Snap for 10117275 from 1997a4293128d24fb5bbedb83a1dae1f503aedc1 to udc-d1-releaseandroid-14.0.0_r9 android-14.0.0_r8 android-14.0.0_r7 android-14.0.0_r6 android-14.0.0_r5 android-14.0.0_r4 android-14.0.0_r3 android-14.0.0_r12 android-14.0.0_r11 android-14.0.0_r10 android14-d1-s7-release android14-d1-s6-release android14-d1-s5-release android14-d1-s4-release android14-d1-s3-release android14-d1-s2-release android14-d1-s1-release android14-d1-release

Change-Id: I137e0ff53430dd75d7b72354a08465ab9655fcff
author: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2023-05-11 23:05:36 +0000
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2023-05-11 23:05:36 +0000
commit: 306dcf52e8808de3e3c604a7df2e3384885aa8b2 (patch)
tree: 6277566361af6eb7fe6ee64cf862329996d3bff2
parent: 3d20bdc0fee053343fc76e7c4fc0ad1f59e3db20 (diff)
parent: 1997a4293128d24fb5bbedb83a1dae1f503aedc1 (diff)
download: boringssl-android14-d1-s6-release.tar.gz
88 files changed, 6366 insertions, 2166 deletions
diff --git a/BUILD.generated.bzl b/BUILD.generated.bzl
index cd036188..738e1055 100644
--- a/BUILD.generated.bzl
+++ b/BUILD.generated.bzl
@@ -267,8 +267,10 @@ crypto_internal_headers = [
     "src/crypto/x509v3/internal.h",
     "src/third_party/fiat/curve25519_32.h",
     "src/third_party/fiat/curve25519_64.h",
+    "src/third_party/fiat/curve25519_64_msvc.h",
     "src/third_party/fiat/p256_32.h",
     "src/third_party/fiat/p256_64.h",
+    "src/third_party/fiat/p256_64_msvc.h",
 ]
 
 crypto_sources = [
diff --git a/BUILD.generated_tests.bzl b/BUILD.generated_tests.bzl
index c9961d06..92dec1e0 100644
--- a/BUILD.generated_tests.bzl
+++ b/BUILD.generated_tests.bzl
@@ -72,8 +72,10 @@ test_support_sources = [
     "src/ssl/test/test_state.h",
     "src/third_party/fiat/curve25519_32.h",
     "src/third_party/fiat/curve25519_64.h",
+    "src/third_party/fiat/curve25519_64_msvc.h",
     "src/third_party/fiat/p256_32.h",
     "src/third_party/fiat/p256_64.h",
+    "src/third_party/fiat/p256_64_msvc.h",
 ]
 
 crypto_test_sources = [
diff --git a/src/BUILDING.md b/src/BUILDING.md
index bedba3c3..4dcd0f48 100644
--- a/src/BUILDING.md
+++ b/src/BUILDING.md
@@ -48,17 +48,13 @@ most recent stable version of each tool.
 
 Using Ninja (note the 'N' is capitalized in the cmake invocation):
 
-    mkdir build
-    cd build
-    cmake -GNinja ..
-    ninja
+    cmake -GNinja -B build
+    ninja -C build
 
 Using Make (does not work on Windows):
 
-    mkdir build
-    cd build
-    cmake ..
-    make
+    cmake -B build
+    make -C build
 
 You usually don't need to run `cmake` again after changing `CMakeLists.txt`
 files because the build scripts will detect changes to them and rebuild
@@ -69,10 +65,9 @@ debugging—optimisation isn't enabled. Pass `-DCMAKE_BUILD_TYPE=Release` to
 `cmake` to configure a release build.
 
 If you want to cross-compile then there is an example toolchain file for 32-bit
-Intel in `util/`. Wipe out the build directory, recreate it and run `cmake` like
-this:
+Intel in `util/`. Wipe out the build directory, run `cmake` like this:
 
-    cmake -DCMAKE_TOOLCHAIN_FILE=../util/32-bit-toolchain.cmake -GNinja ..
+    cmake -B build -DCMAKE_TOOLCHAIN_FILE=../util/32-bit-toolchain.cmake -GNinja
 
 If you want to build as a shared library, pass `-DBUILD_SHARED_LIBS=1`. On
 Windows, where functions need to be tagged with `dllimport` when coming from a
@@ -93,12 +88,12 @@ versions of the NDK include a CMake toolchain file which works with CMake 3.6.0
 or later. This has been tested with version r16b of the NDK.
 
 Unpack the Android NDK somewhere and export `ANDROID_NDK` to point to the
-directory. Then make a build directory as above and run CMake like this:
+directory. Then run CMake like this:
 
     cmake -DANDROID_ABI=armeabi-v7a \
           -DANDROID_PLATFORM=android-19 \
           -DCMAKE_TOOLCHAIN_FILE=${ANDROID_NDK}/build/cmake/android.toolchain.cmake \
-          -GNinja ..
+          -GNinja -B build
 
 Once you've run that, Ninja should produce Android-compatible binaries.  You
 can replace `armeabi-v7a` in the above with `arm64-v8a` and use API level 21 or
@@ -140,7 +135,7 @@ In order to build with prefixed symbols, the `BORINGSSL_PREFIX` CMake variable
 should specify the prefix to add to all symbols, and the
 `BORINGSSL_PREFIX_SYMBOLS` CMake variable should specify the path to a file
 which contains a list of symbols which should be prefixed (one per line;
-comments are supported with `#`). In other words, `cmake ..
+comments are supported with `#`). In other words, `cmake -B build
 -DBORINGSSL_PREFIX=MY_CUSTOM_PREFIX
 -DBORINGSSL_PREFIX_SYMBOLS=/path/to/symbols.txt` will configure the build to add
 the prefix `MY_CUSTOM_PREFIX` to all of the symbols listed in
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index a1fb1539..aac5f0d1 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -17,6 +17,7 @@ endif()
 
 include(sources.cmake)
 include(cmake/go.cmake)
+include(cmake/paths.cmake)
 include(cmake/perlasm.cmake)
 
 enable_language(C)
diff --git a/src/FUZZING.md b/src/FUZZING.md
index 5653acc1..89cf5e93 100644
--- a/src/FUZZING.md
+++ b/src/FUZZING.md
@@ -7,10 +7,8 @@ We use Clang's [libFuzzer](http://llvm.org/docs/LibFuzzer.html) for fuzz testing
 In order to build the fuzz tests you will need at least Clang 6.0. Pass `-DFUZZ=1` on the CMake command line to enable building BoringSSL with coverage and AddressSanitizer, and to build the fuzz test binaries. You'll probably need to set the `CC` and `CXX` environment variables too, like this:
 
 ```
-mkdir build
-cd build
-CC=clang CXX=clang++ cmake -GNinja -DFUZZ=1 ..
-ninja
+CC=clang CXX=clang++ cmake -GNinja -DFUZZ=1 -B build
+ninja -C build
 ```
 
 
diff --git a/src/cmake/go.cmake b/src/cmake/go.cmake
index 61a01f51..966ad32d 100644
--- a/src/cmake/go.cmake
+++ b/src/cmake/go.cmake
@@ -34,10 +34,7 @@ function(go_executable dest package)
   else()
     # Ninja expects the target in the depfile to match the output. This is a
     # relative path from the build directory.
-    string(LENGTH "${CMAKE_BINARY_DIR}" root_dir_length)
-    math(EXPR root_dir_length "${root_dir_length} + 1")
-    string(SUBSTRING "${CMAKE_CURRENT_BINARY_DIR}" ${root_dir_length} -1 target)
-    set(target "${target}/${dest}")
+    binary_dir_relative_path(${dest} target)
 
     set(depfile "${CMAKE_CURRENT_BINARY_DIR}/${dest}.d")
     add_custom_command(OUTPUT ${dest}
diff --git a/src/cmake/paths.cmake b/src/cmake/paths.cmake
new file mode 100644
index 00000000..43ebc406
--- /dev/null
+++ b/src/cmake/paths.cmake
@@ -0,0 +1,11 @@
+# binary_dir_relative_path sets outvar to
+# ${CMAKE_CURRENT_BINARY_DIR}/${cur_bin_dir_relative}, but expressed relative to
+# ${CMAKE_BINARY_DIR}.
+#
+# TODO(davidben): When we require CMake 3.20 or later, this can be replaced with
+# the built-in cmake_path(RELATIVE_PATH) function.
+function(binary_dir_relative_path cur_bin_dir_relative outvar)
+  string(LENGTH "${CMAKE_BINARY_DIR}/" root_dir_length)
+  string(SUBSTRING "${CMAKE_CURRENT_BINARY_DIR}/${cur_bin_dir_relative}" ${root_dir_length} -1 result)
+  set(${outvar} ${result} PARENT_SCOPE)
+endfunction()
diff --git a/src/crypto/cipher_extra/e_tls.c b/src/crypto/cipher_extra/e_tls.c
index cfaf95dc..00b48243 100644
--- a/src/crypto/cipher_extra/e_tls.c
+++ b/src/crypto/cipher_extra/e_tls.c
@@ -442,13 +442,6 @@ static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
   return 1;
 }
 
-static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                   size_t key_len, size_t tag_len,
-                                   enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
-                       EVP_sha1(), 1 /* implicit iv */);
-}
-
 static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
     SHA_DIGEST_LENGTH + 16,  // key len (SHA1 + AES128)
     16,                      // nonce len (IV)
@@ -551,23 +544,6 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
     aead_tls_tag_len,
 };
 
-static const EVP_AEAD aead_null_sha1_tls = {
-    SHA_DIGEST_LENGTH,  // key len
-    0,                  // nonce len
-    SHA_DIGEST_LENGTH,  // overhead (SHA1)
-    SHA_DIGEST_LENGTH,  // max tag length
-    0,                  // seal_scatter_supports_extra_in
-
-    NULL,  // init
-    aead_null_sha1_tls_init,
-    aead_tls_cleanup,
-    aead_tls_open,
-    aead_tls_seal_scatter,
-    NULL,  // open_gather
-    NULL,  // get_iv
-    aead_tls_tag_len,
-};
-
 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
   return &aead_aes_128_cbc_sha1_tls;
 }
@@ -591,5 +567,3 @@ const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) {
 const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) {
   return &aead_des_ede3_cbc_sha1_tls_implicit_iv;
 }
-
-const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; }
diff --git a/src/crypto/crypto_test.cc b/src/crypto/crypto_test.cc
index caccba53..4543d5c1 100644
--- a/src/crypto/crypto_test.cc
+++ b/src/crypto/crypto_test.cc
@@ -158,3 +158,12 @@ TEST(Crypto, OnDemandIntegrityTest) {
   BORINGSSL_integrity_test();
 }
 #endif
+
+OPENSSL_DEPRECATED static void DeprecatedFunction() {}
+
+OPENSSL_BEGIN_ALLOW_DEPRECATED
+TEST(CryptoTest, DeprecatedFunction) {
+  // This is deprecated, but should not trigger any warnings.
+  DeprecatedFunction();
+}
+OPENSSL_END_ALLOW_DEPRECATED
diff --git a/src/crypto/curve25519/curve25519.c b/src/crypto/curve25519/curve25519.c
index 6a0af2d9..c0289ffe 100644
--- a/src/crypto/curve25519/curve25519.c
+++ b/src/crypto/curve25519/curve25519.c
@@ -35,11 +35,13 @@
 // Various pre-computed constants.
 #include "./curve25519_tables.h"
 
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(BORINGSSL_HAS_UINT128)
 #include "../../third_party/fiat/curve25519_64.h"
+#elif defined(OPENSSL_64_BIT)
+#include "../../third_party/fiat/curve25519_64_msvc.h"
 #else
 #include "../../third_party/fiat/curve25519_32.h"
-#endif  // BORINGSSL_CURVE25519_64BIT
+#endif
 
 
 // Low-level intrinsic operations
@@ -64,7 +66,7 @@ static uint64_t load_4(const uint8_t *in) {
 
 // Field operations.
 
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
 
 typedef uint64_t fe_limb_t;
 #define FE_NUM_LIMBS 5
@@ -144,7 +146,7 @@ typedef uint32_t fe_limb_t;
     }                                                                    \
   } while (0)
 
-#endif  // BORINGSSL_CURVE25519_64BIT
+#endif  // OPENSSL_64_BIT
 
 static_assert(sizeof(fe) == sizeof(fe_limb_t) * FE_NUM_LIMBS,
               "fe_limb_t[FE_NUM_LIMBS] is inconsistent with fe");
diff --git a/src/crypto/curve25519/curve25519_tables.h b/src/crypto/curve25519/curve25519_tables.h
index 310581cf..ad1f036a 100644
--- a/src/crypto/curve25519/curve25519_tables.h
+++ b/src/crypto/curve25519/curve25519_tables.h
@@ -17,7 +17,7 @@
 
 
 static const fe d = {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
     929955233495203, 466365720129213, 1662059464998953, 2033849074728123,
     1442794654840575
 #else
@@ -27,7 +27,7 @@ static const fe d = {{
 }};
 
 static const fe sqrtm1 = {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
     1718705420411056, 234908883556509, 2233514472574048, 2117202627021982,
     765476049583133
 #else
@@ -37,7 +37,7 @@ static const fe sqrtm1 = {{
 }};
 
