case BIO_C_FILE_SEEK:
      ret = 0;
      if (b->init) {
@@ -55,18 +55,17 @@
 * [including the GNU Public Licence.] */

 #if defined(__linux) || defined(__sun) || defined(__hpux)
-/* Following definition aliases fopen to fopen64 on above mentioned
- * platforms. This makes it possible to open and sequentially access
- * files larger than 2GB from 32-bit application. It does not allow to
- * traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
- * 32-bit platform permits that, not with fseek/ftell. Not to mention
- * that breaking 2GB limit for seeking would require surgery to *our*
- * API. But sequential access suffices for practical cases when you
- * can run into large files, such as fingerprinting, so we can let API
- * alone. For reference, the list of 32-bit platforms which allow for
- * sequential access of large files without extra "magic" comprise *BSD,
- * Darwin, IRIX...
- */
+// Following definition aliases fopen to fopen64 on above mentioned
+// platforms. This makes it possible to open and sequentially access
+// files larger than 2GB from 32-bit application. It does not allow to
+// traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
+// 32-bit platform permits that, not with fseek/ftell. Not to mention
+// that breaking 2GB limit for seeking would require surgery to *our*
+// API. But sequential access suffices for practical cases when you
+// can run into large files, such as fingerprinting, so we can let API
+// alone. For reference, the list of 32-bit platforms which allow for
+// sequential access of large files without extra "magic" comprise *BSD,
+// Darwin, IRIX...
 #ifndef _FILE_OFFSET_BITS
 #define _FILE_OFFSET_BITS 64
 #endif
@@ -157,7 +156,7 @@ static int file_read(BIO *b, char *out, int outl) {
    return -1;
  }

-  /* fread reads at most |outl| bytes, so |ret| fits in an int. */
+  // fread reads at most |outl| bytes, so |ret| fits in an int.
  return (int)ret;
 }

@@ -184,6 +183,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
  switch (cmd) {
    case BIO_CTRL_RESET:
      num = 0;
+      OPENSSL_FALLTHROUGH;
    case BIO_C_FILE_SEEK:
      ret = (long)fseek(fp, num, 0);
      break;
@@ -232,7 +232,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
      b->init = 1;
      break;
    case BIO_C_GET_FILE_PTR:
-      /* the ptr parameter is actually a FILE ** in this case. */
+      // the ptr parameter is actually a FILE ** in this case.
      if (ptr != NULL) {
        fpp = (FILE **)ptr;
        *fpp = (FILE *)b->ptr;
@@ -62,12 +62,12 @@
 #include "../internal.h"


-/* hexdump_ctx contains the state of a hexdump. */
+// hexdump_ctx contains the state of a hexdump.
 struct hexdump_ctx {
  BIO *bio;
-  char right_chars[18]; /* the contents of the right-hand side, ASCII dump. */
-  unsigned used;        /* number of bytes in the current line. */
-  size_t n;             /* number of bytes total. */
+  char right_chars[18];  // the contents of the right-hand side, ASCII dump.
+  unsigned used;         // number of bytes in the current line.
+  size_t n;              // number of bytes total.
  unsigned indent;
 };

@@ -84,21 +84,20 @@ static char to_char(uint8_t b) {
  return b;
 }

-/* hexdump_write adds |len| bytes of |data| to the current hex dump described by
- * |ctx|. */
+// hexdump_write adds |len| bytes of |data| to the current hex dump described by
+// |ctx|.
 static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,
                         size_t len) {
  char buf[10];
  unsigned l;

-  /* Output lines look like:
-   * 00000010  2e 2f 30 31 32 33 34 35  36 37 38 ... 3c 3d // |./0123456789:;<=|
-   * ^ offset                          ^ extra space           ^ ASCII of line
-   */
+  // Output lines look like:
+  // 00000010  2e 2f 30 31 32 33 34 35  36 37 38 ... 3c 3d // |./0123456789:;<=|
+  // ^ offset                          ^ extra space           ^ ASCII of line

  for (size_t i = 0; i < len; i++) {
    if (ctx->used == 0) {
-      /* The beginning of a line. */
+      // The beginning of a line.
      BIO_indent(ctx->bio, ctx->indent, UINT_MAX);

      hexbyte(&buf[0], ctx->n >> 24);
@@ -115,12 +114,12 @@ static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,
    buf[2] = ' ';
    l = 3;
    if (ctx->used == 7) {
-      /* There's an additional space after the 8th byte. */
+      // There's an additional space after the 8th byte.
      buf[3] = ' ';
      l = 4;
    } else if (ctx->used == 15) {
-      /* At the end of the line there's an extra space and the bar for the
-       * right column. */
+      // At the end of the line there's an extra space and the bar for the
+      // right column.
      buf[3] = ' ';
      buf[4] = '|';
      l = 5;
@@ -145,9 +144,9 @@ static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,
  return 1;
 }

-/* finish flushes any buffered data in |ctx|. */
+// finish flushes any buffered data in |ctx|.
 static int finish(struct hexdump_ctx *ctx) {
-  /* See the comments in |hexdump| for the details of this format. */
+  // See the comments in |hexdump| for the details of this format.
  const unsigned n_bytes = ctx->used;
  unsigned l;
  char buf[5];
@@ -61,7 +61,7 @@

 #if !defined(OPENSSL_WINDOWS)
 #if defined(OPENSSL_PNACL)
-/* newlib uses u_short in socket.h without defining it. */
+// newlib uses u_short in socket.h without defining it.
 typedef unsigned short u_short;
 #endif
 #include <sys/types.h>
@@ -78,34 +78,34 @@ extern "C" {
 #endif


-/* BIO_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr|
- * and |*out_addr_length| with the correct values for connecting to |hostname|
- * on |port_str|. It returns one on success or zero on error. */
+// BIO_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr|
+// and |*out_addr_length| with the correct values for connecting to |hostname|
+// on |port_str|. It returns one on success or zero on error.
 int bio_ip_and_port_to_socket_and_addr(int *out_sock,
                                       struct sockaddr_storage *out_addr,
                                       socklen_t *out_addr_length,
                                       const char *hostname,
                                       const char *port_str);

-/* BIO_socket_nbio sets whether |sock| is non-blocking. It returns one on
- * success and zero otherwise. */
+// BIO_socket_nbio sets whether |sock| is non-blocking. It returns one on
+// success and zero otherwise.
 int bio_socket_nbio(int sock, int on);

-/* BIO_clear_socket_error clears the last system socket error.
- *
- * TODO(fork): remove all callers of this. */
+// BIO_clear_socket_error clears the last system socket error.
+//
+// TODO(fork): remove all callers of this.
 void bio_clear_socket_error(void);

-/* BIO_sock_error returns the last socket error on |sock|. */
+// BIO_sock_error returns the last socket error on |sock|.
 int bio_sock_error(int sock);

-/* BIO_fd_should_retry returns non-zero if |return_value| indicates an error
- * and |errno| indicates that it's non-fatal. */
+// BIO_fd_should_retry returns non-zero if |return_value| indicates an error
+// and |errno| indicates that it's non-fatal.
 int bio_fd_should_retry(int return_value);


 #if defined(__cplusplus)
-}  /* extern C */
+}  // extern C
 #endif

-#endif  /* OPENSSL_HEADER_BIO_INTERNAL_H */
+#endif  // OPENSSL_HEADER_BIO_INTERNAL_H
@@ -63,22 +63,22 @@


 struct bio_bio_st {
-  BIO *peer; /* NULL if buf == NULL.
-              * If peer != NULL, then peer->ptr is also a bio_bio_st,
-              * and its "peer" member points back to us.
-              * peer != NULL iff init != 0 in the BIO. */
+  BIO *peer;  // NULL if buf == NULL.
+              // If peer != NULL, then peer->ptr is also a bio_bio_st,
+              // and its "peer" member points back to us.
+              // peer != NULL iff init != 0 in the BIO.

-  /* This is for what we write (i.e. reading uses peer's struct): */
-  int closed;    /* valid iff peer != NULL */
-  size_t len;    /* valid iff buf != NULL; 0 if peer == NULL */
-  size_t offset; /* valid iff buf != NULL; 0 if len == 0 */
+  // This is for what we write (i.e. reading uses peer's struct):
+  int closed;     // valid iff peer != NULL
+  size_t len;     // valid iff buf != NULL; 0 if peer == NULL
+  size_t offset;  // valid iff buf != NULL; 0 if len == 0
  size_t size;
-  uint8_t *buf; /* "size" elements (if != NULL) */
+  uint8_t *buf;  // "size" elements (if != NULL)

-  size_t request; /* valid iff peer != NULL; 0 if len != 0,
-                   * otherwise set by peer to number of bytes
-                   * it (unsuccessfully) tried to read,
-                   * never more than buffer space (size-len) warrants. */
+  size_t request;  // valid iff peer != NULL; 0 if len != 0,
+                   // otherwise set by peer to number of bytes
+                   // it (unsuccessfully) tried to read,
+                   // never more than buffer space (size-len) warrants.
 };

 static int bio_new(BIO *bio) {
@@ -90,7 +90,7 @@ static int bio_new(BIO *bio) {
  }
  OPENSSL_memset(b, 0, sizeof(struct bio_bio_st));

-  b->size = 17 * 1024; /* enough for one TLS record (just a default) */
+  b->size = 17 * 1024;  // enough for one TLS record (just a default)
  bio->ptr = b;
  return 1;
 }
@@ -165,7 +165,7 @@ static int bio_read(BIO *bio, char *buf, int size_) {
  assert(peer_b != NULL);
  assert(peer_b->buf != NULL);

-  peer_b->request = 0; /* will be set in "retry_read" situation */
+  peer_b->request = 0;  // will be set in "retry_read" situation

  if (buf == NULL || size == 0) {
    return 0;
@@ -173,30 +173,30 @@ static int bio_read(BIO *bio, char *buf, int size_) {

  if (peer_b->len == 0) {
    if (peer_b->closed) {
-      return 0; /* writer has closed, and no data is left */
+      return 0;  // writer has closed, and no data is left
    } else {
-      BIO_set_retry_read(bio); /* buffer is empty */
+      BIO_set_retry_read(bio);  // buffer is empty
      if (size <= peer_b->size) {
        peer_b->request = size;
      } else {
-        /* don't ask for more than the peer can
-         * deliver in one write */
+        // don't ask for more than the peer can
+        // deliver in one write
        peer_b->request = peer_b->size;
      }
      return -1;
    }
  }

-  /* we can read */
+  // we can read
  if (peer_b->len < size) {
    size = peer_b->len;
  }

-  /* now read "size" bytes */
+  // now read "size" bytes
  rest = size;

  assert(rest > 0);
-  /* one or two iterations */
+  // one or two iterations
  do {
    size_t chunk;

@@ -204,7 +204,7 @@ static int bio_read(BIO *bio, char *buf, int size_) {
    if (peer_b->offset + rest <= peer_b->size) {
      chunk = rest;
    } else {
-      /* wrap around ring buffer */
+      // wrap around ring buffer
      chunk = peer_b->size - peer_b->offset;
    }
    assert(peer_b->offset + chunk <= peer_b->size);
@@ -220,7 +220,7 @@ static int bio_read(BIO *bio, char *buf, int size_) {
      }
      buf += chunk;
    } else {
-      /* buffer now empty, no need to advance "buf" */
+      // buffer now empty, no need to advance "buf"
      assert(chunk == rest);
      peer_b->offset = 0;
    }
@@ -248,7 +248,7 @@ static int bio_write(BIO *bio, const char *buf, int num_) {

  b->request = 0;
  if (b->closed) {
-    /* we already closed */
+    // we already closed
    OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
    return -1;
  }
@@ -256,20 +256,20 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
  assert(b->len <= b->size);

  if (b->len == b->size) {
-    BIO_set_retry_write(bio); /* buffer is full */
+    BIO_set_retry_write(bio);  // buffer is full
    return -1;
  }

-  /* we can write */
+  // we can write
  if (num > b->size - b->len) {
    num = b->size - b->len;
  }

-  /* now write "num" bytes */
+  // now write "num" bytes
  rest = num;

  assert(rest > 0);
-  /* one or two iterations */
+  // one or two iterations
  do {
    size_t write_offset;
    size_t chunk;
@@ -280,12 +280,12 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
    if (write_offset >= b->size) {
      write_offset -= b->size;
    }
-    /* b->buf[write_offset] is the first byte we can write to. */
+    // b->buf[write_offset] is the first byte we can write to.

    if (write_offset + rest <= b->size) {
      chunk = rest;
    } else {
-      /* wrap around ring buffer */
+      // wrap around ring buffer
      chunk = b->size - write_offset;
    }

@@ -363,15 +363,15 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) {
  assert(b != NULL);

  switch (cmd) {
-    /* specific CTRL codes */
+    // specific CTRL codes

    case BIO_C_GET_WRITE_BUF_SIZE:
      ret = (long)b->size;
      break;

    case BIO_C_GET_WRITE_GUARANTEE:
-      /* How many bytes can the caller feed to the next write
-       * without having to keep any? */
+      // How many bytes can the caller feed to the next write
+      // without having to keep any?
      if (b->peer == NULL || b->closed) {
        ret = 0;
      } else {
@@ -380,28 +380,28 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      break;

    case BIO_C_GET_READ_REQUEST:
-      /* If the peer unsuccessfully tried to read, how many bytes
-       * were requested?  (As with BIO_CTRL_PENDING, that number
-       * can usually be treated as boolean.) */
+      // If the peer unsuccessfully tried to read, how many bytes
+      // were requested?  (As with BIO_CTRL_PENDING, that number
+      // can usually be treated as boolean.)
      ret = (long)b->request;
      break;

    case BIO_C_RESET_READ_REQUEST:
-      /* Reset request.  (Can be useful after read attempts
-       * at the other side that are meant to be non-blocking,
-       * e.g. when probing SSL_read to see if any data is
-       * available.) */
+      // Reset request.  (Can be useful after read attempts
+      // at the other side that are meant to be non-blocking,
+      // e.g. when probing SSL_read to see if any data is
+      // available.)
      b->request = 0;
      ret = 1;
      break;

    case BIO_C_SHUTDOWN_WR:
-      /* similar to shutdown(..., SHUT_WR) */
+      // similar to shutdown(..., SHUT_WR)
      b->closed = 1;
      ret = 1;
      break;

-    /* standard CTRL codes follow */
+    // standard CTRL codes follow

    case BIO_CTRL_GET_CLOSE:
      ret = bio->shutdown;
@@ -453,7 +453,7 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) {

 static const BIO_METHOD methods_biop = {
    BIO_TYPE_BIO,    "BIO pair", bio_write, bio_read, NULL /* puts */,
-    NULL /* gets */, bio_ctrl,   bio_new,   bio_free, NULL /* callback_ctrl */
+    NULL /* gets */, bio_ctrl,   bio_new,   bio_free, NULL /* callback_ctrl */,
 };

 static const BIO_METHOD *bio_s_bio(void) { return &methods_biop; }
@@ -54,10 +54,6 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.] */

-#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L  /* for snprintf, vprintf etc */
-#endif
-
 #include <openssl/bio.h>

 #include <assert.h>
@@ -77,13 +73,13 @@ int BIO_printf(BIO *bio, const char *format, ...) {
  va_end(args);

 #if defined(OPENSSL_WINDOWS)
-  /* On Windows, vsnprintf returns -1 rather than the requested length on
-   * truncation */
+  // On Windows, vsnprintf returns -1 rather than the requested length on
+  // truncation
  if (out_len < 0) {
    va_start(args, format);
    out_len = _vscprintf(format, args);
    va_end(args);
-    assert(out_len >= sizeof(buf));
+    assert(out_len >= (int)sizeof(buf));
  }
 #endif

@@ -93,9 +89,9 @@ int BIO_printf(BIO *bio, const char *format, ...) {

  if ((size_t) out_len >= sizeof(buf)) {
    const int requested_len = out_len;
-    /* The output was truncated. Note that vsnprintf's return value
-     * does not include a trailing NUL, but the buffer must be sized
-     * for it. */
+    // The output was truncated. Note that vsnprintf's return value
+    // does not include a trailing NUL, but the buffer must be sized
+    // for it.
    out = OPENSSL_malloc(requested_len + 1);
    out_malloced = 1;
    if (out == NULL) {
@@ -31,7 +31,7 @@ int BN_parse_asn1_unsigned(CBS *cbs, BIGNUM *ret) {
    return 0;
  }

-  /* INTEGERs must be minimal. */
+  // INTEGERs must be minimal.
  if (CBS_data(&child)[0] == 0x00 &&
      CBS_len(&child) > 1 &&
      !(CBS_data(&child)[1] & 0x80)) {
@@ -50,16 +50,16 @@ int BN_parse_asn1_unsigned_buggy(CBS *cbs, BIGNUM *ret) {
    return 0;
  }

-  /* This function intentionally does not reject negative numbers or non-minimal
-   * encodings. Estonian IDs issued between September 2014 to September 2015 are
-   * broken. See https://crbug.com/532048 and https://crbug.com/534766.
-   *
-   * TODO(davidben): Remove this code and callers in March 2016. */
+  // This function intentionally does not reject negative numbers or non-minimal
+  // encodings. Estonian IDs issued between September 2014 to September 2015 are
+  // broken. See https://crbug.com/532048 and https://crbug.com/534766.
+  //
+  // TODO(davidben): Remove this code and callers in March 2016.
  return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;
 }

 int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) {
-  /* Negative numbers are unsupported. */
+  // Negative numbers are unsupported.
  if (BN_is_negative(bn)) {
    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
    return 0;
@@ -67,8 +67,8 @@ int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) {

  CBB child;
  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER) ||
-      /* The number must be padded with a leading zero if the high bit would
-       * otherwise be set or if |bn| is zero. */
+      // The number must be padded with a leading zero if the high bit would
+      // otherwise be set or if |bn| is zero.
      (BN_num_bits(bn) % 8 == 0 && !CBB_add_u8(&child, 0x00)) ||
      !BN_bn2cbb_padded(&child, BN_num_bytes(bn), bn) ||
      !CBB_flush(cbb)) {
@@ -96,7 +96,7 @@ char *BN_bn2hex(const BIGNUM *bn) {
  int z = 0;
  for (int i = bn->top - 1; i >= 0; i--) {
    for (int j = BN_BITS2 - 8; j >= 0; j -= 8) {
-      /* strip leading zeros */
+      // strip leading zeros
      int v = ((int)(bn->d[i] >> (long)j)) & 0xff;
      if (z || v != 0) {
        *(p++) = hextable[v >> 4];
@@ -110,20 +110,20 @@ char *BN_bn2hex(const BIGNUM *bn) {
  return buf;
 }

-/* decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|. */
+// decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|.
 static int decode_hex(BIGNUM *bn, const char *in, int in_len) {
  if (in_len > INT_MAX/4) {
    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
    return 0;
  }
-  /* |in_len| is the number of hex digits. */
+  // |in_len| is the number of hex digits.
  if (!bn_expand(bn, in_len * 4)) {
    return 0;
  }

  int i = 0;
  while (in_len > 0) {
-    /* Decode one |BN_ULONG| at a time. */
+    // Decode one |BN_ULONG| at a time.
    int todo = BN_BYTES * 2;
    if (todo > in_len) {
      todo = in_len;
@@ -143,7 +143,7 @@ static int decode_hex(BIGNUM *bn, const char *in, int in_len) {
        hex = c - 'A' + 10;
      } else {
        hex = 0;
-        /* This shouldn't happen. The caller checks |isxdigit|. */
+        // This shouldn't happen. The caller checks |isxdigit|.
        assert(0);
      }
      word = (word << 4) | hex;
@@ -157,12 +157,12 @@ static int decode_hex(BIGNUM *bn, const char *in, int in_len) {
  return 1;
 }

-/* decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|. */
+// decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|.
 static int decode_dec(BIGNUM *bn, const char *in, int in_len) {
  int i, j;
  BN_ULONG l = 0;

-  /* Decode |BN_DEC_NUM| digits at a time. */
+  // Decode |BN_DEC_NUM| digits at a time.
  j = BN_DEC_NUM - (in_len % BN_DEC_NUM);
  if (j == BN_DEC_NUM) {
    j = 0;
@@ -207,7 +207,7 @@ static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_
    return num;
  }

-  /* in is the start of the hex digits, and it is 'i' long */
+  // in is the start of the hex digits, and it is 'i' long
  if (*outp == NULL) {
    ret = BN_new();
    if (ret == NULL) {
@@ -243,8 +243,8 @@ int BN_hex2bn(BIGNUM **outp, const char *in) {
 }

 char *BN_bn2dec(const BIGNUM *a) {
-  /* It is easier to print strings little-endian, so we assemble it in reverse
-   * and fix at the end. */
+  // It is easier to print strings little-endian, so we assemble it in reverse
+  // and fix at the end.
  BIGNUM *copy = NULL;
  CBB cbb;
  if (!CBB_init(&cbb, 16) ||
@@ -290,7 +290,7 @@ char *BN_bn2dec(const BIGNUM *a) {
    goto cbb_err;
  }

-  /* Reverse the buffer. */
+  // Reverse the buffer.
  for (size_t i = 0; i < len/2; i++) {
    uint8_t tmp = data[i];
    data[i] = data[len - 1 - i];
@@ -349,7 +349,7 @@ int BN_print(BIO *bp, const BIGNUM *a) {

  for (i = a->top - 1; i >= 0; i--) {
    for (j = BN_BITS2 - 4; j >= 0; j -= 4) {
-      /* strip leading zeros */
+      // strip leading zeros
      v = ((int)(a->d[i] >> (long)j)) & 0x0f;
      if (z || v != 0) {
        if (BIO_write(bp, &hextable[v], 1) != 1) {
@@ -384,8 +384,8 @@ int BN_print_fp(FILE *fp, const BIGNUM *a) {
 size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {
  const size_t bits = BN_num_bits(in);
  const size_t bytes = (bits + 7) / 8;
-  /* If the number of bits is a multiple of 8, i.e. if the MSB is set,
-   * prefix with a zero byte. */
+  // If the number of bits is a multiple of 8, i.e. if the MSB is set,
+  // prefix with a zero byte.
  int extend = 0;
  if (bytes != 0 && (bits & 0x07) == 0) {
    extend = 1;
@@ -395,8 +395,8 @@ size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {
  if (len < bytes ||
      4 + len < len ||
      (len & 0xffffffff) != len) {
-    /* If we cannot represent the number then we emit zero as the interface
-     * doesn't allow an error to be signalled. */
+    // If we cannot represent the number then we emit zero as the interface
+    // doesn't allow an error to be signalled.
    if (out) {
      OPENSSL_memset(out, 0, 4);
    }
@@ -82,44 +82,30 @@ void BUF_MEM_free(BUF_MEM *buf) {
    return;
  }

-  if (buf->data != NULL) {
-    OPENSSL_cleanse(buf->data, buf->max);
-    OPENSSL_free(buf->data);
-  }
-
+  OPENSSL_free(buf->data);
  OPENSSL_free(buf);
 }

-static int buf_mem_reserve(BUF_MEM *buf, size_t cap, int clean) {
+int BUF_MEM_reserve(BUF_MEM *buf, size_t cap) {
  if (buf->max >= cap) {
    return 1;
  }

  size_t n = cap + 3;
  if (n < cap) {
-    /* overflow */
+    // overflow
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return 0;
  }
  n = n / 3;
  size_t alloc_size = n * 4;
  if (alloc_size / 4 != n) {
-    /* overflow */
+    // overflow
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return 0;
  }

-  char *new_buf;
-  if (buf->data == NULL) {
-    new_buf = OPENSSL_malloc(alloc_size);
-  } else {
-    if (clean) {
-      new_buf = OPENSSL_realloc_clean(buf->data, buf->max, alloc_size);
-    } else {
-      new_buf = OPENSSL_realloc(buf->data, alloc_size);
-    }
-  }
-
+  char *new_buf = OPENSSL_realloc(buf->data, alloc_size);
  if (new_buf == NULL) {
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return 0;
@@ -130,12 +116,8 @@ static int buf_mem_reserve(BUF_MEM *buf, size_t cap, int clean) {
  return 1;
 }

-int BUF_MEM_reserve(BUF_MEM *buf, size_t cap) {
-  return buf_mem_reserve(buf, cap, 0 /* don't clear old buffer contents. */);
-}
-
-static size_t buf_mem_grow(BUF_MEM *buf, size_t len, int clean) {
-  if (!buf_mem_reserve(buf, len, clean)) {
+size_t BUF_MEM_grow(BUF_MEM *buf, size_t len) {
+  if (!BUF_MEM_reserve(buf, len)) {
    return 0;
  }
  if (buf->length < len) {
@@ -145,20 +127,16 @@ static size_t buf_mem_grow(BUF_MEM *buf, size_t len, int clean) {
  return len;
 }

-size_t BUF_MEM_grow(BUF_MEM *buf, size_t len) {
-  return buf_mem_grow(buf, len, 0 /* don't clear old buffer contents. */);
-}
-
 size_t BUF_MEM_grow_clean(BUF_MEM *buf, size_t len) {
-  return buf_mem_grow(buf, len, 1 /* clear old buffer contents. */);
+  return BUF_MEM_grow(buf, len);
 }

-char *BUF_strdup(const char *buf) {
-  if (buf == NULL) {
+char *BUF_strdup(const char *str) {
+  if (str == NULL) {
    return NULL;
  }

-  return BUF_strndup(buf, strlen(buf));
+  return BUF_strndup(str, strlen(str));
 }

 size_t BUF_strnlen(const char *str, size_t max_len) {
@@ -173,19 +151,19 @@ size_t BUF_strnlen(const char *str, size_t max_len) {
  return i;
 }

-char *BUF_strndup(const char *buf, size_t size) {
+char *BUF_strndup(const char *str, size_t size) {
  char *ret;
  size_t alloc_size;

-  if (buf == NULL) {
+  if (str == NULL) {
    return NULL;
  }

-  size = BUF_strnlen(buf, size);
+  size = BUF_strnlen(str, size);

  alloc_size = size + 1;
  if (alloc_size < size) {
-    /* overflow */
+    // overflow
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return NULL;
  }
@@ -195,7 +173,7 @@ char *BUF_strndup(const char *buf, size_t size) {
    return NULL;
  }

-  OPENSSL_memcpy(ret, buf, size);
+  OPENSSL_memcpy(ret, str, size);
  ret[size] = '\0';
  return ret;
 }
@@ -223,19 +201,17 @@ size_t BUF_strlcat(char *dst, const char *src, size_t dst_size) {
  return l + BUF_strlcpy(dst, src, dst_size);
 }

-void *BUF_memdup(const void *data, size_t dst_size) {
-  void *ret;
-
-  if (dst_size == 0) {
+void *BUF_memdup(const void *data, size_t size) {
+  if (size == 0) {
    return NULL;
  }

-  ret = OPENSSL_malloc(dst_size);
+  void *ret = OPENSSL_malloc(size);
  if (ret == NULL) {
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

-  OPENSSL_memcpy(ret, data, dst_size);
+  OPENSSL_memcpy(ret, data, size);
  return ret;
 }
@@ -21,13 +21,13 @@
 #include "../internal.h"


-/* kMaxDepth is a just a sanity limit. The code should be such that the length
- * of the input being processes always decreases. None the less, a very large
- * input could otherwise cause the stack to overflow. */
+// kMaxDepth is a just a sanity limit. The code should be such that the length
+// of the input being processes always decreases. None the less, a very large
+// input could otherwise cause the stack to overflow.
 static const unsigned kMaxDepth = 2048;

-/* is_string_type returns one if |tag| is a string type and zero otherwise. It
- * ignores the constructed bit. */
+// is_string_type returns one if |tag| is a string type and zero otherwise. It
+// ignores the constructed bit.
 static int is_string_type(unsigned tag) {
  if ((tag & 0xc0) != 0) {
    return 0;
@@ -52,10 +52,10 @@ static int is_string_type(unsigned tag) {
  }
 }

-/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
- * depending on whether an indefinite length element or constructed string was
- * found. The value of |orig_in| is not changed. It returns one on success (i.e.
- * |*ber_found| was set) and zero on error. */
+// cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
+// depending on whether an indefinite length element or constructed string was
+// found. The value of |orig_in| is not changed. It returns one on success (i.e.
+// |*ber_found| was set) and zero on error.
 static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
  CBS in;

@@ -77,13 +77,13 @@ static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
    if (CBS_len(&contents) == header_len &&
        header_len > 0 &&
        CBS_data(&contents)[header_len-1] == 0x80) {
-      /* Found an indefinite-length element. */
+      // Found an indefinite-length element.
      *ber_found = 1;
      return 1;
    }
    if (tag & CBS_ASN1_CONSTRUCTED) {
      if (is_string_type(tag)) {
-        /* Constructed strings are only legal in BER and require conversion. */
+        // Constructed strings are only legal in BER and require conversion.
        *ber_found = 1;
        return 1;
      }
@@ -97,20 +97,20 @@ static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
  return 1;
 }

-/* is_eoc returns true if |header_len| and |contents|, as returned by
- * |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value. */
+// is_eoc returns true if |header_len| and |contents|, as returned by
+// |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value.
 static char is_eoc(size_t header_len, CBS *contents) {
  return header_len == 2 && CBS_len(contents) == 2 &&
         OPENSSL_memcmp(CBS_data(contents), "\x00\x00", 2) == 0;
 }

-/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
- * |string_tag| is non-zero, then all elements must match |string_tag| up to the
- * constructed bit and primitive element bodies are written to |out| without
- * element headers. This is used when concatenating the fragments of a
- * constructed string. If |looking_for_eoc| is set then any EOC elements found
- * will cause the function to return after consuming it. It returns one on
- * success and zero on error. */
+// cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
+// |string_tag| is non-zero, then all elements must match |string_tag| up to the
+// constructed bit and primitive element bodies are written to |out| without
+// element headers. This is used when concatenating the fragments of a
+// constructed string. If |looking_for_eoc| is set then any EOC elements found
+// will cause the function to return after consuming it. It returns one on
+// success and zero on error.
 static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
                           char looking_for_eoc, unsigned depth) {
  assert(!(string_tag & CBS_ASN1_CONSTRUCTED));
@@ -134,9 +134,9 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
    }

    if (string_tag != 0) {
-      /* This is part of a constructed string. All elements must match
-       * |string_tag| up to the constructed bit and get appended to |out|
-       * without a child element. */
+      // This is part of a constructed string. All elements must match
+      // |string_tag| up to the constructed bit and get appended to |out|
+      // without a child element.
      if ((tag & ~CBS_ASN1_CONSTRUCTED) != string_tag) {
        return 0;
      }
@@ -144,8 +144,8 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
    } else {
      unsigned out_tag = tag;
      if ((tag & CBS_ASN1_CONSTRUCTED) && is_string_type(tag)) {
-        /* If a constructed string, clear the constructed bit and inform
-         * children to concatenate bodies. */
+        // If a constructed string, clear the constructed bit and inform
+        // children to concatenate bodies.
        out_tag &= ~CBS_ASN1_CONSTRUCTED;
        child_string_tag = out_tag;
      }
@@ -157,7 +157,7 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,

    if (CBS_len(&contents) == header_len && header_len > 0 &&
        CBS_data(&contents)[header_len - 1] == 0x80) {
-      /* This is an indefinite length element. */
+      // This is an indefinite length element.
      if (!cbs_convert_ber(in, out_contents, child_string_tag,
                           1 /* looking for eoc */, depth + 1) ||
          !CBB_flush(out)) {
@@ -171,13 +171,13 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
    }

    if (tag & CBS_ASN1_CONSTRUCTED) {
-      /* Recurse into children. */
+      // Recurse into children.
      if (!cbs_convert_ber(&contents, out_contents, child_string_tag,
                           0 /* not looking for eoc */, depth + 1)) {
        return 0;
      }
    } else {
-      /* Copy primitive contents as-is. */
+      // Copy primitive contents as-is.
      if (!CBB_add_bytes(out_contents, CBS_data(&contents),
                         CBS_len(&contents))) {
        return 0;
@@ -195,8 +195,8 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
 int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len) {
  CBB cbb;

-  /* First, do a quick walk to find any indefinite-length elements. Most of the
-   * time we hope that there aren't any and thus we can quickly return. */
+  // First, do a quick walk to find any indefinite-length elements. Most of the
+  // time we hope that there aren't any and thus we can quickly return.
  char conversion_needed;
  if (!cbs_find_ber(in, &conversion_needed, 0)) {
    return 0;
@@ -225,14 +225,14 @@ int CBS_get_asn1_implicit_string(CBS *in, CBS *out, uint8_t **out_storage,
  assert(is_string_type(inner_tag));

  if (CBS_peek_asn1_tag(in, outer_tag)) {
-    /* Normal implicitly-tagged string. */
+    // Normal implicitly-tagged string.
    *out_storage = NULL;
    return CBS_get_asn1(in, out, outer_tag);
  }

-  /* Otherwise, try to parse an implicitly-tagged constructed string.
-   * |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep
-   * of nesting. */
+  // Otherwise, try to parse an implicitly-tagged constructed string.
+  // |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep
+  // of nesting.
  CBB result;
  CBS child;
  if (!CBB_init(&result, CBS_len(in)) ||
@@ -27,7 +27,7 @@ void CBB_zero(CBB *cbb) {
 }

 static int cbb_init(CBB *cbb, uint8_t *buf, size_t cap) {
-  /* This assumes that |cbb| has already been zeroed. */
+  // This assumes that |cbb| has already been zeroed.
  struct cbb_buffer_st *base;

  base = OPENSSL_malloc(sizeof(struct cbb_buffer_st));
@@ -75,8 +75,8 @@ int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {

 void CBB_cleanup(CBB *cbb) {
  if (cbb->base) {
-    /* Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
-     * are implicitly discarded when the parent is flushed or cleaned up. */
+    // Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
+    // are implicitly discarded when the parent is flushed or cleaned up.
    assert(cbb->is_top_level);

    if (cbb->base->can_resize) {
@@ -97,7 +97,7 @@ static int cbb_buffer_reserve(struct cbb_buffer_st *base, uint8_t **out,

  newlen = base->len + len;
  if (newlen < base->len) {
-    /* Overflow */
+    // Overflow
    goto err;
  }

@@ -137,7 +137,7 @@ static int cbb_buffer_add(struct cbb_buffer_st *base, uint8_t **out,
  if (!cbb_buffer_reserve(base, out, len)) {
    return 0;
  }
-  /* This will not overflow or |cbb_buffer_reserve| would have failed. */
+  // This will not overflow or |cbb_buffer_reserve| would have failed.
  base->len += len;
  return 1;
 }
@@ -176,7 +176,7 @@ int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) {
  }

  if (cbb->base->can_resize && (out_data == NULL || out_len == NULL)) {
-    /* |out_data| and |out_len| can only be NULL if the CBB is fixed. */
+    // |out_data| and |out_len| can only be NULL if the CBB is fixed.
    return 0;
  }

@@ -191,15 +191,15 @@ int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) {
  return 1;
 }

-/* CBB_flush recurses and then writes out any pending length prefix. The
- * current length of the underlying base is taken to be the length of the
- * length-prefixed data. */
+// CBB_flush recurses and then writes out any pending length prefix. The
+// current length of the underlying base is taken to be the length of the
+// length-prefixed data.
 int CBB_flush(CBB *cbb) {
  size_t child_start, i, len;

-  /* If |cbb->base| has hit an error, the buffer is in an undefined state, so
-   * fail all following calls. In particular, |cbb->child| may point to invalid
-   * memory. */
+  // If |cbb->base| has hit an error, the buffer is in an undefined state, so
+  // fail all following calls. In particular, |cbb->child| may point to invalid
+  // memory.
  if (cbb->base == NULL || cbb->base->error) {
    return 0;
  }
@@ -219,16 +219,16 @@ int CBB_flush(CBB *cbb) {
  len = cbb->base->len - child_start;

  if (cbb->child->pending_is_asn1) {
-    /* For ASN.1 we assume that we'll only need a single byte for the length.
-     * If that turned out to be incorrect, we have to move the contents along
-     * in order to make space. */
+    // For ASN.1 we assume that we'll only need a single byte for the length.
+    // If that turned out to be incorrect, we have to move the contents along
+    // in order to make space.
    uint8_t len_len;
    uint8_t initial_length_byte;

    assert (cbb->child->pending_len_len == 1);

    if (len > 0xfffffffe) {
-      /* Too large. */
+      // Too large.
      goto err;
    } else if (len > 0xffffff) {
      len_len = 5;
@@ -249,7 +249,7 @@ int CBB_flush(CBB *cbb) {
    }

    if (len_len != 1) {
-      /* We need to move the contents along in order to make space. */
+      // We need to move the contents along in order to make space.
      size_t extra_bytes = len_len - 1;
      if (!cbb_buffer_add(cbb->base, NULL, extra_bytes)) {
        goto err;
@@ -331,14 +331,14 @@ int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents) {
 int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag) {
  if (tag > 0xff ||
      (tag & 0x1f) == 0x1f) {
-    /* Long form identifier octets are not supported. Further, all current valid
-     * tag serializations are 8 bits. */
+    // Long form identifier octets are not supported. Further, all current valid
+    // tag serializations are 8 bits.
    cbb->base->error = 1;
    return 0;
  }

  if (!CBB_flush(cbb) ||
-      /* |tag|'s representation matches the DER encoding. */
+      // |tag|'s representation matches the DER encoding.
      !CBB_add_u8(cbb, (uint8_t)tag)) {
    return 0;
  }
@@ -451,11 +451,11 @@ int CBB_add_asn1_uint64(CBB *cbb, uint64_t value) {
    uint8_t byte = (value >> 8*(7-i)) & 0xff;
    if (!started) {
      if (byte == 0) {
-        /* Don't encode leading zeros. */
+        // Don't encode leading zeros.
        continue;
      }
-      /* If the high bit is set, add a padding byte to make it
-       * unsigned. */
+      // If the high bit is set, add a padding byte to make it
+      // unsigned.
      if ((byte & 0x80) && !CBB_add_u8(&child, 0)) {
        return 0;
      }
@@ -466,7 +466,7 @@ int CBB_add_asn1_uint64(CBB *cbb, uint64_t value) {
    }
  }

-  /* 0 is encoded as a single 0, not the empty string. */
+  // 0 is encoded as a single 0, not the empty string.
  if (!started && !CBB_add_u8(&child, 0)) {
    return 0;
  }
@@ -190,13 +190,13 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
    return 0;
  }

-  /* ITU-T X.690 section 8.1.2.3 specifies the format for identifiers with a tag
-   * number no greater than 30.
-   *
-   * If the number portion is 31 (0x1f, the largest value that fits in the
-   * allotted bits), then the tag is more than one byte long and the
-   * continuation bytes contain the tag number. This parser only supports tag
-   * numbers less than 31 (and thus single-byte tags). */
+  // ITU-T X.690 section 8.1.2.3 specifies the format for identifiers with a tag
+  // number no greater than 30.
+  //
+  // If the number portion is 31 (0x1f, the largest value that fits in the
+  // allotted bits), then the tag is more than one byte long and the
+  // continuation bytes contain the tag number. This parser only supports tag
+  // numbers less than 31 (and thus single-byte tags).
  if ((tag & 0x1f) == 0x1f) {
    return 0;
  }
@@ -206,52 +206,51 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
  }

  size_t len;
-  /* The format for the length encoding is specified in ITU-T X.690 section
-   * 8.1.3. */
+  // The format for the length encoding is specified in ITU-T X.690 section
+  // 8.1.3.
  if ((length_byte & 0x80) == 0) {
-    /* Short form length. */
+    // Short form length.
    len = ((size_t) length_byte) + 2;
    if (out_header_len != NULL) {
      *out_header_len = 2;
    }
  } else {
-    /* The high bit indicate that this is the long form, while the next 7 bits
-     * encode the number of subsequent octets used to encode the length (ITU-T
-     * X.690 clause 8.1.3.5.b). */
+    // The high bit indicate that this is the long form, while the next 7 bits
+    // encode the number of subsequent octets used to encode the length (ITU-T
+    // X.690 clause 8.1.3.5.b).
    const size_t num_bytes = length_byte & 0x7f;
    uint32_t len32;

    if (ber_ok && (tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
-      /* indefinite length */
+      // indefinite length
      if (out_header_len != NULL) {
        *out_header_len = 2;
      }
      return CBS_get_bytes(cbs, out, 2);
    }

-    /* ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be
-     * used as the first byte of the length. If this parser encounters that
-     * value, num_bytes will be parsed as 127, which will fail the check below.
-     */
+    // ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be
+    // used as the first byte of the length. If this parser encounters that
+    // value, num_bytes will be parsed as 127, which will fail the check below.
    if (num_bytes == 0 || num_bytes > 4) {
      return 0;
    }
    if (!cbs_get_u(&header, &len32, num_bytes)) {
      return 0;
    }
-    /* ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
-     * with the minimum number of octets. */
+    // ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
+    // with the minimum number of octets.
    if (len32 < 128) {
-      /* Length should have used short-form encoding. */
+      // Length should have used short-form encoding.
      return 0;
    }
    if ((len32 >> ((num_bytes-1)*8)) == 0) {
-      /* Length should have been at least one byte shorter. */
+      // Length should have been at least one byte shorter.
      return 0;
    }
    len = len32;
    if (len + 2 + num_bytes < len) {
-      /* Overflow. */
+      // Overflow.
      return 0;
    }
    len += 2 + num_bytes;
@@ -338,23 +337,23 @@ int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out) {
  size_t len = CBS_len(&bytes);

  if (len == 0) {
-    /* An INTEGER is encoded with at least one octet. */
+    // An INTEGER is encoded with at least one octet.
    return 0;
  }

  if ((data[0] & 0x80) != 0) {
-    /* Negative number. */
+    // Negative number.
    return 0;
  }

  if (data[0] == 0 && len > 1 && (data[1] & 0x80) == 0) {
-    /* Extra leading zeros. */
+    // Extra leading zeros.
    return 0;
  }

  for (size_t i = 0; i < len; i++) {
    if ((*out >> 56) != 0) {
-      /* Too large to represent as a uint64_t. */
+      // Too large to represent as a uint64_t.
      return 0;
    }
    *out <<= 8;
@@ -462,7 +461,7 @@ int CBS_is_valid_asn1_bitstring(const CBS *cbs) {
    return 1;
  }

-  /* All num_unused_bits bits must exist and be zeros. */
+  // All num_unused_bits bits must exist and be zeros.
  uint8_t last;
  if (!CBS_get_last_u8(&in, &last) ||
      (last & ((1 << num_unused_bits) - 1)) != 0) {
@@ -480,9 +479,9 @@ int CBS_asn1_bitstring_has_bit(const CBS *cbs, unsigned bit) {
  const unsigned byte_num = (bit >> 3) + 1;
  const unsigned bit_num = 7 - (bit & 7);

-  /* Unused bits are zero, and this function does not distinguish between
-   * missing and unset bits. Thus it is sufficient to do a byte-level length
-   * check. */
+  // Unused bits are zero, and this function does not distinguish between
+  // missing and unset bits. Thus it is sufficient to do a byte-level length
+  // check.
  return byte_num < CBS_len(cbs) &&
         (CBS_data(cbs)[byte_num] & (1 << bit_num)) != 0;
 }
@@ -22,54 +22,54 @@ extern "C" {
 #endif


-/* CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
- * indefinite-length elements or constructed strings then it converts the BER
- * data to DER and sets |*out| and |*out_length| to describe a malloced buffer
- * containing the DER data. Additionally, |*in| will be advanced over the BER
- * element.
- *
- * If it doesn't find any indefinite-length elements or constructed strings then
- * it sets |*out| to NULL and |*in| is unmodified.
- *
- * This function should successfully process any valid BER input, however it
- * will not convert all of BER's deviations from DER. BER is ambiguous between
- * implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
- * strings. Implicitly-tagged strings must be parsed with
- * |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
- * must also account for BER variations in the contents of a primitive.
- *
- * It returns one on success and zero otherwise. */
+// CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
+// indefinite-length elements or constructed strings then it converts the BER
+// data to DER and sets |*out| and |*out_length| to describe a malloced buffer
+// containing the DER data. Additionally, |*in| will be advanced over the BER
+// element.
+//
+// If it doesn't find any indefinite-length elements or constructed strings then
+// it sets |*out| to NULL and |*in| is unmodified.
+//
+// This function should successfully process any valid BER input, however it
+// will not convert all of BER's deviations from DER. BER is ambiguous between
+// implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
+// strings. Implicitly-tagged strings must be parsed with
+// |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
+// must also account for BER variations in the contents of a primitive.
+//
+// It returns one on success and zero otherwise.
 OPENSSL_EXPORT int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len);

-/* CBS_get_asn1_implicit_string parses a BER string of primitive type
- * |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
- * contents. If concatenation was needed, it sets |*out_storage| to a buffer
- * which the caller must release with |OPENSSL_free|. Otherwise, it sets
- * |*out_storage| to NULL.
- *
- * This function does not parse all of BER. It requires the string be
- * definite-length. Constructed strings are allowed, but all children of the
- * outermost element must be primitive. The caller should use
- * |CBS_asn1_ber_to_der| before running this function.
- *
- * It returns one on success and zero otherwise. */
+// CBS_get_asn1_implicit_string parses a BER string of primitive type
+// |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
+// contents. If concatenation was needed, it sets |*out_storage| to a buffer
+// which the caller must release with |OPENSSL_free|. Otherwise, it sets
+// |*out_storage| to NULL.
+//
+// This function does not parse all of BER. It requires the string be
+// definite-length. Constructed strings are allowed, but all children of the
+// outermost element must be primitive. The caller should use
+// |CBS_asn1_ber_to_der| before running this function.
+//
+// It returns one on success and zero otherwise.
 OPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out,
                                                uint8_t **out_storage,
                                                unsigned outer_tag,
                                                unsigned inner_tag);

-/* CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
- * with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
- * and |*outp| is advanced just past the output. It returns the number of bytes
- * in the result, whether written or not, or a negative value on error. On
- * error, it calls |CBB_cleanup| on |cbb|.
- *
- * This function may be used to help implement legacy i2d ASN.1 functions. */
+// CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
+// with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
+// and |*outp| is advanced just past the output. It returns the number of bytes
+// in the result, whether written or not, or a negative value on error. On
+// error, it calls |CBB_cleanup| on |cbb|.
+//
+// This function may be used to help implement legacy i2d ASN.1 functions.
 int CBB_finish_i2d(CBB *cbb, uint8_t **outp);


 #if defined(__cplusplus)
-}  /* extern C */
+}  // extern C
 #endif

-#endif  /* OPENSSL_HEADER_BYTESTRING_INTERNAL_H */
+#endif  // OPENSSL_HEADER_BYTESTRING_INTERNAL_H
@@ -1,4 +1,11 @@
-#!/usr/bin/env perl
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
 #
 # ====================================================================
 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
@@ -165,8 +172,10 @@ $code.=<<___;
 #include <openssl/arm_arch.h>

 .text
-#if defined(__thumb2__)
+#if defined(__thumb2__) || defined(__clang__)
 .syntax	unified
+#endif
+#if defined(__thumb2__)
 .thumb
 #else
 .code	32
@@ -1,4 +1,11 @@
-#!/usr/bin/env perl
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
 #
 # ====================================================================
 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
@@ -20,6 +27,7 @@
 # Cortex-A57		8.06/+43%       4.90            4.43(**)
 # Denver		4.50/+82%       2.63		2.67(*)
 # X-Gene		9.50/+46%       8.82		8.89(*)
+# Mongoose		8.00/+44%	3.64		3.25
 #
 # (*)	it's expected that doubling interleave factor doesn't help
 #	all processors, only those with higher NEON latency and
@@ -24,7 +24,7 @@
 #
 # Performance in cycles per byte out of large buffer.
 #
-#		IALU/gcc 4.8(i)	1xSSSE3/SSE2	4xSSSE3	    8xAVX2
+#		IALU/gcc 4.8(i)	1xSSSE3/SSE2	4xSSSE3	    NxAVX(v)
 #
 # P4		9.48/+99%	-/22.7(ii)	-
 # Core2		7.83/+55%	7.90/8.08	4.35
@@ -32,11 +32,13 @@
 # Sandy Bridge	8.31/+42%	5.45/6.76	2.72
 # Ivy Bridge	6.71/+46%	5.40/6.49	2.41
 # Haswell	5.92/+43%	5.20/6.45	2.42	    1.23
-# Skylake	5.87/+39%	4.70/-		2.31	    1.19
+# Skylake[-X]	5.87/+39%	4.70/-		2.31	    1.19[0.57]
 # Silvermont	12.0/+33%	7.75/7.40	7.03(iii)
+# Knights L	11.7/-		-		9.60(iii)   0.80
 # Goldmont	10.6/+17%	5.10/-		3.28
 # Sledgehammer	7.28/+52%	-/14.2(ii)	-
 # Bulldozer	9.66/+28%	9.85/11.1	3.06(iv)
+# Ryzen		5.96/+50%	5.19/-		2.40        2.09
 # VIA Nano	10.5/+46%	6.72/8.60	6.05
 #
 # (i)	compared to older gcc 3.x one can observe >2x improvement on
@@ -12,7 +12,7 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

-/* Adapted from the public domain, estream code by D. Bernstein. */
+// Adapted from the public domain, estream code by D. Bernstein.

 #include <openssl/chacha.h>

@@ -32,7 +32,7 @@
    (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
     defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))

-/* ChaCha20_ctr32 is defined in asm/chacha-*.pl. */
+// ChaCha20_ctr32 is defined in asm/chacha-*.pl.
 void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
                    const uint32_t key[8], const uint32_t counter[4]);

@@ -48,7 +48,7 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,

  const uint32_t *key_ptr = (const uint32_t *)key;
 #if !defined(OPENSSL_X86) && !defined(OPENSSL_X86_64)
-  /* The assembly expects the key to be four-byte aligned. */
+  // The assembly expects the key to be four-byte aligned.
  uint32_t key_u32[8];
  if ((((uintptr_t)key) & 3) != 0) {
    key_u32[0] = U8TO32_LITTLE(key + 0);
@@ -69,7 +69,7 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,

 #else

-/* sigma contains the ChaCha constants, which happen to be an ASCII string. */
+// sigma contains the ChaCha constants, which happen to be an ASCII string.
 static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
                                   '2', '-', 'b', 'y', 't', 'e', ' ', 'k' };

@@ -83,15 +83,15 @@ static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
    (p)[3] = (v >> 24) & 0xff; \
  }

-/* QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. */
+// QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round.
 #define QUARTERROUND(a, b, c, d)                \
  x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 16); \
  x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 12); \
  x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a],  8); \
  x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c],  7);

-/* chacha_core performs 20 rounds of ChaCha on the input words in
- * |input| and writes the 64 output bytes to |output|. */
+// chacha_core performs 20 rounds of ChaCha on the input words in
+// |input| and writes the 64 output bytes to |output|.
 static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
  uint32_t x[16];
  int i;
@@ -31,23 +31,5 @@ add_library(
  ${CIPHER_ARCH_SOURCES}
 )

-add_executable(
-  cipher_test
-
-  cipher_test.cc
-  $<TARGET_OBJECTS:test_support>
-)
-
-add_executable(
-  aead_test
-
-  aead_test.cc
-  $<TARGET_OBJECTS:test_support>
-)
-
 perlasm(aes128gcmsiv-x86_64.${ASM_EXT} asm/aes128gcmsiv-x86_64.pl)
 perlasm(chacha20_poly1305_x86_64.${ASM_EXT} asm/chacha20_poly1305_x86_64.pl)
-
-target_link_libraries(cipher_test crypto)
-target_link_libraries(aead_test crypto)
-add_dependencies(all_tests cipher_test aead_test)
@@ -1,68 +0,0 @@
-/* Copyright (c) 2017, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <gtest/gtest.h>
-
-#include <openssl/aead.h>
-#include <openssl/cipher.h>
-#include <openssl/err.h>
-
-
-// Test that EVP_aead_aes_128_gcm and EVP_aead_aes_256_gcm reject empty nonces.
-// AES-GCM is not defined for those.
-//
-// TODO(davidben): Fold this into aead_test.cc, once it is converted to GTest.
-TEST(AEADTest, AESGCMEmptyNonce) {
-  static const uint8_t kZeros[32] = {0};
-
-  // Test AES-128-GCM.
-  uint8_t buf[16];
-  size_t len;
-  bssl::ScopedEVP_AEAD_CTX ctx;
-  ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), EVP_aead_aes_128_gcm(), kZeros, 16,
-                                EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
-
-  EXPECT_FALSE(EVP_AEAD_CTX_seal(ctx.get(), buf, &len, sizeof(buf),
-                                 nullptr /* nonce */, 0, nullptr /* in */, 0,
-                                 nullptr /* ad */, 0));
-  uint32_t err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
-  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
-
-  EXPECT_FALSE(EVP_AEAD_CTX_open(ctx.get(), buf, &len, sizeof(buf),
-                                 nullptr /* nonce */, 0, kZeros /* in */,
-                                 sizeof(kZeros), nullptr /* ad */, 0));
-  err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
-  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
-
-  // Test AES-256-GCM.
-  ctx.Reset();
-  ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), EVP_aead_aes_256_gcm(), kZeros, 32,
-                                EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
-
-  EXPECT_FALSE(EVP_AEAD_CTX_seal(ctx.get(), buf, &len, sizeof(buf),
-                                 nullptr /* nonce */, 0, nullptr /* in */, 0,
-                                 nullptr /* ad */, 0));
-  err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
-  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
-
-  EXPECT_FALSE(EVP_AEAD_CTX_open(ctx.get(), buf, &len, sizeof(buf),
-                                 nullptr /* nonce */, 0, kZeros /* in */,
-                                 sizeof(kZeros), nullptr /* ad */, 0));
-  err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
-  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
-}
@@ -12,40 +12,100 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

-#include <assert.h>
 #include <stdint.h>
 #include <string.h>

 #include <vector>

+#include <gtest/gtest.h>
+
 #include <openssl/aead.h>
-#include <openssl/crypto.h>
+#include <openssl/cipher.h>
 #include <openssl/err.h>

+#include "../fipsmodule/cipher/internal.h"
 #include "../internal.h"
 #include "../test/file_test.h"
+#include "../test/test_util.h"


-#if defined(OPENSSL_SMALL)
-const EVP_AEAD* EVP_aead_aes_128_gcm_siv(void) {
-  return nullptr;
-}
-const EVP_AEAD* EVP_aead_aes_256_gcm_siv(void) {
-  return nullptr;
-}
+struct KnownAEAD {
+  const char name[40];
+  const EVP_AEAD *(*func)(void);
+  const char *test_vectors;
+  // limited_implementation indicates that tests that assume a generic AEAD
+  // interface should not be performed. For example, the key-wrap AEADs only
+  // handle inputs that are a multiple of eight bytes in length and the
+  // SSLv3/TLS AEADs have the concept of “direction”.
+  bool limited_implementation;
+  // truncated_tags is true if the AEAD supports truncating tags to arbitrary
+  // lengths.
+  bool truncated_tags;
+  // ad_len, if non-zero, is the required length of the AD.
+  size_t ad_len;
+};
+
+static const struct KnownAEAD kAEADs[] = {
+    {"AES_128_GCM", EVP_aead_aes_128_gcm, "aes_128_gcm_tests.txt", false, true,
+     0},
+    {"AES_128_GCM_NIST", EVP_aead_aes_128_gcm, "nist_cavp/aes_128_gcm.txt",
+     false, true, 0},
+    {"AES_256_GCM", EVP_aead_aes_256_gcm, "aes_256_gcm_tests.txt", false, true,
+     0},
+    {"AES_256_GCM_NIST", EVP_aead_aes_256_gcm, "nist_cavp/aes_256_gcm.txt",
+     false, true, 0},
+#if !defined(OPENSSL_SMALL)
+    {"AES_128_GCM_SIV", EVP_aead_aes_128_gcm_siv, "aes_128_gcm_siv_tests.txt",
+     false, false, 0},
+    {"AES_256_GCM_SIV", EVP_aead_aes_256_gcm_siv, "aes_256_gcm_siv_tests.txt",
+     false, false, 0},
 #endif
+    {"ChaCha20Poly1305", EVP_aead_chacha20_poly1305,
+     "chacha20_poly1305_tests.txt", false, true, 0},
+    {"AES_128_CBC_SHA1_TLS", EVP_aead_aes_128_cbc_sha1_tls,
+     "aes_128_cbc_sha1_tls_tests.txt", true, false, 11},
+    {"AES_128_CBC_SHA1_TLSImplicitIV",
+     EVP_aead_aes_128_cbc_sha1_tls_implicit_iv,
+     "aes_128_cbc_sha1_tls_implicit_iv_tests.txt", true, false, 11},
+    {"AES_128_CBC_SHA256_TLS", EVP_aead_aes_128_cbc_sha256_tls,
+     "aes_128_cbc_sha256_tls_tests.txt", true, false, 11},
+    {"AES_256_CBC_SHA1_TLS", EVP_aead_aes_256_cbc_sha1_tls,
+     "aes_256_cbc_sha1_tls_tests.txt", true, false, 11},
+    {"AES_256_CBC_SHA1_TLSImplicitIV",
+     EVP_aead_aes_256_cbc_sha1_tls_implicit_iv,
+     "aes_256_cbc_sha1_tls_implicit_iv_tests.txt", true, false, 11},
+    {"AES_256_CBC_SHA256_TLS", EVP_aead_aes_256_cbc_sha256_tls,
+     "aes_256_cbc_sha256_tls_tests.txt", true, false, 11},
+    {"AES_256_CBC_SHA384_TLS", EVP_aead_aes_256_cbc_sha384_tls,
+     "aes_256_cbc_sha384_tls_tests.txt", true, false, 11},
+    {"DES_EDE3_CBC_SHA1_TLS", EVP_aead_des_ede3_cbc_sha1_tls,
+     "des_ede3_cbc_sha1_tls_tests.txt", true, false, 11},
+    {"DES_EDE3_CBC_SHA1_TLSImplicitIV",
+     EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv,
+     "des_ede3_cbc_sha1_tls_implicit_iv_tests.txt", true, false, 11},
+    {"AES_128_CBC_SHA1_SSL3", EVP_aead_aes_128_cbc_sha1_ssl3,
+     "aes_128_cbc_sha1_ssl3_tests.txt", true, false, 9},
+    {"AES_256_CBC_SHA1_SSL3", EVP_aead_aes_256_cbc_sha1_ssl3,
+     "aes_256_cbc_sha1_ssl3_tests.txt", true, false, 9},
+    {"DES_EDE3_CBC_SHA1_SSL3", EVP_aead_des_ede3_cbc_sha1_ssl3,
+     "des_ede3_cbc_sha1_ssl3_tests.txt", true, false, 9},
+    {"AES_128_CTR_HMAC_SHA256", EVP_aead_aes_128_ctr_hmac_sha256,
+     "aes_128_ctr_hmac_sha256.txt", false, true, 0},
+    {"AES_256_CTR_HMAC_SHA256", EVP_aead_aes_256_ctr_hmac_sha256,
+     "aes_256_ctr_hmac_sha256.txt", false, true, 0},
+};

-#if !defined(BORINGSSL_FIPS)
-const EVP_AEAD* EVP_aead_aes_128_gcm_fips_testonly(void) {
-  return nullptr;
-}
-const EVP_AEAD* EVP_aead_aes_256_gcm_fips_testonly(void) {
-  return nullptr;
-}
-#endif
+class PerAEADTest : public testing::TestWithParam<KnownAEAD> {
+ public:
+  const EVP_AEAD *aead() { return GetParam().func(); }
+};

-// This program tests an AEAD against a series of test vectors from a file,
-// using the FileTest format. As an example, here's a valid test case:
+INSTANTIATE_TEST_CASE_P(, PerAEADTest, testing::ValuesIn(kAEADs),
+                        [](const testing::TestParamInfo<KnownAEAD> &params)
+                            -> std::string { return params.param.name; });
+
+// Tests an AEAD against a series of test vectors from a file, using the
+// FileTest format. As an example, here's a valid test case:
 //
 //   KEY: 5a19f3173586b4c42f8412f4d5a786531b3231753e9e00998aec12fda8df10e4
 //   NONCE: 978105dfce667bf4
@@ -53,177 +113,315 @@ const EVP_AEAD* EVP_aead_aes_256_gcm_fips_testonly(void) {
 //   AD: b654574932
 //   CT: 5294265a60
 //   TAG: 1d45758621762e061368e68868e2f929
-
-static bool TestAEAD(FileTest *t, void *arg) {
-  const EVP_AEAD *aead = reinterpret_cast<const EVP_AEAD*>(arg);
-
-  std::vector<uint8_t> key, nonce, in, ad, ct, tag;
-  if (!t->GetBytes(&key, "KEY") ||
-      !t->GetBytes(&nonce, "NONCE") ||
-      !t->GetBytes(&in, "IN") ||
-      !t->GetBytes(&ad, "AD") ||
-      !t->GetBytes(&ct, "CT") ||
-      !t->GetBytes(&tag, "TAG")) {
-    return false;
-  }
-
-  bssl::ScopedEVP_AEAD_CTX ctx;
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_seal)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
-
-  std::vector<uint8_t> out(in.size() + EVP_AEAD_max_overhead(aead));
-  if (!t->HasAttribute("NO_SEAL")) {
-    size_t out_len;
-    if (!EVP_AEAD_CTX_seal(ctx.get(), out.data(), &out_len, out.size(),
-                           nonce.data(), nonce.size(), in.data(), in.size(),
-                           ad.data(), ad.size())) {
-      t->PrintLine("Failed to run AEAD.");
-      return false;
+TEST_P(PerAEADTest, TestVector) {
+  std::string test_vectors = "crypto/cipher_extra/test/";
+  test_vectors += GetParam().test_vectors;
+  FileTestGTest(test_vectors.c_str(), [&](FileTest *t) {
+    std::vector<uint8_t> key, nonce, in, ad, ct, tag;
+    ASSERT_TRUE(t->GetBytes(&key, "KEY"));
+    ASSERT_TRUE(t->GetBytes(&nonce, "NONCE"));
+    ASSERT_TRUE(t->GetBytes(&in, "IN"));
+    ASSERT_TRUE(t->GetBytes(&ad, "AD"));
+    ASSERT_TRUE(t->GetBytes(&ct, "CT"));
+    ASSERT_TRUE(t->GetBytes(&tag, "TAG"));
+    size_t tag_len = tag.size();
+    if (t->HasAttribute("TAG_LEN")) {
+      // Legacy AEADs are MAC-then-encrypt and may include padding in the TAG
+      // field. TAG_LEN contains the actual size of the digest in that case.
+      std::string tag_len_str;
+      ASSERT_TRUE(t->GetAttribute(&tag_len_str, "TAG_LEN"));
+      tag_len = strtoul(tag_len_str.c_str(), nullptr, 10);
+      ASSERT_TRUE(tag_len);
    }
-    out.resize(out_len);

-    if (out.size() != ct.size() + tag.size()) {
-      t->PrintLine("Bad output length: %u vs %u.", (unsigned)out_len,
-                   (unsigned)(ct.size() + tag.size()));
-      return false;
-    }
-    if (!t->ExpectBytesEqual(ct.data(), ct.size(), out.data(), ct.size()) ||
-        !t->ExpectBytesEqual(tag.data(), tag.size(), out.data() + ct.size(),
-                             tag.size())) {
-      return false;
-    }
-  } else {
-    out.resize(ct.size() + tag.size());
-    OPENSSL_memcpy(out.data(), ct.data(), ct.size());
-    OPENSSL_memcpy(out.data() + ct.size(), tag.data(), tag.size());
-  }
+    bssl::ScopedEVP_AEAD_CTX ctx;
+    ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+        ctx.get(), aead(), key.data(), key.size(), tag_len, evp_aead_seal));

-  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-  // reset after each operation.
-  ctx.Reset();
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_open)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
+    std::vector<uint8_t> out(in.size() + EVP_AEAD_max_overhead(aead()));
+    if (!t->HasAttribute("NO_SEAL")) {
+      size_t out_len;
+      ASSERT_TRUE(EVP_AEAD_CTX_seal(ctx.get(), out.data(), &out_len, out.size(),
+                                    nonce.data(), nonce.size(), in.data(),
+                                    in.size(), ad.data(), ad.size()));
+      out.resize(out_len);

-  std::vector<uint8_t> out2(out.size());
-  size_t out2_len;
-  int ret = EVP_AEAD_CTX_open(ctx.get(), out2.data(), &out2_len, out2.size(),
-                              nonce.data(), nonce.size(), out.data(),
-                              out.size(), ad.data(), ad.size());
-  if (t->HasAttribute("FAILS")) {
-    if (ret) {
-      t->PrintLine("Decrypted bad data.");
-      return false;
+      ASSERT_EQ(out.size(), ct.size() + tag.size());
+      EXPECT_EQ(Bytes(ct), Bytes(out.data(), ct.size()));
+      EXPECT_EQ(Bytes(tag), Bytes(out.data() + ct.size(), tag.size()));
+    } else {
+      out.resize(ct.size() + tag.size());
+      OPENSSL_memcpy(out.data(), ct.data(), ct.size());
+      OPENSSL_memcpy(out.data() + ct.size(), tag.data(), tag.size());
    }
+
+    // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+    // reset after each operation.
+    ctx.Reset();
+    ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+        ctx.get(), aead(), key.data(), key.size(), tag_len, evp_aead_open));
+
+    std::vector<uint8_t> out2(out.size());
+    size_t out2_len;
+    int ret = EVP_AEAD_CTX_open(ctx.get(), out2.data(), &out2_len, out2.size(),
+                                nonce.data(), nonce.size(), out.data(),
+                                out.size(), ad.data(), ad.size());
+    if (t->HasAttribute("FAILS")) {
+      ASSERT_FALSE(ret) << "Decrypted bad data.";
+      ERR_clear_error();
+      return;
+    }
+
+    ASSERT_TRUE(ret) << "Failed to decrypt.";
+    out2.resize(out2_len);
+    EXPECT_EQ(Bytes(in), Bytes(out2));
+
+    // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+    // reset after each operation.
+    ctx.Reset();
+    ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+        ctx.get(), aead(), key.data(), key.size(), tag_len, evp_aead_open));
+
+    // Garbage at the end isn't ignored.
+    out.push_back(0);
+    out2.resize(out.size());
+    EXPECT_FALSE(EVP_AEAD_CTX_open(
+        ctx.get(), out2.data(), &out2_len, out2.size(), nonce.data(),
+        nonce.size(), out.data(), out.size(), ad.data(), ad.size()))
+        << "Decrypted bad data with trailing garbage.";
    ERR_clear_error();
-    return true;
-  }

-  if (!ret) {
-    t->PrintLine("Failed to decrypt.");
-    return false;
-  }
-  out2.resize(out2_len);
-  if (!t->ExpectBytesEqual(in.data(), in.size(), out2.data(), out2.size())) {
-    return false;
-  }
+    // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+    // reset after each operation.
+    ctx.Reset();
+    ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+        ctx.get(), aead(), key.data(), key.size(), tag_len, evp_aead_open));

-  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-  // reset after each operation.
-  ctx.Reset();
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_open)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
-
-  // Garbage at the end isn't ignored.
-  out.push_back(0);
-  out2.resize(out.size());
-  if (EVP_AEAD_CTX_open(ctx.get(), out2.data(), &out2_len, out2.size(),
-                        nonce.data(), nonce.size(), out.data(), out.size(),
-                        ad.data(), ad.size())) {
-    t->PrintLine("Decrypted bad data with trailing garbage.");
-    return false;
-  }
-  ERR_clear_error();
-
-  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-  // reset after each operation.
-  ctx.Reset();
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_open)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
-
-  // Verify integrity is checked.
-  out[0] ^= 0x80;
-  out.resize(out.size() - 1);
-  out2.resize(out.size());
-  if (EVP_AEAD_CTX_open(ctx.get(), out2.data(), &out2_len, out2.size(),
-                        nonce.data(), nonce.size(), out.data(), out.size(),
-                        ad.data(), ad.size())) {
-    t->PrintLine("Decrypted bad data with corrupted byte.");
-    return false;
-  }
-  ERR_clear_error();
-
-  return true;
+    // Verify integrity is checked.
+    out[0] ^= 0x80;
+    out.resize(out.size() - 1);
+    out2.resize(out.size());
+    EXPECT_FALSE(EVP_AEAD_CTX_open(
+        ctx.get(), out2.data(), &out2_len, out2.size(), nonce.data(),
+        nonce.size(), out.data(), out.size(), ad.data(), ad.size()))
+        << "Decrypted bad data with corrupted byte.";
+    ERR_clear_error();
+  });
 }

-static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) {
+TEST_P(PerAEADTest, TestExtraInput) {
+  const KnownAEAD &aead_config = GetParam();
+  if (!aead()->seal_scatter_supports_extra_in) {
+    return;
+  }
+
+  const std::string test_vectors =
+      "crypto/cipher_extra/test/" + std::string(aead_config.test_vectors);
+  FileTestGTest(test_vectors.c_str(), [&](FileTest *t) {
+    if (t->HasAttribute("NO_SEAL") ||
+        t->HasAttribute("FAILS")) {
+      t->SkipCurrent();
+      return;
+    }
+
+    std::vector<uint8_t> key, nonce, in, ad, ct, tag;
+    ASSERT_TRUE(t->GetBytes(&key, "KEY"));
+    ASSERT_TRUE(t->GetBytes(&nonce, "NONCE"));
+    ASSERT_TRUE(t->GetBytes(&in, "IN"));
+    ASSERT_TRUE(t->GetBytes(&ad, "AD"));
+    ASSERT_TRUE(t->GetBytes(&ct, "CT"));
+    ASSERT_TRUE(t->GetBytes(&tag, "TAG"));
+
+    bssl::ScopedEVP_AEAD_CTX ctx;
+    ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), aead(), key.data(), key.size(),
+                                  tag.size(), nullptr));
+    std::vector<uint8_t> out_tag(EVP_AEAD_max_overhead(aead()) + in.size());
+    std::vector<uint8_t> out(in.size());
+
+    for (size_t extra_in_size = 0; extra_in_size < in.size(); extra_in_size++) {
+      size_t tag_bytes_written;
+      SCOPED_TRACE(extra_in_size);
+      ASSERT_TRUE(EVP_AEAD_CTX_seal_scatter(
+          ctx.get(), out.data(), out_tag.data(), &tag_bytes_written,
+          out_tag.size(), nonce.data(), nonce.size(), in.data(),
+          in.size() - extra_in_size, in.data() + in.size() - extra_in_size,
+          extra_in_size, ad.data(), ad.size()));
+
+      ASSERT_EQ(tag_bytes_written, extra_in_size + tag.size());
+
+      memcpy(out.data() + in.size() - extra_in_size, out_tag.data(),
+             extra_in_size);
+
+      EXPECT_EQ(Bytes(ct), Bytes(out.data(), in.size()));
+      EXPECT_EQ(Bytes(tag), Bytes(out_tag.data() + extra_in_size,
+                                  tag_bytes_written - extra_in_size));
+    }
+  });
+}
+
+TEST_P(PerAEADTest, TestVectorScatterGather) {
+  std::string test_vectors = "crypto/cipher_extra/test/";
+  const KnownAEAD &aead_config = GetParam();
+  test_vectors += aead_config.test_vectors;
+  FileTestGTest(test_vectors.c_str(), [&](FileTest *t) {
+    std::vector<uint8_t> key, nonce, in, ad, ct, tag;
+    ASSERT_TRUE(t->GetBytes(&key, "KEY"));
+    ASSERT_TRUE(t->GetBytes(&nonce, "NONCE"));
+    ASSERT_TRUE(t->GetBytes(&in, "IN"));
+    ASSERT_TRUE(t->GetBytes(&ad, "AD"));
+    ASSERT_TRUE(t->GetBytes(&ct, "CT"));
+    ASSERT_TRUE(t->GetBytes(&tag, "TAG"));
+    size_t tag_len = tag.size();
+    if (t->HasAttribute("TAG_LEN")) {
+      // Legacy AEADs are MAC-then-encrypt and may include padding in the TAG
+      // field. TAG_LEN contains the actual size of the digest in that case.
+      std::string tag_len_str;
+      ASSERT_TRUE(t->GetAttribute(&tag_len_str, "TAG_LEN"));
+      tag_len = strtoul(tag_len_str.c_str(), nullptr, 10);
+      ASSERT_TRUE(tag_len);
+    }
+
+    bssl::ScopedEVP_AEAD_CTX ctx;
+    ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+        ctx.get(), aead(), key.data(), key.size(), tag_len, evp_aead_seal));
+
+    std::vector<uint8_t> out(in.size());
+    std::vector<uint8_t> out_tag(EVP_AEAD_max_overhead(aead()));
+    if (!t->HasAttribute("NO_SEAL")) {
+      size_t out_tag_len;
+      ASSERT_TRUE(EVP_AEAD_CTX_seal_scatter(
+          ctx.get(), out.data(), out_tag.data(), &out_tag_len, out_tag.size(),
+          nonce.data(), nonce.size(), in.data(), in.size(), nullptr, 0,
+          ad.data(), ad.size()));
+      out_tag.resize(out_tag_len);
+
+      ASSERT_EQ(out.size(), ct.size());
+      ASSERT_EQ(out_tag.size(), tag.size());
+      EXPECT_EQ(Bytes(ct), Bytes(out.data(), ct.size()));
+      EXPECT_EQ(Bytes(tag), Bytes(out_tag.data(), tag.size()));
+    } else {
+      out.resize(ct.size());
+      out_tag.resize(tag.size());
+      OPENSSL_memcpy(out.data(), ct.data(), ct.size());
+      OPENSSL_memcpy(out_tag.data(), tag.data(), tag.size());
+    }
+
+    // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+    // reset after each operation.
+    ctx.Reset();
+    ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+        ctx.get(), aead(), key.data(), key.size(), tag_len, evp_aead_open));
+
+    std::vector<uint8_t> out2(out.size());
+    int ret = EVP_AEAD_CTX_open_gather(
+        ctx.get(), out2.data(), nonce.data(), nonce.size(), out.data(),
+        out.size(), out_tag.data(), out_tag.size(), ad.data(), ad.size());
+
+    // Skip decryption for AEADs that don't implement open_gather().
+    if (!ret) {
+      int err = ERR_peek_error();
+      if (ERR_GET_LIB(err) == ERR_LIB_CIPHER &&
+          ERR_GET_REASON(err) == CIPHER_R_CTRL_NOT_IMPLEMENTED) {
+          t->SkipCurrent();
+          return;
+        }
+    }
+
+    if (t->HasAttribute("FAILS")) {
+      ASSERT_FALSE(ret) << "Decrypted bad data";
+      ERR_clear_error();
+      return;
+    }
+
+    ASSERT_TRUE(ret) << "Failed to decrypt: "
+                     << ERR_reason_error_string(ERR_get_error());
+    EXPECT_EQ(Bytes(in), Bytes(out2));
+
+    // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+    // reset after each operation.
+    ctx.Reset();
+    ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+        ctx.get(), aead(), key.data(), key.size(), tag_len, evp_aead_open));
+
+    // Garbage at the end isn't ignored.
+    out_tag.push_back(0);
+    out2.resize(out.size());
+    EXPECT_FALSE(EVP_AEAD_CTX_open_gather(
+        ctx.get(), out2.data(), nonce.data(), nonce.size(), out.data(),
+        out.size(), out_tag.data(), out_tag.size(), ad.data(), ad.size()))
+        << "Decrypted bad data with trailing garbage.";
+    ERR_clear_error();
+
+    // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+    // reset after each operation.
+    ctx.Reset();
+    ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+        ctx.get(), aead(), key.data(), key.size(), tag_len, evp_aead_open));
+
+    // Verify integrity is checked.
+    out_tag[0] ^= 0x80;
+    out_tag.resize(out_tag.size() - 1);
+    out2.resize(out.size());
+    EXPECT_FALSE(EVP_AEAD_CTX_open_gather(
+        ctx.get(), out2.data(), nonce.data(), nonce.size(), out.data(),
+        out.size(), out_tag.data(), out_tag.size(), ad.data(), ad.size()))
+        << "Decrypted bad data with corrupted byte.";
+    ERR_clear_error();
+
+    ctx.Reset();
+    ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+        ctx.get(), aead(), key.data(), key.size(), tag_len, evp_aead_open));
+
+    // Check edge case for tag length.
+    EXPECT_FALSE(EVP_AEAD_CTX_open_gather(
+        ctx.get(), out2.data(), nonce.data(), nonce.size(), out.data(),
+        out.size(), out_tag.data(), 0, ad.data(), ad.size()))
+        << "Decrypted bad data with corrupted byte.";
+    ERR_clear_error();
+  });
+}
+
+TEST_P(PerAEADTest, CleanupAfterInitFailure) {
  uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
  OPENSSL_memset(key, 0, sizeof(key));
-  const size_t key_len = EVP_AEAD_key_length(aead);
-  assert(sizeof(key) >= key_len);
+  const size_t key_len = EVP_AEAD_key_length(aead());
+  ASSERT_GE(sizeof(key), key_len);

  EVP_AEAD_CTX ctx;
-  if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
-                        9999 /* a silly tag length to trigger an error */,
-                        NULL /* ENGINE */) != 0) {
-    fprintf(stderr, "A silly tag length didn't trigger an error!\n");
-    return 0;
-  }
+  ASSERT_FALSE(EVP_AEAD_CTX_init(
+      &ctx, aead(), key, key_len,
+      9999 /* a silly tag length to trigger an error */, NULL /* ENGINE */));
  ERR_clear_error();

-  /* Running a second, failed _init should not cause a memory leak. */
-  if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
-                        9999 /* a silly tag length to trigger an error */,
-                        NULL /* ENGINE */) != 0) {
-    fprintf(stderr, "A silly tag length didn't trigger an error!\n");
-    return 0;
-  }
+  // Running a second, failed _init should not cause a memory leak.
+  ASSERT_FALSE(EVP_AEAD_CTX_init(
+      &ctx, aead(), key, key_len,
+      9999 /* a silly tag length to trigger an error */, NULL /* ENGINE */));
  ERR_clear_error();

-  /* Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a
-   * no-op. */
+  // Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a
+  // no-op.
  EVP_AEAD_CTX_cleanup(&ctx);
-  return 1;
 }