 static const fe d2 = {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
     1859910466990425, 932731440258426, 1072319116312658, 1815898335770999,
     633789495995903
 #else
@@ -146,7 +146,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1288382639258501, 245678601348599, 269427782077623,
                 1462984067271730, 137412439391563
 #else
@@ -155,7 +155,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 62697248952638, 204681361388450, 631292143396476,
                 338455783676468, 1213667448819585
 #else
@@ -164,7 +164,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 301289933810280, 1259582250014073, 1422107436869536,
                 796239922652654, 1953934009299142
 #else
@@ -175,7 +175,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1380971894829527, 790832306631236, 2067202295274102,
                 1995808275510000, 1566530869037010
 #else
@@ -184,7 +184,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 463307831301544, 432984605774163, 1610641361907204,
                 750899048855000, 1894842303421586
 #else
@@ -193,7 +193,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 748439484463711, 1033211726465151, 1396005112841647,
                 1611506220286469, 1972177495910992
 #else
@@ -204,7 +204,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1601611775252272, 1720807796594148, 1132070835939856,
                 1260455018889551, 2147779492816911
 #else
@@ -213,7 +213,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 316559037616741, 2177824224946892, 1459442586438991,
                 1461528397712656, 751590696113597
 #else
@@ -222,7 +222,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1850748884277385, 1200145853858453, 1068094770532492,
                 672251375690438, 1586055907191707
 #else
@@ -233,7 +233,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 934282339813791, 1846903124198670, 1172395437954843,
                 1007037127761661, 1830588347719256
 #else
@@ -242,7 +242,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1694390458783935, 1735906047636159, 705069562067493,
                 648033061693059, 696214010414170
 #else
@@ -251,7 +251,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1121406372216585, 192876649532226, 190294192191717,
                 1994165897297032, 2245000007398739
 #else
@@ -262,7 +262,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 769950342298419, 132954430919746, 844085933195555,
                 974092374476333, 726076285546016
 #else
@@ -271,7 +271,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 425251763115706, 608463272472562, 442562545713235,
                 837766094556764, 374555092627893
 #else
@@ -280,7 +280,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1086255230780037, 274979815921559, 1960002765731872,
                 929474102396301, 1190409889297339
 #else
@@ -291,7 +291,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1388594989461809, 316767091099457, 394298842192982,
                 1230079486801005, 1440737038838979
 #else
@@ -300,7 +300,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 7380825640100, 146210432690483, 304903576448906,
                 1198869323871120, 997689833219095
 #else
@@ -309,7 +309,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1181317918772081, 114573476638901, 262805072233344,
                 265712217171332, 294181933805782
 #else
@@ -320,7 +320,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 665000864555967, 2065379846933859, 370231110385876,
                 350988370788628, 1233371373142985
 #else
@@ -329,7 +329,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2019367628972465, 676711900706637, 110710997811333,
                 1108646842542025, 517791959672113
 #else
@@ -338,7 +338,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 965130719900578, 247011430587952, 526356006571389,
                 91986625355052, 2157223321444601
 #else
@@ -349,7 +349,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2068619540119183, 1966274918058806, 957728544705549,
                 729906502578991, 159834893065166
 #else
@@ -358,7 +358,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2073601412052185, 31021124762708, 264500969797082,
                 248034690651703, 1030252227928288
 #else
@@ -367,7 +367,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 551790716293402, 1989538725166328, 801169423371717,
                 2052451893578887, 678432056995012
 #else
@@ -380,7 +380,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1368953770187805, 790347636712921, 437508475667162,
                 2142576377050580, 1932081720066286
 #else
@@ -389,7 +389,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 953638594433374, 1092333936795051, 1419774766716690,
                 805677984380077, 859228993502513
 #else
@@ -398,7 +398,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1200766035879111, 20142053207432, 1465634435977050,
                 1645256912097844, 295121984874596
 #else
@@ -409,7 +409,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1735718747031557, 1248237894295956, 1204753118328107,
                 976066523550493, 65943769534592
 #else
@@ -418,7 +418,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1060098822528990, 1586825862073490, 212301317240126,
                 1975302711403555, 666724059764335
 #else
@@ -427,7 +427,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1091990273418756, 1572899409348578, 80968014455247,
                 306009358661350, 1520450739132526
 #else
@@ -438,7 +438,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1480517209436112, 1511153322193952, 1244343858991172,
                 304788150493241, 369136856496443
 #else
@@ -447,7 +447,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2151330273626164, 762045184746182, 1688074332551515,
                 823046109005759, 907602769079491
 #else
@@ -456,7 +456,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2047386910586836, 168470092900250, 1552838872594810,
                 340951180073789, 360819374702533
 #else
@@ -467,7 +467,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1982622644432056, 2014393600336956, 128909208804214,
                 1617792623929191, 105294281913815
 #else
@@ -476,7 +476,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 980234343912898, 1712256739246056, 588935272190264,
                 204298813091998, 841798321043288
 #else
@@ -485,7 +485,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 197561292938973, 454817274782871, 1963754960082318,
                 2113372252160468, 971377527342673
 #else
@@ -496,7 +496,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 164699448829328, 3127451757672, 1199504971548753,
                 1766155447043652, 1899238924683527
 #else
@@ -505,7 +505,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 732262946680281, 1674412764227063, 2182456405662809,
                 1350894754474250, 558458873295247
 #else
@@ -514,7 +514,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2103305098582922, 1960809151316468, 715134605001343,
                 1454892949167181, 40827143824949
 #else
@@ -525,7 +525,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1239289043050212, 1744654158124578, 758702410031698,
                 1796762995074688, 1603056663766
 #else
@@ -534,7 +534,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2232056027107988, 987343914584615, 2115594492994461,
                 1819598072792159, 1119305654014850
 #else
@@ -543,7 +543,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 320153677847348, 939613871605645, 641883205761567,
                 1930009789398224, 329165806634126
 #else
@@ -554,7 +554,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 980930490474130, 1242488692177893, 1251446316964684,
                 1086618677993530, 1961430968465772
 #else
@@ -563,7 +563,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 276821765317453, 1536835591188030, 1305212741412361,
                 61473904210175, 2051377036983058
 #else
@@ -572,7 +572,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 833449923882501, 1750270368490475, 1123347002068295,
                 185477424765687, 278090826653186
 #else
@@ -583,7 +583,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 794524995833413, 1849907304548286, 53348672473145,
                 1272368559505217, 1147304168324779
 #else
@@ -592,7 +592,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1504846112759364, 1203096289004681, 562139421471418,
                 274333017451844, 1284344053775441
 #else
@@ -601,7 +601,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 483048732424432, 2116063063343382, 30120189902313,
                 292451576741007, 1156379271702225
 #else
@@ -614,7 +614,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 928372153029038, 2147692869914564, 1455665844462196,
                 1986737809425946, 185207050258089
 #else
@@ -623,7 +623,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 137732961814206, 706670923917341, 1387038086865771,
                 1965643813686352, 1384777115696347
 #else
@@ -632,7 +632,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 481144981981577, 2053319313589856, 2065402289827512,
                 617954271490316, 1106602634668125
 #else
@@ -643,7 +643,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 696298019648792, 893299659040895, 1148636718636009,
                 26734077349617, 2203955659340681
 #else
@@ -652,7 +652,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 657390353372855, 998499966885562, 991893336905797,
                 810470207106761, 343139804608786
 #else
@@ -661,7 +661,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 791736669492960, 934767652997115, 824656780392914,
                 1759463253018643, 361530362383518
 #else
@@ -672,7 +672,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2022541353055597, 2094700262587466, 1551008075025686,
                 242785517418164, 695985404963562
 #else
@@ -681,7 +681,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1287487199965223, 2215311941380308, 1552928390931986,
                 1664859529680196, 1125004975265243
 #else
@@ -690,7 +690,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 677434665154918, 989582503122485, 1817429540898386,
                 1052904935475344, 1143826298169798
 #else
@@ -701,7 +701,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 367266328308408, 318431188922404, 695629353755355,
                 634085657580832, 24581612564426
 #else
@@ -710,7 +710,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 773360688841258, 1815381330538070, 363773437667376,
                 539629987070205, 783280434248437
 #else
@@ -719,7 +719,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 180820816194166, 168937968377394, 748416242794470,
                 1227281252254508, 1567587861004268
 #else
@@ -730,7 +730,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 478775558583645, 2062896624554807, 699391259285399,
                 358099408427873, 1277310261461761
 #else
@@ -739,7 +739,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1984740906540026, 1079164179400229, 1056021349262661,
                 1659958556483663, 1088529069025527
 #else
@@ -748,7 +748,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 580736401511151, 1842931091388998, 1177201471228238,
                 2075460256527244, 1301133425678027
 #else
@@ -759,7 +759,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1515728832059182, 1575261009617579, 1510246567196186,
                 191078022609704, 116661716289141
 #else
@@ -768,7 +768,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1295295738269652, 1714742313707026, 545583042462581,
                 2034411676262552, 1513248090013606
 #else
@@ -777,7 +777,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 230710545179830, 30821514358353, 760704303452229,
                 390668103790604, 573437871383156
 #else
@@ -788,7 +788,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1169380107545646, 263167233745614, 2022901299054448,
                 819900753251120, 2023898464874585
 #else
@@ -797,7 +797,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2102254323485823, 1570832666216754, 34696906544624,
                 1993213739807337, 70638552271463
 #else
@@ -806,7 +806,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 894132856735058, 548675863558441, 845349339503395,
                 1942269668326667, 1615682209874691
 #else
@@ -817,7 +817,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1287670217537834, 1222355136884920, 1846481788678694,
                 1150426571265110, 1613523400722047
 #else
@@ -826,7 +826,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 793388516527298, 1315457083650035, 1972286999342417,
                 1901825953052455, 338269477222410
 #else
@@ -835,7 +835,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 550201530671806, 778605267108140, 2063911101902983,
                 115500557286349, 2041641272971022
 #else
@@ -848,7 +848,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 717255318455100, 519313764361315, 2080406977303708,
                 541981206705521, 774328150311600
 #else
@@ -857,7 +857,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 261715221532238, 1795354330069993, 1496878026850283,
                 499739720521052, 389031152673770
 #else
@@ -866,7 +866,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1997217696294013, 1717306351628065, 1684313917746180,
                 1644426076011410, 1857378133465451
 #else
@@ -877,7 +877,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1475434724792648, 76931896285979, 1116729029771667,
                 2002544139318042, 725547833803938
 #else
@@ -886,7 +886,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2022306639183567, 726296063571875, 315345054448644,
                 1058733329149221, 1448201136060677
 #else
@@ -895,7 +895,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1710065158525665, 1895094923036397, 123988286168546,
                 1145519900776355, 1607510767693874
 #else
@@ -906,7 +906,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 561605375422540, 1071733543815037, 131496498800990,
                 1946868434569999, 828138133964203
 #else
@@ -915,7 +915,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1548495173745801, 442310529226540, 998072547000384,
                 553054358385281, 644824326376171
 #else
@@ -924,7 +924,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1445526537029440, 2225519789662536, 914628859347385,
                 1064754194555068, 1660295614401091
 #else
@@ -935,7 +935,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1199690223111956, 24028135822341, 66638289244341,
                 57626156285975, 565093967979607
 #else
@@ -944,7 +944,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 876926774220824, 554618976488214, 1012056309841565,
                 839961821554611, 1414499340307677
 #else
@@ -953,7 +953,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 703047626104145, 1266841406201770, 165556500219173,
                 486991595001879, 1011325891650656
 #else
@@ -964,7 +964,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1622861044480487, 1156394801573634, 1869132565415504,
                 327103985777730, 2095342781472284
 #else
@@ -973,7 +973,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 334886927423922, 489511099221528, 129160865966726,
                 1720809113143481, 619700195649254
 #else
@@ -982,7 +982,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1646545795166119, 1758370782583567, 714746174550637,
                 1472693650165135, 898994790308209
 #else
@@ -993,7 +993,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 333403773039279, 295772542452938, 1693106465353610,
                 912330357530760, 471235657950362
 #else
@@ -1002,7 +1002,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1811196219982022, 1068969825533602, 289602974833439,
                 1988956043611592, 863562343398367
 #else
@@ -1011,7 +1011,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 906282429780072, 2108672665779781, 432396390473936,
                 150625823801893, 1708930497638539
 #else
@@ -1022,7 +1022,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 925664675702328, 21416848568684, 1831436641861340,
                 601157008940113, 371818055044496
 #else
@@ -1031,7 +1031,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1479786007267725, 1738881859066675, 68646196476567,
                 2146507056100328, 1247662817535471
 #else
@@ -1040,7 +1040,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 52035296774456, 939969390708103, 312023458773250,
                 59873523517659, 1231345905848899
 #else
@@ -1051,7 +1051,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 643355106415761, 290186807495774, 2013561737429023,
                 319648069511546, 393736678496162
 #else
@@ -1060,7 +1060,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 129358342392716, 1932811617704777, 1176749390799681,
                 398040349861790, 1170779668090425
 #else
@@ -1069,7 +1069,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2051980782668029, 121859921510665, 2048329875753063,
                 1235229850149665, 519062146124755
 #else
@@ -1082,7 +1082,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1608170971973096, 415809060360428, 1350468408164766,
                 2038620059057678, 1026904485989112
 #else
@@ -1091,7 +1091,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1837656083115103, 1510134048812070, 906263674192061,
                 1821064197805734, 565375124676301
 #else
@@ -1100,7 +1100,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 578027192365650, 2034800251375322, 2128954087207123,
                 478816193810521, 2196171989962750
 #else
@@ -1111,7 +1111,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1633188840273139, 852787172373708, 1548762607215796,
                 1266275218902681, 1107218203325133
 #else
@@ -1120,7 +1120,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 462189358480054, 1784816734159228, 1611334301651368,
                 1303938263943540, 707589560319424
 #else
@@ -1129,7 +1129,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1038829280972848, 38176604650029, 753193246598573,
                 1136076426528122, 595709990562434
 #else
@@ -1140,7 +1140,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1408451820859834, 2194984964010833, 2198361797561729,
                 1061962440055713, 1645147963442934
 #else
@@ -1149,7 +1149,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 4701053362120, 1647641066302348, 1047553002242085,
                 1923635013395977, 206970314902065
 #else
@@ -1158,7 +1158,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1750479161778571, 1362553355169293, 1891721260220598,
                 966109370862782, 1024913988299801
 #else
@@ -1169,7 +1169,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 212699049131723, 1117950018299775, 1873945661751056,
                 1403802921984058, 130896082652698
 #else
@@ -1178,7 +1178,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 636808533673210, 1262201711667560, 390951380330599,
                 1663420692697294, 561951321757406
 #else
@@ -1187,7 +1187,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 520731594438141, 1446301499955692, 273753264629267,
                 1565101517999256, 1019411827004672
 #else
@@ -1198,7 +1198,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 926527492029409, 1191853477411379, 734233225181171,
                 184038887541270, 1790426146325343
 #else
@@ -1207,7 +1207,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1464651961852572, 1483737295721717, 1519450561335517,
                 1161429831763785, 405914998179977
 #else
@@ -1216,7 +1216,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 996126634382301, 796204125879525, 127517800546509,
                 344155944689303, 615279846169038
 #else
@@ -1227,7 +1227,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 738724080975276, 2188666632415296, 1961313708559162,
                 1506545807547587, 1151301638969740
 #else
@@ -1236,7 +1236,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 622917337413835, 1218989177089035, 1284857712846592,
                 970502061709359, 351025208117090
 #else
@@ -1245,7 +1245,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2067814584765580, 1677855129927492, 2086109782475197,
                 235286517313238, 1416314046739645
 #else
@@ -1256,7 +1256,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 586844262630358, 307444381952195, 458399356043426,
                 602068024507062, 1028548203415243
 #else
@@ -1265,7 +1265,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 678489922928203, 2016657584724032, 90977383049628,
                 1026831907234582, 615271492942522
 #else
@@ -1274,7 +1274,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 301225714012278, 1094837270268560, 1202288391010439,
                 644352775178361, 1647055902137983
 #else
@@ -1285,7 +1285,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1210746697896478, 1416608304244708, 686487477217856,
                 1245131191434135, 1051238336855737
 #else
@@ -1294,7 +1294,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1135604073198207, 1683322080485474, 769147804376683,
                 2086688130589414, 900445683120379
 #else
@@ -1303,7 +1303,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1971518477615628, 401909519527336, 448627091057375,
                 1409486868273821, 1214789035034363
 #else
@@ -1316,7 +1316,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1364039144731711, 1897497433586190, 2203097701135459,
                 145461396811251, 1349844460790699
 #else
@@ -1325,7 +1325,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1045230323257973, 818206601145807, 630513189076103,
                 1672046528998132, 807204017562437
 #else
@@ -1334,7 +1334,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 439961968385997, 386362664488986, 1382706320807688,
                 309894000125359, 2207801346498567
 #else
@@ -1345,7 +1345,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1229004686397588, 920643968530863, 123975893911178,
                 681423993215777, 1400559197080973
 #else
@@ -1354,7 +1354,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2003766096898049, 170074059235165, 1141124258967971,
                 1485419893480973, 1573762821028725
 #else
@@ -1363,7 +1363,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 729905708611432, 1270323270673202, 123353058984288,
                 426460209632942, 2195574535456672
 #else
@@ -1374,7 +1374,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1271140255321235, 2044363183174497, 52125387634689,
                 1445120246694705, 942541986339084
 #else
@@ -1383,7 +1383,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1761608437466135, 583360847526804, 1586706389685493,
                 2157056599579261, 1170692369685772
 #else
@@ -1392,7 +1392,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 871476219910823, 1878769545097794, 2241832391238412,
                 548957640601001, 690047440233174
 #else
@@ -1403,7 +1403,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 297194732135507, 1366347803776820, 1301185512245601,
                 561849853336294, 1533554921345731
 #else
@@ -1412,7 +1412,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 999628998628371, 1132836708493400, 2084741674517453,
                 469343353015612, 678782988708035
 #else
@@ -1421,7 +1421,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2189427607417022, 699801937082607, 412764402319267,
                 1478091893643349, 2244675696854460
 #else
@@ -1432,7 +1432,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1712292055966563, 204413590624874, 1405738637332841,
                 408981300829763, 861082219276721
 #else
@@ -1441,7 +1441,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 508561155940631, 966928475686665, 2236717801150132,
                 424543858577297, 2089272956986143
 #else
@@ -1450,7 +1450,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 221245220129925, 1156020201681217, 491145634799213,
                 542422431960839, 828100817819207
 #else
@@ -1461,7 +1461,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 153756971240384, 1299874139923977, 393099165260502,
                 1058234455773022, 996989038681183
 #else
@@ -1470,7 +1470,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 559086812798481, 573177704212711, 1629737083816402,
                 1399819713462595, 1646954378266038
 #else
@@ -1479,7 +1479,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1887963056288059, 228507035730124, 1468368348640282,
                 930557653420194, 613513962454686
 #else
@@ -1490,7 +1490,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1224529808187553, 1577022856702685, 2206946542980843,
                 625883007765001, 279930793512158
 #else
@@ -1499,7 +1499,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1076287717051609, 1114455570543035, 187297059715481,
                 250446884292121, 1885187512550540
 #else
@@ -1508,7 +1508,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 902497362940219, 76749815795675, 1657927525633846,
                 1420238379745202, 1340321636548352
 #else
@@ -1519,7 +1519,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1129576631190784, 1281994010027327, 996844254743018,
                 257876363489249, 1150850742055018
 #else
@@ -1528,7 +1528,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 628740660038789, 1943038498527841, 467786347793886,
                 1093341428303375, 235413859513003
 #else
@@ -1537,7 +1537,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 237425418909360, 469614029179605, 1512389769174935,
                 1241726368345357, 441602891065214
 #else
@@ -1550,7 +1550,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1736417953058555, 726531315520508, 1833335034432527,
                 1629442561574747, 624418919286085
 #else
@@ -1559,7 +1559,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1960754663920689, 497040957888962, 1909832851283095,
                 1271432136996826, 2219780368020940
 #else
@@ -1568,7 +1568,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1537037379417136, 1358865369268262, 2130838645654099,
                 828733687040705, 1999987652890901
 #else
@@ -1579,7 +1579,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 629042105241814, 1098854999137608, 887281544569320,
                 1423102019874777, 7911258951561
 #else
@@ -1588,7 +1588,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1811562332665373, 1501882019007673, 2213763501088999,
                 359573079719636, 36370565049116
 #else
@@ -1597,7 +1597,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 218907117361280, 1209298913016966, 1944312619096112,
                 1130690631451061, 1342327389191701
 #else
@@ -1608,7 +1608,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1369976867854704, 1396479602419169, 1765656654398856,
                 2203659200586299, 998327836117241
 #else
@@ -1617,7 +1617,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2230701885562825, 1348173180338974, 2172856128624598,
                 1426538746123771, 444193481326151
 #else
@@ -1626,7 +1626,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 784210426627951, 918204562375674, 1284546780452985,
                 1324534636134684, 1872449409642708
 #else
@@ -1637,7 +1637,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 319638829540294, 596282656808406, 2037902696412608,
                 1557219121643918, 341938082688094
 #else
@@ -1646,7 +1646,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1901860206695915, 2004489122065736, 1625847061568236,
                 973529743399879, 2075287685312905
 #else
@@ -1655,7 +1655,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1371853944110545, 1042332820512553, 1949855697918254,
                 1791195775521505, 37487364849293
 #else
@@ -1666,7 +1666,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 687200189577855, 1082536651125675, 644224940871546,
                 340923196057951, 343581346747396
 #else
@@ -1675,7 +1675,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2082717129583892, 27829425539422, 145655066671970,
                 1690527209845512, 1865260509673478
 #else
@@ -1684,7 +1684,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1059729620568824, 2163709103470266, 1440302280256872,
                 1769143160546397, 869830310425069
 #else
@@ -1695,7 +1695,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1609516219779025, 777277757338817, 2101121130363987,
                 550762194946473, 1905542338659364
 #else
@@ -1704,7 +1704,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2024821921041576, 426948675450149, 595133284085473,
                 471860860885970, 600321679413000
 #else
@@ -1713,7 +1713,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 598474602406721, 1468128276358244, 1191923149557635,
                 1501376424093216, 1281662691293476
 #else
@@ -1724,7 +1724,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1721138489890707, 1264336102277790, 433064545421287,
                 1359988423149466, 1561871293409447
 #else
@@ -1733,7 +1733,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 719520245587143, 393380711632345, 132350400863381,
                 1543271270810729, 1819543295798660
 #else
@@ -1742,7 +1742,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 396397949784152, 1811354474471839, 1362679985304303,
                 2117033964846756, 498041172552279
 #else
@@ -1753,7 +1753,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1812471844975748, 1856491995543149, 126579494584102,
                 1036244859282620, 1975108050082550
 #else
@@ -1762,7 +1762,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 650623932407995, 1137551288410575, 2125223403615539,
                 1725658013221271, 2134892965117796
 #else
@@ -1771,7 +1771,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 522584000310195, 1241762481390450, 1743702789495384,
                 2227404127826575, 1686746002148897
 #else
@@ -1784,7 +1784,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 427904865186312, 1703211129693455, 1585368107547509,
                 1436984488744336, 761188534613978
 #else
@@ -1793,7 +1793,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 318101947455002, 248138407995851, 1481904195303927,
                 309278454311197, 1258516760217879
 #else
@@ -1802,7 +1802,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1275068538599310, 513726919533379, 349926553492294,
                 688428871968420, 1702400196000666
 #else
@@ -1813,7 +1813,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1061864036265233, 961611260325381, 321859632700838,
                 1045600629959517, 1985130202504038
 #else
@@ -1822,7 +1822,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1558816436882417, 1962896332636523, 1337709822062152,
                 1501413830776938, 294436165831932
 #else
@@ -1831,7 +1831,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 818359826554971, 1862173000996177, 626821592884859,
                 573655738872376, 1749691246745455
 #else
@@ -1842,7 +1842,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1988022651432119, 1082111498586040, 1834020786104821,
                 1454826876423687, 692929915223122
 #else
@@ -1851,7 +1851,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2146513703733331, 584788900394667, 464965657279958,
                 2183973639356127, 238371159456790
 #else
@@ -1860,7 +1860,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1129007025494441, 2197883144413266, 265142755578169,
                 971864464758890, 1983715884903702
 #else
@@ -1871,7 +1871,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1291366624493075, 381456718189114, 1711482489312444,
                 1815233647702022, 892279782992467
 #else
@@ -1880,7 +1880,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 444548969917454, 1452286453853356, 2113731441506810,
                 645188273895859, 810317625309512
 #else
@@ -1889,7 +1889,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2242724082797924, 1373354730327868, 1006520110883049,
                 2147330369940688, 1151816104883620
 #else
@@ -1900,7 +1900,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1745720200383796, 1911723143175317, 2056329390702074,
                 355227174309849, 879232794371100
 #else
@@ -1909,7 +1909,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 163723479936298, 115424889803150, 1156016391581227,
                 1894942220753364, 1970549419986329
 #else
@@ -1918,7 +1918,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 681981452362484, 267208874112496, 1374683991933094,
                 638600984916117, 646178654558546
 #else
@@ -1929,7 +1929,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 13378654854251, 106237307029567, 1944412051589651,
                 1841976767925457, 230702819835573
 #else
@@ -1938,7 +1938,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 260683893467075, 854060306077237, 913639551980112,
                 4704576840123, 280254810808712
 #else
@@ -1947,7 +1947,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 715374893080287, 1173334812210491, 1806524662079626,
                 1894596008000979, 398905715033393
 #else
@@ -1958,7 +1958,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 500026409727661, 1596431288195371, 1420380351989370,
                 985211561521489, 392444930785633
 #else
@@ -1967,7 +1967,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2096421546958141, 1922523000950363, 789831022876840,
                 427295144688779, 320923973161730
 #else
@@ -1976,7 +1976,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1927770723575450, 1485792977512719, 1850996108474547,
                 551696031508956, 2126047405475647
 #else
@@ -1987,7 +1987,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2112099158080148, 742570803909715, 6484558077432,
                 1951119898618916, 93090382703416
 #else
@@ -1996,7 +1996,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 383905201636970, 859946997631870, 855623867637644,
                 1017125780577795, 794250831877809
 #else
@@ -2005,7 +2005,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 77571826285752, 999304298101753, 487841111777762,
                 1038031143212339, 339066367948762
 #else
@@ -2018,7 +2018,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 674994775520533, 266035846330789, 826951213393478,
                 1405007746162285, 1781791018620876
 #else
@@ -2027,7 +2027,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1001412661522686, 348196197067298, 1666614366723946,
                 888424995032760, 580747687801357
 #else
@@ -2036,7 +2036,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1939560076207777, 1409892634407635, 552574736069277,
                 383854338280405, 190706709864139
 #else
@@ -2047,7 +2047,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2177087163428741, 1439255351721944, 1208070840382793,
                 2230616362004769, 1396886392021913
 #else
@@ -2056,7 +2056,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 676962063230039, 1880275537148808, 2046721011602706,
                 888463247083003, 1318301552024067
 #else
@@ -2065,7 +2065,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1466980508178206, 617045217998949, 652303580573628,
                 757303753529064, 207583137376902
 #else
@@ -2076,7 +2076,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1511056752906902, 105403126891277, 493434892772846,
                 1091943425335976, 1802717338077427
 #else
@@ -2085,7 +2085,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1853982405405128, 1878664056251147, 1528011020803992,
                 1019626468153565, 1128438412189035
 #else
@@ -2094,7 +2094,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1963939888391106, 293456433791664, 697897559513649,
                 985882796904380, 796244541237972
 #else
@@ -2105,7 +2105,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 416770998629779, 389655552427054, 1314476859406756,
                 1749382513022778, 1161905598739491
 #else
@@ -2114,7 +2114,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1428358296490651, 1027115282420478, 304840698058337,
                 441410174026628, 1819358356278573
 #else
@@ -2123,7 +2123,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 204943430200135, 1554861433819175, 216426658514651,
                 264149070665950, 2047097371738319
 #else
@@ -2134,7 +2134,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1934415182909034, 1393285083565062, 516409331772960,
                 1157690734993892, 121039666594268
 #else
@@ -2143,7 +2143,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 662035583584445, 286736105093098, 1131773000510616,
                 818494214211439, 472943792054479
 #else
@@ -2152,7 +2152,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 665784778135882, 1893179629898606, 808313193813106,
                 276797254706413, 1563426179676396
 #else
@@ -2163,7 +2163,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 945205108984232, 526277562959295, 1324180513733566,
                 1666970227868664, 153547609289173
 #else
@@ -2172,7 +2172,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2031433403516252, 203996615228162, 170487168837083,
                 981513604791390, 843573964916831
 #else
@@ -2181,7 +2181,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1476570093962618, 838514669399805, 1857930577281364,
                 2017007352225784, 317085545220047
 #else
@@ -2192,7 +2192,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1461557121912842, 1600674043318359, 2157134900399597,
                 1670641601940616, 127765583803283