-static int TestTruncatedTags(const EVP_AEAD *aead) {
+TEST_P(PerAEADTest, TruncatedTags) {
+  if (!GetParam().truncated_tags) {
+    return;
+  }
+
  uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
  OPENSSL_memset(key, 0, sizeof(key));
-  const size_t key_len = EVP_AEAD_key_length(aead);
-  assert(sizeof(key) >= key_len);
+  const size_t key_len = EVP_AEAD_key_length(aead());
+  ASSERT_GE(sizeof(key), key_len);

  uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
  OPENSSL_memset(nonce, 0, sizeof(nonce));
-  const size_t nonce_len = EVP_AEAD_nonce_length(aead);
-  assert(sizeof(nonce) >= nonce_len);
+  const size_t nonce_len = EVP_AEAD_nonce_length(aead());
+  ASSERT_GE(sizeof(nonce), nonce_len);

  bssl::ScopedEVP_AEAD_CTX ctx;
-  if (!EVP_AEAD_CTX_init(ctx.get(), aead, key, key_len, 1 /* one byte tag */,
-                         NULL /* ENGINE */)) {
-    fprintf(stderr, "Couldn't initialise AEAD with truncated tag.\n");
-    return 1;
-  }
+  ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), aead(), key, key_len,
+                                1 /* one byte tag */, NULL /* ENGINE */));

  const uint8_t plaintext[1] = {'A'};

@@ -232,68 +430,53 @@ static int TestTruncatedTags(const EVP_AEAD *aead) {
  constexpr uint8_t kSentinel = 42;
  OPENSSL_memset(ciphertext, kSentinel, sizeof(ciphertext));

-  if (!EVP_AEAD_CTX_seal(ctx.get(), ciphertext, &ciphertext_len,
-                         sizeof(ciphertext), nonce, nonce_len, plaintext,
-                         sizeof(plaintext), nullptr /* ad */, 0)) {
-    fprintf(stderr, "Sealing with truncated tag didn't work.\n");
-    return 0;
-  }
+  ASSERT_TRUE(EVP_AEAD_CTX_seal(ctx.get(), ciphertext, &ciphertext_len,
+                                sizeof(ciphertext), nonce, nonce_len, plaintext,
+                                sizeof(plaintext), nullptr /* ad */, 0));

  for (size_t i = ciphertext_len; i < sizeof(ciphertext); i++) {
    // Sealing must not write past where it said it did.
-    if (ciphertext[i] != kSentinel) {
-      fprintf(stderr, "Sealing wrote off the end of the buffer.\n");
-      return 0;
-    }
+    EXPECT_EQ(kSentinel, ciphertext[i])
+        << "Sealing wrote off the end of the buffer.";
  }

  const size_t overhead_used = ciphertext_len - sizeof(plaintext);
  const size_t expected_overhead =
-      1 + EVP_AEAD_max_overhead(aead) - EVP_AEAD_max_tag_len(aead);
-  if (overhead_used != expected_overhead) {
-    fprintf(stderr, "AEAD is probably ignoring request to truncate tags.\n");
-    return 0;
-  }
+      1 + EVP_AEAD_max_overhead(aead()) - EVP_AEAD_max_tag_len(aead());
+  EXPECT_EQ(overhead_used, expected_overhead)
+      << "AEAD is probably ignoring request to truncate tags.";

  uint8_t plaintext2[sizeof(plaintext) + 16];
  OPENSSL_memset(plaintext2, kSentinel, sizeof(plaintext2));

  size_t plaintext2_len;
-  if (!EVP_AEAD_CTX_open(ctx.get(), plaintext2, &plaintext2_len,
-                         sizeof(plaintext2), nonce, nonce_len, ciphertext,
-                         ciphertext_len, nullptr /* ad */, 0)) {
-    fprintf(stderr, "Opening with truncated tag didn't work.\n");
-    return 0;
-  }
+  ASSERT_TRUE(EVP_AEAD_CTX_open(
+      ctx.get(), plaintext2, &plaintext2_len, sizeof(plaintext2), nonce,
+      nonce_len, ciphertext, ciphertext_len, nullptr /* ad */, 0))
+      << "Opening with truncated tag didn't work.";

  for (size_t i = plaintext2_len; i < sizeof(plaintext2); i++) {
    // Likewise, opening should also stay within bounds.
-    if (plaintext2[i] != kSentinel) {
-      fprintf(stderr, "Opening wrote off the end of the buffer.\n");
-      return 0;
-    }
+    EXPECT_EQ(kSentinel, plaintext2[i])
+        << "Opening wrote off the end of the buffer.";
  }

-  if (plaintext2_len != sizeof(plaintext) ||
-      OPENSSL_memcmp(plaintext2, plaintext, sizeof(plaintext)) != 0) {
-    fprintf(stderr, "Opening with truncated tag gave wrong result.\n");
-    return 0;
-  }
-
-  return 1;
+  EXPECT_EQ(Bytes(plaintext), Bytes(plaintext2, plaintext2_len));
 }

-static bool TestWithAliasedBuffers(const EVP_AEAD *aead) {
-  const size_t key_len = EVP_AEAD_key_length(aead);
-  const size_t nonce_len = EVP_AEAD_nonce_length(aead);
-  const size_t max_overhead = EVP_AEAD_max_overhead(aead);
+TEST_P(PerAEADTest, AliasedBuffers) {
+  if (GetParam().limited_implementation) {
+    return;
+  }
+
+  const size_t key_len = EVP_AEAD_key_length(aead());
+  const size_t nonce_len = EVP_AEAD_nonce_length(aead());
+  const size_t max_overhead = EVP_AEAD_max_overhead(aead());

  std::vector<uint8_t> key(key_len, 'a');
  bssl::ScopedEVP_AEAD_CTX ctx;
-  if (!EVP_AEAD_CTX_init(ctx.get(), aead, key.data(), key_len,
-                         EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr)) {
-    return false;
-  }
+  ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), aead(), key.data(), key_len,
+                                EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));

  static const uint8_t kPlaintext[260] =
      "testing123456testing123456testing123456testing123456testing123456testing"
@@ -308,13 +491,11 @@ static bool TestWithAliasedBuffers(const EVP_AEAD *aead) {
  std::vector<uint8_t> nonce(nonce_len, 'b');
  std::vector<uint8_t> valid_encryption(sizeof(kPlaintext) + max_overhead);
  size_t valid_encryption_len;
-  if (!EVP_AEAD_CTX_seal(
-          ctx.get(), valid_encryption.data(), &valid_encryption_len,
-          sizeof(kPlaintext) + max_overhead, nonce.data(), nonce_len,
-          kPlaintext, sizeof(kPlaintext), nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal failed with disjoint buffers.\n");
-    return false;
-  }
+  ASSERT_TRUE(EVP_AEAD_CTX_seal(
+      ctx.get(), valid_encryption.data(), &valid_encryption_len,
+      sizeof(kPlaintext) + max_overhead, nonce.data(), nonce_len, kPlaintext,
+      sizeof(kPlaintext), nullptr, 0))
+      << "EVP_AEAD_CTX_seal failed with disjoint buffers.";

  // Test with out != in which we expect to fail.
  std::vector<uint8_t> buffer(2 + valid_encryption_len);
@@ -324,140 +505,149 @@ static bool TestWithAliasedBuffers(const EVP_AEAD *aead) {

  OPENSSL_memcpy(in, kPlaintext, sizeof(kPlaintext));
  size_t out_len;
-  if (EVP_AEAD_CTX_seal(ctx.get(), out1, &out_len,
-                        sizeof(kPlaintext) + max_overhead, nonce.data(),
-                        nonce_len, in, sizeof(kPlaintext), nullptr, 0) ||
-      EVP_AEAD_CTX_seal(ctx.get(), out2, &out_len,
-                        sizeof(kPlaintext) + max_overhead, nonce.data(),
-                        nonce_len, in, sizeof(kPlaintext), nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal unexpectedly succeeded.\n");
-    return false;
-  }
+  EXPECT_FALSE(EVP_AEAD_CTX_seal(
+      ctx.get(), out1 /* in - 1 */, &out_len, sizeof(kPlaintext) + max_overhead,
+      nonce.data(), nonce_len, in, sizeof(kPlaintext), nullptr, 0));
+  EXPECT_FALSE(EVP_AEAD_CTX_seal(
+      ctx.get(), out2 /* in + 1 */, &out_len, sizeof(kPlaintext) + max_overhead,
+      nonce.data(), nonce_len, in, sizeof(kPlaintext), nullptr, 0));
  ERR_clear_error();

  OPENSSL_memcpy(in, valid_encryption.data(), valid_encryption_len);
-  if (EVP_AEAD_CTX_open(ctx.get(), out1, &out_len, valid_encryption_len,
-                        nonce.data(), nonce_len, in, valid_encryption_len,
-                        nullptr, 0) ||
-      EVP_AEAD_CTX_open(ctx.get(), out2, &out_len, valid_encryption_len,
-                        nonce.data(), nonce_len, in, valid_encryption_len,
-                        nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_open unexpectedly succeeded.\n");
-    return false;
-  }
+  EXPECT_FALSE(EVP_AEAD_CTX_open(ctx.get(), out1 /* in - 1 */, &out_len,
+                                 valid_encryption_len, nonce.data(), nonce_len,
+                                 in, valid_encryption_len, nullptr, 0));
+  EXPECT_FALSE(EVP_AEAD_CTX_open(ctx.get(), out2 /* in + 1 */, &out_len,
+                                 valid_encryption_len, nonce.data(), nonce_len,
+                                 in, valid_encryption_len, nullptr, 0));
  ERR_clear_error();

  // Test with out == in, which we expect to work.
  OPENSSL_memcpy(in, kPlaintext, sizeof(kPlaintext));

-  if (!EVP_AEAD_CTX_seal(ctx.get(), in, &out_len,
-                         sizeof(kPlaintext) + max_overhead, nonce.data(),
-                         nonce_len, in, sizeof(kPlaintext), nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal failed in-place.\n");
-    return false;
-  }
-
-  if (out_len != valid_encryption_len ||
-      OPENSSL_memcmp(in, valid_encryption.data(), out_len) != 0) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal produced bad output in-place.\n");
-    return false;
-  }
+  ASSERT_TRUE(EVP_AEAD_CTX_seal(ctx.get(), in, &out_len,
+                                sizeof(kPlaintext) + max_overhead, nonce.data(),
+                                nonce_len, in, sizeof(kPlaintext), nullptr, 0));
+  EXPECT_EQ(Bytes(valid_encryption.data(), valid_encryption_len),
+            Bytes(in, out_len));

  OPENSSL_memcpy(in, valid_encryption.data(), valid_encryption_len);
-  if (!EVP_AEAD_CTX_open(ctx.get(), in, &out_len, valid_encryption_len,
-                         nonce.data(), nonce_len, in, valid_encryption_len,
-                         nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_open failed in-place.\n");
-    return false;
-  }
-
-  if (out_len != sizeof(kPlaintext) ||
-      OPENSSL_memcmp(in, kPlaintext, out_len) != 0) {
-    fprintf(stderr, "EVP_AEAD_CTX_open produced bad output in-place.\n");
-    return false;
-  }
-
-  return true;
+  ASSERT_TRUE(EVP_AEAD_CTX_open(ctx.get(), in, &out_len, valid_encryption_len,
+                                nonce.data(), nonce_len, in,
+                                valid_encryption_len, nullptr, 0));
+  EXPECT_EQ(Bytes(kPlaintext), Bytes(in, out_len));
 }

-struct KnownAEAD {
-  const char name[40];
-  const EVP_AEAD *(*func)(void);
-  // limited_implementation indicates that tests that assume a generic AEAD
-  // interface should not be performed. For example, the key-wrap AEADs only
-  // handle inputs that are a multiple of eight bytes in length and the
-  // SSLv3/TLS AEADs have the concept of “direction”.
-  bool limited_implementation;
-  // truncated_tags is true if the AEAD supports truncating tags to arbitrary
-  // lengths.
-  bool truncated_tags;
-};
+TEST_P(PerAEADTest, UnalignedInput) {
+  alignas(64) uint8_t key[EVP_AEAD_MAX_KEY_LENGTH + 1];
+  alignas(64) uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH + 1];
+  alignas(64) uint8_t plaintext[32 + 1];
+  alignas(64) uint8_t ad[32 + 1];
+  OPENSSL_memset(key, 'K', sizeof(key));
+  OPENSSL_memset(nonce, 'N', sizeof(nonce));
+  OPENSSL_memset(plaintext, 'P', sizeof(plaintext));
+  OPENSSL_memset(ad, 'A', sizeof(ad));
+  const size_t key_len = EVP_AEAD_key_length(aead());
+  ASSERT_GE(sizeof(key) - 1, key_len);
+  const size_t nonce_len = EVP_AEAD_nonce_length(aead());
+  ASSERT_GE(sizeof(nonce) - 1, nonce_len);
+  const size_t ad_len =
+      GetParam().ad_len != 0 ? GetParam().ad_len : sizeof(ad) - 1;
+  ASSERT_GE(sizeof(ad) - 1, ad_len);

-static const struct KnownAEAD kAEADs[] = {
-  { "aes-128-gcm", EVP_aead_aes_128_gcm, false, true },
-  { "aes-256-gcm", EVP_aead_aes_256_gcm, false, true },
-  { "aes-128-gcm-siv", EVP_aead_aes_128_gcm_siv, false, false },
-  { "aes-256-gcm-siv", EVP_aead_aes_256_gcm_siv, false, false },
-  { "aes-128-gcm-fips-testonly", EVP_aead_aes_128_gcm_fips_testonly, true, true },
-  { "aes-256-gcm-fips-testonly", EVP_aead_aes_256_gcm_fips_testonly, true, true },
-  { "chacha20-poly1305", EVP_aead_chacha20_poly1305, false, true },
-  { "aes-128-cbc-sha1-tls", EVP_aead_aes_128_cbc_sha1_tls, true, false },
-  { "aes-128-cbc-sha1-tls-implicit-iv", EVP_aead_aes_128_cbc_sha1_tls_implicit_iv, true, false },
-  { "aes-128-cbc-sha256-tls", EVP_aead_aes_128_cbc_sha256_tls, true, false },
-  { "aes-256-cbc-sha1-tls", EVP_aead_aes_256_cbc_sha1_tls, true, false },
-  { "aes-256-cbc-sha1-tls-implicit-iv", EVP_aead_aes_256_cbc_sha1_tls_implicit_iv, true, false },
-  { "aes-256-cbc-sha256-tls", EVP_aead_aes_256_cbc_sha256_tls, true, false },
-  { "aes-256-cbc-sha384-tls", EVP_aead_aes_256_cbc_sha384_tls, true, false },
-  { "des-ede3-cbc-sha1-tls", EVP_aead_des_ede3_cbc_sha1_tls, true, false },
-  { "des-ede3-cbc-sha1-tls-implicit-iv", EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv, true, false },
-  { "aes-128-cbc-sha1-ssl3", EVP_aead_aes_128_cbc_sha1_ssl3, true, false },
-  { "aes-256-cbc-sha1-ssl3", EVP_aead_aes_256_cbc_sha1_ssl3, true, false },
-  { "des-ede3-cbc-sha1-ssl3", EVP_aead_des_ede3_cbc_sha1_ssl3, true, false },
-  { "aes-128-ctr-hmac-sha256", EVP_aead_aes_128_ctr_hmac_sha256, false, true },
-  { "aes-256-ctr-hmac-sha256", EVP_aead_aes_256_ctr_hmac_sha256, false, true },
-  { "", NULL, false, false },
-};
+  // Encrypt some input.
+  bssl::ScopedEVP_AEAD_CTX ctx;
+  ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+      ctx.get(), aead(), key + 1, key_len, EVP_AEAD_DEFAULT_TAG_LENGTH,
+      evp_aead_seal));
+  alignas(64) uint8_t ciphertext[sizeof(plaintext) + EVP_AEAD_MAX_OVERHEAD];
+  size_t ciphertext_len;
+  ASSERT_TRUE(EVP_AEAD_CTX_seal(ctx.get(), ciphertext + 1, &ciphertext_len,
+                                sizeof(ciphertext) - 1, nonce + 1, nonce_len,
+                                plaintext + 1, sizeof(plaintext) - 1, ad + 1,
+                                ad_len));

-int main(int argc, char **argv) {
-  CRYPTO_library_init();
-
-  if (argc != 3) {
-    fprintf(stderr, "%s <aead> <test file.txt>\n", argv[0]);
-    return 1;
-  }
-
-  const struct KnownAEAD *known_aead;
-  for (unsigned i = 0;; i++) {
-    known_aead = &kAEADs[i];
-    if (known_aead->func == NULL) {
-      fprintf(stderr, "Unknown AEAD: %s\n", argv[1]);
-      return 2;
-    }
-    if (strcmp(known_aead->name, argv[1]) == 0) {
-      break;
-    }
-  }
-
-  const EVP_AEAD *const aead = known_aead->func();
-  if (aead == NULL) {
-    // AEAD is not compiled in this configuration.
-    printf("PASS\n");
-    return 0;
-  }
-
-  if (!TestCleanupAfterInitFailure(aead)) {
-    return 1;
-  }
-
-  if (known_aead->truncated_tags && !TestTruncatedTags(aead)) {
-    fprintf(stderr, "Truncated tags test failed for %s.\n", known_aead->name);
-    return 1;
-  }
-
-  if (!known_aead->limited_implementation && !TestWithAliasedBuffers(aead)) {
-    fprintf(stderr, "Aliased buffers test failed for %s.\n", known_aead->name);
-    return 1;
-  }
-
-  return FileTestMain(TestAEAD, const_cast<EVP_AEAD*>(aead), argv[2]);
+  // It must successfully decrypt.
+  alignas(64) uint8_t out[sizeof(ciphertext)];
+  ctx.Reset();
+  ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+      ctx.get(), aead(), key + 1, key_len, EVP_AEAD_DEFAULT_TAG_LENGTH,
+      evp_aead_open));
+  size_t out_len;
+  ASSERT_TRUE(EVP_AEAD_CTX_open(ctx.get(), out + 1, &out_len, sizeof(out) - 1,
+                                nonce + 1, nonce_len, ciphertext + 1,
+                                ciphertext_len, ad + 1, ad_len));
+  EXPECT_EQ(Bytes(plaintext + 1, sizeof(plaintext) - 1),
+            Bytes(out + 1, out_len));
+}
+
+TEST_P(PerAEADTest, Overflow) {
+  alignas(64) uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
+  OPENSSL_memset(key, 'K', sizeof(key));
+
+  bssl::ScopedEVP_AEAD_CTX ctx;
+  const size_t max_tag_len = EVP_AEAD_max_tag_len(aead());
+  ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(ctx.get(), aead(), key,
+                                               EVP_AEAD_key_length(aead()),
+                                               max_tag_len, evp_aead_seal));
+
+  uint8_t plaintext[1] = {0};
+  uint8_t ciphertext[1024] = {0};
+  size_t ciphertext_len;
+  // The AEAD must not overflow when calculating the ciphertext length.
+  ASSERT_FALSE(EVP_AEAD_CTX_seal(
+      ctx.get(), ciphertext, &ciphertext_len, sizeof(ciphertext), nullptr, 0,
+      plaintext, std::numeric_limits<size_t>::max() - max_tag_len + 1, nullptr,
+      0));
+  ERR_clear_error();
+
+  // (Can't test the scatter interface because it'll attempt to zero the output
+  // buffer on error and the primary output buffer is implicitly the same size
+  // as the input.)
+}
+
+// Test that EVP_aead_aes_128_gcm and EVP_aead_aes_256_gcm reject empty nonces.
+// AES-GCM is not defined for those.
+TEST(AEADTest, AESGCMEmptyNonce) {
+  static const uint8_t kZeros[32] = {0};
+
+  // Test AES-128-GCM.
+  uint8_t buf[16];
+  size_t len;
+  bssl::ScopedEVP_AEAD_CTX ctx;
+  ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), EVP_aead_aes_128_gcm(), kZeros, 16,
+                                EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
+
+  EXPECT_FALSE(EVP_AEAD_CTX_seal(ctx.get(), buf, &len, sizeof(buf),
+                                 nullptr /* nonce */, 0, nullptr /* in */, 0,
+                                 nullptr /* ad */, 0));
+  uint32_t err = ERR_get_error();
+  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
+  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
+
+  EXPECT_FALSE(EVP_AEAD_CTX_open(ctx.get(), buf, &len, sizeof(buf),
+                                 nullptr /* nonce */, 0, kZeros /* in */,
+                                 sizeof(kZeros), nullptr /* ad */, 0));
+  err = ERR_get_error();
+  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
+  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
+
+  // Test AES-256-GCM.
+  ctx.Reset();
+  ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), EVP_aead_aes_256_gcm(), kZeros, 32,
+                                EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
+
+  EXPECT_FALSE(EVP_AEAD_CTX_seal(ctx.get(), buf, &len, sizeof(buf),
+                                 nullptr /* nonce */, 0, nullptr /* in */, 0,
+                                 nullptr /* ad */, 0));
+  err = ERR_get_error();
+  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
+  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
+
+  EXPECT_FALSE(EVP_AEAD_CTX_open(ctx.get(), buf, &len, sizeof(buf),
+                                 nullptr /* nonce */, 0, kZeros /* in */,
+                                 sizeof(kZeros), nullptr /* ad */, 0));
+  err = ERR_get_error();
+  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
+  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
 }
@@ -460,7 +460,7 @@ $code.=<<___;
 .align 16
 aes128gcmsiv_aes_ks:
 .cfi_startproc
-    vmovdqa (%rdi), %xmm1           # xmm1 = user key
+    vmovdqu (%rdi), %xmm1           # xmm1 = user key
    vmovdqa %xmm1, (%rsi)           # rsi points to output

    vmovdqa con1(%rip), %xmm0
@@ -521,8 +521,8 @@ $code.=<<___;
 .align 16
 aes256gcmsiv_aes_ks:
 .cfi_startproc
-    vmovdqa (%rdi), %xmm1
-    vmovdqa 16(%rdi), %xmm3
+    vmovdqu (%rdi), %xmm1
+    vmovdqu 16(%rdi), %xmm3
    vmovdqa %xmm1, (%rsi)
    vmovdqa %xmm3, 16(%rsi)
    vmovdqa con1(%rip), %xmm0
@@ -78,6 +78,7 @@ chacha20_poly1305_constants:
 .byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00
 .byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00
 .byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00
+.byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
 ___

 my ($oup,$inp,$inl,$adp,$keyp,$itr1,$itr2)=("%rdi","%rsi","%rbx","%rcx","%r9","%rcx","%r8");
@@ -856,7 +857,9 @@ chacha20_poly1305_seal:
 .cfi_offset r15, -56
    lea 32(%rsp), %rbp
    and \$-32, %rbp
-    mov %rdx, 8+$len_store
+    mov 56($keyp), $inl  # extra_in_len
+    addq %rdx, $inl
+    mov $inl, 8+$len_store
    mov %r8, 0+$len_store
    mov %rdx, $inl\n"; $code.="
    mov OPENSSL_ia32cap_P+8(%rip), %eax
@@ -1093,11 +1096,9 @@ seal_sse_128_seal:

 seal_sse_tail_16:
    test $inl, $inl
-    jz seal_sse_finalize
+    jz process_blocks_of_extra_in
    # We can only load the PT one byte at a time to avoid buffer overread
    mov $inl, $itr2
-    shl \$4, $itr2
-    lea .and_masks(%rip), $t0
    mov $inl, $itr1
    lea -1($inp, $inl), $inp
    pxor $T3, $T3
@@ -1106,7 +1107,7 @@ seal_sse_tail_16:
        pinsrb \$0, ($inp), $T3
        lea -1($inp), $inp
        dec $itr1
-    jne 1b
+        jne 1b

    # XOR the keystream with the plaintext.
    pxor $A0, $T3
@@ -1121,14 +1122,121 @@ seal_sse_tail_16:
        sub \$1, $itr1
        jnz 2b

-    pand -16($t0, $itr2), $T3
+    # $T3 contains the final (partial, non-empty) block of ciphertext which
+    # needs to be fed into the Poly1305 state. The right-most $inl bytes of it
+    # are valid. We need to fill it with extra_in bytes until full, or until we
+    # run out of bytes.
+    #
+    # $keyp points to the tag output, which is actually a struct with the
+    # extra_in pointer and length at offset 48.
+    movq 288+32(%rsp), $keyp
+    movq 56($keyp), $t1  # extra_in_len
+    movq 48($keyp), $t0  # extra_in
+    test $t1, $t1
+    jz process_partial_block  # Common case: no bytes of extra_in
+
+    movq \$16, $t2
+    subq $inl, $t2  # 16-$inl is the number of bytes that fit into $T3.
+    cmpq $t2, $t1   # if extra_in_len < 16-$inl, only copy extra_in_len
+                    # (note that AT&T syntax reverses the arguments)
+    jge load_extra_in
+    movq $t1, $t2
+
+load_extra_in:
+    # $t2 contains the number of bytes of extra_in (pointed to by $t0) to load
+    # into $T3. They are loaded in reverse order.
+    leaq -1($t0, $t2), $inp
+    # Update extra_in and extra_in_len to reflect the bytes that are about to
+    # be read.
+    addq $t2, $t0
+    subq $t2, $t1
+    movq $t0, 48($keyp)
+    movq $t1, 56($keyp)
+
+    # Update $itr2, which is used to select the mask later on, to reflect the
+    # extra bytes about to be added.
+    addq $t2, $itr2
+
+    # Load $t2 bytes of extra_in into $T2.
+    pxor $T2, $T2
+3:
+        pslldq \$1, $T2
+        pinsrb \$0, ($inp), $T2
+        lea -1($inp), $inp
+        sub \$1, $t2
+        jnz 3b
+
+    # Shift $T2 up the length of the remainder from the main encryption. Sadly,
+    # the shift for an XMM register has to be a constant, thus we loop to do
+    # this.
+    movq $inl, $t2
+
+4:
+        pslldq \$1, $T2
+        sub \$1, $t2
+        jnz 4b
+
+    # Mask $T3 (the remainder from the main encryption) so that superfluous
+    # bytes are zero. This means that the non-zero bytes in $T2 and $T3 are
+    # disjoint and so we can merge them with an OR.
+    lea .and_masks(%rip), $t2
+    shl \$4, $inl
+    pand -16($t2, $inl), $T3
+
+    # Merge $T2 into $T3, forming the remainder block.
+    por $T2, $T3
+
+    # The block of ciphertext + extra_in is ready to be included in the
+    # Poly1305 state.
    movq $T3, $t0
    pextrq \$1, $T3, $t1
    add $t0, $acc0
    adc $t1, $acc1
    adc \$1, $acc2\n";
    &poly_mul(); $code.="
-seal_sse_finalize:\n";
+
+process_blocks_of_extra_in:
+    # There may be additional bytes of extra_in to process.
+    movq 288+32(%rsp), $keyp
+    movq 48($keyp), $inp   # extra_in
+    movq 56($keyp), $itr2  # extra_in_len
+    movq $itr2, $itr1
+    shr \$4, $itr2         # number of blocks
+
+5:
+        jz process_extra_in_trailer\n";
+        &poly_add("0($inp)");
+        &poly_mul(); $code.="
+        leaq 16($inp), $inp
+        subq \$1, $itr2
+        jmp 5b
+
+process_extra_in_trailer:
+    andq \$15, $itr1       # remaining num bytes (<16) of extra_in
+    movq $itr1, $inl
+    jz do_length_block
+    leaq -1($inp, $itr1), $inp
+
+6:
+        pslldq \$1, $T3
+        pinsrb \$0, ($inp), $T3
+        lea -1($inp), $inp
+        sub \$1, $itr1
+        jnz 6b
+
+process_partial_block:
+    # $T3 contains $inl bytes of data to be fed into Poly1305. $inl != 0
+    lea .and_masks(%rip), $t2
+    shl \$4, $inl
+    pand -16($t2, $inl), $T3
+    movq $T3, $t0
+    pextrq \$1, $T3, $t1
+    add $t0, $acc0
+    adc $t1, $acc1
+    adc \$1, $acc2\n";
+    &poly_mul(); $code.="
+
+do_length_block:\n";
    &poly_add($len_store);
    &poly_mul(); $code.="
    # Final reduce
@@ -57,11 +57,13 @@
 #include <string>
 #include <vector>

+#include <gtest/gtest.h>
+
 #include <openssl/cipher.h>
-#include <openssl/crypto.h>
 #include <openssl/err.h>

 #include "../test/file_test.h"
+#include "../test/test_util.h"


 static const EVP_CIPHER *GetCipher(const std::string &name) {
@@ -109,11 +111,8 @@ static const EVP_CIPHER *GetCipher(const std::string &name) {
  return nullptr;
 }

-static bool TestOperation(FileTest *t,
-                          const EVP_CIPHER *cipher,
-                          bool encrypt,
-                          size_t chunk_size,
-                          const std::vector<uint8_t> &key,
+static void TestOperation(FileTest *t, const EVP_CIPHER *cipher, bool encrypt,
+                          size_t chunk_size, const std::vector<uint8_t> &key,
                          const std::vector<uint8_t> &iv,
                          const std::vector<uint8_t> &plaintext,
                          const std::vector<uint8_t> &ciphertext,
@@ -131,48 +130,36 @@ static bool TestOperation(FileTest *t,
  bool is_aead = EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE;

  bssl::ScopedEVP_CIPHER_CTX ctx;
-  if (!EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr,
-                         encrypt ? 1 : 0)) {
-    return false;
-  }
+  ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr,
+                         encrypt ? 1 : 0));
  if (t->HasAttribute("IV")) {
    if (is_aead) {
-      if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN,
-                               iv.size(), 0)) {
-        return false;
-      }
-    } else if (iv.size() != EVP_CIPHER_CTX_iv_length(ctx.get())) {
-      t->PrintLine("Bad IV length.");
-      return false;
+      ASSERT_TRUE(
+          EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN, iv.size(), 0));
+    } else {
+      ASSERT_EQ(iv.size(), EVP_CIPHER_CTX_iv_length(ctx.get()));
    }
  }
-  if (is_aead && !encrypt &&
-      !EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, tag.size(),
-                           const_cast<uint8_t*>(tag.data()))) {
-    return false;
+  if (is_aead && !encrypt) {
+    ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, tag.size(),
+                                    const_cast<uint8_t *>(tag.data())));
  }
  // The ciphers are run with no padding. For each of the ciphers we test, the
  // output size matches the input size.
  std::vector<uint8_t> result(in->size());
-  if (in->size() != out->size()) {
-    t->PrintLine("Input/output size mismatch (%u vs %u).", (unsigned)in->size(),
-                 (unsigned)out->size());
-    return false;
-  }
+  ASSERT_EQ(in->size(), out->size());
+  int unused, result_len1 = 0, result_len2;
+  ASSERT_TRUE(EVP_CIPHER_CTX_set_key_length(ctx.get(), key.size()));
+  ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, key.data(),
+                                iv.data(), -1));
  // Note: the deprecated |EVP_CIPHER|-based AES-GCM API is sensitive to whether
  // parameters are NULL, so it is important to skip the |in| and |aad|
  // |EVP_CipherUpdate| calls when empty.
-  int unused, result_len1 = 0, result_len2;
-  if (!EVP_CIPHER_CTX_set_key_length(ctx.get(), key.size()) ||
-      !EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, key.data(), iv.data(),
-                         -1) ||
-      (!aad.empty() &&
-       !EVP_CipherUpdate(ctx.get(), nullptr, &unused, aad.data(),
-                         aad.size())) ||
-      !EVP_CIPHER_CTX_set_padding(ctx.get(), 0)) {
-    t->PrintLine("Operation failed.");
-    return false;
+  if (!aad.empty()) {
+    ASSERT_TRUE(
+        EVP_CipherUpdate(ctx.get(), nullptr, &unused, aad.data(), aad.size()));
  }
+  ASSERT_TRUE(EVP_CIPHER_CTX_set_padding(ctx.get(), 0));
  if (chunk_size != 0) {
    for (size_t i = 0; i < in->size();) {
      size_t todo = chunk_size;
@@ -181,72 +168,44 @@ static bool TestOperation(FileTest *t,
      }

      int len;
-      if (!EVP_CipherUpdate(ctx.get(), result.data() + result_len1, &len,
-                            in->data() + i, todo)) {
-        t->PrintLine("Operation failed.");
-        return false;
-      }
+      ASSERT_TRUE(EVP_CipherUpdate(ctx.get(), result.data() + result_len1, &len,
+                                   in->data() + i, todo));
      result_len1 += len;
      i += todo;
    }
-  } else if (!in->empty() &&
-             !EVP_CipherUpdate(ctx.get(), result.data(), &result_len1,
-                               in->data(), in->size())) {
-    t->PrintLine("Operation failed.");
-    return false;
-  }
-  if (!EVP_CipherFinal_ex(ctx.get(), result.data() + result_len1,
-                          &result_len2)) {
-    t->PrintLine("Operation failed.");
-    return false;
+  } else if (!in->empty()) {
+    ASSERT_TRUE(EVP_CipherUpdate(ctx.get(), result.data(), &result_len1,
+                                 in->data(), in->size()));
  }
+  ASSERT_TRUE(
+      EVP_CipherFinal_ex(ctx.get(), result.data() + result_len1, &result_len2));
  result.resize(result_len1 + result_len2);
-  if (!t->ExpectBytesEqual(out->data(), out->size(), result.data(),
-                           result.size())) {
-    return false;
-  }
+  EXPECT_EQ(Bytes(*out), Bytes(result));
  if (encrypt && is_aead) {
    uint8_t rtag[16];
-    if (tag.size() > sizeof(rtag)) {
-      t->PrintLine("Bad tag length.");
-      return false;
-    }
-    if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, tag.size(),
-                             rtag) ||
-        !t->ExpectBytesEqual(tag.data(), tag.size(), rtag,
-                             tag.size())) {
-      return false;
-    }
+    ASSERT_LE(tag.size(), sizeof(rtag));
+    ASSERT_TRUE(
+        EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, tag.size(), rtag));
+    EXPECT_EQ(Bytes(tag), Bytes(rtag, tag.size()));
  }
-  return true;
 }

-static bool TestCipher(FileTest *t, void *arg) {
+static void TestCipher(FileTest *t) {
  std::string cipher_str;
-  if (!t->GetAttribute(&cipher_str, "Cipher")) {
-    return false;
-  }
+  ASSERT_TRUE(t->GetAttribute(&cipher_str, "Cipher"));
  const EVP_CIPHER *cipher = GetCipher(cipher_str);
-  if (cipher == nullptr) {
-    t->PrintLine("Unknown cipher: '%s'.", cipher_str.c_str());
-    return false;
-  }
+  ASSERT_TRUE(cipher);

  std::vector<uint8_t> key, iv, plaintext, ciphertext, aad, tag;
-  if (!t->GetBytes(&key, "Key") ||
-      !t->GetBytes(&plaintext, "Plaintext") ||
-      !t->GetBytes(&ciphertext, "Ciphertext")) {
-    return false;
-  }
-  if (EVP_CIPHER_iv_length(cipher) > 0 &&
-      !t->GetBytes(&iv, "IV")) {
-    return false;
+  ASSERT_TRUE(t->GetBytes(&key, "Key"));
+  ASSERT_TRUE(t->GetBytes(&plaintext, "Plaintext"));
+  ASSERT_TRUE(t->GetBytes(&ciphertext, "Ciphertext"));
+  if (EVP_CIPHER_iv_length(cipher) > 0) {
+    ASSERT_TRUE(t->GetBytes(&iv, "IV"));
  }
  if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) {
-    if (!t->GetBytes(&aad, "AAD") ||
-        !t->GetBytes(&tag, "Tag")) {
-      return false;
-    }
+    ASSERT_TRUE(t->GetBytes(&aad, "AAD"));
+    ASSERT_TRUE(t->GetBytes(&tag, "Tag"));
  }

  enum {
@@ -261,8 +220,7 @@ static bool TestCipher(FileTest *t, void *arg) {
    } else if (str == "DECRYPT") {
      operation = kDecrypt;
    } else {
-      t->PrintLine("Unknown operation: '%s'.", str.c_str());
-      return false;
+      FAIL() << "Unknown operation: " << str;
    }
  }

@@ -270,30 +228,60 @@ static bool TestCipher(FileTest *t, void *arg) {
                                           17, 31, 32, 33, 63, 64, 65, 512};

  for (size_t chunk_size : chunk_sizes) {
+    SCOPED_TRACE(chunk_size);
    // By default, both directions are run, unless overridden by the operation.
-    if (operation != kDecrypt &&
-        !TestOperation(t, cipher, true /* encrypt */, chunk_size, key, iv,
-                       plaintext, ciphertext, aad, tag)) {
-      return false;
+    if (operation != kDecrypt) {
+      SCOPED_TRACE("encrypt");
+      TestOperation(t, cipher, true /* encrypt */, chunk_size, key, iv,
+                    plaintext, ciphertext, aad, tag);
    }

-    if (operation != kEncrypt &&
-        !TestOperation(t, cipher, false /* decrypt */, chunk_size, key, iv,
-                       plaintext, ciphertext, aad, tag)) {
-      return false;
+    if (operation != kEncrypt) {
+      SCOPED_TRACE("decrypt");
+      TestOperation(t, cipher, false /* decrypt */, chunk_size, key, iv,
+                    plaintext, ciphertext, aad, tag);
    }
  }
-
-  return true;
 }

-int main(int argc, char **argv) {
-  CRYPTO_library_init();
-
-  if (argc != 2) {
-    fprintf(stderr, "%s <test file>\n", argv[0]);
-    return 1;
-  }
-
-  return FileTestMain(TestCipher, nullptr, argv[1]);
+TEST(CipherTest, TestVectors) {
+  FileTestGTest("crypto/cipher_extra/test/cipher_tests.txt", TestCipher);
+}
+
+TEST(CipherTest, CAVP_AES_128_CBC) {
+  FileTestGTest("crypto/cipher_extra/test/nist_cavp/aes_128_cbc.txt",
+                TestCipher);
+}
+
+TEST(CipherTest, CAVP_AES_128_CTR) {
+  FileTestGTest("crypto/cipher_extra/test/nist_cavp/aes_128_ctr.txt",
+                TestCipher);
+}
+
+TEST(CipherTest, CAVP_AES_192_CBC) {
+  FileTestGTest("crypto/cipher_extra/test/nist_cavp/aes_192_cbc.txt",
+                TestCipher);
+}
+
+TEST(CipherTest, CAVP_AES_192_CTR) {
+  FileTestGTest("crypto/cipher_extra/test/nist_cavp/aes_192_ctr.txt",
+                TestCipher);
+}
+
+TEST(CipherTest, CAVP_AES_256_CBC) {
+  FileTestGTest("crypto/cipher_extra/test/nist_cavp/aes_256_cbc.txt",
+                TestCipher);
+}
+
+TEST(CipherTest, CAVP_AES_256_CTR) {
+  FileTestGTest("crypto/cipher_extra/test/nist_cavp/aes_256_ctr.txt",
+                TestCipher);
+}
+
+TEST(CipherTest, CAVP_TDES_CBC) {
+  FileTestGTest("crypto/cipher_extra/test/nist_cavp/tdes_cbc.txt", TestCipher);
+}
+
+TEST(CipherTest, CAVP_TDES_ECB) {
+  FileTestGTest("crypto/cipher_extra/test/nist_cavp/tdes_ecb.txt", TestCipher);
 }
@@ -33,7 +33,6 @@ struct aead_aes_ctr_hmac_sha256_ctx {
  block128_f block;
  SHA256_CTX inner_init_state;
  SHA256_CTX outer_init_state;
-  uint8_t tag_len;
 };

 static void hmac_init(SHA256_CTX *out_inner, SHA256_CTX *out_outer,
@@ -67,13 +66,13 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  if (key_len < hmac_key_len) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
-    return 0; /* EVP_AEAD_CTX_init should catch this. */
+    return 0;  // EVP_AEAD_CTX_init should catch this.
  }

  const size_t aes_key_len = key_len - hmac_key_len;
  if (aes_key_len != 16 && aes_key_len != 32) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
-    return 0; /* EVP_AEAD_CTX_init should catch this. */
+    return 0;  // EVP_AEAD_CTX_init should catch this.
  }

  if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
@@ -93,7 +92,7 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  aes_ctx->ctr =
      aes_ctr_set_key(&aes_ctx->ks.ks, NULL, &aes_ctx->block, key, aes_key_len);
-  aes_ctx->tag_len = tag_len;
+  ctx->tag_len = tag_len;
  hmac_init(&aes_ctx->inner_init_state, &aes_ctx->outer_init_state,
            key + aes_key_len);

@@ -103,9 +102,7 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
 }

 static void aead_aes_ctr_hmac_sha256_cleanup(EVP_AEAD_CTX *ctx) {
-  struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
-  OPENSSL_cleanse(aes_ctx, sizeof(struct aead_aes_ctr_hmac_sha256_ctx));
-  OPENSSL_free(aes_ctx);
+  OPENSSL_free(ctx->aead_state);
 }

 static void hmac_update_uint64(SHA256_CTX *sha256, uint64_t value) {
@@ -132,7 +129,7 @@ static void hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH],
  SHA256_Update(&sha256, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
  SHA256_Update(&sha256, ad, ad_len);

-  /* Pad with zeros to the end of the SHA-256 block. */
+  // Pad with zeros to the end of the SHA-256 block.
  const unsigned num_padding =
      (SHA256_CBLOCK - ((sizeof(uint64_t)*2 +
                         EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN + ad_len) %
@@ -155,8 +152,8 @@ static void hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH],
 static void aead_aes_ctr_hmac_sha256_crypt(
    const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx, uint8_t *out,
    const uint8_t *in, size_t len, const uint8_t *nonce) {
-  /* Since the AEAD operation is one-shot, keeping a buffer of unused keystream
-   * bytes is pointless. However, |CRYPTO_ctr128_encrypt| requires it. */
+  // Since the AEAD operation is one-shot, keeping a buffer of unused keystream
+  // bytes is pointless. However, |CRYPTO_ctr128_encrypt| requires it.
  uint8_t partial_block_buffer[AES_BLOCK_SIZE];
  unsigned partial_block_offset = 0;
  OPENSSL_memset(partial_block_buffer, 0, sizeof(partial_block_buffer));
@@ -176,22 +173,21 @@ static void aead_aes_ctr_hmac_sha256_crypt(
  }
 }

-static int aead_aes_ctr_hmac_sha256_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                         size_t *out_len, size_t max_out_len,
-                                         const uint8_t *nonce, size_t nonce_len,
-                                         const uint8_t *in, size_t in_len,
-                                         const uint8_t *ad, size_t ad_len) {
+static int aead_aes_ctr_hmac_sha256_seal_scatter(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
+    size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
+    size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
  const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
  const uint64_t in_len_64 = in_len;

-  if (in_len + aes_ctx->tag_len < in_len ||
-      /* This input is so large it would overflow the 32-bit block counter. */
-      in_len_64 >= (UINT64_C(1) << 32) * AES_BLOCK_SIZE) {
+  if (in_len_64 >= (UINT64_C(1) << 32) * AES_BLOCK_SIZE) {
+     // This input is so large it would overflow the 32-bit block counter.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

-  if (max_out_len < in_len + aes_ctx->tag_len) {
+  if (max_out_tag_len < ctx->tag_len) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }
@@ -206,32 +202,23 @@ static int aead_aes_ctr_hmac_sha256_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
  uint8_t hmac_result[SHA256_DIGEST_LENGTH];
  hmac_calculate(hmac_result, &aes_ctx->inner_init_state,
                 &aes_ctx->outer_init_state, ad, ad_len, nonce, out, in_len);
-  OPENSSL_memcpy(out + in_len, hmac_result, aes_ctx->tag_len);
-  *out_len = in_len + aes_ctx->tag_len;
+  OPENSSL_memcpy(out_tag, hmac_result, ctx->tag_len);
+  *out_tag_len = ctx->tag_len;

  return 1;
 }

-static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                         size_t *out_len, size_t max_out_len,
-                                         const uint8_t *nonce, size_t nonce_len,
-                                         const uint8_t *in, size_t in_len,
-                                         const uint8_t *ad, size_t ad_len) {
+static int aead_aes_ctr_hmac_sha256_open_gather(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
+    size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
  const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
-  size_t plaintext_len;

-  if (in_len < aes_ctx->tag_len) {
+  if (in_tag_len != ctx->tag_len) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

-  plaintext_len = in_len - aes_ctx->tag_len;
-
-  if (max_out_len < plaintext_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
  if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
    return 0;
@@ -240,44 +227,49 @@ static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  uint8_t hmac_result[SHA256_DIGEST_LENGTH];
  hmac_calculate(hmac_result, &aes_ctx->inner_init_state,
                 &aes_ctx->outer_init_state, ad, ad_len, nonce, in,
-                 plaintext_len);
-  if (CRYPTO_memcmp(hmac_result, in + plaintext_len, aes_ctx->tag_len) != 0) {
+                 in_len);
+  if (CRYPTO_memcmp(hmac_result, in_tag, ctx->tag_len) != 0) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

-  aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, plaintext_len, nonce);
+  aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, in_len, nonce);

-  *out_len = plaintext_len;
  return 1;
 }

 static const EVP_AEAD aead_aes_128_ctr_hmac_sha256 = {
    16 /* AES key */ + 32 /* HMAC key */,
-    12,                                       /* nonce length */
-    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* overhead */
-    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* max tag length */
+    12,                                    // nonce length
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,  // overhead
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,  // max tag length
+    0,                                     // seal_scatter_supports_extra_in

    aead_aes_ctr_hmac_sha256_init,
    NULL /* init_with_direction */,
    aead_aes_ctr_hmac_sha256_cleanup,
-    aead_aes_ctr_hmac_sha256_seal,
-    aead_aes_ctr_hmac_sha256_open,
+    NULL /* open */,
+    aead_aes_ctr_hmac_sha256_seal_scatter,
+    aead_aes_ctr_hmac_sha256_open_gather,
    NULL /* get_iv */,
+    NULL /* tag_len */,
 };

 static const EVP_AEAD aead_aes_256_ctr_hmac_sha256 = {
    32 /* AES key */ + 32 /* HMAC key */,
-    12,                                       /* nonce length */
-    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* overhead */
-    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* max tag length */
+    12,                                    // nonce length
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,  // overhead
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,  // max tag length
+    0,                                     // seal_scatter_supports_extra_in

    aead_aes_ctr_hmac_sha256_init,
    NULL /* init_with_direction */,
    aead_aes_ctr_hmac_sha256_cleanup,
-    aead_aes_ctr_hmac_sha256_seal,
-    aead_aes_ctr_hmac_sha256_open,
+    NULL /* open */,
+    aead_aes_ctr_hmac_sha256_seal_scatter,
+    aead_aes_ctr_hmac_sha256_open_gather,
    NULL /* get_iv */,
+    NULL /* tag_len */,
 };

 const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void) {
@@ -13,6 +13,9 @@
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

 #include <openssl/aead.h>
+
+#include <assert.h>
+
 #include <openssl/cipher.h>
 #include <openssl/cpu.h>
 #include <openssl/crypto.h>
@@ -21,27 +24,29 @@
 #include "../fipsmodule/cipher/internal.h"


-#if !defined(OPENSSL_SMALL)
-
 #define EVP_AEAD_AES_GCM_SIV_NONCE_LEN 12
 #define EVP_AEAD_AES_GCM_SIV_TAG_LEN 16

 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)

-/* Optimised AES-GCM-SIV */
+// Optimised AES-GCM-SIV

 struct aead_aes_gcm_siv_asm_ctx {
-  alignas(64) uint8_t key[16*15];
+  alignas(16) uint8_t key[16*15];
  int is_128_bit;
+  // ptr contains the original pointer from |OPENSSL_malloc|, which may only be
+  // 8-byte aligned. When freeing this structure, actually call |OPENSSL_free|
+  // on this pointer.
+  void *ptr;
 };

-/* aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
- * |out_expanded_key|. */
+// aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
+// |out_expanded_key|.
 extern void aes128gcmsiv_aes_ks(
    const uint8_t key[16], uint8_t out_expanded_key[16*15]);

-/* aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
- * |out_expanded_key|. */
+// aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
+// |out_expanded_key|.
 extern void aes256gcmsiv_aes_ks(
    const uint8_t key[16], uint8_t out_expanded_key[16*15]);

@@ -51,7 +56,7 @@ static int aead_aes_gcm_siv_asm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  if (key_bits != 128 && key_bits != 256) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
-    return 0; /* EVP_AEAD_CTX_init should catch this. */
+    return 0;  // EVP_AEAD_CTX_init should catch this.
  }

  if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
@@ -63,11 +68,18 @@ static int aead_aes_gcm_siv_asm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
    return 0;
  }

-  struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx =
-      OPENSSL_malloc(sizeof(struct aead_aes_gcm_siv_asm_ctx));
-  if (gcm_siv_ctx == NULL) {
+  char *ptr = OPENSSL_malloc(sizeof(struct aead_aes_gcm_siv_asm_ctx) + 8);
+  if (ptr == NULL) {
    return 0;
  }
+  assert((((uintptr_t)ptr) & 7) == 0);
+
+  // gcm_siv_ctx needs to be 16-byte aligned in a cross-platform way.
+  struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx =
+      (struct aead_aes_gcm_siv_asm_ctx *)(ptr + (((uintptr_t)ptr) & 8));
+
+  assert((((uintptr_t)gcm_siv_ctx) & 15) == 0);
+  gcm_siv_ctx->ptr = ptr;

  if (key_bits == 128) {
    aes128gcmsiv_aes_ks(key, &gcm_siv_ctx->key[0]);
@@ -77,133 +89,133 @@ static int aead_aes_gcm_siv_asm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
    gcm_siv_ctx->is_128_bit = 0;
  }
  ctx->aead_state = gcm_siv_ctx;
+  ctx->tag_len = tag_len;

  return 1;
 }

 static void aead_aes_gcm_siv_asm_cleanup(EVP_AEAD_CTX *ctx) {
-  struct aead_aes_gcm_siv_asm_ctx *gcm_siv_asm_ctx = ctx->aead_state;
-  OPENSSL_cleanse(gcm_siv_asm_ctx, sizeof(struct aead_aes_gcm_siv_asm_ctx));
-  OPENSSL_free(gcm_siv_asm_ctx);
+  const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = ctx->aead_state;
+  OPENSSL_free(gcm_siv_ctx->ptr);
 }

-/* aesgcmsiv_polyval_horner updates the POLYVAL value in |in_out_poly| to
- * include a number (|in_blocks|) of 16-byte blocks of data from |in|, given
- * the POLYVAL key in |key|. */
+// aesgcmsiv_polyval_horner updates the POLYVAL value in |in_out_poly| to
+// include a number (|in_blocks|) of 16-byte blocks of data from |in|, given
+// the POLYVAL key in |key|.
 extern void aesgcmsiv_polyval_horner(const uint8_t in_out_poly[16],
                                     const uint8_t key[16], const uint8_t *in,
                                     size_t in_blocks);

-/* aesgcmsiv_htable_init writes powers 1..8 of |auth_key| to |out_htable|. */
+// aesgcmsiv_htable_init writes powers 1..8 of |auth_key| to |out_htable|.
 extern void aesgcmsiv_htable_init(uint8_t out_htable[16 * 8],
                                  const uint8_t auth_key[16]);

-/* aesgcmsiv_htable6_init writes powers 1..6 of |auth_key| to |out_htable|. */
+// aesgcmsiv_htable6_init writes powers 1..6 of |auth_key| to |out_htable|.
 extern void aesgcmsiv_htable6_init(uint8_t out_htable[16 * 6],
                                   const uint8_t auth_key[16]);

-/* aesgcmsiv_htable_polyval updates the POLYVAL value in |in_out_poly| to
- * include |in_len| bytes of data from |in|. (Where |in_len| must be a multiple
- * of 16.) It uses the precomputed powers of the key given in |htable|. */
+// aesgcmsiv_htable_polyval updates the POLYVAL value in |in_out_poly| to
+// include |in_len| bytes of data from |in|. (Where |in_len| must be a multiple
+// of 16.) It uses the precomputed powers of the key given in |htable|.
 extern void aesgcmsiv_htable_polyval(const uint8_t htable[16 * 8],
                                     const uint8_t *in, size_t in_len,
                                     uint8_t in_out_poly[16]);

-/* aes128gcmsiv_dec decrypts |in_len| & ~15 bytes from |out| and writes them to
- * |in|. (The full value of |in_len| is still used to find the authentication
- * tag appended to the ciphertext, however, so must not be pre-masked.)
- *
- * |in| and |out| may be equal, but must not otherwise overlap.
- *
- * While decrypting, it updates the POLYVAL value found at the beginning of
- * |in_out_calculated_tag_and_scratch| and writes the updated value back before
- * return. During executation, it may use the whole of this space for other
- * purposes. In order to decrypt and update the POLYVAL value, it uses the
- * expanded key from |key| and the table of powers in |htable|. */
+// aes128gcmsiv_dec decrypts |in_len| & ~15 bytes from |out| and writes them to
+// |in|. (The full value of |in_len| is still used to find the authentication
+// tag appended to the ciphertext, however, so must not be pre-masked.)
+//
+// |in| and |out| may be equal, but must not otherwise overlap.
+//
+// While decrypting, it updates the POLYVAL value found at the beginning of
+// |in_out_calculated_tag_and_scratch| and writes the updated value back before
+// return. During executation, it may use the whole of this space for other
+// purposes. In order to decrypt and update the POLYVAL value, it uses the
+// expanded key from |key| and the table of powers in |htable|.
 extern void aes128gcmsiv_dec(const uint8_t *in, uint8_t *out,
                             uint8_t in_out_calculated_tag_and_scratch[16 * 8],
                             const uint8_t htable[16 * 6],
                             const struct aead_aes_gcm_siv_asm_ctx *key,
                             size_t in_len);

-/* aes256gcmsiv_dec acts like |aes128gcmsiv_dec|, but for AES-256. */
+// aes256gcmsiv_dec acts like |aes128gcmsiv_dec|, but for AES-256.
 extern void aes256gcmsiv_dec(const uint8_t *in, uint8_t *out,
                             uint8_t in_out_calculated_tag_and_scratch[16 * 8],
                             const uint8_t htable[16 * 6],
                             const struct aead_aes_gcm_siv_asm_ctx *key,
                             size_t in_len);

-/* aes128gcmsiv_kdf performs the AES-GCM-SIV KDF given the expanded key from
- * |key_schedule| and the nonce in |nonce|. Note that, while only 12 bytes of
- * the nonce are used, 16 bytes are read and so the value must be
- * right-padded. */
+// aes128gcmsiv_kdf performs the AES-GCM-SIV KDF given the expanded key from
+// |key_schedule| and the nonce in |nonce|. Note that, while only 12 bytes of
+// the nonce are used, 16 bytes are read and so the value must be
+// right-padded.
 extern void aes128gcmsiv_kdf(const uint8_t nonce[16],
                             uint64_t out_key_material[8],
                             const uint8_t *key_schedule);

-/* aes256gcmsiv_kdf acts like |aes128gcmsiv_kdf|, but for AES-256. */
+// aes256gcmsiv_kdf acts like |aes128gcmsiv_kdf|, but for AES-256.
 extern void aes256gcmsiv_kdf(const uint8_t nonce[16],
                             uint64_t out_key_material[12],
                             const uint8_t *key_schedule);

-/* aes128gcmsiv_aes_ks_enc_x1 performs a key expansion of the AES-128 key in
- * |key|, writes the expanded key to |out_expanded_key| and encrypts a single
- * block from |in| to |out|. */
+// aes128gcmsiv_aes_ks_enc_x1 performs a key expansion of the AES-128 key in
+// |key|, writes the expanded key to |out_expanded_key| and encrypts a single
+// block from |in| to |out|.
 extern void aes128gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16],
                                       uint8_t out_expanded_key[16 * 15],
                                       const uint64_t key[2]);

-/* aes256gcmsiv_aes_ks_enc_x1 acts like |aes128gcmsiv_aes_ks_enc_x1|, but for
- * AES-256. */
+// aes256gcmsiv_aes_ks_enc_x1 acts like |aes128gcmsiv_aes_ks_enc_x1|, but for
+// AES-256.
 extern void aes256gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16],
                                       uint8_t out_expanded_key[16 * 15],
                                       const uint64_t key[4]);

-/* aes128gcmsiv_ecb_enc_block encrypts a single block from |in| to |out| using
- * the expanded key in |expanded_key|. */
+// aes128gcmsiv_ecb_enc_block encrypts a single block from |in| to |out| using
+// the expanded key in |expanded_key|.
 extern void aes128gcmsiv_ecb_enc_block(
    const uint8_t in[16], uint8_t out[16],
    const struct aead_aes_gcm_siv_asm_ctx *expanded_key);

-/* aes256gcmsiv_ecb_enc_block acts like |aes128gcmsiv_ecb_enc_block|, but for
- * AES-256. */
+// aes256gcmsiv_ecb_enc_block acts like |aes128gcmsiv_ecb_enc_block|, but for
+// AES-256.
 extern void aes256gcmsiv_ecb_enc_block(
    const uint8_t in[16], uint8_t out[16],
    const struct aead_aes_gcm_siv_asm_ctx *expanded_key);

-/* aes128gcmsiv_enc_msg_x4 encrypts |in_len| bytes from |in| to |out| using the
- * expanded key from |key|. (The value of |in_len| must be a multiple of 16.)
- * The |in| and |out| buffers may be equal but must not otherwise overlap. The
- * initial counter is constructed from the given |tag| as required by
- * AES-GCM-SIV. */
+// aes128gcmsiv_enc_msg_x4 encrypts |in_len| bytes from |in| to |out| using the
+// expanded key from |key|. (The value of |in_len| must be a multiple of 16.)
+// The |in| and |out| buffers may be equal but must not otherwise overlap. The
+// initial counter is constructed from the given |tag| as required by
+// AES-GCM-SIV.
 extern void aes128gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out,
                                    const uint8_t *tag,
                                    const struct aead_aes_gcm_siv_asm_ctx *key,
                                    size_t in_len);

-/* aes256gcmsiv_enc_msg_x4 acts like |aes128gcmsiv_enc_msg_x4|, but for
- * AES-256. */
+// aes256gcmsiv_enc_msg_x4 acts like |aes128gcmsiv_enc_msg_x4|, but for
+// AES-256.
 extern void aes256gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out,
                                    const uint8_t *tag,
                                    const struct aead_aes_gcm_siv_asm_ctx *key,
                                    size_t in_len);

-/* aes128gcmsiv_enc_msg_x8 acts like |aes128gcmsiv_enc_msg_x4|, but is
- * optimised for longer messages. */
+// aes128gcmsiv_enc_msg_x8 acts like |aes128gcmsiv_enc_msg_x4|, but is
+// optimised for longer messages.
 extern void aes128gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out,
                                    const uint8_t *tag,
                                    const struct aead_aes_gcm_siv_asm_ctx *key,
                                    size_t in_len);

-/* aes256gcmsiv_enc_msg_x8 acts like |aes256gcmsiv_enc_msg_x4|, but is
- * optimised for longer messages. */
+// aes256gcmsiv_enc_msg_x8 acts like |aes256gcmsiv_enc_msg_x4|, but is
+// optimised for longer messages.
 extern void aes256gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out,
                                    const uint8_t *tag,
                                    const struct aead_aes_gcm_siv_asm_ctx *key,
                                    size_t in_len);

-/* gcm_siv_asm_polyval evaluates POLYVAL at |auth_key| on the given plaintext
- * and AD. The result is written to |out_tag|. */
+// gcm_siv_asm_polyval evaluates POLYVAL at |auth_key| on the given plaintext
+// and AD. The result is written to |out_tag|.
 static void gcm_siv_asm_polyval(uint8_t out_tag[16], const uint8_t *in,
                                size_t in_len, const uint8_t *ad, size_t ad_len,
                                const uint8_t auth_key[16],
@@ -263,10 +275,10 @@ static void gcm_siv_asm_polyval(uint8_t out_tag[16], const uint8_t *in,
  out_tag[15] &= 0x7f;
 }

-/* aead_aes_gcm_siv_asm_crypt_last_block handles the encryption/decryption
- * (same thing in CTR mode) of the final block of a plaintext/ciphertext. It
- * writes |in_len| & 15 bytes to |out| + |in_len|, based on an initial counter
- * derived from |tag|. */
+// aead_aes_gcm_siv_asm_crypt_last_block handles the encryption/decryption
+// (same thing in CTR mode) of the final block of a plaintext/ciphertext. It
+// writes |in_len| & 15 bytes to |out| + |in_len|, based on an initial counter
+// derived from |tag|.
 static void aead_aes_gcm_siv_asm_crypt_last_block(
    int is_128_bit, uint8_t *out, const uint8_t *in, size_t in_len,
    const uint8_t tag[16],
@@ -294,8 +306,8 @@ static void aead_aes_gcm_siv_asm_crypt_last_block(
  }
 }

-/* aead_aes_gcm_siv_kdf calculates the record encryption and authentication
- * keys given the |nonce|. */
+// aead_aes_gcm_siv_kdf calculates the record encryption and authentication
+// keys given the |nonce|.
 static void aead_aes_gcm_siv_kdf(
    int is_128_bit, const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx,
    uint64_t out_record_auth_key[2], uint64_t out_record_enc_key[4],
@@ -320,23 +332,22 @@ static void aead_aes_gcm_siv_kdf(
  out_record_auth_key[1] = key_material[2];
 }

-static int aead_aes_gcm_siv_asm_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                     size_t *out_len, size_t max_out_len,
-                                     const uint8_t *nonce, size_t nonce_len,
-                                     const uint8_t *in, size_t in_len,
-                                     const uint8_t *ad, size_t ad_len) {
+static int aead_aes_gcm_siv_asm_seal_scatter(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
+    size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
+    size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
  const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = ctx->aead_state;
  const uint64_t in_len_64 = in_len;
  const uint64_t ad_len_64 = ad_len;

-  if (in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN < in_len ||
-      in_len_64 > (UINT64_C(1) << 36) ||
+  if (in_len_64 > (UINT64_C(1) << 36) ||
      ad_len_64 >= (UINT64_C(1) << 61)) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

-  if (max_out_len < in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN) {
+  if (max_out_tag_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }
@@ -382,12 +393,15 @@ static int aead_aes_gcm_siv_asm_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
                                          in_len, tag, &enc_key_expanded);
  }

-  OPENSSL_memcpy(out + in_len, tag, sizeof(tag));
-  *out_len = in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN;
+  OPENSSL_memcpy(out_tag, tag, sizeof(tag));
+  *out_tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN;

  return 1;
 }

+// TODO(martinkr): Add aead_aes_gcm_siv_asm_open_gather. N.B. aes128gcmsiv_dec
+// expects ciphertext and tag in a contiguous buffer.
+
 static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
                                     size_t *out_len, size_t max_out_len,
                                     const uint8_t *nonce, size_t nonce_len,
@@ -426,8 +440,8 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  } else {
    aes256gcmsiv_aes_ks((const uint8_t *) record_enc_key, &expanded_key.key[0]);
  }
-  /* calculated_tag is 16*8 bytes, rather than 16 bytes, because
-   * aes[128|256]gcmsiv_dec uses the extra as scratch space. */
+  // calculated_tag is 16*8 bytes, rather than 16 bytes, because
+  // aes[128|256]gcmsiv_dec uses the extra as scratch space.
  alignas(16) uint8_t calculated_tag[16 * 8] = {0};

  OPENSSL_memset(calculated_tag, 0, EVP_AEAD_AES_GCM_SIV_TAG_LEN);
@@ -500,34 +514,40 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
 }

 static const EVP_AEAD aead_aes_128_gcm_siv_asm = {
-    16,                             /* key length */
-    EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
-    EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* overhead */
-    EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* max tag length */
+    16,                              // key length
+    EVP_AEAD_AES_GCM_SIV_NONCE_LEN,  // nonce length
+    EVP_AEAD_AES_GCM_SIV_TAG_LEN,    // overhead
+    EVP_AEAD_AES_GCM_SIV_TAG_LEN,    // max tag length
+    0,                               // seal_scatter_supports_extra_in

    aead_aes_gcm_siv_asm_init,
    NULL /* init_with_direction */,
    aead_aes_gcm_siv_asm_cleanup,
-    aead_aes_gcm_siv_asm_seal,
    aead_aes_gcm_siv_asm_open,
+    aead_aes_gcm_siv_asm_seal_scatter,
+    NULL /* open_gather */,
    NULL /* get_iv */,
+    NULL /* tag_len */,
 };

 static const EVP_AEAD aead_aes_256_gcm_siv_asm = {
-    32,                             /* key length */
-    EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
-    EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* overhead */
-    EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* max tag length */
+    32,                              // key length
+    EVP_AEAD_AES_GCM_SIV_NONCE_LEN,  // nonce length
+    EVP_AEAD_AES_GCM_SIV_TAG_LEN,    // overhead
+    EVP_AEAD_AES_GCM_SIV_TAG_LEN,    // max tag length
+    0,                               // seal_scatter_supports_extra_in

    aead_aes_gcm_siv_asm_init,
    NULL /* init_with_direction */,
    aead_aes_gcm_siv_asm_cleanup,
-    aead_aes_gcm_siv_asm_seal,
    aead_aes_gcm_siv_asm_open,
+    aead_aes_gcm_siv_asm_seal_scatter,
+    NULL /* open_gather */,
    NULL /* get_iv */,
+    NULL /* tag_len */,
 };

-#endif  /* X86_64 && !NO_ASM */
+#endif  // X86_64 && !NO_ASM

 struct aead_aes_gcm_siv_ctx {
  union {
@@ -544,13 +564,12 @@ static int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  if (key_bits != 128 && key_bits != 256) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
-    return 0; /* EVP_AEAD_CTX_init should catch this. */
+    return 0;  // EVP_AEAD_CTX_init should catch this.
  }

  if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
    tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN;
  }
-
  if (tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
    return 0;
@@ -567,23 +586,22 @@ static int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                  key_len);
  gcm_siv_ctx->is_256 = (key_len == 32);
  ctx->aead_state = gcm_siv_ctx;
+  ctx->tag_len = tag_len;

  return 1;
 }

 static void aead_aes_gcm_siv_cleanup(EVP_AEAD_CTX *ctx) {
-  struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;
-  OPENSSL_cleanse(gcm_siv_ctx, sizeof(struct aead_aes_gcm_siv_ctx));
-  OPENSSL_free(gcm_siv_ctx);
+  OPENSSL_free(ctx->aead_state);
 }

-/* gcm_siv_crypt encrypts (or decrypts—it's the same thing) |in_len| bytes from
- * |in| to |out|, using the block function |enc_block| with |key| in counter
- * mode, starting at |initial_counter|. This differs from the traditional
- * counter mode code in that the counter is handled little-endian, only the
- * first four bytes are used and the GCM-SIV tweak to the final byte is
- * applied. The |in| and |out| pointers may be equal but otherwise must not
- * alias. */
+// gcm_siv_crypt encrypts (or decrypts—it's the same thing) |in_len| bytes from
+// |in| to |out|, using the block function |enc_block| with |key| in counter
+// mode, starting at |initial_counter|. This differs from the traditional
+// counter mode code in that the counter is handled little-endian, only the
+// first four bytes are used and the GCM-SIV tweak to the final byte is
+// applied. The |in| and |out| pointers may be equal but otherwise must not
+// alias.
 static void gcm_siv_crypt(uint8_t *out, const uint8_t *in, size_t in_len,
                          const uint8_t initial_counter[AES_BLOCK_SIZE],
                          block128_f enc_block, const AES_KEY *key) {
@@ -613,8 +631,8 @@ static void gcm_siv_crypt(uint8_t *out, const uint8_t *in, size_t in_len,
  }
 }

-/* gcm_siv_polyval evaluates POLYVAL at |auth_key| on the given plaintext and
- * AD. The result is written to |out_tag|. */
+// gcm_siv_polyval evaluates POLYVAL at |auth_key| on the given plaintext and
+// AD. The result is written to |out_tag|.
 static void gcm_siv_polyval(
    uint8_t out_tag[16], const uint8_t *in, size_t in_len, const uint8_t *ad,
    size_t ad_len, const uint8_t auth_key[16],
@@ -658,7 +676,7 @@ static void gcm_siv_polyval(
  out_tag[15] &= 0x7f;
 }

-/* gcm_siv_record_keys contains the keys used for a specific GCM-SIV record. */
+// gcm_siv_record_keys contains the keys used for a specific GCM-SIV record.
 struct gcm_siv_record_keys {
  uint8_t auth_key[16];
  union {
@@ -668,8 +686,8 @@ struct gcm_siv_record_keys {
  block128_f enc_block;
 };

-/* gcm_siv_keys calculates the keys for a specific GCM-SIV record with the
- * given nonce and writes them to |*out_keys|. */
+// gcm_siv_keys calculates the keys for a specific GCM-SIV record with the
+// given nonce and writes them to |*out_keys|.
 static void gcm_siv_keys(
    const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx,
    struct gcm_siv_record_keys *out_keys,
@@ -695,11 +713,11 @@ static void gcm_siv_keys(
                  key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16);
 }

-static int aead_aes_gcm_siv_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                 size_t *out_len, size_t max_out_len,
-                                 const uint8_t *nonce, size_t nonce_len,
-                                 const uint8_t *in, size_t in_len,
-                                 const uint8_t *ad, size_t ad_len) {
+static int aead_aes_gcm_siv_seal_scatter(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
+    size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
+    size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
  const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;
  const uint64_t in_len_64 = in_len;
  const uint64_t ad_len_64 = ad_len;
@@ -711,7 +729,7 @@ static int aead_aes_gcm_siv_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
    return 0;
  }

-  if (max_out_len < in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN) {
+  if (max_out_tag_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }
@@ -730,17 +748,18 @@ static int aead_aes_gcm_siv_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  gcm_siv_crypt(out, in, in_len, tag, keys.enc_block, &keys.enc_key.ks);

-  OPENSSL_memcpy(&out[in_len], tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN);
-  *out_len = in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN;
+  OPENSSL_memcpy(out_tag, tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN);
+  *out_tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN;

  return 1;
 }

-static int aead_aes_gcm_siv_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                 size_t *out_len, size_t max_out_len,
-                                 const uint8_t *nonce, size_t nonce_len,
-                                 const uint8_t *in, size_t in_len,
-                                 const uint8_t *ad, size_t ad_len) {
+static int aead_aes_gcm_siv_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
+                                        const uint8_t *nonce, size_t nonce_len,
+                                        const uint8_t *in, size_t in_len,
+                                        const uint8_t *in_tag,
+                                        size_t in_tag_len, const uint8_t *ad,
+                                        size_t ad_len) {
  const uint64_t ad_len_64 = ad_len;
  if (ad_len_64 >= (UINT64_C(1) << 61)) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
@@ -748,7 +767,7 @@ static int aead_aes_gcm_siv_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  }

  const uint64_t in_len_64 = in_len;
-  if (in_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN ||
+  if (in_tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN ||
      in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
@@ -760,60 +779,56 @@ static int aead_aes_gcm_siv_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  }

  const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;
-  const size_t plaintext_len = in_len - EVP_AEAD_AES_GCM_SIV_TAG_LEN;
-
-  if (max_out_len < plaintext_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }

  struct gcm_siv_record_keys keys;
  gcm_siv_keys(gcm_siv_ctx, &keys, nonce);

-  gcm_siv_crypt(out, in, plaintext_len, &in[plaintext_len], keys.enc_block,
-                &keys.enc_key.ks);
+  gcm_siv_crypt(out, in, in_len, in_tag, keys.enc_block, &keys.enc_key.ks);

  uint8_t expected_tag[EVP_AEAD_AES_GCM_SIV_TAG_LEN];
-  gcm_siv_polyval(expected_tag, out, plaintext_len, ad, ad_len, keys.auth_key,
-                  nonce);
+  gcm_siv_polyval(expected_tag, out, in_len, ad, ad_len, keys.auth_key, nonce);
  keys.enc_block(expected_tag, expected_tag, &keys.enc_key.ks);

-  if (CRYPTO_memcmp(expected_tag, &in[plaintext_len], sizeof(expected_tag)) !=
-      0) {
+  if (CRYPTO_memcmp(expected_tag, in_tag, sizeof(expected_tag)) != 0) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

-  *out_len = plaintext_len;
  return 1;
 }

 static const EVP_AEAD aead_aes_128_gcm_siv = {
-    16,                             /* key length */
-    EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
-    EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* overhead */
-    EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* max tag length */
+    16,                              // key length
+    EVP_AEAD_AES_GCM_SIV_NONCE_LEN,  // nonce length
+    EVP_AEAD_AES_GCM_SIV_TAG_LEN,    // overhead
+    EVP_AEAD_AES_GCM_SIV_TAG_LEN,    // max tag length
+    0,                               // seal_scatter_supports_extra_in

    aead_aes_gcm_siv_init,
    NULL /* init_with_direction */,
    aead_aes_gcm_siv_cleanup,
-    aead_aes_gcm_siv_seal,
-    aead_aes_gcm_siv_open,
+    NULL /* open */,
+    aead_aes_gcm_siv_seal_scatter,
+    aead_aes_gcm_siv_open_gather,
    NULL /* get_iv */,
+    NULL /* tag_len */,
 };

 static const EVP_AEAD aead_aes_256_gcm_siv = {
-    32,                             /* key length */
-    EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
-    EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* overhead */
-    EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* max tag length */
+    32,                              // key length
+    EVP_AEAD_AES_GCM_SIV_NONCE_LEN,  // nonce length
+    EVP_AEAD_AES_GCM_SIV_TAG_LEN,    // overhead
+    EVP_AEAD_AES_GCM_SIV_TAG_LEN,    // max tag length
+    0,                               // seal_scatter_supports_extra_in

    aead_aes_gcm_siv_init,
    NULL /* init_with_direction */,
    aead_aes_gcm_siv_cleanup,
-    aead_aes_gcm_siv_seal,
-    aead_aes_gcm_siv_open,
+    NULL /* open */,
+    aead_aes_gcm_siv_seal_scatter,
+    aead_aes_gcm_siv_open_gather,
    NULL /* get_iv */,
+    NULL /* tag_len */,
 };

 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
@@ -849,6 +864,4 @@ const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) {
  return &aead_aes_256_gcm_siv;
 }

-#endif  /* X86_64 && !NO_ASM */
-
-#endif  /* !OPENSSL_SMALL */
+#endif  // X86_64 && !NO_ASM
@@ -22,6 +22,7 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/poly1305.h>
+#include <openssl/type_check.h>

 #include "../fipsmodule/cipher/internal.h"
 #include "../internal.h"
@@ -30,8 +31,34 @@
 #define POLY1305_TAG_LEN 16

 struct aead_chacha20_poly1305_ctx {
-  unsigned char key[32];
-  unsigned char tag_len;
+  uint8_t key[32];
+};
+
+// For convenience (the x86_64 calling convention allows only six parameters in
+// registers), the final parameter for the assembly functions is both an input
+// and output parameter.
+union open_data {
+  struct {
+    alignas(16) uint8_t key[32];
+    uint32_t counter;
+    uint8_t nonce[12];
+  } in;
+  struct {
+    uint8_t tag[POLY1305_TAG_LEN];
+  } out;
+};
+
+union seal_data {
+  struct {
+    alignas(16) uint8_t key[32];
+    uint32_t counter;
+    uint8_t nonce[12];
+    const uint8_t *extra_ciphertext;
+    size_t extra_ciphertext_len;
+  } in;
+  struct {
+    uint8_t tag[POLY1305_TAG_LEN];
+  } out;
 };

 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \
@@ -41,42 +68,42 @@ static int asm_capable(void) {
  return sse41_capable;
 }

-// chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It
-// decrypts |plaintext_len| bytes from |ciphertext| and writes them to
-// |out_plaintext|. On entry, |aead_data| must contain the final 48 bytes of
-// the initial ChaCha20 block, i.e. the key, followed by four zeros, followed
-// by the nonce. On exit, it will contain the calculated tag value, which the
-// caller must check.
+OPENSSL_COMPILE_ASSERT(sizeof(union open_data) == 48, wrong_open_data_size);
+OPENSSL_COMPILE_ASSERT(sizeof(union seal_data) == 48 + 8 + 8,
+                       wrong_seal_data_size);
+
+// chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It decrypts
+// |plaintext_len| bytes from |ciphertext| and writes them to |out_plaintext|.
+// Additional input parameters are passed in |aead_data->in|. On exit, it will
+// write calculated tag value to |aead_data->out.tag|, which the caller must
+// check.
 extern void chacha20_poly1305_open(uint8_t *out_plaintext,
                                   const uint8_t *ciphertext,
                                   size_t plaintext_len, const uint8_t *ad,
-                                   size_t ad_len, uint8_t *aead_data);
+                                   size_t ad_len, union open_data *aead_data);

-// chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It
-// encrypts |plaintext_len| bytes from |plaintext| and writes them to
-// |out_ciphertext|. On entry, |aead_data| must contain the final 48 bytes of
-// the initial ChaCha20 block, i.e. the key, followed by four zeros, followed
-// by the nonce. On exit, it will contain the calculated tag value, which the
-// caller must append to the ciphertext.
+// chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It encrypts
+// |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|.
+// Additional input parameters are passed in |aead_data->in|. The calculated tag
+// value is over the computed ciphertext concatenated with |extra_ciphertext|
+// and written to |aead_data->out.tag|.
 extern void chacha20_poly1305_seal(uint8_t *out_ciphertext,
                                   const uint8_t *plaintext,
                                   size_t plaintext_len, const uint8_t *ad,
-                                   size_t ad_len, uint8_t *aead_data);
+                                   size_t ad_len, union seal_data *aead_data);
 #else
-static int asm_capable(void) {
-  return 0;
-}
+static int asm_capable(void) { return 0; }


 static void chacha20_poly1305_open(uint8_t *out_plaintext,
                                   const uint8_t *ciphertext,
                                   size_t plaintext_len, const uint8_t *ad,
-                                   size_t ad_len, uint8_t *aead_data) {}
+                                   size_t ad_len, union open_data *aead_data) {}

 static void chacha20_poly1305_seal(uint8_t *out_ciphertext,
                                   const uint8_t *plaintext,
                                   size_t plaintext_len, const uint8_t *ad,
-                                   size_t ad_len, uint8_t *aead_data) {}
+                                   size_t ad_len, union seal_data *aead_data) {}
 #endif

 static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
@@ -93,7 +120,7 @@ static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
  }

  if (key_len != sizeof(c20_ctx->key)) {
-    return 0; /* internal error - EVP_AEAD_CTX_init should catch this. */
+    return 0;  // internal error - EVP_AEAD_CTX_init should catch this.
  }

  c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));
@@ -102,16 +129,14 @@ static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
  }

  OPENSSL_memcpy(c20_ctx->key, key, key_len);
-  c20_ctx->tag_len = tag_len;
  ctx->aead_state = c20_ctx;
+  ctx->tag_len = tag_len;

  return 1;
 }

 static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {
-  struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-  OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));
-  OPENSSL_free(c20_ctx);
+  OPENSSL_free(ctx->aead_state);
 }

 static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
@@ -125,150 +150,175 @@ static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
  CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
 }