 #else
@@ -2201,7 +2201,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1293543509393474, 2143624609202546, 1058361566797508,
                 214097127393994, 946888515472729
 #else
@@ -2210,7 +2210,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 357067959932916, 1290876214345711, 521245575443703,
                 1494975468601005, 800942377643885
 #else
@@ -2221,7 +2221,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 566116659100033, 820247422481740, 994464017954148,
                 327157611686365, 92591318111744
 #else
@@ -2230,7 +2230,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 617256647603209, 1652107761099439, 1857213046645471,
                 1085597175214970, 817432759830522
 #else
@@ -2239,7 +2239,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 771808161440705, 1323510426395069, 680497615846440,
                 851580615547985, 1320806384849017
 #else
@@ -2252,7 +2252,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1219260086131915, 647169006596815, 79601124759706,
                 2161724213426748, 404861897060198
 #else
@@ -2261,7 +2261,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1327968293887866, 1335500852943256, 1401587164534264,
                 558137311952440, 1551360549268902
 #else
@@ -2270,7 +2270,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 417621685193956, 1429953819744454, 396157358457099,
                 1940470778873255, 214000046234152
 #else
@@ -2281,7 +2281,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1268047918491973, 2172375426948536, 1533916099229249,
                 1761293575457130, 1590622667026765
 #else
@@ -2290,7 +2290,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1627072914981959, 2211603081280073, 1912369601616504,
                 1191770436221309, 2187309757525860
 #else
@@ -2299,7 +2299,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1149147819689533, 378692712667677, 828475842424202,
                 2218619146419342, 70688125792186
 #else
@@ -2310,7 +2310,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1299739417079761, 1438616663452759, 1536729078504412,
                 2053896748919838, 1008421032591246
 #else
@@ -2319,7 +2319,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2040723824657366, 399555637875075, 632543375452995,
                 872649937008051, 1235394727030233
 #else
@@ -2328,7 +2328,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2211311599327900, 2139787259888175, 938706616835350,
                 12609661139114, 2081897930719789
 #else
@@ -2339,7 +2339,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1324994503390450, 336982330582631, 1183998925654177,
                 1091654665913274, 48727673971319
 #else
@@ -2348,7 +2348,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1845522914617879, 1222198248335542, 150841072760134,
                 1927029069940982, 1189913404498011
 #else
@@ -2357,7 +2357,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1079559557592645, 2215338383666441, 1903569501302605,
                 49033973033940, 305703433934152
 #else
@@ -2368,7 +2368,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 94653405416909, 1386121349852999, 1062130477891762,
                 36553947479274, 833669648948846
 #else
@@ -2377,7 +2377,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1432015813136298, 440364795295369, 1395647062821501,
                 1976874522764578, 934452372723352
 #else
@@ -2386,7 +2386,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1296625309219774, 2068273464883862, 1858621048097805,
                 1492281814208508, 2235868981918946
 #else
@@ -2397,7 +2397,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1490330266465570, 1858795661361448, 1436241134969763,
                 294573218899647, 1208140011028933
 #else
@@ -2406,7 +2406,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1282462923712748, 741885683986255, 2027754642827561,
                 518989529541027, 1826610009555945
 #else
@@ -2415,7 +2415,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1525827120027511, 723686461809551, 1597702369236987,
                 244802101764964, 1502833890372311
 #else
@@ -2426,7 +2426,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 113622036244513, 1233740067745854, 674109952278496,
                 2114345180342965, 166764512856263
 #else
@@ -2435,7 +2435,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2041668749310338, 2184405322203901, 1633400637611036,
                 2110682505536899, 2048144390084644
 #else
@@ -2444,7 +2444,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 503058759232932, 760293024620937, 2027152777219493,
                 666858468148475, 1539184379870952
 #else
@@ -2455,7 +2455,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1916168475367211, 915626432541343, 883217071712575,
                 363427871374304, 1976029821251593
 #else
@@ -2464,7 +2464,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 678039535434506, 570587290189340, 1605302676614120,
                 2147762562875701, 1706063797091704
 #else
@@ -2473,7 +2473,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1439489648586438, 2194580753290951, 832380563557396,
                 561521973970522, 584497280718389
 #else
@@ -2486,7 +2486,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 187989455492609, 681223515948275, 1933493571072456,
                 1872921007304880, 488162364135671
 #else
@@ -2495,7 +2495,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1413466089534451, 410844090765630, 1397263346404072,
                 408227143123410, 1594561803147811
 #else
@@ -2504,7 +2504,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2102170800973153, 719462588665004, 1479649438510153,
                 1097529543970028, 1302363283777685
 #else
@@ -2515,7 +2515,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 942065717847195, 1069313679352961, 2007341951411051,
                 70973416446291, 1419433790163706
 #else
@@ -2524,7 +2524,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1146565545556377, 1661971299445212, 406681704748893,
                 564452436406089, 1109109865829139
 #else
@@ -2533,7 +2533,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2214421081775077, 1165671861210569, 1890453018796184,
                 3556249878661, 442116172656317
 #else
@@ -2544,7 +2544,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 753830546620811, 1666955059895019, 1530775289309243,
                 1119987029104146, 2164156153857580
 #else
@@ -2553,7 +2553,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 615171919212796, 1523849404854568, 854560460547503,
                 2067097370290715, 1765325848586042
 #else
@@ -2562,7 +2562,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1094538949313667, 1796592198908825, 870221004284388,
                 2025558921863561, 1699010892802384
 #else
@@ -2573,7 +2573,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1951351290725195, 1916457206844795, 198025184438026,
                 1909076887557595, 1938542290318919
 #else
@@ -2582,7 +2582,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1014323197538413, 869150639940606, 1756009942696599,
                 1334952557375672, 1544945379082874
 #else
@@ -2591,7 +2591,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 764055910920305, 1603590757375439, 146805246592357,
                 1843313433854297, 954279890114939
 #else
@@ -2602,7 +2602,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 80113526615750, 764536758732259, 1055139345100233,
                 469252651759390, 617897512431515
 #else
@@ -2611,7 +2611,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 74497112547268, 740094153192149, 1745254631717581,
                 727713886503130, 1283034364416928
 #else
@@ -2620,7 +2620,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 525892105991110, 1723776830270342, 1476444848991936,
                 573789489857760, 133864092632978
 #else
@@ -2631,7 +2631,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 542611720192581, 1986812262899321, 1162535242465837,
                 481498966143464, 544600533583622
 #else
@@ -2640,7 +2640,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 64123227344372, 1239927720647794, 1360722983445904,
                 222610813654661, 62429487187991
 #else
@@ -2649,7 +2649,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1793193323953132, 91096687857833, 70945970938921,
                 2158587638946380, 1537042406482111
 #else
@@ -2660,7 +2660,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1895854577604609, 1394895708949416, 1728548428495944,
                 1140864900240149, 563645333603061
 #else
@@ -2669,7 +2669,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 141358280486863, 91435889572504, 1087208572552643,
                 1829599652522921, 1193307020643647
 #else
@@ -2678,7 +2678,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1611230858525381, 950720175540785, 499589887488610,
                 2001656988495019, 88977313255908
 #else
@@ -2689,7 +2689,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1189080501479658, 2184348804772597, 1040818725742319,
                 2018318290311834, 1712060030915354
 #else
@@ -2698,7 +2698,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 873966876953756, 1090638350350440, 1708559325189137,
                 672344594801910, 1320437969700239
 #else
@@ -2707,7 +2707,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1508590048271766, 1131769479776094, 101550868699323,
                 428297785557897, 561791648661744
 #else
@@ -2720,7 +2720,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 756417570499462, 237882279232602, 2136263418594016,
                 1701968045454886, 703713185137472
 #else
@@ -2729,7 +2729,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1781187809325462, 1697624151492346, 1381393690939988,
                 175194132284669, 1483054666415238
 #else
@@ -2738,7 +2738,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2175517777364616, 708781536456029, 955668231122942,
                 1967557500069555, 2021208005604118
 #else
@@ -2749,7 +2749,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1115135966606887, 224217372950782, 915967306279222,
                 593866251291540, 561747094208006
 #else
@@ -2758,7 +2758,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1443163092879439, 391875531646162, 2180847134654632,
                 464538543018753, 1594098196837178
 #else
@@ -2767,7 +2767,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 850858855888869, 319436476624586, 327807784938441,
                 740785849558761, 17128415486016
 #else
@@ -2778,7 +2778,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2132756334090067, 536247820155645, 48907151276867,
                 608473197600695, 1261689545022784
 #else
@@ -2787,7 +2787,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1525176236978354, 974205476721062, 293436255662638,
                 148269621098039, 137961998433963
 #else
@@ -2796,7 +2796,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1121075518299410, 2071745529082111, 1265567917414828,
                 1648196578317805, 496232102750820
 #else
@@ -2807,7 +2807,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 122321229299801, 1022922077493685, 2001275453369484,
                 2017441881607947, 993205880778002
 #else
@@ -2816,7 +2816,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 654925550560074, 1168810995576858, 575655959430926,
                 905758704861388, 496774564663534
 #else
@@ -2825,7 +2825,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1954109525779738, 2117022646152485, 338102630417180,
                 1194140505732026, 107881734943492
 #else
@@ -2836,7 +2836,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1714785840001267, 2036500018681589, 1876380234251966,
                 2056717182974196, 1645855254384642
 #else
@@ -2845,7 +2845,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 106431476499341, 62482972120563, 1513446655109411,
                 807258751769522, 538491469114
 #else
@@ -2854,7 +2854,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2002850762893643, 1243624520538135, 1486040410574605,
                 2184752338181213, 378495998083531
 #else
@@ -2865,7 +2865,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 922510868424903, 1089502620807680, 402544072617374,
                 1131446598479839, 1290278588136533
 #else
@@ -2874,7 +2874,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1867998812076769, 715425053580701, 39968586461416,
                 2173068014586163, 653822651801304
 #else
@@ -2883,7 +2883,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 162892278589453, 182585796682149, 75093073137630,
                 497037941226502, 133871727117371
 #else
@@ -2894,7 +2894,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1914596576579670, 1608999621851578, 1987629837704609,
                 1519655314857977, 1819193753409464
 #else
@@ -2903,7 +2903,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1949315551096831, 1069003344994464, 1939165033499916,
                 1548227205730856, 1933767655861407
 #else
@@ -2912,7 +2912,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1730519386931635, 1393284965610134, 1597143735726030,
                 416032382447158, 1429665248828629
 #else
@@ -2923,7 +2923,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 360275475604565, 547835731063078, 215360904187529,
                 596646739879007, 332709650425085
 #else
@@ -2932,7 +2932,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 47602113726801, 1522314509708010, 437706261372925,
                 814035330438027, 335930650933545
 #else
@@ -2941,7 +2941,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1291597595523886, 1058020588994081, 402837842324045,
                 1363323695882781, 2105763393033193
 #else
@@ -2954,7 +2954,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 109521982566564, 1715257748585139, 1112231216891516,
                 2046641005101484, 134249157157013
 #else
@@ -2963,7 +2963,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2156991030936798, 2227544497153325, 1869050094431622,
                 754875860479115, 1754242344267058
 #else
@@ -2972,7 +2972,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1846089562873800, 98894784984326, 1412430299204844,
                 171351226625762, 1100604760929008
 #else
@@ -2983,7 +2983,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 84172382130492, 499710970700046, 425749630620778,
                 1762872794206857, 612842602127960
 #else
@@ -2992,7 +2992,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 868309334532756, 1703010512741873, 1952690008738057,
                 4325269926064, 2071083554962116
 #else
@@ -3001,7 +3001,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 523094549451158, 401938899487815, 1407690589076010,
                 2022387426254453, 158660516411257
 #else
@@ -3012,7 +3012,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 612867287630009, 448212612103814, 571629077419196,
                 1466796750919376, 1728478129663858
 #else
@@ -3021,7 +3021,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1723848973783452, 2208822520534681, 1718748322776940,
                 1974268454121942, 1194212502258141
 #else
@@ -3030,7 +3030,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1254114807944608, 977770684047110, 2010756238954993,
                 1783628927194099, 1525962994408256
 #else
@@ -3041,7 +3041,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 232464058235826, 1948628555342434, 1835348780427694,
                 1031609499437291, 64472106918373
 #else
@@ -3050,7 +3050,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 767338676040683, 754089548318405, 1523192045639075,
                 435746025122062, 512692508440385
 #else
@@ -3059,7 +3059,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1255955808701983, 1700487367990941, 1166401238800299,
                 1175121994891534, 1190934801395380
 #else
@@ -3070,7 +3070,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 349144008168292, 1337012557669162, 1475912332999108,
                 1321618454900458, 47611291904320
 #else
@@ -3079,7 +3079,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 877519947135419, 2172838026132651, 272304391224129,
                 1655143327559984, 886229406429814
 #else
@@ -3088,7 +3088,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 375806028254706, 214463229793940, 572906353144089,
                 572168269875638, 697556386112979
 #else
@@ -3099,7 +3099,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1168827102357844, 823864273033637, 2071538752104697,
                 788062026895924, 599578340743362
 #else
@@ -3108,7 +3108,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1948116082078088, 2054898304487796, 2204939184983900,
                 210526805152138, 786593586607626
 #else
@@ -3117,7 +3117,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1915320147894736, 156481169009469, 655050471180417,
                 592917090415421, 2165897438660879
 #else
@@ -3128,7 +3128,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1726336468579724, 1119932070398949, 1929199510967666,
                 33918788322959, 1836837863503150
 #else
@@ -3137,7 +3137,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 829996854845988, 217061778005138, 1686565909803640,
                 1346948817219846, 1723823550730181
 #else
@@ -3146,7 +3146,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 384301494966394, 687038900403062, 2211195391021739,
                 254684538421383, 1245698430589680
 #else
@@ -3157,7 +3157,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1247567493562688, 1978182094455847, 183871474792955,
                 806570235643435, 288461518067916
 #else
@@ -3166,7 +3166,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1449077384734201, 38285445457996, 2136537659177832,
                 2146493000841573, 725161151123125
 #else
@@ -3175,7 +3175,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1201928866368855, 800415690605445, 1703146756828343,
                 997278587541744, 1858284414104014
 #else
@@ -3188,7 +3188,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 356468809648877, 782373916933152, 1718002439402870,
                 1392222252219254, 663171266061951
 #else
@@ -3197,7 +3197,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 759628738230460, 1012693474275852, 353780233086498,
                 246080061387552, 2030378857679162
 #else
@@ -3206,7 +3206,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2040672435071076, 888593182036908, 1298443657189359,
                 1804780278521327, 354070726137060
 #else
@@ -3217,7 +3217,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1894938527423184, 1463213041477277, 474410505497651,
                 247294963033299, 877975941029128
 #else
@@ -3226,7 +3226,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 207937160991127, 12966911039119, 820997788283092,
                 1010440472205286, 1701372890140810
 #else
@@ -3235,7 +3235,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 218882774543183, 533427444716285, 1233243976733245,
                 435054256891319, 1509568989549904
 #else
@@ -3246,7 +3246,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1888838535711826, 1052177758340622, 1213553803324135,
                 169182009127332, 463374268115872
 #else
@@ -3255,7 +3255,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 299137589460312, 1594371588983567, 868058494039073,
                 257771590636681, 1805012993142921
 #else
@@ -3264,7 +3264,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1806842755664364, 2098896946025095, 1356630998422878,
                 1458279806348064, 347755825962072
 #else
@@ -3275,7 +3275,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1402334161391744, 1560083671046299, 1008585416617747,
                 1147797150908892, 1420416683642459
 #else
@@ -3284,7 +3284,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 665506704253369, 273770475169863, 799236974202630,
                 848328990077558, 1811448782807931
 #else
@@ -3293,7 +3293,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1468412523962641, 771866649897997, 1931766110147832,
                 799561180078482, 524837559150077
 #else
@@ -3304,7 +3304,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2223212657821850, 630416247363666, 2144451165500328,
                 816911130947791, 1024351058410032
 #else
@@ -3313,7 +3313,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1266603897524861, 156378408858100, 1275649024228779,
                 447738405888420, 253186462063095
 #else
@@ -3322,7 +3322,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2022215964509735, 136144366993649, 1800716593296582,
                 1193970603800203, 871675847064218
 #else
@@ -3333,7 +3333,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1862751661970328, 851596246739884, 1519315554814041,
                 1542798466547449, 1417975335901520
 #else
@@ -3342,7 +3342,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1228168094547481, 334133883362894, 587567568420081,
                 433612590281181, 603390400373205
 #else
@@ -3351,7 +3351,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 121893973206505, 1843345804916664, 1703118377384911,
                 497810164760654, 101150811654673
 #else
@@ -3362,7 +3362,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 458346255946468, 290909935619344, 1452768413850679,
                 550922875254215, 1537286854336538
 #else
@@ -3371,7 +3371,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 584322311184395, 380661238802118, 114839394528060,
                 655082270500073, 2111856026034852
 #else
@@ -3380,7 +3380,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 996965581008991, 2148998626477022, 1012273164934654,
                 1073876063914522, 1688031788934939
 #else
@@ -3391,7 +3391,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 923487018849600, 2085106799623355, 528082801620136,
                 1606206360876188, 735907091712524
 #else
@@ -3400,7 +3400,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1697697887804317, 1335343703828273, 831288615207040,
                 949416685250051, 288760277392022
 #else
@@ -3409,7 +3409,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1419122478109648, 1325574567803701, 602393874111094,
                 2107893372601700, 1314159682671307
 #else
@@ -3422,7 +3422,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2201150872731804, 2180241023425241, 97663456423163,
                 1633405770247824, 848945042443986
 #else
@@ -3431,7 +3431,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1173339555550611, 818605084277583, 47521504364289,
                 924108720564965, 735423405754506
 #else
@@ -3440,7 +3440,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 830104860549448, 1886653193241086, 1600929509383773,
                 1475051275443631, 286679780900937
 #else
@@ -3451,7 +3451,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1577111294832995, 1030899169768747, 144900916293530,
                 1964672592979567, 568390100955250
 #else
@@ -3460,7 +3460,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 278388655910247, 487143369099838, 927762205508727,
                 181017540174210, 1616886700741287
 #else
@@ -3469,7 +3469,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1191033906638969, 940823957346562, 1606870843663445,
                 861684761499847, 658674867251089
 #else
@@ -3480,7 +3480,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1875032594195546, 1427106132796197, 724736390962158,
                 901860512044740, 635268497268760
 #else
@@ -3489,7 +3489,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 622869792298357, 1903919278950367, 1922588621661629,
                 1520574711600434, 1087100760174640
 #else
@@ -3498,7 +3498,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 25465949416618, 1693639527318811, 1526153382657203,
                 125943137857169, 145276964043999
 #else
@@ -3509,7 +3509,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 214739857969358, 920212862967915, 1939901550972269,
                 1211862791775221, 85097515720120
 #else
@@ -3518,7 +3518,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2006245852772938, 734762734836159, 254642929763427,
                 1406213292755966, 239303749517686
 #else
@@ -3527,7 +3527,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1619678837192149, 1919424032779215, 1357391272956794,
                 1525634040073113, 1310226789796241
 #else
@@ -3538,7 +3538,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1040763709762123, 1704449869235352, 605263070456329,
                 1998838089036355, 1312142911487502
 #else
@@ -3547,7 +3547,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1996723311435669, 1844342766567060, 985455700466044,
                 1165924681400960, 311508689870129
 #else
@@ -3556,7 +3556,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 43173156290518, 2202883069785309, 1137787467085917,
                 1733636061944606, 1394992037553852
 #else
@@ -3567,7 +3567,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 670078326344559, 555655025059356, 471959386282438,
                 2141455487356409, 849015953823125
 #else
@@ -3576,7 +3576,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2197214573372804, 794254097241315, 1030190060513737,
                 267632515541902, 2040478049202624
 #else
@@ -3585,7 +3585,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1812516004670529, 1609256702920783, 1706897079364493,
                 258549904773295, 996051247540686
 #else
@@ -3596,7 +3596,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1540374301420584, 1764656898914615, 1810104162020396,
                 923808779163088, 664390074196579
 #else
@@ -3605,7 +3605,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1323460699404750, 1262690757880991, 871777133477900,
                 1060078894988977, 1712236889662886
 #else
@@ -3614,7 +3614,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1696163952057966, 1391710137550823, 608793846867416,
                 1034391509472039, 1780770894075012
 #else
@@ -3625,7 +3625,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1367603834210841, 2131988646583224, 890353773628144,
                 1908908219165595, 270836895252891
 #else
@@ -3634,7 +3634,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 597536315471731, 40375058742586, 1942256403956049,
                 1185484645495932, 312666282024145
 #else
@@ -3643,7 +3643,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1919411405316294, 1234508526402192, 1066863051997083,
                 1008444703737597, 1348810787701552
 #else
@@ -3656,7 +3656,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2102881477513865, 1570274565945361, 1573617900503708,
                 18662635732583, 2232324307922098
 #else
@@ -3665,7 +3665,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1853931367696942, 8107973870707, 350214504129299,
                 775206934582587, 1752317649166792
 #else
@@ -3674,7 +3674,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1417148368003523, 721357181628282, 505725498207811,
                 373232277872983, 261634707184480
 #else
@@ -3685,7 +3685,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2186733281493267, 2250694917008620, 1014829812957440,
                 479998161452389, 83566193876474
 #else
@@ -3694,7 +3694,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1268116367301224, 560157088142809, 802626839600444,
                 2210189936605713, 1129993785579988
 #else
@@ -3703,7 +3703,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 615183387352312, 917611676109240, 878893615973325,
                 978940963313282, 938686890583575
 #else
@@ -3714,7 +3714,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 522024729211672, 1045059315315808, 1892245413707790,
                 1907891107684253, 2059998109500714
 #else
@@ -3723,7 +3723,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1799679152208884, 912132775900387, 25967768040979,
                 432130448590461, 274568990261996
 #else
@@ -3732,7 +3732,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 98698809797682, 2144627600856209, 1907959298569602,
                 811491302610148, 1262481774981493
 #else
@@ -3743,7 +3743,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1791451399743152, 1713538728337276, 118349997257490,
                 1882306388849954, 158235232210248
 #else
@@ -3752,7 +3752,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1217809823321928, 2173947284933160, 1986927836272325,
                 1388114931125539, 12686131160169
 #else
@@ -3761,7 +3761,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1650875518872272, 1136263858253897, 1732115601395988,
                 734312880662190, 1252904681142109
 #else
@@ -3772,7 +3772,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 372986456113865, 525430915458171, 2116279931702135,
                 501422713587815, 1907002872974925
 #else
@@ -3781,7 +3781,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 803147181835288, 868941437997146, 316299302989663,
                 943495589630550, 571224287904572
 #else
@@ -3790,7 +3790,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 227742695588364, 1776969298667369, 628602552821802,
                 457210915378118, 2041906378111140
 #else
@@ -3801,7 +3801,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 815000523470260, 913085688728307, 1052060118271173,
                 1345536665214223, 541623413135555
 #else
@@ -3810,7 +3810,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1580216071604333, 1877997504342444, 857147161260913,
                 703522726778478, 2182763974211603
 #else
@@ -3819,7 +3819,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1870080310923419, 71988220958492, 1783225432016732,
                 615915287105016, 1035570475990230
 #else
@@ -3830,7 +3830,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 730987750830150, 857613889540280, 1083813157271766,
                 1002817255970169, 1719228484436074
 #else
@@ -3839,7 +3839,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 377616581647602, 1581980403078513, 804044118130621,
                 2034382823044191, 643844048472185
 #else
@@ -3848,7 +3848,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 176957326463017, 1573744060478586, 528642225008045,
                 1816109618372371, 1515140189765006
 #else
@@ -3859,7 +3859,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1888911448245718, 1387110895611080, 1924503794066429,
                 1731539523700949, 2230378382645454
 #else
@@ -3868,7 +3868,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 443392177002051, 233793396845137, 2199506622312416,
                 1011858706515937, 974676837063129
 #else
@@ -3877,7 +3877,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1846351103143623, 1949984838808427, 671247021915253,
                 1946756846184401, 1929296930380217
 #else
@@ -3890,7 +3890,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 849646212452002, 1410198775302919, 73767886183695,
                 1641663456615812, 762256272452411
 #else
@@ -3899,7 +3899,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 692017667358279, 723305578826727, 1638042139863265,
                 748219305990306, 334589200523901
 #else
@@ -3908,7 +3908,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 22893968530686, 2235758574399251, 1661465835630252,
                 925707319443452, 1203475116966621
 #else
@@ -3919,7 +3919,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 801299035785166, 1733292596726131, 1664508947088596,
                 467749120991922, 1647498584535623
 #else
@@ -3928,7 +3928,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 903105258014366, 427141894933047, 561187017169777,
                 1884330244401954, 1914145708422219
 #else
@@ -3937,7 +3937,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1344191060517578, 1960935031767890, 1518838929955259,
                 1781502350597190, 1564784025565682
 #else
@@ -3948,7 +3948,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 673723351748086, 1979969272514923, 1175287312495508,
                 1187589090978666, 1881897672213940
 #else
@@ -3957,7 +3957,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1917185587363432, 1098342571752737, 5935801044414,
                 2000527662351839, 1538640296181569
 #else
@@ -3966,7 +3966,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2495540013192, 678856913479236, 224998292422872,
                 219635787698590, 1972465269000940
 #else
@@ -3977,7 +3977,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 271413961212179, 1353052061471651, 344711291283483,
                 2014925838520662, 2006221033113941
 #else
@@ -3986,7 +3986,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 194583029968109, 514316781467765, 829677956235672,
                 1676415686873082, 810104584395840
 #else
@@ -3995,7 +3995,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1980510813313589, 1948645276483975, 152063780665900,
                 129968026417582, 256984195613935
 #else
@@ -4006,7 +4006,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1860190562533102, 1936576191345085, 461100292705964,
                 1811043097042830, 957486749306835
 #else
@@ -4015,7 +4015,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 796664815624365, 1543160838872951, 1500897791837765,
                 1667315977988401, 599303877030711
 #else
@@ -4024,7 +4024,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1151480509533204, 2136010406720455, 738796060240027,
                 319298003765044, 1150614464349587
 #else
@@ -4035,7 +4035,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1731069268103150, 735642447616087, 1364750481334268,
                 417232839982871, 927108269127661
 #else
@@ -4044,7 +4044,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1017222050227968, 1987716148359, 2234319589635701,
                 621282683093392, 2132553131763026
 #else
@@ -4053,7 +4053,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1567828528453324, 1017807205202360, 565295260895298,
                 829541698429100, 307243822276582
 #else
@@ -4064,7 +4064,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 249079270936248, 1501514259790706, 947909724204848,
                 944551802437487, 552658763982480
 #else
@@ -4073,7 +4073,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2089966982947227, 1854140343916181, 2151980759220007,
                 2139781292261749, 158070445864917
 #else
@@ -4082,7 +4082,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1338766321464554, 1906702607371284, 1519569445519894,
                 115384726262267, 1393058953390992
 #else
@@ -4093,7 +4093,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1364621558265400, 1512388234908357, 1926731583198686,
                 2041482526432505, 920401122333774
 #else
@@ -4102,7 +4102,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1884844597333588, 601480070269079, 620203503079537,
                 1079527400117915, 1202076693132015
 #else
@@ -4111,7 +4111,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 840922919763324, 727955812569642, 1303406629750194,
                 522898432152867, 294161410441865
 #else
@@ -4124,7 +4124,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 353760790835310, 1598361541848743, 1122905698202299,
                 1922533590158905, 419107700666580
 #else
@@ -4133,7 +4133,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 359856369838236, 180914355488683, 861726472646627,
                 218807937262986, 575626773232501
 #else
@@ -4142,7 +4142,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 755467689082474, 909202735047934, 730078068932500,
                 936309075711518, 2007798262842972
 #else
@@ -4153,7 +4153,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1609384177904073, 362745185608627, 1335318541768201,
                 800965770436248, 547877979267412
 #else
@@ -4162,7 +4162,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 984339177776787, 815727786505884, 1645154585713747,
                 1659074964378553, 1686601651984156
 #else
@@ -4171,7 +4171,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1697863093781930, 599794399429786, 1104556219769607,
                 830560774794755, 12812858601017
 #else
@@ -4182,7 +4182,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1168737550514982, 897832437380552, 463140296333799,
                 302564600022547, 2008360505135501
 #else
@@ -4191,7 +4191,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1856930662813910, 678090852002597, 1920179140755167,
                 1259527833759868, 55540971895511
 #else
@@ -4200,7 +4200,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1158643631044921, 476554103621892, 178447851439725,
                 1305025542653569, 103433927680625
 #else
@@ -4211,7 +4211,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2176793111709008, 1576725716350391, 2009350167273523,
                 2012390194631546, 2125297410909580
 #else
@@ -4220,7 +4220,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 825403285195098, 2144208587560784, 1925552004644643,
                 1915177840006985, 1015952128947864
 #else
@@ -4229,7 +4229,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1807108316634472, 1534392066433717, 347342975407218,
                 1153820745616376, 7375003497471
 #else
@@ -4240,7 +4240,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 983061001799725, 431211889901241, 2201903782961093,
                 817393911064341, 2214616493042167
 #else
@@ -4249,7 +4249,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 228567918409756, 865093958780220, 358083886450556,
                 159617889659320, 1360637926292598