-static void poly1305_update_padded_16(poly1305_state *poly1305,
-                                      const uint8_t *data, size_t data_len) {
-  static const uint8_t padding[16] = { 0 }; /* Padding is all zeros. */
-
-  CRYPTO_poly1305_update(poly1305, data, data_len);
-  if (data_len % 16 != 0) {
-    CRYPTO_poly1305_update(poly1305, padding,
-                           sizeof(padding) - (data_len % 16));
-  }
-}
-
-/* calc_tag fills |tag| with the authentication tag for the given inputs. */
+// calc_tag fills |tag| with the authentication tag for the given inputs.
 static void calc_tag(uint8_t tag[POLY1305_TAG_LEN],
                     const struct aead_chacha20_poly1305_ctx *c20_ctx,
                     const uint8_t nonce[12], const uint8_t *ad, size_t ad_len,
-                     const uint8_t *ciphertext, size_t ciphertext_len) {
+                     const uint8_t *ciphertext, size_t ciphertext_len,
+                     const uint8_t *ciphertext_extra,
+                     size_t ciphertext_extra_len) {
  alignas(16) uint8_t poly1305_key[32];
  OPENSSL_memset(poly1305_key, 0, sizeof(poly1305_key));
  CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
                   c20_ctx->key, nonce, 0);

+  static const uint8_t padding[16] = { 0 };  // Padding is all zeros.
  poly1305_state ctx;
  CRYPTO_poly1305_init(&ctx, poly1305_key);
-  poly1305_update_padded_16(&ctx, ad, ad_len);
-  poly1305_update_padded_16(&ctx, ciphertext, ciphertext_len);
+  CRYPTO_poly1305_update(&ctx, ad, ad_len);
+  if (ad_len % 16 != 0) {
+    CRYPTO_poly1305_update(&ctx, padding, sizeof(padding) - (ad_len % 16));
+  }
+  CRYPTO_poly1305_update(&ctx, ciphertext, ciphertext_len);
+  CRYPTO_poly1305_update(&ctx, ciphertext_extra, ciphertext_extra_len);
+  const size_t ciphertext_total = ciphertext_len + ciphertext_extra_len;
+  if (ciphertext_total % 16 != 0) {
+    CRYPTO_poly1305_update(&ctx, padding,
+                           sizeof(padding) - (ciphertext_total % 16));
+  }
  poly1305_update_length(&ctx, ad_len);
-  poly1305_update_length(&ctx, ciphertext_len);
+  poly1305_update_length(&ctx, ciphertext_total);
  CRYPTO_poly1305_finish(&ctx, tag);
 }

-static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                       size_t *out_len, size_t max_out_len,
-                                       const uint8_t *nonce, size_t nonce_len,
-                                       const uint8_t *in, size_t in_len,
-                                       const uint8_t *ad, size_t ad_len) {
+static int aead_chacha20_poly1305_seal_scatter(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
+    size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
+    size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
  const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-  const uint64_t in_len_64 = in_len;

+  if (extra_in_len + ctx->tag_len < ctx->tag_len) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
+    return 0;
+  }
+  if (max_out_tag_len < ctx->tag_len + extra_in_len) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
+    return 0;
+  }
  if (nonce_len != 12) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
    return 0;
  }

-  /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
-   * individual operations that work on more than 256GB at a time.
-   * |in_len_64| is needed because, on 32-bit platforms, size_t is only
-   * 32-bits and this produces a warning because it's always false.
-   * Casting to uint64_t inside the conditional is not sufficient to stop
-   * the warning. */
+  // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
+  // individual operations that work on more than 256GB at a time.
+  // |in_len_64| is needed because, on 32-bit platforms, size_t is only
+  // 32-bits and this produces a warning because it's always false.
+  // Casting to uint64_t inside the conditional is not sufficient to stop
+  // the warning.
+  const uint64_t in_len_64 = in_len;
  if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

-  if (in_len + c20_ctx->tag_len < in_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (max_out_len < in_len + c20_ctx->tag_len) {
+  if (max_out_tag_len < ctx->tag_len) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

-  alignas(16) uint8_t tag[48];
+  // The the extra input is given, it is expected to be very short and so is
+  // encrypted byte-by-byte first.
+  if (extra_in_len) {
+    static const size_t kChaChaBlockSize = 64;
+    uint32_t block_counter = 1 + (in_len / kChaChaBlockSize);
+    size_t offset = in_len % kChaChaBlockSize;
+    uint8_t block[64 /* kChaChaBlockSize */];

-  if (asm_capable()) {
-    OPENSSL_memcpy(tag, c20_ctx->key, 32);
-    OPENSSL_memset(tag + 32, 0, 4);
-    OPENSSL_memcpy(tag + 32 + 4, nonce, 12);
-    chacha20_poly1305_seal(out, in, in_len, ad, ad_len, tag);
-  } else {
-    CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
-    calc_tag(tag, c20_ctx, nonce, ad, ad_len, out, in_len);
+    for (size_t done = 0; done < extra_in_len; block_counter++) {
+      memset(block, 0, sizeof(block));
+      CRYPTO_chacha_20(block, block, sizeof(block), c20_ctx->key, nonce,
+                       block_counter);
+      for (size_t i = offset; i < sizeof(block) && done < extra_in_len;
+           i++, done++) {
+        out_tag[done] = extra_in[done] ^ block[i];
+      }
+      offset = 0;
+    }
  }

-  OPENSSL_memcpy(out + in_len, tag, c20_ctx->tag_len);
-  *out_len = in_len + c20_ctx->tag_len;
+  union seal_data data;
+  if (asm_capable()) {
+    OPENSSL_memcpy(data.in.key, c20_ctx->key, 32);
+    data.in.counter = 0;
+    OPENSSL_memcpy(data.in.nonce, nonce, 12);
+    data.in.extra_ciphertext = out_tag;
+    data.in.extra_ciphertext_len = extra_in_len;
+    chacha20_poly1305_seal(out, in, in_len, ad, ad_len, &data);
+  } else {
+    CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
+    calc_tag(data.out.tag, c20_ctx, nonce, ad, ad_len, out, in_len, out_tag,
+             extra_in_len);
+  }
+
+  OPENSSL_memcpy(out_tag + extra_in_len, data.out.tag, ctx->tag_len);
+  *out_tag_len = extra_in_len + ctx->tag_len;
  return 1;
 }

-static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                       size_t *out_len, size_t max_out_len,
-                                       const uint8_t *nonce, size_t nonce_len,
-                                       const uint8_t *in, size_t in_len,
-                                       const uint8_t *ad, size_t ad_len) {
+static int aead_chacha20_poly1305_open_gather(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
+    size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
  const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-  size_t plaintext_len;
-  const uint64_t in_len_64 = in_len;

  if (nonce_len != 12) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
    return 0;
  }

-  if (in_len < c20_ctx->tag_len) {
+  if (in_tag_len != ctx->tag_len) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

-  /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
-   * individual operations that work on more than 256GB at a time.
-   * |in_len_64| is needed because, on 32-bit platforms, size_t is only
-   * 32-bits and this produces a warning because it's always false.
-   * Casting to uint64_t inside the conditional is not sufficient to stop
-   * the warning. */
+  // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
+  // individual operations that work on more than 256GB at a time.
+  // |in_len_64| is needed because, on 32-bit platforms, size_t is only
+  // 32-bits and this produces a warning because it's always false.
+  // Casting to uint64_t inside the conditional is not sufficient to stop
+  // the warning.
+  const uint64_t in_len_64 = in_len;
  if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

-  plaintext_len = in_len - c20_ctx->tag_len;
-  alignas(16) uint8_t tag[48];
-
+  union open_data data;
  if (asm_capable()) {
-    OPENSSL_memcpy(tag, c20_ctx->key, 32);
-    OPENSSL_memset(tag + 32, 0, 4);
-    OPENSSL_memcpy(tag + 32 + 4, nonce, 12);
-    chacha20_poly1305_open(out, in, plaintext_len, ad, ad_len, tag);
+    OPENSSL_memcpy(data.in.key, c20_ctx->key, 32);
+    data.in.counter = 0;
+    OPENSSL_memcpy(data.in.nonce, nonce, 12);
+    chacha20_poly1305_open(out, in, in_len, ad, ad_len, &data);
  } else {
-    calc_tag(tag, c20_ctx, nonce, ad, ad_len, in, plaintext_len);
-    CRYPTO_chacha_20(out, in, plaintext_len, c20_ctx->key, nonce, 1);
+    calc_tag(data.out.tag, c20_ctx, nonce, ad, ad_len, in, in_len, NULL, 0);
+    CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
  }

-  if (CRYPTO_memcmp(tag, in + plaintext_len, c20_ctx->tag_len) != 0) {
+  if (CRYPTO_memcmp(data.out.tag, in_tag, ctx->tag_len) != 0) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

-  *out_len = plaintext_len;
  return 1;
 }

 static const EVP_AEAD aead_chacha20_poly1305 = {
-    32,                 /* key len */
-    12,                 /* nonce len */
-    POLY1305_TAG_LEN,   /* overhead */
-    POLY1305_TAG_LEN,   /* max tag length */
+    32,                // key len
+    12,                // nonce len
+    POLY1305_TAG_LEN,  // overhead
+    POLY1305_TAG_LEN,  // max tag length
+    1,                 // seal_scatter_supports_extra_in
+
    aead_chacha20_poly1305_init,
-    NULL, /* init_with_direction */
+    NULL,  // init_with_direction
    aead_chacha20_poly1305_cleanup,
-    aead_chacha20_poly1305_seal,
-    aead_chacha20_poly1305_open,
-    NULL,               /* get_iv */
+    NULL /* open */,
+    aead_chacha20_poly1305_seal_scatter,
+    aead_chacha20_poly1305_open_gather,
+    NULL,  // get_iv
+    NULL,  // tag_len
 };

 const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
@@ -73,18 +73,25 @@
    switch (n) {                               \
      case 8:                                  \
        (l2) = ((uint32_t)(*(--(c)))) << 24L;  \
+        OPENSSL_FALLTHROUGH;                   \
      case 7:                                  \
        (l2) |= ((uint32_t)(*(--(c)))) << 16L; \
+        OPENSSL_FALLTHROUGH;                   \
      case 6:                                  \
        (l2) |= ((uint32_t)(*(--(c)))) << 8L;  \
+        OPENSSL_FALLTHROUGH;                   \
      case 5:                                  \
        (l2) |= ((uint32_t)(*(--(c))));        \
+        OPENSSL_FALLTHROUGH;                   \
      case 4:                                  \
        (l1) = ((uint32_t)(*(--(c)))) << 24L;  \
+        OPENSSL_FALLTHROUGH;                   \
      case 3:                                  \
        (l1) |= ((uint32_t)(*(--(c)))) << 16L; \
+        OPENSSL_FALLTHROUGH;                   \
      case 2:                                  \
        (l1) |= ((uint32_t)(*(--(c)))) << 8L;  \
+        OPENSSL_FALLTHROUGH;                   \
      case 1:                                  \
        (l1) |= ((uint32_t)(*(--(c))));        \
    }                                          \
@@ -104,18 +111,25 @@
    switch (n) {                                    \
      case 8:                                       \
        *(--(c)) = (uint8_t)(((l2) >> 24L) & 0xff); \
+        OPENSSL_FALLTHROUGH;                        \
      case 7:                                       \
        *(--(c)) = (uint8_t)(((l2) >> 16L) & 0xff); \
+        OPENSSL_FALLTHROUGH;                        \
      case 6:                                       \
        *(--(c)) = (uint8_t)(((l2) >> 8L) & 0xff);  \
+        OPENSSL_FALLTHROUGH;                        \
      case 5:                                       \
        *(--(c)) = (uint8_t)(((l2)) & 0xff);        \
+        OPENSSL_FALLTHROUGH;                        \
      case 4:                                       \
        *(--(c)) = (uint8_t)(((l1) >> 24L) & 0xff); \
+        OPENSSL_FALLTHROUGH;                        \
      case 3:                                       \
        *(--(c)) = (uint8_t)(((l1) >> 16L) & 0xff); \
+        OPENSSL_FALLTHROUGH;                        \
      case 2:                                       \
        *(--(c)) = (uint8_t)(((l1) >> 8L) & 0xff);  \
+        OPENSSL_FALLTHROUGH;                        \
      case 1:                                       \
        *(--(c)) = (uint8_t)(((l1)) & 0xff);        \
    }                                               \
@@ -317,7 +331,7 @@ static void RC2_set_key(RC2_KEY *key, int len, const uint8_t *data, int bits) {
  unsigned int c, d;

  k = (uint8_t *)&key->data[0];
-  *k = 0; /* for if there is a zero length key */
+  *k = 0;  // for if there is a zero length key

  if (len > 128) {
    len = 128;
@@ -333,7 +347,7 @@ static void RC2_set_key(RC2_KEY *key, int len, const uint8_t *data, int bits) {
    k[i] = data[i];
  }

-  /* expand table */
+  // expand table
  d = k[len - 1];
  j = 0;
  for (i = len; i < 128; i++, j++) {
@@ -341,7 +355,7 @@ static void RC2_set_key(RC2_KEY *key, int len, const uint8_t *data, int bits) {
    k[i] = d;
  }

-  /* hmm.... key reduction to 'bits' bits */
+  // hmm.... key reduction to 'bits' bits

  j = (bits + 7) >> 3;
  i = 128 - j;
@@ -354,7 +368,7 @@ static void RC2_set_key(RC2_KEY *key, int len, const uint8_t *data, int bits) {
    k[i] = d;
  }

-  /* copy from bytes into uint16_t's */
+  // copy from bytes into uint16_t's
  ki = &(key->data[63]);
  for (i = 127; i >= 0; i -= 2) {
    *(ki--) = ((k[i] << 8) | k[i - 1]) & 0xffff;
@@ -362,8 +376,8 @@ static void RC2_set_key(RC2_KEY *key, int len, const uint8_t *data, int bits) {
 }

 typedef struct {
-  int key_bits; /* effective key bits */
-  RC2_KEY ks;   /* key schedule */
+  int key_bits;  // effective key bits
+  RC2_KEY ks;    // key schedule
 } EVP_RC2_KEY;

 static int rc2_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
@@ -399,8 +413,8 @@ static int rc2_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) {
      key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
      return 1;
    case EVP_CTRL_SET_RC2_KEY_BITS:
-      /* Should be overridden by later call to |EVP_CTRL_INIT|, but
-       * people call it, so it may as well work. */
+      // Should be overridden by later call to |EVP_CTRL_INIT|, but
+      // people call it, so it may as well work.
      key->key_bits = arg;
      return 1;

@@ -40,8 +40,8 @@ static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len,
  size_t md_size = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
  size_t pad_len = (md_size == 20) ? 40 : 48;

-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
+  // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+  // length for legacy ciphers.
  uint8_t ad_extra[2];
  ad_extra[0] = (uint8_t)(in_len >> 8);
  ad_extra[1] = (uint8_t)(in_len & 0xff);
@@ -123,28 +123,48 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
  return 1;
 }

-static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
+static size_t aead_ssl3_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len,
+                                const size_t extra_in_len) {
+  assert(extra_in_len == 0);
+  const AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX*)ctx->aead_state;
+
+  const size_t digest_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
+  if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE) {
+    // The NULL cipher.
+    return digest_len;
+  }
+
+  const size_t block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
+  // An overflow of |in_len + digest_len| doesn't affect the result mod
+  // |block_size|, provided that |block_size| is a smaller power of two.
+  assert(block_size != 0 && (block_size & (block_size - 1)) == 0);
+  const size_t pad_len = block_size - ((in_len + digest_len) % block_size);
+  return digest_len + pad_len;
+}
+
+static int aead_ssl3_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
+                                  uint8_t *out_tag, size_t *out_tag_len,
+                                  const size_t max_out_tag_len,
+                                  const uint8_t *nonce, const size_t nonce_len,
+                                  const uint8_t *in, const size_t in_len,
+                                  const uint8_t *extra_in,
+                                  const size_t extra_in_len, const uint8_t *ad,
+                                  const size_t ad_len) {
  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-  size_t total = 0;

  if (!ssl3_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+    // Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    return 0;
  }

-  if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
-      in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
+  if (in_len > INT_MAX) {
+    // EVP_CIPHER takes int as input.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

-  if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {
+  if (max_out_tag_len < aead_ssl3_tag_len(ctx, in_len, extra_in_len)) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }
@@ -159,52 +179,71 @@ static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
    return 0;
  }

-  /* Compute the MAC. This must be first in case the operation is being done
-   * in-place. */
+  // Compute the MAC. This must be first in case the operation is being done
+  // in-place.
  uint8_t mac[EVP_MAX_MD_SIZE];
  unsigned mac_len;
  if (!ssl3_mac(ssl3_ctx, mac, &mac_len, ad, ad_len, in, in_len)) {
    return 0;
  }

-  /* Encrypt the input. */
+  // Encrypt the input.
  int len;
  if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in,
                         (int)in_len)) {
    return 0;
  }
-  total = len;

-  /* Feed the MAC into the cipher. */
-  if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, mac,
-                         (int)mac_len)) {
+  const size_t block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
+
+  // Feed the MAC into the cipher in two steps. First complete the final partial
+  // block from encrypting the input and split the result between |out| and
+  // |out_tag|. Then encrypt the remainder.
+
+  size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;
+  if (early_mac_len != 0) {
+    assert(len + block_size - early_mac_len == in_len);
+    uint8_t buf[EVP_MAX_BLOCK_LENGTH];
+    int buf_len;
+    if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, buf, &buf_len, mac,
+                           (int)early_mac_len)) {
+      return 0;
+    }
+    assert(buf_len == (int)block_size);
+    OPENSSL_memcpy(out + len, buf, block_size - early_mac_len);
+    OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len);
+  }
+  size_t tag_len = early_mac_len;
+
+  if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len,
+                         mac + tag_len, mac_len - tag_len)) {
    return 0;
  }
-  total += len;
+  tag_len += len;

-  unsigned block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
  if (block_size > 1) {
    assert(block_size <= 256);
    assert(EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);

-    /* Compute padding and feed that into the cipher. */
+    // Compute padding and feed that into the cipher.
    uint8_t padding[256];
-    unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
+    size_t padding_len = block_size - ((in_len + mac_len) % block_size);
    OPENSSL_memset(padding, 0, padding_len - 1);
    padding[padding_len - 1] = padding_len - 1;
-    if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, padding,
+    if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len, padding,
                           (int)padding_len)) {
      return 0;
    }
-    total += len;
+    tag_len += len;
  }

-  if (!EVP_EncryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) {
+  if (!EVP_EncryptFinal_ex(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len)) {
    return 0;
  }
-  total += len;
+  tag_len += len;
+  assert(tag_len == aead_ssl3_tag_len(ctx, in_len, extra_in_len));

-  *out_len = total;
+  *out_tag_len = tag_len;
  return 1;
 }

@@ -216,7 +255,7 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;

  if (ssl3_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+    // Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    return 0;
  }
@@ -228,8 +267,8 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  }

  if (max_out_len < in_len) {
-    /* This requires that the caller provide space for the MAC, even though it
-     * will always be removed on return. */
+    // This requires that the caller provide space for the MAC, even though it
+    // will always be removed on return.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }
@@ -245,12 +284,12 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  }

  if (in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
+    // EVP_CIPHER takes int as input.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

-  /* Decrypt to get the plaintext + MAC + padding. */
+  // Decrypt to get the plaintext + MAC + padding.
  size_t total = 0;
  int len;
  if (!EVP_DecryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
@@ -263,9 +302,9 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  total += len;
  assert(total == in_len);

-  /* Remove CBC padding and MAC. This would normally be timing-sensitive, but
-   * SSLv3 CBC ciphers are already broken. Support will be removed eventually.
-   * https://www.openssl.org/~bodo/ssl-poodle.pdf */
+  // Remove CBC padding and MAC. This would normally be timing-sensitive, but
+  // SSLv3 CBC ciphers are already broken. Support will be removed eventually.
+  // https://www.openssl.org/~bodo/ssl-poodle.pdf
  size_t data_len;
  if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
    unsigned padding_length = out[total - 1];
@@ -273,7 +312,7 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
      return 0;
    }
-    /* The padding must be minimal. */
+    // The padding must be minimal.
    if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) {
      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
      return 0;
@@ -283,7 +322,7 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
    data_len = total - mac_len;
  }

-  /* Compute the MAC and compare against the one in the record. */
+  // Compute the MAC and compare against the one in the record.
  uint8_t mac[EVP_MAX_MD_SIZE];
  if (!ssl3_mac(ssl3_ctx, mac, NULL, ad, ad_len, out, data_len)) {
    return 0;
@@ -339,55 +378,71 @@ static int aead_null_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
 }

 static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 16 + 16,  // key len (SHA1 + AES128 + IV)
+    0,                            // nonce len
+    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,            // max tag length
+    0,                            // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_aes_128_cbc_sha1_ssl3_init,
    aead_ssl3_cleanup,
-    aead_ssl3_seal,
    aead_ssl3_open,
+    aead_ssl3_seal_scatter,
+    NULL,  // open_gather
    aead_ssl3_get_iv,
+    aead_ssl3_tag_len,
 };

 static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 32 + 16,  // key len (SHA1 + AES256 + IV)
+    0,                            // nonce len
+    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,            // max tag length
+    0,                            // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_aes_256_cbc_sha1_ssl3_init,
    aead_ssl3_cleanup,
-    aead_ssl3_seal,
    aead_ssl3_open,
+    aead_ssl3_seal_scatter,
+    NULL,  // open_gather
    aead_ssl3_get_iv,
+    aead_ssl3_tag_len,
 };

 static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
-    0,                          /* nonce len */
-    8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 24 + 8,  // key len (SHA1 + 3DES + IV)
+    0,                           // nonce len
+    8 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,           // max tag length
+    0,                           // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_des_ede3_cbc_sha1_ssl3_init,
    aead_ssl3_cleanup,
-    aead_ssl3_seal,
    aead_ssl3_open,
+    aead_ssl3_seal_scatter,
+    NULL,  // open_gather
    aead_ssl3_get_iv,
+    aead_ssl3_tag_len,
 };

 static const EVP_AEAD aead_null_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH,          /* key len */
-    0,                          /* nonce len */
-    SHA_DIGEST_LENGTH,          /* overhead (SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL,                       /* init */
+    SHA_DIGEST_LENGTH,  // key len
+    0,                  // nonce len
+    SHA_DIGEST_LENGTH,  // overhead (SHA1)
+    SHA_DIGEST_LENGTH,  // max tag length
+    0,                  // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_null_sha1_ssl3_init,
    aead_ssl3_cleanup,
-    aead_ssl3_seal,
    aead_ssl3_open,
-    NULL,                       /* get_iv */
+    aead_ssl3_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_ssl3_tag_len,
 };

 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void) {
@@ -25,20 +25,20 @@
 #include <openssl/sha.h>
 #include <openssl/type_check.h>

+#include "../fipsmodule/cipher/internal.h"
 #include "../internal.h"
 #include "internal.h"
-#include "../fipsmodule/cipher/internal.h"


 typedef struct {
  EVP_CIPHER_CTX cipher_ctx;
  HMAC_CTX hmac_ctx;
-  /* mac_key is the portion of the key used for the MAC. It is retained
-   * separately for the constant-time CBC code. */
+  // mac_key is the portion of the key used for the MAC. It is retained
+  // separately for the constant-time CBC code.
  uint8_t mac_key[EVP_MAX_MD_SIZE];
  uint8_t mac_key_len;
-  /* implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
-   * IV. */
+  // implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
+  // IV.
  char implicit_iv;
 } AEAD_TLS_CTX;

@@ -48,7 +48,6 @@ static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {
  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
  EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);
  HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);
-  OPENSSL_cleanse(&tls_ctx->mac_key, sizeof(tls_ctx->mac_key));
  OPENSSL_free(tls_ctx);
  ctx->aead_state = NULL;
 }
@@ -99,28 +98,48 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
  return 1;
 }

-static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
+static size_t aead_tls_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len,
+                               const size_t extra_in_len) {
+  assert(extra_in_len == 0);
+  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
+
+  const size_t hmac_len = HMAC_size(&tls_ctx->hmac_ctx);
+  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE) {
+    // The NULL cipher.
+    return hmac_len;
+  }
+
+  const size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
+  // An overflow of |in_len + hmac_len| doesn't affect the result mod
+  // |block_size|, provided that |block_size| is a smaller power of two.
+  assert(block_size != 0 && (block_size & (block_size - 1)) == 0);
+  const size_t pad_len = block_size - (in_len + hmac_len) % block_size;
+  return hmac_len + pad_len;
+}
+
+static int aead_tls_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
+                                 uint8_t *out_tag, size_t *out_tag_len,
+                                 const size_t max_out_tag_len,
+                                 const uint8_t *nonce, const size_t nonce_len,
+                                 const uint8_t *in, const size_t in_len,
+                                 const uint8_t *extra_in,
+                                 const size_t extra_in_len, const uint8_t *ad,
+                                 const size_t ad_len) {
  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
-  size_t total = 0;

  if (!tls_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+    // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    return 0;
  }

-  if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
-      in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
+  if (in_len > INT_MAX) {
+    // EVP_CIPHER takes int as input.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

-  if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {
+  if (max_out_tag_len < aead_tls_tag_len(ctx, in_len, extra_in_len)) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }
@@ -135,14 +154,14 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
    return 0;
  }

-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
+  // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+  // length for legacy ciphers.
  uint8_t ad_extra[2];
  ad_extra[0] = (uint8_t)(in_len >> 8);
  ad_extra[1] = (uint8_t)(in_len & 0xff);

-  /* Compute the MAC. This must be first in case the operation is being done
-   * in-place. */
+  // Compute the MAC. This must be first in case the operation is being done
+  // in-place.
  uint8_t mac[EVP_MAX_MD_SIZE];
  unsigned mac_len;
  if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
@@ -153,62 +172,80 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
    return 0;
  }

-  /* Configure the explicit IV. */
+  // Configure the explicit IV.
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
      !tls_ctx->implicit_iv &&
      !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
    return 0;
  }

-  /* Encrypt the input. */
+  // Encrypt the input.
  int len;
-  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in,
-                         (int)in_len)) {
+  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
    return 0;
  }
-  total = len;
-
-  /* Feed the MAC into the cipher. */
-  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, mac,
-                         (int)mac_len)) {
-    return 0;
-  }
-  total += len;

  unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
+
+  // Feed the MAC into the cipher in two steps. First complete the final partial
+  // block from encrypting the input and split the result between |out| and
+  // |out_tag|. Then feed the rest.
+
+  const size_t early_mac_len =
+      (block_size - (in_len % block_size) % block_size);
+  if (early_mac_len != 0) {
+    assert(len + block_size - early_mac_len == in_len);
+    uint8_t buf[EVP_MAX_BLOCK_LENGTH];
+    int buf_len;
+    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, buf, &buf_len, mac,
+                           (int)early_mac_len)) {
+      return 0;
+    }
+    assert(buf_len == (int)block_size);
+    OPENSSL_memcpy(out + len, buf, block_size - early_mac_len);
+    OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len);
+  }
+  size_t tag_len = early_mac_len;
+
+  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
+                         mac + tag_len, mac_len - tag_len)) {
+    return 0;
+  }
+  tag_len += len;
+
  if (block_size > 1) {
    assert(block_size <= 256);
    assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);

-    /* Compute padding and feed that into the cipher. */
+    // Compute padding and feed that into the cipher.
    uint8_t padding[256];
    unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
    OPENSSL_memset(padding, padding_len - 1, padding_len);
-    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, padding,
-                           (int)padding_len)) {
+    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
+                           padding, (int)padding_len)) {
      return 0;
    }
-    total += len;
+    tag_len += len;
  }

-  if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {
+  if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out_tag + tag_len, &len)) {
    return 0;
  }
-  total += len;
+  assert(len == 0);  // Padding is explicit.
+  assert(tag_len == aead_tls_tag_len(ctx, in_len, extra_in_len));

-  *out_len = total;
+  *out_tag_len = tag_len;
  return 1;
 }

-static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
+static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
+                         size_t max_out_len, const uint8_t *nonce,
+                         size_t nonce_len, const uint8_t *in, size_t in_len,
                         const uint8_t *ad, size_t ad_len) {
  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;

  if (tls_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+    // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    return 0;
  }
@@ -219,8 +256,8 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  }

  if (max_out_len < in_len) {
-    /* This requires that the caller provide space for the MAC, even though it
-     * will always be removed on return. */
+    // This requires that the caller provide space for the MAC, even though it
+    // will always be removed on return.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }
@@ -236,19 +273,19 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  }

  if (in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
+    // EVP_CIPHER takes int as input.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

-  /* Configure the explicit IV. */
+  // Configure the explicit IV.
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
      !tls_ctx->implicit_iv &&
      !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
    return 0;
  }

-  /* Decrypt to get the plaintext + MAC + padding. */
+  // Decrypt to get the plaintext + MAC + padding.
  size_t total = 0;
  int len;
  if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
@@ -261,8 +298,8 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  total += len;
  assert(total == in_len);

-  /* Remove CBC padding. Code from here on is timing-sensitive with respect to
-   * |padding_ok| and |data_plus_mac_len| for CBC ciphers. */
+  // Remove CBC padding. Code from here on is timing-sensitive with respect to
+  // |padding_ok| and |data_plus_mac_len| for CBC ciphers.
  size_t data_plus_mac_len;
  crypto_word_t padding_ok;
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
@@ -270,32 +307,32 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
            &padding_ok, &data_plus_mac_len, out, total,
            EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
            HMAC_size(&tls_ctx->hmac_ctx))) {
-      /* Publicly invalid. This can be rejected in non-constant time. */
+      // Publicly invalid. This can be rejected in non-constant time.
      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
      return 0;
    }
  } else {
    padding_ok = CONSTTIME_TRUE_W;
    data_plus_mac_len = total;
-    /* |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
-     * already been checked against the MAC size at the top of the function. */
+    // |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
+    // already been checked against the MAC size at the top of the function.
    assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));
  }
  size_t data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);

-  /* At this point, if the padding is valid, the first |data_plus_mac_len| bytes
-   * after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
-   * still large enough to extract a MAC, but it will be irrelevant. */
+  // At this point, if the padding is valid, the first |data_plus_mac_len| bytes
+  // after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
+  // still large enough to extract a MAC, but it will be irrelevant.

-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
+  // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+  // length for legacy ciphers.
  uint8_t ad_fixed[13];
  OPENSSL_memcpy(ad_fixed, ad, 11);
  ad_fixed[11] = (uint8_t)(data_len >> 8);
  ad_fixed[12] = (uint8_t)(data_len & 0xff);
  ad_len += 2;

-  /* Compute the MAC and extract the one in the record. */
+  // Compute the MAC and extract the one in the record.
  uint8_t mac[EVP_MAX_MD_SIZE];
  size_t mac_len;
  uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
@@ -313,8 +350,8 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
    record_mac = record_mac_tmp;
    EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);
  } else {
-    /* We should support the constant-time path for all CBC-mode ciphers
-     * implemented. */
+    // We should support the constant-time path for all CBC-mode ciphers
+    // implemented.
    assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);

    unsigned mac_len_u;
@@ -330,10 +367,10 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
    record_mac = &out[data_len];
  }

-  /* Perform the MAC check and the padding check in constant-time. It should be
-   * safe to simply perform the padding check first, but it would not be under a
-   * different choice of MAC location on padding failure. See
-   * EVP_tls_cbc_remove_padding. */
+  // Perform the MAC check and the padding check in constant-time. It should be
+  // safe to simply perform the padding check first, but it would not be under a
+  // different choice of MAC location on padding failure. See
+  // EVP_tls_cbc_remove_padding.
  crypto_word_t good =
      constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0);
  good &= padding_ok;
@@ -342,7 +379,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
    return 0;
  }

-  /* End of timing-sensitive code. */
+  // End of timing-sensitive code.

  *out_len = data_len;
  return 1;
@@ -436,133 +473,173 @@ static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
 }

 static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + AES128) */
-    16,                     /* nonce len (IV) */
-    16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 16,  // key len (SHA1 + AES128)
+    16,                      // nonce len (IV)
+    16 + SHA_DIGEST_LENGTH,  // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,       // max tag length
+    0,                       // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_aes_128_cbc_sha1_tls_init,
    aead_tls_cleanup,
-    aead_tls_seal,
    aead_tls_open,
-    NULL,                   /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };

 static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 16 + 16,  // key len (SHA1 + AES128 + IV)
+    0,                            // nonce len
+    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,            // max tag length
+    0,                            // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_aes_128_cbc_sha1_tls_implicit_iv_init,
    aead_tls_cleanup,
-    aead_tls_seal,
    aead_tls_open,
-    aead_tls_get_iv,             /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,             // open_gather
+    aead_tls_get_iv,  // get_iv
+    aead_tls_tag_len,
 };

 static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
-    SHA256_DIGEST_LENGTH + 16, /* key len (SHA256 + AES128) */
-    16,                        /* nonce len (IV) */
-    16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
-    SHA256_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA256_DIGEST_LENGTH + 16,  // key len (SHA256 + AES128)
+    16,                         // nonce len (IV)
+    16 + SHA256_DIGEST_LENGTH,  // overhead (padding + SHA256)
+    SHA256_DIGEST_LENGTH,       // max tag length
+    0,                          // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_aes_128_cbc_sha256_tls_init,
    aead_tls_cleanup,
-    aead_tls_seal,
    aead_tls_open,
-    NULL,                      /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };

 static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 32, /* key len (SHA1 + AES256) */
-    16,                     /* nonce len (IV) */
-    16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 32,  // key len (SHA1 + AES256)
+    16,                      // nonce len (IV)
+    16 + SHA_DIGEST_LENGTH,  // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,       // max tag length
+    0,                       // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_aes_256_cbc_sha1_tls_init,
    aead_tls_cleanup,
-    aead_tls_seal,
    aead_tls_open,
-    NULL,                   /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };

 static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 32 + 16,  // key len (SHA1 + AES256 + IV)
+    0,                            // nonce len
+    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,            // max tag length
+    0,                            // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_aes_256_cbc_sha1_tls_implicit_iv_init,
    aead_tls_cleanup,
-    aead_tls_seal,
    aead_tls_open,
-    aead_tls_get_iv,             /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,             // open_gather
+    aead_tls_get_iv,  // get_iv
+    aead_tls_tag_len,
 };

 static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
-    SHA256_DIGEST_LENGTH + 32, /* key len (SHA256 + AES256) */
-    16,                        /* nonce len (IV) */
-    16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
-    SHA256_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA256_DIGEST_LENGTH + 32,  // key len (SHA256 + AES256)
+    16,                         // nonce len (IV)
+    16 + SHA256_DIGEST_LENGTH,  // overhead (padding + SHA256)
+    SHA256_DIGEST_LENGTH,       // max tag length
+    0,                          // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_aes_256_cbc_sha256_tls_init,
    aead_tls_cleanup,
-    aead_tls_seal,
    aead_tls_open,
-    NULL,                      /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };

 static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
-    SHA384_DIGEST_LENGTH + 32, /* key len (SHA384 + AES256) */
-    16,                        /* nonce len (IV) */
-    16 + SHA384_DIGEST_LENGTH, /* overhead (padding + SHA384) */
-    SHA384_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA384_DIGEST_LENGTH + 32,  // key len (SHA384 + AES256)
+    16,                         // nonce len (IV)
+    16 + SHA384_DIGEST_LENGTH,  // overhead (padding + SHA384)
+    SHA384_DIGEST_LENGTH,       // max tag length
+    0,                          // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_aes_256_cbc_sha384_tls_init,
    aead_tls_cleanup,
-    aead_tls_seal,
    aead_tls_open,
-    NULL,                      /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };

 static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 24, /* key len (SHA1 + 3DES) */
-    8,                      /* nonce len (IV) */
-    8 + SHA_DIGEST_LENGTH,  /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 24,  // key len (SHA1 + 3DES)
+    8,                       // nonce len (IV)
+    8 + SHA_DIGEST_LENGTH,   // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,       // max tag length
+    0,                       // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_des_ede3_cbc_sha1_tls_init,
    aead_tls_cleanup,
-    aead_tls_seal,
    aead_tls_open,
-    NULL,                   /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };

 static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
-    0,                          /* nonce len */
-    8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 24 + 8,  // key len (SHA1 + 3DES + IV)
+    0,                           // nonce len
+    8 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,           // max tag length
+    0,                           // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
    aead_tls_cleanup,
-    aead_tls_seal,
    aead_tls_open,
-    aead_tls_get_iv,            /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,             // open_gather
+    aead_tls_get_iv,  // get_iv
+    aead_tls_tag_len,
 };

 static const EVP_AEAD aead_null_sha1_tls = {
-    SHA_DIGEST_LENGTH,          /* key len */
-    0,                          /* nonce len */
-    SHA_DIGEST_LENGTH,          /* overhead (SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL,                       /* init */
+    SHA_DIGEST_LENGTH,  // key len
+    0,                  // nonce len
+    SHA_DIGEST_LENGTH,  // overhead (SHA1)
+    SHA_DIGEST_LENGTH,  // max tag length
+    0,                  // seal_scatter_supports_extra_in
+
+    NULL,  // init
    aead_null_sha1_tls_init,
    aead_tls_cleanup,
-    aead_tls_seal,
    aead_tls_open,
-    NULL,                       /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };

 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
@@ -66,53 +66,53 @@ extern "C" {
 #endif


-/* EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
- * record in |in|. This decrypted record should not include any "decrypted"
- * explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
- * it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the
- * padding is valid and zero otherwise. It then sets |*out_len| to the length
- * with the padding removed or |in_len| if invalid.
- *
- * If the function returns one, it runs in time independent of the contents of
- * |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying
- * |EVP_tls_cbc_copy_mac|'s precondition. */
+// EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
+// record in |in|. This decrypted record should not include any "decrypted"
+// explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
+// it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the
+// padding is valid and zero otherwise. It then sets |*out_len| to the length
+// with the padding removed or |in_len| if invalid.
+//
+// If the function returns one, it runs in time independent of the contents of
+// |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying
+// |EVP_tls_cbc_copy_mac|'s precondition.
 int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,
                               const uint8_t *in, size_t in_len,
                               size_t block_size, size_t mac_size);

-/* EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first
- * |in_len| bytes of |in| to |out| in constant time (independent of the concrete
- * value of |in_len|, which may vary within a 256-byte window). |in| must point
- * to a buffer of |orig_len| bytes.
- *
- * On entry:
- *   orig_len >= in_len >= md_size
- *   md_size <= EVP_MAX_MD_SIZE */
+// EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first
+// |in_len| bytes of |in| to |out| in constant time (independent of the concrete
+// value of |in_len|, which may vary within a 256-byte window). |in| must point
+// to a buffer of |orig_len| bytes.
+//
+// On entry:
+//   orig_len >= in_len >= md_size
+//   md_size <= EVP_MAX_MD_SIZE
 void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
                          size_t in_len, size_t orig_len);

-/* EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function
- * which EVP_tls_cbc_digest_record supports. */
+// EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function
+// which EVP_tls_cbc_digest_record supports.
 int EVP_tls_cbc_record_digest_supported(const EVP_MD *md);

-/* EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
- * record.
- *
- *   md: the hash function used in the HMAC.
- *     EVP_tls_cbc_record_digest_supported must return true for this hash.
- *   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
- *   md_out_size: the number of output bytes is written here.
- *   header: the 13-byte, TLS record header.
- *   data: the record data itself
- *   data_plus_mac_size: the secret, reported length of the data and MAC
- *     once the padding has been removed.
- *   data_plus_mac_plus_padding_size: the public length of the whole
- *     record, including padding.
- *
- * On entry: by virtue of having been through one of the remove_padding
- * functions, above, we know that data_plus_mac_size is large enough to contain
- * a padding byte and MAC. (If the padding was invalid, it might contain the
- * padding too. ) */
+// EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
+// record.
+//
+//   md: the hash function used in the HMAC.
+//     EVP_tls_cbc_record_digest_supported must return true for this hash.
+//   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
+//   md_out_size: the number of output bytes is written here.
+//   header: the 13-byte, TLS record header.
+//   data: the record data itself
+//   data_plus_mac_size: the secret, reported length of the data and MAC
+//     once the padding has been removed.
+//   data_plus_mac_plus_padding_size: the public length of the whole
+//     record, including padding.
+//
+// On entry: by virtue of having been through one of the remove_padding
+// functions, above, we know that data_plus_mac_size is large enough to contain
+// a padding byte and MAC. (If the padding was invalid, it might contain the
+// padding too. )
 int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
                              size_t *md_out_size, const uint8_t header[13],
                              const uint8_t *data, size_t data_plus_mac_size,
@@ -122,7 +122,7 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,