 #else
@@ -4258,7 +4258,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 234147501399755, 2229469128637390, 2175289352258889,
                 1397401514549353, 1885288963089922
 #else
@@ -4269,7 +4269,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1111762412951562, 252849572507389, 1048714233823341,
                 146111095601446, 1237505378776770
 #else
@@ -4278,7 +4278,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1113790697840279, 1051167139966244, 1045930658550944,
                 2011366241542643, 1686166824620755
 #else
@@ -4287,7 +4287,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1054097349305049, 1872495070333352, 182121071220717,
                 1064378906787311, 100273572924182
 #else
@@ -4298,7 +4298,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1306410853171605, 1627717417672447, 50983221088417,
                 1109249951172250, 870201789081392
 #else
@@ -4307,7 +4307,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 104233794644221, 1548919791188248, 2224541913267306,
                 2054909377116478, 1043803389015153
 #else
@@ -4316,7 +4316,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 216762189468802, 707284285441622, 190678557969733,
                 973969342604308, 1403009538434867
 #else
@@ -4327,7 +4327,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1279024291038477, 344776835218310, 273722096017199,
                 1834200436811442, 634517197663804
 #else
@@ -4336,7 +4336,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 343805853118335, 1302216857414201, 566872543223541,
                 2051138939539004, 321428858384280
 #else
@@ -4345,7 +4345,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 470067171324852, 1618629234173951, 2000092177515639,
                 7307679772789, 1117521120249968
 #else
@@ -4358,7 +4358,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 278151578291475, 1810282338562947, 1771599529530998,
                 1383659409671631, 685373414471841
 #else
@@ -4367,7 +4367,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 577009397403102, 1791440261786291, 2177643735971638,
                 174546149911960, 1412505077782326
 #else
@@ -4376,7 +4376,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 893719721537457, 1201282458018197, 1522349501711173,
                 58011597740583, 1130406465887139
 #else
@@ -4387,7 +4387,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 412607348255453, 1280455764199780, 2233277987330768,
                 14180080401665, 331584698417165
 #else
@@ -4396,7 +4396,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 262483770854550, 990511055108216, 526885552771698,
                 571664396646158, 354086190278723
 #else
@@ -4405,7 +4405,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1820352417585487, 24495617171480, 1547899057533253,
                 10041836186225, 480457105094042
 #else
@@ -4416,7 +4416,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2023310314989233, 637905337525881, 2106474638900687,
                 557820711084072, 1687858215057826
 #else
@@ -4425,7 +4425,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1144168702609745, 604444390410187, 1544541121756138,
                 1925315550126027, 626401428894002
 #else
@@ -4434,7 +4434,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1922168257351784, 2018674099908659, 1776454117494445,
                 956539191509034, 36031129147635
 #else
@@ -4445,7 +4445,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 544644538748041, 1039872944430374, 876750409130610,
                 710657711326551, 1216952687484972
 #else
@@ -4454,7 +4454,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 58242421545916, 2035812695641843, 2118491866122923,
                 1191684463816273, 46921517454099
 #else
@@ -4463,7 +4463,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 272268252444639, 1374166457774292, 2230115177009552,
                 1053149803909880, 1354288411641016
 #else
@@ -4474,7 +4474,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1857910905368338, 1754729879288912, 885945464109877,
                 1516096106802166, 1602902393369811
 #else
@@ -4483,7 +4483,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1193437069800958, 901107149704790, 999672920611411,
                 477584824802207, 364239578697845
 #else
@@ -4492,7 +4492,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 886299989548838, 1538292895758047, 1590564179491896,
                 1944527126709657, 837344427345298
 #else
@@ -4503,7 +4503,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 754558365378305, 1712186480903618, 1703656826337531,
                 750310918489786, 518996040250900
 #else
@@ -4512,7 +4512,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1309847803895382, 1462151862813074, 211370866671570,
                 1544595152703681, 1027691798954090
 #else
@@ -4521,7 +4521,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 803217563745370, 1884799722343599, 1357706345069218,
                 2244955901722095, 730869460037413
 #else
@@ -4532,7 +4532,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 689299471295966, 1831210565161071, 1375187341585438,
                 1106284977546171, 1893781834054269
 #else
@@ -4541,7 +4541,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 696351368613042, 1494385251239250, 738037133616932,
                 636385507851544, 927483222611406
 #else
@@ -4550,7 +4550,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1949114198209333, 1104419699537997, 783495707664463,
                 1747473107602770, 2002634765788641
 #else
@@ -4561,7 +4561,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1607325776830197, 530883941415333, 1451089452727895,
                 1581691157083423, 496100432831154
 #else
@@ -4570,7 +4570,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1068900648804224, 2006891997072550, 1134049269345549,
                 1638760646180091, 2055396084625778
 #else
@@ -4579,7 +4579,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2222475519314561, 1870703901472013, 1884051508440561,
                 1344072275216753, 1318025677799069
 #else
@@ -4592,7 +4592,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 155711679280656, 681100400509288, 389811735211209,
                 2135723811340709, 408733211204125
 #else
@@ -4601,7 +4601,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 7813206966729, 194444201427550, 2071405409526507,
                 1065605076176312, 1645486789731291
 #else
@@ -4610,7 +4610,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 16625790644959, 1647648827778410, 1579910185572704,
                 436452271048548, 121070048451050
 #else
@@ -4621,7 +4621,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1037263028552531, 568385780377829, 297953104144430,
                 1558584511931211, 2238221839292471
 #else
@@ -4630,7 +4630,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 190565267697443, 672855706028058, 338796554369226,
                 337687268493904, 853246848691734
 #else
@@ -4639,7 +4639,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1763863028400139, 766498079432444, 1321118624818005,
                 69494294452268, 858786744165651
 #else
@@ -4650,7 +4650,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1292056768563024, 1456632109855638, 1100631247050184,
                 1386133165675321, 1232898350193752
 #else
@@ -4659,7 +4659,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 366253102478259, 525676242508811, 1449610995265438,
                 1183300845322183, 185960306491545
 #else
@@ -4668,7 +4668,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 28315355815982, 460422265558930, 1799675876678724,
                 1969256312504498, 1051823843138725
 #else
@@ -4679,7 +4679,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 156914999361983, 1606148405719949, 1665208410108430,
                 317643278692271, 1383783705665320
 #else
@@ -4688,7 +4688,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 54684536365732, 2210010038536222, 1194984798155308,
                 535239027773705, 1516355079301361
 #else
@@ -4697,7 +4697,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1484387703771650, 198537510937949, 2186282186359116,
                 617687444857508, 647477376402122
 #else
@@ -4708,7 +4708,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2147715541830533, 500032538445817, 646380016884826,
                 352227855331122, 1488268620408052
 #else
@@ -4717,7 +4717,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 159386186465542, 1877626593362941, 618737197060512,
                 1026674284330807, 1158121760792685
 #else
@@ -4726,7 +4726,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1744544377739822, 1964054180355661, 1685781755873170,
                 2169740670377448, 1286112621104591
 #else
@@ -4737,7 +4737,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 81977249784993, 1667943117713086, 1668983819634866,
                 1605016835177615, 1353960708075544
 #else
@@ -4746,7 +4746,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1602253788689063, 439542044889886, 2220348297664483,
                 657877410752869, 157451572512238
 #else
@@ -4755,7 +4755,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1029287186166717, 65860128430192, 525298368814832,
                 1491902500801986, 1461064796385400
 #else
@@ -4766,7 +4766,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 408216988729246, 2121095722306989, 913562102267595,
                 1879708920318308, 241061448436731
 #else
@@ -4775,7 +4775,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1185483484383269, 1356339572588553, 584932367316448,
                 102132779946470, 1792922621116791
 #else
@@ -4784,7 +4784,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1966196870701923, 2230044620318636, 1425982460745905,
                 261167817826569, 46517743394330
 #else
@@ -4795,7 +4795,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 107077591595359, 884959942172345, 27306869797400,
                 2224911448949390, 964352058245223
 #else
@@ -4804,7 +4804,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1730194207717538, 431790042319772, 1831515233279467,
                 1372080552768581, 1074513929381760
 #else
@@ -4813,7 +4813,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1450880638731607, 1019861580989005, 1229729455116861,
                 1174945729836143, 826083146840706
 #else
@@ -4826,7 +4826,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1899935429242705, 1602068751520477, 940583196550370,
                 82431069053859, 1540863155745696
 #else
@@ -4835,7 +4835,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2136688454840028, 2099509000964294, 1690800495246475,
                 1217643678575476, 828720645084218
 #else
@@ -4844,7 +4844,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 765548025667841, 462473984016099, 998061409979798,
                 546353034089527, 2212508972466858
 #else
@@ -4855,7 +4855,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 46575283771160, 892570971573071, 1281983193144090,
                 1491520128287375, 75847005908304
 #else
@@ -4864,7 +4864,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1801436127943107, 1734436817907890, 1268728090345068,
                 167003097070711, 2233597765834956
 #else
@@ -4873,7 +4873,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1997562060465113, 1048700225534011, 7615603985628,
                 1855310849546841, 2242557647635213
 #else
@@ -4884,7 +4884,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1161017320376250, 492624580169043, 2169815802355237,
                 976496781732542, 1770879511019629
 #else
@@ -4893,7 +4893,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1357044908364776, 729130645262438, 1762469072918979,
                 1365633616878458, 181282906404941
 #else
@@ -4902,7 +4902,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1080413443139865, 1155205815510486, 1848782073549786,
                 622566975152580, 124965574467971
 #else
@@ -4913,7 +4913,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1184526762066993, 247622751762817, 692129017206356,
                 820018689412496, 2188697339828085
 #else
@@ -4922,7 +4922,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2020536369003019, 202261491735136, 1053169669150884,
                 2056531979272544, 778165514694311
 #else
@@ -4931,7 +4931,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 237404399610207, 1308324858405118, 1229680749538400,
                 720131409105291, 1958958863624906
 #else
@@ -4942,7 +4942,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 515583508038846, 17656978857189, 1717918437373989,
                 1568052070792483, 46975803123923
 #else
@@ -4951,7 +4951,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 281527309158085, 36970532401524, 866906920877543,
                 2222282602952734, 1289598729589882
 #else
@@ -4960,7 +4960,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1278207464902042, 494742455008756, 1262082121427081,
                 1577236621659884, 1888786707293291
 #else
@@ -4971,7 +4971,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 353042527954210, 1830056151907359, 1111731275799225,
                 174960955838824, 404312815582675
 #else
@@ -4980,7 +4980,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2064251142068628, 1666421603389706, 1419271365315441,
                 468767774902855, 191535130366583
 #else
@@ -4989,7 +4989,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1716987058588002, 1859366439773457, 1767194234188234,
                 64476199777924, 1117233614485261
 #else
@@ -5000,7 +5000,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 984292135520292, 135138246951259, 2220652137473167,
                 1722843421165029, 190482558012909
 #else
@@ -5009,7 +5009,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 298845952651262, 1166086588952562, 1179896526238434,
                 1347812759398693, 1412945390096208
 #else
@@ -5018,7 +5018,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1143239552672925, 906436640714209, 2177000572812152,
                 2075299936108548, 325186347798433
 #else
@@ -5029,7 +5029,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 721024854374772, 684487861263316, 1373438744094159,
                 2193186935276995, 1387043709851261
 #else
@@ -5038,7 +5038,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 418098668140962, 715065997721283, 1471916138376055,
                 2168570337288357, 937812682637044
 #else
@@ -5047,7 +5047,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1043584187226485, 2143395746619356, 2209558562919611,
                 482427979307092, 847556718384018
 #else
@@ -5060,7 +5060,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1248731221520759, 1465200936117687, 540803492710140,
                 52978634680892, 261434490176109
 #else
@@ -5069,7 +5069,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1057329623869501, 620334067429122, 461700859268034,
                 2012481616501857, 297268569108938
 #else
@@ -5078,7 +5078,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1055352180870759, 1553151421852298, 1510903185371259,
                 1470458349428097, 1226259419062731
 #else
@@ -5089,7 +5089,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1492988790301668, 790326625573331, 1190107028409745,
                 1389394752159193, 1620408196604194
 #else
@@ -5098,7 +5098,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 47000654413729, 1004754424173864, 1868044813557703,
                 173236934059409, 588771199737015
 #else
@@ -5107,7 +5107,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 30498470091663, 1082245510489825, 576771653181956,
                 806509986132686, 1317634017056939
 #else
@@ -5118,7 +5118,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 420308055751555, 1493354863316002, 165206721528088,
                 1884845694919786, 2065456951573059
 #else
@@ -5127,7 +5127,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1115636332012334, 1854340990964155, 83792697369514,
                 1972177451994021, 457455116057587
 #else
@@ -5136,7 +5136,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1698968457310898, 1435137169051090, 1083661677032510,
                 938363267483709, 340103887207182
 #else
@@ -5147,7 +5147,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1995325341336574, 911500251774648, 164010755403692,
                 855378419194762, 1573601397528842
 #else
@@ -5156,7 +5156,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 241719380661528, 310028521317150, 1215881323380194,
                 1408214976493624, 2141142156467363
 #else
@@ -5165,7 +5165,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1315157046163473, 727368447885818, 1363466668108618,
                 1668921439990361, 1398483384337907
 #else
@@ -5176,7 +5176,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 75029678299646, 1015388206460473, 1849729037055212,
                 1939814616452984, 444404230394954
 #else
@@ -5185,7 +5185,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2053597130993710, 2024431685856332, 2233550957004860,
                 2012407275509545, 872546993104440
 #else
@@ -5194,7 +5194,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1217269667678610, 599909351968693, 1390077048548598,
                 1471879360694802, 739586172317596
 #else
@@ -5205,7 +5205,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1718318639380794, 1560510726633958, 904462881159922,
                 1418028351780052, 94404349451937
 #else
@@ -5214,7 +5214,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2132502667405250, 214379346175414, 1502748313768060,
                 1960071701057800, 1353971822643138
 #else
@@ -5223,7 +5223,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 319394212043702, 2127459436033571, 717646691535162,
                 663366796076914, 318459064945314
 #else
@@ -5234,7 +5234,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 405989424923593, 1960452633787083, 667349034401665,
                 1492674260767112, 1451061489880787
 #else
@@ -5243,7 +5243,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 947085906234007, 323284730494107, 1485778563977200,
                 728576821512394, 901584347702286
 #else
@@ -5252,7 +5252,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1575783124125742, 2126210792434375, 1569430791264065,
                 1402582372904727, 1891780248341114
 #else
@@ -5263,7 +5263,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 838432205560695, 1997703511451664, 1018791879907867,
                 1662001808174331, 78328132957753
 #else
@@ -5272,7 +5272,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 739152638255629, 2074935399403557, 505483666745895,
                 1611883356514088, 628654635394878
 #else
@@ -5281,7 +5281,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1822054032121349, 643057948186973, 7306757352712,