 #if defined(__cplusplus)
-} /* extern C */
+}  // extern C
 #endif

-#endif /* OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H */
+#endif  // OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H
@@ -1,563 +0,0 @@
-# The AES-128-GCM test cases from cipher_tests.txt have been merged into this
-# file.
-
-KEY: d480429666d48b400633921c5407d1d1
-NONCE: 
-IN: 
-AD: 
-CT: 3388c676dc754acfa66e172a
-TAG: 7d7daf44850921a34e636b01adeb104f
-NO_SEAL: 01
-
-KEY: 3881e7be1bb3bbcaff20bdb78e5d1b67
-NONCE: 
-IN: 0a2714aa7d
-AD: c60c64bbf7
-CT: dcf5b7ae2d7552e2297fcfa95626f96ecb
-TAG: ff4c4f1d92b0abb1d0820833d9eb83c7
-NO_SEAL: 01
-
-KEY: ea4f6f3c2fed2b9dd9708c2e721ae00f
-NONCE: 
-IN: 8d6c08446cb10d9a2075
-AD: 5c65d4f261d2c54ffe6a
-CT: f975809ddb5172382745634f0f51f7a83c5b5aa796b9
-TAG: 70259cddfe8f9a15a5c5eb485af578fb
-NO_SEAL: 01
-
-KEY: cdbc90e60aab7905bdffdfd8d13c0138
-NONCE: 
-IN: cb75a0f9134c579bebbd27fe4a3011
-AD: 7dc79f38e1df9383e5d3a1378b56ef
-CT: 9d987184c4b4e873d4774931c6a899758b6c11208241627c8a0096
-TAG: 7525125e650d397d0e176fa21315f09a
-NO_SEAL: 01
-
-KEY: 819bc8d2f41996baca697441f982ad37
-NONCE: 
-IN: 9b1ddd177d2842a701b794450e3c81f151f195a1
-AD: 277c372784559784b0e047c6f8b7e9efb6f7491e
-CT: 08b7a15f388fafb16711ce19de9b9c8fe09f705f558c62dc6d40b75e3aa625b6
-TAG: 52e2d2f153a4235eb6fac87ff6b96926
-NO_SEAL: 01
-
-KEY: 682769d52fa0bfeaebe0d0c898d3cda7
-NONCE: 
-IN: 3461523cd98a6e8bdddd01150812e6c58d5cfa25d385cdbbc4
-AD: abe8302d7d5595698d9f31011c24d4d180a637597098361354
-CT: 6af0738b249d09547837883caa3ecb46b9330554b36d0cf6f6ac4cf5e27bfd5f602da1b3c9
-TAG: 0ba547961eba5c58726c418f51d31311
-NO_SEAL: 01
-
-KEY: e2b30b9b040bce7902c54ca7eec00d09
-NONCE: 
-IN: 483080d7e2fb42580dfb862d2d266fad9fdce7cdcdb1158d415f84b6e269
-AD: 9f06fbe67eb2ace15c8011032feeaf72fdf6d316e1e08ef4cc0a176588af
-CT: 28ccf218e8de56ea91422a2567e1980ced4cd232ce893938e40b0798b17a1692476342e520b480a18570
-TAG: 9994185d4329cfa5f4bbeb170ef3a54b
-NO_SEAL: 01
-
-KEY: eaafa992ef6dbcc29cc58b6b8684f7c7
-NONCE: 
-IN: 900951f487221c7125aa140104b776ba77e7b656194933fa4b94a6d7f9722aad51b2fe
-AD: 863ceb297cb90c445dbcf2fcffe85b71db88d8c935158f697023e2cea103ec39766679
-CT: 1ded022dbc56e9ad733e880fe0b3aaa890e45f1c39ad4f13ba7592f5251d6a02ca40fe3633651b35fba74a579f48c5
-TAG: 5c95fd941b272bafbd757553f394991b
-NO_SEAL: 01
-
-KEY: a43859049b2702e8807ac55b0ad27b0e
-NONCE: 
-IN: 8673d6ee2903265c92446ce110d5bb30aa2dd1b1ac5558029f23974acb8a2fbf4c74858fc73d6104
-AD: f77c998ad3ace0839a8657e350bed15ffbd58f152a0dc04ffc227d6beb5738ad061d0f83c2a26999
-CT: bbe8c571342cac7fcc5d66cd40e201a513979b093637445275b2db5ed4cb1fa050af0e20e43b21af6bc56dec654541e55b295b72
-TAG: 41bbef45727d19ee544fba5b360312f0
-NO_SEAL: 01
-
-KEY: 68fd608c8697243d30bd3f1f028c5b74
-NONCE: 
-IN: 2c088f38f7a58e68bdd92632da84770303cd1ff115d6364479fb0aa706571f68d51be745f5c1d1b44fa1501cd5
-AD: 1417a65249b85a918622472a49df50bdb2766aae7bc74a6230b056549851b3c2f0cef727dc805ba2160727fbb2
-CT: 319a210b33c523d8bc39fbea9d376b147620c2ac6a5eaa8ee44f82f179f61c9bc8acdd21680a7ff03acec953437a3cc9660c7ecb1204563944
-TAG: 05a4fb5be11e3edd89e34d0b7132d0fa
-NO_SEAL: 01
-
-KEY: 6edd3bd2aa318f78b4a51103cb08d489
-NONCE: 
-IN: e98f2f99680dc748fe0b57390df38a99950faaf555a888d463d005ef4e4b1c22663d3d3daa812b20ae35ac934c2e187cbba7
-AD: 97337902507391de0f15c88462aa5ffc5e4760543850719ccd8a0cfef89484d8095c23ff8c1d06eae4ff6d758c95e65cc3b5
-CT: ef0027b144691bc9716fbeca3c54842c2099b73daa9c3f1cb64bb913c0527955d923510f3f3046df471c1365db97333bc5a86dc7c5f23047e938fac976c0
-TAG: 375b2a25421434e5e3a021d434fb2d04
-NO_SEAL: 01
-
-KEY: f70482d53d3ef70cdc3cd3c4a37aeb2b
-NONCE: 
-IN: 4cb68874e69125e1a6f6e68669b48317e1b361d0f7f95ec4cf613b7da2c835832010e8f95eaef4e6800b79bd86cd7cda869d2df258c267
-AD: d72975f15721bd0957f5cb1edecaad2d1ef047afb0e779035f777f94cd7ed1bdf8ca9d4f357d2a1e195f195e7483dea1476133235f7e6b
-CT: e69d3de363e225749cb1666fcaa1e48decbda18e314057c5ec32f8733a5cf03ed0d05c3654531bf56faa70751a6c7f70fbd7d39f7e9775a772aba8fe7731cd0230beab
-TAG: 47d909cbdd1c7f8b485fc3232bb7185f
-NO_SEAL: 01
-
-KEY: 98a12fe16a02ec2a4b3a45c82138ae82
-NONCE: 
-IN: 899710fc8333c0d2d87f4496436349259cf57c592e98ec1e3c54c037bc7ef24d039a8c573ec7868e8ce9610b0404ea1b553ae10cc8cec26468cc975c
-AD: ea1a99cee666bf56c8c3667ef4c73c2e1e6534800d6e39a97de3bd5d39068bb3e2f74f96c03463afa18f1ee88c21209bae87f37e5d0269b68db370fe
-CT: 4b3404684825dfcf81966e960431b7fc4889ae401eab5edba07a60f9682fe58419d4140cbf4f20c62d79d8a3cc1f23fabead0e96e1c8c90929756ea1efab508336e1d0ed552eafd0
-TAG: 01053ceeb4f9c797eef9426930573d23
-NO_SEAL: 01
-
-KEY: 6538e8c8753928960ffc9356d43306b6
-NONCE: 
-IN: a92eb9a93a90fdbb2c74dea91d273a48efe9582f8af7a4e3a377b114770a69ca45421959fcf36107815e53dc61b7bf018fc42965fb71d1eafce0961d7698fabbd4
-AD: c5e572e464718398374c8b45ff8749cd9f517bbd97767f77a96cd021176c49c0acec8b055ef761f49aa6d910375a45b2f572cd5420b99153971a682b377ac88f09
-CT: eee386a2b1e310665e335746f36353de609d0b5246f64a519d89a4dfcd9d53325a2d2cf910e7692e68391b0357b056b944e0b53e41568f304bea8822f9ff7a0375a5a8087509799226862f707f
-TAG: f7f9b891089d02cac1181337d95b6725
-NO_SEAL: 01
-
-KEY: cabdcf541aebf917bac019f13925d267
-NONCE: 
-IN: 88cc1e07dfde8e08082e6766e0a88103384742af378d7b6b8a87fce036af7441c13961c25afea7f6e56193f54bee0011cb78642c3ab9e6d5b2e35833ec16cd355515af1a190f
-AD: dd10e371b22e15671c31afee552bf1dea07cbbf685e2caa0e0363716a276e120c6c0eb4acb1a4d1ba73fde6615f708aaa46bc76c7ff345a4f76bda117fe56f0dc9b939040ddd
-CT: 2c34c00c42dae382279d7974049453baf1578787d68ed5478726c0b8a636337a0b8a82b86836f91cde25e6e44c345940e819a0c505751e603cb8f8c4fe98719185562794a185e5dec415c81f2f162cdcd650
-TAG: dce7198728bfc1b5f949b9b5374199c6
-NO_SEAL: 01
-
-KEY: fd1dd6a237a12d7f64f68eb96890c872
-NONCE: 
-IN: 04a9709fdc0a4edb423fe8cf61c33a40043f1a585d5458c7512ec8e4e066a0f95e2e6609abf3c95a5d3ae2c738269533855daedd92eca20bdedbbd5677cd4eee84b7a1efae0904364f1e54
-AD: d253b829a2fbc5877b0fbe92e7b79f38886a49ca889ae72b91f2c3aebe257a3ffe0d390b5d320bea22d6a5536cd9213612f5ed6e3b0ea33ac91cfee284cb25eaaf6b85b15f7ca894317182
-CT: 459ced97ebc385ab3a8da8d54a565d3ba4f2ec461c9bd8dd0f96bc00d2a561bfb56443c8cf47681bdf1c61f55854bea060c4219696cac79c09aa9400a7e5c59c6b6ca556f38c619a662905fc5f0e8437b906af6138e3fb
-TAG: be5f93201d7980af4c5bceb24ac1d238
-NO_SEAL: 01
-
-KEY: b09a4d99112e1637d7f89a058988b417
-NONCE: 
-IN: 6b3c4cfd1eb139b62d91ed5d1d8b0f3b52278d5c48787ce46f12b9f026e3eed1bfbc8c6684c6662f06614c69440b3d7cff7c46b2e4aebaa4b5b89236a3cc75535bc600104f240d01de91e0fb3bcad02c
-AD: 7883ad259fa5d856ce283419f6da371b444b9b64ea0ddb371b17ec0a9ada27b0eb61b53bd3605f21a848b1e7ed91162f3d51f25481f32d61ec902a7f2cbd6938a7ce466a37e4467e4ec2b2c82b4e66ca
-CT: 74348f7126c0cac836e9de5d5e1b783b20fd740310333eddde99a06b5740428cb1a910812219fabd394b72a22a6e3ca31df0afae0a965f0bc0ae631feeaa5ce4c9a38cd5233140b8557bde9f878e65e8932b9e3c3f6e57a73cda36cc
-TAG: 784b73ee7824adf7279c0a18e46d9a2b
-NO_SEAL: 01
-
-KEY: 284bd8c4b5d7b16aebce1b12988fa1d3
-NONCE: 
-IN: 903416331583dcbd31420906c64dc76e14d0c5044d728cd9b605b531ddc350fdaadeabe67d08f0b4c7179f82a1044696716cd96459506453141e9ec3130e893d8c2ff9b8b4c241b73866ca4fc1f712d17d7a88bf4a
-AD: d0a1f92f80094c1fad630ca584edd953bf44cdde404f22c8e476df8708a97a0712e7fbd8054caa7d65144d0be3b30442d0dfa5469ba720afe1d00aa6bb53c79c1c178ed42fce596eeb6c638c8a8dedf76a431976c5
-CT: 7ff05007c5d018b17562f8039bc3708f70a68fc16bcc33099325c821a0ae9a2fd0a6a98382fa21b42ddb3a9ac6c34a13c4805d3beb92586cdf0f4dce3885793d49abce33190685e7009a79242dd93594722a1ceaa44886371c30bcc8312fa2bf67
-TAG: 3fd8a4d760d5b878852b1ca2d34dde6e
-NO_SEAL: 01
-
-KEY: 6d76dd7dea607a5cf5c21cd44c21a315
-NONCE: 
-IN: cb959b92e777f835afc4ae4149b190638851238b7b13c9bf65343adb3130e8ad2356101037f30997d4a5fcc0a1d6415210179fdec881236a799f6e90dd43ea3817819b432611eaafd072368b9c7036c7a88c8b7774a8ed986134
-AD: 92a2bc3b6b6ca9de0cef10d8bdeaadf6f54782cdb2b09e66cce8cb5b56895636e982f7a3c7bd9d221ade62c9ecf68bde70becf683804386606ab1c48ac764c4e11620064545c5beaa5911c118856dfc5cdb8df50052b01762c6c
-CT: c1d13e56b080a500f1cb80bd522ba9bfb47efc624cd8933fc9e17784919d2b3ccfaeec46af414c1b316355f65b9f9fd7f0be6ac3064b4016e43b8fb2028459f0fa0d81fb6656be0ab8fd841d05d24682b4a57c7c59d89af384db22c2f77ce10abc4d1c352a1a
-TAG: 5ea4a77381679876e0e272b53519d533
-NO_SEAL: 01
-
-KEY: 1dbcbe45a47e527e3b6f9c5c9c89e675
-NONCE: 
-IN: bb23b884c897103b7850b83f65b2fea85264784737d40f93ecf867bfdba1052f41f10d2c5607127da2c10c23b1fbd3a05ce378a9583b1a29c0efbf78a84b382698346e27469330a898b341ec1554d7bf408cf979d81807c0cc78260afdb214
-AD: 46f1bde51f6c97a9dae712e653fcac4da639d93a10b39350956681e121fb9ea969d9dc8ef6ddfb2203fad7ab7e3ef7b71eb90b5089844d60d666e8b55388d8afb261f92b6252f4d56240fe8c6c48bfde63e54bd994ff17e0bf9380ebfb653b
-CT: 98f2da8ed8aa23e1371489130d90e869d2f4c85b511fdf85b947ba3ab75c6b1845d8191634770413d7574a6fbd9d86897cb3d3b5d3d8e6f74fac3bd2a9b783cb16cfbec55dd7d2f7fc5c39fe85d39bf186a3fdd3564bc27d86f4019ae0cb73f5f516b602331433689c1b08
-TAG: 8777f2002d5a5214a7bd8ef5a3ccfbbb
-NO_SEAL: 01
-
-KEY: fe33f47136506e5cc14114eb62d26d64
-NONCE: 
-IN: 3ca38385513eaf1fcd03ac837e4db95c0ed1a2528b7ab3ac8e09ecc95698d52b7d90bf974bf96d8f791aa595965e2527aa466fb76da53b5743eda30bb3ebd9f6a8a7721fbfe71fe637d99a7b4b622e6da89e0824ac8aea299ea15e43250d2eccb0d4d553
-AD: 50b7bd342df76bea99b2e9118a525c0f7041c7acdf4a3b17912b5cbb9650900246ed945cfc7db2b34a988af822c763451ac2e769ec67361eded9bcab37ac41f04cdb1d2471c9520a02db9673daaf07001570f9d9f4ac38f09da03ff1c56fdefe16a855ac
-CT: 9534a10af0c96d8981eaf6b3927fe3c924d914a7aae6695ddad54961142b7dd5ff4c0ba5ca3e0cf3d73bdb576afd59bd2b54d820d2a5da03286c124507a48008c571c28a0ce76f0ed68dbac3a61848e7e2162be8e0bee8147b9bf60da625cdab8601bfb37dfcd165f533e94a32c26952
-TAG: 9bd47a4a2acaf865a8a260179aabf8ad
-NO_SEAL: 01
-
-KEY: dec1b34b7b81fb19586c6ec948ecf462
-NONCE: 
-IN: f7b0bbe9f0ff4dcf162792e9ee14d1ed286114f411c834ad06b143cadbbe10a6fbc86f6664e0e07ff7c6876d4543e5b01ff5ddb629f896c30c8cefd56c15d9f24dfd2ed590304a6aae24caac5870ddafc0e672ac3aacae1867891942998c712d45efbfa4d99a8a6f03
-AD: d3c4fc4838cb3cda3937455229ddaf1cb9102e815cb9f519a5434677c68b11a0bae1280faee82f1a5bee593e669e6f81d5ece3675b8af63f1491bb298531aacc940f53678ba56ae96fc66be92b904bc35f2d5b68b3ed98569a4d04e8f8a9689ad9fa4b51db0938a9f3
-CT: d9faf07e72e3c39a0165fecd2f44ecf549077b98ba551819538097bb80304a55c48ef853e20ed8c3f808dc8cb5eb41c2463d19fed2606b59cee4b458958ea75715f7654146df4519dc63524a0569a00d7bbc4b32a372f82d955be5f190d09d35c267da1017e8b16096ae84f8a671b45aaf0d1ca59c
-TAG: bc3af80cf9388d35deadecff5455d515
-NO_SEAL: 01
-
-KEY: 021add6030bd9f3fed8b0d1f16f83783
-NONCE: 
-IN: d9aa1d0db5de536cfbacb59bb75c592ae3f34a5f9c5ff4f22d14e8e4bd0754af19570221893797f60c89a251cd6a19c2953662dca51264afc21099ed5c80077b0e10a5295b3c4c6fe47d3c1c84fee69ebf7d8a7d9b1b338dae162e657e6cf5277ca70d47b9290aa7efe67b0ce574
-AD: 38d99cfd7578d40ffa1749d5fe83500362ceee76c5af38935806837b2f2d1b3422a5057bf617b07868dd95d8e5f4a24e74f96177d53a0275450b429a2b1f364805030765e376151ae35001d6a4872200142fdce82017f3e976ab0edac1a08d2649d297648320e7dd9143b554fa3d
-CT: 4e460f51fe6b5eb9558c45718863ad51578fd1c9dc40702e34236adee885955f0478ad9a094a6941f95f900e466882dcd5b86e1563ba89aa105f56f3ba5ed860ec3338ee1b750a2f9332acb3f0f61718de7e40fb80442d046b35f147f178bd05362f0559a20a53ebbf78e920fe14c9d80d1c9fb21bee152f8ab2
-TAG: 614539247fdcf1a2aa851102d25bb3bc
-NO_SEAL: 01
-
-KEY: 311c2045d5486bfadd698e5e14faa58a
-NONCE: 
-IN: bd154e428369aac5c13128d29bd3031364939abd071c34bacac6ea7292b657b794b2e717d9bcb5d7d01496d805283fffd8f7de6a3493ddd8d1dd7f58835a44d43ea22d95468d1239ca5567d6c80bdf432fce2afc544a731a2852ef733667b9f8f4f8923eaa9de3aa32addddf99b607efce966f
-AD: f70cb7e67b2842207df55fc7582013bbddff8c7f3bd9ebbaf43827aa40f8490e65397934ee6a412de6272cd568566ea172789a006a92e5920140ca5f93f292b47dc262cefc66b75543f94365c08795b7c5e9c6c29b7dc67b2532fbf8a6487d40a3eff504e75c3f2bb2cc3969621028e2112e67
-CT: f1cd8b373cec6451ae405618f88f4ef0431d0f23911aaa38a4022e700d3a33c31e0c7bdebe00f62ca3b55d358385de25ceb0538242871eb9c24530e557d7981fa0182436e1e49272d52689541f09517fd147a8da0f0d2bb32d54911a36eded0b87bcba54d6842edf461b45839df1cab5176e2c82c871b3be4ec1bced67ec5d
-TAG: ae8d847f106e914ffadbdfe7cb57beba
-NO_SEAL: 01
-
-KEY: ceab57de6220b2c80e67f0c088e97b36
-NONCE: 
-IN: ce2a7a5663449cf6e0068085e3c373c5ca6f027544e327bbc09ac00f1571268bee186d51a00bbc16da7429e4d3d5235d8d54ac96b6ecb2fb7d77a6e5b9e70d431dd4dce78ceb972e9e4b63059e350efaff841c2c42bc29c139b7fd070097556b6281b58e074d5271d9f66c6744ec6dd3b9db2f4a21aeeb7d
-AD: 03e464d111ac9228d39d22a00120c6ee671fe5bbf462b1ee3fdf348b34999518998ac4e175ed48189c29b49b5527c27c43094eecbeaeacd3cdb48cd15aa82573e884a7b97bbcdad610a6955f7d8b04f6f98a13a907bc2bec4c940b77582b248f5fced1771f810977b2d0a4fa48bd4d78e4bc383bb92743fd
-CT: 8cf438aeb0cb29dd67506b9c1fa9c379c78b92fa3c1e478443ae38d7b4b50235448ce2a88467514bc9db95844ec1baf4dbdbd1b0720e377d05d82c3b58b52af8c9c50417b39ad225e373c7ff18ac5a6ea5d182b255f1c8a2766e31e3e4e3d55dc08dfc64b818ead40a0e824b06ab24f0dc9f4f0c383db7cd4d40016b31701bb401b126dd
-TAG: a9a885578467430504731d1a8f537e3c
-NO_SEAL: 01
-
-KEY: 585bbac0ab4508afb8b72d84167551aa
-NONCE: 
-IN: d788112213d2b8b5b66b056e8b3e344a7876f6193b59a480c51fc04d3ec2e5166344c833187b14117276fd671a20937a4553181c29d3d85afe385dd86093708226f082a2ea4ec3288f372c772ca7ceae86b746ff428e8add17b0f34f8553e3db63f55224c39edf41f138a2c28be49d56aa8b4c93502b9794a16310f78b
-AD: a29665261a8eb58c88803bcf623dd1a14e76af49ec5db72a267f2ebcbc479385fb6b32bafcb1239515d74a8282b228e83daf282d1ab228099b315bbed0f0e6b3427e029cc28c025460a8bf0914bd584c13e7de7830ab77fb4a9258dfdc9fdaa96ca941546477f04cea19a365a27de34e23e154e7419aefb0be0e871bbe
-CT: 774c82af194277a5506e45ba24f2856e4e40c0b2b8b47e43d94c1faba498884f59d2ae1cdf58c73770279c96feeee3025ec698cd8f0ae25bf0c9fbf2b350674c317e52bad50aa6ed9845e194f294eb71ff192604af50ac7192f308583a3edaf6c7aeb588990be81b801dc916ffd621dd4016e2b76e9078c89fac9da39f3a88f6548006a48b0199a732
-TAG: a5c8f9daa30b045bd3e1c1b01f438518
-NO_SEAL: 01
-
-KEY: c5d727d159dd328b4160ff45a183226b
-NONCE: 
-IN: 88b4be77bb8a2f37bc5e84ef9da92a4b8c3777dbcccfed13b97e93c19674c8c3f13119363ace377a14e5f36501ba9a3898fc09340886d91bf0a17ef0d028f2a92ec150071623a4a5db8e56e99e764629679943ea879ec7634fad1480e8617fe834c26210276d7db208b13f9b4c2060f2867aacb1b47c8e110830beff721dd8d120de
-AD: 5f6513ad3d490f784dd68ca1df41e8c8e1ab9a240ea8e9bc22d0b1d7353da94d5d37c94f0dcd1a2dedd6d8e1c79a383e7e214cbb6ee2ccb7c6d894ffce5d01b6cf13876ae2648d36adccd88710d7d2ab6d43826d37ee0ee3b434972a2cb8f4db1c3304cee0a352bbef76f05de0e6f55a410eea5e697afb197f2483f0200d0abee224
-CT: 881c0802db519ce1595573ff66bbee209eb11c675ecd3303c38cf1087b010c532e1357732c4911ca9db78c67805c95c829194cd413b635a900a08454c6eb9cfa3597ab531fc9ddfdc5b02b290be2a618df7d03b1ab465d6d03e8b87a430bf4e80d8cb9916145cf2d2342a91fc79defa151b1f3c695608e76ca2abc4c0383897f1cbb9d4bd9969b2f33813e2b5502
-TAG: 43daa08e6eac70e3238ce655adb65005
-NO_SEAL: 01
-
-KEY: 16af56326046c92afca49fe173d643ad
-NONCE: 
-IN: c49c8e5769670384d23d9af9834026395d3f3bd32d88e61ed06b2e00e52a5ae4fe3867993c2af95203cd4006470a89677864431fb9edbed17412913bad4bb3eaff0fccaa150c9b13f83b9bf06698af844841a640d6f94d845296638ac27fb5ed87c310dbbd36415161310b284b8f84b4e025267906e0a4c822b76a682d44a70f9afde9bcf48ac2
-AD: f713886f4086026779a7e479fa646cb33574e6c977d70b8da49c8fdbb395dc7c149a59e219db8e4fff053cb00e2a1df9850fce94e52fd34661fd3d4cd8ad3ffe0b4bc7ccfbbf42eeef3e30ce13cdfd77dbd067ae9f5aebfa068f6b7ae2c17ad956dc03511dfcc38eac9fa3c0c0e9a340f5c58e39d868b77dede54fea1173216c0bb8f0a6c2990f
-CT: d32a935b4e56472d92d9f2ced5d7d1ed0ae3e3481e2ccee201857ce1f427734fbb4fbe82a2b90601104008b8ad4daf74514b8ab3e42b6f6b509159ca04489b1175ce1e3fe33d36ea521e0aedff8c69fd00aa588d7a2eb9d2d551e2b8fea321f573e2a1df147535a873d540a3169d3ebc099ea6c33cefc04a2d55dc2d47237b95ad269fcdcd3c3750af426beb4edfe7837b413f
-TAG: cbe0fb9509c224bb0e8e33f7ef9b49e6
-NO_SEAL: 01
-
-KEY: b3df227e6dc2c846095e2a3b825d7645
-NONCE: 
-IN: bf69be81cf0b340b006badc9f644d10376f4f9a7a78c997edb8729e3786447f21e97e4c1e0c0c74e01ef655d0a84ffc04ff7c6712ad65adc9a0da2e3078d4c9e796c9bcd71e7a9da26b987990d366b5e00a23a93652e10942e07a6aa01375af27080c9cbab5f554497abc48260937a6fe895361e79cd3d5e78c1a65c6723d4a4fbe9b3dcae3c05699cf6d3fb
-AD: 00898eedad307fc017917a3296bcedabaad8a505edd34e93d92f3b61797ddccf3fc31144ef70f255be3b0c165c97eb8706f14c495f4aa9b3f15d2dafd65bf6741d67fe240967efbf0e75e610db9a8f722035e039b5e9246d258084a04c12ee8ad1668032f8caec737481fd894dba2ef702d3e6089acbb0fe0bdd6daa2a5cd47fc62603499fe3ea37365072e5
-CT: 578bc24ca3845e23204df661cfeb249551a695ddfec5f789e7f0a9f916abc8ee01d6233c32744c10a09b5b19ff9ed15e9f10de8f93c8ca1ae3c34e26fdbbb7f3b0f5f8b064501830d3cc982da99b294ce51bd33085c98b0ac0bfe44a8f4a5a26511afa3461aa88b770f076fe119ec90f33d8c9e7777f30b8cc95864f06e04dd8e328ad7a2c7dab83b03abfdde065bcd0c7d6dd47389108c4
-TAG: 3dedd1054f1a29286a51817264317b83
-NO_SEAL: 01
-
-KEY: 58a57f04d1d5cbdd1bfbe01dd5f7e915
-NONCE: 
-IN: 5f82d481a6a3856c6f0be2aca54d666f16de88294a4d763134dd51ef03661bab45da94b9871d94e5b574a52214b22c92cf9690ecbffca9b108fe796abed9e608778c0b99d7bea1daec08dae89d5f7229c04fd52cc906b5f5b9fc0f0fc1e0b2272dcf4865286ee22bd9edcce1afadb579ec72cdf6038cfc75c2dbab5a1fd64b6f8e200d1ad0afcf25863293fdb7276648de
-AD: 4b662822b48005fbd85bb99e6a946eaa74403909f646d914a236eecc5f4558b60b2efb1584b1f32d936b90428dda6568515801d21d24d6fb622e6463897c70be01f81fef741d6dd5c6556d163c3f048abe49f21817b41850ce79d7ec1fdfeba32935b58d898e964fa4b36f79c0f1f560b0afec3887ab325e1a025fa7662f9baf8e08a9ee714b8369621a2f1e6d2e96896a
-CT: 47affabd7dbb4cce7666108131ab08ce0aaa883628f4b33369e5f6e5a54ee4a6596f25ecd54eeea30e81b41d357cb6c671adb6acd3d4e6654feb2ab1f3259692502efb33c5121e0852cbcb2dc5d9a4c65752debe9c4bf5e995fc909a2881621d46cc220806703795e61c0fe74c99e3c1230521b1f97bcbf4e95326e2d581f0cc879a2fc06ef88226a4413f9e9985edc913c418cc198c4df13cd46afc24
-TAG: 1e54066c6cc37f35c62b47426b609457
-NO_SEAL: 01
-
-KEY: 64011470970333b7b677d4ad8ebf3ea2
-NONCE: 
-IN: 882cac1ece2d22a1db7f8339332379eb68516c8b7dcb3c089a5bfecceb49f48a169215313686eb5708135f379d89962af478cae865841e0c97ab47a57a456f634282c4e03c99abf7f7cc4e8360deb48160288f06e96cb09114877f9d91dae98828285626a1528aac87f39cfb8ad3db344fe4318aeef6f6ba14bd1edf9caab548c09f8eea091229a90dbc4b0fa34fda2bf13d300a1f9c
-AD: 0394bb920cf58806b909d90c046402c745f6876af85d8a281081e22a1908f8475126594b39a0e191a070bda7c78d30dc4867e69ea522cfc962fa5f9915daea9133e998eab22f32a18957a3cf7d91c6f3d54cea94875d60be694ee841fef01e69bf5997ba4f25e846558431eb592605265f235211c2bb2d4807278f4b9c314039d0768df24e9c098c6a01c689d6a143073fb1a29f4400
-CT: 17031c5133a426d96de93123dd347d6a3d4a71b2bcae0a0c690ca311f012c6ceda4f7fc054b8f9b59bad54237b64b93331b99f1305801640a68e7d50cef581a57ff2564c90995a8dbf57fa8cff046d0b946af5f68e0aa3d73262965622fe6d35c78f949a6cf9e4f62ba71accbf403b690e31f610305faa6737a19efba1e1ee97084cff2d125bd69a5a4ff99aa399df650452daa835b3e54114b295f00d94fc60e2f8
-TAG: e5e72cda6755bfb3a44377945adb5ca1
-NO_SEAL: 01
-
-KEY: 4852e546fdea545d7dd12493a687e895
-NONCE: 
-IN: 30c10d7a63b614bcae1b79b07c252dc55f322554ac34ca664910fe4a0c9a33e30698e124d91cbb55cf34e931807cbe591a87667f2284c1c18dacd108163aa7a82e274ae659c4ea144191e3fc0f82d4cac929969a50b98ed9fbee52cdf465a1f0535d7d7df15a9a6eff3f4a14e254571cc47f82716d7a835dfa839213677c4da8c8623517244891993ad5956f65d318d9bba16f1eb54d2974a741ac
-AD: c5ded7f545d2eaccbc2cf5cbd1b38b0ec3b6bbc054ba25a16efdd448e5a47b0085974e469c1b0df22441340170d6677f5158e4ccd71446d7ac73dcf5fcfe4ad7248c4ddcfab4c8ccab0968d74d66d9c9561650eb98c088d87766440fc9967e8463febcd12ed07f7e44fef47cabf05274002d0014c4e31f230a41171868db68bf5a83c902724397ed181dd8c6768a898e0c78f6aeb886df95442e99
-CT: 7a3e136cd961191570c1b0b7f798de4998683da7fa9ca030a23dbc493f36c48bb52cd1113c3ea97ef2b67433c00195000777fa3b75a3f689a66b148159524a1fe9576587948760b279cda56164a23748564ec66ea51368ba2a900c97169eb33cf1e557f46100193575737dba670175035f0d921675d45415c6591cae079698e6b1f74e82d4b9216c20e907b148a1d514b2cf653d2e4994f7f668dcfe88dc49c29c544de96d8dd0
-TAG: 3663fb2672223154981b4c580ed3d2d9
-NO_SEAL: 01
-
-KEY: a65b520a2ab67a24fb8fc669c41f2753
-NONCE: 
-IN: 9d1559d283f7a38847088116f2156b19a8feab0731f04d0d499c6b0d21b8563a89a9c284230c1298b28a622cbdd38dbceb098ab896a7259caaabfcc7b0d9ea797178c18aaaa351c7f516342dcb9d3e91405882c8faa9a28f7c67f3db8913b31c0dcd56472d8ebbfb20cda2896a66bff2706b12ae0d9bc8c6c123c02f1f0bbaa418c1806482423eac72d718cad0dbccd208eb81663a9d9043d6ae7a52cf32b1fa
-AD: 2538529cc6eec03f70df2ab085027ce015279484981422f31e58aeee31e79703d72752af2b8822dce9b385f1530f19e692e00e20ef973d333f4bd585ecf122bd4ed9b0626cef46baff0302c71411d27e372361f36c7245096faff21f0236f3dd675646760d5687b3cf1544dbcaa863f1267bce04bca976616b890c7c6ff3448d16072c3938f9b62377609950ff7818cbdd21fba2560bf1954a93517962181b18
-CT: 3bd6c7e8d29242abecc4c108c3194fbb5c319a94c0f61c432a730ce7611a005cfc78266ac4e5d7c95351e71d613f06f52d9d008b9d886f4d9a57bcc232d47e0c75ab755dfccc057a9c7558d7fb696a8c29843a8b9199e2406d23cd6507d35a872fa54cb95e2cb9af45405ebc6b6ee353e8a80debc393329bb9499c61c6344a6380c118f30fcd76376a9765517652e1b21ecafa63c0d19c1875658f1eda89c15ac2daf1a6f526ca72ee792a4f
-TAG: fc16cd532c926ba01e2e6b15327bfb3a
-NO_SEAL: 01
-
-KEY: 84215d2c8f86e5b7bf93cb0620da6bb7
-NONCE: 
-IN: dfe500919f97713f6d9c4f53913175b162b8b7587d85d5b63f0cd5f51def23119e2e02c224142ecfba7f0a519aaea3c28be20b9c2a9c98eb145afd4db523b7f0b822e67dad630846b2a192bb146dcbeae00198c81b80c290d881125c24a6b01ec901b8912bad5b081ec7d97d6997b33052ec287f692489df928ce36cba1e3d6a41cf10c697a9e1f4aaf75dc5be054b98965ec3ce173be7e127c4c5387048ae6ab5a8d247f3
-AD: 6bf6222e64a46c90f83f47305554d090bc8d3838b7a856f0e5e1d92c4e7231eda6af1d9eb7ff6ce914f2256a3b0c853453b9bc75e46109cf8d7e8a9dca224e022d3d1a139d00476775622799541edf9d53eb645a40f6d98ea559e181d96e4df0141e51fe067542300581c0424f534d2c2e3b1b27153c0cd496a1c03301226beeed2b5cce0710d1f485e68b44a918b63fd8db610c7ff894514e272b6ed7ae33a38907e0698b
-CT: b35e99ce89dffd1ec616ed926c6faa54df62ba5659d45f64a5f014684138c93bf152da8a495e9d067b13a30b9fb84847f56231b2da4d87e6cd509a3e38a9ff47589c627e5b5a1196e27fc7afaa14a8432c2d10d8fbfd5d6d394e4b947c456420708a76c2aa638df7de119c160636fc8dfba32227c5de12e5ef429da933ab04e77b489f2eb761d0c753738647ad6793cad64b8942f621ac67b13bd0cab106ffeff21f24c79de69424e50ae550f2241d4029
-TAG: 202b232472d050b9bbc68b59a0c02040
-NO_SEAL: 01
-
-KEY: 7c02b6bc3db61e23736c5f36faddd942
-NONCE: 
-IN: 7e5992ed0474f4224b8da1d038eeb78413fc2f9614fab7120043e75986a4bf1114a80703780a149fcc8dfd115b768f45917065c85176a3f00be40b427fe3765d3919a5b741708624e29bcae876d251fd46dd8d36a8ef66f671c25f984761cf7f75f4329de7093937cdabe32f130b77531ab1aa0a1bc38fbe2758c2664eded828b2589fc5c34d9a0d57a5a4463163736f419b65f0543f50207fff4cf1065a551bc00ffe9466538b673b2a
-AD: 76e430fce1a7d8340104e6001f1c2048d457ac335c5453e48727244b75c3c4f04f55afbb5ce55ba6f8632dbc168ed715b83968a32e5b8e91cb24abc9efee6dcb7a8bed9394a546f0b9efc5823ecaa192df061eb41c671bd863498c2130f322074a711ee43791a1cc02b5cacccf25119ecdd99233abf3b131c83ddb8c62c93a0d653e91499e7481303adc8dbac615ec464eb8640ea138f6236b0ee31cea060f97ea9145a22d15e28eaf6b
-CT: b958decc680d5f79ea7b863214cfd190ae0521f94ee6b36bfcc403139782bfac3d33fe95c81f53e83c7d0c9a8fdebbddd79746b550a383ece1b5c93316b2fdf5aa36b4e97f739f78ccd2de9963ee7fb4d77b581cf676bb679b2dc4a48d977b45564f21181dc60ecee84d736f2324196c20327495d18973660ccb5dae69b79853d12e48ee0706c8ed821b7f722e46f35c8dee2b7b55ebee01dd3ea1e8ef80493cab6b27c264a67596cee06c15062e3a96b140d0d9ba38
-TAG: b6c47410e6f4a2f2b172c6a4490732f8
-NO_SEAL: 01
-
-KEY: 1f58ccb33649d0dc91c50f2aedc95cbc
-NONCE: 
-IN: 738e04dc5a8188d775262c2cdaa04468844755dc912a4edf9db308efb3c229b8e46b2b34aee2c6330219bcd29d3493e3cead142cef5f192b043502b8a4cf0419f9b3f5e001a640541c84141e36d585b05a2f702356bd39bda518c42b461564326969983d22c3ac5a2aa214807ede803d57a61c9547505dd7e08402cc43e6ed1574a48366cf5b5573afcc7aa3c4d4721b362d20a58cbf251315f2b5f9e2c97c5ef6bff44beaa5004e5b7c7f28295df2
-AD: 93f7f5054605edc769efc30b35018ee6c929a83bc6454352c69ba9c72e4b4ea6f51c9ed06f314b5682be6a701c719087765d0a7022e5c9d495f28a9053bd435b8b834045c3670856149b08dae742b372a15a0184375d50eb09877bf94f63859e64228606791c516e76c5695a4e529b9dc5f76eff1d4641a22597e4460aea4eff107348077d4ed2d6262744b0a2d6610f25264d905133309ace10bb52f7138674c25e5d43ededbd87c13dc8fd9d3b1b
-CT: b3a392b1fff0157e95f82a44a002b47b18d1febaf64842fe9011484d618a2e855c4efcccc7d08f02dc9b53d0bd4fc8013e01e21fbf2d9bc7fdda69e68be0c06d32003d045dca6bd251c0bb8c2cbe3693b252265c8694295772b767f83661ecefd57353f6f1c442f9d21ed98c55cbe1db8171ef7b54fe3e3a1a253b4dd48416b5fbc7c18d73692e9fc90dc75d4b88de1fa47c9ad33ddfa4e582d3fc61ca2a8b1eab898b9992c8e56d170730454ca50cd4f28d2759388cb8e302be10
-TAG: ac502a9a52fb3a68a7e90dc639c7ad42
-NO_SEAL: 01
-
-KEY: c67510714f556ea1744af9207917eb60
-NONCE: 
-IN: 7040fde3513cf7f1886d7be9c0f371a3b75415e94c3bdfbef485081199bec4494beeee76dcea05b6601ebd4c8fe231fa16d3b0f046eb3e9c9ed8baef25bb0ff6bc85469b2eb41b929fe904735f819b241b01230c68c0b61577899426bf0dd30e085cccb4ac290244d8c1cd7514412a3ebc51aecb6bb4be1a5a4a8d2ff3fc99191f7d7d0b44fe2cc4ec34deccf901f54e3dbe19d2dfe663855fa9d93a01ab14faed7f00c14834f63e1d153441c6fabb3cf22506e8
-AD: 6d28b410c788dba025c387f5b94c0bc392c69ef646b9cdce53dc169326359de26a721703d9a7c5017631a469da13b2d9ad9115de7d06922ed6f093792ac25ae2e27993ad6be5217dc4f6c51e18f230d4eabb01a474704b71b1407d9cff921bd98e28bb60c4fc019b4d609667c747e83eef779ee62000b6800ba2666f415dccb12d43af4f585d3185d66ba2ecf0b0fcddf762445dd1b6154591dd069f03977243b45b113b6f9b110f9fdd96f0b74e2c9843a45c6a
-CT: 71b347a21653cec3d113087af2a2cdb4f890241f44e00b3373769542cc3dd24c3d07502ed162dfa10be9906871051b991f36b2d5c4240df483c2ad704be14b9efe79ca704e8eeb9dc250e75a92ebf5800c59fb9a6a32228fa1121d21e0b423b77e20010d36b9e6c68dbc000f69bddbd521a1f7bbc9d7e431e4e46e5094be96a928c6729293d2d805c468a3993fb7439f192b1142272a78585e3b7fcedd2f7cced52ab2bc42e2521603b89ba7633fa3b4d07d9a314d1159d7bd5b2dc5198b0c34
-TAG: 0b386c3a58ad23e9a45f00ae107d319c
-NO_SEAL: 01
-
-KEY: 171d25e195bae2eaf666993f3b42d690
-NONCE: 
-IN: 8775d6aa2e46ffea6ad4439000a968bcd4fce86535b7265684071a498e0bfb37646f56fad79e0fdc4d6016fd1e935dac5ad74b11c69f5261c3321efdb9cf03f9b7ec681a7f708ba8e3f66648b24c41485a5147df31385809c800155d0d4bbf41d248453302c3754eed4909b267893309ba5249588cb4a4a14b4a29496f1e799559ac9f4baba7a9b4cb5bace1c11dc0e7ef7a2ddd2596c29cdaa378b97c7d3c50db49bcadb8e1840c6b9fa12ad88c0b8152fd753efb04ead427
-AD: ebb169a863dd05cffb9deb866bdd130a1c6852046881f3f8e9013158c83bfcbaa98743957ed4b0619eb88d7ff69b3a5d06da74076c3cc2dff83dc0375236d363c0e2b1fb60c9cf10ecc0fec94757b1b719abc7066af15ff9b66788b38083f766d67005369319967995407ea20339ba27e7bf1dc263fdd54ddd8088232a500f605ba825fedfed69cccca75c207b06594d1d0070ed12a259d4f574f352d2e2ea6fa45199213b6a42d53a7c717250715e0404f2fe7b64e3ec7e89
-CT: fc16bde0c69d5c894642f1f38694eac2bb3968303f795bf0118e43c132c9dd22ec320ecffefbe878ebe6b1e0833d19515c07ebc83f12cd9bb50d2658e6d7fe44a9fbcc2225e93ed58e1bebd78edecbe6c8b3491eedfdcc957cc8ddc95d8116d50cc50b1999ac420802605cc652134ce51a41533e00fe232344e805df146a952b40ce27a2f5c6bbba2154489ca40cbb617476ce6ceac1a6b9c0175ee33615f252377f52583e970f77795b573610baf5cbf5edc6d2837244f88bc155f71588c9c4c1c802be9c
-TAG: f6725998336b3ef020b99818e0d932ac
-NO_SEAL: 01
-
-KEY: f7db0fd345ca6ca82ec8624950f8e672
-NONCE: 
-IN: fa86869e14df0fd8e77eba7fe5a933fd1bc58654deab310a03aa7202a089713e323a323f4932b4b8f6b40982d6738aef48951f621aeb82a747d290d93d1eb5bdec6a62fe66774209a4aea7261acff80af9512af090e0eb0f5905ce8baf2a0ec50ed89906d8d67f370639e6f16eafbdfa982897cd5a3f88929d7f1032a8b3355223bf666be94ba9945fb5cafe655d59af69829ef92365f54ff3eebc45e01ffc439b16e23ce892ba6db7e661fc3676a175a8ede746000ca147db57a14303a1
-AD: f7b826afe62356f985e8e10ff356dc9b5b9d9df24486523c3bab7db355c84ec7e4bbdf66482b74fc6b4c6aaeccd7717fba44eb4820a40f03639076776719ea7aabd3a815c201146428bf4c6bf1e8b056b5a22ebcb214fbba64de54089a20ababda5c860ec301f36e1801fc55fe8fa189f35722a2cbf83ae921a9537be2b4f060d918af9b12f9111909d59db7cad24418896ce49762223d8a20a3a83fdf24b64703c19c78f528daecaa8689f307da7fe0befa1d6b1bef24ac8d9f5f12b6c1
-CT: 3e7ee1a209b1a191f0a00370acdacc648833698eff4d42a5dc0b123cdf6f2985ef05e6f2d42c9cd04663635d240648da18dce158b21cc0a3f7a2c35441799a4f1f5622e11051c874b2bcc64314bf0b94c2589d2a24d996af57d22085a64f10135322cb68428fbb951d8b14683bf6fc96b1395829a0b05ec83eeb20e54daf7a413e070ae1e0b73bde56faac630363fe215f1883cd9eef9c3b7d076bbb56f6f5ffcce0d31570f79be8864482b6b3666424dadb674f873a1b52ae6e3d8ec8984edf54186e38c71602098308
-TAG: 4dba5b1385565427a987c9d0b030f4b2
-NO_SEAL: 01
-
-KEY: ca80ac4cf4057182d06d65dcdc09763a
-NONCE: 
-IN: 701c739ba0c146983b9e1fe0a9723850caeb818514860c3d4adef10dc5e020a8dd7f2fa282896170f9039d5b3fa629dbee3bcb81db44d0d68f9522477619269a59ec1a9ed399d4902f25271dff5c42f3747ab0f4b61c26a2c1bfe1c0fed02282fc2ef88b47825cdfb11df3ced0fe0227e8264132dd62af2d31f23d0c0e253f01c80400127c37806762eb28bc71f31807229172c78ae994b4ad800d6247ea12d3f4f902bb50b72c132902dd4faee05e67836facc7001c8f58475366668ed20d4899aec4
-AD: 0e91b38fdc70951b97e43aa9ea2c6f78d445d90ddf4faabd3e6e0ef74f528fbd5c3d4da18cc3d8bd3167b756da495cba49ea35e2db849bc37f6db8370b492d7f82f2efafa5444ac62835cb5602796cdbe85caa50084e51eec2651996d2da0dc18fe10bd6f374168d4c9ea0a36ba665148192252ce9d05cb78429c55256fbb65f1bbffb8799d63bf41701d1d706a44e3f27eb245cf720f2a329ea24fbea803c575513830fff579a1bde3daa975eecdb8d3956ddd374fe252637aac86ed3c702c4ec63e6
-CT: 63cdd8090e041baa9dca5becca46eac0addd544bb45a97a4989d45d21599ec70f843d9db38157d186716dc39a5d1a5c0624e6c825b5b7f1fd41aa542ac846ec0edfe6bc28f727823667a33cf6cb5ba1ba6654cd023857c53ff00a63b34d2c17ebae5d46dbd073edb7b2f9e02842dbf663bbe36238f3eaeb7a23e328b0d3d50f49674253898f360c0243722af266c934f021e4f2fb8747fae728d06717b2d68cadbff762956826c910cc8ad2d4aea4518d5ac4deec978a13072fd1675a272539ebea31d736c759227f31abc911e0e76
-TAG: 9f0202c228ec48f4be6b2f876fd05a83
-NO_SEAL: 01
-
-KEY: 9c2daabcfae974ae165a2ea58ecb212a
-NONCE: 
-IN: 09169c1f5d873f03821393bef013bbcafcd82314cc986675922e2d43031417c8e65e625ce737af4621aabea6fe75030b84acf96967e791f8427b8f052051d6247a897006c6ddedd49cb7148afa5109a561e78abff7c55b97091f356e31b5667270d5653a497e2503d75e5856ac1efdcf3fb6e80b8deba8802acc064905e2b09d45e446d7d810971e5996540ee9c01fac1b4331f99ad329565a8db38eb93f2e2a8ca37d64d73cc8a7f4fe3234cc155226393f1f2ad17d0f01d5e60537ea44835dea853e027dd597f7
-AD: 1feb0ca13b3022456a4801d8f5382cad95f7a50e466a102d2208e7482dc8ba5c710d1721de7103000fe8811bb13fdf698844257dd164f1e21b0707251f228ca8bd437994526ed5684c4165c9754d1cefe7eb18f9e116a455c28db1f7c04feab74ab06af029819f51ed96f453fb6a634f73ba8c80e19dc62384e82feac70a12d42e3125c360ec2a97f4ce0a07039687ffc37c5dc1df1ed24f05a37591fcd5c34a3fc5f825c79213adbbdef65078f5e41a4062517334a67560ab215fedde53cd8129a51f27baa80f53
-CT: 4b9317e4be2256a467e2831c8a4d4ae0842f8032d83b2e4eecfaea439f745f1d0d07808bee4b68e3b58fcb65a4c8fd9b93cba2d5b4781d28a9cc01508e9e85796551064867551f9083cce342ba1aac4d2b8f5b0b0e4e3d7c82082c441467e47aa2b0f47e167b28fd29cb8d5ee52c2298c1f87cf811061d922f056214346c1ec3d2534045c5c485ccddac7d9998d3d08a80a62eceb2ee18e1a27f97616969df52ec486015974f160745667d6be25ffc20b143d89bcc8b6eab9dff82ce3c8f95a034316a8f2f2a52674105f1246b2daa28edfd829d
-TAG: 0361e65b1fdb9d967492ded32e1fe811
-NO_SEAL: 01
-
-KEY: c98ed84949749efd2ee41eaeec51edba
-NONCE: 
-IN: 41b87fe62c82bd34cbdc70033ca8d2ec5f13eb2c14947f97fbb5d97da7323f8eb5c2eba210be11b1ab9554feaa516aa493822af4a264c8849e9c6ff41f690f44966bb49c9c1df5995de8070a2fcfa42d0b0b5115a36738102134f571988ba4fb210edc3202d3c74b5f8801a7d1e217b90caa27acb49ece590ebe6637fb6e2f5f0b849f29804efdeb8c102b3e3d2abfc4f6f2c5f71f0a6e4d5daa5cf16561914f14601edc40547d55f7d11eb4768d5c64fc621d04e8c64aa3aa1245c7192852d2ccaaabd448e06f806eae66da1b
-AD: 2fdac5a70356c2c8d70def497321c6bee8ebb08a5abc8dd508d83f03bf1a09942d7f7a387d4f875a1ff16c7b5abb53d32bcc372012eab7a3b848a93f7af634eff8c5deb3269d418be698a3026f6f08f55a6e31543105cf1ccf56193cd1af802f32e10512a6bcd3101b7b54a8f3efdba03018d5f2475b51bd65e5e183a62ab11c9462450883e3e87a9640eac909f72b83da8bbd34431ed87d14c6f7e79957067c1cf2a12b5fa083496f903269a3c6c8ccd5e3f9cc287904223ee62bffc4f157f0db409e82101e3ca5e05d962378
-CT: 7b056c9c7b393b0b04382946384ddc8e7ed6868aa722f6785fab15eb69caadf43246521b97c8d016afd976360365bbfc9f48c08b0eaf5437af8a9c23061dcbdd0d22e1d58c92951b43e013689afa6b1587f79fe9ad3104ee1f80b3c95388e35b0b9a5a3b733b32a3e62fc143e6255d0e5b1b55bc9439d3c1cbed610d36c3667378bbc1ac20d93a5a7e5563409a5b94ec799a5281213d724e46f4987588e6bc7e9e6468bbcf340d5f1a1eb1b45dc9fe9c832befff54c8a85db9c07196d7d45cc389fc9d62f4bf1f4bb82801cfa9c408498331eef4ae1ee2809e
-TAG: e8cbdc1d6d51ac64f16cf08725f81370
-NO_SEAL: 01
-
-KEY: 42ece9aeffc9d2e8ea02e73d1a4de834
-NONCE: 
-IN: eccbb9a2c1241c88d17204cb0f0c069e20512bb1d31f966349add203d84cbb79d88f7add957a0a8370b9a0e04c9f17215531cd48d08c4612bbeeecf3dce68d41724166e06a331e7897e8c7c6a6affb7bf07dae1874bf3bec044d38227bef5c228f4cface9ea37255e15d6b27e154b349b16048b0e7984f17cffa03da07924b190f9b91d6222db1124c1e4e77c2b989fe2a7c338c7316a49c7df0be173d0420e8790bad669f6da96745cf34cd2eb429d18eeb61a8e80a5e03294dcf3a5886bd1865e2a55a72574db8db04a9560f969711aa7a
-AD: 2aeb8ee162a7aafe5a72a8d8873ce3bc43a65fd7bbdef1f6ba71b61e5a9c3bd033e7e8eaa55e08ae381362ad0991d65bf22c99a425019c4cd7768622f108f5917a4be22b4ab65ede66c58191e402f8cdad69decf6552dd52b62e8d62268b84122b64145c97115373a26d2d5e59e69b7dca5f96c48106e9fb3f7fc7e0ab11c78a1fafc697fc73603d3f08fdfc0ee885f84572fb04fda718a21744c7e5dbace91b0e141fa82fbd4d1a7dc35edafaba7c5894778c5952ec787bb547a37e509b035c684a8f51ceac5e12ae71b165dfe957c6de15
-CT: b59e0770c689d60823c06c69c5874137f5e75ef02521b37f0759b5724798aaab8a1e62df81b73175690ca1d32cab6e7a9d7803a8aea420ab273fb46eab9e5f0773b7f5457d7a8c0058ed9675a6e1a7f15805c7fb695d277ba06adc3963606ead0cedb342614cb410f4197f4fad0b5df2187f8d2ebfe85ad3d5f59bbf652364c7e8c3542c5d7f15bc6e6c24eeb1d3232bcddf6588ab1c1953085bd0a1516046b76714d2b97718ce57ad23cd213507f6cda95ee9c5c23036cc7d4133c84a1d36393979f9d1bbc613350252a6de78d905607adf51368175a20106f81aa9ff9d
-TAG: eab1c7790a5941270f2ae49895b3113d
-NO_SEAL: 01
-
-KEY: 6ace8b5fa16054558c9d0e272573a7a1
-NONCE: 
-IN: 915466e994705239afebb8025aa965626973e41a750bd75f9e8ccc7c1078ec555fa618120b4f4b5e273fb9b262df73d39950fe5cc1c265c06a08e2318efa83c63dfc689de80966f45cab0d2dba603bf116b9ef7242bf4d9cc691a775f78148d2c75059d6049c861da5dc40d5f94848c7247a724db956d050975d613433066ab89bf91936e0fc85c61af5c2c61cd1eb414b9df0dc125a31a3805903a886b427fb78551bc696610833a9e55c7776ec1622abf839d733594864de06999be8d483f8dbc4da99f541c6f7e21d946cce229a104a57e4b823bfea
-AD: e54b90d037c375238f4989910d423bc58d32ccc06ddee558dc6a0c2f9a0f13b2332883e2c4ef9cce41d72cd636516b3506f28f914dcc88311fd7c79bff0ad32770e4847362affd98ad468117cf0daa0f5747c86359615ad6087ee18e6c58453be60f3bf30f8c61c1466d107116f88499fb1b5df9a01eb762317676d5413b839c66e5c1b74121f6f2f7408825745fafa2b10ba7450f4ce207a9cc682d1e1442f972a86d5d4039c4856ccbc00c43b5b3412f5b3f87c16508ffa527c8080a556944d359f388f787f9cbc033fb3333e72127e94c455b433222
-CT: 358c73828e032f0e0db608fa37be446820f5635c1b5ca1d8ccc2c5ab5b393243ef5229999a2c084fbb54a330bb338963740ba470973adc86e640fcc167a88bb940e5ad1723a01089b5e804b932138efed6fa0ed99c1ac4e9c607f466c829af04407a4a2e5cba486685f693a7b973921746902ad8a0242e02075cab66204084e6b281d58430f2d62bf55ad56ad279bdab0fc8c3d570fc3371dc3280ef3aea70d686c855d40ff205c04d457adb518d904f5715fc6a9a5f30bf1cc74703b175d70a1470cc810a366cb8927fb937aecc200928db6b73873935c429e2f8d595b418c5b1bf9c
-TAG: 01b05fbaa9f2257b3c23ed3cf91bcbd0
-NO_SEAL: 01
-
-KEY: c5bf40aa1127073b03c114b10f3f78f2
-NONCE: 
-IN: 164906110c34354a0d4cb6370e1ccc17a739350cbb11d6570f398d50efe3d9db1a97f00d031a579f56d23da2441295af18a640a4e33c29dfdc848d722786d9b73550bfb76da1676af24a7bdf5fd3301090bf342369a24ba830c7f8883db6ed77a2ced83bb85205ca31f75a16a58fbbbd163a3af5e5021bee2d2cece33c08442e89d3f4d6d2359b94a7ec6cac388208a689b584d5dd1103fcf6af10ea2c7cda4f690ea0e4c7376fe2c3e69365d982da28c5bc18d58fe384c9ad2689f4047f9575e54970961a02419d9f2bac8061ce943f132edae1b9622738593cde52
-AD: 9f05d0391cb128690cd8bd120120f21725a79e5d2d0ef9e8322c04bf775f7215a82ce1ffdcf0f6562c188e84cb520f30842b8dcbdec36436725633325020cfdda7ed1af3323d86b2bc72d1b4a326f02be2231fcf133762c4fa76c8a7d5d3ac31cd19f63411a220eba4fcbdec40b8eb01e4ef33c6620978d09a8d428ce0e74d02c140881f46f6f81c2850edd82dc46f3460b5d5fe0b54f09a3f31548dc520f1dd46ed657995e63297b6834df57525408b944badf56234eb2b9a43b1422a5c6a59bc58be683e47753803f7341cbb0075b5795228b586cc571c1bca70d5
-CT: b4ac4fe9920fbb4e032f6aa65c75ee10a917651c49eab6a1187ed631c7069134e492bdb5e5698f8ccd5503cea5b1902d779c2f6e6c03b0108cee3fba03f2b47803e390930060ee4ac984b1ceb9488b4cce80e329d3427851aa7da2213eca2dc5f79366caf601c49a6b7a8ab068f1a9bb899b81a23c99a9de20466fe01398bc071c724b2942640cb1a00489e0ca7052f7a06398ad42500780f194078e3e77142df5710ae88540761b902084f57d87c2b0ec57bcb7eacee6743d419d8877d61666f93a127d22ccb49b5db0b93e4f4ac0dd9393d6351780dafa412380205a90fc8daad3dfcb1b7ffaff
-TAG: 8048088e7e9dadc4ef98777c0f6cb661
-NO_SEAL: 01
-
-KEY: b628ee6726a4d7925734ab1db3ec4645
-NONCE: 
-IN: cdccda3718f2b0963414d965a3c36bce0a165f8e88aa70ca9eb3de6510d02b0b49c29cda4a7f6d439c18cc8fd80b932d0a4190236a13edc9994b1c4a71dbdb694ea5dea53ef781ed398e453ce372a99c204a138739edf5b606160e38cc8444c8fb6e9cfc3aeecc1760e90d13d01692ca894572a0bcb02e13f61d8604a75bb98e96f5f36d10e70a48bbb4f73771ef97031c7da23550b3a12554c2c436115fe56713dd303d1c3d87bcebf25f61710eecc9f01c555494facac496c68ef44344aae40bbe1199de793096d4630018a725b130a27d38ab2e8c629e61d2d8d37b5974f9b7
-AD: f4d345e55ebd1ef9faf967d76736f7ef38e5eb9d659bf8a89fd3c6c3c674161bb54758f1c14856281a7dff7c9cec16cc138384f644544881d50c7692bf22513223b63274e3cb7509c8a410a389277f86cefc801d026b0049c13d85b26da1dbcc7cb387084a3d4a469788ef85b6da02ed2ba0412ba999c8cd83c9c6716cd66b65760c42d4ef3e324b470c2a5e031846fde97cadc448e87bec15164da006c10d3a846adab2b09c29ecc27ec8a9134d5fcfd2c54f17fb23f1a05dc8da46e737f317db42e927818ed00d36af8dabfef09c8641159fabfcfaed344b03a1dd6f9b883f7e
-CT: c830b0d1b4113f4c9aae46b24f39b8fbd8ecbc8aaea871db2e67583a5b06cb83ed8035ff639dbc9af92c4e3f9fe57b970f4e998a0262dbf77dc024d5e208d3678ae0d90e6fa5d45e2c7f0cf90676368c8784c851d3818e221abaa87c5e54298229a2f4d3f82505ef7bf45686aaf12e8322210a727cfd57c74a5f23bb5d8222115b28503eae7a5c600ebc4765011161736a346b535e1bfcded85c198c6ce6fccfcff0fdb0c2fc480bc6e71fd5de77355932d82f8eae245091bcf5abfa0d62123302e5805ab1f5006a976bc1468e3bed0452c5844029d7d4ea6cbd4a907e905dfc796c01bbeb69c54807354a5bd8
-TAG: 2b55edb998ac9971e53ebc8973c4e8fc
-NO_SEAL: 01
-
-KEY: 095b26bf096971842fae34af6833c77c
-NONCE: 
-IN: 3be9eeac265ec4eb947dd32583ac2e595505b363d660f8b8c2ef631390bb152f016ba7c75bf7c2e5e23c980d6967772ca4535bcbf4871ac1bf70b53826a34174e5a2e6118d7ff86d4836736c9a1f9de44c80b236c5530bb5f80e5fbce9814f3b0843a088afd029f4cd2e6190dd51fa804f8216448e7acc785ddc5478287b101bab80256977494fae87d0c13054fa4470c3827b2e8172224944c8c4f78b0a33dd78ee2bff16fabff15e5909f62c49beb455dd655ee1188b8eff35bfba72f2ec5e4ebad63d7db8b6338660f9b818c6832954241860925ea9b7eb07479dd6de27489d64b1a9191b
-AD: 2ff9a8d12980e63a378d6d635d319c26e8f747435aa5d797c6e21aa69fe21f653f56da7db7d67cbf54451f336f683aa9cf373ab40c16738c44efd3e664ecc6eec40d6af82df2b3e58d7abcf26b1d9ebbe6263176ce4ef8087d14b0d5ae1c16917141d2ebdc76a0834e8d83c4ef76add82e957ae376b210ce2d94d2684a045a109454799f3cb453279d89c60ba9d038a1dcb99540fac078d7216ee94f96f5cce939eca9b5f9715b1cf3c9f1e6be982897c2f25225919db3e31595713a4e281e9919bc2c5a88c46835ce05411d0757eb738ac9e45ab3f1a42ffcd6dbd09f17f656f40f1cc2c050
-CT: d59d30bd5384b86b19b33c134723fb7339048f811434eaaf1db24759fc232466f5f53926b84e740b67f457c8c76f902f4d70ebfd97696380de95e8e40e62434ab1089e3a5308cb066fd4cc7e862a391c2f727a63a01bfd9fdb8ceae55067fd9d6f55312f73bc2c38e4b12b3aa96edd156dd758e9175e67a64a17aedd27c9c70945a065216773d756f533b035f2ab53335a159d9ed3f97b2b7a57aef676fad95c46e3b82eb800197c03812ca4e580916c5f7cdbd4aa1308ab16096a8af5290a0a2330902966a58dcf2e72eea7ce799a8f05c986c6457b05e3eec2adfdd4ed38926a3dc07ef208c91a619848917b96a082ac27
-TAG: 3ff349a628f7fa8d3f970aff8a6302f0
-NO_SEAL: 01
-
-KEY: e27171ed1baad563d3d299abc0968b75
-NONCE: 
-IN: 1d209b32a772e87c5bc593fe943d3d7a1497f390ecdccfefac50ce14595b98b682111f82957278241f291e655b3af108a9cc1523721652b6d446f34cdba2e61464a3217b29344e18ce8f47f10da88c2845a009b7491bbd1e1f36ec49997a0fb09764ee25355de29e56eae7af42a8c96aa137c02268078b7f145fb1249bdd74f2d4e4685de75be4dd7fcf29482eb26b5dfa5028accbd23c3c654bc202c1c0ae7a597ef15f4d14f7b8a14fd45698470ac6355e04fe4a14e3b2907bcade18e4152c68631f313cbef48341008482f434c017bf8e1dbd048f0d6d207446e697fea68202be7283188d1227f21ae4
-AD: af2f6abc40ca82d92901de02113cb8f7638f0a510f6a03bf056a75b02beb10157c97632320fe14fdf0610235e3a06172b6b6e80d2fe18263b11e9a5e3a07758c55131ffca0a6c9b121c37a0c85658125d5bc2edc8e4e247a636d7793a1cde364ac22bf754844607daec0a6b939d05fff5a8c44ad030181aad2361ff61f20a224f2bbf2083b2fc2a5b92f5a66bf2f9b4c49b39dcc23cd3ba66b5e7c19c5b7b74a766c3da0c2b02ac80ac22c006e8eaddf48ce6f6887f69fff1fd0aaba0a0f70ef84b54280830a62d8b0dba55ddaa5b0385c586dee60d1a05a28863a081cb9b41edbf3ee9ebff98cff983917
-CT: 5931a4414d5a90e93d2ac47b673ae48b6080a3dbd08034312c36201d18508f4e1ee178ae2632a9a5ce0938687ac7e6cb238cff852ecfc736bb8b3c04b42752fe65cbf6ff897e207582e85533f7c238b0be14bb1deb4cdaff524b013661e4f2c96807bcd928e15e4e159390e1eeed036ce776b579d9f3fadcad81adfcbb99986babc9a8465def3de8de0cae19bdbf6488c12534a9b6b7d6fdaeb1d4c3be36b4adf7444a0b9fc69c69a46f7bdeced1214743f3357803d2eae24dc50933a733defc653dec56f0e0bfb8928de76699d4f7029fce9175b3b7cfb6c7ab1018f6f3eeb2b9401115c8cd382b06e4b9b43a097f42bebcc1493a49d4
-TAG: 285c1a0028fed3ab2a4d68946399d700
-NO_SEAL: 01
-
-KEY: cfea8c059d7b866051aa54b8977befe3
-NONCE: 
-IN: 5a20333c4dd9b7378bfb773b7d64ab80379d16c0a56eb1f48f53c19d0fc4519d0b5f478e37f16d6e5085af31dc63488f9f2cbde3e49ba954b674b0a4e20df811098f7b8e716efaee6a4109f16afe128ddb0e54034d66bd00d13a6c69c9ef2e5a065825701f5e85634e118c69ff0fd71bfccc25030fe94e778e7f474136cd3722eb5bfd88bc99fb45dbc3060a24ac2bdadc5c82d883c5c63ccc0f7aaf5384f4c7fb07310b66a7c767d025c1a02dc9aa3d7aa921a72084906ae6039f837454493aac3e3549ad3722a735dfce4211819a2d7ec279221d43360edd9a4cb930815c8565c22b94b4849a979d5e2a57b2da8ecb
-AD: 376d8e02071a93c892293902e369b8c7c44a4c9541b5050347b016243935408d0c9557b0f66c6cd493c1b8da68c8635f4c868e685674aed42f196ee9b6e56ee44510eb9b9e89108d878be917454dca0c62d207fa462a563a267270d6b1602d6795717475bc6fb5c87b747589328e39b1d4db3cb19f0fbe9791aa4232e33abd9e14b5fa3abe4705ee988c657677fa063aa349f1a05de045f3ee66da03af18b6b8b83e29b203e12bb02a4cbaf79eab3cfeb83a5a997daaf8f36fa9e12faee86c9cb351ff361351d98ee3a10af999799955a02fc46ddf56c23070319b3fe0cb42d07d811ae976f242670e618eed113b4342
-CT: e54e684ef16a2fa8e25786d906ccc7336773919c2b1bd832e7c48ae4a569db96545363ae0b28061fede28a25ab6cc0382aae3e6b31efaa4c225073640d0148878524a7f381f53b4d21a43e39afd4c12cfdcda442d5023a8d2a8ad49f4a002ecc8354c86520524017e561fe891b6962682d168a860210e0def1cb4be1bfc6590121c1b1988254757fc5a37ef916827a5fc258ae772773a6902b084817f3641c21d3d1d1e8818b9851dd05aa49ea74e16778593f6f486957345462732ab92b1e4b06c32b5ad3270c5ef3d80b4e4bd08451e92c26acebcac1a4592e08ea434a1fbc6dfedc677151ae9471661913db19723184d9ef4bb49342606f784d98
-TAG: e7be877dad60c889d397726bf1b6ea89
-NO_SEAL: 01
-
-KEY: 40d35704108a944f1e7582503018cc85
-NONCE: 
-IN: 515f9bd4935dc10e77dadd81f5a4e0b53eb858ded393979ed75330b80adb36f6b81288dcbc581e8d93b0e4705c07be3e200422397ca3648c9676952e60ea26d12198add3e33cdc589ee5a800a750d77978976344dd5dc710e56dbad462fab7fbd08c057a9f8765c4caa9418e6380038d288e09a90befeffb1e8d60e79925dcb3772cbb3258b15544f9c9554181df3483784b89b73bb6f9ca55f6d644c02fbd7e31bfbff45cc40132d2bbd08db6a27f5a302e1dce2f0afe4ef5bd4ca844c7900ba18faa1896a36896a1c80307cb37162174205665613b39cabd0a5b2dd1d5f8b6fee948006f0b2e31488c0c613c1d178b7800dddcfc
-AD: 9c86692c874fa785e0d9384061bfce8d8332871ecc195621ed478706c46057bb4fff80515ed65b5fbbca3d463a62e227c228a340143bf012233b1c05a50fdb4ed04b840d983f47e00e001844a0d2ce14f6dcea58069c9b0bd8824537d2420147be7caf4a88dc9912853a7fde6d2a5cc21f85eeabca7902b94eb79d5fa143d02585acd57b93e4eb6bcdbe289a51c6631f7aea7bd9dc0f6cc2ee8426b37220216f834033fde15e3543422612fb3d972b8eacaece9614a4b759d93dcdeed026cc90ea058d7dc985c10859d4ef14ac5cb14849d4ae404badbcd98c28663eaf7274aade4bb7527c4f960875ca703ee6732c9a3720b629f2
-CT: 26048431289e7e100481e2bb89a21a1d502ba947ac1921efd3c998bfdb437c2da0802e5eefff66de3af00bde934fb9109e961f179771c52de783680683f4bb752f877897882103146d030bea5bc3c03f923b477443e640450244cdf66d7d346954f6e862a3a577820d49151a82f4205340ccf2e11e4575b53f7ffeef09ec640df65a0b8c04b37f6dad7f940cf2d7446a6fc5bc2dc31854c27567b2badf6f8e94294ed5d899a458a080f38d6e72df59f13f5c8f736264fa2b302d5375d6e3f8c3abe4811f4f85cb6e302e2c12a892a1e7a78a5a33e4b555c02917330ea7a45f20cb59fa991f183d1e2a5bb1761005b73fb728124fa2082f41cdbc88bb06389eb165
-TAG: 5476c08e9561442745fd2f222d08b535
-NO_SEAL: 01
-
-KEY: 2c6796d0773d12455829a3242ac7d480
-NONCE: 
-IN: e0f7ac13e8cdf4da6c17f1221df18b98267277e79c362ec2793dbb842bb9662b5e2fa34e43cea12f71b4eb53d9c862f176efc5d91f06b5c532d9c30206eb4355ad442127d325ae2c30ec436889e3d7a56b683ee09c7d79768d6876ebeb67b5a2cc13df02ab93646386106e0473149ed77ad0ec91dd282712d0aa26f30bfc44f93cad39504356e3472c5bfcbbf9557cd85b53e33e1a88d2f08686955a3d876e4eacfe783e5f6089b3106295899d4a73fbbdc1bd22e1408a2b93a9d89c9489cfe7a9a7cda7c92b06560a189f5ed04d1f02489685c602f8741baeef3fddf610b1a25ed26d88daf9a05aa0a476c8000dbbf798de92b0ab8779add7b7
-AD: 1048769719a44958dbafe1a59a159ddf2427c5dd8746a8454180dbf59f48ff6467d760f8e06aae8d2d2a79efefaef2dd2abf33ba1929073685d0320a583a56e8748288b50c7eac551aa859b274629f3d3cdca5fd7b2a08f0bc830e929584bcba85f80e2eb12bf83de607e4749eaf7631c3545f06ac236d55769c8a08427abce0174c52718c2c08b02afc7e418bd7aa7715de95a930eaf92f54c7dfa2f3ff3691187a21c6bb9b238d2fe2dac7266de30c94c7ee96fa60caf5ec0f5aae5cef28264933cbbc295cade787321f4c12f63ddd85185997a63fec48fc5ddb83be3b47a94e15dda3f315e7495098bc7a0b7d26802e12fdfc6a94bc6c5a76
-CT: b43c0e7842006f6a7953d598794ba0a7df144e66e6e7fc83ee290431818d149673d1821e1df496565aa7996f9e581fcfe9499c01d8716fd3f6d67acd6641285b70f8457108063933126c95b665e551925722af60aed5343e429e645574a65cb6fd767b204ca8fa91979c6fe49377fe4b43fb9994e619e1dd962fa49a8ae5ae0b8eb630f112c43a4e9c28ad91fee9b5bec0b27c5472e30c2699e984dcd9f984a3eb7a7b7209a165b2f4a74bca555dceb81e3495a3d39115d32609f372d8dfce820aded274ac567112d295de5b261b10c01f4939ac532d4a0591f87742d9502d7a2201178b4cb4c069b1873c44b73a901e299d4a41e57dabdefa39907dc559b44e99f2b950e09c
-TAG: ae5afc2bc4096e308cffe8063277ef88
-NO_SEAL: 01
-
-KEY: 092e4a78c47bcd0b169aa35343c885f6
-NONCE: 
-IN: 0751fac5f54602181fac252cd2fc408ea3763fe229b80149bfb4b0044f541801843c8a20ffa1ec931830bdbde31efa998e0875c09eadaba6906c870549dcc650b865665c56b5cf29b75da63de088fe4d79cce59499518a04a17dce18879e3e33ed11ad808d470b2811da4617039758109f56fe75eeee696ff51c18d5ac04fe895518fe59435ed1f073b56079dec1701999ce0e5ab45829cbb85cb1f94dc67c9ad28815728f6de85fb7ae12203eff28420393c1ae5cf644bfb5633156e9189beb02294d7199e54ca0d2012bee2dcd6322eb90f41b3c6086cf0ac6b3888b21131f3e57643f2ab60141aeb17d9d07daa213658b52503482fabc4a0ba17bbe3a1a
-AD: 60fbcd82efaa99e17f3cb16a4d2a1e04659d13d84a83135a5e332366ba5e6716bb3674d27e6b2df4269180a0df25841e2235eed7d8eaba571b34178ac1a1041623138641f500a7d4ceb28efdc0ab45274cf26c0dd16174c77dcdbb79a7980e04d48b35efd3656e501e352b605bdd1b57cb7f9ceca5ca14a3953b2dc77d18fe1c4e1b859d2b02feffd3da7e259fbbf27721d330049f0d1c2729ed2f8048abfdc0e7b3609d2e6b4f5b42ece472f0fc330247880fd04768b678fbe20ba9581f3db18bf3668fa0c80751d78286e1927aa6e27ecce63fe883ee88e7a05f8ca2a387b86246f7d1a4791881b14f619a340163da62f4130b2a2c0bf39f463ef0af4120
-CT: adb73023c873661f02bf4ea6eb0fffeb17e3309d1104c9a9c211bfbd585f9516f775793c365d36352e93af1b4db15430b454d1e7aa913f2af994191c365d76a4d49eda531fa7ce9c49b98bad4d591c868fb066a2e00a6bf4b1bf529002d403313c5df306ae34b8c62e939569bb5401eb7ba87080ba505e5c40a3856d2e177d247a5d8c727b32a13014a00a57e9f01cdeacb4d1abd16f1548256d661c45da12c2fe3ab561375875c7b6e273bbff5659749631fe26cef86e02742d0cc3f63a76ae5ece59b6556ab27da9de1a20c627da8bef3c596ebd7b246505006d1a381c2a24dda70e52b126b919471acfce274b89e07d125bc69bd94f2c65bddb82441897973566014fef625bca7e342f
-TAG: 8f2dbbcc01538ccc45436e7176c2df47
-NO_SEAL: 01
-
-KEY: ab1405116f454a3b1f106fd491cdfc8e
-NONCE: 
-IN: f64f0ed5ca25e118f2a2dbf069a9dc0169ab0079d91c6552d4a7e8d0314c910ce0614e1f6157b0f758ed6d3fb3fc3e2eaaa9718ef30e8d0c136c8bd6dcff97c0f5ff8a5d3808d8c23f2a9ccc35fb9427afd10dc1c298e95b335044b8d33e414ecc17d7b34901608284bc175418910116410a40b29dbb379eacf4ead521db3ab2a3d9956081af6d7438714c0631147b7d1e9ee4789751d4260b57630bb573739a3fd0b19a7ee8c301d7f1b09f86e60e31d5f2a86c7a65b244d5e4d591df3df3caab80887ea5f1dbb569516672eee351db5d5ee4d662a3d3c0e48cca108966ac6dfa6e4f9b88e5e577752826d2da05f2677dac7c31774eb64b1b0fc938580a78e4a296889c
-AD: 3726f25fea1d10c2712d157e1a1bfa75d6f9e5bda448944ea2b7b85c7d4ff4ac00f68988f2a290cff3d5dfd6af33770a021b03fadd5741bffb7532924f3f2841a7f7658c49c6b915b1dc41ee4bb9ee89386c9911974979f43e71297bcb34ad6ed085177ea91300c9b42524503bbbbfcdcaea03e3f2c939d6b1dfc9c6b6e53e221568d2557bc3055752f4fd487b903a2a0bb7697a19a763fb7c615c7edd099f72e87849f57722cb0987651bfc476a0acfe13d02d6b01f761784d247301bf514a14a990cd4b59664f826649e0f389787641c1e5b87388cff42fec144d6ff3f382b85062bc21368c93019bacb56b643808a848c60bb3d804aa64e2b8fa1c128d6914663d9d3
-CT: a9e9a06e4bb83c215fc59a00bc1c14f1df6ca46e6b4daafb016daa235718fcccfc1ac698a061885c33479c0a7fd44e46e805869383232168940b1a9379bc652c565059ba81b4ec2ab435eb9b91de5bc03cb0a7dc11805690ed9abbadafeab2add15f9fd69b5ff4bf4ab5cdb4a6fd3164ceb7820530641d8460b83929b13860bd2e64b984407dbfd2de51e865d88c63554ea1f04305ab72bfc991fa5573bd6b41c4f8c848fff4b0c5d2398a57b4de4678ca4dfcb16a7612773a24088893444a8ea3d0916e4b460b33657f41d2b04d0c28653ed068a3653975402c31088cd74722d3bc09c50679d0ec94c1e84844886b1a56c4fc3b14614634f08c5b0868d276e9f8f992f94b2c55be5f2e408a498d27c7
-TAG: ee43dba528a9ce84a53ed8fc1fbcd871
-NO_SEAL: 01
-
-KEY: 7990cd12d13fbb929fa541bdb8e3107e
-NONCE: 
-IN: 5ba2afc1da8c18d8be3936a2e515bf9eabb93e44905a86773a38de7f959c49ca56d7f1fb43213cf7fe394b49733b031334729ce6c7ef17d843790fde814672ca982807b76475350210871ddf8309f59fb280a7d41726ba7f00ed2fd96b4a17aeb7d157130cb7e49c8a454cd08622824d20f86b4ba062bb3b3f9d4a9c1402a9d80f3324e4127ee57ad94f87d6ccfda76145363fa70df95341d483dfcc304757da7541a0f148036b2e2dc7f93697d8d275456107a016b425542a89ee33ec02289f5260257176369d990c8c89df73892d7e67227086c0c2c258e5fbfff8bf9129a230c229356fb0935738d2d6fb82992c3465ca5a9472ec06c7b5a29240b611837225c61a0e14ca2dd30f
-AD: 865a9b2706eea62f3fd3164805cd8fe4740d1ba7be809cad9fb39cac26f7c57d4c449f4eac03d87f87dcf219c562b9ee07ab3ce22abd46237eef8221049fe499c9189f789948af92bc434b24aa44fff600c2d698593bdfcaea878f8780adbe8dad2cf453d253e8668631a6eb831be01db9c7f1b7b8bfedfae83bcdfef3501cf2b2ea48bcb19f40a70733f3e4c3dd90e17912d5797fa46ec852edcd49b0780bf6287679aaad13a926f750ad7d3ca1ccab577b74fc0ce4cb22e5c619d2d668292c9db4a98c5acc4c49561a77275c06f5c3fd514ed8555db3e2f50dde5c23e84a38129e7a91cec8d168bc828d09239a5c6bbb180bf69950540d8876f9fac5d1a258543a771610991b92ec
-CT: ff7b2818b62e856952aa2cac1901c8f9b5a99c46c9cbdf8ace9db03f36ac17183295544d8170fdc3a16c7194a2fda400f8f0b251a3eccf639f539cc356ed3fd09383954a8119b536290865c30a629d44e467acff5fc323d2be97f29fb9b4ef7cf2c18a63dabfefd7f75e696c574372f4a35249897a3387a2b10c1a50ae23ea74560b498c9d06bede78f4c8c9d879667c8c8e137a0a254f3f881ce8d183588546e066314bf1989d1acadbae61f7836fa633de9fd0fcc5b3f72aa03ac432be8f7a14c8e86b45bee416acfdace44b783137e3135a801342061781007ab939a52c68d686f5e3b401240bb10e764211a059fb0aa00e2f635ef214322918fffd0326ae38ee939b4045c6039df7e7def36fdad7f5b65c20dd
-TAG: 3e003897b4d9411cbd449cd8dca5b58b
-NO_SEAL: 01
-
-KEY: 64f0a8065987a4713e35dede10afb708
-NONCE: 
-IN: 29327f95b41119679b80c3b51fb5240490689880ebb5ff7b59a62ae5e08f7cf0993c09b13fd845ffb32a99ce18c22bb8825c137c3aa622cf3a8390042c6a1a159aa1dcb6b6b21f4e07fada584dd21620b2fe0aef64dc609aac925d8b8d26915fc101031b68a4bc89898bb92146a0a580103da265cad1946791c5735b95d85d3f0f1f39a88f47b9c52e61307627c084d68d14bd14e3572825e190bc7146080bca423099f643d53ee3989386b87fe3dd9c383f6a58fc0437fdb2087b5211df2069bfd981d8ca785384cab31545ecfc35345f38837883dbde917155e631a46ed1444ea0ea8a5441bebd54e5f6ff914fcdd66d62efd223f34e16a880370a529b2ce6ade88e907102021dc87aba9900b6
-AD: c8116196a12363785d4d6fc593b23226a5fe83b00a77ba24c69644d2e52291dc59d2af3c6ae102707439f22c33251a01c41867f54ecc552396a5aa98ffc687e3a88d8d0dcf826645bc78ff9c1a3052481933c3e8ba8e30bc249e6d095699ebdc51684696a15dcc9e28d09cac757e51336f79a0cd5ce8d070579e12956a740666d28ead49c47bae10db20fff8dfe6fb0260a87cc6f5a879cd0b2f949dbff046d90cf42c7ab51337e8908302935e50755a4503107c84fc94f7db3d3f0e8eac9c0def7435676701c9acd7f4c2349c3b7324622dfc4d6ddd8265a810c000158260aa6a7e3af973f8b178959de409792652e9c4ed1d50fce2e5e6bcf205c6889ed717db7f4b14500aa8641b8514150cab
-CT: d6ee984b82f1097331400f383e04445e0ba21e8788f6f192b710b466d5d3433463f0308a3c0fbf7f1666fe01853b9d340f496bb0c2212ae3e3d34b0fa1adaf33f039201d1962f2b51031c2a4dd9aedc08f7c895682d1352e9a21225d81c98ac7fd4b4de6efe3dbe437d255e4464a1258d4497e2a1d4ef6c319869b78fdbcf4632743825112fc21acc0a1431d8cf8eb8865e695c0f3668ff5acd8e850373331ed7ae3bbe515b42c1d0ca0b9caa4df0048425fcd08850f23a86b4adc859291b5c49ed54e41778c7ee2a11da9598396aa889dda9513afb9fa0b66c0affa555bf76849d754702163004fe3e77ae5a7c46f3696bbd52cb8680583aa5cac22608c6d45b96770dbbfca14312fba61b3fd0d7041ded80d8dfbdc3f901b10
-TAG: f42a0e4e6e6a1e0654aca2ab7877350d
-NO_SEAL: 01
-
-KEY: 2c351f0b77cf0920873fb57c910cea15
-NONCE: 
-IN: 227ae9330bfd5a662af4137ca7fa164f383a63e5bc33eba94726a0e7a27f666887fe484680899ad8aaf6fc5426600760f5e6ba53b0484615d0089d9b1e75f5952ce0665d16a045b272c3c50194ab7b3831b313dbd800168a24e576cab5dca4319660fc6add76bb400376fa29cbcaa25adf3cac81f3e66a6baeb0d94ed92aa37271d2cbd8219c0647f0af6a4ba8a8e169c10cf6354122054a547ba046e67cf1fb424271d3d3eee5b51e94019d450de6c1f770395316421b61c5ee9ff00c910103e58d423946c68369730a974a392c21be3fc8223cd816e7432200390fd7cc3f5160795422c9daffed23df42a7f8259e295d43fe57f75f674886c6405bc6954d17c2a36348761ba09694964646cb86c0d8c64c00
-AD: 9d7d5e5f63267154bab863a7b53e0ba159a6d8a57a8c49e084b513b463a1e812e94611116dce9c1ceab2b7e18b4d69f7dfd225d2bdf5b7750d0d9dc131f22987bc812da5b0a8ecbe9d0ca2210cf6ed8a791d95c3f72898497226f69c8971c2da342500b75367842d14983384b5985041eda7f1cd73e2b5c71bbbec6537390313583bbd53d2d563848fc93d81579d8db321d1bec973f7c4e8f34b6cab8bd7b5789a7b40f599f2f8c43f6d7f8fdf940577ca8b5159e699d449ffb00acee0940937d491a71a81ee9da0949f8fa1d780f3957908819221941f0c5d011bfb2560acf2d7386f973358d68487954e26ea9ad3068c65b797307831e03aef7d1f1bba9ddbba2f251329e85172ed8efb1a689f8026b5068c
-CT: 4f844d27dd26df30156081194ef2a097a8e507143b6354ecd94d072c0068c68698fd04f2211a771bec45d616d8eb7eaf90140850c135cf468dab9e9f3dbf059b56efcf616b32992df407bdb735a8b5ac2c361973abf47029bcde46dd5b13728add772264f2faf60f3de10494b0606618c383c8929377f2390c4a104141a11711ba7e3a3c83396761d7d62a997e8782822f51ffd0eaa0e6c9e02ae4effc0686af29f2805039c1cabc8b826d1ceb75c4274e95f854a9f5be709ddf1002481272586aa021acc2fcfe3e6cb0b2a47d124bd8b83585b43bc38599a497d0de3979c30c81536ab06a1649a3cf5dc2c2a6e52bcbb05a76e35139c668dc8a3c038ffd1fde8c1b4a31de48341b5fd586c674e35bef3b104e4b84063889907c268226dc73
-TAG: 12aa2a46a9014800b3243d1020290d1b
-NO_SEAL: 01
-
-KEY: d94582550b2e0d42255f13a8753f8e82
-NONCE: 
-IN: 53ba297d691fc3abd93ea8b6f3d629584370ac045934b1b738a73c09a8236bf5f99f357b1cbb120414c68ee64d304b7751c88c563d5d16fa094602c0ad3c803a8f116f3a5071c049a4b88f19ba2d500a171565c719fa64e691bd4a9c4588077b0c2b91733a30a214e474d868ac6b301898dc85346523bdd4f6c9807ef69941a5369b4b7ff7fdfd252729d3829a7bde65427639de0b2b154b4830f57ac13894bbe705f02362f8b75367ec7962c53bd6aebbf15d72b25c08570392592b6a83d4f44d2037da8cbfea2456696cc39a3272e46a5b4fb837bc6e4bcd9606afa58d3b260e9f6f58bb5d0f07438f378b6a36c1931e9eaf923c2a3679a789e7ef5865c7e799ff4633f1b2acfb79a5a0fe9cdda9cf347b9664568def93
-AD: 2bfb6a6726c6564b31cca749bec29a8c9fd7bfa22f26af0a80db5e6b13a3b10367be6ad87325abc59252453422535466347059b7d57fd2b1eda1d6d37dcfa9da7df34746e1bbc98baeb4bae17281a537fff85c0785f9f27617e77333f11be28f9aa3704651e4ddd72502c79cb2a810c4686147cedf056b5f035566eb34d117c83ae7815e7e1e83163907020cf0736ff1862371e87269e5c8c1926e0bafbc10610a6ba6cfc273c9d9bec0922726dea04acf72b3f88a5fffc57e0af6dddd0396b4937d2e7d52feaf60d29dddc5b4cc139eb855acbb794b99d74b8a93e3731f9092b92b9bd50c846eecb6eaed2e51290cd1f98dccf3fe746c5293e0b970dde72835c44b3a445dc1f2bd67fff6b1a7e378611eaa42889fb92de1
-CT: 82f7abb31dfc28491697b3471afa2fec98728ce39fba26bcc769e9766993c8276f88613db574773c84c91fce6ee7dc6ba4281b8d2dfe13820723526f0d6f20cc21f305b792e9a2bb1622c742fbc05ca1f0121cb9f6e1ad6c3ba80891e2043adaac4f1bdf29260a44a182cb165f58f480be5f16b51fddfd0d264bc4a18bec589d24817f586fc8bad15df7cb4d48d788fe7fbe69f821b5558b0a664ee12ba8ddc6bbd325f9b83a024245b4e68b310f2282f4cc6005209f7b7aa6ccc025d435441e3bb990e81bcd4c8218b8360163ab266be4a1f5603059db2bb67e541e1edbe8e7762ac522a81f495f5ff8bf99948050e61c86e83134f4e1212f879c86f7fccff472fd9753e27a0601f914655a5f803061cc986431445021c907b3ae0f060fac13f3723867
-TAG: 5ef1ed1e2bf562893b094d58516c11a9
-NO_SEAL: 01
-
-KEY: 31d93fd51c2d6450cf35d9edd71413f4
-NONCE: 
-IN: e78eba6c58f93cc2374932fc21e54f695f2daeda3bd1e0121a77d178e3bf5c0e824a99042e8f2522df829d014e4d35a756780e8c07f53ca8fb78db6fb76754ad461665051c4572b2514804d0a9cbae1a1a013b796565eee13a7832ab8834b8406b1185332552d38754dde2344ff4f6e4823390964ba2dc43de136f2235b1d919e0f4ad60813d30f0ac1dad35abe3bee9479337c7b430841d2c722f12aeaf931cedd8a82053f697fff8d07f0af6013da7da58a5dfcf45561943e7ccdfd8d11fbe96a68a5a27982e47346500c0284caf8e6b63c6621e80503a7365d6693dc9a249093dc45221cfd88562e25910034c2c123e44e3b09d8a8a15547285d2596b98c7a0ee9d10b2cdb032d08a6caee1212420b6854181a583c15e046aa202dd
-AD: a4fdd42aad5475ffc1b122170024486406033c8640233cd9b23c286fdd40c5b69eee39cfbf965f7a10c73663f9804e6821c4f62980f8362a580bab446325b009a004b60b1dbd12566b55b42e58d8037d86c1050cd6ecaaac2fb0ef616a15bc5bcd8252fd459165795c500bbb2fb1476e5cfef9549db733be65bde391c810d099e3745a2cc7a94debe1f4ff6653b338123ef7d2f9a602bc9a4bbe757a63f932a802014f2f06c6688faf14332a355b1025f33687124399f55b6a5adb4864727ec6c5334c41d78d1463400925f6c29c0f611f35c9640045a740dad5b4f0dcb632e7f9a3478b526aa9f97cd9f8d3ad094b7922890e7b6d9c67fcc4f747d04ddcd115fba0a8f0433c6fb1bf6011a9cd153f866c76b26d427a25aebc60d10540
-CT: 28f6f0c288c9f92e80252e1e8d668fb50efda82552aeb5d075ff3977c37929d73f6639289e7c6da8c89c664df80b2387e788d12398d62d3c0ed2f9f918010d41021c464d54f016c4e10e85e29ba3a45793df2ebd6cdf30045363434387bb0d20439f4986e6eb7ae9fd85fe776f7b8035025624c2413ca8491cc6e79fe901b9c40ff3a0e37a7c7e88b56de4fee65861865162821e046846d253982e4ecd17bd26214b0923a4297d4ed9423395d856940829ca5ee74488c3b4d8aa3c5ceade17d8a3f2e45d3ba91360ac1c76d6a29f8243bf49c1d75aa41ba239fa6f3b123e198ba799e3b70c674607c5371894800954eda0264b3b82606433f71371dabc5f1fb3d703232533662920a241f613c38d16b0bad24f4aa3b336af89cdcd2f371e1bed7aaa47c56d17100a01
-TAG: 594ee5c93636cfb5fde940e3d561440a
-NO_SEAL: 01
-
-KEY: b06d694a83b14768ae26a8f00fb78ecf
-NONCE: 
-IN: c01130afd7d3f4276dcfc1ffaf4bb636a85d18e0778df6c6791b6edb92a617894b84cffef6556c834a4800b336dc295e80b699b28cf478a01c54052ab0d0d4208e1865edd6906e3a263862c05f033668d7eb5b42baf36c702d102a6a5c723974e63bec848c89d16584f0d1ec429c87686b1ccffd7626e0a83f9c471cb615541ccb02cb58d10e63ffef171f1affca492ace4d39fbf33bb5126c575963e6b6ef9fd2ee4d6efcae5afe422bbfd9c3dc22b6b47cab8dc04127ff93b016e0f92f5d8518d5bd3bc6edd45e0397440f1a4a0c7c9c2773c0a0cd3b890effb010dbcc00237dbed1177b86bf60913309bfda9376b4192da59a360afc5bcfaf8be16ea8313de97b417aaddceadc63a1c3a355693616413ed4101ad68f6e6aaa99c839dd2a9ff536
-AD: 18e3195358bae4ccf43ff8daa34902fe48f99fc1371d34060aaa442a43016a1d756f795fa5c9c4a828525554571e18c27134f46094790dd1e68471ee40c17bfa02f175b2c2f7f2aef20f00e4d71926560b58f015de19c871d808acdd341675d8fc19d1e6d4028e1e8926df500c4685c14729c6a056898cf919bf3ae429fa3ca8746495716d78c9a8f2ecde596f985b1c25ad0e73aa305a86259319176b4c4f3bb231fdaa478a856f46416ddb10a14ed23c96dcb86f5bea3114568a44d8fc6ff4bb47fd0e2538b70d964842910a682e7bc7c7263249832c21b7083a1e8b143828de0f3dea8b404cbd82efb19a11e4d60aeef13abd86621ccbc3d8f220715730eabbe04a6bf0e11a4f78cd2c4369ce2447a76f4fa48ef8d322a8a28a67039c24c4bfbf
-CT: af11369ee342454cddb8db626beeb306c71318cedabe3877ec916ce2074b2c3f1df887cc3a3e8019c10d353854b6b65c947359138d5decc62a42d50921dc8f6cf63a16062af47aa8cd50d0b2dcbc3300ba0d7d069a5e4b4fe03bbf7062c6001e276be116fdd00d15a6399d1b0db71c58f396f8bc7e51c2b1f47430d4ebd6c5d05328b29aa79bcb26927ea5a40c82715aa0e36cc83ca6d250812c1305c02ed4291a25762cd709cb3d808031b5f918ce253f622c1afcb83c43707edc493d18ec6f0dba4353a1cde7184db65654088fa13baf45f7643f0dfedf4058e6095156b791ed30827c556a7721658314356e7a3f3c62cd62fe938b008cda56ceca71442fa0ffeb78b13c5847a3ee9668bcd2a01c753bd797c240378505d1e8f2b8905428b23bf589de9af390f94f21630d1826
-TAG: df5a21a399354b2b3346a9eb6820b81f
-NO_SEAL: 01
-
-KEY: 06a4c6a8aa189134f5784a525d46ff10
-NONCE: 
-IN: 706b754094869313523493089e591d34868b708cbde9bd8b42cba8175d1fdb6a8769bb9ec156d44bcb8f9cbf2685a0dc18b5a802dcf7a12570bb9042a0aa53dfb19af8c0f13763f388d9626a480d6d435dd90fbdbb4292d9015a5633252aa0583498d6f7ec54460d8589c1d6a6d16a349d10ec6070e1cc52e5fb996f810d333675a7130e4f3db9f4db0e3fd3541d32e0b2efbd40ba70cd59295bc8d08481f0f137832b01bac1778ffd7450376e174067b3ec23d0495cbf936bdc176cabc3f42e2991947a4fa87dd8343c32fa3d7ac0e2d22660a0c128a00e1b51a8742fdb2aff44540e39e588c5920ea16293aaa522513c944d3b77f3a0e90bd9105319c170886202e336893d100b0a25aa609a49a8255f78233561f7b88256386d1c3c002c3ee68f2775585c65
-AD: 18e2ed6d500b176e49f7e1b5074c0b7dbfdefdf00a63d9fa2fea8c5e78a1c4ae00f17b23442933543ac864097629e112a099f3dce6d5beb1e3f3c8e19522c6b8f615cbe23444bc91a802edf8a08995a55125da805ebb073fd89863996ef708f7293069a744ad95db8c17cbcfedc331119e85020df8852d74b8092fd38ad424f3da41b4775beac19536ed801ac1069925b12303d8ad2c52c36ca5b4ec95e96f02ebc5725ee6cdc099e666d9055b789e39ded77a8fdca0fe2d94b8039be55b6a75209cbee4fc7864957402b50427db71bc75a0b1e3d2ed6ea20f12a980c5ee916067d0dde7d686570d075da4df7088fe5dccf0d440064a96998da6f318b603d513104c723f27484780bdad586ee358d821b480f9569e4dbdd1a45ab9056f8d8e5a879789a0d65338
-CT: 0f765d3893af99f5c3e6d9e15f3627bd53f8da0bbe6f3c9246d6f96fe9abb91cdecf66ddd42f833d98f4d4634c2e1e1ad4088c84c22191bdb9d99ef227320e455dd112c4a9e9cca95724fcc9ae024ed12bf60a802d0b87b99d9bf22590786567c2962171d2b05bec9754c627608e9eba7bccc70540aa4da72e1e04b26d8f968b10230f707501c0091a8ac118f86e87aae1ac00257aee29c3345bd3839154977acd378fc1b2197f5c1fd8e12262f9c2974fb92dc481eeb51aadd44a8851f61b93a84ba57f2870df0423d289bfdcfe634f9ecb7d7c6110a95b49418a2dd6663377690275c205b3efa79a0a77c92567fb429d8ee437312a39df7516dc238f7b9414938223d7ec24d256d3fb3a5954a7c75dbd79486d49ba6bb38a7ccce0f58700260b71319adf98ab8684e34913abe2d9d97193e2
-TAG: e690e89af39ff367f5d40a1b7c7ccd4f
-NO_SEAL: 01
-
-# AES GCM test vectors from http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
-
-KEY: 00000000000000000000000000000000
-NONCE: 
-IN: ""
-CT: 000000000000000000000000
-AD: ""
-TAG: 58e2fccefa7e3061367f1d57a4e7455a
-NO_SEAL: 01
-
-KEY: 00000000000000000000000000000000
-NONCE: 
-IN: 00000000000000000000000000000000
-CT: 0000000000000000000000000388dace60b6a392f328c2b971b2fe78
-AD: ""
-TAG: ab6e47d42cec13bdf53a67b21257bddf
-NO_SEAL: 01
-
-KEY: feffe9928665731c6d6a8f9467308308
-NONCE: 
-IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
-CT: cafebabefacedbaddecaf88842831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985
-AD: ""
-TAG: 4d5c2af327cd64a62cf35abd2ba6fab4
-NO_SEAL: 01
-
-KEY: feffe9928665731c6d6a8f9467308308
-NONCE: 
-IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
-CT: cafebabefacedbaddecaf88842831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091
-AD: feedfacedeadbeeffeedfacedeadbeefabaddad2
-TAG: 5bc94fbc3221a5db94fae95ae7121a47
-NO_SEAL: 01
-
-# local add-ons, primarily streaming ghash tests
-
-# 128 bytes AD
-KEY: 00000000000000000000000000000000
-NONCE: 
-IN: ""
-CT: 000000000000000000000000
-AD: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad
-TAG: 5fea793a2d6f974d37e68e0cb8ff9492
-NO_SEAL: 01
-
-# 48 bytes plaintext
-KEY: 00000000000000000000000000000000
-NONCE: 
-IN: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CT: 0000000000000000000000000388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0
-AD: ""
-TAG: 9dd0a376b08e40eb00c35f29f9ea61a4
-NO_SEAL: 01
-
-# 80 bytes plaintext
-KEY: 00000000000000000000000000000000
-NONCE: 
-IN: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CT: 0000000000000000000000000388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d5270291
-AD: ""
-TAG: 98885a3a22bd4742fe7b72172193b163
-NO_SEAL: 01
-
-# 128 bytes plaintext
-KEY: 00000000000000000000000000000000
-NONCE: 
-IN: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CT: 0000000000000000000000000388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d527029195b84d1b96c690ff2f2de30bf2ec89e00253786e126504f0dab90c48a30321de3345e6b0461e7c9e6c6b7afedde83f40
-AD: ""
-TAG: cac45f60e31efd3b5a43b98a22ce1aa1
-NO_SEAL: 01
-
-# 80 bytes plaintext, submitted by Intel
-KEY: 843ffcf5d2b72694d19ed01d01249412
-NONCE: 
-IN: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
-AD: 00000000000000000000000000000000101112131415161718191a1b1c1d1e1f
-CT: dbcca32ebf9b804617c3aa9e6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3dcee23ad2f1ab3a6c80eaf4b140eb05de3457f0fbc111a6b43d0763aa422a3013cf1dc37fe417d1fbfc449b75d4cc5
-TAG: 3b629ccfbc1119b7319e1dce2cd6fd6d
-NO_SEAL: 01
@@ -1,516 +0,0 @@
-# The AES-256-GCM test cases from cipher_tests.txt have been merged into this
-# file.
-
-KEY: e5ac4a32c67e425ac4b143c83c6f161312a97d88d634afdf9f4da5bd35223f01
-NONCE: 
-IN: 
-AD: 
-CT: 5bf11a0951f0bfc7ea5c9e58
-TAG: d7cba289d6d19a5af45dc13857016bac
-NO_SEAL: 01
-
-KEY: 73ad7bbbbc640c845a150f67d058b279849370cd2c1f3c67c4dd6c869213e13a
-NONCE: 
-IN: f0535fe211
-AD: e91428be04
-CT: a330a184fc245812f4820caae9b8a896da
-TAG: 9115ed79f26a030c14947b3e454db9e7
-NO_SEAL: 01
-
-KEY: 80e2e561886eb2a953cf923aaac1653ed2db0111ee62e09cb20d9e2652bd3476
-NONCE: 
-IN: 96669d2d3542a4d49c7c
-AD: e51e5bce7cbceb660399
-CT: 5daf201589654da8884c3c684521953e7d39497e4563
-TAG: 2083e3c0d84d663066bbe2961b08dcf7
-NO_SEAL: 01
-
-KEY: 881cca012ef9d6f1241b88e4364084d8c95470c6022e59b62732a1afcc02e657
-NONCE: 
-IN: 8ed8ef4c09360ef70bb22c716554ef
-AD: 98c115f2c3bbe22e3a0c562e8e67ff
-CT: 172ec639be736062bba5c32f06a761987a7eb0e57a31979043747d
-TAG: cf07239b9d40a759e0f4f8ef088f016a
-NO_SEAL: 01
-
-KEY: a6efd2e2b0056d0f955e008ca88ca59fb21a8f5fc0e9aa6d730fbfc5a28b5f90
-NONCE: 
-IN: 5dc495d949f4b2c8a709092b120ac8078cdfd104
-AD: 86a597f5e2c398fff963fcfe126eae1bc13f097f
-CT: f6775dca7cd8674c16fdb4ee04416e23586ee364b1cf3fb75405f8ef28fddbde
-TAG: e7b9d5ecb2cf30162a28c8f645f62f87
-NO_SEAL: 01
-
-KEY: 8d6ed9a6d410989e3bd37874edb5a89f9ab355fa395967dcbbfa216ec9ce3f45
-NONCE: 
-IN: 52939c7416220822a77435a46687f134cebc70a2f1a4c33d37
-AD: 7790af913d84a04c1b72d4484ea2e09fdaa802d8b1733b8470
-CT: 55debbb289b9439eb47834abd7bddae8929ed6bbc9ac077e2415d9fbafae4a0432f8f7eb6b
-TAG: e6383b16ed9c32521dcaeef3a7b9b67f
-NO_SEAL: 01
-
-KEY: 525429d45a66b9d860c83860111cc65324ab91ff77938bbc30a654220bb3e526
-NONCE: 
-IN: 677eca74660499acf2e2fd6c7800fd6da2d0273a31906a691205b5765b85
-AD: 513bc218acee89848e73ab108401bfc4f9c2aa70310a4e543644c37dd2f3
-CT: 31535d82b9b46f5ad75a1629f1e6032ee3ce224b2e8f17f91055c81a480398e07fd9366ad69d84dca712
-TAG: e39da5658f1d2994a529646d692c55d8
-NO_SEAL: 01
-
-KEY: 630b506aa4b15c555cf279dc4a7ee9add213219d2c68163ceaeda903fb892c30
-NONCE: 
-IN: b12e6f1f8160cd65278c48f68ad53c8c82fd17c2c39bbb109f077c17fdcb8a0b3a5dbf
-AD: 46cb18593b3b26ba75e4cb20a252caef31d00be31093d2369e93572a393d650c68313f
-CT: 79eca200a5cdf92b28be5a7a9a9ad1f78b4d411afe450d2e46347a7df98f39daa4fd478b9ab6e6b417878bcd52743a
-TAG: 55453a003b021c8a247379cdc4fa6da6
-NO_SEAL: 01
-
-KEY: d10bb6641e9ba0a3f1b016317831ad4232f81c2137adac0940ecd7fa36de0563
-NONCE: 
-IN: 8b9089df5bb048cebbe709cb61e178ec768515a0031288d95b7cc4dfffeb51b836e126a237ec50cc
-AD: f1cbf6c83493b2087d9f88e02121a114f45ed51817e46ffc0b66a783350eae89c6700db3f3be5f4a
-CT: 99c922d37c95ebeda8e81ae88a838c51a8ef8134481e9951033295ae686624aa4df72f869d140980347a5e69a6d7cb3d7119b303
-TAG: 9152bef766579a3e9a1e36abd7ebb64c
-NO_SEAL: 01
-
-KEY: ca665229adcc7554f1b1c8f50e7444c6d4059c525f9c0da1406ffb35d50cae97
-NONCE: 
-IN: 12365eaac86b270e9c61b3ae7702a6f3583ef4accb80a98454c56e34e2ab97d8afa23ddee34e7e3a522497f985
-AD: bf539d8e9e3a02f3e5834970e7efd40cc7cb340a075041428d6a69ed9fa5105e4bc63720be9a7040ce5b4af6e1
-CT: 8e2df19123ce0ad41df416d496027efdcd4433df8e7f6181c05be365cdce550b09d45cfc96fe258eab6d55976a9306a0070c9589ef08cf7a42
-TAG: ec9fb5e79cdf8ad4c8a79c900975159d
-NO_SEAL: 01
-
-KEY: 5033338bf7526cca0425f4a620424662ebc58364c8d985d130e525fd1f598f3f
-NONCE: 
-IN: 69a62b8c5f9b81cebee3a9345f4e49ea089b0d9c1cc57b4ef707956d0287de83fcca6d8f5270a9393e00693075028189bda7
-AD: 3efe0ed6fbafa61070388abc59c0d06589309736b02418df5534c8c594d61a2afefbee17af8283d01634b6ca3e8e2aeadff8
-CT: b40842b30758aa3eef7cda62d6184677a21978b6443d99d7de1fd01c6b6334cf01b7e7d58456267453f4de96708b62301172c8c87e970f91c5301e0ff61e
-TAG: f8ac7aef208712845d137b8b176c89f1
-NO_SEAL: 01
-
-KEY: f33c39140999a2cb69e43129cb5df18fffeb3513ec3560792e9909784daee43b
-NONCE: 
-IN: e2802c4d290468177fdb031a717345753cd7c3028ed07dea428db84e7c50c3eb7b24f7381a167b4ee31bf88dcaf5251fdb90ecbb74ac2f
-AD: 10a6f463dc59d4791b3c2b4c93cbe2dec579a154962cb2c4cc77664e8c2b106c574fe115fd43dad94b8b1bf2f74820e28435b4444b2b82
-CT: 70608463f1dfabb1fc4451e9a27419a46037323c033d7cf2a716777fedc02a5ddd8bfbdbca82ffbdea3037bc1cc80df7c5e502b32276ae88ad6fd0f0cfe72604648812
-TAG: b1ae330d47fd399aaaa687e141e23fc7
-NO_SEAL: 01
-
-KEY: 2121056225a7b2316a93c4bfeb970486fa9c586c14ba8b40be5844a31e9449c0
-NONCE: 
-IN: 2038e2c6cdf5282f081292448f8febbb60a1520fa3771cbfef387f48c5915a1438ab709628e8d4c81623ddbc2f6f159c3c9a8922905c4994269898b8
-AD: b07f66508a39c4932b04c16172d6462d78273cd9463e52284bb73e3b8b8e7047bdf10c5ace1f903e5a5eacbf67c9351f82c74bda140df2fe0480c80a
-CT: b4b7d1e8fa7d0e2334c923157b54618ae09b37ee72e51873c82cdd20b6dca37c334af89548f52f34df3a757e632cc0d453fc97270898eb50ce2f2a98c4cbd4cbb22a5b7c7564406b
-TAG: de3a9e2aab2439675c4f7f0b61216d5a
-NO_SEAL: 01
-
-KEY: efb15235bc91771aa32d51472877b0eb364de2f88766908eebc6e6b57a702099
-NONCE: 
-IN: 4eff604dd4bba67f143dab0728b8597e269d4e0ecb4ce80c9850afc645d96da239d9db360605bb4268d74e1fe3431a44242ae862fa2340c076db13315f615b85f0
-AD: e8dad34f727e77444a96cf06425640f1fc80fe3b01dafd1d91476140afe8204286d01b0ebdadc0270a3d218516ff5f08a69a7ba251ac325983caccbe0d9e1de359
-CT: 1a510b42dc20d1d0fb34fb52989fef0145e2fe93b9f99fd90123632d83d9df8f37d8e1f80dac329dbe0c214c2191009e31232538fec63a29665f0fc1c77dc86b2f5f2050b86b3ae48e85d63116
-TAG: 6816304faeb45da4e4772f5c35730f8a
-NO_SEAL: 01
-
-KEY: 998c22912d5687fc3faac262a902783fcb0c738520b5c4135a8dd2cdbd7b0dfb
-NONCE: 
-IN: 1f6ae10d425923c882b7d2f556571acfc10333ec665b07bfad9f8948a3b8c5e5f163a4e99d4726da1a35359c657c848f327b7fd9b5f61987440ab12b9399db24715715a2d1c8
-AD: 9a3c76dbaeb69a6481a89318caeb6358267ef51a1a364a48387bf77526837c9c70afb6f105cd47d2b976dbda7d2b6bfea7b76b135810c53437472f7b80ffc8ce4dc95c7e5045
-CT: eeb535c5bd6edfd696655b6087f4e2c80a4f15f92a8e94f468e70fe7f0e0f83c0a7799a1d465043d25210ac6f0f39a5e9765b4daca637864d1bcc090d2ef33ddfccded2d2dad61dab443b3cfcc683147c490
-TAG: 0744d928a5b5ec95f3087cc2623f0031
-NO_SEAL: 01
-
-KEY: e12effa8da2c90a5d35d257c07d1b467991bd5f75fecd7129aea4e26b9e27ff1
-NONCE: 
-IN: 21dc87984edca46a629ed95ffb04471397da8806c525a781d9a71818422e344e4af577f38e7cdbc556d4766770a9a3c95bea59ad497fe0127816ec4dcecb6b999486719b0b86cdb2c9d09e
-AD: bc158e6570fb0a08d73367dba65b80a8c8e57ba6c7b99493ebdaef0424e18d8ab1f7c88670cf51c4d91b77eb9ce0f89a46ed1316141e4299ec6c3d6e712ec9e92d3db44640402aa4ac00ba
-CT: 4edd0b4cc349d37eb77f557607ab8c623d683ff83030392e2864edd4b8e3d296d60579a226a8d2aff6bc5af3c4598a18cc1e8d7db4ac8eb56a082af864ac52a324851dd29af51a0945cee4bf303ea111b9b627aabf5ff8
-TAG: 53e69b7be969c39560c016c6bc1aa4e1
-NO_SEAL: 01
-
-KEY: 3d9723c9235939df8647529b7e4a57b8536476d5b71b424e2c27ba4d0b82b0e8
-NONCE: 
-IN: b44face0f45e4a8da19aa0c5cbe3aa960ed6b74fe3d3d9201f52523dfe7651756b2ce482e759c87bde4ec670a0e808fb4883e437c7cbcf2f6470352174327824200cb0897edc4def1736f51e229addaa
-AD: a4b2b7bf36a70a5246feee52c474058100bc618fb0e3d32e8c1f76153edec47fab3045dcc7eed9ca1886bb2593703c9ffb8883c45386d2f4e3fbb0b7c722d19f2eca94767174d9127450549e8993ae33
-CT: 60163d2eb7822af7fad64c0466fa63ded066ac67bf218af7bc21169a875f4bd695f44fbdff906f0a9b8a067be721fd260571c53a8b51661c8d49fe178dcb28c31deb3fa71b096b387f9fc8f3657d280404c05d2b6443eba7e60b562e
-TAG: 59d5450872510c4bfb590d9497524331
-NO_SEAL: 01
-
-KEY: 75b0a20935c4a5e2126ac7420d632bfda8d41bc947c2402bed4759b6e617ff92
-NONCE: 
-IN: 8edc98e70030e40bea1548f6f56b4561272be0c333f3b7ae53ff3e27c35a91b1aa42d39e6305ec4811e75931e5cae2261d88a6f7d6c5b05bfb48802264e9cac782411f1de579e29d464ba56840b126a3fad07f01c4
-AD: 7e35081ef652424da6304852243ce43ff711da17f7881d5e0433b1ad7535e755a8531b93d67ce99ffe66e59fbb24f6b42655524b39f2c84daa5cdacb5e7916266c05711a118b2128930b95de83ff1a67e53337474a
-CT: 0c3edf0dcd1125d7e263b897858dc74dbec6fdbe4ef15a3596ff7201c8f4fcca765bf5452f678b1493a66ed9852a6fa174a73099acf951a35699f33289ec50625538c01eaa456dc658013a29e4d133b856eb969c1f221f99e11fadc98b0ee08243
-TAG: 3d8f17838c4fc69f04d7e2b76eebbc0b
-NO_SEAL: 01
-
-KEY: 7a3823191abcebadb7970d1b65c2a8dab8a908151737bd5400b3b6c0d59e3b08
-NONCE: 
-IN: 220db5400dce604adee4cb698cdc02d2ca61622bbdeebe347b0bfef55cc45319b940f93773a9878725c5f55485d7a26363251b9ce0d3da1f8f6e34ad5329dc9f752ec7dc12b2d259ac89a8059085996a431a56cc2dc2400a26b4
-AD: a83b6dc78931cb7500eddcf77792e810c1edbd5f4e33f85018807a8539a3cace094fb794fa9ea058e82c830d42d5a6b3e22b7785698774aec5c73edd92731c51106a23c569c0c0fef18d13da1562a9a42aa435b243c4fbc9fe42
-CT: e32eb00e5106097e2ef0e8ba5ce6ec0e1d67ced5a6aa46c909b9b8907b372be03331dd0940ceb6d87e928c14a1a1e8ef9096c9b63ab4cd93242ec7be7e38b80643f9c52e7e90ffa06b8f2d238fa63dcd97af74ae37802d124623b8a272e68ca18b3432b7c017
-TAG: e21c61d604253bc5b5d58283756b9eb3
-NO_SEAL: 01
-
-KEY: 53ff6dc0af3e89fc2de7370caa433f539d068609fcfed6400a5b9fda4c83e3aa
-NONCE: 
-IN: fc23e07b4018460279f8392e86423ecfe465b25b60382f58995ef5fa1f9ca235e4bf87112554aa0e72836831d7b5f39125df11518b8aeb1809d804419beb05ae013482213012e4ce980ddd1c58e11608b775d12b450ecace83e678c69d2c5d
-AD: b3a1db2d467780480f166859e0e7aab212738b85e88237c2782496c9c503347de02f3dad6bfc671fda71a04ff1e4661767c11303daa0c36d944346d39e3e29ec63d695cdcd83b2b57181582c5ac692b13e4299ab5e86c59d09c2dc6194ebe9
-CT: 91a824c5e02328395985806288af588ec33bdac2cc748a01ee3eec97e5bbfdf69de1d66176f42b66383bbffa8b185cdedc25b11a62237d334d68120fccfd68c2f9447b3b8e1f623f33f7f97ad8815d29bf11bc0c65641ba8fca4a087783f4694fb1d574450191825f84402
-TAG: 2c4973323e635a885f78ee106eddf19e
-NO_SEAL: 01
-
-KEY: ca2b4d335598f26d3d3607e62b9ef853d3543e741350f92f3050894721d3d450
-NONCE: 
-IN: 75e29e46350d1fa99403b1e5baa414e41a8e714910f313f8e850cf3076508ff650011af766b51283fbd5626166d775fd4b4cb7124d26d77b41eb17bf642bf67a34c1caf0fa9b43eec12103f864e56c5ccdc81b89c1a35e394362688d05dd94eda3d05dd2
-AD: 31c3ce532bc1bae65b5ced69449129b112019cc6078268b853dd17c41832ecae07f9c6b068ef6cba2b55f352904afd6096ff8432081aed408d9340c319fd8e2029c389b6e3a4bdc38853444c3f7be9385ff1ca27e59c43b542e99799bb4ce56b8e26d6c1
-CT: 2431b5cee8c3ecec4caad27890c13ec26d01b7b96bdd6816d3ee57df57efeabdb15ba602229ff71d71793fe8081eb1b462e8b2967bc4af96fd6dc72cee3d2b6495c7f04c9068b2ad0b073e11cd5999df541ad705c6315eefa8da49c5dbc258f7ba922908489c1ce672971c3bfb6e8482
-TAG: 3a7741a094be92b838850c32e4b06c6d
-NO_SEAL: 01
-
-KEY: 49fbbdb5ae21cd955be7f7603cb8563ea0b02b77a9ea14016baa5cffc55d20c9
-NONCE: 
-IN: f31003aaf5d8fd6261c01c5bb1e7bf6af248e0be3cf8aac67ccaeb0b7468a40d98be526a8e4f692dd23763563e601915ebcb59ecbf03bf9c665c4c5313c318939a911888fd427d5297b9b2fd91dd33eb7ed38e2f0f6ab74ec263989cdd9915811a022d4a46ed35eef0
-AD: 17e01af2386531ce67d5bc3325d8f83b53a87b38f1c305f99c0798380a7e59d3ecddf33a5ad23a82e33f0fa34eb2438b17e958451439774ab642fafd3794f80a0ee1b9bc165f32df705a6175310670ba54af3a204e446db35170ab02670086c47a475c22d1f14cbe44
-CT: c0a4463350506d2af9e35d8fbd661836d1b74244baca62d7d1cb6717e17e2fb0bcbc8d36b3265a983d557c562b0be60708499d0e7e9626825bc049db79a0ef4d2393fef6024d849089455e55693fd4da3d910eac11496492a645e4376855732765e1b3580461a2a2533cebb482736ac928cba175bb
-TAG: 4596e3802109c899f27f6cfcbdceac5d
-NO_SEAL: 01
-
-KEY: 30d0e4f6425e38c92ac34dcaa06a815166f301289ca9cb0ed08156617d87bdf4
-NONCE: 
-IN: 06f2204ca864dd3f7c9d0290f6fe3d0337eb9442cd5d2b586d1d5c30e58951fc2f4e99831ac7bca4356db4609a0428c482f2580b9e8cf5fd00d86d474fd88ac3b2413f44c1ff66e59e7538c090b2444396f02004ff636aca05ec40439f4e3f470a24916fa4033cb60127223addc1
-AD: 23c1a3e1083904f7226be7242027abb7af9d62f1115340cd4a57611be88303955cbcbeba44eab5488c80aed3e063c70cb7bbdd9ac289c8c8977868c3702be63d0358836838a97b31f6aee148f2b8615ad7c5dc0de7c48db7752e5f1ae8637f8c70335bbecf1313ae1b972ffb9442
-CT: 525618ac9e317405c7d44367afe3e71953bad46ad28113b7c8f2092fdebaeb81626bf94bd7e9dd59e000e8ba31c1ce7f728fe19dbbb42322e54aab278e3c29beb59b2d085e65cb8e54ea45d6a9fb1f561bac0bb74afe18cc8de51abf962c2fbc974c7ed54ccf2c063ff148b3e6cccdaa65cc89ab19fcd9cd0436
-TAG: e9f5edea1fdfc31cd5da693b50b72094
-NO_SEAL: 01
-
-KEY: 661309741227606892db13ab553070b456c5e421cca59087144873ae6d59e590
-NONCE: 
-IN: 40b5f8081b5dd173203e02e90a6c171fc41f804b2903ea18109edcf77c03dba687b47ca389c55389bd7b0ac59bfaefaf43b5f97065df6a5375c1fbb95d95cad589c2a45cd9e1e7960b1d13622440f7180aa565863b4f9dfe26ed336ff4318653e1a520bdb830e01db78a7e598f251834d0c9bb
-AD: e8540d084f24b80414af554f470048b29a5af8adb2f9d55c9759e5ff1595ca74884af67027324587131d90c77ca72b2d15b66564549ce93df7f667d0218a6e874848563a33886c6a0c5a9d00fa435dfabaa9053243b4c8c25779a4dbf79eb4b8530a7c7bf4263ea824713a90cee92dec78c449
-CT: 9f07692c017e1391a981e70ed543f49e6cbe26f1d8a6e058769d5b16e6f8255a28b4d73ba2cbdf664bbc5ded73f9dea12a11b86b6a6acd578f685afabc232dbe9ff8431a5318ec7f0202959a310595b147353a7ca89c9d1fc2d2b92ea610cf6d9ad2716df2dfed70f5b74d498edab114058c22c96873a2a64abc254c82af46
-TAG: 31a8441886d0e4c6bfcd6d74f6a5ee5e
-NO_SEAL: 01
-
-KEY: a248b0d683973d205ef2d3f86468cf5a343d6ad7c5aaac0b9b6b2a412eed3552
-NONCE: 
-IN: c2d7d29256832def577392acb9fe4f249eb4859025ea55cc0c4a67806caba3e1cb81bc7f5717d94e1c91ff06607b23c238daafcb0fa96905616f02205b702508970fe3bfca87270ed1102a9ab96df57ebdcfd86ef6e9c4c4242b4febd82b0220b0d6f76d8c2d0fba33ca49279907f6bcf7e8401d1419ed58
-AD: c738cdbde6dc277ab81dae20fbbb4a50d71bcf0ac1ee0ec6a39747ccd87be40b1f0f2c37f2c6b32ea99722979fcfddd0ddc2e4ff34a2e6113b591cbfda317c6f4b021ad30325276f8d8dd78f757618b53297fec091f029f9b00850b35f3863a3801c882422b318b4a1bdd89002f928371ea05c6fabcb1792
-CT: 8f62ffac4027f4dfeacf3df27a837df292ad2e58f21b89da43a74de411e1746556fe47db55a136757513bd249384bf67887a5c1f605e7f7e3057596e17039701ea351e5ccaf0fd4882559e87197144632977cf07cf9e86784a959fa7399476a4fd196d7c507fe3876d759e2b37bd37edb3c12b89716f29ddc8b64974263a1ec1b6364b0e
-TAG: 291098a2376a0faa5da6fb2606b4f2a4
-NO_SEAL: 01
-
-KEY: 80634a8baea1c4fe5dedb664c9b5d714422dd1726d642e60d15e02364195206e
-NONCE: 
-IN: 4d1d8855b4d155e77bd1bf34b3d049ef09b2b94f4e604306406b015a2d520e8772b084ed668b868e32c7563085f2a82e7d99219da549e507aff9515e45a045c7cd5292c0e09a3a38c769acfd0a11826b27d8bf05184971670200e79c49754debbfc57d9ebc661b25f22f241c4d143bd922f7b0981a48c6a63462cb5cfd
-AD: 12b3fa94a64454dc5b47433df1ce0a7dd5e8066d05b2433c6cbcb83087bb7d22d153a19c05aeb76141431c5f9801cb13531691655939c0c812611c6a30083ed3ec27e63e6868f186be559c48367a00b18085ffb8c7727638e833a7b907ff8465e3a01d654b52432767b18b855c05a9cfb5d4aabae19164f0dc2ca6346c
-CT: 725ee5023ae08fece15d621a6b01e934916823f391cd0d2829c224a12eeddc79f18351d2484ef6cb5d492ec9ec4d8c4bd3354f01d538bbd81327f6360a7d157feee64b539489bfdd1be4d7f724d2a6dfa1af91e4108dbfffd529afa71388b07e5079236644da289ae236100b2fbeda0c17bf2a01e76cd1f88081682c2d074223fb8a41d59e70a37870
-TAG: 55762e95d897a33c4c75106449112986
-NO_SEAL: 01
-
-KEY: 4f2edc967b11983f05ef5ee2a4364039ac02dbcccef3f3719913ae2719c8217c
-NONCE: 
-IN: f8217163bcaf77c1383089e396b271e22c517e8ccda244256cc39315fab7d0c291078d90e9b6e336992f015282caa1ec0ea858a179c9735b7a2f0d50f6f1eecaf3b9308772279ebb95f8aa53826e9dd60fb354de0c50c10001c98812b59d7c0f36daa1aecda6782ca36130fbb559363fe07704b0b91ea85be319ada027e47840c764
-AD: 1dc7065f1585384b88be47598ca484782716c78f49b3b6bf5d24a5b0d24fbd7831f18d77d80951d2c4fafb6f939d46362a69b558afadb3bb4d8aa27f7fcf3dd9624e1e075fce9bb239926d51ea9dff03619d64d5828103a414e360adcda8fd864fca55c21df86c76972c3765ab1d68ce89f708e7e5a3e06cd4de08573cf750c6f5f9
-CT: 255f8209b0c67a6277bdb42e6719849b7cea3f7f2a8e4de13d7a864d581b7c638f49fb06378a768d2034548179963c33f0ad099254c2edda9ef771daf5d299f58850033e2e449d7bc21ca3f7d3b7408429b596da615c8582886a6d8c1a9ba81fec4a41a38b7cbf1a80ee0ec8bd71451e727051fbf2a1d1e3c6ca98ee113e47650ba4fe80451e79b04abc8bb99a2a
-TAG: 2ac7f962553a8007de3369c7795bc876
-NO_SEAL: 01
-
-KEY: 51c5cf1f0c76ec96f4a5f9aa50a36185521f3ba259145ac6cb4da3cd12467696
-NONCE: 
-IN: fcda42cd098b7936f4bebaa37d5850cb0fdd6526966b1b5734f23d5050ee44466627576e1144957929123198e40b64eaef74476870afecd7b70f7583208603a1b5247074c6c77e10b9bbd41a3d468ff41db89895b0e9ca95be77526ddb30d4c5eb0796ba97d7d5c56d0eece344dde3ebd7de586226c00da224b04e74d9abe832686797df067c52
-AD: 343ae5e73fd1da48dce92ba7b86d21de0a203ba8587536fbaf4646bc45051a7feb343e38916f6c4c75b65f940045e830857c7b62b34a44622a36b34268b8a397892ed3e4de5df3fa7384d4ca50202b5b0833f921349c877931f4b735cec45db6b95410c8042ba49c1a39870276e0165f09c73b14bdf7f36d19084f958695c7ad2cc56f0487eae9
-CT: c751e5e7e3d75874acfd2bfa04192659d6a2f1b7be472372c8f969a7de388c97d37b4a89653593e48b630947d2160b569379698e94de49b21572ef0b4dd330487a8be814a84e959a1a8e3cf33dcc9f7464fd44814d0cd7ab85e4c01c9d015f42ce3723c8ef8c311222b0c78eb83d81696c217992be725faf27701b4922c6e6099442787ddde2b7572500a5320a4d0c787b786e
-TAG: 23c7a866574976dca8f401c4b5b58292
-NO_SEAL: 01
-
-KEY: 1cec3efc0311d623f34b6853b3dc97e470fa728cdfd65993d9d48fdc192b28e9
-NONCE: 
-IN: 722e503a97166a07974dcbf136fbaec6c03668fa52495b040383433ca59f6311103f2fc6a95ba4c925f8637167537321eff6949aa3051269fc094393a7b17d1ac8d29af052760835665b0ee89adda5dae7738656af9e8513c96e8a532a46ef34cd7430832d2be51c586a14e9aaec2458c1911bbc0f90b496737e838a12ff37d3db058bda9360d7d33e11629a
-AD: fd5ccf6b6948c3eb96543aa40f107fafe94e5206c326dd8900ea510c6b61d1bcf746151a75404e31406c8e991fbf6e660db7c18e243fd2608aa22dd7ca9de88f277037661ce6dea4ff0a86809dbfe1708cd47d3061a34657cad143e6577549c9944e081f79c276300bb406378b26f349a91fa87de02a1405d712c516ae11b4bcf30ac9d56e677d03eb33e3be
-CT: 320fe742ef171b7b8cb615cc363c1d6b806a6d97e2fddf53b242378e1d2b818828863fbb3f856f7737d63998a84e02d6c91e1df5f5eb6cf89f7ef53e16d10ad52f82362292d3acafaa02c23be7da7616a8b8daf8ee3ae74ee1078742c4ddc3e5a110e510417b9f43fbcbb00e17af3301b2fbcb784fb0a05b66469e771fbd78114fce3c4352c42928bf5a0ecc49228a3c930b0790bde7ad7b
-TAG: 669482999be99149f9b723b60fec62d3
-NO_SEAL: 01
-
-KEY: d3465cdecaecbf25943b7bbf8084ccabc15474a4228c46cbe652a99be24a861b
-NONCE: 
-IN: 81e0e984ce0a4074a44524f93e375eabc650a847a42393f5c524c65523368d38a7e2b677fe08502dd3bc42311775016b5689c660cc0ca8cb33a09b89f3ed3d02fa0fb75ca5bf0dc3c27c546b369ab5e7731f93bc074d37ee50d6f8366f6c8a45f73ac92b05c4aa552ecc5266041dc122a0df69a36ad625a26edb57bfff43a84e527ea0d9d3cf076f8de9eda28eb09de3ff
-AD: e4adc14ac4bbf3ae7ec7d97f5c0e6090bf8127a75e8b70e9b86496a62a759dba5a4eef64a8c679c362785501260d29b58e1af647782564947950428dbf14edab8e6841c7afaf9e7949b560419c44bae30315c597f6f6e02204da7ec605a4d9a8753de1268bb0b1c84c972b4e7296da5c969781feeb35a44d2aef799ed228aa399ea04e21cf9f7d5600a2c07b047aa78388
-CT: 04fc836de3a1420b8e7136cad7995e7b610eede708526c05c584039d48b9b4356fc71b0c37ec2559309a688a7c69ac9655f94e178cd2311db58587863b0fbb990554dc9a6aa849571f945c61e5611ae7e1a96903be725a1aa75adc381b86e43fbc68a36f44e0e0cb8fe5c494caa91f758597b6ef3b80a879154cd8a7e5f570893b4f768105b24b58efb67c5f07c6db60e0f48eba9563f17d38aaf0847e
-TAG: cc3fe61642c2d7fcbd579048fdfb19ec
-NO_SEAL: 01
-
-KEY: 1a0dfe2a6bc6a69659c68942ad0858e1df905890f47dab728ab9c73f742f469f
-NONCE: 
-IN: d93eead436e835a061ca061e3a53c3f9c66c6f011b21682b8a6fed098bde2018a2462aa5ab542c69bfa2805612cf6146c9150888b9720db1dcd0f359c1fa3416df4cd225dd0b0d949e917adfb3e83bf5ba2b967d48908e6b6d8aabc545335014d951a67390d7b5c7cd7dcbcf66e4e3f02aa4e5e9cccaf73e75622bad006c63433d36cb1c6aa4aa253dd1b2eacac75c548aa6648ecf9d
-AD: 56ca2d5340629ca75de4e98921da352941559bd79f47ef0ab42d1d5857059352f96ee877f5458f090ca237e4eef5b08a53311c8dfd4c4582f18a93aaa8cf75080734cb2ea3389c9c74d2b04ead614eb54512ea93f0e3434e9a9366454b303a8129d6ce6cf96b1d6dd4f751311c736b517dcb50a6f6e0962c46637b4f5aaf0f34bff518cbd551a7aad3fa615708b17cf6d8fbc864f580
-CT: f8f76b014116ba61392597de8dc4d8483dc665b174ba32d6b6244da5f2a8fcc4b1865d662ec23057838b332a07ff073ecc893d413696f3fffc6dca5d107a5673f14abe8e0457a02e61138380d25e269686cbbd23cb7da3060f482f62bf80a40dcc2e711ecf5f7836ca14e456c4b73a48bef90749024393f5f8af01b73302e81bc37c4110dc26174702231d831cd14231905d2dd3f375cf2bef0425084d5b19f1039f
-TAG: 825e7b7e195f65c454ce9fdd637138c1
-NO_SEAL: 01
-
-KEY: 03cec87d0a947822493b5b67b918b5c6a6bbdebe45d016ec5cb6779c3ddfb35d
-NONCE: 
-IN: 2326102c58524326759ad399222c5b5a563cd01a29809d6aed4d49772a4723cfdf30c9f85f031063e838f543c201412d6f085a8f5435b0b2fe94659aaf70cf7bde99309239ed5b815b48342d4f81011f5aefe10ba105ac15601c64a91076c29c3cdafaa12bdd5706dd7305b48e923873cf06944b5027b210c59d79856f602bd6481980ea909152216756d77362c59d57673cedb91ee6f56a40061e
-AD: 4d0fbeb69c1869d2d23198ec49b3dc23149005a84aace7025293c3afb8cb2e38c167a822e25c2fdf667d3677f4e94ed6574529c987de506d26b7ffccf3b7a36d9adac48bca76084710338eeb5bfca9df1bf6b403e33e90761a0b3152afac333071a5ef4f54010b945d03b51f123865673e8877f41ca23359e60518f076cc64232b306bd858634417e92e546ede4ac6231635c9cfcf43aab1f8fc1e
-CT: eb7d261a6b56a179c88e88ad06746f993843901ce72f2fcd4af7d15e64b3102d2f9bec0fe72cdd0b97e43177a1a2238c9c1dfc3311f701196653249e767a73dbe819b660cee07a5f3bb8f25823875fb4b4d34a5a3a212d2e166311bbe11fb1d36f4e725c3b74054ed7fffb7082203ccb5e9d65873cb8a1ce28d5c6e2b6555c1a864a725e6c7d5555d37dcaf1d0884264be72d38cc4b65bc2f0d039d542c5055da56c57e084b804
-TAG: d36a4b6d2f592d4f0d347d906fc319cc
-NO_SEAL: 01
-
-KEY: 7f4b4bfa26719d9610c80ba3f474c43127f4aa3414fb070fc2f389e5219886e1
-NONCE: 
-IN: 638982b95d66ddb689b7b92e3adb683ac0ac19480148bac9db550be034cd18dbd10f2459c915e99c385cd8dc4dc6ec48b75f97e818030fc2d8fcdf66d66b80df64f0ca4af91bba83a74f3946b17af405bbbc6e216435641f5633ad3ee24c1a2ed1b39f649acce59ee56c282a3aebaee6e97f96b34cfc63d5b0482fec20d755f399dd5f61688fe55878713cc55d562c2d72236eb674a340d1a64932cdd8534a06
-AD: f2fe3d27bfc278cdcf16fffc541846d428b31534ec5cf51c30c8b6d988dc36cd6c0d41a4485a3f4469e92ea0fc7e694065bd8130c2854c95549630bd9cbaab2205f27a6efdc2c918c3be53f2d12f8f7cc8e6a81dc8be7cccd217be1fa2e6887cea7d637d2e2a390f50d2c5be10a32a9b380a400cddbdd40eac67f1fe9ba6033d4bfa88c563eaf57272c8a7052916cf4460f31ad026a0ac2588a45d082fbb5c0e
-CT: b144d4df961d4f1c25342d120d4de3489e09c7239972b675063579e409acbb663bea76bee8fb3f7e8785158ebe1c26db9219a9b97ea29e74762999518613249c3a87fbcd0128f651e2db8e2167f10ab532eced3464b56bcaa09780e5ece18182a6e092477ad933bd8de015c80e67c6802257a97a647fe2b1e9ab6a76c1cbf7d905deeb824aba2a34095f84b276d55ff940d6ab788c16cd63d9b16e0908d718c851a3230b0a37257751df5a38
-TAG: 9f0a882d4456847f44c7287c8ff3ba04
-NO_SEAL: 01
-
-KEY: 9799ae8045d58250e4d9c3b0ccc8897a04b5b9fb164e54019dc58d7d77b65459
-NONCE: 
-IN: 8f323018b1b636617c935791e1c8023f887da67974080af07378b533a7573424f1de9193c5d38f55e9af870f6c60ab49c80d7d1ad1f18f1a34893fd2892d49c315ee668c431f5f35e3f60ecfd534b4b09b64cc77cd16b0e1b8882872cd109a5ca377518e5b660d75052e9a4228e3935705b6bf6b4f4249346b7bf4afb891641a76621cd315cd75de391c898959be945ccca7a96073f2569f217617b08502f7d569bd2f80e0
-AD: 3f1e297bd91a276a4a4b613add617b0488414a57ede2ac75d10934e03be58ec518a418e98a4dbb39d2365889db7c5f389b2a16d8c702cf21b888a4cbf77b356df48a30298c825fb86128de45d7fa0e5f4b0b7bf82a2c4cad2470f33c231802263901fbda54a6edbf2df638716492157ec1407e7fc2eb6c663d9a215afbec3612778b8115e78a5fd68cf6ce66c12c0ca26e5c1f7ab079bc09c3bc7b673d21835671a13dd2a0
-CT: 0f20d002dbcd06528a23d5e09a5758dad7997a766db05d698b43fd491bdcec21352032cc023bcf10e136523219745a56f0360efee75a37de55da23cc7d8184a50ccebb110bcb960dcf6b25fe731e21f26290281d9c1c7715c4e6ff3dc0026cce52929163ba222f123d4f50e1d3cf67725fb4737f4010ee2b5b163ca6251c50efe05c5ab0b1ff57b97ffa24c98653f5c82690d40c791047a3d5e553a0142fa2f4346cfcd1c849a9647885c0daaac9efe222
-TAG: 5b85501a476217f100be680b2f5882cb
-NO_SEAL: 01
-
-KEY: a26c0e3864a7dd3b589d17a74a7c9c1f7e8f9adb4aafa0e75c083d10956b6bf6
-NONCE: 
-IN: 6fd4ec60613646490791d82de30ded1a12e61fd270f1642d2221272dbb150ef63ef2604213e203b740dfc9c4bcdf722b3c85aa20abb1197949de710d7e8311956c8649524afc72a9bf5eddf0b284c7fc6d48a741b82c215a0dcd73bb8afd08d5532a6f7f99b5c6beb2ad793d6da53a81e6523b2240729924ddac996a723421f57125f928990daa7a55a5b6b53d7361d9728f66590d969659aacd9aa5c0ec627d991b55e9fd0bf9c3210f
-AD: d6d8b570eca29a48a4d408d5b27ec6aec291d70cfefcd02bbfe8d8ba8aeb6db770bfd723d2c3a4859f1992767d24e7b33e3e241874292af640e2bd22a5b77e0e9e1e0d5e485041cac41d4694ac929ae1fbc08e7591e1cef689028f5db26f95fc9e0868887fb9c635579fc6335757697f63b4f2b46664ae338eafdd827988c8f2ebad80ea9787871ed8d6b302d5dbf7e8019f2e139c59036cb5964a3701ec049b839e19e33e68b83539c8
-CT: b54a2a43ca3f84aef38243752420e09adb24098038b2750c946551a5f6a5bdf23b126947348ddb5e938b3fcb874b33fbac6407095e05ce62df999e7234cd2b4e413009c71d855b23993cd58c1e26ba0deed891dc88f099fdf852cec0aab45f488a90edd8feb6f4c837036945bd304edbf7a2737921a2f8c1b00a1daaf9e25b908a65a8f69963fc767bc975b5b7bcc215ce37009009dc90b5c7edb1a1174a10ad28f4c1d1a2241e7ffc215edef4f847ceedf7b64f2d15
-TAG: 20521b35310385ae66557740b435d204
-NO_SEAL: 01
-
-KEY: 53ef3dc7a10e435650dd20550cf3ec2b997afc8d9e79cca8f7062622afac3496
-NONCE: 
-IN: 081e2769935f945419aa06fb5fa7d8412efd1f9b52a45863808022850836c1974d53d2b2c5c0cd420711a71e6d1a09e984366b8b677e6c61bbce8f3adf9f5a9fb5860887617a08c923171d681c4fbc6d569690f6a183d42b52a80ef0693862efd22bf83b7b4014a7008424c356b5022df1842309b3a4a2caee0fd3f4d3fc52a17d53959daccf8e0ca889578ee2905dd8c17d52e76712dc104344148e8184c82af8165ea8386f91de585b54fc8535c3
-AD: 5b73ae02bf4a70e57f5d48fbf45f85b8496ae8514c8aeb779c184f9cf823d8c1883c9e5a42b2c099d959c2298ace2d86c4479059256d6a4325e109fa4b6c4ce90f84a8228316e80aa86de9b5e111d88b2be447a29297b35ca90a8eb280d4c0fe92a1d593cb966cb0010bc06831efb0c72c1e222b031e900ef06ab8da542a5abe2870a0efbe92351d5915ab545b14900e41a27c5ca9d75d6277afafe7ae861131c2767eb314c0c3da5c264f8f2b4ac7
-CT: 257a205ed0f84016183f461320ecb6cda861b660656d692c626436227bd4ac17a9bc71f6c84a1917ef3b5a0f6ba370f00fa2e7f1bd5aa8d6c15032572090482c23e4ab7376ef1f4dfb77f79d5dc065792fe3476c9c37614e32f493e461981b519dd7d10234c2c69264ffe5be06a8e14c81022b652c8cfa24adcc7c7536a55a2fc41e9ffcd09e1c483541cba814eafd5e09e9e44477018a41b073e387c9257c07d97e40f0761fe295d015e1f2df5be65b13f34b6ef0fe1b109ad109
-TAG: c129ba4c10bc9e9c2b7d67f5f249d971
-NO_SEAL: 01
-
-KEY: 15ddf0d794b1bf2e67db1af47b45b8abb0c62ff5fe09b29659f63ff943815c39
-NONCE: 
-IN: 9c82ac83e3dd227d0cb9692703dbf41292fbaf4961e28b7407ef069e33850371ce2838b1808ec1f837511dae9899a867959183ef3d988ac20758d7a1a6859cedf687d8a42f3dd53fa4b5843e5be61422fb8774c9eb0fd22cbda5950155caa0ceaa00417f1e89a863fcc08cbf911776fbea8d7c14a6d819c070c9abe76a7f0d04598188d07fcbb822758081172e654c025703bb24c523cee2dfdc31c8d2c84534a60e7efa9f52f7e74e19c859889f9bd024f28763
-AD: 892bc04375e9ad5ad2b5c117d1aacc202a74ee4cd4125019f38ed4d716ce361b8b50463ec3255a00670f5f95d361e79349e90bfccbf084586cb5fa145b9eece8a10187c13055ba0d17c0fa526ba7985f00f3eb4a2cd53b6da488827fa8481cf47f6be58771d1e40125652732a7dd5adc49cf99ed6b085fa9fe8721c86f7241b6efb6002e65ae5f72e16ce6a09ce81365485b20f1fc2e092216024b1acd0bb4c2b4ffe28d62a9a813fcc389774688eedd76c0b041
-CT: a6e6b4fd129bee3ab8144da1e30465518e7dab44b9ca4ab6c86fd7b701e334b050a7889fefd08aa12c9e381acc7875ad5f8574fa44f8550bfc820b6d9a5600cfb82d1f98721a875610a91c8f47960ea64445c0e22fd3ebe94b3564e98b9b00a68e9bd941eef5382a67782c5e24ac44b928fc986c62a02fc702b145843b1c6882188dcbbb6f6b51ce1aa7784da03cbdc3efb1a01c1cfd7e90dc3332fc6e912a6a967ef1f239cfdc9752e235dfe75dab8088f8cc207a4a28994f122859aeb52d01
-TAG: 62e7455cd6b95319efa3ae0d14b88452
-NO_SEAL: 01
-
-KEY: dc0cff51030582f29676482ec8dbf0490a135a4cf3e444edfb7d1ec733cdf7b9
-NONCE: 
-IN: d6c4d49a9431d51bfda5bd4b07997690748fdc3df196d27d219a62480dfcb6300c5a234d675aec1239280446cc134bd4e0e0b5ebf6f10bb11b788caf949c0c3553497b62e729f08700b66c6720c35f1f434f16b15a4e404d627fd054ae1394a77d5ba728f3422aad5d99a608c2aa52b058946a76a408c5dfb210d280629ac999e86ab1f9da8f2b7b79ec07cb666105582564974180ace98c63bdb962e4580692abe58929d29f066d2f7e25c23a3824483d9e49cb6f5fc4a1b0
-AD: ee3bc8d875a4d43c278cfeefed8ced8a3da946adaef93dc356001da151010548990fe08b62edda46634db320601c7f4b50956e29868bda9ae5df186f15c3ab4a19d7cec274209cecc71602e45c37c273b7e4b2a168de5c29278042a3dd1fbea0998d7d9707d412f476ac8de7936e2e5c268a2f22646f682e664e526f88004e7c461bd42337dd21b1cb39ff678974adb67c2ea1b7055ca98697ec16c4b3bfa95b4dcbd7fb015480135634c34acb20f58549f7e7e11e20a991a1
-CT: 58c892d618ceb6027afbabb954eedf8ca21f31d21067af5a05dc3cb99c3dc046540d2cd1664abb32fc7714ac057d039cebdeb124e1ca9511bc71f92ddfd4c6bd3edc8a1934f2fa2511503944f2a0818e30b9bdd26bd3c51b9673f55ad3f2ee5e41de114ccc55abcdce06a5bcf63a5bd61fe71dbbfc97e1c7f3417fcb9c1462e244ad91725081c9176a0b91d3485400d273a16eecd870ec1e9e016a7f4af2fab39a0bc93576ffd1eeef9cc15b7e47feaef85b21de422666ec722cbaef26edd1941e7dc03f72
-TAG: 1cc8c395b2ccae3a685183667ee7bd34
-NO_SEAL: 01
-
-KEY: 90da49f8f64e8a585697a43644a48bcbef33a8ed23c1a93c65e59a217c04a1e0
-NONCE: 
-IN: 26dac57d9f30bae5831f98ed074cbc9af9731a52b2322cdd23f1f0abbf78092c48d6d24a43c7d49edb3fa66086030f37dd9dc67847714437b11577d2bec645b3210baa8f7a540cbfc20deec5973b7489b7607eafe72e249df5d0fed95e29f03cf7f0c7a22fb2f06a0bc75214446b06d25a45ab8087270eec56af3960f53b80412a4ea7b45e54a2c374e8a3789e8eb57e656e22107503920313ee3e4025836b9e1a98541446c23bd5674cb83483642f2f3e8270bd1f77c85bcfb205a9133c
-AD: f2168cef97c27a902d93cbca07b03f35c5c3ed934192d29a743c3a6c480c5a62172c088fc89cb2d8651b8979e5bd1864272ff179be8003c6dee18789c17583dc1de4e8b4fec80e5c7575838e621cac4b5b51ce5952f22e06b1c196101d2ac8d05e797323e5baacc49d1e74db97142e1bed723d46ab858d59fd36d5d08eaa63f696b610eebdc9662e504992fd3481de1264bcac8ac426b09fbc641ebc93f72c5d460088fe0b08420d88fae219b6a5a67420a5f9d1201bf8d64b2ab3e9050a
-CT: 0812f87792508dee6868d45482196d89624689bb172e4ff71619046a91149c8ea99ebbaa3f2c32c77938b5ac466481575dd82a008c7f5867bc46ee44faf95fa40b6237c8c3b62474af2efcf07c771e23a63e65b48b0bd8ed26fc64dffe03e71fac6d3857b1248df63d888567d7d3618c68d6b8f1c88029bd7af8677d3b51f70ccccb4eec9e100768515637ad8a4b2e2e317902e456974ce9fe23095cc68566e85cd913e8b64119444f124640d16ef3e98136f32d618eef78f7ffbafb64227b3185bda8f541c0e7ee8405
-TAG: 71fffdbd6358f755dd22f1dbe42c4aca
-NO_SEAL: 01
-
-KEY: 0b1b256665284390a9193b7b7aa4e3ad15a3d2a58e79d75da8ec284c02fa3a2f
-NONCE: 
-IN: acfa83f56f137ac39d6447d98c5f7d5e812d1d8e7c7fa7f7beea9a87c59961449683fcf5332c9ef1587135030309a1c2d95257114b790b18cc32f65f4c7d1652c0106e3331f826e9b8b0dffc50aa6723d0827076b71c668370ddc8156db3831559a72e48266b3886a6d88318e6ca646ff561ed4f71e665abb7a60089f0a115c7b7fad9cbba6c4cb0c242b9e1f17705825d98f4bc10bacd8ab2e11cf579f29b2a0b085d8c96a372434785856b483c3fc9ae909029b0c931098d7e59f233cb6450fe0b0d
-AD: 64347fc132379d39cf142ca81d7e49c010f54f354ca3365d5195a7e43175c9a47603062c5ca61aaf2b381f5cd538bbf48f50d620ff2b5980c086049a378aca69570ab7c406b510a6aa6b7e8682ade6a091b1f822a97ce671fcf7c911c43c4795b78ce1c86e990e32bc5c9fa34a8a4b22a20d6f7c46722d1bafd49443b4da9634db4615f7cabc3d5bd9a8921e67de45dac261f54bcd0af2b2f845e255a16f2d2f1ffe26e88238f5dbdbe111393aab3409e08dee8b9bc85c51b385c191ee9290454236ab
-CT: 346ae65660de8920605fe8d19d7421330f0c2a525495bc360cd5c2273531d050d461336a254c9af8611d07c3559931cd6804fbdc6e6c9c997283cf40bc23596efd1bf116fffcc6620e45d1c738569af012a7ed0d575ace3c12662f88f3ee480af30ee015ae70db112bf4a185e220660a912f9ad840346e7cc0715e853dcd9b415ca9e865d5e4de2321e6a1b7cd8a35c760abd3f099d395576a91503147bdd51cb4bd1452c4043b42dd526de6f61bcbe819cfa3c122c6f62e0d4c38b443f5a138325a5f0ff8a9a2071c2773ce62edda
-TAG: 2af508d74bcf8157ae9c55b28b5d2db9
-NO_SEAL: 01
-
-KEY: c055bfc7828d9fe8fa8d9851d33f3e4888e0f7e286e1eed455e14832369f26fa
-NONCE: 
-IN: a26a9b189ada0ccafab92a79711360c7c396374c6170de395bd8ed80dc5db96ef1534adc4dcd419fdf1801add1444a195367213e374eb1ab093f1f54cd82eaba5c1cde6b867e0d8fff99cdab4d96e69aee0c58a64120ce0cfd923f15cdf65076a12e06e53ab37463096d9ccb11ec654e401c24309fda7afa45ee26e5e4b8adc8febbddaff1e7cecacad1d825a6b16a115287b4b3c9f8a29b30fa6236ca6e883abda412177af38b93e0e64b012d33d7bf52ed18c4219bdf07f36151b7ea4c53091ddfe58b6c9beeca
-AD: a184e4811d5565849a08d0b312f009143ac954d426ca8d563ad47550688c82dbddc1edbdea672f3a94a3c145676de66085ded7bcf356c5b7e798f5ab3bb3a11bd63c485fbcded50c3b31f914d020840cbc936c24e0b3245fead8c2f0f3e10b165d5f9c3f6be8f8d9e99b97efda5c6722051d5b81a343a7d107e30d9319c94dbc7c31c23b06a4ae948f276d0eabd050394c05781712b879317ac03eb7752462f048bcd0dccb5440f6740ad0a3a4c742c3da32a49dfda82ed1b66380a8cfd09dda73178ffa49236d20
-CT: 2804e5ec079eada8bb3946e458dca29b5008f74bf132947df768dc85e2492a381429f151a3bad3132e63a4a977aa09f10879d206f43f27a26909495d0a2c8cb252fbcb3abd953f6e0ef0f6d5e89d89a1d9ecdb0e44686fbf5567a6fe7557a084a8a5ef5316890917bc432164266a331118c828fad4f5d1776645d163dc5444c2e12def608efb47adeb8f9928a5ffd3c46f963a749c310688e78525e34a510f529472a14bc7a5b65594338f6f5ea1d95bb5bddc6e8e1d1a449d126442accd162e4e03c10824fd48b32df763de5d7700dafc54206b
-TAG: 141c80e1d044e1e9cf1c217bd881589c
-NO_SEAL: 01
-
-KEY: a54a347a7a388c2e0661d4ae1b5743d1c2f9116c0a7aa2d6c778a21e2bf691a9
-NONCE: 
-IN: 3d17e3d9b5020d51295f7bd72e524027e763b94e045755af4b3cc4f86bce632a1286f71734e051dbcac95780b9817b5f1b272c419e6bc00d90c27496ac5ab8a65d63c2ea16eeeebe4b06457e66beeed20fc8d23a9b844ba2cc3eb3d87e16e1230fdb6a9134bad3e42eadccd49baed5e03e055f389a488d939c276982e4bc77f0a1c738fcdee222e2641b06fe12ed63ede2ab2fee3c54d7901d0911c32980b7c663a67d35ece23136c77f8e4536464225ab427d937e7a4260460d55bb5fdd7ea2f105604c4b0cf129dec49b81b1
-AD: c12d1ffb08acf27d51e63f5c0e311180b687438e825204074d4456d70b7c5ba9903ad0b0778a5fe36c3e12e82718c00f5d1ce585e5c73b23d6c5e41ac4a180c97c9418b07ccccbfc58c678e97882ea36395c0a05572b4cd25ddb3c32fa580c89c48a0e3066b8032e3823893a5721a4fd1e59c7d012a01b9e9afc12f3bea93e9d1a2cf5cab26e064576b36bb65606de62fe2887ace0cf399dec08da618954ce55362c8a2bcf31457a1804bbfff68a76d752f9aea81be8868bbca8f1af3375f7137941a1924b8a2b178f06a9e33f
-CT: bd3456b0dd0e971451627522938f8f596e17eae6920410f602c805ad9715833087e1d543eb20b1b313771266dc6a8f86f2ba033609fadec92ac38c1f1f0f728e568fe8bcecbae2ade7b9c4128fb3133c8b4107ad5c29cacbd5937f66905e18cc52d9239c14e4c8edbb2db89b26f5f4a9ff0f2045192fd212af6c65e448834580deb8787b612d6345466483dbec00b03fee4751f543a6155f2dbb745c1094e9721aea3e544a894e4a19a14645725cb8fdc21d259e086b1e411fb1bdb11293d0224ada25da2896dfe0d35095230af6894404d27d901540b0ec35
-TAG: c55c870a5eac5c0c774dd10dbadd3fec
-NO_SEAL: 01
-
-KEY: b262f6a609c4ad6da3710d58530b634fd7bed875956d426bf4b2412209902233
-NONCE: 
-IN: 9cff6ec8832bd0e62d9063e43821db6a1e0f3ae7947ab4d029643b0e7db8224f8bd00a2c011b246a4d5eccf9801fb314aeadc0532fa71cffe188e801d7c045e81b9dfc5cf6ae1e310b363adec4e7ca52fa754ece2540545a5161eaf9ed5748070b6e232125fa8e0fb7548fd3eed57a6be72ce0a9112f166776816a0a4ccf8151b6b93780875d03ea3d59ac57e7904c83b90b7666de85f055b25f9e342af4cb04b0c3f123ea0906c04f252f2b16b28d612e37b2a7b788d66beb8b361385efb73a825ccfb1a5ca55d60afde0349e5dad8096c7
-AD: fb99bc661b51464c0df92ba4f64c4c56d601622287bb1bf8e0a082ed3793e74db6a2f5a546391ef55dc45fd2f24878834bdc2903054d9d02ac05bd5ff122b65555d7ab1664cc36b630039e4432315445f303837e57149fdf6bf8d6856ba97abc5a18b6cd2f8f28cd3ac079355b314561c50126812861c39180fd94f9aa24edbec37bead760093d32b96ce30e389f63b2b271fc051b42952b3f5cf3950def581f7cbb2b4aa5b151a16ed3773166761232c106d3ff57851895640ea12befd69daadecc4122b4a481e85088edb093e02d5d3d8a
-CT: 0b455031d28e4e17a45b7a605341e8c7e67303d5374e3f5693c28dd9f9a5c9368efaaf82d900b4a4ab44337f7d53364544bbd822020d79443e2ab0fd2381bc73750203caa3d28858a8f9a6dba57a7c5248361ebb152a81a89c00b1bf49de9e2d08c0243b38eefe316ef89164b4907515f340468291e0b51009c9d80cf5a998d9cd8fce41d0c7405fc2d1854aae873f0e24cfad253ee07d9f4cd27080ee8ec85d787459080a06d290e6e721d23738470835f173ed815f1a15f293ffe95ad973210486372e19a9cc737c73928572cbc03f64201d1b6fd23ebb7b49d12f2eef
-TAG: 5e0ac1993ceccc89d44cfa37bb319d1c
-NO_SEAL: 01
-
-KEY: 9b4387e01c03d2e039a44ca2991aa8557dea6179d19259d819d70ab2d5179eb0
-NONCE: 
-IN: 92c6f01cd2cd959495bd8aca704f948060bee01ca61c46005b4db43e2e7655af4c0d96656cd75d904325ecc325f5fc9a5fff3eeafde6f81323b0e3b64269028cb64c9fbe866b400e76487f1759d6ab8fc66589e23df0c008974e1613bb4ec556bd1a6a0751f6dbbbaeff219874c57dffca59a955e0aae62e8fd6a904a50fa7eaacccc6dfd4a2b8c6c040505d3448ed2217b7024224bbc4335c63b2ae8172d7d3088b819edbaa17991a4729bcd5a456cad20ba20dbee99ae56f8ef669dff93c99a995c8f5dcb5d113db4178a49516206a1cba7d872682b1
-AD: 92a1d2574182f850e37aa62338b19f403fe99dbc7ddbe1e6524ac67c4092cfe296b5ee9b94eddb5c228c902c18ec1ec26e1ef0263d05c5caf1c71ed9e5ff987e9964b46f27be05a83e20867f1f2107db26b6bc7066af2b0efdcad2b65f2ebe8b31fbe2f3c30171f2e4969f1650c9642ae47c8db5bda47e57e8a9af210a6fd4894dcc2934b4ecf823cc841cdb3c93ecc779b455b8cc796d7d60437da201c3f848dcd5f45e88973e06364e7cd01afd2d49fd3032550f1c1a60c4ba48137398f4d58e5fd0093c06042b103ce0064f2cd1cfdd39b7440121d7
-CT: 852124b4e04d7d1d63743d7428b87d324854d5c9c6ebb303fb802b12d946ed681ed5b3384dce2cd782bfbd022f213f193bcac579176440bbf2af378b019d21dde5d70e42d257722d15417a9fecc8e56430551ea3bee798a01faf74d0fb09be6dd0c14cd03feaae29c7d17581e1fda0b4bce632ef790202e98c8c4f8f842fb3e33b3fa5e8700c8644ed6d64280652bc2a5d40b3ee0e47dd5a9f3535e15b1fabb30264515afd4f9b1caa5c224574636935baebf6d1992bf1a7a3d698d457db4248a2b38a803837ac4fab7998722d52de61bfab4f98e1933a77046bfb3941bb7988acebce
-TAG: 1b07d58be48b81f7007e5683b399dc28
-NO_SEAL: 01
-
-KEY: 9d36155d429b90b5ff22ded128c9f0cfe77ed514d410998091bfca4dce7e3c88
-NONCE: 
-IN: 2510210b420b12300d51ee4a7ad233c9c97d71672c0f9a7b9041d32172fdf3a6ce274aca77a0db6961d7921d1681ede2c1088a7618382481296778e7f56d2c0074c7c545ccda313495ae2a6dfd042474b07d2b59c79a0cd8c3dc16132beff1687111a48ee3d291ac556987e73c5a3807923c2deb3b9a59a135a8fa0d85d5b39016edfe0649dc13be672a639db58839d3362eaeca046767fa1182ef8a63abc104e7cdc8610b1e956aac89af76b40844a358fe6f7343d217e1838aad19587ab4b1c765d2cd7bf7018e338c0207d4c9dabdb1625af0c75749e9a20a0d8d
-AD: 39e96c8d824bee306189a3bc8a8d4862df55e8016726222a528d76de169746a363e82e82e359b774d061a6e98e3c35aca8ba802a5956a2c512501fed44ae341cfa65ec9d95485763d99cbd9aea078ce551f7f82272bf54dfb6420ae7653f275ef145b2c87720c9ccfa56bd286c61cb822d0473dc2cc3fa22d50fd16bc0358e7c615aa1791b990f30b1d737f798219f4446d173e80fa62380dfdfebdb36b1284a62c2b6638f28fc370034812d09b57d27e5b7d589075bbab42fcd6a91fa2714538be6286e4c7b2657b80f045df7f8954738efa7d49a38e5a55a2af934
-CT: a7b73ba1b2b0e846c3f635aa8cb991b10218bfefa522e2f808dc973620ea391623947cb260b852efd28939ccca4c8b1f02d66fd6d0d7058854fac028fa0f23e8de801ed9a4361bf7e5a23e6a7086624a64a29815bedd5e5ebe4d9f9386d47e1408286971654b38ff8e5dd1fef7686d7614ef01900ad33bf97896b4ad02e7445782b1794b45af967ca3ba72a2e5cd5252a9ff0ff550ee56fdd8aa555bbb0bf8a5dd534fd65b13235fa6650761dfe2a28b2757077a2680ef88c84eaada743d1f0d25de38fdd1974ffc07dbb9c7fa67cacca309a10753c6e2561c4784470f5c7e116e12070fb3d87131
-TAG: 665fe87506f8df07d173fedcc401d18b
-NO_SEAL: 01
-
-KEY: bd187500219308edd6ac7340d72813ee20054d6d4b1bc2ebcde466046e96a255
-NONCE: 
-IN: 55b824816e045702526f8b5def71a0d023a2e42257fc1e06f9a8531ef9f7717474ba4f469e442b471d5da6e71aa635a307205c0a935a54b8a59be8856144dec435e29aa1a3568073aa6bd3439bc0f219fa1179ba0a316f7d966ea379da16be4db2f1fdac2fa6d00bef9351b78bb2773bc30ddc9d019e6e7d78dfaf38010080027afac33e751c0429ef6c70a1f2d01f103482818e9353e39a3a4b785a7dd2c7e1ba7a4c36a5f3836d5465c002bcd1ac576d90ad276952ac155dabba6873e6d92b5278280a540071b205ba99b77b7568862e70e6ddbd804906c33fa130f8b0862001
-AD: 11b35743bbcd0113d2c188f75d382df44e874a2d4b3c3148ecf8e0406479305f29197a3a71dc7bcd71b6136ab11a7cf46de80140e15046acfa18774cbcc755e9f3beb37202fc308c03b1c20470b3128f5b91d925bd6703dfb3277d65159688f656d5ccd83d2beadfd778854472b1cb8fe440bdb7efe806f4cb95249cddf69fa0013dc5a626eb8ab69a48b3ddb1a317b35f7772f711221cee1cee9469e2639c44448c5942c95324dc2fcfdc952e05aa336ddbaf57cec2d1b33981ecb8f70ccd34a279b211c50a7784906f2981a2d2ad8fb130100c4f6bdb09c95dfcf4b0eb7ac6d5
-CT: aab93d3181e7a04cedf170311e99d06f82333ec8e4fa1e81014458c81325e5d69db561449b153727da35c0b540c570b60488aca6aae58f75f84792388d0160dc45e4e5bef552c49228d806fcc22259f0f94da2f786cc94a3ecf3cc15ac67719379d86abaa54ce41e868110ed2b56dbeeaad4a444eab51a96aed404a4f4b9677d22345fdb67ed0df091d23d8acd70bf6cd29f19c99910888b3281b65637590af984e493ac70011486ca88e72fd14ef1cba06a50070f138dfaed35ab12690a14b1c8ac319f597bb690cae28019d64c868acf9a58fde1d8aa18dc1ec9c3c4a0ee9c4cfff8912b1bf23c805af6df48
-TAG: 1a43147e6e097a46b61f8b05c7dbbe1b
-NO_SEAL: 01
-
-KEY: ce53e967bb4675a51652a9e6e87da6be36d16245c1e37ee00bae09cc30ed8528
-NONCE: 
-IN: 3f2416477ff2ce7da3e5766f043e7a06ea2b87fdf06320d296c71cbaec4b115da356f8c7f34220f91e90c97a5cbbb7fcf0048fb89414eddeb2ec1062d08cc75a39a1f9f214fc3efd6fc8e70d78418007d7d28944b3f37fa5667ff79098d7af36a9324419b53efa76e98a311e1436ecedd977397cd02cc8d377ea8558edca35ff4c71ec31943119b76af4c78a435033eafe73c7079224bf2328b49ed58acef9b043ae3c7ff17a66b521e190d6ca2b2835ed8edc2c173f04616af237391a4440fc5306366c834f6a504e902dca6d3e9e1554088eaf5b15db7fc1fa19f0867ece90ded639ee8072
-AD: 64a596ffca0889833fcb537f58d94791f9ba9b6b7ce0c7f144f2f1a95d62ce334f7bf7f0d2ef0c6e7afa2324b069dc6a7a522f19a001c335cc0252ac4a26079c3f267cdca1e3f933069f52fe72e1a00c83d8fcbd2e76149a912c7b37663c2e7967a3a80656c87094d349af6b9d64b3873f467ed376eaa1e0abae06180c847e981c6a12d32b580acd34f779c343f8b79df1b5004d333a5c37a8be7a94c6f6400f819ffbe6d54d3c1a92824fb15c279fc8121c735b6c42248ee22e665245966d40eadc51f12904cd64110d69354cc9d9fc415b3469317d5e4643942dd4b649de0ee2fc5d200701
-CT: 0f53ed18bfdd28918c3993d9be462da8cc9d8cdf343f7025df0b8b41c24f7b6060cea2d3c63338b6c3e83f0797e966b8c5dd889bf1b5058fb4d694be2178fb33d9be1a351812046a6d3bd36c84ee3665d39fb98159e4d30f8a25a60064caf980f744fc519e2dc451f5fbcc0834b72920d32f0492abedc1022b0db4f2f44b91ec48c588334775fac91f174a4714b3825e96fa53cad3de94807f3b888950c8776189cc18fdf379cdc9d6054952c6ed2b3fb7f6b49beebacee7ddcb19a3eaee2b2e2b7a5d6476e5fc1f216ca443b859a9a661dcf2f7709f87361186368a62f255d78150f09ad4ab1a20e7329f3d96fa2a33cbf6
-TAG: 1cf74908f6fbfa5b2b309ebeff2f3ad1
-NO_SEAL: 01
-
-KEY: 093d932ed969cfae63f07e0c04c7f9eaf1b36f656095f8d5f112517dfc430cdc
-NONCE: 
-IN: d9da99635f8d728843dd587cbb24e68e1df2f81b5f7abfe233a224cdbd48cd8b82da3711d2ab6c1ca722610b87f426a2cdee4456b50781e3b25da037ca636f2a5eea01f4eeea52d0feb7f1f6c2594d63d8c05c2adf339839449cb1d2aca94852d1b64b5641a572c2da02ebe299c7d1ff4da8706f44b14602f44c0ced711fc78005f87b1686106250d3d3860b67f5b38788db1891150f88d4c5276751afa0b2e37a59587cd8b718767455e65eef25bddaf787d52b88556710f740f117b02f244edd47cf0e45646d40e789671ae61ab06336e24fad8b64cd8f60b427ea1f58af443c6f55d54028edd5f40d78
-AD: 5e9c95c3449cee3f9f726be031089b2358ee92fe7b408b355739c8da6369304f3b287ca60dde4685bdc59879e1530ffd8f6589449196abf0f0dc6dcd82ba7fba481f13376cf29b32af2ecca24a161e6e57b6db70a7e02ee2154cc0bb5280b08f8dca35b1a342fa18b8025c7a805cebaed99e30b43c139de7c37adc25b0b6b5d873ed86530622ef2d0ed3ab19e9c27df98a4a15324f902c35a23adcad4598c6e990c64893355be15fa7320c1935b4ad3c069c068d6b3c8f43d6fe0588b59170bf567ac3a53a50db68e4be17964f55acfe695638cb5fdea5c40805334a385c2d35aa836637ccdf71390487d9
-CT: ce36a837ae93a280d2fffc6340380718f069f44c88932af22a10f80513821caa71fd7a9e5c4f37e1c756c43fe491ac13f244bd1299844cc78d7812110f570b693e63614e639ec7395cf65c206eb6fc9bba86f89d03dd19e45d5ec64c7d3a308ced4ac1f59cf4e13be64e49acd9ebee209afc508c97ac817f1367629af9d59b0cd48f138d23abb61f92dac530351f46a4e7f70ac87388e44f6e9548d3e6a26884bb7611f632da7db2a12fd9174773e685df316ea9401d8b352135b6b32a374eef8661b77eeedc34fa4178d0a5731ac9bfc14bce1dfe96af095b0088371ab1a04b2062625f0c4fdf01fc0a6bbf1661cca11932e93690501a
-TAG: ef7f960b146747ba4f25c705d942f8c7
-NO_SEAL: 01
-
-KEY: 86875efa72ec1827f133a8935193292463ecef801bf3b461c96b0312cfcf32e1
-NONCE: 
-IN: d692d3ef47a5c9d0d9a3b6a0d498e90a3ea06278134ce90cc1d69da2159d9a1f5d0a9ef4b4ce5f873e26e8f9d53ced79991491325ba5511be4d9e6563b70459b10e60d8c5da45d3b0b34dad86772b0560314f0215bef7b55c6ae53999cb2d6a14a35b50fe5a1598adb7ebeee097968ee7624bde42862824900c8cb45b12785d9c4d50ef38133d31a66a612d8638008d03edd19c4d7edb5f9b9f195c60883a7d6aa85bc3ca3b59c395b85dbe9bb30ef6896c4ebae8d72cbecfadfa451bf36631aefddd3feb36978aa8d9a45c9fa09bfa0b2c040d9a422840e68f4dcc3eb902f6be1d91b11e1749183d89715761b6cf22c
-AD: 17208cfe5a96adf0ec903c7618d994492d3eb77275fe5bfce5ab1f67d27431c7746314e52934b8c44481e5760cc8f6b0e17d1fcac7fd5b476196e3152c3dc90adeb58c2c9c62cd684b4b18d4a94f8e5b4336ed3f1758b58a254f48b3aecd9cfa63cf758f2df54c52eb246d046198b6eabc90b2a0dd6c5323e915a117235174fc9089cc9bcb1a3bb49080cbcc24367e7f4e17e27a2054bdda0ad8996df1cfc6bcf43f70cd854f4d97aaa4badb5826dd86765d36a2ecc83d3daaf31594eff02999a423185356d693f26025a576037336c156543353423dd3b5da75f45e297c60dd8e091b961f60eb6786fc988f6324f9e8
-CT: 738136465c8935d77c8d4ea455f48dc2b6836b8603e19264382ddfc568b1bf06e678de255d355fd865ef03339f644312c4372494386589431d4ae7af2eaee5dd3c16340ecae3e87dda9220a5f9b9fe6cc3eaa226d9608385b7e8a6216e7da71997088eaf7c67b5402be01c0b182383ed3c0e72e91fc51fc99c59cc8271660dd7a59ee0e7d9626ccd4439bb9a1499c71492807f8126891ce09451d07d9c5525c5f185559ec44aa31498be3fc574389cf948640dcc37d0b122249060bb7d5d7e5194d4b7a7bb64d98d82a1155e30970a854f7c0d294fbb1a9e058f3b9f4762972c21086e0bf228768d0d879a9cdb110f9e3a172feca7417d48b3fa0b0b
-TAG: e588a9849c6b7556b2f9068d5f9ead57
-NO_SEAL: 01
-
-KEY: e9467b3a75dde39b0dd44e7cbf2b70ba1757ba6a2f70cc233d5258e321d5b3ad
-NONCE: 
-IN: d6d7f6112947be12e7ec8d27ce02924503f548456d0ba407bf23e848b9ecc310e4a0c7b00c0de141777a94cb4b84a5cc34b2b05c8a37cda08b6c2dba80e80853f2a18bcc41341a719f84262b601610a93721f638a8ca651a2f6c03c3cf1070f32b92c4ab7a4982a8f5e8ae70800f7513405f3ae28ba97a9ce8241608eeb5351e6cef5560c4209790ee528b3876896846e013a0bd3a1aa89edaefe08fb4b73b3fa64c0c8b0f7ab70653ee138456319230174f0f1f7f3477f0cfc80eab8a96e29e85e20658cebb830ba216b1d8281ce499f729278dcfeb59cde3a043ef3fe2c42705f311a422e9f80fc3b58ca849dd4b99e5e66a958c
-AD: ccab7afe4d320e94f77963d779ade1343e66ae80446eaa5f9ec4d3e3bb3166255e4aac5707ab407b284dfcdbb18ff515cf08790f0470cf335946040438c7de2d2a342096d7607e1920d86b519e96cec1715f4b0dfe375c5959644bd664d23d879b825dffbbdc458ea9da5ede5682ce1ad1cff33dd8820761b1c067cec638873a3cae79c7682ee8d4f97cb96a413dbbded1c242ca669d50ebb6de3c27eca3041fa8aee8974c3d17b0cf79c32c7bbfe20dcfd57303cc40334fbdc43e925df1d63fde57bf60553d7790fc56bd95e675db934dabb1125eb97cded95f397b32bfb3a2d40703e3f11c6c226633b3cb7f9da1e3367de2ba4d
-CT: a9756c7b8e2e2f4e0459f1bb47bb258ddc0945079a0b99ed5cdc0186f453f8e0393cfea258412e423dde4a00c014ac298c4dfe7c03b0d9bbd4ad189624cb6fbaf13e60ec2b4d83c5bc3294dfec30bd6c8f7125e11d7be145a966dfd78fd77af68099b855989fe077cd9f427d4381b4930abc1daae55722540e4bcbe1b560fde208ef1c2dfcaa2c51b76072e67da311c2556eaa2c25413bfc43d00dd84aa8859b296e05945683e028699d60a29227de1363c4138b9ec2db8f3b502fe09d368c5f2ffd81abe50cc1ec1ef216f27f401456d061429d1910623af00bcf500cbc6509c5aebf7de9c956e40a3f0b0d562775b03c282c204e33c0b380ce1475eb5c0441f6
-TAG: 9ea19333f5050354a7937fed68e38dd4
-NO_SEAL: 01
-
-KEY: 4e323dedb68bb5cc4cf2edfe3a54a19b410f849492ed6f66fc053d8903c3d766
-NONCE: 
-IN: a7514c4111d7d8bce2d56faee25d9f5fbb527162576b444fadebf42d48d2631cfed344b0437ce8a7609bf30bf0a44aef172f8b12ea7567cfa5dccbd08bb3115efec59437ff02e7128df9d9e5193794373e30dff7b3d8ec0fcd6cd3872d755c0314f1cd9cb996e4c6ca8ee2e35f9b64a1f0bd1669369f9b333a356ba58e553ff9bf9cb6c5522599dccca2f7f57a91006e7dca4095d11955e5aabff69febb98a408aee92293c0abc12ff23482ebe9d541bf8fc7493eef2c68044dd185eb243b54a2bad9844d831d9b0766a0ef013ad3ac03627b1feeb287e5e61875bb1d0a01315761bae6323a9d678cdcd3c4a85be71b70213d081b348c63fc603
-AD: 9bd10dc97ab5e9b35e1c8c36ef37f90a11bae7dd18af436fa8b283eafe04a5bbb16bede6ce1260187299ae6474628e706cc08b3627f5243f1a9ab469455666e6d5f2ab597b6799bd60a365a9248341decc36d473fa52ac5ac469b965cb2023d43b437dded84ad49de95a6dfc6ae4bbefaf86f9b06e3a33ec90d32ea3af541fd2c43387c75dbd94d44b9582e8ea41afba5e49f1d158d48e979d04888fbd42876e12bfd6695cb99640c537f2f9223d37cf6b627207b9318bd1f4c64556b5db1101c486c53dd8dccd7405e148d6d9b38b7ac875a44bd6df75edfa4da8594a9c43b223e7a6f5b81a5cb8dd6e06e9a976ef156e45520af332e4d56035
-CT: f77b876eff796db621eabe889885d7a11004ec546955fb7a8c77ae57588fa2e7fedcc8e9000123495b9016d1a101fec1e6724302e93eb8e01bd05efbe8502eb97b1064bafa9bba5658b1677819cec4998dbf02df1f1eef51bb3e75c19f570efdda98b0b8dc5dd9250eae8396090ca9ebecdb90f32c5e2085e86b64e57464d251af62d9f8c01d7bd6cec5f9dfa5eb7c4cd412077571bd071a4eff5098883940d63b917c08bf373916cccd7a446abff0aa5c687518703c25cd8d3c5d724f348e20be54f77fd18dbf6344d1d25c788ccb5a5747d575435829b1825e31f9e94abc33c0d2750fb62ae167a7a74fc9e39db620d43e0b8514d5f70a647e53dd5764254b7785b1519474
-TAG: 936072d637b12b0b6a4141050f4024ce
-NO_SEAL: 01
-
-KEY: e57e74595d230e8eae078df1dbc071c66a979a912e2252257e28447e97fc82a7
-NONCE: 
-IN: f1ecbb2a45f04ca844616528b10ffa4d2c5d522ed4ae3366888fb371b6ee7eb4be53c8204783e43265931f58f308623f7b2733384c173540aa0bdf879fad0283c2be6c42a7b4feb2b29265fffdb518ea77d33507dbbff7d9921bd97fd27f1100402e02135f7df4b5df85f7472fa75618facca3e24d487453e831efa91242e62ee9d32880bc20f7ec016eb12edb589dc8a669f7c78375f915d7c2b03457b00ac2aceaf37c0369a85c3f6fe7c0447c022d66bb5acaee62163837a36e882cfb8579ba9182d3153a25623f339758ede5a62f67b199fc8abe235fe4b607a6804fd4d15378c76e0c26c1edf1cd637b7ea59edc66cd5ef9b8cf79b95ff89c235ab195
-AD: bf4c0737e461c1d6fc45b87175fd7833625c98a03e089c4e3d47c6b21f4bf38cb4b7666322217eb8fa022afae473df56ba3502c88cf702276bf39c6fcccf01e629925a83816a5096e612458af6380dcb7f63cfc0eae99d63475616b18b44111a1927b05503c4ce46ca48321b0f8f247a54919fc844fbabd3a2481e83bed8a5ee8086d7559db00fd1d64f4892ee9363d59829ce1e10af66696c28e86297b43190800251f346bec1b577446120529d486266a271c71011528b24ff4caf2c30f9748a2b03c788dd583541368a643075a52127c48b3b6f0c6ef413e61479c9afdbeb4bda44340ff0d81c7bc0321d3de4080cf7e108dda3fd4e480e685b202c6bfc
-CT: b613d6d5fff507e917674f2fafb2aae2dce03cb0bd3467447ef6895a132cec06b9f7764ee24d90078660dc820b8384c01375e03c20a6c688a780d7d7fbe5837d477e8f3d7ab3ab865dacb0eedb5694d3276ea914a421b03b9d4e4f586227a3af7e8d5d579bd832450f038eaa7bac57aab996df55367ddf59b338e5d370e310124e8ef43c9fe54e5d23d60023aee266054ea66c9f32170ce97998b527073fd178ed4e1752cb9c515c0b32766b363c39c513c2e9ff6d1c24807afb43af3c5a317f1536087d8576fa3be3b007d3a77ab0422303cd0b142c4ad194e1bb86471b91861235dc336dfe9666f4f2c6a32a92b8fc52b99873f9792cb359476a2aea21996d21c17ab814de4a52eeeb33
-TAG: 05906cbf531931559cf2d86c383c145e
-NO_SEAL: 01
-
-KEY: 847eb274561fdf0c1af8b565a92da74641f17261a0ea4cf63ba5f36ba7028192
-NONCE: 
-IN: 1e588cd0636f34b656b140b591a9adafb8dc68d0abb75531942e3c6ec1d29e4f67853e3d718dbe61b733490525c7f9ce6746f8639e4d271267a95f0940b3406c67ded0aaed36374b9a4bb8c753579051c6dc3244d6126a8a97d4a912569ba139d55dd00c380e7ec450d44f6c7b9482c2594b21f61ef8d165666c830867139262be5ad3a31f44a286d7e86d4e5c9bd6118147efc8e606c522ad0e9a218aea4daa39d1653157e4c3730240fff67a42e4f34186de1c13ddcb1e44020b7a31d21ba6ba96b3f42360dd1d754a7bae75b6fdb6eb3c76412cc1fd8e900d7aacf4d897f4224f19a1d44a77e06c95eda5fe76b11c6f5088e8ca75c87e07edc64c09a6a31371552449
-AD: 331d48e814f660516f3a796b08afb1312625b3b17218819cfdbbbca4c333378b57fd93482d971992b5b15b62f0724d6e7b9beb5ddffd3c70b6f8bdd3cd826663eeb91d37734a686c987efeb4d4906b80c5378fcd07806d2dbf3eb528472a110743df8cd96b6eb67e98b13ac506c9bda167f045a412c93d78e860c9b4bbd7a2d71adbd3530f30253847b4112d4b898b520c7a14fd075e62605b05084f26fd138179c2791fd6e8d3bfbb2735002ae12d986f92d7d300fd6f1dc12c993449f8522f6f32f506a677c8a981aef9815e83019713b2f9943acc8d5b3f6f65b9e2b9a14ad2e300d636166da2d35a6a0a756a76d08709a043d65341695490124971a7574cf0b5845a
-CT: a379511688390ade6f0318bbfc1f0d7309e6420b42d59740c9b9d4b97075b874015251ad55483068b00f87502b18182b140db07c70a80fd884fd79b7b5fef1d307ca4db0ff046494443e1cae83478d275c31402035f1fc24e26214b78d9a4dac78d074150012f9fee810a121d87a16d8e1eec5700e9facba350029788480a259d9f30df1c2b8df7691629314391719853c0b68614134f6028865700b1fc4e7f34ff28f449c6abc3027f38d7a7f6d84b8f27f7cc5afa09478c809eec346bb58244ab42a3bef61a14ae7640d76591343983de9fe5f1b985ce56c9fcfb2e3f6220779ca6f92a6b8aa726573b38ed7663ebe4c85066ae3f488ea3309593fa41dba8efd2b8f44b9fa8f7a427823c1228093a3
-TAG: f1832022e06228c36181856325d4eb68
-NO_SEAL: 01
-
-KEY: 3828b138f72f8fe793d46c55ad413bab31a51e7a9093cdd10fddb4739e28e678
-NONCE: 
-IN: fec017c1c51da5ce9dcd8e84cdc03a43145b31edfd039c7c85d8811a2f58efe7a2d7590149a98cf0b5af82d3e0a325223bc9d5585ceb1afc4cdd96024be6c8064c2abac14f68e65de49e25e3e967500ce5b4504d00a9cbad1e86bbdcf65c01a7a92de27583b7b92122b6a4923b7192994a1edf00b75d14a982f92559dbc2d5e427a75ad29715375d90193ddbb39b9a52c1a23d75629c539e0a6ce822c7c08fc77dcd3adc357893215df4694673a16d34513de21217ce86897c8f0575d213ce0c66eb1d1985fe73dd86da3ab5e89df4243e1be9dd95af94f878995d02929ee42a062100d6d4d3884730f54593d5ff7b7ae53e03d4f0e10f6f4c3077206499ab7d4de1e825d532d0918f
-AD: e2b16ff2b6c73c9374704ffb4cdfe7bad9eeee32157f2eedf427f99c2cce80c5aa4d9145e85af0cb08e6ed477cbe79ee168ded5c0895f9f4f939c21916b3dd5c9d268b3aabdefb85d953bce9b70732fc9acf6c7b727f78d8c9aaca9e022d7cf0f95583e81744227d87fa34ae19de44d202ba01e3d03993f38c9b2fb00b54dfb677d67e6f5a15f46c29eb5597ae3d5384b37bbeca3f3d825e2b7cceaaeb36a8c1273062259608956dd0c79877cc460d0268de27355e34b9d8d1188c062ac5e10a73f2d70fd0636304b3de06cffeedd246e2db19b8b66785f9f9c62b8f0198f29d37a4ab5280f4aa0320559810f89a1618844d0ad5f3a4f5a0e834ab31e56798b7158217f834d372c36f
-CT: a60413c0ab529ccf3de5846888ea11ef6b6ee6fb0be77bcbf227e77508922550ef0d7534bf05668ae5fcab2f4defe643747716e7e000950e36c6cb24b79987389a150382c091d39ddf841b0a5e31d763d9c59753a3ef36a23b81f38e6e715357395ce715d30c14d6ab5b7454804ecf633daa39b6107f562fae6a646efb25c1119dd17955bb9e640105a21566345408f72f2acc8f2726a0be465551f9ae566da559fc0b92c36764c5ca20a18a316c02e606030a53450e7ae1146050a48a64c600d33cb84389b0bdac7ff45d3d1f2f669a6e365ef722d76d2fe9bef2df93c58bbdd6965e18111b5de0f4a62dbb874161bf8adfa61e9cdecd97b4fff668b3efeb3e32eeb929cf58d94ad8077c0a2ca79e80877c5d9329
-TAG: 9b47afc5816b7229213cd3c9135545ed
-NO_SEAL: 01
-
-KEY: 91ea63dc27d9d6bbc279ec6cecdce6c45ff0b247cfb8e26b6ab15f9b63b031a4
-NONCE: 
-IN: a848e41c77ac8c733370435b5b6a9960af36031e96260d5703ce15b003606875a7901cd11e4571bf88dda29a627c0b98065a8b4e6d382852dfa4f47d86fa08e48ad8f5a98e55c305900b83200d44029f304abd21e0264115192a3fd7b0eb69b9f8ca7865b3be93f4ba5a28468fd7bbb584c32ae867f5146efbeb1412d3ac36c30cb308c327a6f207e30f561d6efe0a535446c693e14176e9e714ffb5a5b1075812909a362a6c4bbe18322e15690c2c9cf5a18e0120c11551cb7055b5aee97e7a56d7c24fdf1214641c8eacb196d74f3d96a7fbecdd4fe52dc7b6ead9041cafd5a3fdf91fd3614e63189b488d4d7c1ea3c6351d112a2223b29d390ac3ab7f09a60bbd3df6e0d606d902aa44244334
-AD: 47940a0694183b2fcb5e760c9ef6dbe4cbff6ccf33208337a981138f9d35c03f8adbd810e94636acaebef6791b531a65e99b03fc78e7eb48036615874e97cf762fa6ca5d880bb2c2f644f1aed70c667880f98834d501caa277cb8ef1095ff882e79c3a92ea8982abebf63ea9ed7e9a24d32cb81d5d98e891974e3d636a59e165984e00f05a040d33f07b39eccb924fb24780a422a6b2b7bddb5b316beddcf6fad20e4cee7d0141c2f7c4e4f759db8691dc7b8525ccbc3ee6071a2ead63e750d6d92dde7eb1303d5b1194702b6c3e0c2e6f9649e60eeddec9c1f71cf309af0672cd2ffcf94ba7e6c3d7cee020a224a9a956274d1d36ba16030e215d90a165756666eff066a8e51bf7d4babe8b7d8d
-CT: 80a134fac73eca30459d5964b90449af99327afb1124bb24f1c8b5cb878423b0370d5f7cd297b28cc4135ee77d6f1913a221cfeee119bafa873072bfa79e303fe377bbed05add41ce3a42ca4632b98f40a36227de1a9ba84d6176c01eca9d33d954d0ebdf4e40f136e0f6a56156fbb33b344a8a433941fd6e08774bd00075aedb0e396c2bc37d1250541248dbeb899e1b5170cdfeaf7b89995b049428bb277c501354f8cd48fb58f6f04f956dfd099c48778dbdbb4c95b7c9d6797cf6d3bcd1d00e88cea885ee4a10d94356509e148990a0e10dd89103a9d5c8434a7bdbed6c0ac1271e0709eba144abf3cf075c020e9f7835d5a98fb2439b399e377ae6e19fc5f32df9ddfb9e936190d3e9c62de99835249d1f32ca3f92ecd44
-TAG: 6ccaf7c142d86b83e4d0b4289b49c4d4
-NO_SEAL: 01
-
-KEY: 1344db082889367fd48c5f06bc39f9cb9e3ad4b92fa484ccf49418dd4caa2e19
-NONCE: 
-IN: b0e12e3122c1ebfdcadded5a45163a6208548e9bdf95cfd18ea504e5d2e97372e58dbfe460a57b724d38f3bc0ce02a54015779bcf127343474d7d4c1402d598bee56897203b903da5b819e2218bd0d1a2af11c542544f02c46969cd2bfac683b76a8de61698ccba63361a1a0b570adf69d24e9a7e466873c8c12e25e0bcead7828386179a4d65d5bbdb800eb52fc01b67498d7b5f9864270162158a8572eccf541b07833f001848672098c57708eb479855799567c318b1aa097efa70db0d8a8d36fe0ac22ebcc2870baacac690a79e07ab286acad9f7a877939cf2989cd6200eb86dfa7a41e969a3683ceacc7c97d1cd5487f13c439a9777a67770687657d38267a347a0b6d3aa3cf64e7f31017246e4369da
-AD: c96db14dbc2aa0ce3ac63794f75c7e78037dac6763282edb307821a7938de4baa3d2e35a8cfe0c8724c2a8d870d0a462ea157e15aacc69a3c881d9c819225ea8be479872d55e655c897936c95b9ab340820264567495fc5e4e3354f42b84e191b470ca9f4d8fc25d011bf9c9e73e1590e1bb919dd2f288b26935fbfb8c93e54331dc8edad5e1cc4aec103c2f3320d59870c1770319f105ee790b704ed655be423e63ab040f1153f41e7070ae3a0f34d217c4649c180c84814463902d99a9396f8c7c85a3a4c8ae2f01737649fae478a40fc72303a108822775e9c421f945cc0eea992730790a9aa0c0d014518dab371b52d30b5a560f34946a9344cfb8a19b09ee9b123bcb8f642780697508f04983b790dd2d
-CT: c04a98e7e29326b5330818d4ffda075dbde7b874995230e1324f17894689baaa7f1354e26100befb546ea23dc74807818e43a3cee00ec1bbb95c82180489ae5f3a1c482dec28f96ecaf5ca4655ff7f33c814197cb1973cf02a0b720a5c44068d8ddff0789fc1e7f20ef408c1a438133fce4f7a3e8c85d95a381b94e949ce47a85895c4be7cbfad468e52a160dee34b8ddeef2ab280eaaed4990ecec790ac16de3c74aac6fe2d5e28ea2b66a921c894a3971cee4a2158054c3567e0d941f867ded5ed1d21d8ab090848fb3eddfb1559bf11815db52b8eed871cfc117980f297da79da31da32de3f162a03d95090d3329da3662df29e6ec9b236e0f7c1d7d957cfd54d5efc99c694b9dece989912388254798513d881e5943ce830729a8e2ddf
-TAG: 81c55fe9aa2de0d63efe3f74a3d8096f
-NO_SEAL: 01
-
-KEY: 31dbefe589b661af00a6fbad426e013f30f448c763f957bbcbaf9c09764f4a95
-NONCE: 
-IN: 908bd801b70d85085dd480e1207a4a4b7ef179dac495a9befb16afe5adf7cb6f6d734882e6e96f587d38bfc080341dc8d5428a5fe3498b9d5faa497f60646bcb1155d2342f6b26381795daeb261d4ab1415f35c6c8ac9c8e90ea34823122df25c6ddae365cc66d92fc2fe2941f60895e00233b2e5968b01e2811c8c6f7a0a229f1c301a72715bd5c35234c1be81ef7d5cc2779e146314d3783a7aa72d87a8f107654b93cb66e3648c26fc9e4a2f0378fa178c586d096092f6a80e2e03708da72d6e4d7316c2384a522459a4ad369c82d192f6f695b0d90fcc47c6f86b8bbc6f2f4ea303aa64f5ce8b8710da62482147bcc29c8238116549256a7a011fd9c78bbb8c40e278740dc156c2cc99c3591fec2918cdeb5240fb428
-AD: 5a32d7044f003b2ffefffe5896933f4d8d64909fa03e321a1bdf063099b9f89752d72e877291d8da12340c5dd570d7d42984ffab5177824fc5483b4faf488504e6822e371dca9af541c6a97312b9cbf341b4198b0902cd2985ac10a8b5b5fe9691bb29a88344f863c980e4e871a72a8b74f92eef68c176e9d2ef037898ff567298e186af52ec62eb7429a8004ac46b945678b82859396d36d388ec3d67653aec35cf1da2684bbc6c78a5f9e3ce1b355af3b207f64e0fa73501c5d48a14638d0906c87eaa876debcf1a532c1475d80ed3d4b96458d2236eb9f67988863bc6d5c16b96b93d898683d248d7bc601b5035fc365481b89465e37a8f7dd64635e19a0282639cecde72c6b1638e0aa6e56f9c00d031cdadc59ce37e
-CT: 147fe99bba0f606c57242314aeab9db30a579ca54195e54a9e6c787f40100c6d12ceee35643f36ae45f618cc9bb66aa4c0fae0ec2686cb4101a5b23a46877460c7e020b38b0d8d1f533ecfa99df03d346bc854a578276d7d5685ad1fb03655683a64aae4159c9efa6781f053057e0811226c7c533967a94587f4025353b28cc3a2ce5763783b4c31e7818b8ad9195bc03be8f294f9f6ceac578f9d30b22b1f5a68d647d46cf6db4a9c3a8a5c06fa97c9efb4578f501ea96db1f40942e3f24c44a7e4070a6b931c39947d9692930b67767357015de51a39e46fff94b6019e4bc1ad9d216a571ba0dc88859c49d2c487ca657384e49b4d382d86a60c8d5195320909c4e82fc077a3b22bd4eccf0f067e66ec78eed642b2d16f0f304f60f1d9ba69e205c982
-TAG: 17ca09e3084504fc22e914ee28312c8e
-NO_SEAL: 01
-
-KEY: 0ecc44c9036961fba57c841ace4ca3c547c51d9f126567bf41626765cfcbd53b
-NONCE: 
-IN: e49a2a5713f507bfa00c140dfbefc0c43e37bcb932e0741db03f0055da61cd837b6e2d8f99115d70750fb23685a17121b52e98a37c87204e0207729fd9219d11a48e57970d790338793cf329f7b239512a44dd4409fe9d157f92123dfc5cba24af106442644dedda87e1d9e95fd395f2f0ad8f7d27f313e6ce1a07d9845dec5ad732e6e4749b3a161527c8ce42331f5de1d700650072fb68e9c7645a0e0e529d0563d2727e3fb38ed341f74ef1ad95a0216a440e1384d0e7ef71cde38cecdc9e2b2d563f19014c40c1f92ea0af3b4f6da9146d433ae85f647153db326a28ef6ea2e0ebac0cc1aff157067c7dba7cc4317d56920ee9deab5764368e7e5b3ce8bebd0fa129f869b15897c09659c53188bf8efb7b6ac7d265c9b85fe96166
-AD: df41db4ef5350d4afcaa88b4a577b3370b96699bbd73e59aeebca6ea856cf22694a9399ae7f97a3bec226d82f5598f8949dfb92530dcfe77770f066f2af988fba5543b8ba7655bc43f8dca032981a34a1beff695c6908169d475c55b2119fe5578623f68a9dd85b653656881b0db4006d3336fdfc784d1805e48ff478fdc196601f044c9d33fca3ddde2db0102f90fff0b370f520e00e3786c2a9b0b4a9a7ea6f9d866f77d870c8ef0f3a8bedef17949a32598512af665679dfbe71e1c3efc3dee8f5d4499e20dc63281191751f67e51f201973a6675896484527d66bed94d6aaceff65fbc4192cec19452b8873f22d72bf2f4981fe656285cb24be5c58e77dafd3e096166b230f18d3f4197fe16f6ec84c060ce0793ae6848311a18b7
-CT: aa98b6ddff7e4b2041f29d70b15b2bc4b9e8ecc5d9c4a6359a805b7590bdb4bfaa9b3fc4d7676d721edc4b3b1ef71b18a3d78f1b31a477cf25e55b278eb3ed774805ae8e5a2a0204f7291d9587663c4d8b1b744154f3b7cef796e0b91590161f3bde82f1d8139cb8d017606ae6d0552ba144788fd8caf435ab09a43a1f4057776af49bad98fc35cefefb159cfebfed76f2e4d18b7be143677ff8b3d6e2b440fe68475b5a1193bcd19ab157d0d2257f33de8e50091ea3388648c3410aa68c830566a0413d92454e4eff433c3edc74e8f7516ec17b2c01cf57a2d7c48db97b706b8d7da0b68051f2d6a87c417f46cf217a48611980890f669d39b478c35d834ed2c79299df2381a1215d6db303cb63e2795fe517649874226e0a6dbfe2c86370b9fbdd8c5de349bfa25f
-TAG: 7082c7ef72c82d23e0ba524132acd208
-NO_SEAL: 01
-
-KEY: c05dc14b5def43f2e8f86c3008ef44e4dc6513768812e9218b2b216818c4cec6
-NONCE: 
-IN: 8a06e2997b8e5f8040b22e07978c83c48d0f90bd2b2f8b426b43feea0b614d3b0681745ea4224cabcaa25ca45c3053a6300c47ffa4f72e838db135ae35c27939aad4cf7f75fb61daa3148d869057598e4e8b44c6fb19b0d9281e18676d8bc137489bb77a51a3a8f807a896d558f00040e8729ea9bbdc7db6102c8b99c8a1eacb0735577bc6533cd1d8147013935b6344116090a1bdef1f2e38a877a50c8fc0f394bafede31375c57476ba06d95ae734e6dae771a32e5091dff71d845c5f7385b9b9069ced12fcfea34a510880b088bb0016e94a5932c89baee038cbafbf06b3d09426afd2d5dd5e392636362e9ffa9186b5c753eb84f82f68fb1286ed06c58a5a936cad018ebc4269037b49f2ea0349373adea99f06062e5dbb0bf94f2883f5c0556
-AD: f2a3f7af8ea984bbd85953f14202c6e478f98d0bcaacd414329ec480d0c29fb4c1a052d3228c883928448f0bef12cee5b69829b4a3eb4680084131867cfc3d3af84fcc0d80c2292d3fe02405634f6cfb20b0fb90345da3a557fb30582175c32e432be66ad096f9425ff4060df54d6741fd6567a1e2fc5f6f3ed95cefc806ff64ae91ae82920b5c829ea026f83fd90d760e240da3c9ddaafe4d08507f4af1049056dc6d09657779a3dbd889d851e97d4ac60dc66df2d24979ba8947a7890a304bb301d0d42b67824e0c68fc882e90cb6deee50c2e3d9f0da59ab23c997b05635a0d56c71fc39aa0e6b19c43a7fe12d4e4145453cd7fbd8a3f33bf5451addf05052df7ef044a33513bc5f1a4cfc8b68015664bb5c8e4bf54a85efff109ee96af75d4a5
-CT: 5cfe0dca6e599ed9aa89ba972cf630548d6f2b449057c7861920308958199f77b123a142c6b7c89c4982f4ed0efa2fe899914ddbf4543e70865a5e683b0721d6c8443df2e697acf31e11c8809aba94196409020a7c64d396fe136826455aec973af23a6c7733cb567f5ea550e50e0b796623a97807d042855568e3c568990cfc818c31a1bf415337f43e9baed57fada2fb2ad3c3543f2b7f2777e03f84040c1c854c310ab1cc5dc7f2a5fb213af79ac068b46c7d9475bea126adf079e2100bb57904a931faf248e0f7d5832ca83ea8a283e0136979737132afb1f4ab38d307ac0774814f4d5ecdc4aad79185c05f8a706f579b78f2c1c7004cb38e6cd22c2080735b34c3f6134955ed3bc36b1ad5c8e33209c9f3c658fb07b59b6002b2526cd8d853a5c624b7108573d7df60c827
-TAG: 3dcdabcd1c82002a551cea41921570e5
-NO_SEAL: 01
-
-KEY: b33f449deccc2ef0d7616f22b4a00fcd84c51a8383782f66f1696bc6405005ee
-NONCE: 
-IN: b0af85a6deae5fcaa94778bce015ce2da7400ab768f3e114cc1b645fb2716789e2aeb96894fda6da5bc24fcf2466124720d6ba99e5475d77e5bcf2c2f8c8e5becf5eb73ad650861bbdeb51ba5ee789c227478934200fc18f36e4fe392c99d4c3fe0b38b40d2e84f831b8ef9bce9ac1362c755943521ecf5b5cf8fbcdf08f2d47ff7cd62838597dd342695a1b037bcede69500bf70bf1edbb40a17b44695bd8ff8bc8664b3211a6bbfdcbd1bffbfb1a2ea0141cfbc6ac841c803b137be5eeb2666c46c09cc1c4fa82be43bfd56e7a2b8ceeecb6efc1933a90213a0e1bc7aca2af35f2d1dad5f0d9002561064a699f1ce76c39d9c2224ae596e88a1517e19c2115370768d50107f3f2a55051838ae5897acf2ac0814ccd864eee2f6b5d7a6728c6ac6e6a57327102
-AD: 2134f74e882a44e457c38b6580cd58ce20e81267baeb4a9d50c41ababc2a91ddf300c39963643d3c0797b628c75a5fc39c058d319e7d6deb836334dbe8e1fe3cc5704b90c712e1fb60a3c8b58d474a73d65fae886394f8b2c029e420b923f2af4d54c9de3c7fa2bccaa1e96664ccf681cacbbf9845069a4bfd6c135c4392d7d6be338eca414e3a45f50510718e2a5a3e5815eafa0c50172cf5f147510645d2269929843bbbab682deb5823d4cdf42bd250bdbd20c43e2919d7a6e48973f43a4cab73454b97cdca96721ebd83b6dbaaec7e12cf0dae678a57c431b81421657037dd47dccbee73a41f56495fd7c25c75744fe8f55cbd1eac4a174d8f7dd6f6ba57b3e53449a9ce7806517e3e07cf6546a0fa62c7b1fa244d42eee64a3182461792edb628e567b23a
-CT: 6afa8baf923f986b5779ac6a0fe35823610ea698aeb5b571f3ebbaf0ac3586ecb3b24fcc7c56943d4426f7fdf4e4a53fb430751456d41551f8e5502faa0e1ac5f452b27b13c1dc63e9231c6b192f8dd2978300293298acb6293459d3204429e374881085d49ed6ad76f1d85e3f6dd5455a7a5a9d7127386a30f80658395dc8eb158e5ca052a7137feef28aa247e176cceb9c031f73fb8d48139e3bdb30e2e19627f7fc3501a6d6287e2fb89ad184cefa1774585aa663586f289c778462eee3cd88071140274770e4ed98b9b83cd4fa659fcdd2d1fde7e58333c6cf7f83fe285b97ad8f276a375fafa15f88e6167f5f2bfb95af1aefee80b0620a9bc09402ab79036e716f0c8d518ae2fa15094f6ea4c5e8b283f97cc27f2f1d0b6367b4b508c7bad16f1539325751bd785e9e08cd508bdb3b84
-TAG: 1976d7e121704ce463a8d4fe1b93d90f
-NO_SEAL: 01
-
-# AES GCM test vectors from http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
-
-KEY: 0000000000000000000000000000000000000000000000000000000000000000
-NONCE: 
-IN: ""
-CT: 000000000000000000000000
-AD: ""
-TAG: 530f8afbc74536b9a963b4f1c4cb738b
-NO_SEAL: 01
-
-KEY: 0000000000000000000000000000000000000000000000000000000000000000
-NONCE: 
-IN: 00000000000000000000000000000000
-CT: 000000000000000000000000cea7403d4d606b6e074ec5d3baf39d18
-AD: ""
-TAG: d0d1c8a799996bf0265b98b5d48ab919
-NO_SEAL: 01
-
-KEY: feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
-NONCE: 
-IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
-CT: cafebabefacedbaddecaf888522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad
-AD: ""
-TAG: b094dac5d93471bdec1a502270e3cc6c
-NO_SEAL: 01
-
-KEY: feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
-NONCE: 
-IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
-CT: cafebabefacedbaddecaf888522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662
-AD: feedfacedeadbeeffeedfacedeadbeefabaddad2
-TAG: 76fc6ece0f4e1768cddf8853bb2d551b
-NO_SEAL: 01
@@ -116,6 +116,7 @@ type testCase struct {
 	ad         []byte
 	ciphertext []byte
 	tag        []byte
+	tag_len    int
 	noSeal     bool
 	fails      bool
 }
@@ -270,8 +271,9 @@ func makeTestCase(length int, options options) (*testCase, error) {
 		nonce:      nonce,
 		input:      input,
 		ad:         ad,
-		ciphertext: sealed[:len(sealed)-hash.Size()],
-		tag:        sealed[len(sealed)-hash.Size():],
+		ciphertext: sealed[:len(input)],
+		tag:        sealed[len(input):],
+		tag_len:    hash.Size(),
 		noSeal:     noSeal,
 		fails:      fails,
 	}
@@ -286,6 +288,7 @@ func printTestCase(t *testCase) {
 	fmt.Printf("AD: %s\n", hex.EncodeToString(t.ad))
 	fmt.Printf("CT: %s\n", hex.EncodeToString(t.ciphertext))
 	fmt.Printf("TAG: %s\n", hex.EncodeToString(t.tag))
+	fmt.Printf("TAG_LEN: %d\n", t.tag_len)
 	if t.noSeal {
 		fmt.Printf("NO_SEAL: 01\n")
 	}
@@ -317,9 +320,10 @@ func main() {
 	fmt.Printf("# Generated by\n")
 	fmt.Printf("#   %s\n", commandLine)
 	fmt.Printf("#\n")
-	fmt.Printf("# Note: aead_test's input format splits the ciphertext and tag positions of the sealed\n")
-	fmt.Printf("# input. But these legacy AEADs are MAC-then-encrypt and may include padding, so this\n")
-	fmt.Printf("# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above\n")
+	fmt.Printf("# Note: aead_test's input format splits the ciphertext and tag positions of the\n")
+	fmt.Printf("# sealed input. But these legacy AEADs are MAC-then-encrypt and so the 'TAG' may\n")
+	fmt.Printf("# also include padding. We write the byte length of the MAC to 'TAG_LEN' and\n")
+	fmt.Printf("# include the unencrypted MAC in the 'DIGEST' tag above # each test case.\n")
 	fmt.Printf("# each test case.\n")
 	fmt.Printf("\n")