                 577249257962099, 284735863382083
 #else
@@ -5294,7 +5294,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1366558556363930, 1448606567552086, 1478881020944768,
                 165803179355898, 1115718458123498
 #else
@@ -5303,7 +5303,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 204146226972102, 1630511199034723, 2215235214174763,
                 174665910283542, 956127674017216
 #else
@@ -5312,7 +5312,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1562934578796716, 1070893489712745, 11324610642270,
                 958989751581897, 2172552325473805
 #else
@@ -5323,7 +5323,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1770564423056027, 735523631664565, 1326060113795289,
                 1509650369341127, 65892421582684
 #else
@@ -5332,7 +5332,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 623682558650637, 1337866509471512, 990313350206649,
                 1314236615762469, 1164772974270275
 #else
@@ -5341,7 +5341,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 223256821462517, 723690150104139, 1000261663630601,
                 933280913953265, 254872671543046
 #else
@@ -5352,7 +5352,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1969087237026041, 624795725447124, 1335555107635969,
                 2069986355593023, 1712100149341902
 #else
@@ -5361,7 +5361,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1236103475266979, 1837885883267218, 1026072585230455,
                 1025865513954973, 1801964901432134
 #else
@@ -5370,7 +5370,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1115241013365517, 1712251818829143, 2148864332502771,
                 2096001471438138, 2235017246626125
 #else
@@ -5381,7 +5381,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1299268198601632, 2047148477845621, 2165648650132450,
                 1612539282026145, 514197911628890
 #else
@@ -5390,7 +5390,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 118352772338543, 1067608711804704, 1434796676193498,
                 1683240170548391, 230866769907437
 #else
@@ -5399,7 +5399,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1850689576796636, 1601590730430274, 1139674615958142,
                 1954384401440257, 76039205311
 #else
@@ -5410,7 +5410,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1723387471374172, 997301467038410, 533927635123657,
                 20928644693965, 1756575222802513
 #else
@@ -5419,7 +5419,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2146711623855116, 503278928021499, 625853062251406,
                 1109121378393107, 1033853809911861
 #else
@@ -5428,7 +5428,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 571005965509422, 2005213373292546, 1016697270349626,
                 56607856974274, 914438579435146
 #else
@@ -5439,7 +5439,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1346698876211176, 2076651707527589, 1084761571110205,
                 265334478828406, 1068954492309671
 #else
@@ -5448,7 +5448,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1769967932677654, 1695893319756416, 1151863389675920,
                 1781042784397689, 400287774418285
 #else
@@ -5457,7 +5457,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1851867764003121, 403841933237558, 820549523771987,
                 761292590207581, 1743735048551143
 #else
@@ -5468,7 +5468,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 410915148140008, 2107072311871739, 1004367461876503,
                 99684895396761, 1180818713503224
 #else
@@ -5477,7 +5477,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 285945406881439, 648174397347453, 1098403762631981,
                 1366547441102991, 1505876883139217
 #else
@@ -5486,7 +5486,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 672095903120153, 1675918957959872, 636236529315028,
                 1569297300327696, 2164144194785875
 #else
@@ -5497,7 +5497,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1902708175321798, 1035343530915438, 1178560808893263,
                 301095684058146, 1280977479761118
 #else
@@ -5506,7 +5506,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1615357281742403, 404257611616381, 2160201349780978,
                 1160947379188955, 1578038619549541
 #else
@@ -5515,7 +5515,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2013087639791217, 822734930507457, 1785668418619014,
                 1668650702946164, 389450875221715
 #else
@@ -5528,7 +5528,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 453918449698368, 106406819929001, 2072540975937135,
                 308588860670238, 1304394580755385
 #else
@@ -5537,7 +5537,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1295082798350326, 2091844511495996, 1851348972587817,
                 3375039684596, 789440738712837
 #else
@@ -5546,7 +5546,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2083069137186154, 848523102004566, 993982213589257,
                 1405313299916317, 1532824818698468
 #else
@@ -5557,7 +5557,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1495961298852430, 1397203457344779, 1774950217066942,
                 139302743555696, 66603584342787
 #else
@@ -5566,7 +5566,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1782411379088302, 1096724939964781, 27593390721418,
                 542241850291353, 1540337798439873
 #else
@@ -5575,7 +5575,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 693543956581437, 171507720360750, 1557908942697227,
                 1074697073443438, 1104093109037196
 #else
@@ -5586,7 +5586,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 345288228393419, 1099643569747172, 134881908403743,
                 1740551994106740, 248212179299770
 #else
@@ -5595,7 +5595,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 231429562203065, 1526290236421172, 2021375064026423,
                 1520954495658041, 806337791525116
 #else
@@ -5604,7 +5604,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1079623667189886, 872403650198613, 766894200588288,
                 2163700860774109, 2023464507911816
 #else
@@ -5615,7 +5615,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 854645372543796, 1936406001954827, 151460662541253,
                 825325739271555, 1554306377287556
 #else
@@ -5624,7 +5624,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1497138821904622, 1044820250515590, 1742593886423484,
                 1237204112746837, 849047450816987
 #else
@@ -5633,7 +5633,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 667962773375330, 1897271816877105, 1399712621683474,
                 1143302161683099, 2081798441209593
 #else
@@ -5644,7 +5644,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 127147851567005, 1936114012888110, 1704424366552046,
                 856674880716312, 716603621335359
 #else
@@ -5653,7 +5653,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1072409664800960, 2146937497077528, 1508780108920651,
                 935767602384853, 1112800433544068
 #else
@@ -5662,7 +5662,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 333549023751292, 280219272863308, 2104176666454852,
                 1036466864875785, 536135186520207
 #else
@@ -5673,7 +5673,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 373666279883137, 146457241530109, 304116267127857,
                 416088749147715, 1258577131183391
 #else
@@ -5682,7 +5682,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1186115062588401, 2251609796968486, 1098944457878953,
                 1153112761201374, 1791625503417267
 #else
@@ -5691,7 +5691,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1870078460219737, 2129630962183380, 852283639691142,
                 292865602592851, 401904317342226
 #else
@@ -5702,7 +5702,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1361070124828035, 815664541425524, 1026798897364671,
                 1951790935390647, 555874891834790
 #else
@@ -5711,7 +5711,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1546301003424277, 459094500062839, 1097668518375311,
                 1780297770129643, 720763293687608
 #else
@@ -5720,7 +5720,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1212405311403990, 1536693382542438, 61028431067459,
                 1863929423417129, 1223219538638038
 #else
@@ -5731,7 +5731,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1294303766540260, 1183557465955093, 882271357233093,
                 63854569425375, 2213283684565087
 #else
@@ -5740,7 +5740,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 339050984211414, 601386726509773, 413735232134068,
                 966191255137228, 1839475899458159
 #else
@@ -5749,7 +5749,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 235605972169408, 2174055643032978, 1538335001838863,
                 1281866796917192, 1815940222628465
 #else
@@ -5762,7 +5762,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1632352921721536, 1833328609514701, 2092779091951987,
                 1923956201873226, 2210068022482919
 #else
@@ -5771,7 +5771,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 35271216625062, 1712350667021807, 983664255668860,
                 98571260373038, 1232645608559836
 #else
@@ -5780,7 +5780,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1998172393429622, 1798947921427073, 784387737563581,
                 1589352214827263, 1589861734168180
 #else
@@ -5791,7 +5791,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1733739258725305, 31715717059538, 201969945218860,
                 992093044556990, 1194308773174556
 #else
@@ -5800,7 +5800,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 846415389605137, 746163495539180, 829658752826080,
                 592067705956946, 957242537821393
 #else
@@ -5809,7 +5809,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1758148849754419, 619249044817679, 168089007997045,
                 1371497636330523, 1867101418880350
 #else
@@ -5820,7 +5820,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 326633984209635, 261759506071016, 1700682323676193,
                 1577907266349064, 1217647663383016
 #else
@@ -5829,7 +5829,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1714182387328607, 1477856482074168, 574895689942184,
                 2159118410227270, 1555532449716575
 #else
@@ -5838,7 +5838,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 853828206885131, 998498946036955, 1835887550391235,
                 207627336608048, 258363815956050
 #else
@@ -5849,7 +5849,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 141141474651677, 1236728744905256, 643101419899887,
                 1646615130509173, 1208239602291765
 #else
@@ -5858,7 +5858,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1501663228068911, 1354879465566912, 1444432675498247,
                 897812463852601, 855062598754348
 #else
@@ -5867,7 +5867,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 714380763546606, 1032824444965790, 1774073483745338,
                 1063840874947367, 1738680636537158
 #else
@@ -5878,7 +5878,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1640635546696252, 633168953192112, 2212651044092396,
                 30590958583852, 368515260889378
 #else
@@ -5887,7 +5887,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1171650314802029, 1567085444565577, 1453660792008405,
                 757914533009261, 1619511342778196
 #else
@@ -5896,7 +5896,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 420958967093237, 971103481109486, 2169549185607107,
                 1301191633558497, 1661514101014240
 #else
@@ -5907,7 +5907,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 907123651818302, 1332556122804146, 1824055253424487,
                 1367614217442959, 1982558335973172
 #else
@@ -5916,7 +5916,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1121533090144639, 1021251337022187, 110469995947421,
                 1511059774758394, 2110035908131662
 #else
@@ -5925,7 +5925,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 303213233384524, 2061932261128138, 352862124777736,
                 40828818670255, 249879468482660
 #else
@@ -5936,7 +5936,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 856559257852200, 508517664949010, 1378193767894916,
                 1723459126947129, 1962275756614521
 #else
@@ -5945,7 +5945,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1445691340537320, 40614383122127, 402104303144865,
                 485134269878232, 1659439323587426
 #else
@@ -5954,7 +5954,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 20057458979482, 1183363722525800, 2140003847237215,
                 2053873950687614, 2112017736174909
 #else
@@ -5965,7 +5965,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2228654250927986, 1483591363415267, 1368661293910956,
                 1076511285177291, 526650682059608
 #else
@@ -5974,7 +5974,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 709481497028540, 531682216165724, 316963769431931,
                 1814315888453765, 258560242424104
 #else
@@ -5983,7 +5983,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1053447823660455, 1955135194248683, 1010900954918985,
                 1182614026976701, 1240051576966610
 #else
@@ -5996,7 +5996,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1957943897155497, 1788667368028035, 137692910029106,
                 1039519607062, 826404763313028
 #else
@@ -6005,7 +6005,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1848942433095597, 1582009882530495, 1849292741020143,
                 1068498323302788, 2001402229799484
 #else
@@ -6014,7 +6014,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1528282417624269, 2142492439828191, 2179662545816034,
                 362568973150328, 1591374675250271
 #else
@@ -6025,7 +6025,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 160026679434388, 232341189218716, 2149181472355545,
                 598041771119831, 183859001910173
 #else
@@ -6034,7 +6034,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2013278155187349, 662660471354454, 793981225706267,
                 411706605985744, 804490933124791
 #else
@@ -6043,7 +6043,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2051892037280204, 488391251096321, 2230187337030708,
                 930221970662692, 679002758255210
 #else
@@ -6054,7 +6054,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1530723630438670, 875873929577927, 341560134269988,
                 449903119530753, 1055551308214179
 #else
@@ -6063,7 +6063,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1461835919309432, 1955256480136428, 180866187813063,
                 1551979252664528, 557743861963950
 #else
@@ -6072,7 +6072,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 359179641731115, 1324915145732949, 902828372691474,
                 294254275669987, 1887036027752957
 #else
@@ -6083,7 +6083,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2043271609454323, 2038225437857464, 1317528426475850,
                 1398989128982787, 2027639881006861
 #else
@@ -6092,7 +6092,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2072902725256516, 312132452743412, 309930885642209,
                 996244312618453, 1590501300352303
 #else
@@ -6101,7 +6101,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1397254305160710, 695734355138021, 2233992044438756,
                 1776180593969996, 1085588199351115
 #else
@@ -6112,7 +6112,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 440567051331029, 254894786356681, 493869224930222,
                 1556322069683366, 1567456540319218
 #else
@@ -6121,7 +6121,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1950722461391320, 1907845598854797, 1822757481635527,
                 2121567704750244, 73811931471221
 #else
@@ -6130,7 +6130,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 387139307395758, 2058036430315676, 1220915649965325,
                 1794832055328951, 1230009312169328
 #else
@@ -6141,7 +6141,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1765973779329517, 659344059446977, 19821901606666,
                 1301928341311214, 1116266004075885
 #else
@@ -6150,7 +6150,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1127572801181483, 1224743760571696, 1276219889847274,
                 1529738721702581, 1589819666871853
 #else
@@ -6159,7 +6159,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2181229378964934, 2190885205260020, 1511536077659137,
                 1246504208580490, 668883326494241
 #else
@@ -6170,7 +6170,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 437866655573314, 669026411194768, 81896997980338,
                 523874406393178, 245052060935236
 #else
@@ -6179,7 +6179,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1975438052228868, 1071801519999806, 594652299224319,
                 1877697652668809, 1489635366987285
 #else
@@ -6188,7 +6188,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 958592545673770, 233048016518599, 851568750216589,
                 567703851596087, 1740300006094761
 #else
@@ -6199,7 +6199,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2014540178270324, 192672779514432, 213877182641530,
                 2194819933853411, 1716422829364835
 #else
@@ -6208,7 +6208,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1540769606609725, 2148289943846077, 1597804156127445,
                 1230603716683868, 815423458809453
 #else
@@ -6217,7 +6217,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1738560251245018, 1779576754536888, 1783765347671392,
                 1880170990446751, 1088225159617541
 #else
@@ -6230,7 +6230,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 659303913929492, 1956447718227573, 1830568515922666,
                 841069049744408, 1669607124206368
 #else
@@ -6239,7 +6239,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1143465490433355, 1532194726196059, 1093276745494697,
                 481041706116088, 2121405433561163
 #else
@@ -6248,7 +6248,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1686424298744462, 1451806974487153, 266296068846582,
                 1834686947542675, 1720762336132256
 #else
@@ -6259,7 +6259,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 889217026388959, 1043290623284660, 856125087551909,
                 1669272323124636, 1603340330827879
 #else
@@ -6268,7 +6268,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1206396181488998, 333158148435054, 1402633492821422,
                 1120091191722026, 1945474114550509
 #else
@@ -6277,7 +6277,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 766720088232571, 1512222781191002, 1189719893490790,
                 2091302129467914, 2141418006894941
 #else
@@ -6288,7 +6288,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 419663647306612, 1998875112167987, 1426599870253707,
                 1154928355379510, 486538532138187
 #else
@@ -6297,7 +6297,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 938160078005954, 1421776319053174, 1941643234741774,
                 180002183320818, 1414380336750546
 #else
@@ -6306,7 +6306,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 398001940109652, 1577721237663248, 1012748649830402,