@@ -62,13 +62,13 @@
 #include "../fipsmodule/cipher/internal.h"


-/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
- * field. (SHA-384/512 have 128-bit length.) */
+// MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
+// field. (SHA-384/512 have 128-bit length.)
 #define MAX_HASH_BIT_COUNT_BYTES 16

-/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
- * Currently SHA-384/512 has a 128-byte block size and that's the largest
- * supported by TLS.) */
+// MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
+// Currently SHA-384/512 has a 128-byte block size and that's the largest
+// supported by TLS.)
 #define MAX_HASH_BLOCK_SIZE 128

 int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,
@@ -76,7 +76,7 @@ int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,
                               size_t block_size, size_t mac_size) {
  const size_t overhead = 1 /* padding length byte */ + mac_size;

-  /* These lengths are all public so we can test them in non-constant time. */
+  // These lengths are all public so we can test them in non-constant time.
  if (overhead > in_len) {
    return 0;
  }
@@ -84,16 +84,16 @@ int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,
  size_t padding_length = in[in_len - 1];

  crypto_word_t good = constant_time_ge_w(in_len, overhead + padding_length);
-  /* The padding consists of a length byte at the end of the record and
-   * then that many bytes of padding, all with the same value as the
-   * length byte. Thus, with the length byte included, there are i+1
-   * bytes of padding.
-   *
-   * We can't check just |padding_length+1| bytes because that leaks
-   * decrypted information. Therefore we always have to check the maximum
-   * amount of padding possible. (Again, the length of the record is
-   * public information so we can use it.) */
-  size_t to_check = 256; /* maximum amount of padding, inc length byte. */
+  // The padding consists of a length byte at the end of the record and
+  // then that many bytes of padding, all with the same value as the
+  // length byte. Thus, with the length byte included, there are i+1
+  // bytes of padding.
+  //
+  // We can't check just |padding_length+1| bytes because that leaks
+  // decrypted information. Therefore we always have to check the maximum
+  // amount of padding possible. (Again, the length of the record is
+  // public information so we can use it.)
+  size_t to_check = 256;  // maximum amount of padding, inc length byte.
  if (to_check > in_len) {
    to_check = in_len;
  }
@@ -101,19 +101,19 @@ int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,
  for (size_t i = 0; i < to_check; i++) {
    uint8_t mask = constant_time_ge_8(padding_length, i);
    uint8_t b = in[in_len - 1 - i];
-    /* The final |padding_length+1| bytes should all have the value
-     * |padding_length|. Therefore the XOR should be zero. */
+    // The final |padding_length+1| bytes should all have the value
+    // |padding_length|. Therefore the XOR should be zero.
    good &= ~(mask & (padding_length ^ b));
  }

-  /* If any of the final |padding_length+1| bytes had the wrong value,
-   * one or more of the lower eight bits of |good| will be cleared. */
+  // If any of the final |padding_length+1| bytes had the wrong value,
+  // one or more of the lower eight bits of |good| will be cleared.
  good = constant_time_eq_w(0xff, good & 0xff);

-  /* Always treat |padding_length| as zero on error. If, assuming block size of
-   * 16, a padding of [<15 arbitrary bytes> 15] treated |padding_length| as 16
-   * and returned -1, distinguishing good MAC and bad padding from bad MAC and
-   * bad padding would give POODLE's padding oracle. */
+  // Always treat |padding_length| as zero on error. If, assuming block size of
+  // 16, a padding of [<15 arbitrary bytes> 15] treated |padding_length| as 16
+  // and returned -1, distinguishing good MAC and bad padding from bad MAC and
+  // bad padding would give POODLE's padding oracle.
  padding_length = good & (padding_length + 1);
  *out_len = in_len - padding_length;
  *out_padding_ok = good;
@@ -126,7 +126,7 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
  uint8_t *rotated_mac = rotated_mac1;
  uint8_t *rotated_mac_tmp = rotated_mac2;

-  /* mac_end is the index of |in| just after the end of the MAC. */
+  // mac_end is the index of |in| just after the end of the MAC.
  size_t mac_end = in_len;
  size_t mac_start = mac_end - md_size;

@@ -134,10 +134,10 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
  assert(in_len >= md_size);
  assert(md_size <= EVP_MAX_MD_SIZE);

-  /* scan_start contains the number of bytes that we can ignore because
-   * the MAC's position can only vary by 255 bytes. */
+  // scan_start contains the number of bytes that we can ignore because
+  // the MAC's position can only vary by 255 bytes.
  size_t scan_start = 0;
-  /* This information is public so it's safe to branch based on it. */
+  // This information is public so it's safe to branch based on it.
  if (orig_len > md_size + 255 + 1) {
    scan_start = orig_len - (md_size + 255 + 1);
  }
@@ -153,15 +153,15 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
    mac_started |= is_mac_start;
    uint8_t mac_ended = constant_time_ge_8(i, mac_end);
    rotated_mac[j] |= in[i] & mac_started & ~mac_ended;
-    /* Save the offset that |mac_start| is mapped to. */
+    // Save the offset that |mac_start| is mapped to.
    rotate_offset |= j & is_mac_start;
  }

-  /* Now rotate the MAC. We rotate in log(md_size) steps, one for each bit
-   * position. */
+  // Now rotate the MAC. We rotate in log(md_size) steps, one for each bit
+  // position.
  for (size_t offset = 1; offset < md_size; offset <<= 1, rotate_offset >>= 1) {
-    /* Rotate by |offset| iff the corresponding bit is set in
-     * |rotate_offset|, placing the result in |rotated_mac_tmp|. */
+    // Rotate by |offset| iff the corresponding bit is set in
+    // |rotate_offset|, placing the result in |rotated_mac_tmp|.
    const uint8_t skip_rotate = (rotate_offset & 1) - 1;
    for (size_t i = 0, j = offset; i < md_size; i++, j++) {
      if (j >= md_size) {
@@ -171,9 +171,9 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
          constant_time_select_8(skip_rotate, rotated_mac[i], rotated_mac[j]);
    }

-    /* Swap pointers so |rotated_mac| contains the (possibly) rotated value.
-     * Note the number of iterations and thus the identity of these pointers is
-     * public information. */
+    // Swap pointers so |rotated_mac| contains the (possibly) rotated value.
+    // Note the number of iterations and thus the identity of these pointers is
+    // public information.
    uint8_t *tmp = rotated_mac;
    rotated_mac = rotated_mac_tmp;
    rotated_mac_tmp = tmp;
@@ -182,8 +182,8 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
  OPENSSL_memcpy(out, rotated_mac, md_size);
 }

-/* u32toBE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
- * big-endian order. The value of p is advanced by four. */
+// u32toBE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
+// big-endian order. The value of p is advanced by four.
 #define u32toBE(n, p)                \
  do {                               \
    *((p)++) = (uint8_t)((n) >> 24); \
@@ -192,8 +192,8 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
    *((p)++) = (uint8_t)((n));       \
  } while (0)

-/* u64toBE serialises an unsigned, 64-bit number (n) as eight bytes at (p) in
- * big-endian order. The value of p is advanced by eight. */
+// u64toBE serialises an unsigned, 64-bit number (n) as eight bytes at (p) in
+// big-endian order. The value of p is advanced by eight.
 #define u64toBE(n, p)                \
  do {                               \
    *((p)++) = (uint8_t)((n) >> 56); \
@@ -224,9 +224,9 @@ static void tls1_sha512_transform(HASH_CTX *ctx, const uint8_t *block) {
  SHA512_Transform(&ctx->sha512, block);
 }

-/* These functions serialize the state of a hash and thus perform the standard
- * "final" operation without adding the padding and length that such a function
- * typically does. */
+// These functions serialize the state of a hash and thus perform the standard
+// "final" operation without adding the padding and length that such a function
+// typically does.
 static void tls1_sha1_final_raw(HASH_CTX *ctx, uint8_t *md_out) {
  SHA_CTX *sha1 = &ctx->sha1;
  u32toBE(sha1->h[0], md_out);
@@ -272,13 +272,13 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
  void (*md_final_raw)(HASH_CTX *ctx, uint8_t *md_out);
  void (*md_transform)(HASH_CTX *ctx, const uint8_t *block);
  unsigned md_size, md_block_size = 64;
-  /* md_length_size is the number of bytes in the length field that terminates
-   * the hash. */
+  // md_length_size is the number of bytes in the length field that terminates
+  // the hash.
  unsigned md_length_size = 8;

-  /* Bound the acceptable input so we can forget about many possible overflows
-   * later in this function. This is redundant with the record size limits in
-   * TLS. */
+  // Bound the acceptable input so we can forget about many possible overflows
+  // later in this function. This is redundant with the record size limits in
+  // TLS.
  if (data_plus_mac_plus_padding_size >= 1024 * 1024) {
    assert(0);
    return 0;
@@ -309,8 +309,8 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
      break;

    default:
-      /* EVP_tls_cbc_record_digest_supported should have been called first to
-       * check that the hash function is supported. */
+      // EVP_tls_cbc_record_digest_supported should have been called first to
+      // check that the hash function is supported.
      assert(0);
      *md_out_size = 0;
      return 0;
@@ -322,45 +322,45 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,

  static const size_t kHeaderLength = 13;

-  /* kVarianceBlocks is the number of blocks of the hash that we have to
-   * calculate in constant time because they could be altered by the
-   * padding value.
-   *
-   * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
-   * required to be minimal. Therefore we say that the final six blocks
-   * can vary based on the padding. */
+  // kVarianceBlocks is the number of blocks of the hash that we have to
+  // calculate in constant time because they could be altered by the
+  // padding value.
+  //
+  // TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
+  // required to be minimal. Therefore we say that the final six blocks
+  // can vary based on the padding.
  static const size_t kVarianceBlocks = 6;

-  /* From now on we're dealing with the MAC, which conceptually has 13
-   * bytes of `header' before the start of the data. */
+  // From now on we're dealing with the MAC, which conceptually has 13
+  // bytes of `header' before the start of the data.
  size_t len = data_plus_mac_plus_padding_size + kHeaderLength;
-  /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
-   * |header|, assuming that there's no padding. */
+  // max_mac_bytes contains the maximum bytes of bytes in the MAC, including
+  // |header|, assuming that there's no padding.
  size_t max_mac_bytes = len - md_size - 1;
-  /* num_blocks is the maximum number of hash blocks. */
+  // num_blocks is the maximum number of hash blocks.
  size_t num_blocks =
      (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;
-  /* In order to calculate the MAC in constant time we have to handle
-   * the final blocks specially because the padding value could cause the
-   * end to appear somewhere in the final |kVarianceBlocks| blocks and we
-   * can't leak where. However, |num_starting_blocks| worth of data can
-   * be hashed right away because no padding value can affect whether
-   * they are plaintext. */
+  // In order to calculate the MAC in constant time we have to handle
+  // the final blocks specially because the padding value could cause the
+  // end to appear somewhere in the final |kVarianceBlocks| blocks and we
+  // can't leak where. However, |num_starting_blocks| worth of data can
+  // be hashed right away because no padding value can affect whether
+  // they are plaintext.
  size_t num_starting_blocks = 0;
-  /* k is the starting byte offset into the conceptual header||data where
-   * we start processing. */
+  // k is the starting byte offset into the conceptual header||data where
+  // we start processing.
  size_t k = 0;
-  /* mac_end_offset is the index just past the end of the data to be
-   * MACed. */
+  // mac_end_offset is the index just past the end of the data to be
+  // MACed.
  size_t mac_end_offset = data_plus_mac_size + kHeaderLength - md_size;
-  /* c is the index of the 0x80 byte in the final hash block that
-   * contains application data. */
+  // c is the index of the 0x80 byte in the final hash block that
+  // contains application data.
  size_t c = mac_end_offset % md_block_size;
-  /* index_a is the hash block number that contains the 0x80 terminating
-   * value. */
+  // index_a is the hash block number that contains the 0x80 terminating
+  // value.
  size_t index_a = mac_end_offset / md_block_size;
-  /* index_b is the hash block number that contains the 64-bit hash
-   * length, in bits. */
+  // index_b is the hash block number that contains the 64-bit hash
+  // length, in bits.
  size_t index_b = (mac_end_offset + md_length_size) / md_block_size;

  if (num_blocks > kVarianceBlocks) {
@@ -368,13 +368,13 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
    k = md_block_size * num_starting_blocks;
  }

-  /* bits is the hash-length in bits. It includes the additional hash
-   * block for the masked HMAC key. */
-  size_t bits = 8 * mac_end_offset; /* at most 18 bits to represent */
+  // bits is the hash-length in bits. It includes the additional hash
+  // block for the masked HMAC key.
+  size_t bits = 8 * mac_end_offset;  // at most 18 bits to represent

-  /* Compute the initial HMAC block. */
+  // Compute the initial HMAC block.
  bits += 8 * md_block_size;
-  /* hmac_pad is the masked HMAC key. */
+  // hmac_pad is the masked HMAC key.
  uint8_t hmac_pad[MAX_HASH_BLOCK_SIZE];
  OPENSSL_memset(hmac_pad, 0, md_block_size);
  assert(mac_secret_length <= sizeof(hmac_pad));
@@ -385,7 +385,7 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,

  md_transform(&md_state, hmac_pad);

-  /* The length check means |bits| fits in four bytes. */
+  // The length check means |bits| fits in four bytes.
  uint8_t length_bytes[MAX_HASH_BIT_COUNT_BYTES];
  OPENSSL_memset(length_bytes, 0, md_length_size - 4);
  length_bytes[md_length_size - 4] = (uint8_t)(bits >> 24);
@@ -394,7 +394,7 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
  length_bytes[md_length_size - 1] = (uint8_t)bits;

  if (k > 0) {
-    /* k is a multiple of md_block_size. */
+    // k is a multiple of md_block_size.
    uint8_t first_block[MAX_HASH_BLOCK_SIZE];
    OPENSSL_memcpy(first_block, header, 13);
    OPENSSL_memcpy(first_block + 13, data, md_block_size - 13);
@@ -407,10 +407,10 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
  uint8_t mac_out[EVP_MAX_MD_SIZE];
  OPENSSL_memset(mac_out, 0, sizeof(mac_out));

-  /* We now process the final hash blocks. For each block, we construct
-   * it in constant time. If the |i==index_a| then we'll include the 0x80
-   * bytes and zero pad etc. For each block we selectively copy it, in
-   * constant time, to |mac_out|. */
+  // We now process the final hash blocks. For each block, we construct
+  // it in constant time. If the |i==index_a| then we'll include the 0x80
+  // bytes and zero pad etc. For each block we selectively copy it, in
+  // constant time, to |mac_out|.
  for (size_t i = num_starting_blocks;
       i <= num_starting_blocks + kVarianceBlocks; i++) {
    uint8_t block[MAX_HASH_BLOCK_SIZE];
@@ -427,24 +427,24 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,

      uint8_t is_past_c = is_block_a & constant_time_ge_8(j, c);
      uint8_t is_past_cp1 = is_block_a & constant_time_ge_8(j, c + 1);
-      /* If this is the block containing the end of the
-       * application data, and we are at the offset for the
-       * 0x80 value, then overwrite b with 0x80. */
+      // If this is the block containing the end of the
+      // application data, and we are at the offset for the
+      // 0x80 value, then overwrite b with 0x80.
      b = constant_time_select_8(is_past_c, 0x80, b);
-      /* If this the the block containing the end of the
-       * application data and we're past the 0x80 value then
-       * just write zero. */
+      // If this the the block containing the end of the
+      // application data and we're past the 0x80 value then
+      // just write zero.
      b = b & ~is_past_cp1;
-      /* If this is index_b (the final block), but not
-       * index_a (the end of the data), then the 64-bit
-       * length didn't fit into index_a and we're having to
-       * add an extra block of zeros. */
+      // If this is index_b (the final block), but not
+      // index_a (the end of the data), then the 64-bit
+      // length didn't fit into index_a and we're having to
+      // add an extra block of zeros.
      b &= ~is_block_b | is_block_a;

-      /* The final bytes of one of the blocks contains the
-       * length. */
+      // The final bytes of one of the blocks contains the
+      // length.
      if (j >= md_block_size - md_length_size) {
-        /* If this is index_b, write a length byte. */
+        // If this is index_b, write a length byte.
        b = constant_time_select_8(
            is_block_b, length_bytes[j - (md_block_size - md_length_size)], b);
      }
@@ -453,7 +453,7 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,

    md_transform(&md_state, block);
    md_final_raw(&md_state, block);
-    /* If this is index_b, copy the hash value to |mac_out|. */
+    // If this is index_b, copy the hash value to |mac_out|.
    for (size_t j = 0; j < md_size; j++) {
      mac_out[j] |= block[j] & is_block_b;
    }
@@ -466,7 +466,7 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
    return 0;
  }

-  /* Complete the HMAC in the standard manner. */
+  // Complete the HMAC in the standard manner.
  for (size_t i = 0; i < md_block_size; i++) {
    hmac_pad[i] ^= 0x6a;
  }
@@ -60,13 +60,13 @@

 struct cmac_ctx_st {
  EVP_CIPHER_CTX cipher_ctx;
-  /* k1 and k2 are the CMAC subkeys. See
-   * https://tools.ietf.org/html/rfc4493#section-2.3 */
+  // k1 and k2 are the CMAC subkeys. See
+  // https://tools.ietf.org/html/rfc4493#section-2.3
  uint8_t k1[AES_BLOCK_SIZE];
  uint8_t k2[AES_BLOCK_SIZE];
-  /* Last (possibly partial) scratch */
+  // Last (possibly partial) scratch
  uint8_t block[AES_BLOCK_SIZE];
-  /* block_used contains the number of valid bytes in |block|. */
+  // block_used contains the number of valid bytes in |block|.
  unsigned block_used;
 };

@@ -124,20 +124,20 @@ void CMAC_CTX_free(CMAC_CTX *ctx) {
  OPENSSL_free(ctx);
 }

-/* binary_field_mul_x treats the 128 bits at |in| as an element of GF(2¹²⁸)
- * with a hard-coded reduction polynomial and sets |out| as x times the
- * input.
- *
- * See https://tools.ietf.org/html/rfc4493#section-2.3 */
+// binary_field_mul_x treats the 128 bits at |in| as an element of GF(2¹²⁸)
+// with a hard-coded reduction polynomial and sets |out| as x times the
+// input.
+//
+// See https://tools.ietf.org/html/rfc4493#section-2.3
 static void binary_field_mul_x(uint8_t out[16], const uint8_t in[16]) {
  unsigned i;

-  /* Shift |in| to left, including carry. */
+  // Shift |in| to left, including carry.
  for (i = 0; i < 15; i++) {
    out[i] = (in[i] << 1) | (in[i+1] >> 7);
  }

-  /* If MSB set fixup with R. */
+  // If MSB set fixup with R.
  const uint8_t carry = in[0] >> 7;
  out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87);
 }
@@ -152,7 +152,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,
      EVP_CIPHER_key_length(cipher) != key_len ||
      !EVP_EncryptInit_ex(&ctx->cipher_ctx, cipher, NULL, key, kZeroIV) ||
      !EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, AES_BLOCK_SIZE) ||
-      /* Reset context again ready for first data. */
+      // Reset context again ready for first data.
      !EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {
    return 0;
  }
@@ -183,11 +183,11 @@ int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {
    in_len -= todo;
    ctx->block_used += todo;

-    /* If |in_len| is zero then either |ctx->block_used| is less than
-     * |AES_BLOCK_SIZE|, in which case we can stop here, or |ctx->block_used|
-     * is exactly |AES_BLOCK_SIZE| but there's no more data to process. In the
-     * latter case we don't want to process this block now because it might be
-     * the last block and that block is treated specially. */
+    // If |in_len| is zero then either |ctx->block_used| is less than
+    // |AES_BLOCK_SIZE|, in which case we can stop here, or |ctx->block_used|
+    // is exactly |AES_BLOCK_SIZE| but there's no more data to process. In the
+    // latter case we don't want to process this block now because it might be
+    // the last block and that block is treated specially.
    if (in_len == 0) {
      return 1;
    }
@@ -199,7 +199,7 @@ int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {
    }
  }

-  /* Encrypt all but one of the remaining blocks. */
+  // Encrypt all but one of the remaining blocks.
  while (in_len > AES_BLOCK_SIZE) {
    if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, AES_BLOCK_SIZE)) {
      return 0;
@@ -223,8 +223,8 @@ int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {
  const uint8_t *mask = ctx->k1;

  if (ctx->block_used != AES_BLOCK_SIZE) {
-    /* If the last block is incomplete, terminate it with a single 'one' bit
-     * followed by zeros. */
+    // If the last block is incomplete, terminate it with a single 'one' bit
+    // followed by zeros.
    ctx->block[ctx->block_used] = 0x80;
    OPENSSL_memset(ctx->block + ctx->block_used + 1, 0,
                   AES_BLOCK_SIZE - (ctx->block_used + 1));
@@ -149,11 +149,11 @@ TEST(CompilerTest, IntegerRepresentation) {
  CheckRepresentation(static_cast<uint64_t>(0));
 }

-// Converting pointers to integers and doing arithmetic on those values are both
-// defined. Converting those values back into pointers is undefined, but, for
-// aliasing checks, we require that the implementation-defined result of that
-// computation commutes with pointer arithmetic.
 TEST(CompilerTest, PointerRepresentation) {
+  // Converting pointers to integers and doing arithmetic on those values are
+  // both defined. Converting those values back into pointers is undefined,
+  // but, for aliasing checks, we require that the implementation-defined
+  // result of that computation commutes with pointer arithmetic.
  char chars[256];
  for (size_t i = 0; i < sizeof(chars); i++) {
    EXPECT_EQ(reinterpret_cast<uintptr_t>(chars) + i,
@@ -165,4 +165,11 @@ TEST(CompilerTest, PointerRepresentation) {
    EXPECT_EQ(reinterpret_cast<uintptr_t>(ints) + i * sizeof(int),
              reinterpret_cast<uintptr_t>(ints + i));
  }
+
+  // nullptr must be represented by all zeros in memory. This is necessary so
+  // structs may be initialized by memset(0).
+  int *null = nullptr;
+  uint8_t bytes[sizeof(null)] = {0};
+  EXPECT_EQ(Bytes(bytes),
+            Bytes(reinterpret_cast<uint8_t *>(&null), sizeof(null)));
 }
@@ -69,8 +69,8 @@
 #include "../internal.h"


-/* The maximum length we can grow a value to after variable expansion. 64k
- * should be more than enough for all reasonable uses. */
+// The maximum length we can grow a value to after variable expansion. 64k
+// should be more than enough for all reasonable uses.
 #define MAX_CONF_VALUE_LENGTH 65536

 static uint32_t conf_value_hash(const CONF_VALUE *v) {
@@ -263,7 +263,7 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) {
    } else if (IS_EOF(conf, *from)) {
      break;
    } else if (*from == '$') {
-      /* try to expand it */
+      // try to expand it
      rrp = NULL;
      s = &(from[1]);
      if (*s == '{') {
@@ -303,14 +303,14 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) {
        }
        e++;
      }
-      /* So at this point we have
-       * np which is the start of the name string which is
-       *   '\0' terminated.
-       * cp which is the start of the section string which is
-       *   '\0' terminated.
-       * e is the 'next point after'.
-       * r and rr are the chars replaced by the '\0'
-       * rp and rrp is where 'r' and 'rr' came from. */
+      // So at this point we have
+      // np which is the start of the name string which is
+      //   '\0' terminated.
+      // cp which is the start of the section string which is
+      //   '\0' terminated.
+      // e is the 'next point after'.
+      // r and rr are the chars replaced by the '\0'
+      // rp and rrp is where 'r' and 'rr' came from.
      p = NCONF_get_string(conf, cp, np);
      if (rrp != NULL) {
        *rrp = rr;
@@ -566,25 +566,25 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
        i--;
      }
    }
-    /* we removed some trailing stuff so there is a new
-     * line on the end. */
+    // we removed some trailing stuff so there is a new
+    // line on the end.
    if (ii && i == ii) {
-      again = 1; /* long line */
+      again = 1;  // long line
    } else {
      p[i] = '\0';
-      eline++; /* another input line */
+      eline++;  // another input line
    }

-    /* we now have a line with trailing \r\n removed */
+    // we now have a line with trailing \r\n removed

-    /* i is the number of bytes */
+    // i is the number of bytes
    bufnum += i;

    v = NULL;
-    /* check for line continuation */
+    // check for line continuation
    if (bufnum >= 1) {
-      /* If we have bytes and the last char '\\' and
-       * second last char is not '\\' */
+      // If we have bytes and the last char '\\' and
+      // second last char is not '\\'
      p = &(buff->data[bufnum - 1]);
      if (IS_ESC(conf, p[0]) && ((bufnum <= 1) || !IS_ESC(conf, p[-1]))) {
        bufnum--;
@@ -600,7 +600,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
    clear_comments(conf, buf);
    s = eat_ws(conf, buf);
    if (IS_EOF(conf, *s)) {
-      continue; /* blank line */
+      continue;  // blank line
    }
    if (*s == '[') {
      char *ss;
@@ -20,12 +20,12 @@ extern "C" {
 #endif


-/* CONF_VALUE_new returns a freshly allocated and zeroed |CONF_VALUE|. */
+// CONF_VALUE_new returns a freshly allocated and zeroed |CONF_VALUE|.
 CONF_VALUE *CONF_VALUE_new(void);


 #if defined(__cplusplus)
-}  /* extern C */
+}  // extern C
 #endif

-#endif  /* OPENSSL_HEADER_CRYPTO_CONF_INTERNAL_H */
+#endif  // OPENSSL_HEADER_CRYPTO_CONF_INTERNAL_H
@@ -28,8 +28,8 @@ extern uint32_t OPENSSL_armcap_P;
 void OPENSSL_cpuid_setup(void) {
  unsigned long hwcap = getauxval(AT_HWCAP);

-  /* See /usr/include/asm/hwcap.h on an aarch64 installation for the source of
-   * these values. */
+  // See /usr/include/asm/hwcap.h on an aarch64 installation for the source of
+  // these values.
  static const unsigned long kNEON = 1 << 1;
  static const unsigned long kAES = 1 << 3;
  static const unsigned long kPMULL = 1 << 4;
@@ -37,8 +37,8 @@ void OPENSSL_cpuid_setup(void) {
  static const unsigned long kSHA256 = 1 << 6;

  if ((hwcap & kNEON) == 0) {
-    /* Matching OpenSSL, if NEON is missing, don't report other features
-     * either. */
+    // Matching OpenSSL, if NEON is missing, don't report other features
+    // either.
    return;
  }

@@ -58,4 +58,4 @@ void OPENSSL_cpuid_setup(void) {
  }
 }

-#endif /* OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP */
+#endif  // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP
@@ -34,15 +34,15 @@

 #define HWCAP_NEON (1 << 12)

-/* See /usr/include/asm/hwcap.h on an ARM installation for the source of
- * these values. */
+// See /usr/include/asm/hwcap.h on an ARM installation for the source of
+// these values.
 #define HWCAP2_AES (1 << 0)
 #define HWCAP2_PMULL (1 << 1)
 #define HWCAP2_SHA1 (1 << 2)
 #define HWCAP2_SHA2 (1 << 3)

-/* |getauxval| is not available on Android until API level 20. Link it as a weak
- * symbol and use other methods as fallback. */
+// |getauxval| is not available on Android until API level 20. Link it as a weak
+// symbol and use other methods as fallback.
 unsigned long getauxval(unsigned long type) __attribute__((weak));

 static int open_eintr(const char *path, int flags) {
@@ -61,8 +61,8 @@ static ssize_t read_eintr(int fd, void *out, size_t len) {
  return ret;
 }

-/* read_full reads exactly |len| bytes from |fd| to |out|. On error or end of
- * file, it returns zero. */
+// read_full reads exactly |len| bytes from |fd| to |out|. On error or end of
+// file, it returns zero.
 static int read_full(int fd, void *out, size_t len) {
  char *outp = out;
  while (len > 0) {
@@ -76,9 +76,9 @@ static int read_full(int fd, void *out, size_t len) {
  return 1;
 }

-/* read_file opens |path| and reads until end-of-file. On success, it returns
- * one and sets |*out_ptr| and |*out_len| to a newly-allocated buffer with the
- * contents. Otherwise, it returns zero. */
+// read_file opens |path| and reads until end-of-file. On success, it returns
+// one and sets |*out_ptr| and |*out_len| to a newly-allocated buffer with the
+// contents. Otherwise, it returns zero.
 static int read_file(char **out_ptr, size_t *out_len, const char *path) {
  int fd = open_eintr(path, O_RDONLY);
  if (fd < 0) {
@@ -128,7 +128,7 @@ err:
  return ret;
 }

-/* getauxval_proc behaves like |getauxval| but reads from /proc/self/auxv. */
+// getauxval_proc behaves like |getauxval| but reads from /proc/self/auxv.
 static unsigned long getauxval_proc(unsigned long type) {
  int fd = open_eintr("/proc/self/auxv", O_RDONLY);
  if (fd < 0) {
@@ -164,16 +164,16 @@ static int STRING_PIECE_equals(const STRING_PIECE *a, const char *b) {
  return a->len == b_len && OPENSSL_memcmp(a->data, b, b_len) == 0;
 }

-/* STRING_PIECE_split finds the first occurence of |sep| in |in| and, if found,
- * sets |*out_left| and |*out_right| to |in| split before and after it. It
- * returns one if |sep| was found and zero otherwise. */
+// STRING_PIECE_split finds the first occurence of |sep| in |in| and, if found,
+// sets |*out_left| and |*out_right| to |in| split before and after it. It
+// returns one if |sep| was found and zero otherwise.
 static int STRING_PIECE_split(STRING_PIECE *out_left, STRING_PIECE *out_right,
                              const STRING_PIECE *in, char sep) {
  const char *p = OPENSSL_memchr(in->data, sep, in->len);
  if (p == NULL) {
    return 0;
  }
-  /* |out_left| or |out_right| may alias |in|, so make a copy. */
+  // |out_left| or |out_right| may alias |in|, so make a copy.
  STRING_PIECE in_copy = *in;
  out_left->data = in_copy.data;
  out_left->len = p - in_copy.data;
@@ -182,7 +182,7 @@ static int STRING_PIECE_split(STRING_PIECE *out_left, STRING_PIECE *out_right,
  return 1;
 }

-/* STRING_PIECE_trim removes leading and trailing whitespace from |s|. */
+// STRING_PIECE_trim removes leading and trailing whitespace from |s|.
 static void STRING_PIECE_trim(STRING_PIECE *s) {
  while (s->len != 0 && (s->data[0] == ' ' || s->data[0] == '\t')) {
    s->data++;
@@ -194,12 +194,12 @@ static void STRING_PIECE_trim(STRING_PIECE *s) {
  }
 }

-/* extract_cpuinfo_field extracts a /proc/cpuinfo field named |field| from
- * |in|.  If found, it sets |*out| to the value and returns one. Otherwise, it
- * returns zero. */
+// extract_cpuinfo_field extracts a /proc/cpuinfo field named |field| from
+// |in|.  If found, it sets |*out| to the value and returns one. Otherwise, it
+// returns zero.
 static int extract_cpuinfo_field(STRING_PIECE *out, const STRING_PIECE *in,
                                 const char *field) {
-  /* Process |in| one line at a time. */
+  // Process |in| one line at a time.
  STRING_PIECE remaining = *in, line;
  while (STRING_PIECE_split(&line, &remaining, &remaining, '\n')) {
    STRING_PIECE key, value;
@@ -224,8 +224,8 @@ static int cpuinfo_field_equals(const STRING_PIECE *cpuinfo, const char *field,
         STRING_PIECE_equals(&extracted, value);
 }

-/* has_list_item treats |list| as a space-separated list of items and returns
- * one if |item| is contained in |list| and zero otherwise. */
+// has_list_item treats |list| as a space-separated list of items and returns
+// one if |item| is contained in |list| and zero otherwise.
 static int has_list_item(const STRING_PIECE *list, const char *item) {
  STRING_PIECE remaining = *list, feature;
  while (STRING_PIECE_split(&feature, &remaining, &remaining, ' ')) {
@@ -238,11 +238,11 @@ static int has_list_item(const STRING_PIECE *list, const char *item) {

 static unsigned long get_hwcap_cpuinfo(const STRING_PIECE *cpuinfo) {
  if (cpuinfo_field_equals(cpuinfo, "CPU architecture", "8")) {
-    /* This is a 32-bit ARM binary running on a 64-bit kernel. NEON is always
-     * available on ARMv8. Linux omits required features, so reading the
-     * "Features" line does not work. (For simplicity, use strict equality. We
-     * assume everything running on future ARM architectures will have a
-     * working |getauxval|.) */
+    // This is a 32-bit ARM binary running on a 64-bit kernel. NEON is always
+    // available on ARMv8. Linux omits required features, so reading the
+    // "Features" line does not work. (For simplicity, use strict equality. We
+    // assume everything running on future ARM architectures will have a
+    // working |getauxval|.)
    return HWCAP_NEON;
  }

@@ -276,8 +276,8 @@ static unsigned long get_hwcap2_cpuinfo(const STRING_PIECE *cpuinfo) {
  return ret;
 }

-/* has_broken_neon returns one if |in| matches a CPU known to have a broken
- * NEON unit. See https://crbug.com/341598. */
+// has_broken_neon returns one if |in| matches a CPU known to have a broken
+// NEON unit. See https://crbug.com/341598.
 static int has_broken_neon(const STRING_PIECE *cpuinfo) {
  return cpuinfo_field_equals(cpuinfo, "CPU implementer", "0x51") &&
         cpuinfo_field_equals(cpuinfo, "CPU architecture", "7") &&
@@ -288,7 +288,7 @@ static int has_broken_neon(const STRING_PIECE *cpuinfo) {

 extern uint32_t OPENSSL_armcap_P;

-static int g_has_broken_neon;
+static int g_has_broken_neon, g_needs_hwcap2_workaround;

 void OPENSSL_cpuid_setup(void) {
  char *cpuinfo_data;
@@ -300,13 +300,13 @@ void OPENSSL_cpuid_setup(void) {
  cpuinfo.data = cpuinfo_data;
  cpuinfo.len = cpuinfo_len;

-  /* |getauxval| is not available on Android until API level 20. If it is
-   * unavailable, read from /proc/self/auxv as a fallback. This is unreadable
-   * on some versions of Android, so further fall back to /proc/cpuinfo.
-   *
-   * See
-   * https://android.googlesource.com/platform/ndk/+/882ac8f3392858991a0e1af33b4b7387ec856bd2
-   * and b/13679666 (Google-internal) for details. */
+  // |getauxval| is not available on Android until API level 20. If it is
+  // unavailable, read from /proc/self/auxv as a fallback. This is unreadable
+  // on some versions of Android, so further fall back to /proc/cpuinfo.
+  //
+  // See
+  // https://android.googlesource.com/platform/ndk/+/882ac8f3392858991a0e1af33b4b7387ec856bd2
+  // and b/13679666 (Google-internal) for details.
  unsigned long hwcap = 0;
  if (getauxval != NULL) {
    hwcap = getauxval(AT_HWCAP);
@@ -318,24 +318,25 @@ void OPENSSL_cpuid_setup(void) {
    hwcap = get_hwcap_cpuinfo(&cpuinfo);
  }

-  /* Clear NEON support if known broken. */
+  // Clear NEON support if known broken.
  g_has_broken_neon = has_broken_neon(&cpuinfo);
  if (g_has_broken_neon) {
    hwcap &= ~HWCAP_NEON;
  }

-  /* Matching OpenSSL, only report other features if NEON is present. */
+  // Matching OpenSSL, only report other features if NEON is present.
  if (hwcap & HWCAP_NEON) {
    OPENSSL_armcap_P |= ARMV7_NEON;

-    /* Some ARMv8 Android devices don't expose AT_HWCAP2. Fall back to
-     * /proc/cpuinfo. See https://crbug.com/596156. */
+    // Some ARMv8 Android devices don't expose AT_HWCAP2. Fall back to
+    // /proc/cpuinfo. See https://crbug.com/596156.
    unsigned long hwcap2 = 0;
    if (getauxval != NULL) {
      hwcap2 = getauxval(AT_HWCAP2);
    }
    if (hwcap2 == 0) {
      hwcap2 = get_hwcap2_cpuinfo(&cpuinfo);
+      g_needs_hwcap2_workaround = hwcap2 != 0;
    }

    if (hwcap2 & HWCAP2_AES) {
@@ -357,4 +358,6 @@ void OPENSSL_cpuid_setup(void) {

 int CRYPTO_has_broken_NEON(void) { return g_has_broken_neon; }

-#endif /* OPENSSL_ARM && !OPENSSL_STATIC_ARMCAP */
+int CRYPTO_needs_hwcap2_workaround(void) { return g_needs_hwcap2_workaround; }
+
+#endif  // OPENSSL_ARM && !OPENSSL_STATIC_ARMCAP
@@ -68,7 +68,7 @@
 #include <stdlib.h>
 #include <string.h>

-#if defined(OPENSSL_WINDOWS)
+#if defined(_MSC_VER)
 OPENSSL_MSVC_PRAGMA(warning(push, 3))
 #include <immintrin.h>
 #include <intrin.h>
@@ -78,12 +78,12 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 #include "internal.h"


-/* OPENSSL_cpuid runs the cpuid instruction. |leaf| is passed in as EAX and ECX
- * is set to zero. It writes EAX, EBX, ECX, and EDX to |*out_eax| through
- * |*out_edx|. */
+// OPENSSL_cpuid runs the cpuid instruction. |leaf| is passed in as EAX and ECX
+// is set to zero. It writes EAX, EBX, ECX, and EDX to |*out_eax| through
+// |*out_edx|.
 static void OPENSSL_cpuid(uint32_t *out_eax, uint32_t *out_ebx,
                          uint32_t *out_ecx, uint32_t *out_edx, uint32_t leaf) {
-#if defined(OPENSSL_WINDOWS)
+#if defined(_MSC_VER)
  int tmp[4];
  __cpuid(tmp, (int)leaf);
  *out_eax = (uint32_t)tmp[0];
@@ -91,8 +91,8 @@ static void OPENSSL_cpuid(uint32_t *out_eax, uint32_t *out_ebx,
  *out_ecx = (uint32_t)tmp[2];
  *out_edx = (uint32_t)tmp[3];
 #elif defined(__pic__) && defined(OPENSSL_32_BIT)
-  /* Inline assembly may not clobber the PIC register. For 32-bit, this is EBX.
-   * See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=47602. */
+  // Inline assembly may not clobber the PIC register. For 32-bit, this is EBX.
+  // See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=47602.
  __asm__ volatile (
    "xor %%ecx, %%ecx\n"
    "mov %%ebx, %%edi\n"
@@ -111,10 +111,10 @@ static void OPENSSL_cpuid(uint32_t *out_eax, uint32_t *out_ebx,
 #endif
 }

-/* OPENSSL_xgetbv returns the value of an Intel Extended Control Register (XCR).
- * Currently only XCR0 is defined by Intel so |xcr| should always be zero. */
+// OPENSSL_xgetbv returns the value of an Intel Extended Control Register (XCR).
+// Currently only XCR0 is defined by Intel so |xcr| should always be zero.
 static uint64_t OPENSSL_xgetbv(uint32_t xcr) {
-#if defined(OPENSSL_WINDOWS)
+#if defined(_MSC_VER)
  return (uint64_t)_xgetbv(xcr);
 #else
  uint32_t eax, edx;
@@ -123,8 +123,8 @@ static uint64_t OPENSSL_xgetbv(uint32_t xcr) {
 #endif
 }

-/* handle_cpu_env applies the value from |in| to the CPUID values in |out[0]|
- * and |out[1]|. See the comment in |OPENSSL_cpuid_setup| about this. */
+// handle_cpu_env applies the value from |in| to the CPUID values in |out[0]|
+// and |out[1]|. See the comment in |OPENSSL_cpuid_setup| about this.
 static void handle_cpu_env(uint32_t *out, const char *in) {
  const int invert = in[0] == '~';
  uint64_t v;
@@ -143,7 +143,7 @@ static void handle_cpu_env(uint32_t *out, const char *in) {
 }

 void OPENSSL_cpuid_setup(void) {
-  /* Determine the vendor and maximum input value. */
+  // Determine the vendor and maximum input value.
  uint32_t eax, ebx, ecx, edx;
  OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 0);

@@ -158,8 +158,8 @@ void OPENSSL_cpuid_setup(void) {

  int has_amd_xop = 0;
  if (is_amd) {
-    /* AMD-specific logic.
-     * See http://developer.amd.com/wordpress/media/2012/10/254811.pdf */
+    // AMD-specific logic.
+    // See http://developer.amd.com/wordpress/media/2012/10/254811.pdf
    OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 0x80000000);
    uint32_t num_extended_ids = eax;
    if (num_extended_ids >= 0x80000001) {
@@ -176,23 +176,23 @@ void OPENSSL_cpuid_setup(void) {
    extended_features = ebx;
  }

-  /* Determine the number of cores sharing an L1 data cache to adjust the
-   * hyper-threading bit. */
+  // Determine the number of cores sharing an L1 data cache to adjust the
+  // hyper-threading bit.
  uint32_t cores_per_cache = 0;
  if (is_amd) {
-    /* AMD CPUs never share an L1 data cache between threads but do set the HTT
-     * bit on multi-core CPUs. */
+    // AMD CPUs never share an L1 data cache between threads but do set the HTT
+    // bit on multi-core CPUs.
    cores_per_cache = 1;
  } else if (num_ids >= 4) {
-    /* TODO(davidben): The Intel manual says this CPUID leaf enumerates all
-     * caches using ECX and doesn't say which is first. Does this matter? */
+    // TODO(davidben): The Intel manual says this CPUID leaf enumerates all
+    // caches using ECX and doesn't say which is first. Does this matter?
    OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 4);
    cores_per_cache = 1 + ((eax >> 14) & 0xfff);
  }

  OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 1);

-  /* Adjust the hyper-threading bit. */
+  // Adjust the hyper-threading bit.
  if (edx & (1 << 28)) {
    uint32_t num_logical_cores = (ebx >> 16) & 0xff;
    if (cores_per_cache == 1 || num_logical_cores <= 1) {
@@ -200,18 +200,26 @@ void OPENSSL_cpuid_setup(void) {
    }
  }

-  /* Reserved bit #20 was historically repurposed to control the in-memory
-   * representation of RC4 state. Always set it to zero. */
+  // Reserved bit #20 was historically repurposed to control the in-memory
+  // representation of RC4 state. Always set it to zero.
  edx &= ~(1 << 20);

-  /* Reserved bit #30 is repurposed to signal an Intel CPU. */
+  // Reserved bit #30 is repurposed to signal an Intel CPU.
  if (is_intel) {
    edx |= (1 << 30);
+
+    // Clear the XSAVE bit on Knights Landing to mimic Silvermont. This enables
+    // some Silvermont-specific codepaths which perform better. See OpenSSL
+    // commit 64d92d74985ebb3d0be58a9718f9e080a14a8e7f.
+    if ((eax & 0x0fff0ff0) == 0x00050670 /* Knights Landing */ ||
+        (eax & 0x0fff0ff0) == 0x00080650 /* Knights Mill (per SDE) */) {
+      ecx &= ~(1 << 26);
+    }
  } else {
    edx &= ~(1 << 30);
  }

-  /* The SDBG bit is repurposed to denote AMD XOP support. */
+  // The SDBG bit is repurposed to denote AMD XOP support.
  if (has_amd_xop) {
    ecx |= (1 << 11);
  } else {
@@ -220,16 +228,33 @@ void OPENSSL_cpuid_setup(void) {

  uint64_t xcr0 = 0;
  if (ecx & (1 << 27)) {
-    /* XCR0 may only be queried if the OSXSAVE bit is set. */
+    // XCR0 may only be queried if the OSXSAVE bit is set.
    xcr0 = OPENSSL_xgetbv(0);
  }
-  /* See Intel manual, section 14.3. */
+  // See Intel manual, volume 1, section 14.3.
  if ((xcr0 & 6) != 6) {
-    /* YMM registers cannot be used. */
-    ecx &= ~(1 << 28); /* AVX */
-    ecx &= ~(1 << 12); /* FMA */
-    ecx &= ~(1 << 11); /* AMD XOP */
-    extended_features &= ~(1 << 5); /* AVX2 */
+    // YMM registers cannot be used.
+    ecx &= ~(1 << 28);  // AVX
+    ecx &= ~(1 << 12);  // FMA
+    ecx &= ~(1 << 11);  // AMD XOP
+    // Clear AVX2 and AVX512* bits.
+    //
+    // TODO(davidben): Should bits 17 and 26-28 also be cleared? Upstream
+    // doesn't clear those.
+    extended_features &=
+        ~((1 << 5) | (1 << 16) | (1 << 21) | (1 << 30) | (1 << 31));
+  }
+  // See Intel manual, volume 1, section 15.2.
+  if ((xcr0 & 0xe6) != 0xe6) {
+    // Clear AVX512F. Note we don't touch other AVX512 extensions because they
+    // can be used with YMM.
+    extended_features &= ~(1 << 16);
+  }
+
+  // Disable ADX instructions on Knights Landing. See OpenSSL commit
+  // 64d92d74985ebb3d0be58a9718f9e080a14a8e7f.
+  if ((ecx & (1 << 26)) == 0) {
+    extended_features &= ~(1 << 19);
  }

  OPENSSL_ia32cap_P[0] = edx;
@@ -243,15 +268,15 @@ void OPENSSL_cpuid_setup(void) {
    return;
  }

-  /* OPENSSL_ia32cap can contain zero, one or two values, separated with a ':'.
-   * Each value is a 64-bit, unsigned value which may start with "0x" to
-   * indicate a hex value. Prior to the 64-bit value, a '~' may be given.
-   *
-   * If '~' isn't present, then the value is taken as the result of the CPUID.
-   * Otherwise the value is inverted and ANDed with the probed CPUID result.
-   *
-   * The first value determines OPENSSL_ia32cap_P[0] and [1]. The second [2]
-   * and [3]. */
+  // OPENSSL_ia32cap can contain zero, one or two values, separated with a ':'.
+  // Each value is a 64-bit, unsigned value which may start with "0x" to
+  // indicate a hex value. Prior to the 64-bit value, a '~' may be given.
+  //
+  // If '~' isn't present, then the value is taken as the result of the CPUID.
+  // Otherwise the value is inverted and ANDed with the probed CPUID result.
+  //
+  // The first value determines OPENSSL_ia32cap_P[0] and [1]. The second [2]
+  // and [3].

  handle_cpu_env(&OPENSSL_ia32cap_P[0], env1);
  env2 = strchr(env1, ':');
@@ -260,4 +285,4 @@ void OPENSSL_cpuid_setup(void) {
  }
 }

-#endif  /* !OPENSSL_NO_ASM && (OPENSSL_X86 || OPENSSL_X86_64) */
+#endif  // !OPENSSL_NO_ASM && (OPENSSL_X86 || OPENSSL_X86_64)
@@ -22,8 +22,8 @@


 #if !defined(PPC_FEATURE2_HAS_VCRYPTO)
-/* PPC_FEATURE2_HAS_VCRYPTO was taken from section 4.1.2.3 of the “OpenPOWER
- * ABI for Linux Supplement”. */
+// PPC_FEATURE2_HAS_VCRYPTO was taken from section 4.1.2.3 of the “OpenPOWER
+// ABI for Linux Supplement”.
 #define PPC_FEATURE2_HAS_VCRYPTO 0x02000000
 #endif

@@ -35,4 +35,4 @@ int CRYPTO_is_PPC64LE_vcrypto_capable(void) {
  return (OPENSSL_ppc64le_hwcap2 & PPC_FEATURE2_HAS_VCRYPTO) != 0;
 }

-#endif  /* OPENSSL_PPC64LE */
+#endif  // OPENSSL_PPC64LE
@@ -23,14 +23,14 @@
    (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
     defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) || \
     defined(OPENSSL_PPC64LE))
-/* x86, x86_64, the ARMs and ppc64le need to record the result of a
- * cpuid/getauxval call for the asm to work correctly, unless compiled without
- * asm code. */
+// x86, x86_64, the ARMs and ppc64le need to record the result of a
+// cpuid/getauxval call for the asm to work correctly, unless compiled without
+// asm code.
 #define NEED_CPUID

 #else

-/* Otherwise, don't emit a static initialiser. */
+// Otherwise, don't emit a static initialiser.

 #if !defined(BORINGSSL_NO_STATIC_INITIALIZER)
 #define BORINGSSL_NO_STATIC_INITIALIZER
@@ -40,23 +40,23 @@
                               OPENSSL_ARM || OPENSSL_AARCH64) */


-/* The capability variables are defined in this file in order to work around a
- * linker bug. When linking with a .a, if no symbols in a .o are referenced
- * then the .o is discarded, even if it has constructor functions.
- *
- * This still means that any binaries that don't include some functionality
- * that tests the capability values will still skip the constructor but, so
- * far, the init constructor function only sets the capability variables. */
+// The capability variables are defined in this file in order to work around a
+// linker bug. When linking with a .a, if no symbols in a .o are referenced
+// then the .o is discarded, even if it has constructor functions.
+//
+// This still means that any binaries that don't include some functionality
+// that tests the capability values will still skip the constructor but, so
+// far, the init constructor function only sets the capability variables.

 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)

-/* This value must be explicitly initialised to zero in order to work around a
- * bug in libtool or the linker on OS X.
- *
- * If not initialised then it becomes a "common symbol". When put into an
- * archive, linking on OS X will fail to resolve common symbols. By
- * initialising it to zero, it becomes a "data symbol", which isn't so
- * affected. */
+// This value must be explicitly initialised to zero in order to work around a
+// bug in libtool or the linker on OS X.
+//
+// If not initialised then it becomes a "common symbol". When put into an
+// archive, linking on OS X will fail to resolve common symbols. By
+// initialising it to zero, it becomes a "data symbol", which isn't so
+// affected.
 uint32_t OPENSSL_ia32cap_P[4] = {0};

 #elif defined(OPENSSL_PPC64LE)
@@ -73,16 +73,16 @@ uint32_t OPENSSL_armcap_P =
 #if defined(OPENSSL_STATIC_ARMCAP_NEON) || defined(__ARM_NEON__)
    ARMV7_NEON |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_AES)
+#if defined(OPENSSL_STATIC_ARMCAP_AES) || defined(__ARM_FEATURE_CRYPTO)
    ARMV8_AES |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_SHA1)
+#if defined(OPENSSL_STATIC_ARMCAP_SHA1) || defined(__ARM_FEATURE_CRYPTO)
    ARMV8_SHA1 |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_SHA256)
+#if defined(OPENSSL_STATIC_ARMCAP_SHA256) || defined(__ARM_FEATURE_CRYPTO)
    ARMV8_SHA256 |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_PMULL)
+#if defined(OPENSSL_STATIC_ARMCAP_PMULL) || defined(__ARM_FEATURE_CRYPTO)
    ARMV8_PMULL |
 #endif
    0;
@@ -94,8 +94,8 @@ uint32_t OPENSSL_armcap_P = 0;
 #endif

 #if defined(BORINGSSL_FIPS)
-/* In FIPS mode, the power-on self-test function calls |CRYPTO_library_init|
- * because we have to ensure that CPUID detection occurs first. */
+// In FIPS mode, the power-on self-test function calls |CRYPTO_library_init|
+// because we have to ensure that CPUID detection occurs first.
 #define BORINGSSL_NO_STATIC_INITIALIZER
 #endif

@@ -107,7 +107,7 @@ uint32_t OPENSSL_armcap_P = 0;

 #if defined(BORINGSSL_NO_STATIC_INITIALIZER)
 static CRYPTO_once_t once = CRYPTO_ONCE_INIT;
-#elif defined(OPENSSL_WINDOWS)
+#elif defined(_MSC_VER)
 #pragma section(".CRT$XCU", read)
 static void __cdecl do_library_init(void);
 __declspec(allocate(".CRT$XCU")) void(*library_init_constructor)(void) =
@@ -116,21 +116,21 @@ __declspec(allocate(".CRT$XCU")) void(*library_init_constructor)(void) =
 static void do_library_init(void) __attribute__ ((constructor));
 #endif

-/* do_library_init is the actual initialization function. If
- * BORINGSSL_NO_STATIC_INITIALIZER isn't defined, this is set as a static
- * initializer. Otherwise, it is called by CRYPTO_library_init. */
+// do_library_init is the actual initialization function. If
+// BORINGSSL_NO_STATIC_INITIALIZER isn't defined, this is set as a static
+// initializer. Otherwise, it is called by CRYPTO_library_init.
 static void OPENSSL_CDECL do_library_init(void) {
- /* WARNING: this function may only configure the capability variables. See the
-  * note above about the linker bug. */
+ // WARNING: this function may only configure the capability variables. See the
+ // note above about the linker bug.
 #if defined(NEED_CPUID)
  OPENSSL_cpuid_setup();
 #endif
 }

 void CRYPTO_library_init(void) {
-  /* TODO(davidben): It would be tidier if this build knob could be replaced
-   * with an internal lazy-init mechanism that would handle things correctly
-   * in-library. https://crbug.com/542879 */
+  // TODO(davidben): It would be tidier if this build knob could be replaced
+  // with an internal lazy-init mechanism that would handle things correctly
+  // in-library. https://crbug.com/542879
 #if defined(BORINGSSL_NO_STATIC_INITIALIZER)
  CRYPTO_once(&once, do_library_init);
 #endif
@@ -156,10 +156,18 @@ const char *SSLeay_version(int unused) {
  return "BoringSSL";
 }

+const char *OpenSSL_version(int unused) {
+  return "BoringSSL";
+}
+
 unsigned long SSLeay(void) {
  return OPENSSL_VERSION_NUMBER;
 }

+unsigned long OpenSSL_version_num(void) {
+  return OPENSSL_VERSION_NUMBER;
+}
+
 int CRYPTO_malloc_init(void) {
  return 1;
 }
@@ -171,3 +179,8 @@ int ENGINE_register_all_complete(void) {
 }

 void OPENSSL_load_builtin_modules(void) {}
+
+int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
+  CRYPTO_library_init();
+  return 1;
+}
@@ -12,12 +12,12 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

-/* This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
- * 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
- * public domain but this file has the ISC license just to keep licencing
- * simple.
- *
- * The field functions are shared by Ed25519 and X25519 where possible. */
+// This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
+// 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
+// public domain but this file has the ISC license just to keep licencing
+// simple.
+//
+// The field functions are shared by Ed25519 and X25519 where possible.

 #include <openssl/curve25519.h>

@@ -55,7 +55,7 @@ static uint64_t load_4(const uint8_t *in) {
 }

 static void fe_frombytes(fe h, const uint8_t *s) {
-  /* Ignores top bit of h. */
+  // Ignores top bit of h.
  int64_t h0 = load_4(s);
  int64_t h1 = load_3(s + 4) << 6;
  int64_t h2 = load_3(s + 7) << 5;
@@ -101,28 +101,28 @@ static void fe_frombytes(fe h, const uint8_t *s) {
  h[9] = h9;
 }

-/* Preconditions:
- *  |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- *
- * Write p=2^255-19; q=floor(h/p).
- * Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
- *
- * Proof:
- *   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
- *   Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
- *
- *   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
- *   Then 0<y<1.
- *
- *   Write r=h-pq.
- *   Have 0<=r<=p-1=2^255-20.
- *   Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
- *
- *   Write x=r+19(2^-255)r+y.
- *   Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
- *
- *   Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
- *   so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q. */
+// Preconditions:
+//  |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+//
+// Write p=2^255-19; q=floor(h/p).
+// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
+//
+// Proof:
+//   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
+//   Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
+//
+//   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
+//   Then 0<y<1.
+//
+//   Write r=h-pq.
+//   Have 0<=r<=p-1=2^255-20.
+//   Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
+//
+//   Write x=r+19(2^-255)r+y.
+//   Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
+//
+//   Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
+//   so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
 static void fe_tobytes(uint8_t *s, const fe h) {
  int32_t h0 = h[0];
  int32_t h1 = h[1];
@@ -148,9 +148,9 @@ static void fe_tobytes(uint8_t *s, const fe h) {
  q = (h8 + q) >> 26;
  q = (h9 + q) >> 25;

-  /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
+  // Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
  h0 += 19 * q;
-  /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
+  // Goal: Output h-2^255 q, which is between 0 and 2^255-20.

  h1 += h0 >> 26; h0 &= kBottom26Bits;
  h2 += h1 >> 25; h1 &= kBottom25Bits;
@@ -162,12 +162,12 @@ static void fe_tobytes(uint8_t *s, const fe h) {
  h8 += h7 >> 25; h7 &= kBottom25Bits;
  h9 += h8 >> 26; h8 &= kBottom26Bits;
                  h9 &= kBottom25Bits;
-                  /* h10 = carry9 */
+                  // h10 = carry9

-  /* Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
-   * Have h0+...+2^230 h9 between 0 and 2^255-1;
-   * evidently 2^255 h10-2^255 q = 0.
-   * Goal: Output h0+...+2^230 h9.  */
+  // Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
+  // Have h0+...+2^230 h9 between 0 and 2^255-1;
+  // evidently 2^255 h10-2^255 q = 0.
+  // Goal: Output h0+...+2^230 h9.

  s[0] = h0 >> 0;
  s[1] = h0 >> 8;
@@ -203,29 +203,29 @@ static void fe_tobytes(uint8_t *s, const fe h) {
  s[31] = h9 >> 18;
 }

-/* h = f */
+// h = f
 static void fe_copy(fe h, const fe f) {
  OPENSSL_memmove(h, f, sizeof(int32_t) * 10);
 }

-/* h = 0 */
+// h = 0
 static void fe_0(fe h) { OPENSSL_memset(h, 0, sizeof(int32_t) * 10); }

-/* h = 1 */
+// h = 1
 static void fe_1(fe h) {
  OPENSSL_memset(h, 0, sizeof(int32_t) * 10);
  h[0] = 1;
 }

-/* h = f + g
- * Can overlap h with f or g.
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *    |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// h = f + g
+// Can overlap h with f or g.
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//    |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 static void fe_add(fe h, const fe f, const fe g) {
  unsigned i;
  for (i = 0; i < 10; i++) {
@@ -233,15 +233,15 @@ static void fe_add(fe h, const fe f, const fe g) {
  }
 }

-/* h = f - g
- * Can overlap h with f or g.
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *    |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// h = f - g
+// Can overlap h with f or g.
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//    |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 static void fe_sub(fe h, const fe f, const fe g) {
  unsigned i;
  for (i = 0; i < 10; i++) {
@@ -249,33 +249,33 @@ static void fe_sub(fe h, const fe f, const fe g) {
  }
 }

-/* h = f * g
- * Can overlap h with f or g.
- *
- * Preconditions:
- *    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *    |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * Notes on implementation strategy:
- *
- * Using schoolbook multiplication.
- * Karatsuba would save a little in some cost models.
- *
- * Most multiplications by 2 and 19 are 32-bit precomputations;
- * cheaper than 64-bit postcomputations.
- *
- * There is one remaining multiplication by 19 in the carry chain;
- * one *19 precomputation can be merged into this,
- * but the resulting data flow is considerably less clean.
- *
- * There are 12 carries below.
- * 10 of them are 2-way parallelizable and vectorizable.
- * Can get away with 11 carries, but then data flow is much deeper.
- *
- * With tighter constraints on inputs can squeeze carries into int32. */
+// h = f * g
+// Can overlap h with f or g.
+//
+// Preconditions:
+//    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//    |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// Notes on implementation strategy:
+//
+// Using schoolbook multiplication.
+// Karatsuba would save a little in some cost models.
+//
+// Most multiplications by 2 and 19 are 32-bit precomputations;
+// cheaper than 64-bit postcomputations.
+//
+// There is one remaining multiplication by 19 in the carry chain;
+// one *19 precomputation can be merged into this,
+// but the resulting data flow is considerably less clean.
+//
+// There are 12 carries below.
+// 10 of them are 2-way parallelizable and vectorizable.
+// Can get away with 11 carries, but then data flow is much deeper.
+//
+// With tighter constraints on inputs can squeeze carries into int32.
 static void fe_mul(fe h, const fe f, const fe g) {
  int32_t f0 = f[0];
  int32_t f1 = f[1];
@@ -297,8 +297,8 @@ static void fe_mul(fe h, const fe f, const fe g) {
  int32_t g7 = g[7];
  int32_t g8 = g[8];
  int32_t g9 = g[9];
-  int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
-  int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
+  int32_t g1_19 = 19 * g1;  // 1.959375*2^29
+  int32_t g2_19 = 19 * g2;  // 1.959375*2^30; still ok
  int32_t g3_19 = 19 * g3;
  int32_t g4_19 = 19 * g4;
  int32_t g5_19 = 19 * g5;
@@ -432,53 +432,53 @@ static void fe_mul(fe h, const fe f, const fe g) {
  int64_t carry8;
  int64_t carry9;

-  /* |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
-   *   i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
-   * |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
-   *   i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 */
+  // |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
+  //   i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
+  // |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
+  //   i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9

  carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
  carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
-  /* |h0| <= 2^25 */
-  /* |h4| <= 2^25 */
-  /* |h1| <= 1.71*2^59 */
-  /* |h5| <= 1.71*2^59 */
+  // |h0| <= 2^25
+  // |h4| <= 2^25
+  // |h1| <= 1.71*2^59
+  // |h5| <= 1.71*2^59

  carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
  carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
-  /* |h1| <= 2^24; from now on fits into int32 */
-  /* |h5| <= 2^24; from now on fits into int32 */
-  /* |h2| <= 1.41*2^60 */
-  /* |h6| <= 1.41*2^60 */
+  // |h1| <= 2^24; from now on fits into int32
+  // |h5| <= 2^24; from now on fits into int32
+  // |h2| <= 1.41*2^60
+  // |h6| <= 1.41*2^60

  carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
  carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
-  /* |h2| <= 2^25; from now on fits into int32 unchanged */
-  /* |h6| <= 2^25; from now on fits into int32 unchanged */
-  /* |h3| <= 1.71*2^59 */
-  /* |h7| <= 1.71*2^59 */
+  // |h2| <= 2^25; from now on fits into int32 unchanged
+  // |h6| <= 2^25; from now on fits into int32 unchanged
+  // |h3| <= 1.71*2^59
+  // |h7| <= 1.71*2^59

  carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
  carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
-  /* |h3| <= 2^24; from now on fits into int32 unchanged */
-  /* |h7| <= 2^24; from now on fits into int32 unchanged */
-  /* |h4| <= 1.72*2^34 */
-  /* |h8| <= 1.41*2^60 */
+  // |h3| <= 2^24; from now on fits into int32 unchanged
+  // |h7| <= 2^24; from now on fits into int32 unchanged
+  // |h4| <= 1.72*2^34
+  // |h8| <= 1.41*2^60

  carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
  carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
-  /* |h4| <= 2^25; from now on fits into int32 unchanged */
-  /* |h8| <= 2^25; from now on fits into int32 unchanged */
-  /* |h5| <= 1.01*2^24 */
-  /* |h9| <= 1.71*2^59 */
+  // |h4| <= 2^25; from now on fits into int32 unchanged
+  // |h8| <= 2^25; from now on fits into int32 unchanged
+  // |h5| <= 1.01*2^24
+  // |h9| <= 1.71*2^59

  carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
-  /* |h9| <= 2^24; from now on fits into int32 unchanged */
-  /* |h0| <= 1.1*2^39 */
+  // |h9| <= 2^24; from now on fits into int32 unchanged
+  // |h0| <= 1.1*2^39

  carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
-  /* |h0| <= 2^25; from now on fits into int32 unchanged */
-  /* |h1| <= 1.01*2^24 */
+  // |h0| <= 2^25; from now on fits into int32 unchanged
+  // |h1| <= 1.01*2^24

  h[0] = h0;
  h[1] = h1;
@@ -492,16 +492,16 @@ static void fe_mul(fe h, const fe f, const fe g) {
  h[9] = h9;
 }

-/* h = f * f
- * Can overlap h with f.
- *
- * Preconditions:
- *    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * See fe_mul.c for discussion of implementation strategy. */
+// h = f * f
+// Can overlap h with f.
+//
+// Preconditions:
+//    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// See fe_mul.c for discussion of implementation strategy.
 static void fe_sq(fe h, const fe f) {
  int32_t f0 = f[0];
  int32_t f1 = f[1];
@@ -521,11 +521,11 @@ static void fe_sq(fe h, const fe f) {
  int32_t f5_2 = 2 * f5;
  int32_t f6_2 = 2 * f6;
  int32_t f7_2 = 2 * f7;
-  int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
-  int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
-  int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
-  int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
-  int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+  int32_t f5_38 = 38 * f5;  // 1.959375*2^30
+  int32_t f6_19 = 19 * f6;  // 1.959375*2^30
+  int32_t f7_38 = 38 * f7;  // 1.959375*2^30
+  int32_t f8_19 = 19 * f8;  // 1.959375*2^30
+  int32_t f9_38 = 38 * f9;  // 1.959375*2^30
  int64_t f0f0    = f0   * (int64_t) f0;
  int64_t f0f1_2  = f0_2 * (int64_t) f1;
  int64_t f0f2_2  = f0_2 * (int64_t) f2;
@@ -691,13 +691,13 @@ static void fe_invert(fe out, const fe z) {
  fe_mul(out, t1, t0);
 }

-/* h = -f
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
+// h = -f
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
 static void fe_neg(fe h, const fe f) {
  unsigned i;
  for (i = 0; i < 10; i++) {
@@ -705,10 +705,10 @@ static void fe_neg(fe h, const fe f) {
  }
 }

-/* Replace (f,g) with (g,g) if b == 1;
- * replace (f,g) with (f,g) if b == 0.
- *
- * Preconditions: b in {0,1}. */
+// Replace (f,g) with (g,g) if b == 1;
+// replace (f,g) with (f,g) if b == 0.
+//
+// Preconditions: b in {0,1}.
 static void fe_cmov(fe f, const fe g, unsigned b) {
  b = 0-b;
  unsigned i;
@@ -719,11 +719,11 @@ static void fe_cmov(fe f, const fe g, unsigned b) {
  }
 }

-/* return 0 if f == 0
- * return 1 if f != 0
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// return 0 if f == 0
+// return 1 if f != 0
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 static int fe_isnonzero(const fe f) {
  uint8_t s[32];
  fe_tobytes(s, f);
@@ -732,27 +732,27 @@ static int fe_isnonzero(const fe f) {
  return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;
 }

-/* return 1 if f is in {1,3,5,...,q-2}
- * return 0 if f is in {0,2,4,...,q-1}
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// return 1 if f is in {1,3,5,...,q-2}
+// return 0 if f is in {0,2,4,...,q-1}
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 static int fe_isnegative(const fe f) {
  uint8_t s[32];
  fe_tobytes(s, f);
  return s[0] & 1;
 }

-/* h = 2 * f * f
- * Can overlap h with f.
- *
- * Preconditions:
- *    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * See fe_mul.c for discussion of implementation strategy. */
+// h = 2 * f * f
+// Can overlap h with f.
+//
+// Preconditions:
+//    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// See fe_mul.c for discussion of implementation strategy.
 static void fe_sq2(fe h, const fe f) {
  int32_t f0 = f[0];
  int32_t f1 = f[1];
@@ -772,11 +772,11 @@ static void fe_sq2(fe h, const fe f) {
  int32_t f5_2 = 2 * f5;
  int32_t f6_2 = 2 * f6;
  int32_t f7_2 = 2 * f7;
-  int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
-  int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
-  int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
-  int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
-  int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+  int32_t f5_38 = 38 * f5;  // 1.959375*2^30
+  int32_t f6_19 = 19 * f6;  // 1.959375*2^30
+  int32_t f7_38 = 38 * f7;  // 1.959375*2^30
+  int32_t f8_19 = 19 * f8;  // 1.959375*2^30
+  int32_t f9_38 = 38 * f9;  // 1.959375*2^30
  int64_t f0f0    = f0   * (int64_t) f0;
  int64_t f0f1_2  = f0_2 * (int64_t) f1;
  int64_t f0f2_2  = f0_2 * (int64_t) f2;
@@ -993,24 +993,24 @@ int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) {
  fe_1(h->Z);
  fe_sq(u, h->Y);
  fe_mul(v, u, d);
-  fe_sub(u, u, h->Z); /* u = y^2-1 */
-  fe_add(v, v, h->Z); /* v = dy^2+1 */
+  fe_sub(u, u, h->Z);  // u = y^2-1
+  fe_add(v, v, h->Z);  // v = dy^2+1

  fe_sq(v3, v);
-  fe_mul(v3, v3, v); /* v3 = v^3 */
+  fe_mul(v3, v3, v);  // v3 = v^3
  fe_sq(h->X, v3);
  fe_mul(h->X, h->X, v);
-  fe_mul(h->X, h->X, u); /* x = uv^7 */
+  fe_mul(h->X, h->X, u);  // x = uv^7

-  fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
+  fe_pow22523(h->X, h->X);  // x = (uv^7)^((q-5)/8)
  fe_mul(h->X, h->X, v3);
-  fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
+  fe_mul(h->X, h->X, u);  // x = uv^3(uv^7)^((q-5)/8)

  fe_sq(vxx, h->X);
  fe_mul(vxx, vxx, v);
-  fe_sub(check, vxx, u); /* vx^2-u */
+  fe_sub(check, vxx, u);  // vx^2-u
  if (fe_isnonzero(check)) {
-    fe_add(check, vxx, u); /* vx^2+u */
+    fe_add(check, vxx, u);  // vx^2+u
    if (fe_isnonzero(check)) {
      return -1;
    }
@@ -1051,7 +1051,7 @@ static void ge_precomp_0(ge_precomp *h) {
  fe_0(h->xy2d);
 }

-/* r = p */
+// r = p
 static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
  fe_copy(r->X, p->X);
  fe_copy(r->Y, p->Y);
@@ -1061,7 +1061,7 @@ static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
 static const fe d2 = {-21827239, -5839606,  -30745221, 13898782, 229458,
                      15978800,  -12551817, -6495438,  29715968, 9444199};

-/* r = p */
+// r = p
 void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
  fe_add(r->YplusX, p->Y, p->X);
  fe_sub(r->YminusX, p->Y, p->X);
@@ -1069,14 +1069,14 @@ void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
  fe_mul(r->T2d, p->T, d2);
 }

-/* r = p */
+// r = p
 void x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) {
  fe_mul(r->X, p->X, p->T);
  fe_mul(r->Y, p->Y, p->Z);
  fe_mul(r->Z, p->Z, p->T);
 }

-/* r = p */
+// r = p
 void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) {
  fe_mul(r->X, p->X, p->T);
  fe_mul(r->Y, p->Y, p->Z);
@@ -1084,14 +1084,14 @@ void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) {
  fe_mul(r->T, p->X, p->Y);
 }

-/* r = p */
+// r = p
 static void ge_p1p1_to_cached(ge_cached *r, const ge_p1p1 *p) {
  ge_p3 t;
  x25519_ge_p1p1_to_p3(&t, p);
  x25519_ge_p3_to_cached(r, &t);
 }

-/* r = 2 * p */
+// r = 2 * p
 static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) {
  fe t0;

@@ -1106,14 +1106,14 @@ static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) {
  fe_sub(r->T, r->T, r->Z);
 }

-/* r = 2 * p */
+// r = 2 * p
 static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) {
  ge_p2 q;
  ge_p3_to_p2(&q, p);
  ge_p2_dbl(r, &q);
 }

-/* r = p + q */
+// r = p + q
 static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
  fe t0;

@@ -1129,7 +1129,7 @@ static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
  fe_sub(r->T, t0, r->T);
 }

-/* r = p - q */
+// r = p - q
 static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
  fe t0;

@@ -1145,7 +1145,7 @@ static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
  fe_add(r->T, t0, r->T);
 }

-/* r = p + q */
+// r = p + q
 void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
  fe t0;

@@ -1162,7 +1162,7 @@ void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
  fe_sub(r->T, t0, r->T);
 }

-/* r = p - q */
+// r = p - q
 void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
  fe t0;

@@ -1182,10 +1182,10 @@ void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
 static uint8_t equal(signed char b, signed char c) {
  uint8_t ub = b;
  uint8_t uc = c;
-  uint8_t x = ub ^ uc; /* 0: yes; 1..255: no */
-  uint32_t y = x;      /* 0: yes; 1..255: no */
-  y -= 1;              /* 4294967295: yes; 0..254: no */
-  y >>= 31;            /* 1: yes; 0: no */
+  uint8_t x = ub ^ uc;  // 0: yes; 1..255: no
+  uint32_t y = x;       // 0: yes; 1..255: no
+  y -= 1;               // 4294967295: yes; 0..254: no
+  y >>= 31;             // 1: yes; 0: no
  return y;
 }

@@ -1197,8 +1197,8 @@ static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b) {

 void x25519_ge_scalarmult_small_precomp(
    ge_p3 *h, const uint8_t a[32], const uint8_t precomp_table[15 * 2 * 32]) {
-  /* precomp_table is first expanded into matching |ge_precomp|
-   * elements. */
+  // precomp_table is first expanded into matching |ge_precomp|
+  // elements.
  ge_precomp multiples[15];

  unsigned i;
@@ -1215,9 +1215,9 @@ void x25519_ge_scalarmult_small_precomp(
    fe_mul(out->xy2d, out->xy2d, d2);
  }

-  /* See the comment above |k25519SmallPrecomp| about the structure of the
-   * precomputed elements. This loop does 64 additions and 64 doublings to
-   * calculate the result. */
+  // See the comment above |k25519SmallPrecomp| about the structure of the
+  // precomputed elements. This loop does 64 additions and 64 doublings to
+  // calculate the result.
  ge_p3_0(h);

  for (i = 63; i < 64; i--) {
@@ -1249,14 +1249,14 @@ void x25519_ge_scalarmult_small_precomp(

 #if defined(OPENSSL_SMALL)

-/* This block of code replaces the standard base-point table with a much smaller
- * one. The standard table is 30,720 bytes while this one is just 960.
- *
- * This table contains 15 pairs of group elements, (x, y), where each field
- * element is serialised with |fe_tobytes|. If |i| is the index of the group
- * element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀
- * is the most significant bit). The value of the group element is then:
- * (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator. */
+// This block of code replaces the standard base-point table with a much smaller
+// one. The standard table is 30,720 bytes while this one is just 960.
+//
+// This table contains 15 pairs of group elements, (x, y), where each field
+// element is serialised with |fe_tobytes|. If |i| is the index of the group
+// element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀
+// is the most significant bit). The value of the group element is then:
+// (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator.
 static const uint8_t k25519SmallPrecomp[15 * 2 * 32] = {
    0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
    0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
@@ -1346,7 +1346,7 @@ void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {

 #else

-/* k25519Precomp[i][j] = (j+1)*256^i*B */
+// k25519Precomp[i][j] = (j+1)*256^i*B
 static const ge_precomp k25519Precomp[32][8] = {
    {
        {
@@ -3464,7 +3464,7 @@ static const ge_precomp k25519Precomp[32][8] = {

 static uint8_t negative(signed char b) {
  uint32_t x = b;
-  x >>= 31; /* 1: yes; 0: no */
+  x >>= 31;  // 1: yes; 0: no
  return x;
 }

@@ -3488,12 +3488,12 @@ static void table_select(ge_precomp *t, int pos, signed char b) {
  cmov(t, &minust, bnegative);
 }

-/* h = a * B
- * where a = a[0]+256*a[1]+...+256^31 a[31]
- * B is the Ed25519 base point (x,4/5) with x positive.
- *
- * Preconditions:
- *   a[31] <= 127 */
+// h = a * B
+// where a = a[0]+256*a[1]+...+256^31 a[31]
+// B is the Ed25519 base point (x,4/5) with x positive.
+//
+// Preconditions:
+//   a[31] <= 127
 void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
  signed char e[64];
  signed char carry;
@@ -3506,8 +3506,8 @@ void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
    e[2 * i + 0] = (a[i] >> 0) & 15;
    e[2 * i + 1] = (a[i] >> 4) & 15;
  }
-  /* each e[i] is between 0 and 15 */
-  /* e[63] is between 0 and 7 */
+  // each e[i] is between 0 and 15
+  // e[63] is between 0 and 7

  carry = 0;
  for (i = 0; i < 63; ++i) {
@@ -3517,7 +3517,7 @@ void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
    e[i] -= carry << 4;
  }
  e[63] += carry;
-  /* each e[i] is between -8 and 8 */
+  // each e[i] is between -8 and 8

  ge_p3_0(h);
  for (i = 1; i < 64; i += 2) {
@@ -3551,8 +3551,8 @@ static void cmov_cached(ge_cached *t, ge_cached *u, uint8_t b) {
  fe_cmov(t->T2d, u->T2d, b);
 }

-/* r = scalar * A.
- * where a = a[0]+256*a[1]+...+256^31 a[31]. */
+// r = scalar * A.
+// where a = a[0]+256*a[1]+...+256^31 a[31].
 void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) {
  ge_p2 Ai_p2[8];
  ge_cached Ai[16];
@@ -3706,15 +3706,15 @@ static const ge_precomp Bi[8] = {
    },
 };

-/* r = a * A + b * B
- * where a = a[0]+256*a[1]+...+256^31 a[31].
- * and b = b[0]+256*b[1]+...+256^31 b[31].
- * B is the Ed25519 base point (x,4/5) with x positive. */
+// r = a * A + b * B
+// where a = a[0]+256*a[1]+...+256^31 a[31].
+// and b = b[0]+256*b[1]+...+256^31 b[31].
+// B is the Ed25519 base point (x,4/5) with x positive.
 static void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
                                         const ge_p3 *A, const uint8_t *b) {
  signed char aslide[256];
  signed char bslide[256];
-  ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
+  ge_cached Ai[8];  // A,3A,5A,7A,9A,11A,13A,15A
  ge_p1p1 t;
  ge_p3 u;
  ge_p3 A2;
@@ -3779,16 +3779,16 @@ static void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
  }
 }

-/* The set of scalars is \Z/l
- * where l = 2^252 + 27742317777372353535851937790883648493. */
+// The set of scalars is \Z/l
+// where l = 2^252 + 27742317777372353535851937790883648493.

-/* Input:
- *   s[0]+256*s[1]+...+256^63*s[63] = s
- *
- * Output:
- *   s[0]+256*s[1]+...+256^31*s[31] = s mod l
- *   where l = 2^252 + 27742317777372353535851937790883648493.
- *   Overwrites s in place. */
+// Input:
+//   s[0]+256*s[1]+...+256^63*s[63] = s
+//
+// Output:
+//   s[0]+256*s[1]+...+256^31*s[31] = s mod l
+//   where l = 2^252 + 27742317777372353535851937790883648493.
+//   Overwrites s in place.
 void x25519_sc_reduce(uint8_t *s) {
  int64_t s0 = 2097151 & load_3(s);
  int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
@@ -4122,14 +4122,14 @@ void x25519_sc_reduce(uint8_t *s) {
  s[31] = s11 >> 17;
 }

-/* Input:
- *   a[0]+256*a[1]+...+256^31*a[31] = a
- *   b[0]+256*b[1]+...+256^31*b[31] = b
- *   c[0]+256*c[1]+...+256^31*c[31] = c
- *
- * Output:
- *   s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
- *   where l = 2^252 + 27742317777372353535851937790883648493. */
+// Input:
+//   a[0]+256*a[1]+...+256^31*a[31] = a
+//   b[0]+256*b[1]+...+256^31*b[31] = b
+//   c[0]+256*c[1]+...+256^31*c[31] = c
+//
+// Output:
+//   s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
+//   where l = 2^252 + 27742317777372353535851937790883648493.
 static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
                      const uint8_t *c) {
  int64_t a0 = 2097151 & load_3(a);
@@ -4716,10 +4716,10 @@ static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],

 #else

-/* Replace (f,g) with (g,f) if b == 1;
- * replace (f,g) with (f,g) if b == 0.
- *
- * Preconditions: b in {0,1}. */
+// Replace (f,g) with (g,f) if b == 1;
+// replace (f,g) with (f,g) if b == 0.
+//
+// Preconditions: b in {0,1}.
 static void fe_cswap(fe f, fe g, unsigned int b) {
  b = 0-b;
  unsigned i;
@@ -4731,14 +4731,14 @@ static void fe_cswap(fe f, fe g, unsigned int b) {
  }
 }

-/* h = f * 121666
- * Can overlap h with f.
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
+// h = f * 121666
+// Can overlap h with f.
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
 static void fe_mul121666(fe h, fe f) {
  int32_t f0 = f[0];
  int32_t f1 = f[1];
@@ -4858,25 +4858,25 @@ static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
  x25519_scalar_mult_generic(out, scalar, point);
 }

-#endif  /* BORINGSSL_X25519_X86_64 */
+#endif  // BORINGSSL_X25519_X86_64


 void X25519_keypair(uint8_t out_public_value[32], uint8_t out_private_key[32]) {
  RAND_bytes(out_private_key, 32);

-  /* All X25519 implementations should decode scalars correctly (see
-   * https://tools.ietf.org/html/rfc7748#section-5). However, if an
-   * implementation doesn't then it might interoperate with random keys a
-   * fraction of the time because they'll, randomly, happen to be correctly
-   * formed.
-   *
-   * Thus we do the opposite of the masking here to make sure that our private
-   * keys are never correctly masked and so, hopefully, any incorrect
-   * implementations are deterministically broken.
-   *
-   * This does not affect security because, although we're throwing away
-   * entropy, a valid implementation of scalarmult should throw away the exact
-   * same bits anyway. */
+  // All X25519 implementations should decode scalars correctly (see
+  // https://tools.ietf.org/html/rfc7748#section-5). However, if an
+  // implementation doesn't then it might interoperate with random keys a
+  // fraction of the time because they'll, randomly, happen to be correctly
+  // formed.
+  //
+  // Thus we do the opposite of the masking here to make sure that our private
+  // keys are never correctly masked and so, hopefully, any incorrect
+  // implementations are deterministically broken.
+  //
+  // This does not affect security because, although we're throwing away
+  // entropy, a valid implementation of scalarmult should throw away the exact
+  // same bits anyway.
  out_private_key[0] |= 7;
  out_private_key[31] &= 63;
  out_private_key[31] |= 128;
@@ -4888,15 +4888,15 @@ int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
           const uint8_t peer_public_value[32]) {
  static const uint8_t kZeros[32] = {0};
  x25519_scalar_mult(out_shared_key, private_key, peer_public_value);
-  /* The all-zero output results when the input is a point of small order. */
+  // The all-zero output results when the input is a point of small order.
  return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;
 }

 #if defined(BORINGSSL_X25519_X86_64)

-/* When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with
- * the Montgomery ladder because it's faster. Otherwise it's done using the
- * Ed25519 tables. */
+// When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with
+// the Montgomery ladder because it's faster. Otherwise it's done using the
+// Ed25519 tables.

 void X25519_public_from_private(uint8_t out_public_value[32],
                                const uint8_t private_key[32]) {
@@ -4925,8 +4925,8 @@ void X25519_public_from_private(uint8_t out_public_value[32],
  ge_p3 A;
  x25519_ge_scalarmult_base(&A, e);

-  /* We only need the u-coordinate of the curve25519 point. The map is
-   * u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y). */
+  // We only need the u-coordinate of the curve25519 point. The map is
+  // u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y).
  fe zplusy, zminusy, zminusy_inv;
  fe_add(zplusy, A.Z, A.Y);
  fe_sub(zminusy, A.Z, A.Y);
@@ -4935,4 +4935,4 @@ void X25519_public_from_private(uint8_t out_public_value[32],
  fe_tobytes(out_public_value, zplusy);
 }

-#endif  /* BORINGSSL_X25519_X86_64 */
+#endif  // BORINGSSL_X25519_X86_64
@@ -32,15 +32,15 @@ void x25519_x86_64(uint8_t out[32], const uint8_t scalar[32],
 #if defined(OPENSSL_ARM) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_APPLE)
 #define BORINGSSL_X25519_NEON

-/* x25519_NEON is defined in asm/x25519-arm.S. */
+// x25519_NEON is defined in asm/x25519-arm.S.
 void x25519_NEON(uint8_t out[32], const uint8_t scalar[32],
                 const uint8_t point[32]);
 #endif

-/* fe means field element. Here the field is \Z/(2^255-19). An element t,
- * entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
- * t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
- * context.  */
+// fe means field element. Here the field is \Z/(2^255-19). An element t,
+// entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
+// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
+// context.
 typedef int32_t fe[10];

 /* ge means group element.
@@ -101,9 +101,29 @@ void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]);
 void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A);
 void x25519_sc_reduce(uint8_t *s);

+enum spake2_state_t {
+  spake2_state_init = 0,
+  spake2_state_msg_generated,
+  spake2_state_key_generated,
+};
+
+struct spake2_ctx_st {
+  uint8_t private_key[32];
+  uint8_t my_msg[32];
+  uint8_t password_scalar[32];
+  uint8_t password_hash[64];
+  uint8_t *my_name;
+  size_t my_name_len;
+  uint8_t *their_name;
+  size_t their_name_len;
+  enum spake2_role_t my_role;
+  enum spake2_state_t state;
+  char disable_password_scalar_hack;
+};
+

 #if defined(__cplusplus)
-}  /* extern C */
+}  // extern C
 #endif

-#endif  /* OPENSSL_HEADER_CURVE25519_INTERNAL_H */
+#endif  // OPENSSL_HEADER_CURVE25519_INTERNAL_H
@@ -14,6 +14,7 @@

 #include <openssl/curve25519.h>

+#include <assert.h>
 #include <string.h>

 #include <openssl/bytestring.h>
@@ -25,80 +26,82 @@
 #include "../internal.h"


-/* The following precomputation tables are for the following
- * points used in the SPAKE2 protocol.
- *
- * N:
- *   x: 49918732221787544735331783592030787422991506689877079631459872391322455579424
- *   y: 54629554431565467720832445949441049581317094546788069926228343916274969994000
- *   encoded: 10e3df0ae37d8e7a99b5fe74b44672103dbddcbd06af680d71329a11693bc778
- *
- * M:
- *   x: 31406539342727633121250288103050113562375374900226415211311216773867585644232
- *   y: 21177308356423958466833845032658859666296341766942662650232962324899758529114
- *   encoded: 5ada7e4bf6ddd9adb6626d32131c6b5c51a1e347a3478f53cfcf441b88eed12e
- *
- * These points and their precomputation tables are generated with the
- * following Python code. For a description of the precomputation table,
- * see curve25519.c in this directory.
- *
- * Exact copies of the source code are kept in bug 27296743.
- *
- * import hashlib
- * import ed25519 as E  # http://ed25519.cr.yp.to/python/ed25519.py
- *
- * SEED_N = 'edwards25519 point generation seed (N)'
- * SEED_M = 'edwards25519 point generation seed (M)'
- *
- * def genpoint(seed):
- *     v = hashlib.sha256(seed).digest()
- *     it = 1
- *     while True:
- *         try:
- *             x,y = E.decodepoint(v)
- *         except Exception, e:
- *             print e
- *             it += 1
- *             v = hashlib.sha256(v).digest()
- *             continue
- *         print "Found in %d iterations:" % it
- *         print "  x = %d" % x
- *         print "  y = %d" % y
- *         print " Encoded (hex)"
- *         print E.encodepoint((x,y)).encode('hex')
- *         return (x,y)
- *
- * def gentable(P):
- *     t = []
- *     for i in range(1,16):
- *         k = (i >> 3 & 1) * (1 << 192) + \
- *             (i >> 2 & 1) * (1 << 128) + \
- *             (i >> 1 & 1) * (1 <<  64) + \
- *             (i      & 1)
- *         t.append(E.scalarmult(P, k))
- *     return ''.join(E.encodeint(x) + E.encodeint(y) for (x,y) in t)
- *
- * def printtable(table, name):
- *     print "static const uint8_t %s[15 * 2 * 32] = {" % name,
- *     for i in range(15 * 2 * 32):
- *         if i % 12 == 0:
- *             print "\n   ",
- *         print " 0x%02x," % ord(table[i]),
- *     print "\n};"
- *
- * if __name__ == "__main__":
- *     print "Searching for N"
- *     N = genpoint(SEED_N)
- *     print "Generating precomputation table for N"
- *     Ntable = gentable(N)
- *     printtable(Ntable, "kSpakeNSmallPrecomp")
- *
- *     print "Searching for M"
- *     M = genpoint(SEED_M)
- *     print "Generating precomputation table for M"
- *     Mtable = gentable(M)
- *     printtable(Mtable, "kSpakeMSmallPrecomp")
- */
+// The following precomputation tables are for the following
+// points used in the SPAKE2 protocol.
+//
+// N:
+//   x: 49918732221787544735331783592030787422991506689877079631459872391322455579424
+//   y: 54629554431565467720832445949441049581317094546788069926228343916274969994000
+//   encoded: 10e3df0ae37d8e7a99b5fe74b44672103dbddcbd06af680d71329a11693bc778
+//
+// M:
+//   x: 31406539342727633121250288103050113562375374900226415211311216773867585644232
+//   y: 21177308356423958466833845032658859666296341766942662650232962324899758529114
+//   encoded: 5ada7e4bf6ddd9adb6626d32131c6b5c51a1e347a3478f53cfcf441b88eed12e
+//
+// These points and their precomputation tables are generated with the
+// following Python code. For a description of the precomputation table,
+// see curve25519.c in this directory.
+//
+// Exact copies of the source code are kept in bug 27296743.
+//
+// import hashlib
+// import ed25519 as E  # http://ed25519.cr.yp.to/python/ed25519.py
+//
+// SEED_N = 'edwards25519 point generation seed (N)'
+// SEED_M = 'edwards25519 point generation seed (M)'
+
+/*
+def genpoint(seed):
+    v = hashlib.sha256(seed).digest()
+    it = 1
+    while True:
+        try:
+            x,y = E.decodepoint(v)
+        except Exception, e:
+            print e
+            it += 1
+            v = hashlib.sha256(v).digest()
+            continue
+        print "Found in %d iterations:" % it
+        print "  x = %d" % x
+        print "  y = %d" % y
+        print " Encoded (hex)"
+        print E.encodepoint((x,y)).encode('hex')
+        return (x,y)
+
+def gentable(P):
+    t = []
+    for i in range(1,16):
+        k = (i >> 3 & 1) * (1 << 192) + \
+            (i >> 2 & 1) * (1 << 128) + \
+            (i >> 1 & 1) * (1 <<  64) + \
+            (i      & 1)
+        t.append(E.scalarmult(P, k))
+    return ''.join(E.encodeint(x) + E.encodeint(y) for (x,y) in t)
+
+def printtable(table, name):
+    print "static const uint8_t %s[15 * 2 * 32] = {" % name,
+    for i in range(15 * 2 * 32):
+        if i % 12 == 0:
+            print "\n   ",
+        print " 0x%02x," % ord(table[i]),
+    print "\n};"
+
+if __name__ == "__main__":
+    print "Searching for N"
+    N = genpoint(SEED_N)
+    print "Generating precomputation table for N"
+    Ntable = gentable(N)
+    printtable(Ntable, "kSpakeNSmallPrecomp")
+
+    print "Searching for M"
+    M = genpoint(SEED_M)
+    print "Generating precomputation table for M"
+    Mtable = gentable(M)
+    printtable(Mtable, "kSpakeMSmallPrecomp")
+*/
+
 static const uint8_t kSpakeNSmallPrecomp[15 * 2 * 32] = {
    0x20, 0x1b, 0xc5, 0xb3, 0x43, 0x17, 0x71, 0x10, 0x44, 0x1e, 0x73, 0xb3,
    0xae, 0x3f, 0xbf, 0x9f, 0xf5, 0x44, 0xc8, 0x13, 0x8f, 0xd1, 0x01, 0xc2,
@@ -265,25 +268,6 @@ static const uint8_t kSpakeMSmallPrecomp[15 * 2 * 32] = {
    0xa6, 0x76, 0x81, 0x28, 0xb2, 0x65, 0xe8, 0x47, 0x14, 0xc6, 0x39, 0x06,
 };

-enum spake2_state_t {
-  spake2_state_init = 0,
-  spake2_state_msg_generated,
-  spake2_state_key_generated,
-};
-
-struct spake2_ctx_st {
-  uint8_t private_key[32];
-  uint8_t my_msg[32];
-  uint8_t password_scalar[32];
-  uint8_t password_hash[SHA512_DIGEST_LENGTH];
-  uint8_t *my_name;
-  size_t my_name_len;
-  uint8_t *their_name;
-  size_t their_name_len;
-  enum spake2_role_t my_role;
-  enum spake2_state_t state;
-};
-
 SPAKE2_CTX *SPAKE2_CTX_new(enum spake2_role_t my_role,
                           const uint8_t *my_name, size_t my_name_len,
                           const uint8_t *their_name, size_t their_name_len) {
@@ -317,8 +301,8 @@ void SPAKE2_CTX_free(SPAKE2_CTX *ctx) {
  OPENSSL_free(ctx);
 }

-/* left_shift_3 sets |n| to |n|*8, where |n| is represented in little-endian
- * order. */
+// left_shift_3 sets |n| to |n|*8, where |n| is represented in little-endian
+// order.
 static void left_shift_3(uint8_t n[32]) {
  uint8_t carry = 0;
  unsigned i;
@@ -330,6 +314,48 @@ static void left_shift_3(uint8_t n[32]) {
  }
 }

+typedef union {
+  uint8_t bytes[32];
+  uint32_t words[8];
+} scalar;
+
+// kOrder is the order of the prime-order subgroup of curve25519 in
+// little-endian order.
+static const scalar kOrder = {{0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
+                               0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
+                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10}};
+
+// scalar_cmov copies |src| to |dest| if |mask| is all ones.
+static void scalar_cmov(scalar *dest, const scalar *src, crypto_word_t mask) {
+  for (size_t i = 0; i < 8; i++) {
+    dest->words[i] =
+        constant_time_select_w(mask, src->words[i], dest->words[i]);
+  }
+}
+
+// scalar_double sets |s| to |2×s|.
+static void scalar_double(scalar *s) {
+  uint32_t carry = 0;
+
+  for (size_t i = 0; i < 8; i++) {
+    const uint32_t carry_out = s->words[i] >> 31;
+    s->words[i] = (s->words[i] << 1) | carry;
+    carry = carry_out;
+  }
+}
+
+// scalar_add sets |dest| to |dest| plus |src|.
+static void scalar_add(scalar *dest, const scalar *src) {
+  uint32_t carry = 0;
+
+  for (size_t i = 0; i < 8; i++) {
+    uint64_t tmp = ((uint64_t)dest->words[i] + src->words[i]) + carry;
+    dest->words[i] = (uint32_t)tmp;
+    carry = (uint32_t)(tmp >> 32);
+  }
+}
+
 int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len,
                         size_t max_out_len, const uint8_t *password,
                         size_t password_len) {
@@ -344,34 +370,82 @@ int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len,
  uint8_t private_tmp[64];
  RAND_bytes(private_tmp, sizeof(private_tmp));
  x25519_sc_reduce(private_tmp);
-  /* Multiply by the cofactor (eight) so that we'll clear it when operating on
-   * the peer's point later in the protocol. */
+  // Multiply by the cofactor (eight) so that we'll clear it when operating on
+  // the peer's point later in the protocol.
  left_shift_3(private_tmp);
  OPENSSL_memcpy(ctx->private_key, private_tmp, sizeof(ctx->private_key));

  ge_p3 P;
  x25519_ge_scalarmult_base(&P, ctx->private_key);

-  /* mask = h(password) * <N or M>. */
+  // mask = h(password) * <N or M>.
  uint8_t password_tmp[SHA512_DIGEST_LENGTH];
  SHA512(password, password_len, password_tmp);
  OPENSSL_memcpy(ctx->password_hash, password_tmp, sizeof(ctx->password_hash));
  x25519_sc_reduce(password_tmp);
-  OPENSSL_memcpy(ctx->password_scalar, password_tmp, sizeof(ctx->password_scalar));
+
+  // Due to a copy-paste error, the call to |left_shift_3| was omitted after
+  // the |x25519_sc_reduce|, just above. This meant that |ctx->password_scalar|
+  // was not a multiple of eight to clear the cofactor and thus three bits of
+  // the password hash would leak. In order to fix this in a unilateral way,
+  // points of small order are added to the mask point such that it is in the
+  // prime-order subgroup. Since the ephemeral scalar is a multiple of eight,
+  // these points will cancel out when calculating the shared secret.
+  //
+  // Adding points of small order is the same as adding multiples of the prime
+  // order to the password scalar. Since that's faster, that is what is done
+  // below. The prime order (kOrder) is a large prime, thus odd, thus the LSB
+  // is one. So adding it will flip the LSB. Adding twice it will flip the next
+  // bit and so one for all the bottom three bits.
+
+  scalar password_scalar;
+  OPENSSL_memcpy(&password_scalar, password_tmp, sizeof(password_scalar));
+
+  // |password_scalar| is the result of |x25519_sc_reduce| and thus is, at
+  // most, $l-1$ (where $l$ is |kOrder|, the order of the prime-order subgroup
+  // of Ed25519). In the following, we may add $l + 2×l + 4×l$ for a max value
+  // of $8×l-1$. That is < 2**256, as required.
+
+  if (!ctx->disable_password_scalar_hack) {
+    scalar order = kOrder;
+    scalar tmp;
+
+    OPENSSL_memset(&tmp, 0, sizeof(tmp));
+    scalar_cmov(&tmp, &order,
+                constant_time_eq_w(password_scalar.bytes[0] & 1, 1));
+    scalar_add(&password_scalar, &tmp);
+
+    scalar_double(&order);
+    OPENSSL_memset(&tmp, 0, sizeof(tmp));
+    scalar_cmov(&tmp, &order,
+                constant_time_eq_w(password_scalar.bytes[0] & 2, 2));
+    scalar_add(&password_scalar, &tmp);
+
+    scalar_double(&order);
+    OPENSSL_memset(&tmp, 0, sizeof(tmp));
+    scalar_cmov(&tmp, &order,
+                constant_time_eq_w(password_scalar.bytes[0] & 4, 4));
+    scalar_add(&password_scalar, &tmp);
+
+    assert((password_scalar.bytes[0] & 7) == 0);
+  }
+
+  OPENSSL_memcpy(ctx->password_scalar, password_scalar.bytes,
+                 sizeof(ctx->password_scalar));

  ge_p3 mask;
  x25519_ge_scalarmult_small_precomp(&mask, ctx->password_scalar,
-                              ctx->my_role == spake2_role_alice
-                                  ? kSpakeMSmallPrecomp
-                                  : kSpakeNSmallPrecomp);
+                                     ctx->my_role == spake2_role_alice
+                                         ? kSpakeMSmallPrecomp
+                                         : kSpakeNSmallPrecomp);

-  /* P* = P + mask. */
+  // P* = P + mask.
  ge_cached mask_cached;
  x25519_ge_p3_to_cached(&mask_cached, &mask);
  ge_p1p1 Pstar;
  x25519_ge_add(&Pstar, &P, &mask_cached);

-  /* Encode P* */
+  // Encode P*
  ge_p2 Pstar_proj;
  x25519_ge_p1p1_to_p2(&Pstar_proj, &Pstar);
  x25519_ge_tobytes(ctx->my_msg, &Pstar_proj);
@@ -408,11 +482,11 @@ int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key, size_t *out_key_len,

  ge_p3 Qstar;
  if (0 != x25519_ge_frombytes_vartime(&Qstar, their_msg)) {
-    /* Point received from peer was not on the curve. */
+    // Point received from peer was not on the curve.
    return 0;
  }

-  /* Unmask peer's value. */
+  // Unmask peer's value.
  ge_p3 peers_mask;
  x25519_ge_scalarmult_small_precomp(&peers_mask, ctx->password_scalar,
                                    ctx->my_role == spake2_role_alice
@@ -23,9 +23,10 @@
 #include <gtest/gtest.h>

 #include "../internal.h"
+#include "internal.h"


-/* TODO(agl): add tests with fixed vectors once SPAKE2 is nailed down. */
+// TODO(agl): add tests with fixed vectors once SPAKE2 is nailed down.

 struct SPAKE2Run {
  bool Run() {
@@ -46,6 +47,13 @@ struct SPAKE2Run {
      return false;
    }

+    if (alice_disable_password_scalar_hack) {
+      alice->disable_password_scalar_hack = 1;
+    }
+    if (bob_disable_password_scalar_hack) {
+      bob->disable_password_scalar_hack = 1;
+    }
+
    uint8_t alice_msg[SPAKE2_MAX_MSG_SIZE];
    uint8_t bob_msg[SPAKE2_MAX_MSG_SIZE];
    size_t alice_msg_len, bob_msg_len;
@@ -90,6 +98,8 @@ struct SPAKE2Run {
  std::string bob_password = "password";
  std::pair<std::string, std::string> alice_names = {"alice", "bob"};
  std::pair<std::string, std::string> bob_names = {"bob", "alice"};
+  bool alice_disable_password_scalar_hack = false;
+  bool bob_disable_password_scalar_hack = false;
  int alice_corrupt_msg_bit = -1;

 private:
@@ -104,6 +114,24 @@ TEST(SPAKE25519Test, SPAKE2) {
  }
 }

+TEST(SPAKE25519Test, OldAlice) {
+  for (unsigned i = 0; i < 20; i++) {
+    SPAKE2Run spake2;
+    spake2.alice_disable_password_scalar_hack = true;
+    ASSERT_TRUE(spake2.Run());
+    EXPECT_TRUE(spake2.key_matches());
+  }
+}
+
+TEST(SPAKE25519Test, OldBob) {
+  for (unsigned i = 0; i < 20; i++) {
+    SPAKE2Run spake2;
+    spake2.bob_disable_password_scalar_hack = true;
+    ASSERT_TRUE(spake2.Run());
+    EXPECT_TRUE(spake2.key_matches());
+  }
+}
+
 TEST(SPAKE25519Test, WrongPassword) {
  SPAKE2Run spake2;
  spake2.bob_password = "wrong password";
@@ -12,12 +12,12 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

-/* This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
- * 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
- * public domain but this file has the ISC license just to keep licencing
- * simple.
- *
- * The field functions are shared by Ed25519 and X25519 where possible. */
+// This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
+// 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
+// public domain but this file has the ISC license just to keep licencing
+// simple.
+//
+// The field functions are shared by Ed25519 and X25519 where possible.

 #include <openssl/curve25519.h>

@@ -31,7 +31,7 @@

 typedef struct { uint64_t v[5]; } fe25519;

-/* These functions are defined in asm/x25519-x86_64.S */
+// These functions are defined in asm/x25519-x86_64.S
 void x25519_x86_64_work_cswap(fe25519 *, uint64_t);
 void x25519_x86_64_mul(fe25519 *out, const fe25519 *a, const fe25519 *b);
 void x25519_x86_64_square(fe25519 *out, const fe25519 *a);
@@ -46,7 +46,7 @@ static void fe25519_setint(fe25519 *r, unsigned v) {
  r->v[4] = 0;
 }

-/* Assumes input x being reduced below 2^255 */
+// Assumes input x being reduced below 2^255
 static void fe25519_pack(unsigned char r[32], const fe25519 *x) {
  fe25519 t;
  t = *x;
@@ -244,4 +244,4 @@ void x25519_x86_64(uint8_t out[32], const uint8_t scalar[32],
  fe25519_pack(out, &t);
 }

-#endif  /* BORINGSSL_X25519_X86_64 */
+#endif  // BORINGSSL_X25519_X86_64
@@ -59,8 +59,8 @@
 #include <openssl/bn.h>


-int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) {
-  *ret = 0;
+int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) {
+  *out_flags = 0;

  BN_CTX *ctx = BN_CTX_new();
  if (ctx == NULL) {
@@ -70,34 +70,34 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) {

  int ok = 0;

-  /* Check |pub_key| is greater than 1. */
+  // Check |pub_key| is greater than 1.
  BIGNUM *tmp = BN_CTX_get(ctx);
  if (tmp == NULL ||
      !BN_set_word(tmp, 1)) {
    goto err;
  }
  if (BN_cmp(pub_key, tmp) <= 0) {
-    *ret |= DH_CHECK_PUBKEY_TOO_SMALL;
+    *out_flags |= DH_CHECK_PUBKEY_TOO_SMALL;
  }

-  /* Check |pub_key| is less than |dh->p| - 1. */
+  // Check |pub_key| is less than |dh->p| - 1.
  if (!BN_copy(tmp, dh->p) ||
      !BN_sub_word(tmp, 1)) {
    goto err;
  }
  if (BN_cmp(pub_key, tmp) >= 0) {
-    *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
+    *out_flags |= DH_CHECK_PUBKEY_TOO_LARGE;
  }

  if (dh->q != NULL) {
-    /* Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114
-     * groups which are not safe primes but pick a generator on a prime-order
-     * subgroup of size |dh->q|. */
+    // Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114
+    // groups which are not safe primes but pick a generator on a prime-order
+    // subgroup of size |dh->q|.
    if (!BN_mod_exp_mont(tmp, pub_key, dh->q, dh->p, ctx, NULL)) {
      goto err;
    }
    if (!BN_is_one(tmp)) {
-      *ret |= DH_CHECK_PUBKEY_INVALID;
+      *out_flags |= DH_CHECK_PUBKEY_INVALID;
    }
  }

@@ -110,20 +110,19 @@ err:
 }


-int DH_check(const DH *dh, int *ret) {
-  /* Check that p is a safe prime and if g is 2, 3 or 5, check that it is a
-   * suitable generator where:
-   *   for 2, p mod 24 == 11
-   *   for 3, p mod 12 == 5
-   *   for 5, p mod 10 == 3 or 7
-   * should hold.
-   */
+int DH_check(const DH *dh, int *out_flags) {
+  // Check that p is a safe prime and if g is 2, 3 or 5, check that it is a
+  // suitable generator where:
+  //   for 2, p mod 24 == 11
+  //   for 3, p mod 12 == 5
+  //   for 5, p mod 10 == 3 or 7
+  // should hold.
  int ok = 0, r;
  BN_CTX *ctx = NULL;
  BN_ULONG l;
  BIGNUM *t1 = NULL, *t2 = NULL;

-  *ret = 0;
+  *out_flags = 0;
  ctx = BN_CTX_new();
  if (ctx == NULL) {
    goto err;
@@ -140,16 +139,16 @@ int DH_check(const DH *dh, int *ret) {

  if (dh->q) {
    if (BN_cmp(dh->g, BN_value_one()) <= 0) {
-      *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
+      *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
    } else if (BN_cmp(dh->g, dh->p) >= 0) {
-      *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
+      *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
    } else {
-      /* Check g^q == 1 mod p */
+      // Check g^q == 1 mod p
      if (!BN_mod_exp_mont(t1, dh->g, dh->q, dh->p, ctx, NULL)) {
        goto err;
      }
      if (!BN_is_one(t1)) {
-        *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
+        *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
      }
    }
    r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
@@ -157,17 +156,17 @@ int DH_check(const DH *dh, int *ret) {
      goto err;
    }
    if (!r) {
-      *ret |= DH_CHECK_Q_NOT_PRIME;
+      *out_flags |= DH_CHECK_Q_NOT_PRIME;
    }
-    /* Check p == 1 mod q  i.e. q divides p - 1 */
+    // Check p == 1 mod q  i.e. q divides p - 1
    if (!BN_div(t1, t2, dh->p, dh->q, ctx)) {
      goto err;
    }
    if (!BN_is_one(t2)) {
-      *ret |= DH_CHECK_INVALID_Q_VALUE;
+      *out_flags |= DH_CHECK_INVALID_Q_VALUE;
    }
    if (dh->j && BN_cmp(dh->j, t1)) {
-      *ret |= DH_CHECK_INVALID_J_VALUE;
+      *out_flags |= DH_CHECK_INVALID_J_VALUE;
    }
  } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
    l = BN_mod_word(dh->p, 24);
@@ -175,7 +174,7 @@ int DH_check(const DH *dh, int *ret) {
      goto err;
    }
    if (l != 11) {
-      *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
+      *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
    }
  } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
    l = BN_mod_word(dh->p, 10);
@@ -183,10 +182,10 @@ int DH_check(const DH *dh, int *ret) {
      goto err;
    }
    if (l != 3 && l != 7) {
-      *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
+      *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
    }
  } else {
-    *ret |= DH_CHECK_UNABLE_TO_CHECK_GENERATOR;
+    *out_flags |= DH_CHECK_UNABLE_TO_CHECK_GENERATOR;
  }

  r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
@@ -194,7 +193,7 @@ int DH_check(const DH *dh, int *ret) {
    goto err;
  }
  if (!r) {
-    *ret |= DH_CHECK_P_NOT_PRIME;
+    *out_flags |= DH_CHECK_P_NOT_PRIME;
  } else if (!dh->q) {
    if (!BN_rshift1(t1, dh->p)) {
      goto err;
@@ -204,7 +203,7 @@ int DH_check(const DH *dh, int *ret) {
      goto err;
    }
    if (!r) {
-      *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
+      *out_flags |= DH_CHECK_P_NOT_SAFE_PRIME;
    }
  }
  ok = 1;
@@ -124,6 +124,20 @@ void DH_get0_key(const DH *dh, const BIGNUM **out_pub_key,
  }
 }

+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) {
+  if (pub_key != NULL) {
+    BN_free(dh->pub_key);
+    dh->pub_key = pub_key;
+  }
+
+  if (priv_key != NULL) {
+    BN_free(dh->priv_key);
+    dh->priv_key = priv_key;
+  }
+
+  return 1;
+}
+
 void DH_get0_pqg(const DH *dh, const BIGNUM **out_p, const BIGNUM **out_q,
                 const BIGNUM **out_g) {
  if (out_p != NULL) {
@@ -137,33 +151,55 @@ void DH_get0_pqg(const DH *dh, const BIGNUM **out_p, const BIGNUM **out_q,
  }
 }

-int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, BN_GENCB *cb) {
-  /* We generate DH parameters as follows
-   * find a prime q which is prime_bits/2 bits long.
-   * p=(2*q)+1 or (p-1)/2 = q
-   * For this case, g is a generator if
-   * g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
-   * Since the factors of p-1 are q and 2, we just need to check
-   * g^2 mod p != 1 and g^q mod p != 1.
-   *
-   * Having said all that,
-   * there is another special case method for the generators 2, 3 and 5.
-   * for 2, p mod 24 == 11
-   * for 3, p mod 12 == 5  <<<<< does not work for safe primes.
-   * for 5, p mod 10 == 3 or 7
-   *
-   * Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
-   * special generators and for answering some of my questions.
-   *
-   * I've implemented the second simple method :-).
-   * Since DH should be using a safe prime (both p and q are prime),
-   * this generator function can take a very very long time to run.
-   */
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
+  if ((dh->p == NULL && p == NULL) ||
+      (dh->g == NULL && g == NULL)) {
+    return 0;
+  }

-  /* Actually there is no reason to insist that 'generator' be a generator.
-   * It's just as OK (and in some sense better) to use a generator of the
-   * order-q subgroup.
-   */
+  if (p != NULL) {
+    BN_free(dh->p);
+    dh->p = p;
+  }
+
+  if (q != NULL) {
+    BN_free(dh->q);
+    dh->q = q;
+  }
+
+  if (g != NULL) {
+    BN_free(dh->g);
+    dh->g = g;
+  }
+
+  return 1;
+}
+
+int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, BN_GENCB *cb) {
+  // We generate DH parameters as follows
+  // find a prime q which is prime_bits/2 bits long.
+  // p=(2*q)+1 or (p-1)/2 = q
+  // For this case, g is a generator if
+  // g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
+  // Since the factors of p-1 are q and 2, we just need to check
+  // g^2 mod p != 1 and g^q mod p != 1.
+  //
+  // Having said all that,
+  // there is another special case method for the generators 2, 3 and 5.
+  // for 2, p mod 24 == 11
+  // for 3, p mod 12 == 5  <<<<< does not work for safe primes.
+  // for 5, p mod 10 == 3 or 7
+  //
+  // Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
+  // special generators and for answering some of my questions.
+  //
+  // I've implemented the second simple method :-).
+  // Since DH should be using a safe prime (both p and q are prime),
+  // this generator function can take a very very long time to run.
+
+  // Actually there is no reason to insist that 'generator' be a generator.
+  // It's just as OK (and in some sense better) to use a generator of the
+  // order-q subgroup.

  BIGNUM *t1, *t2;
  int g, ok = 0;
@@ -180,7 +216,7 @@ int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, BN_GENCB *c
    goto err;
  }

-  /* Make sure |dh| has the necessary elements */
+  // Make sure |dh| has the necessary elements
  if (dh->p == NULL) {
    dh->p = BN_new();
    if (dh->p == NULL) {
@@ -213,14 +249,14 @@ int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, BN_GENCB *c
    if (!BN_set_word(t2, 3)) {
      goto err;
    }
-    /* BN_set_word(t3,7); just have to miss
-     * out on these ones :-( */
+    // BN_set_word(t3,7); just have to miss
+    // out on these ones :-(
    g = 5;
  } else {
-    /* in the general case, don't worry if 'generator' is a
-     * generator or not: since we are using safe primes,
-     * it will generate either an order-q or an order-2q group,
-     * which both is OK */
+    // in the general case, don't worry if 'generator' is a
+    // generator or not: since we are using safe primes,
+    // it will generate either an order-q or an order-2q group,
+    // which both is OK
    if (!BN_set_word(t1, 2)) {
      goto err;
    }
@@ -299,7 +335,7 @@ int DH_generate_key(DH *dh) {
        goto err;
      }
    } else {
-      /* secret exponent length */
+      // secret exponent length
      unsigned priv_bits = dh->priv_length;
      if (priv_bits == 0) {
        const unsigned p_bits = BN_num_bits(dh->p);
@@ -76,7 +76,7 @@ static int parse_integer(CBS *cbs, BIGNUM **out) {

 static int marshal_integer(CBB *cbb, BIGNUM *bn) {
  if (bn == NULL) {
-    /* A DH object may be missing some components. */
+    // A DH object may be missing some components.
    OPENSSL_PUT_ERROR(DH, ERR_R_PASSED_NULL_PARAMETER);
    return 0;
  }
@@ -74,7 +74,6 @@


 static bool RunBasicTests();
-static bool RunRFC5114Tests();
 static bool TestBadY();
 static bool TestASN1();
 static bool TestRFC3526();
@@ -82,7 +81,6 @@ static bool TestRFC3526();
 // TODO(davidben): Convert this file to GTest properly.
 TEST(DHTest, AllTests) {
  if (!RunBasicTests() ||
-      !RunRFC5114Tests() ||
      !TestBadY() ||
      !TestASN1() ||
      !TestRFC3526()) {
@@ -203,284 +201,61 @@ static bool RunBasicTests() {
  return true;
 }

-/* Test data from RFC 5114 */
-
-static const uint8_t kDHTest1024_160_xA[] = {
-    0xB9, 0xA3, 0xB3, 0xAE, 0x8F, 0xEF, 0xC1, 0xA2, 0x93, 0x04,
-    0x96, 0x50, 0x70, 0x86, 0xF8, 0x45, 0x5D, 0x48, 0x94, 0x3E};
-static const uint8_t kDHTest1024_160_yA[] = {
-    0x2A, 0x85, 0x3B, 0x3D, 0x92, 0x19, 0x75, 0x01, 0xB9, 0x01, 0x5B, 0x2D,
-    0xEB, 0x3E, 0xD8, 0x4F, 0x5E, 0x02, 0x1D, 0xCC, 0x3E, 0x52, 0xF1, 0x09,
-    0xD3, 0x27, 0x3D, 0x2B, 0x75, 0x21, 0x28, 0x1C, 0xBA, 0xBE, 0x0E, 0x76,
-    0xFF, 0x57, 0x27, 0xFA, 0x8A, 0xCC, 0xE2, 0x69, 0x56, 0xBA, 0x9A, 0x1F,
-    0xCA, 0x26, 0xF2, 0x02, 0x28, 0xD8, 0x69, 0x3F, 0xEB, 0x10, 0x84, 0x1D,
-    0x84, 0xA7, 0x36, 0x00, 0x54, 0xEC, 0xE5, 0xA7, 0xF5, 0xB7, 0xA6, 0x1A,
-    0xD3, 0xDF, 0xB3, 0xC6, 0x0D, 0x2E, 0x43, 0x10, 0x6D, 0x87, 0x27, 0xDA,
-    0x37, 0xDF, 0x9C, 0xCE, 0x95, 0xB4, 0x78, 0x75, 0x5D, 0x06, 0xBC, 0xEA,
-    0x8F, 0x9D, 0x45, 0x96, 0x5F, 0x75, 0xA5, 0xF3, 0xD1, 0xDF, 0x37, 0x01,
-    0x16, 0x5F, 0xC9, 0xE5, 0x0C, 0x42, 0x79, 0xCE, 0xB0, 0x7F, 0x98, 0x95,
-    0x40, 0xAE, 0x96, 0xD5, 0xD8, 0x8E, 0xD7, 0x76};
-static const uint8_t kDHTest1024_160_xB[] = {
-    0x93, 0x92, 0xC9, 0xF9, 0xEB, 0x6A, 0x7A, 0x6A, 0x90, 0x22,
-    0xF7, 0xD8, 0x3E, 0x72, 0x23, 0xC6, 0x83, 0x5B, 0xBD, 0xDA};
-static const uint8_t kDHTest1024_160_yB[] = {
-    0x71, 0x7A, 0x6C, 0xB0, 0x53, 0x37, 0x1F, 0xF4, 0xA3, 0xB9, 0x32, 0x94,
-    0x1C, 0x1E, 0x56, 0x63, 0xF8, 0x61, 0xA1, 0xD6, 0xAD, 0x34, 0xAE, 0x66,
-    0x57, 0x6D, 0xFB, 0x98, 0xF6, 0xC6, 0xCB, 0xF9, 0xDD, 0xD5, 0xA5, 0x6C,
-    0x78, 0x33, 0xF6, 0xBC, 0xFD, 0xFF, 0x09, 0x55, 0x82, 0xAD, 0x86, 0x8E,
-    0x44, 0x0E, 0x8D, 0x09, 0xFD, 0x76, 0x9E, 0x3C, 0xEC, 0xCD, 0xC3, 0xD3,
-    0xB1, 0xE4, 0xCF, 0xA0, 0x57, 0x77, 0x6C, 0xAA, 0xF9, 0x73, 0x9B, 0x6A,
-    0x9F, 0xEE, 0x8E, 0x74, 0x11, 0xF8, 0xD6, 0xDA, 0xC0, 0x9D, 0x6A, 0x4E,
-    0xDB, 0x46, 0xCC, 0x2B, 0x5D, 0x52, 0x03, 0x09, 0x0E, 0xAE, 0x61, 0x26,
-    0x31, 0x1E, 0x53, 0xFD, 0x2C, 0x14, 0xB5, 0x74, 0xE6, 0xA3, 0x10, 0x9A,
-    0x3D, 0xA1, 0xBE, 0x41, 0xBD, 0xCE, 0xAA, 0x18, 0x6F, 0x5C, 0xE0, 0x67,
-    0x16, 0xA2, 0xB6, 0xA0, 0x7B, 0x3C, 0x33, 0xFE};
-static const uint8_t kDHTest1024_160_Z[] = {
-    0x5C, 0x80, 0x4F, 0x45, 0x4D, 0x30, 0xD9, 0xC4, 0xDF, 0x85, 0x27, 0x1F,
-    0x93, 0x52, 0x8C, 0x91, 0xDF, 0x6B, 0x48, 0xAB, 0x5F, 0x80, 0xB3, 0xB5,
-    0x9C, 0xAA, 0xC1, 0xB2, 0x8F, 0x8A, 0xCB, 0xA9, 0xCD, 0x3E, 0x39, 0xF3,
-    0xCB, 0x61, 0x45, 0x25, 0xD9, 0x52, 0x1D, 0x2E, 0x64, 0x4C, 0x53, 0xB8,
-    0x07, 0xB8, 0x10, 0xF3, 0x40, 0x06, 0x2F, 0x25, 0x7D, 0x7D, 0x6F, 0xBF,
-    0xE8, 0xD5, 0xE8, 0xF0, 0x72, 0xE9, 0xB6, 0xE9, 0xAF, 0xDA, 0x94, 0x13,
-    0xEA, 0xFB, 0x2E, 0x8B, 0x06, 0x99, 0xB1, 0xFB, 0x5A, 0x0C, 0xAC, 0xED,
-    0xDE, 0xAE, 0xAD, 0x7E, 0x9C, 0xFB, 0xB3, 0x6A, 0xE2, 0xB4, 0x20, 0x83,
-    0x5B, 0xD8, 0x3A, 0x19, 0xFB, 0x0B, 0x5E, 0x96, 0xBF, 0x8F, 0xA4, 0xD0,
-    0x9E, 0x34, 0x55, 0x25, 0x16, 0x7E, 0xCD, 0x91, 0x55, 0x41, 0x6F, 0x46,
-    0xF4, 0x08, 0xED, 0x31, 0xB6, 0x3C, 0x6E, 0x6D};
-static const uint8_t kDHTest2048_224_xA[] = {
-    0x22, 0xE6, 0x26, 0x01, 0xDB, 0xFF, 0xD0, 0x67, 0x08, 0xA6,
-    0x80, 0xF7, 0x47, 0xF3, 0x61, 0xF7, 0x6D, 0x8F, 0x4F, 0x72,
-    0x1A, 0x05, 0x48, 0xE4, 0x83, 0x29, 0x4B, 0x0C};
-static const uint8_t kDHTest2048_224_yA[] = {
-    0x1B, 0x3A, 0x63, 0x45, 0x1B, 0xD8, 0x86, 0xE6, 0x99, 0xE6, 0x7B, 0x49,
-    0x4E, 0x28, 0x8B, 0xD7, 0xF8, 0xE0, 0xD3, 0x70, 0xBA, 0xDD, 0xA7, 0xA0,
-    0xEF, 0xD2, 0xFD, 0xE7, 0xD8, 0xF6, 0x61, 0x45, 0xCC, 0x9F, 0x28, 0x04,
-    0x19, 0x97, 0x5E, 0xB8, 0x08, 0x87, 0x7C, 0x8A, 0x4C, 0x0C, 0x8E, 0x0B,
-    0xD4, 0x8D, 0x4A, 0x54, 0x01, 0xEB, 0x1E, 0x87, 0x76, 0xBF, 0xEE, 0xE1,
-    0x34, 0xC0, 0x38, 0x31, 0xAC, 0x27, 0x3C, 0xD9, 0xD6, 0x35, 0xAB, 0x0C,
-    0xE0, 0x06, 0xA4, 0x2A, 0x88, 0x7E, 0x3F, 0x52, 0xFB, 0x87, 0x66, 0xB6,
-    0x50, 0xF3, 0x80, 0x78, 0xBC, 0x8E, 0xE8, 0x58, 0x0C, 0xEF, 0xE2, 0x43,
-    0x96, 0x8C, 0xFC, 0x4F, 0x8D, 0xC3, 0xDB, 0x08, 0x45, 0x54, 0x17, 0x1D,
-    0x41, 0xBF, 0x2E, 0x86, 0x1B, 0x7B, 0xB4, 0xD6, 0x9D, 0xD0, 0xE0, 0x1E,
-    0xA3, 0x87, 0xCB, 0xAA, 0x5C, 0xA6, 0x72, 0xAF, 0xCB, 0xE8, 0xBD, 0xB9,
-    0xD6, 0x2D, 0x4C, 0xE1, 0x5F, 0x17, 0xDD, 0x36, 0xF9, 0x1E, 0xD1, 0xEE,
-    0xDD, 0x65, 0xCA, 0x4A, 0x06, 0x45, 0x5C, 0xB9, 0x4C, 0xD4, 0x0A, 0x52,
-    0xEC, 0x36, 0x0E, 0x84, 0xB3, 0xC9, 0x26, 0xE2, 0x2C, 0x43, 0x80, 0xA3,
-    0xBF, 0x30, 0x9D, 0x56, 0x84, 0x97, 0x68, 0xB7, 0xF5, 0x2C, 0xFD, 0xF6,
-    0x55, 0xFD, 0x05, 0x3A, 0x7E, 0xF7, 0x06, 0x97, 0x9E, 0x7E, 0x58, 0x06,
-    0xB1, 0x7D, 0xFA, 0xE5, 0x3A, 0xD2, 0xA5, 0xBC, 0x56, 0x8E, 0xBB, 0x52,
-    0x9A, 0x7A, 0x61, 0xD6, 0x8D, 0x25, 0x6F, 0x8F, 0xC9, 0x7C, 0x07, 0x4A,
-    0x86, 0x1D, 0x82, 0x7E, 0x2E, 0xBC, 0x8C, 0x61, 0x34, 0x55, 0x31, 0x15,
-    0xB7, 0x0E, 0x71, 0x03, 0x92, 0x0A, 0xA1, 0x6D, 0x85, 0xE5, 0x2B, 0xCB,
-    0xAB, 0x8D, 0x78, 0x6A, 0x68, 0x17, 0x8F, 0xA8, 0xFF, 0x7C, 0x2F, 0x5C,
-    0x71, 0x64, 0x8D, 0x6F};
-static const uint8_t kDHTest2048_224_xB[] = {
-    0x4F, 0xF3, 0xBC, 0x96, 0xC7, 0xFC, 0x6A, 0x6D, 0x71, 0xD3,
-    0xB3, 0x63, 0x80, 0x0A, 0x7C, 0xDF, 0xEF, 0x6F, 0xC4, 0x1B,
-    0x44, 0x17, 0xEA, 0x15, 0x35, 0x3B, 0x75, 0x90};
-static const uint8_t kDHTest2048_224_yB[] = {
-    0x4D, 0xCE, 0xE9, 0x92, 0xA9, 0x76, 0x2A, 0x13, 0xF2, 0xF8, 0x38, 0x44,
-    0xAD, 0x3D, 0x77, 0xEE, 0x0E, 0x31, 0xC9, 0x71, 0x8B, 0x3D, 0xB6, 0xC2,
-    0x03, 0x5D, 0x39, 0x61, 0x18, 0x2C, 0x3E, 0x0B, 0xA2, 0x47, 0xEC, 0x41,
-    0x82, 0xD7, 0x60, 0xCD, 0x48, 0xD9, 0x95, 0x99, 0x97, 0x06, 0x22, 0xA1,
-    0x88, 0x1B, 0xBA, 0x2D, 0xC8, 0x22, 0x93, 0x9C, 0x78, 0xC3, 0x91, 0x2C,
-    0x66, 0x61, 0xFA, 0x54, 0x38, 0xB2, 0x07, 0x66, 0x22, 0x2B, 0x75, 0xE2,
-    0x4C, 0x2E, 0x3A, 0xD0, 0xC7, 0x28, 0x72, 0x36, 0x12, 0x95, 0x25, 0xEE,
-    0x15, 0xB5, 0xDD, 0x79, 0x98, 0xAA, 0x04, 0xC4, 0xA9, 0x69, 0x6C, 0xAC,
-    0xD7, 0x17, 0x20, 0x83, 0xA9, 0x7A, 0x81, 0x66, 0x4E, 0xAD, 0x2C, 0x47,
-    0x9E, 0x44, 0x4E, 0x4C, 0x06, 0x54, 0xCC, 0x19, 0xE2, 0x8D, 0x77, 0x03,
-    0xCE, 0xE8, 0xDA, 0xCD, 0x61, 0x26, 0xF5, 0xD6, 0x65, 0xEC, 0x52, 0xC6,
-    0x72, 0x55, 0xDB, 0x92, 0x01, 0x4B, 0x03, 0x7E, 0xB6, 0x21, 0xA2, 0xAC,
-    0x8E, 0x36, 0x5D, 0xE0, 0x71, 0xFF, 0xC1, 0x40, 0x0A, 0xCF, 0x07, 0x7A,
-    0x12, 0x91, 0x3D, 0xD8, 0xDE, 0x89, 0x47, 0x34, 0x37, 0xAB, 0x7B, 0xA3,
-    0x46, 0x74, 0x3C, 0x1B, 0x21, 0x5D, 0xD9, 0xC1, 0x21, 0x64, 0xA7, 0xE4,
-    0x05, 0x31, 0x18, 0xD1, 0x99, 0xBE, 0xC8, 0xEF, 0x6F, 0xC5, 0x61, 0x17,
-    0x0C, 0x84, 0xC8, 0x7D, 0x10, 0xEE, 0x9A, 0x67, 0x4A, 0x1F, 0xA8, 0xFF,
-    0xE1, 0x3B, 0xDF, 0xBA, 0x1D, 0x44, 0xDE, 0x48, 0x94, 0x6D, 0x68, 0xDC,
-    0x0C, 0xDD, 0x77, 0x76, 0x35, 0xA7, 0xAB, 0x5B, 0xFB, 0x1E, 0x4B, 0xB7,
-    0xB8, 0x56, 0xF9, 0x68, 0x27, 0x73, 0x4C, 0x18, 0x41, 0x38, 0xE9, 0x15,
-    0xD9, 0xC3, 0x00, 0x2E, 0xBC, 0xE5, 0x31, 0x20, 0x54, 0x6A, 0x7E, 0x20,
-    0x02, 0x14, 0x2B, 0x6C};
-static const uint8_t kDHTest2048_224_Z[] = {
-    0x34, 0xD9, 0xBD, 0xDC, 0x1B, 0x42, 0x17, 0x6C, 0x31, 0x3F, 0xEA, 0x03,
-    0x4C, 0x21, 0x03, 0x4D, 0x07, 0x4A, 0x63, 0x13, 0xBB, 0x4E, 0xCD, 0xB3,
-    0x70, 0x3F, 0xFF, 0x42, 0x45, 0x67, 0xA4, 0x6B, 0xDF, 0x75, 0x53, 0x0E,
-    0xDE, 0x0A, 0x9D, 0xA5, 0x22, 0x9D, 0xE7, 0xD7, 0x67, 0x32, 0x28, 0x6C,
-    0xBC, 0x0F, 0x91, 0xDA, 0x4C, 0x3C, 0x85, 0x2F, 0xC0, 0x99, 0xC6, 0x79,
-    0x53, 0x1D, 0x94, 0xC7, 0x8A, 0xB0, 0x3D, 0x9D, 0xEC, 0xB0, 0xA4, 0xE4,
-    0xCA, 0x8B, 0x2B, 0xB4, 0x59, 0x1C, 0x40, 0x21, 0xCF, 0x8C, 0xE3, 0xA2,
-    0x0A, 0x54, 0x1D, 0x33, 0x99, 0x40, 0x17, 0xD0, 0x20, 0x0A, 0xE2, 0xC9,
-    0x51, 0x6E, 0x2F, 0xF5, 0x14, 0x57, 0x79, 0x26, 0x9E, 0x86, 0x2B, 0x0F,
-    0xB4, 0x74, 0xA2, 0xD5, 0x6D, 0xC3, 0x1E, 0xD5, 0x69, 0xA7, 0x70, 0x0B,
-    0x4C, 0x4A, 0xB1, 0x6B, 0x22, 0xA4, 0x55, 0x13, 0x53, 0x1E, 0xF5, 0x23,
-    0xD7, 0x12, 0x12, 0x07, 0x7B, 0x5A, 0x16, 0x9B, 0xDE, 0xFF, 0xAD, 0x7A,
-    0xD9, 0x60, 0x82, 0x84, 0xC7, 0x79, 0x5B, 0x6D, 0x5A, 0x51, 0x83, 0xB8,
-    0x70, 0x66, 0xDE, 0x17, 0xD8, 0xD6, 0x71, 0xC9, 0xEB, 0xD8, 0xEC, 0x89,
-    0x54, 0x4D, 0x45, 0xEC, 0x06, 0x15, 0x93, 0xD4, 0x42, 0xC6, 0x2A, 0xB9,
-    0xCE, 0x3B, 0x1C, 0xB9, 0x94, 0x3A, 0x1D, 0x23, 0xA5, 0xEA, 0x3B, 0xCF,
-    0x21, 0xA0, 0x14, 0x71, 0xE6, 0x7E, 0x00, 0x3E, 0x7F, 0x8A, 0x69, 0xC7,
-    0x28, 0xBE, 0x49, 0x0B, 0x2F, 0xC8, 0x8C, 0xFE, 0xB9, 0x2D, 0xB6, 0xA2,
-    0x15, 0xE5, 0xD0, 0x3C, 0x17, 0xC4, 0x64, 0xC9, 0xAC, 0x1A, 0x46, 0xE2,
-    0x03, 0xE1, 0x3F, 0x95, 0x29, 0x95, 0xFB, 0x03, 0xC6, 0x9D, 0x3C, 0xC4,
-    0x7F, 0xCB, 0x51, 0x0B, 0x69, 0x98, 0xFF, 0xD3, 0xAA, 0x6D, 0xE7, 0x3C,
-    0xF9, 0xF6, 0x38, 0x69};
-static const uint8_t kDHTest2048_256_xA[] = {
-    0x08, 0x81, 0x38, 0x2C, 0xDB, 0x87, 0x66, 0x0C, 0x6D, 0xC1, 0x3E,
-    0x61, 0x49, 0x38, 0xD5, 0xB9, 0xC8, 0xB2, 0xF2, 0x48, 0x58, 0x1C,
-    0xC5, 0xE3, 0x1B, 0x35, 0x45, 0x43, 0x97, 0xFC, 0xE5, 0x0E};
-static const uint8_t kDHTest2048_256_yA[] = {
-    0x2E, 0x93, 0x80, 0xC8, 0x32, 0x3A, 0xF9, 0x75, 0x45, 0xBC, 0x49, 0x41,
-    0xDE, 0xB0, 0xEC, 0x37, 0x42, 0xC6, 0x2F, 0xE0, 0xEC, 0xE8, 0x24, 0xA6,
-    0xAB, 0xDB, 0xE6, 0x6C, 0x59, 0xBE, 0xE0, 0x24, 0x29, 0x11, 0xBF, 0xB9,
-    0x67, 0x23, 0x5C, 0xEB, 0xA3, 0x5A, 0xE1, 0x3E, 0x4E, 0xC7, 0x52, 0xBE,
-    0x63, 0x0B, 0x92, 0xDC, 0x4B, 0xDE, 0x28, 0x47, 0xA9, 0xC6, 0x2C, 0xB8,
-    0x15, 0x27, 0x45, 0x42, 0x1F, 0xB7, 0xEB, 0x60, 0xA6, 0x3C, 0x0F, 0xE9,
-    0x15, 0x9F, 0xCC, 0xE7, 0x26, 0xCE, 0x7C, 0xD8, 0x52, 0x3D, 0x74, 0x50,
-    0x66, 0x7E, 0xF8, 0x40, 0xE4, 0x91, 0x91, 0x21, 0xEB, 0x5F, 0x01, 0xC8,
-    0xC9, 0xB0, 0xD3, 0xD6, 0x48, 0xA9, 0x3B, 0xFB, 0x75, 0x68, 0x9E, 0x82,
-    0x44, 0xAC, 0x13, 0x4A, 0xF5, 0x44, 0x71, 0x1C, 0xE7, 0x9A, 0x02, 0xDC,
-    0xC3, 0x42, 0x26, 0x68, 0x47, 0x80, 0xDD, 0xDC, 0xB4, 0x98, 0x59, 0x41,
-    0x06, 0xC3, 0x7F, 0x5B, 0xC7, 0x98, 0x56, 0x48, 0x7A, 0xF5, 0xAB, 0x02,
-    0x2A, 0x2E, 0x5E, 0x42, 0xF0, 0x98, 0x97, 0xC1, 0xA8, 0x5A, 0x11, 0xEA,
-    0x02, 0x12, 0xAF, 0x04, 0xD9, 0xB4, 0xCE, 0xBC, 0x93, 0x7C, 0x3C, 0x1A,
-    0x3E, 0x15, 0xA8, 0xA0, 0x34, 0x2E, 0x33, 0x76, 0x15, 0xC8, 0x4E, 0x7F,
-    0xE3, 0xB8, 0xB9, 0xB8, 0x7F, 0xB1, 0xE7, 0x3A, 0x15, 0xAF, 0x12, 0xA3,
-    0x0D, 0x74, 0x6E, 0x06, 0xDF, 0xC3, 0x4F, 0x29, 0x0D, 0x79, 0x7C, 0xE5,
-    0x1A, 0xA1, 0x3A, 0xA7, 0x85, 0xBF, 0x66, 0x58, 0xAF, 0xF5, 0xE4, 0xB0,
-    0x93, 0x00, 0x3C, 0xBE, 0xAF, 0x66, 0x5B, 0x3C, 0x2E, 0x11, 0x3A, 0x3A,
-    0x4E, 0x90, 0x52, 0x69, 0x34, 0x1D, 0xC0, 0x71, 0x14, 0x26, 0x68, 0x5F,
-    0x4E, 0xF3, 0x7E, 0x86, 0x8A, 0x81, 0x26, 0xFF, 0x3F, 0x22, 0x79, 0xB5,
-    0x7C, 0xA6, 0x7E, 0x29};
-static const uint8_t kDHTest2048_256_xB[] = {
-    0x7D, 0x62, 0xA7, 0xE3, 0xEF, 0x36, 0xDE, 0x61, 0x7B, 0x13, 0xD1,
-    0xAF, 0xB8, 0x2C, 0x78, 0x0D, 0x83, 0xA2, 0x3B, 0xD4, 0xEE, 0x67,
-    0x05, 0x64, 0x51, 0x21, 0xF3, 0x71, 0xF5, 0x46, 0xA5, 0x3D};
-static const uint8_t kDHTest2048_256_yB[] = {
-    0x57, 0x5F, 0x03, 0x51, 0xBD, 0x2B, 0x1B, 0x81, 0x74, 0x48, 0xBD, 0xF8,
-    0x7A, 0x6C, 0x36, 0x2C, 0x1E, 0x28, 0x9D, 0x39, 0x03, 0xA3, 0x0B, 0x98,
-    0x32, 0xC5, 0x74, 0x1F, 0xA2, 0x50, 0x36, 0x3E, 0x7A, 0xCB, 0xC7, 0xF7,
-    0x7F, 0x3D, 0xAC, 0xBC, 0x1F, 0x13, 0x1A, 0xDD, 0x8E, 0x03, 0x36, 0x7E,
-    0xFF, 0x8F, 0xBB, 0xB3, 0xE1, 0xC5, 0x78, 0x44, 0x24, 0x80, 0x9B, 0x25,
-    0xAF, 0xE4, 0xD2, 0x26, 0x2A, 0x1A, 0x6F, 0xD2, 0xFA, 0xB6, 0x41, 0x05,
-    0xCA, 0x30, 0xA6, 0x74, 0xE0, 0x7F, 0x78, 0x09, 0x85, 0x20, 0x88, 0x63,
-    0x2F, 0xC0, 0x49, 0x23, 0x37, 0x91, 0xAD, 0x4E, 0xDD, 0x08, 0x3A, 0x97,
-    0x8B, 0x88, 0x3E, 0xE6, 0x18, 0xBC, 0x5E, 0x0D, 0xD0, 0x47, 0x41, 0x5F,
-    0x2D, 0x95, 0xE6, 0x83, 0xCF, 0x14, 0x82, 0x6B, 0x5F, 0xBE, 0x10, 0xD3,
-    0xCE, 0x41, 0xC6, 0xC1, 0x20, 0xC7, 0x8A, 0xB2, 0x00, 0x08, 0xC6, 0x98,
-    0xBF, 0x7F, 0x0B, 0xCA, 0xB9, 0xD7, 0xF4, 0x07, 0xBE, 0xD0, 0xF4, 0x3A,
-    0xFB, 0x29, 0x70, 0xF5, 0x7F, 0x8D, 0x12, 0x04, 0x39, 0x63, 0xE6, 0x6D,
-    0xDD, 0x32, 0x0D, 0x59, 0x9A, 0xD9, 0x93, 0x6C, 0x8F, 0x44, 0x13, 0x7C,
-    0x08, 0xB1, 0x80, 0xEC, 0x5E, 0x98, 0x5C, 0xEB, 0xE1, 0x86, 0xF3, 0xD5,
-    0x49, 0x67, 0x7E, 0x80, 0x60, 0x73, 0x31, 0xEE, 0x17, 0xAF, 0x33, 0x80,
-    0xA7, 0x25, 0xB0, 0x78, 0x23, 0x17, 0xD7, 0xDD, 0x43, 0xF5, 0x9D, 0x7A,
-    0xF9, 0x56, 0x8A, 0x9B, 0xB6, 0x3A, 0x84, 0xD3, 0x65, 0xF9, 0x22, 0x44,
-    0xED, 0x12, 0x09, 0x88, 0x21, 0x93, 0x02, 0xF4, 0x29, 0x24, 0xC7, 0xCA,
-    0x90, 0xB8, 0x9D, 0x24, 0xF7, 0x1B, 0x0A, 0xB6, 0x97, 0x82, 0x3D, 0x7D,
-    0xEB, 0x1A, 0xFF, 0x5B, 0x0E, 0x8E, 0x4A, 0x45, 0xD4, 0x9F, 0x7F, 0x53,
-    0x75, 0x7E, 0x19, 0x13};
-static const uint8_t kDHTest2048_256_Z[] = {
-    0x86, 0xC7, 0x0B, 0xF8, 0xD0, 0xBB, 0x81, 0xBB, 0x01, 0x07, 0x8A, 0x17,
-    0x21, 0x9C, 0xB7, 0xD2, 0x72, 0x03, 0xDB, 0x2A, 0x19, 0xC8, 0x77, 0xF1,
-    0xD1, 0xF1, 0x9F, 0xD7, 0xD7, 0x7E, 0xF2, 0x25, 0x46, 0xA6, 0x8F, 0x00,
-    0x5A, 0xD5, 0x2D, 0xC8, 0x45, 0x53, 0xB7, 0x8F, 0xC6, 0x03, 0x30, 0xBE,
-    0x51, 0xEA, 0x7C, 0x06, 0x72, 0xCA, 0xC1, 0x51, 0x5E, 0x4B, 0x35, 0xC0,
-    0x47, 0xB9, 0xA5, 0x51, 0xB8, 0x8F, 0x39, 0xDC, 0x26, 0xDA, 0x14, 0xA0,
-    0x9E, 0xF7, 0x47, 0x74, 0xD4, 0x7C, 0x76, 0x2D, 0xD1, 0x77, 0xF9, 0xED,
-    0x5B, 0xC2, 0xF1, 0x1E, 0x52, 0xC8, 0x79, 0xBD, 0x95, 0x09, 0x85, 0x04,
-    0xCD, 0x9E, 0xEC, 0xD8, 0xA8, 0xF9, 0xB3, 0xEF, 0xBD, 0x1F, 0x00, 0x8A,
-    0xC5, 0x85, 0x30, 0x97, 0xD9, 0xD1, 0x83, 0x7F, 0x2B, 0x18, 0xF7, 0x7C,
-    0xD7, 0xBE, 0x01, 0xAF, 0x80, 0xA7, 0xC7, 0xB5, 0xEA, 0x3C, 0xA5, 0x4C,
-    0xC0, 0x2D, 0x0C, 0x11, 0x6F, 0xEE, 0x3F, 0x95, 0xBB, 0x87, 0x39, 0x93,
-    0x85, 0x87, 0x5D, 0x7E, 0x86, 0x74, 0x7E, 0x67, 0x6E, 0x72, 0x89, 0x38,
-    0xAC, 0xBF, 0xF7, 0x09, 0x8E, 0x05, 0xBE, 0x4D, 0xCF, 0xB2, 0x40, 0x52,
-    0xB8, 0x3A, 0xEF, 0xFB, 0x14, 0x78, 0x3F, 0x02, 0x9A, 0xDB, 0xDE, 0x7F,
-    0x53, 0xFA, 0xE9, 0x20, 0x84, 0x22, 0x40, 0x90, 0xE0, 0x07, 0xCE, 0xE9,
-    0x4D, 0x4B, 0xF2, 0xBA, 0xCE, 0x9F, 0xFD, 0x4B, 0x57, 0xD2, 0xAF, 0x7C,
-    0x72, 0x4D, 0x0C, 0xAA, 0x19, 0xBF, 0x05, 0x01, 0xF6, 0xF1, 0x7B, 0x4A,
-    0xA1, 0x0F, 0x42, 0x5E, 0x3E, 0xA7, 0x60, 0x80, 0xB4, 0xB9, 0xD6, 0xB3,
-    0xCE, 0xFE, 0xA1, 0x15, 0xB2, 0xCE, 0xB8, 0x78, 0x9B, 0xB8, 0xA3, 0xB0,
-    0xEA, 0x87, 0xFE, 0xBE, 0x63, 0xB6, 0xC8, 0xF8, 0x46, 0xEC, 0x6D, 0xB0,
-    0xC2, 0x6C, 0x5D, 0x7C};
-
-struct RFC5114TestData {
-  DH *(*get_param)(const ENGINE *engine);
-  const uint8_t *xA;
-  size_t xA_len;
-  const uint8_t *yA;
-  size_t yA_len;
-  const uint8_t *xB;
-  size_t xB_len;
-  const uint8_t *yB;
-  size_t yB_len;
-  const uint8_t *Z;
-  size_t Z_len;
+// The following parameters are taken from RFC 5114, section 2.2. This is not a
+// safe prime. Do not use these parameters.
+static const uint8_t kRFC5114_2048_224P[] = {
+    0xad, 0x10, 0x7e, 0x1e, 0x91, 0x23, 0xa9, 0xd0, 0xd6, 0x60, 0xfa, 0xa7,
+    0x95, 0x59, 0xc5, 0x1f, 0xa2, 0x0d, 0x64, 0xe5, 0x68, 0x3b, 0x9f, 0xd1,
+    0xb5, 0x4b, 0x15, 0x97, 0xb6, 0x1d, 0x0a, 0x75, 0xe6, 0xfa, 0x14, 0x1d,
+    0xf9, 0x5a, 0x56, 0xdb, 0xaf, 0x9a, 0x3c, 0x40, 0x7b, 0xa1, 0xdf, 0x15,
+    0xeb, 0x3d, 0x68, 0x8a, 0x30, 0x9c, 0x18, 0x0e, 0x1d, 0xe6, 0xb8, 0x5a,
+    0x12, 0x74, 0xa0, 0xa6, 0x6d, 0x3f, 0x81, 0x52, 0xad, 0x6a, 0xc2, 0x12,
+    0x90, 0x37, 0xc9, 0xed, 0xef, 0xda, 0x4d, 0xf8, 0xd9, 0x1e, 0x8f, 0xef,
+    0x55, 0xb7, 0x39, 0x4b, 0x7a, 0xd5, 0xb7, 0xd0, 0xb6, 0xc1, 0x22, 0x07,
+    0xc9, 0xf9, 0x8d, 0x11, 0xed, 0x34, 0xdb, 0xf6, 0xc6, 0xba, 0x0b, 0x2c,
+    0x8b, 0xbc, 0x27, 0xbe, 0x6a, 0x00, 0xe0, 0xa0, 0xb9, 0xc4, 0x97, 0x08,
+    0xb3, 0xbf, 0x8a, 0x31, 0x70, 0x91, 0x88, 0x36, 0x81, 0x28, 0x61, 0x30,
+    0xbc, 0x89, 0x85, 0xdb, 0x16, 0x02, 0xe7, 0x14, 0x41, 0x5d, 0x93, 0x30,
+    0x27, 0x82, 0x73, 0xc7, 0xde, 0x31, 0xef, 0xdc, 0x73, 0x10, 0xf7, 0x12,
+    0x1f, 0xd5, 0xa0, 0x74, 0x15, 0x98, 0x7d, 0x9a, 0xdc, 0x0a, 0x48, 0x6d,
+    0xcd, 0xf9, 0x3a, 0xcc, 0x44, 0x32, 0x83, 0x87, 0x31, 0x5d, 0x75, 0xe1,
+    0x98, 0xc6, 0x41, 0xa4, 0x80, 0xcd, 0x86, 0xa1, 0xb9, 0xe5, 0x87, 0xe8,
+    0xbe, 0x60, 0xe6, 0x9c, 0xc9, 0x28, 0xb2, 0xb9, 0xc5, 0x21, 0x72, 0xe4,
+    0x13, 0x04, 0x2e, 0x9b, 0x23, 0xf1, 0x0b, 0x0e, 0x16, 0xe7, 0x97, 0x63,
+    0xc9, 0xb5, 0x3d, 0xcf, 0x4b, 0xa8, 0x0a, 0x29, 0xe3, 0xfb, 0x73, 0xc1,
+    0x6b, 0x8e, 0x75, 0xb9, 0x7e, 0xf3, 0x63, 0xe2, 0xff, 0xa3, 0x1f, 0x71,
+    0xcf, 0x9d, 0xe5, 0x38, 0x4e, 0x71, 0xb8, 0x1c, 0x0a, 0xc4, 0xdf, 0xfe,
+    0x0c, 0x10, 0xe6, 0x4f,
+};
+static const uint8_t kRFC5114_2048_224G[] = {
+    0xac, 0x40, 0x32, 0xef, 0x4f, 0x2d, 0x9a, 0xe3, 0x9d, 0xf3, 0x0b, 0x5c,
+    0x8f, 0xfd, 0xac, 0x50, 0x6c, 0xde, 0xbe, 0x7b, 0x89, 0x99, 0x8c, 0xaf,
+    0x74, 0x86, 0x6a, 0x08, 0xcf, 0xe4, 0xff, 0xe3, 0xa6, 0x82, 0x4a, 0x4e,
+    0x10, 0xb9, 0xa6, 0xf0, 0xdd, 0x92, 0x1f, 0x01, 0xa7, 0x0c, 0x4a, 0xfa,
+    0xab, 0x73, 0x9d, 0x77, 0x00, 0xc2, 0x9f, 0x52, 0xc5, 0x7d, 0xb1, 0x7c,
+    0x62, 0x0a, 0x86, 0x52, 0xbe, 0x5e, 0x90, 0x01, 0xa8, 0xd6, 0x6a, 0xd7,
+    0xc1, 0x76, 0x69, 0x10, 0x19, 0x99, 0x02, 0x4a, 0xf4, 0xd0, 0x27, 0x27,
+    0x5a, 0xc1, 0x34, 0x8b, 0xb8, 0xa7, 0x62, 0xd0, 0x52, 0x1b, 0xc9, 0x8a,
+    0xe2, 0x47, 0x15, 0x04, 0x22, 0xea, 0x1e, 0xd4, 0x09, 0x93, 0x9d, 0x54,
+    0xda, 0x74, 0x60, 0xcd, 0xb5, 0xf6, 0xc6, 0xb2, 0x50, 0x71, 0x7c, 0xbe,
+    0xf1, 0x80, 0xeb, 0x34, 0x11, 0x8e, 0x98, 0xd1, 0x19, 0x52, 0x9a, 0x45,
+    0xd6, 0xf8, 0x34, 0x56, 0x6e, 0x30, 0x25, 0xe3, 0x16, 0xa3, 0x30, 0xef,
+    0xbb, 0x77, 0xa8, 0x6f, 0x0c, 0x1a, 0xb1, 0x5b, 0x05, 0x1a, 0xe3, 0xd4,
+    0x28, 0xc8, 0xf8, 0xac, 0xb7, 0x0a, 0x81, 0x37, 0x15, 0x0b, 0x8e, 0xeb,
+    0x10, 0xe1, 0x83, 0xed, 0xd1, 0x99, 0x63, 0xdd, 0xd9, 0xe2, 0x63, 0xe4,
+    0x77, 0x05, 0x89, 0xef, 0x6a, 0xa2, 0x1e, 0x7f, 0x5f, 0x2f, 0xf3, 0x81,
+    0xb5, 0x39, 0xcc, 0xe3, 0x40, 0x9d, 0x13, 0xcd, 0x56, 0x6a, 0xfb, 0xb4,
+    0x8d, 0x6c, 0x01, 0x91, 0x81, 0xe1, 0xbc, 0xfe, 0x94, 0xb3, 0x02, 0x69,
+    0xed, 0xfe, 0x72, 0xfe, 0x9b, 0x6a, 0xa4, 0xbd, 0x7b, 0x5a, 0x0f, 0x1c,
+    0x71, 0xcf, 0xff, 0x4c, 0x19, 0xc4, 0x18, 0xe1, 0xf6, 0xec, 0x01, 0x79,
+    0x81, 0xbc, 0x08, 0x7f, 0x2a, 0x70, 0x65, 0xb3, 0x84, 0xb8, 0x90, 0xd3,
+    0x19, 0x1f, 0x2b, 0xfa,
+};
+static const uint8_t kRFC5114_2048_224Q[] = {
+    0x80, 0x1c, 0x0d, 0x34, 0xc5, 0x8d, 0x93, 0xfe, 0x99, 0x71,
+    0x77, 0x10, 0x1f, 0x80, 0x53, 0x5a, 0x47, 0x38, 0xce, 0xbc,
+    0xbf, 0x38, 0x9a, 0x99, 0xb3, 0x63, 0x71, 0xeb,
 };
-
-#define MAKE_RFC5114_TEST_DATA(pre)                                           \
-  {                                                                           \
-    DH_get_##pre, kDHTest##pre##_xA, sizeof(kDHTest##pre##_xA),               \
-        kDHTest##pre##_yA, sizeof(kDHTest##pre##_yA), kDHTest##pre##_xB,      \
-        sizeof(kDHTest##pre##_xB), kDHTest##pre##_yB,                         \
-        sizeof(kDHTest##pre##_yB), kDHTest##pre##_Z, sizeof(kDHTest##pre##_Z) \
-  }
-
-static const RFC5114TestData kRFCTestData[] = {
-    MAKE_RFC5114_TEST_DATA(1024_160),
-    MAKE_RFC5114_TEST_DATA(2048_224),
-    MAKE_RFC5114_TEST_DATA(2048_256),
- };
-
-static bool RunRFC5114Tests() {
-  for (unsigned i = 0; i < sizeof(kRFCTestData) / sizeof(RFC5114TestData); i++) {
-    const RFC5114TestData *td = kRFCTestData + i;
-    /* Set up DH structures setting key components */
-    bssl::UniquePtr<DH> dhA(td->get_param(nullptr));
-    bssl::UniquePtr<DH> dhB(td->get_param(nullptr));
-    if (!dhA || !dhB) {
-      fprintf(stderr, "Initialisation error RFC5114 set %u\n", i + 1);
-      return false;
-    }
-
-    dhA->priv_key = BN_bin2bn(td->xA, td->xA_len, nullptr);
-    dhA->pub_key = BN_bin2bn(td->yA, td->yA_len, nullptr);
-
-    dhB->priv_key = BN_bin2bn(td->xB, td->xB_len, nullptr);
-    dhB->pub_key = BN_bin2bn(td->yB, td->yB_len, nullptr);
-
-    if (!dhA->priv_key || !dhA->pub_key || !dhB->priv_key || !dhB->pub_key) {
-      fprintf(stderr, "BN_bin2bn error RFC5114 set %u\n", i + 1);
-      return false;
-    }
-
-    if ((td->Z_len != (size_t)DH_size(dhA.get())) ||
-        (td->Z_len != (size_t)DH_size(dhB.get()))) {
-      return false;
-    }
-
-    std::vector<uint8_t> Z1(DH_size(dhA.get()));
-    std::vector<uint8_t> Z2(DH_size(dhB.get()));
-    /* Work out shared secrets using both sides and compare
-     * with expected values. */
-    int ret1 = DH_compute_key(Z1.data(), dhB->pub_key, dhA.get());
-    int ret2 = DH_compute_key(Z2.data(), dhA->pub_key, dhB.get());
-    if (ret1 < 0 || ret2 < 0) {
-      fprintf(stderr, "DH_compute_key error RFC5114 set %u\n", i + 1);
-      return false;
-    }
-
-    if (static_cast<size_t>(ret1) != td->Z_len ||
-        OPENSSL_memcmp(Z1.data(), td->Z, td->Z_len) != 0 ||
-        static_cast<size_t>(ret2) != td->Z_len ||
-        OPENSSL_memcmp(Z2.data(), td->Z, td->Z_len) != 0) {
-      fprintf(stderr, "Test failed RFC5114 set %u\n", i + 1);
-      return false;
-    }
-
-    printf("RFC5114 parameter test %u OK\n", i + 1);
-  }
-
-  return 1;
-}

 // kRFC5114_2048_224BadY is a bad y-coordinate for RFC 5114's 2048-bit MODP
 // Group with 224-bit Prime Order Subgroup (section 2.2).
@@ -510,7 +285,14 @@ static const uint8_t kRFC5114_2048_224BadY[] = {
 };

 static bool TestBadY() {
-  bssl::UniquePtr<DH> dh(DH_get_2048_224(nullptr));
+  bssl::UniquePtr<DH> dh(DH_new());
+  dh->p = BN_bin2bn(kRFC5114_2048_224P, sizeof(kRFC5114_2048_224P), nullptr);
+  dh->g = BN_bin2bn(kRFC5114_2048_224G, sizeof(kRFC5114_2048_224G), nullptr);
+  dh->q = BN_bin2bn(kRFC5114_2048_224Q, sizeof(kRFC5114_2048_224Q), nullptr);
+  if (!dh->p || !dh->g || !dh->q) {
+    return false;
+  }
+
  bssl::UniquePtr<BIGNUM> pub_key(
      BN_bin2bn(kRFC5114_2048_224BadY, sizeof(kRFC5114_2048_224BadY), nullptr));
  if (!dh || !pub_key || !DH_generate_key(dh.get())) {
@@ -57,166 +57,6 @@
 #include "../fipsmodule/bn/internal.h"


-static const BN_ULONG dh1024_160_p[] = {
-    TOBN(0xDF1FB2BC, 0x2E4A4371), TOBN(0xE68CFDA7, 0x6D4DA708),
-    TOBN(0x45BF37DF, 0x365C1A65), TOBN(0xA151AF5F, 0x0DC8B4BD),
-    TOBN(0xFAA31A4F, 0xF55BCCC0), TOBN(0x4EFFD6FA, 0xE5644738),
-    TOBN(0x98488E9C, 0x219A7372), TOBN(0xACCBDD7D, 0x90C4BD70),
-    TOBN(0x24975C3C, 0xD49B83BF), TOBN(0x13ECB4AE, 0xA9061123),
-    TOBN(0x9838EF1E, 0x2EE652C0), TOBN(0x6073E286, 0x75A23D18),
-    TOBN(0x9A6A9DCA, 0x52D23B61), TOBN(0x52C99FBC, 0xFB06A3C6),
-    TOBN(0xDE92DE5E, 0xAE5D54EC), TOBN(0xB10B8F96, 0xA080E01D),
-};
-static const BN_ULONG dh1024_160_g[] = {
-    TOBN(0x855E6EEB, 0x22B3B2E5), TOBN(0x858F4DCE, 0xF97C2A24),
-    TOBN(0x2D779D59, 0x18D08BC8), TOBN(0xD662A4D1, 0x8E73AFA3),
-    TOBN(0x1DBF0A01, 0x69B6A28A), TOBN(0xA6A24C08, 0x7A091F53),
-    TOBN(0x909D0D22, 0x63F80A76), TOBN(0xD7FBD7D3, 0xB9A92EE1),
-    TOBN(0x5E91547F, 0x9E2749F4), TOBN(0x160217B4, 0xB01B886A),
-    TOBN(0x777E690F, 0x5504F213), TOBN(0x266FEA1E, 0x5C41564B),
-    TOBN(0xD6406CFF, 0x14266D31), TOBN(0xF8104DD2, 0x58AC507F),
-    TOBN(0x6765A442, 0xEFB99905), TOBN(0xA4D1CBD5, 0xC3FD3412),
-};
-static const BN_ULONG dh1024_160_q[] = {
-    TOBN(0x64B7CB9D, 0x49462353), TOBN(0x81A8DF27, 0x8ABA4E7D), 0xF518AA87,
-};
-
-static const BN_ULONG dh2048_224_p[] = {
-    TOBN(0x0AC4DFFE, 0x0C10E64F), TOBN(0xCF9DE538, 0x4E71B81C),
-    TOBN(0x7EF363E2, 0xFFA31F71), TOBN(0xE3FB73C1, 0x6B8E75B9),
-    TOBN(0xC9B53DCF, 0x4BA80A29), TOBN(0x23F10B0E, 0x16E79763),
-    TOBN(0xC52172E4, 0x13042E9B), TOBN(0xBE60E69C, 0xC928B2B9),
-    TOBN(0x80CD86A1, 0xB9E587E8), TOBN(0x315D75E1, 0x98C641A4),
-    TOBN(0xCDF93ACC, 0x44328387), TOBN(0x15987D9A, 0xDC0A486D),
-    TOBN(0x7310F712, 0x1FD5A074), TOBN(0x278273C7, 0xDE31EFDC),
-    TOBN(0x1602E714, 0x415D9330), TOBN(0x81286130, 0xBC8985DB),
-    TOBN(0xB3BF8A31, 0x70918836), TOBN(0x6A00E0A0, 0xB9C49708),
-    TOBN(0xC6BA0B2C, 0x8BBC27BE), TOBN(0xC9F98D11, 0xED34DBF6),
-    TOBN(0x7AD5B7D0, 0xB6C12207), TOBN(0xD91E8FEF, 0x55B7394B),
-    TOBN(0x9037C9ED, 0xEFDA4DF8), TOBN(0x6D3F8152, 0xAD6AC212),
-    TOBN(0x1DE6B85A, 0x1274A0A6), TOBN(0xEB3D688A, 0x309C180E),
-    TOBN(0xAF9A3C40, 0x7BA1DF15), TOBN(0xE6FA141D, 0xF95A56DB),
-    TOBN(0xB54B1597, 0xB61D0A75), TOBN(0xA20D64E5, 0x683B9FD1),
-    TOBN(0xD660FAA7, 0x9559C51F), TOBN(0xAD107E1E, 0x9123A9D0),
-};
-
-static const BN_ULONG dh2048_224_g[] = {
-    TOBN(0x84B890D3, 0x191F2BFA), TOBN(0x81BC087F, 0x2A7065B3),
-    TOBN(0x19C418E1, 0xF6EC0179), TOBN(0x7B5A0F1C, 0x71CFFF4C),
-    TOBN(0xEDFE72FE, 0x9B6AA4BD), TOBN(0x81E1BCFE, 0x94B30269),
-    TOBN(0x566AFBB4, 0x8D6C0191), TOBN(0xB539CCE3, 0x409D13CD),
-    TOBN(0x6AA21E7F, 0x5F2FF381), TOBN(0xD9E263E4, 0x770589EF),
-    TOBN(0x10E183ED, 0xD19963DD), TOBN(0xB70A8137, 0x150B8EEB),
-    TOBN(0x051AE3D4, 0x28C8F8AC), TOBN(0xBB77A86F, 0x0C1AB15B),
-    TOBN(0x6E3025E3, 0x16A330EF), TOBN(0x19529A45, 0xD6F83456),
-    TOBN(0xF180EB34, 0x118E98D1), TOBN(0xB5F6C6B2, 0x50717CBE),
-    TOBN(0x09939D54, 0xDA7460CD), TOBN(0xE2471504, 0x22EA1ED4),
-    TOBN(0xB8A762D0, 0x521BC98A), TOBN(0xF4D02727, 0x5AC1348B),
-    TOBN(0xC1766910, 0x1999024A), TOBN(0xBE5E9001, 0xA8D66AD7),
-    TOBN(0xC57DB17C, 0x620A8652), TOBN(0xAB739D77, 0x00C29F52),
-    TOBN(0xDD921F01, 0xA70C4AFA), TOBN(0xA6824A4E, 0x10B9A6F0),
-    TOBN(0x74866A08, 0xCFE4FFE3), TOBN(0x6CDEBE7B, 0x89998CAF),
-    TOBN(0x9DF30B5C, 0x8FFDAC50), TOBN(0xAC4032EF, 0x4F2D9AE3),
-};
-
-static const BN_ULONG dh2048_224_q[] = {
-    TOBN(0xBF389A99, 0xB36371EB), TOBN(0x1F80535A, 0x4738CEBC),
-    TOBN(0xC58D93FE, 0x99717710), 0x801C0D34,
-};
-
-static const BN_ULONG dh2048_256_p[] = {
-    TOBN(0xDB094AE9, 0x1E1A1597), TOBN(0x693877FA, 0xD7EF09CA),
-    TOBN(0x6116D227, 0x6E11715F), TOBN(0xA4B54330, 0xC198AF12),
-    TOBN(0x75F26375, 0xD7014103), TOBN(0xC3A3960A, 0x54E710C3),
-    TOBN(0xDED4010A, 0xBD0BE621), TOBN(0xC0B857F6, 0x89962856),
-    TOBN(0xB3CA3F79, 0x71506026), TOBN(0x1CCACB83, 0xE6B486F6),
-    TOBN(0x67E144E5, 0x14056425), TOBN(0xF6A167B5, 0xA41825D9),
-    TOBN(0x3AD83477, 0x96524D8E), TOBN(0xF13C6D9A, 0x51BFA4AB),
-    TOBN(0x2D525267, 0x35488A0E), TOBN(0xB63ACAE1, 0xCAA6B790),
-    TOBN(0x4FDB70C5, 0x81B23F76), TOBN(0xBC39A0BF, 0x12307F5C),
-    TOBN(0xB941F54E, 0xB1E59BB8), TOBN(0x6C5BFC11, 0xD45F9088),
-    TOBN(0x22E0B1EF, 0x4275BF7B), TOBN(0x91F9E672, 0x5B4758C0),
-    TOBN(0x5A8A9D30, 0x6BCF67ED), TOBN(0x209E0C64, 0x97517ABD),
-    TOBN(0x3BF4296D, 0x830E9A7C), TOBN(0x16C3D911, 0x34096FAA),
-    TOBN(0xFAF7DF45, 0x61B2AA30), TOBN(0xE00DF8F1, 0xD61957D4),
-    TOBN(0x5D2CEED4, 0x435E3B00), TOBN(0x8CEEF608, 0x660DD0F2),
-    TOBN(0xFFBBD19C, 0x65195999), TOBN(0x87A8E61D, 0xB4B6663C),
-};
-static const BN_ULONG dh2048_256_g[] = {
-    TOBN(0x664B4C0F, 0x6CC41659), TOBN(0x5E2327CF, 0xEF98C582),
-    TOBN(0xD647D148, 0xD4795451), TOBN(0x2F630784, 0x90F00EF8),
-    TOBN(0x184B523D, 0x1DB246C3), TOBN(0xC7891428, 0xCDC67EB6),
-    TOBN(0x7FD02837, 0x0DF92B52), TOBN(0xB3353BBB, 0x64E0EC37),
-    TOBN(0xECD06E15, 0x57CD0915), TOBN(0xB7D2BBD2, 0xDF016199),
-    TOBN(0xC8484B1E, 0x052588B9), TOBN(0xDB2A3B73, 0x13D3FE14),
-    TOBN(0xD052B985, 0xD182EA0A), TOBN(0xA4BD1BFF, 0xE83B9C80),
-    TOBN(0xDFC967C1, 0xFB3F2E55), TOBN(0xB5045AF2, 0x767164E1),
-    TOBN(0x1D14348F, 0x6F2F9193), TOBN(0x64E67982, 0x428EBC83),
-    TOBN(0x8AC376D2, 0x82D6ED38), TOBN(0x777DE62A, 0xAAB8A862),
-    TOBN(0xDDF463E5, 0xE9EC144B), TOBN(0x0196F931, 0xC77A57F2),
-    TOBN(0xA55AE313, 0x41000A65), TOBN(0x901228F8, 0xC28CBB18),
-    TOBN(0xBC3773BF, 0x7E8C6F62), TOBN(0xBE3A6C1B, 0x0C6B47B1),
-    TOBN(0xFF4FED4A, 0xAC0BB555), TOBN(0x10DBC150, 0x77BE463F),
-    TOBN(0x07F4793A, 0x1A0BA125), TOBN(0x4CA7B18F, 0x21EF2054),
-    TOBN(0x2E775066, 0x60EDBD48), TOBN(0x3FB32C9B, 0x73134D0B),
-};
-static const BN_ULONG dh2048_256_q[] = {
-    TOBN(0xA308B0FE, 0x64F5FBD3), TOBN(0x99B1A47D, 0x1EB3750B),
-    TOBN(0xB4479976, 0x40129DA2), TOBN(0x8CF83642, 0xA709A097),
-};
-
-struct standard_parameters {
-  BIGNUM p, q, g;
-};
-
-static const struct standard_parameters dh1024_160 = {
-  STATIC_BIGNUM(dh1024_160_p),
-  STATIC_BIGNUM(dh1024_160_q),
-  STATIC_BIGNUM(dh1024_160_g),
-};
-
-static const struct standard_parameters dh2048_224 = {
-  STATIC_BIGNUM(dh2048_224_p),
-  STATIC_BIGNUM(dh2048_224_q),
-  STATIC_BIGNUM(dh2048_224_g),
-};
-
-static const struct standard_parameters dh2048_256 = {
-  STATIC_BIGNUM(dh2048_256_p),
-  STATIC_BIGNUM(dh2048_256_q),
-  STATIC_BIGNUM(dh2048_256_g),
-};
-
-static DH *get_standard_parameters(const struct standard_parameters *params,
-                                   const ENGINE *engine) {
-  DH *dh = DH_new();
-  if (!dh) {
-    return NULL;
-  }
-
-  dh->p = BN_dup(&params->p);
-  dh->q = BN_dup(&params->q);
-  dh->g = BN_dup(&params->g);
-  if (!dh->p || !dh->q || !dh->g) {
-    DH_free(dh);
-    return NULL;
-  }
-
-  return dh;
-}
-
-DH *DH_get_1024_160(const ENGINE *engine) {
-  return get_standard_parameters(&dh1024_160, engine);
-}
-
-DH *DH_get_2048_224(const ENGINE *engine) {
-  return get_standard_parameters(&dh2048_224, engine);
-}
-
-DH *DH_get_2048_256(const ENGINE *engine) {
-  return get_standard_parameters(&dh2048_256, engine);
-}
-
 BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *ret) {
  static const BN_ULONG kPrime1536Data[] = {
      TOBN(0xffffffff, 0xffffffff), TOBN(0xf1746c08, 0xca237327),
@@ -62,7 +62,6 @@
 #include <openssl/bytestring.h>
 #include <openssl/nid.h>

-#include "internal.h"
 #include "../internal.h"


@@ -82,11 +81,11 @@ static const struct nid_to_digest nid_to_digest_mapping[] = {
    {NID_sha384, EVP_sha384, SN_sha384, LN_sha384},
    {NID_sha512, EVP_sha512, SN_sha512, LN_sha512},
    {NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1},
-    /* As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding
-     * hash function when given a signature OID. To avoid unintended lax parsing
-     * of hash OIDs, this is no longer supported for lookup by OID or NID.
-     * Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to
-     * consumers so we retain it there. */
+    // As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding
+    // hash function when given a signature OID. To avoid unintended lax parsing
+    // of hash OIDs, this is no longer supported for lookup by OID or NID.
+    // Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to
+    // consumers so we retain it there.
    {NID_undef, EVP_sha1, SN_dsaWithSHA, LN_dsaWithSHA},
    {NID_undef, EVP_sha1, SN_dsaWithSHA1, LN_dsaWithSHA1},
    {NID_undef, EVP_sha1, SN_ecdsa_with_SHA1, NULL},
@@ -104,7 +103,7 @@ static const struct nid_to_digest nid_to_digest_mapping[] = {

 const EVP_MD* EVP_get_digestbynid(int nid) {
  if (nid == NID_undef) {
-    /* Skip the |NID_undef| entries in |nid_to_digest_mapping|. */
+    // Skip the |NID_undef| entries in |nid_to_digest_mapping|.
    return NULL;
  }

@@ -120,22 +119,22 @@ const EVP_MD* EVP_get_digestbynid(int nid) {
 static const struct {
  uint8_t oid[9];
  uint8_t oid_len;
-  const EVP_MD *(*md_func) (void);
+  int nid;
 } kMDOIDs[] = {
-  /* 1.2.840.113549.2.4 */
-  { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, 8, EVP_md4 },
-  /* 1.2.840.113549.2.5 */
-  { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05}, 8, EVP_md5 },
-  /* 1.3.14.3.2.26 */
-  { {0x2b, 0x0e, 0x03, 0x02, 0x1a}, 5, EVP_sha1 },
-  /* 2.16.840.1.101.3.4.2.1 */
-  { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}, 9, EVP_sha256 },
-  /* 2.16.840.1.101.3.4.2.2 */
-  { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}, 9, EVP_sha384 },
-  /* 2.16.840.1.101.3.4.2.3 */
-  { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}, 9, EVP_sha512 },
-  /* 2.16.840.1.101.3.4.2.4 */
-  { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}, 9, EVP_sha224 },
+  // 1.2.840.113549.2.4
+  { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, 8, NID_md4 },
+  // 1.2.840.113549.2.5
+  { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05}, 8, NID_md5 },
+  // 1.3.14.3.2.26
+  { {0x2b, 0x0e, 0x03, 0x02, 0x1a}, 5, NID_sha1 },
+  // 2.16.840.1.101.3.4.2.1
+  { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}, 9, NID_sha256 },
+  // 2.16.840.1.101.3.4.2.2
+  { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}, 9, NID_sha384 },
+  // 2.16.840.1.101.3.4.2.3
+  { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}, 9, NID_sha512 },
+  // 2.16.840.1.101.3.4.2.4
+  { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}, 9, NID_sha224 },
 };

 static const EVP_MD *cbs_to_md(const CBS *cbs) {
@@ -143,7 +142,7 @@ static const EVP_MD *cbs_to_md(const CBS *cbs) {
    if (CBS_len(cbs) == kMDOIDs[i].oid_len &&
        OPENSSL_memcmp(CBS_data(cbs), kMDOIDs[i].oid, kMDOIDs[i].oid_len) ==
            0) {
-      return kMDOIDs[i].md_func();
+      return EVP_get_digestbynid(kMDOIDs[i].nid);
    }
  }

@@ -151,7 +150,7 @@ static const EVP_MD *cbs_to_md(const CBS *cbs) {
 }

 const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj) {
-  /* Handle objects with no corresponding OID. */
+  // Handle objects with no corresponding OID.
  if (obj->nid != NID_undef) {
    return EVP_get_digestbynid(obj->nid);
  }
@@ -175,10 +174,10 @@ const EVP_MD *EVP_parse_digest_algorithm(CBS *cbs) {
    return NULL;
  }

-  /* The parameters, if present, must be NULL. Historically, whether the NULL
-   * was included or omitted was not well-specified. When parsing an
-   * AlgorithmIdentifier, we allow both. (Note this code is not used when
-   * verifying RSASSA-PKCS1-v1_5 signatures.) */
+  // The parameters, if present, must be NULL. Historically, whether the NULL
+  // was included or omitted was not well-specified. When parsing an
+  // AlgorithmIdentifier, we allow both. (Note this code is not used when
+  // verifying RSASSA-PKCS1-v1_5 signatures.)
  if (CBS_len(&algorithm) > 0) {
    CBS param;
    if (!CBS_get_asn1(&algorithm, &param, CBS_ASN1_NULL) ||
@@ -192,6 +191,41 @@ const EVP_MD *EVP_parse_digest_algorithm(CBS *cbs) {
  return ret;
 }

+int EVP_marshal_digest_algorithm(CBB *cbb, const EVP_MD *md) {
+  CBB algorithm, oid, null;
+  if (!CBB_add_asn1(cbb, &algorithm, CBS_ASN1_SEQUENCE) ||
+      !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT)) {
+    OPENSSL_PUT_ERROR(DIGEST, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  int found = 0;
+  int nid = EVP_MD_type(md);
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMDOIDs); i++) {
+    if (nid == kMDOIDs[i].nid) {
+      if (!CBB_add_bytes(&oid, kMDOIDs[i].oid, kMDOIDs[i].oid_len)) {
+        OPENSSL_PUT_ERROR(DIGEST, ERR_R_MALLOC_FAILURE);
+        return 0;
+      }
+      found = 1;
+      break;
+    }
+  }
+
+  if (!found) {
+    OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_UNKNOWN_HASH);
+    return 0;
+  }
+
+  if (!CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) ||
+      !CBB_flush(cbb)) {
+    OPENSSL_PUT_ERROR(DIGEST, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  return 1;
+}
+
 const EVP_MD *EVP_get_digestbyname(const char *name) {
  for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(nid_to_digest_mapping); i++) {
    const char *short_name = nid_to_digest_mapping[i].short_name;
@@ -21,6 +21,7 @@
 #include <gtest/gtest.h>

 #include <openssl/asn1.h>
+#include <openssl/bytestring.h>
 #include <openssl/crypto.h>
 #include <openssl/digest.h>
 #include <openssl/err.h>
@@ -31,6 +32,7 @@
 #include <openssl/sha.h>

 #include "../internal.h"
+#include "../test/test_util.h"


 struct MD {
@@ -215,3 +217,44 @@ TEST(DigestTest, Getters) {
  EXPECT_EQ(EVP_md5_sha1(), EVP_get_digestbyobj(OBJ_nid2obj(NID_md5_sha1)));
  EXPECT_EQ(EVP_sha1(), EVP_get_digestbyobj(OBJ_nid2obj(NID_sha1)));
 }
+
+TEST(DigestTest, ASN1) {
+  bssl::ScopedCBB cbb;
+  ASSERT_TRUE(CBB_init(cbb.get(), 0));
+  EXPECT_FALSE(EVP_marshal_digest_algorithm(cbb.get(), EVP_md5_sha1()));
+
+  static const uint8_t kSHA256[] = {0x30, 0x0d, 0x06, 0x09, 0x60,
+                                    0x86, 0x48, 0x01, 0x65, 0x03,
+                                    0x04, 0x02, 0x01, 0x05, 0x00};
+  static const uint8_t kSHA256NoParam[] = {0x30, 0x0b, 0x06, 0x09, 0x60,
+                                           0x86, 0x48, 0x01, 0x65, 0x03,
+                                           0x04, 0x02, 0x01};
+  static const uint8_t kSHA256GarbageParam[] = {
+      0x30, 0x0e, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+      0x65, 0x03, 0x04, 0x02, 0x01, 0x02, 0x01, 0x2a};
+
+  // Serialize SHA-256.
+  cbb.Reset();
+  ASSERT_TRUE(CBB_init(cbb.get(), 0));
+  ASSERT_TRUE(EVP_marshal_digest_algorithm(cbb.get(), EVP_sha256()));
+  uint8_t *der;
+  size_t der_len;
+  ASSERT_TRUE(CBB_finish(cbb.get(), &der, &der_len));
+  bssl::UniquePtr<uint8_t> free_der(der);
+  EXPECT_EQ(Bytes(kSHA256), Bytes(der, der_len));
+
+  // Parse SHA-256.
+  CBS cbs;
+  CBS_init(&cbs, kSHA256, sizeof(kSHA256));
+  EXPECT_EQ(EVP_sha256(), EVP_parse_digest_algorithm(&cbs));
+  EXPECT_EQ(0u, CBS_len(&cbs));
+
+  // Missing parameters are tolerated for compatibility.
+  CBS_init(&cbs, kSHA256NoParam, sizeof(kSHA256NoParam));
+  EXPECT_EQ(EVP_sha256(), EVP_parse_digest_algorithm(&cbs));
+  EXPECT_EQ(0u, CBS_len(&cbs));
+
+  // Garbage parameters are not.
+  CBS_init(&cbs, kSHA256GarbageParam, sizeof(kSHA256GarbageParam));
+  EXPECT_FALSE(EVP_parse_digest_algorithm(&cbs));
+}
@@ -1,32 +0,0 @@
-/* Copyright (c) 2017, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#ifndef OPENSSL_HEADER_DIGEST_EXTRA_INTERNAL_H
-#define OPENSSL_HEADER_DIGEST_EXTRA_INTERNAL_H
-
-#include <openssl/base.h>
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-
-const EVP_MD *EVP_parse_digest_algorithm(CBS *cbs);
-
-
-#if defined(__cplusplus)
-}  /* extern C */
-#endif
-
-#endif  /* OPENSSL_HEADER_DIGEST_EXTRA_INTERNAL */
@@ -78,8 +78,8 @@

 #define OPENSSL_DSA_MAX_MODULUS_BITS 10000

-/* Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
- * Rabin-Miller */
+// Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
+// Rabin-Miller
 #define DSS_prime_checks 50

 static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
@@ -153,6 +153,46 @@ void DSA_get0_pqg(const DSA *dsa, const BIGNUM **out_p, const BIGNUM **out_q,
  }
 }

+int DSA_set0_key(DSA *dsa, BIGNUM *pub_key, BIGNUM *priv_key) {
+  if (dsa->pub_key == NULL && pub_key == NULL) {
+    return 0;
+  }
+
+  if (pub_key != NULL) {
+    BN_free(dsa->pub_key);
+    dsa->pub_key = pub_key;
+  }
+  if (priv_key != NULL) {
+    BN_free(dsa->priv_key);
+    dsa->priv_key = priv_key;
+  }
+
+  return 1;
+}
+
+int DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
+  if ((dsa->p == NULL && p == NULL) ||
+      (dsa->q == NULL && q == NULL) ||
+      (dsa->g == NULL && g == NULL)) {
+    return 0;
+  }
+
+  if (p != NULL) {
+    BN_free(dsa->p);
+    dsa->p = p;
+  }
+  if (q != NULL) {
+    BN_free(dsa->q);
+    dsa->q = q;
+  }
+  if (g != NULL) {
+    BN_free(dsa->g);
+    dsa->g = g;
+  }
+
+  return 1;
+}
+
 int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
                               size_t seed_len, int *out_counter,
                               unsigned long *out_h, BN_GENCB *cb) {
@@ -186,7 +226,7 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
      return 0;
    }
    if (seed_len > (size_t)qsize) {
-      /* Only consume as much seed as is expected. */
+      // Only consume as much seed as is expected.
      seed_len = qsize;
    }
    OPENSSL_memcpy(seed, seed_in, seed_len);
@@ -217,9 +257,9 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
  }

  for (;;) {
-    /* Find q. */
+    // Find q.
    for (;;) {
-      /* step 1 */
+      // step 1
      if (!BN_GENCB_call(cb, 0, m++)) {
        goto err;
      }
@@ -230,12 +270,12 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
          goto err;
        }
      } else {
-        /* If we come back through, use random seed next time. */
+        // If we come back through, use random seed next time.
        seed_in = NULL;
      }
      OPENSSL_memcpy(buf, seed, qsize);
      OPENSSL_memcpy(buf2, seed, qsize);
-      /* precompute "SEED + 1" for step 7: */
+      // precompute "SEED + 1" for step 7:
      for (i = qsize - 1; i < qsize; i--) {
        buf[i]++;
        if (buf[i] != 0) {
@@ -243,7 +283,7 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
        }
      }

-      /* step 2 */
+      // step 2
      if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL) ||
          !EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) {
        goto err;
@@ -252,14 +292,14 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
        md[i] ^= buf2[i];
      }

-      /* step 3 */
+      // step 3
      md[0] |= 0x80;
      md[qsize - 1] |= 0x01;
      if (!BN_bin2bn(md, qsize, q)) {
        goto err;
      }

-      /* step 4 */
+      // step 4
      r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, cb);
      if (r > 0) {
        break;
@@ -268,17 +308,17 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
        goto err;
      }

-      /* do a callback call */
-      /* step 5 */
+      // do a callback call
+      // step 5
    }

    if (!BN_GENCB_call(cb, 2, 0) || !BN_GENCB_call(cb, 3, 0)) {
      goto err;
    }

-    /* step 6 */
+    // step 6
    counter = 0;
-    /* "offset = 2" */
+    // "offset = 2"

    n = (bits - 1) / 160;

@@ -287,11 +327,11 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
        goto err;
      }

-      /* step 7 */
+      // step 7
      BN_zero(W);
-      /* now 'buf' contains "SEED + offset - 1" */
+      // now 'buf' contains "SEED + offset - 1"
      for (k = 0; k <= n; k++) {
-        /* obtain "SEED + offset + k" by incrementing: */
+        // obtain "SEED + offset + k" by incrementing:
        for (i = qsize - 1; i < qsize; i--) {
          buf[i]++;
          if (buf[i] != 0) {
@@ -303,7 +343,7 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
          goto err;
        }

-        /* step 8 */
+        // step 8
        if (!BN_bin2bn(md, qsize, r0) ||
            !BN_lshift(r0, r0, (qsize << 3) * k) ||
            !BN_add(W, W, r0)) {
@@ -311,14 +351,14 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
        }
      }

-      /* more of step 8 */
+      // more of step 8
      if (!BN_mask_bits(W, bits - 1) ||
          !BN_copy(X, W) ||
          !BN_add(X, X, test)) {
        goto err;
      }

-      /* step 9 */
+      // step 9
      if (!BN_lshift1(r0, q) ||
          !BN_mod(c, X, r0, ctx) ||
          !BN_sub(r0, c, BN_value_one()) ||
@@ -326,23 +366,23 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
        goto err;
      }

-      /* step 10 */
+      // step 10
      if (BN_cmp(p, test) >= 0) {
-        /* step 11 */
+        // step 11
        r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);
        if (r > 0) {
-          goto end; /* found it */
+          goto end;  // found it
        }
        if (r != 0) {
          goto err;
        }
      }

-      /* step 13 */
+      // step 13
      counter++;
-      /* "offset = offset + n + 1" */
+      // "offset = offset + n + 1"

-      /* step 14 */
+      // step 14
      if (counter >= 4096) {
        break;
      }
@@ -353,8 +393,8 @@ end:
    goto err;
  }

-  /* We now need to generate g */
-  /* Set r0=(p-1)/q */
+  // We now need to generate g
+  // Set r0=(p-1)/q
  if (!BN_sub(test, p, BN_value_one()) ||
      !BN_div(r0, NULL, test, q, ctx)) {
    goto err;
@@ -366,7 +406,7 @@ end:
  }

  for (;;) {
-    /* g=test^r0%p */
+    // g=test^r0%p
    if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) {
      goto err;
    }
@@ -544,9 +584,9 @@ redo:
  }

  if (digest_len > BN_num_bytes(dsa->q)) {
-    /* if the digest length is greater than the size of q use the
-     * BN_num_bits(dsa->q) leftmost bits of the digest, see
-     * fips 186-3, 4.2 */
+    // if the digest length is greater than the size of q use the
+    // BN_num_bits(dsa->q) leftmost bits of the digest, see
+    // fips 186-3, 4.2
    digest_len = BN_num_bytes(dsa->q);
  }

@@ -554,12 +594,12 @@ redo:
    goto err;
  }

-  /* Compute  s = inv(k) (m + xr) mod q */
+  // Compute  s = inv(k) (m + xr) mod q
  if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) {
-    goto err; /* s = xr */
+    goto err;  // s = xr
  }
  if (!BN_add(s, &xr, &m)) {
-    goto err; /* s = m + xr */
+    goto err;  // s = m + xr
  }
  if (BN_cmp(s, dsa->q) > 0) {
    if (!BN_sub(s, s, dsa->q)) {
@@ -570,8 +610,8 @@ redo:
    goto err;
  }

-  /* Redo if r or s is zero as required by FIPS 186-3: this is
-   * very unlikely. */
+  // Redo if r or s is zero as required by FIPS 186-3: this is
+  // very unlikely.
  if (BN_is_zero(r) || BN_is_zero(s)) {
    if (noredo) {
      reason = DSA_R_NEED_NEW_SETUP_VALUES;
@@ -624,7 +664,7 @@ int DSA_do_check_signature(int *out_valid, const uint8_t *digest,
  }

  i = BN_num_bits(dsa->q);
-  /* fips 186-3 allows only different sizes for q */
+  // fips 186-3 allows only different sizes for q
  if (i != 160 && i != 224 && i != 256) {
    OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);
    return 0;
@@ -655,17 +695,17 @@ int DSA_do_check_signature(int *out_valid, const uint8_t *digest,
    goto err;
  }

-  /* Calculate W = inv(S) mod Q
-   * save W in u2 */
+  // Calculate W = inv(S) mod Q
+  // save W in u2
  if (BN_mod_inverse(&u2, sig->s, dsa->q, ctx) == NULL) {
    goto err;
  }

-  /* save M in u1 */
+  // save M in u1
  if (digest_len > (i >> 3)) {
-    /* if the digest length is greater than the size of q use the
-     * BN_num_bits(dsa->q) leftmost bits of the digest, see
-     * fips 186-3, 4.2 */
+    // if the digest length is greater than the size of q use the
+    // BN_num_bits(dsa->q) leftmost bits of the digest, see
+    // fips 186-3, 4.2
    digest_len = (i >> 3);
  }

@@ -673,12 +713,12 @@ int DSA_do_check_signature(int *out_valid, const uint8_t *digest,
    goto err;
  }

-  /* u1 = M * w mod q */
+  // u1 = M * w mod q
  if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) {
    goto err;
  }

-  /* u2 = r * w mod q */
+  // u2 = r * w mod q
  if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) {
    goto err;
  }
@@ -694,14 +734,14 @@ int DSA_do_check_signature(int *out_valid, const uint8_t *digest,
    goto err;
  }

-  /* BN_copy(&u1,&t1); */
-  /* let u1 = u1 mod q */
+  // BN_copy(&u1,&t1);
+  // let u1 = u1 mod q
  if (!BN_mod(&u1, &t1, dsa->q, ctx)) {
    goto err;
  }

-  /* V is now in u1.  If the signature is correct, it will be
-   * equal to R. */
+  // V is now in u1.  If the signature is correct, it will be
+  // equal to R.
  *out_valid = BN_ucmp(&u1, sig->r) == 0;
  ret = 1;

@@ -758,7 +798,7 @@ int DSA_check_signature(int *out_valid, const uint8_t *digest,
    goto err;
  }

-  /* Ensure that the signature uses DER and doesn't have trailing garbage. */
+  // Ensure that the signature uses DER and doesn't have trailing garbage.
  int der_len = i2d_DSA_SIG(s, &der);
  if (der_len < 0 || (size_t)der_len != sig_len ||
      OPENSSL_memcmp(sig, der, sig_len)) {
@@ -773,8 +813,8 @@ err:
  return ret;
 }

-/* der_len_len returns the number of bytes needed to represent a length of |len|
- * in DER. */
+// der_len_len returns the number of bytes needed to represent a length of |len|
+// in DER.
 static size_t der_len_len(size_t len) {
  if (len < 0x80) {
    return 1;
@@ -789,18 +829,18 @@ static size_t der_len_len(size_t len) {

 int DSA_size(const DSA *dsa) {
  size_t order_len = BN_num_bytes(dsa->q);
-  /* Compute the maximum length of an |order_len| byte integer. Defensively
-   * assume that the leading 0x00 is included. */
+  // Compute the maximum length of an |order_len| byte integer. Defensively
+  // assume that the leading 0x00 is included.
  size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
  if (integer_len < order_len) {
    return 0;
  }
-  /* A DSA signature is two INTEGERs. */
+  // A DSA signature is two INTEGERs.
  size_t value_len = 2 * integer_len;
  if (value_len < integer_len) {
    return 0;
  }
-  /* Add the header. */
+  // Add the header.
  size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
  if (ret < value_len) {
    return 0;
@@ -835,7 +875,7 @@ int DSA_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,
    goto err;
  }

-  /* Get random k */
+  // Get random k
  if (!BN_rand_range_ex(&k, 1, dsa->q)) {
    goto err;
  }
@@ -849,16 +889,16 @@ int DSA_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,
    goto err;
  }

-  /* Compute r = (g^k mod p) mod q */
+  // Compute r = (g^k mod p) mod q
  if (!BN_copy(&kq, &k)) {
    goto err;
  }

-  /* We do not want timing information to leak the length of k,
-   * so we compute g^k using an equivalent exponent of fixed length.
-   *
-   * (This is a kludge that we need because the BN_mod_exp_mont()
-   * does not let us specify the desired timing behaviour.) */
+  // We do not want timing information to leak the length of k,
+  // so we compute g^k using an equivalent exponent of fixed length.
+  //
+  // (This is a kludge that we need because the BN_mod_exp_mont()
+  // does not let us specify the desired timing behaviour.)

  if (!BN_add(&kq, &kq, dsa->q)) {
    goto err;
@@ -875,8 +915,8 @@ int DSA_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,
    goto err;
  }

-  /* Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little
-   * Theorem. */
+  // Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little
+  // Theorem.
  kinv = BN_new();
  if (kinv == NULL ||
      !bn_mod_inverse_prime(kinv, &k, dsa->q, ctx, dsa->method_mont_q)) {
@@ -917,35 +957,35 @@ int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
  return index;
 }

-int DSA_set_ex_data(DSA *d, int idx, void *arg) {
-  return CRYPTO_set_ex_data(&d->ex_data, idx, arg);
+int DSA_set_ex_data(DSA *dsa, int idx, void *arg) {
+  return CRYPTO_set_ex_data(&dsa->ex_data, idx, arg);
 }

-void *DSA_get_ex_data(const DSA *d, int idx) {
-  return CRYPTO_get_ex_data(&d->ex_data, idx);
+void *DSA_get_ex_data(const DSA *dsa, int idx) {
+  return CRYPTO_get_ex_data(&dsa->ex_data, idx);
 }

-DH *DSA_dup_DH(const DSA *r) {
-  DH *ret = NULL;
-
-  if (r == NULL) {
-    goto err;
+DH *DSA_dup_DH(const DSA *dsa) {
+  if (dsa == NULL) {
+    return NULL;
  }
-  ret = DH_new();
+
+  DH *ret = DH_new();
  if (ret == NULL) {
    goto err;
  }
-  if (r->q != NULL) {
-    ret->priv_length = BN_num_bits(r->q);
-    if ((ret->q = BN_dup(r->q)) == NULL) {
+  if (dsa->q != NULL) {
+    ret->priv_length = BN_num_bits(dsa->q);
+    if ((ret->q = BN_dup(dsa->q)) == NULL) {
      goto err;
    }
  }
-  if ((r->p != NULL && (ret->p = BN_dup(r->p)) == NULL) ||
-      (r->g != NULL && (ret->g = BN_dup(r->g)) == NULL) ||
-      (r->pub_key != NULL && (ret->pub_key = BN_dup(r->pub_key)) == NULL) ||
-      (r->priv_key != NULL && (ret->priv_key = BN_dup(r->priv_key)) == NULL)) {
-      goto err;
+  if ((dsa->p != NULL && (ret->p = BN_dup(dsa->p)) == NULL) ||
+      (dsa->g != NULL && (ret->g = BN_dup(dsa->g)) == NULL) ||
+      (dsa->pub_key != NULL && (ret->pub_key = BN_dup(dsa->pub_key)) == NULL) ||
+      (dsa->priv_key != NULL &&
+       (ret->priv_key = BN_dup(dsa->priv_key)) == NULL)) {
+    goto err;
  }

  return ret;
@@ -75,7 +75,7 @@ static int parse_integer(CBS *cbs, BIGNUM **out) {

 static int marshal_integer(CBB *cbb, BIGNUM *bn) {
  if (bn == NULL) {
-    /* A DSA object may be missing some components. */
+    // A DSA object may be missing some components.
    OPENSSL_PUT_ERROR(DSA, ERR_R_PASSED_NULL_PARAMETER);
    return 0;
  }
@@ -71,8 +71,8 @@
 #include "../internal.h"


-/* The following values are taken from the updated Appendix 5 to FIPS PUB 186
- * and also appear in Appendix 5 to FIPS PUB 186-1. */
+// The following values are taken from the updated Appendix 5 to FIPS PUB 186
+// and also appear in Appendix 5 to FIPS PUB 186-1.

 static const uint8_t seed[20] = {
    0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b,
@@ -121,7 +121,7 @@ static const uint8_t fips_digest[] = {
    0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d,
 };

-/* fips_sig is a DER-encoded version of the r and s values in FIPS PUB 186-1. */
+// fips_sig is a DER-encoded version of the r and s values in FIPS PUB 186-1.
 static const uint8_t fips_sig[] = {
    0x30, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10,
    0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92,
@@ -130,7 +130,7 @@ static const uint8_t fips_sig[] = {
    0xdc, 0xd8, 0xc8,
 };

-/* fips_sig_negative is fips_sig with r encoded as a negative number. */
+// fips_sig_negative is fips_sig with r encoded as a negative number.
 static const uint8_t fips_sig_negative[] = {
    0x30, 0x2c, 0x02, 0x14, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10, 0x43,
    0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92, 0xb3,
@@ -139,7 +139,7 @@ static const uint8_t fips_sig_negative[] = {
    0xd8, 0xc8,
 };

-/* fip_sig_extra is fips_sig with trailing data. */
+// fip_sig_extra is fips_sig with trailing data.
 static const uint8_t fips_sig_extra[] = {
    0x30, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10,
    0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92,
@@ -148,7 +148,7 @@ static const uint8_t fips_sig_extra[] = {
    0xdc, 0xd8, 0xc8, 0x00,
 };

-/* fips_sig_lengths is fips_sig with a non-minimally encoded length. */
+// fips_sig_lengths is fips_sig with a non-minimally encoded length.
 static const uint8_t fips_sig_bad_length[] = {
    0x30, 0x81, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64,
    0x10, 0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c,
@@ -157,7 +157,7 @@ static const uint8_t fips_sig_bad_length[] = {
    0xb6, 0xdc, 0xd8, 0xc8, 0x00,
 };

-/* fips_sig_bad_r is fips_sig with a bad r value. */
+// fips_sig_bad_r is fips_sig with a bad r value.
 static const uint8_t fips_sig_bad_r[] = {
    0x30, 0x2d, 0x02, 0x15, 0x00, 0x8c, 0xac, 0x1a, 0xb6, 0x64, 0x10,
    0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92,
@@ -299,7 +299,7 @@ static bool TestVerify(const uint8_t *sig, size_t sig_len, int expect) {
    return false;
  }

-  /* Clear any errors from a test with expected failure. */
+  // Clear any errors from a test with expected failure.
  ERR_clear_error();
  return true;
 }
@@ -83,14 +83,14 @@ EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) {
    return NULL;
  }

-  /* Parse the optional parameters field. */
+  // Parse the optional parameters field.
  EC_GROUP *inner_group = NULL;
  EC_KEY *ret = NULL;
  if (CBS_peek_asn1_tag(&ec_private_key, kParametersTag)) {
-    /* Per SEC 1, as an alternative to omitting it, one is allowed to specify
-     * this field and put in a NULL to mean inheriting this value. This was
-     * omitted in a previous version of this logic without problems, so leave it
-     * unimplemented. */
+    // Per SEC 1, as an alternative to omitting it, one is allowed to specify
+    // this field and put in a NULL to mean inheriting this value. This was
+    // omitted in a previous version of this logic without problems, so leave it
+    // unimplemented.
    CBS child;
    if (!CBS_get_asn1(&ec_private_key, &child, kParametersTag)) {
      OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);
@@ -103,7 +103,7 @@ EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) {
    if (group == NULL) {
      group = inner_group;
    } else if (EC_GROUP_cmp(group, inner_group, NULL) != 0) {
-      /* If a group was supplied externally, it must match. */
+      // If a group was supplied externally, it must match.
      OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);
      goto err;
    }
@@ -123,9 +123,9 @@ EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) {
    goto err;
  }

-  /* Although RFC 5915 specifies the length of the key, OpenSSL historically
-   * got this wrong, so accept any length. See upstream's
-   * 30cd4ff294252c4b6a4b69cbef6a5b4117705d22. */
+  // Although RFC 5915 specifies the length of the key, OpenSSL historically
+  // got this wrong, so accept any length. See upstream's
+  // 30cd4ff294252c4b6a4b69cbef6a5b4117705d22.
  ret->priv_key =
      BN_bin2bn(CBS_data(&private_key), CBS_len(&private_key), NULL);
  ret->pub_key = EC_POINT_new(group);
@@ -143,12 +143,12 @@ EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) {
    uint8_t padding;
    if (!CBS_get_asn1(&ec_private_key, &child, kPublicKeyTag) ||
        !CBS_get_asn1(&child, &public_key, CBS_ASN1_BITSTRING) ||
-        /* As in a SubjectPublicKeyInfo, the byte-encoded public key is then
-         * encoded as a BIT STRING with bits ordered as in the DER encoding. */
+        // As in a SubjectPublicKeyInfo, the byte-encoded public key is then
+        // encoded as a BIT STRING with bits ordered as in the DER encoding.
        !CBS_get_u8(&public_key, &padding) ||
        padding != 0 ||
-        /* Explicitly check |public_key| is non-empty to save the conversion
-         * form later. */
+        // Explicitly check |public_key| is non-empty to save the conversion
+        // form later.
        CBS_len(&public_key) == 0 ||
        !EC_POINT_oct2point(group, ret->pub_key, CBS_data(&public_key),
                            CBS_len(&public_key), NULL) ||
@@ -157,17 +157,17 @@ EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) {
      goto err;
    }

-    /* Save the point conversion form.
-     * TODO(davidben): Consider removing this. */
+    // Save the point conversion form.
+    // TODO(davidben): Consider removing this.
    ret->conv_form =
        (point_conversion_form_t)(CBS_data(&public_key)[0] & ~0x01);
  } else {
-    /* Compute the public key instead. */
+    // Compute the public key instead.
    if (!EC_POINT_mul(group, ret->pub_key, ret->priv_key, NULL, NULL, NULL)) {
      goto err;
    }
-    /* Remember the original private-key-only encoding.
-     * TODO(davidben): Consider removing this. */
+    // Remember the original private-key-only encoding.
+    // TODO(davidben): Consider removing this.
    ret->enc_flag |= EC_PKEY_NO_PUBKEY;
  }

@@ -176,7 +176,7 @@ EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) {
    goto err;
  }

-  /* Ensure the resulting key is valid. */
+  // Ensure the resulting key is valid.
  if (!EC_KEY_check_key(ret)) {
    goto err;
  }
@@ -218,13 +218,13 @@ int EC_KEY_marshal_private_key(CBB *cbb, const EC_KEY *key,
    }
  }

-  /* TODO(fork): replace this flexibility with sensible default? */
+  // TODO(fork): replace this flexibility with sensible default?
  if (!(enc_flags & EC_PKEY_NO_PUBKEY) && key->pub_key != NULL) {
    CBB child, public_key;
    if (!CBB_add_asn1(&ec_private_key, &child, kPublicKeyTag) ||
        !CBB_add_asn1(&child, &public_key, CBS_ASN1_BITSTRING) ||
-        /* As in a SubjectPublicKeyInfo, the byte-encoded public key is then
-         * encoded as a BIT STRING with bits ordered as in the DER encoding. */
+        // As in a SubjectPublicKeyInfo, the byte-encoded public key is then
+        // encoded as a BIT STRING with bits ordered as in the DER encoding.
        !CBB_add_u8(&public_key, 0 /* padding */) ||
        !EC_POINT_point2cbb(&public_key, key->group, key->pub_key,
                            key->conv_form, NULL) ||
@@ -242,8 +242,8 @@ int EC_KEY_marshal_private_key(CBB *cbb, const EC_KEY *key,
  return 1;
 }

-/* is_unsigned_integer returns one if |cbs| is a valid unsigned DER INTEGER and
- * zero otherwise. */
+// is_unsigned_integer returns one if |cbs| is a valid unsigned DER INTEGER and
+// zero otherwise.
 static int is_unsigned_integer(const CBS *cbs) {
  if (CBS_len(cbs) == 0) {
    return 0;
@@ -251,20 +251,20 @@ static int is_unsigned_integer(const CBS *cbs) {
  uint8_t byte = CBS_data(cbs)[0];
  if ((byte & 0x80) ||
      (byte == 0 && CBS_len(cbs) > 1 && (CBS_data(cbs)[1] & 0x80) == 0)) {
-    /* Negative or not minimally-encoded. */
+    // Negative or not minimally-encoded.
    return 0;
  }
  return 1;
 }

-/* kPrimeFieldOID is the encoding of 1.2.840.10045.1.1. */
+// kPrimeFieldOID is the encoding of 1.2.840.10045.1.1.
 static const uint8_t kPrimeField[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01};

 static int parse_explicit_prime_curve(CBS *in, CBS *out_prime, CBS *out_a,
                                      CBS *out_b, CBS *out_base_x,
                                      CBS *out_base_y, CBS *out_order) {
-  /* See RFC 3279, section 2.3.5. Note that RFC 3279 calls this structure an
-   * ECParameters while RFC 5480 calls it a SpecifiedECDomain. */
+  // See RFC 3279, section 2.3.5. Note that RFC 3279 calls this structure an
+  // ECParameters while RFC 5480 calls it a SpecifiedECDomain.
  CBS params, field_id, field_type, curve, base;
  uint64_t version;
  if (!CBS_get_asn1(in, &params, CBS_ASN1_SEQUENCE) ||
@@ -280,7 +280,7 @@ static int parse_explicit_prime_curve(CBS *in, CBS *out_prime, CBS *out_a,
      !CBS_get_asn1(&params, &curve, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1(&curve, out_a, CBS_ASN1_OCTETSTRING) ||
      !CBS_get_asn1(&curve, out_b, CBS_ASN1_OCTETSTRING) ||
-      /* |curve| has an optional BIT STRING seed which we ignore. */
+      // |curve| has an optional BIT STRING seed which we ignore.
      !CBS_get_asn1(&params, &base, CBS_ASN1_OCTETSTRING) ||
      !CBS_get_asn1(&params, out_order, CBS_ASN1_INTEGER) ||
      !is_unsigned_integer(out_order)) {
@@ -288,11 +288,11 @@ static int parse_explicit_prime_curve(CBS *in, CBS *out_prime, CBS *out_a,
    return 0;
  }

-  /* |params| has an optional cofactor which we ignore. With the optional seed
-   * in |curve|, a group already has arbitrarily many encodings. Parse enough to
-   * uniquely determine the curve. */
+  // |params| has an optional cofactor which we ignore. With the optional seed
+  // in |curve|, a group already has arbitrarily many encodings. Parse enough to
+  // uniquely determine the curve.

-  /* Require that the base point use uncompressed form. */
+  // Require that the base point use uncompressed form.
  uint8_t form;
  if (!CBS_get_u8(&base, &form) || form != POINT_CONVERSION_UNCOMPRESSED) {
    OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FORM);
@@ -310,10 +310,10 @@ static int parse_explicit_prime_curve(CBS *in, CBS *out_prime, CBS *out_a,
  return 1;
 }

-/* integers_equal returns one if |a| and |b| are equal, up to leading zeros, and
- * zero otherwise. */
+// integers_equal returns one if |a| and |b| are equal, up to leading zeros, and
+// zero otherwise.
 static int integers_equal(const CBS *a, const uint8_t *b, size_t b_len) {
-  /* Remove leading zeros from |a| and |b|. */
+  // Remove leading zeros from |a| and |b|.
  CBS a_copy = *a;
  while (CBS_len(&a_copy) > 0 && CBS_data(&a_copy)[0] == 0) {
    CBS_skip(&a_copy, 1);
@@ -332,7 +332,7 @@ EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs) {
    return NULL;
  }

-  /* Look for a matching curve. */
+  // Look for a matching curve.
  const struct built_in_curves *const curves = OPENSSL_built_in_curves();
  for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) {
    const struct built_in_curve *curve = &curves->curves[i];
@@ -374,32 +374,32 @@ EC_GROUP *EC_KEY_parse_parameters(CBS *cbs) {
    return EC_KEY_parse_curve_name(cbs);
  }

-  /* OpenSSL sometimes produces ECPrivateKeys with explicitly-encoded versions
-   * of named curves.
-   *
-   * TODO(davidben): Remove support for this. */
+  // OpenSSL sometimes produces ECPrivateKeys with explicitly-encoded versions
+  // of named curves.
+  //
+  // TODO(davidben): Remove support for this.
  CBS prime, a, b, base_x, base_y, order;
  if (!parse_explicit_prime_curve(cbs, &prime, &a, &b, &base_x, &base_y,
                                  &order)) {
    return NULL;
  }

-  /* Look for a matching prime curve. */
+  // Look for a matching prime curve.
  const struct built_in_curves *const curves = OPENSSL_built_in_curves();
  for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) {
    const struct built_in_curve *curve = &curves->curves[i];
-    const unsigned param_len = curve->data->param_len;
-    /* |curve->data->data| is ordered p, a, b, x, y, order, each component
-     * zero-padded up to the field length. Although SEC 1 states that the
-     * Field-Element-to-Octet-String conversion also pads, OpenSSL mis-encodes
-     * |a| and |b|, so this comparison must allow omitting leading zeros. (This
-     * is relevant for P-521 whose |b| has a leading 0.) */
-    if (integers_equal(&prime, curve->data->data, param_len) &&
-        integers_equal(&a, curve->data->data + param_len, param_len) &&
-        integers_equal(&b, curve->data->data + param_len * 2, param_len) &&
-        integers_equal(&base_x, curve->data->data + param_len * 3, param_len) &&
-        integers_equal(&base_y, curve->data->data + param_len * 4, param_len) &&
-        integers_equal(&order, curve->data->data + param_len * 5, param_len)) {
+    const unsigned param_len = curve->param_len;
+    // |curve->params| is ordered p, a, b, x, y, order, each component
+    // zero-padded up to the field length. Although SEC 1 states that the
+    // Field-Element-to-Octet-String conversion also pads, OpenSSL mis-encodes
+    // |a| and |b|, so this comparison must allow omitting leading zeros. (This
+    // is relevant for P-521 whose |b| has a leading 0.)
+    if (integers_equal(&prime, curve->params, param_len) &&
+        integers_equal(&a, curve->params + param_len, param_len) &&
+        integers_equal(&b, curve->params + param_len * 2, param_len) &&
+        integers_equal(&base_x, curve->params + param_len * 3, param_len) &&
+        integers_equal(&base_y, curve->params + param_len * 4, param_len) &&
+        integers_equal(&order, curve->params + param_len * 5, param_len)) {
      return EC_GROUP_new_by_curve_name(curve->nid);
    }
  }
@@ -420,8 +420,8 @@ int EC_POINT_point2cbb(CBB *out, const EC_GROUP *group, const EC_POINT *point,
 }

 EC_KEY *d2i_ECPrivateKey(EC_KEY **out, const uint8_t **inp, long len) {
-  /* This function treats its |out| parameter differently from other |d2i|
-   * functions. If supplied, take the group from |*out|. */
+  // This function treats its |out| parameter differently from other |d2i|
+  // functions. If supplied, take the group from |*out|.
  const EC_GROUP *group = NULL;
  if (out != NULL && *out != NULL) {
    group = EC_KEY_get0_group(*out);
@@ -515,7 +515,7 @@ EC_KEY *o2i_ECPublicKey(EC_KEY **keyp, const uint8_t **inp, long len) {
    OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);
    return NULL;
  }
-  /* save the point conversion form */
+  // save the point conversion form
  ret->conv_form = (point_conversion_form_t)(*inp[0] & ~0x01);
  *inp += len;
  return ret;
@@ -534,7 +534,7 @@ int i2o_ECPublicKey(const EC_KEY *key, uint8_t **outp) {
                               0, NULL);

  if (outp == NULL || buf_len == 0) {
-    /* out == NULL => just return the length of the octet string */
+    // out == NULL => just return the length of the octet string
    return buf_len;
  }

@@ -7,14 +7,3 @@ add_library(

  ecdh.c
 )
-
-add_executable(
-  ecdh_test
-
-  ecdh_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(ecdh_test crypto)
-add_dependencies(all_tests ecdh_test)
@@ -138,7 +138,7 @@ int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
      goto err;
    }
  } else {
-    /* no KDF, just copy as much as we can */
+    // no KDF, just copy as much as we can
    if (buflen < outlen) {
      outlen = buflen;
    }
@@ -16,6 +16,8 @@

 #include <vector>

+#include <gtest/gtest.h>
+
 #include <openssl/bn.h>
 #include <openssl/crypto.h>
 #include <openssl/ec.h>
@@ -24,6 +26,7 @@
 #include <openssl/nid.h>

 #include "../test/file_test.h"
+#include "../test/test_util.h"


 static bssl::UniquePtr<EC_GROUP> GetCurve(FileTest *t, const char *key) {
@@ -59,67 +62,53 @@ static bssl::UniquePtr<BIGNUM> GetBIGNUM(FileTest *t, const char *key) {
  return bssl::UniquePtr<BIGNUM>(BN_bin2bn(bytes.data(), bytes.size(), nullptr));
 }

-static bool TestECDH(FileTest *t, void *arg) {
-  bssl::UniquePtr<EC_GROUP> group = GetCurve(t, "Curve");
-  bssl::UniquePtr<BIGNUM> priv_key = GetBIGNUM(t, "Private");
-  bssl::UniquePtr<BIGNUM> x = GetBIGNUM(t, "X");
-  bssl::UniquePtr<BIGNUM> y = GetBIGNUM(t, "Y");
-  bssl::UniquePtr<BIGNUM> peer_x = GetBIGNUM(t, "PeerX");
-  bssl::UniquePtr<BIGNUM> peer_y = GetBIGNUM(t, "PeerY");
-  std::vector<uint8_t> z;
-  if (!group || !priv_key || !x || !y || !peer_x || !peer_y ||
-      !t->GetBytes(&z, "Z")) {
-    return false;
-  }
+TEST(ECDHTest, TestVectors) {
+  FileTestGTest("crypto/ecdh/ecdh_tests.txt", [](FileTest *t) {
+    bssl::UniquePtr<EC_GROUP> group = GetCurve(t, "Curve");
+    ASSERT_TRUE(group);
+    bssl::UniquePtr<BIGNUM> priv_key = GetBIGNUM(t, "Private");
+    ASSERT_TRUE(priv_key);
+    bssl::UniquePtr<BIGNUM> x = GetBIGNUM(t, "X");
+    ASSERT_TRUE(x);
+    bssl::UniquePtr<BIGNUM> y = GetBIGNUM(t, "Y");
+    ASSERT_TRUE(y);
+    bssl::UniquePtr<BIGNUM> peer_x = GetBIGNUM(t, "PeerX");
+    ASSERT_TRUE(peer_x);
+    bssl::UniquePtr<BIGNUM> peer_y = GetBIGNUM(t, "PeerY");
+    ASSERT_TRUE(peer_y);
+    std::vector<uint8_t> z;
+    ASSERT_TRUE(t->GetBytes(&z, "Z"));

-  bssl::UniquePtr<EC_KEY> key(EC_KEY_new());
-  bssl::UniquePtr<EC_POINT> pub_key(EC_POINT_new(group.get()));
-  bssl::UniquePtr<EC_POINT> peer_pub_key(EC_POINT_new(group.get()));
-  if (!key || !pub_key || !peer_pub_key ||
-      !EC_KEY_set_group(key.get(), group.get()) ||
-      !EC_KEY_set_private_key(key.get(), priv_key.get()) ||
-      !EC_POINT_set_affine_coordinates_GFp(group.get(), pub_key.get(), x.get(),
-                                           y.get(), nullptr) ||
-      !EC_POINT_set_affine_coordinates_GFp(group.get(), peer_pub_key.get(),
-                                           peer_x.get(), peer_y.get(),
-                                           nullptr) ||
-      !EC_KEY_set_public_key(key.get(), pub_key.get()) ||
-      !EC_KEY_check_key(key.get())) {
-    return false;
-  }
+    bssl::UniquePtr<EC_KEY> key(EC_KEY_new());
+    ASSERT_TRUE(key);
+    bssl::UniquePtr<EC_POINT> pub_key(EC_POINT_new(group.get()));
+    ASSERT_TRUE(pub_key);
+    bssl::UniquePtr<EC_POINT> peer_pub_key(EC_POINT_new(group.get()));
+    ASSERT_TRUE(peer_pub_key);
+    ASSERT_TRUE(EC_KEY_set_group(key.get(), group.get()));
+    ASSERT_TRUE(EC_KEY_set_private_key(key.get(), priv_key.get()));
+    ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp(group.get(), pub_key.get(),
+                                                    x.get(), y.get(), nullptr));
+    ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp(
+        group.get(), peer_pub_key.get(), peer_x.get(), peer_y.get(), nullptr));
+    ASSERT_TRUE(EC_KEY_set_public_key(key.get(), pub_key.get()));
+    ASSERT_TRUE(EC_KEY_check_key(key.get()));

-  std::vector<uint8_t> actual_z;
-  // Make |actual_z| larger than expected to ensure |ECDH_compute_key| returns
-  // the right amount of data.
-  actual_z.resize(z.size() + 1);
-  int ret = ECDH_compute_key(actual_z.data(), actual_z.size(),
-                             peer_pub_key.get(), key.get(), nullptr);
-  if (ret < 0 ||
-      !t->ExpectBytesEqual(z.data(), z.size(), actual_z.data(),
-                           static_cast<size_t>(ret))) {
-    return false;
-  }
+    std::vector<uint8_t> actual_z;
+    // Make |actual_z| larger than expected to ensure |ECDH_compute_key| returns
+    // the right amount of data.
+    actual_z.resize(z.size() + 1);
+    int ret = ECDH_compute_key(actual_z.data(), actual_z.size(),
+                               peer_pub_key.get(), key.get(), nullptr);
+    ASSERT_GE(ret, 0);
+    EXPECT_EQ(Bytes(z), Bytes(actual_z.data(), static_cast<size_t>(ret)));

-  // Test |ECDH_compute_key| truncates.
-  actual_z.resize(z.size() - 1);
-  ret = ECDH_compute_key(actual_z.data(), actual_z.size(), peer_pub_key.get(),
-                         key.get(), nullptr);
-  if (ret < 0 ||
-      !t->ExpectBytesEqual(z.data(), z.size() - 1, actual_z.data(),
-                           static_cast<size_t>(ret))) {
-    return false;
-  }
-
-  return true;
-}
-
-int main(int argc, char *argv[]) {
-  CRYPTO_library_init();
-
-  if (argc != 2) {
-    fprintf(stderr, "%s <test file.txt>\n", argv[0]);
-    return 1;
-  }
-
-  return FileTestMain(TestECDH, nullptr, argv[1]);
+    // Test |ECDH_compute_key| truncates.
+    actual_z.resize(z.size() - 1);
+    ret = ECDH_compute_key(actual_z.data(), actual_z.size(), peer_pub_key.get(),
+                           key.get(), nullptr);
+    ASSERT_GE(ret, 0);
+    EXPECT_EQ(Bytes(z.data(), z.size() - 1),
+              Bytes(actual_z.data(), static_cast<size_t>(ret)));
+  });
 }
@@ -120,17 +120,17 @@ int ECDSA_verify(int type, const uint8_t *digest, size_t digest_len,
  int ret = 0;
  uint8_t *der = NULL;

-  /* Decode the ECDSA signature. */
+  // Decode the ECDSA signature.
  s = ECDSA_SIG_from_bytes(sig, sig_len);
  if (s == NULL) {
    goto err;
  }

-  /* Defend against potential laxness in the DER parser. */
+  // Defend against potential laxness in the DER parser.
  size_t der_len;
  if (!ECDSA_SIG_to_bytes(&der, &der_len, s) ||
      der_len != sig_len || OPENSSL_memcmp(sig, der, sig_len) != 0) {
-    /* This should never happen. crypto/bytestring is strictly DER. */
+    // This should never happen. crypto/bytestring is strictly DER.
    OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
    goto err;
  }
@@ -219,8 +219,8 @@ int ECDSA_SIG_to_bytes(uint8_t **out_bytes, size_t *out_len,
  return 1;
 }

-/* der_len_len returns the number of bytes needed to represent a length of |len|
- * in DER. */
+// der_len_len returns the number of bytes needed to represent a length of |len|
+// in DER.
 static size_t der_len_len(size_t len) {
  if (len < 0x80) {
    return 1;
@@ -234,18 +234,18 @@ static size_t der_len_len(size_t len) {
 }

 size_t ECDSA_SIG_max_len(size_t order_len) {
-  /* Compute the maximum length of an |order_len| byte integer. Defensively
-   * assume that the leading 0x00 is included. */
+  // Compute the maximum length of an |order_len| byte integer. Defensively
+  // assume that the leading 0x00 is included.
  size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
  if (integer_len < order_len) {
    return 0;
  }
-  /* An ECDSA signature is two INTEGERs. */
+  // An ECDSA signature is two INTEGERs.
  size_t value_len = 2 * integer_len;
  if (value_len < integer_len) {
    return 0;
  }
-  /* Add the header. */
+  // Add the header.
  size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
  if (ret < value_len) {
    return 0;
@@ -42,15 +42,15 @@ ENGINE *ENGINE_new(void) {
 }

 void ENGINE_free(ENGINE *engine) {
-  /* Methods are currently required to be static so are not unref'ed. */
+  // Methods are currently required to be static so are not unref'ed.
  OPENSSL_free(engine);
 }

-/* set_method takes a pointer to a method and its given size and sets
- * |*out_member| to point to it. This function might want to be extended in the
- * future to support making a copy of the method so that a stable ABI for
- * ENGINEs can be supported. But, for the moment, all *_METHODS must be
- * static. */
+// set_method takes a pointer to a method and its given size and sets
+// |*out_member| to point to it. This function might want to be extended in the
+// future to support making a copy of the method so that a stable ABI for
+// ENGINEs can be supported. But, for the moment, all *_METHODS must be
+// static.
 static int set_method(void **out_member, const void *method, size_t method_size,
                      size_t compiled_size) {
  const struct openssl_method_common_st *common = method;
@@ -9,6 +9,7 @@ CIPHER,107,INITIALIZATION_ERROR
 CIPHER,108,INPUT_NOT_INITIALIZED
 CIPHER,109,INVALID_AD_SIZE
 CIPHER,110,INVALID_KEY_LENGTH
+CIPHER,125,INVALID_NONCE
 CIPHER,111,INVALID_NONCE_SIZE
 CIPHER,112,INVALID_OPERATION
 CIPHER,113,IV_TOO_LARGE
--- a/Show More
+++ b/Show More