                 1540516006905144, 1011684812884559
 #else
@@ -6317,7 +6317,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1653276489969630, 6081825167624, 1921777941170836,
                 1604139841794531, 861211053640641
 #else
@@ -6326,7 +6326,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 996661541407379, 1455877387952927, 744312806857277,
                 139213896196746, 1000282908547789
 #else
@@ -6335,7 +6335,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1450817495603008, 1476865707053229, 1030490562252053,
                 620966950353376, 1744760161539058
 #else
@@ -6346,7 +6346,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 559728410002599, 37056661641185, 2038622963352006,
                 1637244893271723, 1026565352238948
 #else
@@ -6355,7 +6355,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 962165956135846, 1116599660248791, 182090178006815,
                 1455605467021751, 196053588803284
 #else
@@ -6364,7 +6364,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 796863823080135, 1897365583584155, 420466939481601,
                 2165972651724672, 932177357788289
 #else
@@ -6375,7 +6375,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 877047233620632, 1375632631944375, 643773611882121,
                 660022738847877, 19353932331831
 #else
@@ -6384,7 +6384,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2216943882299338, 394841323190322, 2222656898319671,
                 558186553950529, 1077236877025190
 #else
@@ -6393,7 +6393,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 801118384953213, 1914330175515892, 574541023311511,
                 1471123787903705, 1526158900256288
 #else
@@ -6404,7 +6404,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 949617889087234, 2207116611267331, 912920039141287,
                 501158539198789, 62362560771472
 #else
@@ -6413,7 +6413,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1474518386765335, 1760793622169197, 1157399790472736,
                 1622864308058898, 165428294422792
 #else
@@ -6422,7 +6422,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1961673048027128, 102619413083113, 1051982726768458,
                 1603657989805485, 1941613251499678
 #else
@@ -6433,7 +6433,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1401939116319266, 335306339903072, 72046196085786,
                 862423201496006, 850518754531384
 #else
@@ -6442,7 +6442,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1234706593321979, 1083343891215917, 898273974314935,
                 1640859118399498, 157578398571149
 #else
@@ -6451,7 +6451,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1143483057726416, 1992614991758919, 674268662140796,
                 1773370048077526, 674318359920189
 #else
@@ -6464,7 +6464,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1835401379538542, 173900035308392, 818247630716732,
                 1762100412152786, 1021506399448291
 #else
@@ -6473,7 +6473,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1506632088156630, 2127481795522179, 513812919490255,
                 140643715928370, 442476620300318
 #else
@@ -6482,7 +6482,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2056683376856736, 219094741662735, 2193541883188309,
                 1841182310235800, 556477468664293
 #else
@@ -6493,7 +6493,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1315019427910827, 1049075855992603, 2066573052986543,
                 266904467185534, 2040482348591520
 #else
@@ -6502,7 +6502,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 94096246544434, 922482381166992, 24517828745563,
                 2139430508542503, 2097139044231004
 #else
@@ -6511,7 +6511,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 537697207950515, 1399352016347350, 1563663552106345,
                 2148749520888918, 549922092988516
 #else
@@ -6522,7 +6522,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1747985413252434, 680511052635695, 1809559829982725,
                 594274250930054, 201673170745982
 #else
@@ -6531,7 +6531,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 323583936109569, 1973572998577657, 1192219029966558,
                 79354804385273, 1374043025560347
 #else
@@ -6540,7 +6540,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 213277331329947, 416202017849623, 1950535221091783,
                 1313441578103244, 2171386783823658
 #else
@@ -6551,7 +6551,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 189088804229831, 993969372859110, 895870121536987,
                 1547301535298256, 1477373024911350
 #else
@@ -6560,7 +6560,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1620578418245010, 541035331188469, 2235785724453865,
                 2154865809088198, 1974627268751826
 #else
@@ -6569,7 +6569,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1346805451740245, 1350981335690626, 942744349501813,
                 2155094562545502, 1012483751693409
 #else
@@ -6580,7 +6580,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2107080134091762, 1132567062788208, 1824935377687210,
                 769194804343737, 1857941799971888
 #else
@@ -6589,7 +6589,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1074666112436467, 249279386739593, 1174337926625354,
                 1559013532006480, 1472287775519121
 #else
@@ -6598,7 +6598,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1872620123779532, 1892932666768992, 1921559078394978,
                 1270573311796160, 1438913646755037
 #else
@@ -6609,7 +6609,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 837390187648199, 1012253300223599, 989780015893987,
                 1351393287739814, 328627746545550
 #else
@@ -6618,7 +6618,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1028328827183114, 1711043289969857, 1350832470374933,
                 1923164689604327, 1495656368846911
 #else
@@ -6627,7 +6627,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1900828492104143, 430212361082163, 687437570852799,
                 832514536673512, 1685641495940794
 #else
@@ -6638,7 +6638,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 842632847936398, 605670026766216, 290836444839585,
                 163210774892356, 2213815011799645
 #else
@@ -6647,7 +6647,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1176336383453996, 1725477294339771, 12700622672454,
                 678015708818208, 162724078519879
 #else
@@ -6656,7 +6656,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1448049969043497, 1789411762943521, 385587766217753,
                 90201620913498, 832999441066823
 #else
@@ -6667,7 +6667,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 516086333293313, 2240508292484616, 1351669528166508,
                 1223255565316488, 750235824427138
 #else
@@ -6676,7 +6676,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1263624896582495, 1102602401673328, 526302183714372,
                 2152015839128799, 1483839308490010
 #else
@@ -6685,7 +6685,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 442991718646863, 1599275157036458, 1925389027579192,
                 899514691371390, 350263251085160
 #else
@@ -6698,7 +6698,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1689713572022143, 593854559254373, 978095044791970,
                 1985127338729499, 1676069120347625
 #else
@@ -6707,7 +6707,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1557207018622683, 340631692799603, 1477725909476187,
                 614735951619419, 2033237123746766
 #else
@@ -6716,7 +6716,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 968764929340557, 1225534776710944, 662967304013036,
                 1155521416178595, 791142883466590
 #else
@@ -6727,7 +6727,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1487081286167458, 993039441814934, 1792378982844640,
                 698652444999874, 2153908693179754
 #else
@@ -6736,7 +6736,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1123181311102823, 685575944875442, 507605465509927,
                 1412590462117473, 568017325228626
 #else
@@ -6745,7 +6745,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 560258797465417, 2193971151466401, 1824086900849026,
                 579056363542056, 1690063960036441
 #else
@@ -6756,7 +6756,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1918407319222416, 353767553059963, 1930426334528099,
                 1564816146005724, 1861342381708096
 #else
@@ -6765,7 +6765,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2131325168777276, 1176636658428908, 1756922641512981,
                 1390243617176012, 1966325177038383
 #else
@@ -6774,7 +6774,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2063958120364491, 2140267332393533, 699896251574968,
                 273268351312140, 375580724713232
 #else
@@ -6785,7 +6785,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2024297515263178, 416959329722687, 1079014235017302,
                 171612225573183, 1031677520051053
 #else
@@ -6794,7 +6794,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2033900009388450, 1744902869870788, 2190580087917640,
                 1949474984254121, 231049754293748
 #else
@@ -6803,7 +6803,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 343868674606581, 550155864008088, 1450580864229630,
                 481603765195050, 896972360018042
 #else
@@ -6814,7 +6814,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2151139328380127, 314745882084928, 59756825775204,
                 1676664391494651, 2048348075599360
 #else
@@ -6823,7 +6823,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1528930066340597, 1605003907059576, 1055061081337675,
                 1458319101947665, 1234195845213142
 #else
@@ -6832,7 +6832,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 830430507734812, 1780282976102377, 1425386760709037,
                 362399353095425, 2168861579799910
 #else
@@ -6843,7 +6843,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1155762232730333, 980662895504006, 2053766700883521,
                 490966214077606, 510405877041357
 #else
@@ -6852,7 +6852,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1683750316716132, 652278688286128, 1221798761193539,
                 1897360681476669, 319658166027343
 #else
@@ -6861,7 +6861,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 618808732869972, 72755186759744, 2060379135624181,
                 1730731526741822, 48862757828238
 #else
@@ -6872,7 +6872,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1463171970593505, 1143040711767452, 614590986558883,
                 1409210575145591, 1882816996436803
 #else
@@ -6881,7 +6881,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2230133264691131, 563950955091024, 2042915975426398,
                 827314356293472, 672028980152815
 #else
@@ -6890,7 +6890,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 264204366029760, 1654686424479449, 2185050199932931,
                 2207056159091748, 506015669043634
 #else
@@ -6901,7 +6901,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1784446333136569, 1973746527984364, 334856327359575,
                 1156769775884610, 1023950124675478
 #else
@@ -6910,7 +6910,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2065270940578383, 31477096270353, 306421879113491,
                 181958643936686, 1907105536686083
 #else
@@ -6919,7 +6919,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1496516440779464, 1748485652986458, 872778352227340,
                 818358834654919, 97932669284220
 #else
@@ -6932,7 +6932,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 471636015770351, 672455402793577, 1804995246884103,
                 1842309243470804, 1501862504981682
 #else
@@ -6941,7 +6941,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1013216974933691, 538921919682598, 1915776722521558,
                 1742822441583877, 1886550687916656
 #else
@@ -6950,7 +6950,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2094270000643336, 303971879192276, 40801275554748,
                 649448917027930, 1818544418535447
 #else
@@ -6961,7 +6961,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2241737709499165, 549397817447461, 838180519319392,
                 1725686958520781, 1705639080897747
 #else
@@ -6970,7 +6970,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1216074541925116, 50120933933509, 1565829004133810,
                 721728156134580, 349206064666188
 #else
@@ -6979,7 +6979,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 948617110470858, 346222547451945, 1126511960599975,
                 1759386906004538, 493053284802266
 #else
@@ -6990,7 +6990,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1454933046815146, 874696014266362, 1467170975468588,
                 1432316382418897, 2111710746366763
 #else
@@ -6999,7 +6999,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2105387117364450, 1996463405126433, 1303008614294500,
                 851908115948209, 1353742049788635
 #else
@@ -7008,7 +7008,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 750300956351719, 1487736556065813, 15158817002104,
                 1511998221598392, 971739901354129
 #else
@@ -7019,7 +7019,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1874648163531693, 2124487685930551, 1810030029384882,
                 918400043048335, 586348627300650
 #else
@@ -7028,7 +7028,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1235084464747900, 1166111146432082, 1745394857881591,
                 1405516473883040, 4463504151617
 #else
@@ -7037,7 +7037,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1663810156463827, 327797390285791, 1341846161759410,
                 1964121122800605, 1747470312055380
 #else
@@ -7048,7 +7048,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 660005247548233, 2071860029952887, 1358748199950107,
                 911703252219107, 1014379923023831
 #else
@@ -7057,7 +7057,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2206641276178231, 1690587809721504, 1600173622825126,
                 2156096097634421, 1106822408548216
 #else
@@ -7066,7 +7066,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1344788193552206, 1949552134239140, 1735915881729557,
                 675891104100469, 1834220014427292
 #else
@@ -7077,7 +7077,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1920949492387964, 158885288387530, 70308263664033,
                 626038464897817, 1468081726101009
 #else
@@ -7086,7 +7086,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 622221042073383, 1210146474039168, 1742246422343683,
                 1403839361379025, 417189490895736
 #else
@@ -7095,7 +7095,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 22727256592983, 168471543384997, 1324340989803650,
                 1839310709638189, 504999476432775
 #else
@@ -7106,7 +7106,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1313240518756327, 1721896294296942, 52263574587266,
                 2065069734239232, 804910473424630
 #else
@@ -7115,7 +7115,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1337466662091884, 1287645354669772, 2018019646776184,
                 652181229374245, 898011753211715
 #else
@@ -7124,7 +7124,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1969792547910734, 779969968247557, 2011350094423418,
                 1823964252907487, 1058949448296945
 #else
@@ -7135,7 +7135,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 207343737062002, 1118176942430253, 758894594548164,
                 806764629546266, 1157700123092949
 #else
@@ -7144,7 +7144,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1273565321399022, 1638509681964574, 759235866488935,
                 666015124346707, 897983460943405
 #else
@@ -7153,7 +7153,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1717263794012298, 1059601762860786, 1837819172257618,
                 1054130665797229, 680893204263559
 #else
@@ -7166,7 +7166,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2237039662793603, 2249022333361206, 2058613546633703,
                 149454094845279, 2215176649164582
 #else
@@ -7175,7 +7175,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 79472182719605, 1851130257050174, 1825744808933107,
                 821667333481068, 781795293511946
 #else
@@ -7184,7 +7184,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 755822026485370, 152464789723500, 1178207602290608,
                 410307889503239, 156581253571278
 #else
@@ -7195,7 +7195,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1418185496130297, 484520167728613, 1646737281442950,
                 1401487684670265, 1349185550126961
 #else
@@ -7204,7 +7204,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1495380034400429, 325049476417173, 46346894893933,
                 1553408840354856, 828980101835683
 #else
@@ -7213,7 +7213,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1280337889310282, 2070832742866672, 1640940617225222,
                 2098284908289951, 450929509534434
 #else
@@ -7224,7 +7224,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 407703353998781, 126572141483652, 286039827513621,
                 1999255076709338, 2030511179441770
 #else
@@ -7233,7 +7233,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1254958221100483, 1153235960999843, 942907704968834,
                 637105404087392, 1149293270147267
 #else
@@ -7242,7 +7242,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 894249020470196, 400291701616810, 406878712230981,
                 1599128793487393, 1145868722604026
 #else
@@ -7253,7 +7253,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1497955250203334, 110116344653260, 1128535642171976,
                 1900106496009660, 129792717460909
 #else
@@ -7262,7 +7262,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 452487513298665, 1352120549024569, 1173495883910956,
                 1999111705922009, 367328130454226
 #else
@@ -7271,7 +7271,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1717539401269642, 1475188995688487, 891921989653942,
                 836824441505699, 1885988485608364
 #else
@@ -7282,7 +7282,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1241784121422547, 187337051947583, 1118481812236193,
                 428747751936362, 30358898927325
 #else
@@ -7291,7 +7291,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2022432361201842, 1088816090685051, 1977843398539868,
                 1854834215890724, 564238862029357
 #else
@@ -7300,7 +7300,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 938868489100585, 1100285072929025, 1017806255688848,
                 1957262154788833, 152787950560442
 #else
@@ -7311,7 +7311,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 867319417678923, 620471962942542, 226032203305716,
                 342001443957629, 1761675818237336
 #else
@@ -7320,7 +7320,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1295072362439987, 931227904689414, 1355731432641687,
                 922235735834035, 892227229410209
 #else
@@ -7329,7 +7329,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1680989767906154, 535362787031440, 2136691276706570,
                 1942228485381244, 1267350086882274
 #else
@@ -7340,7 +7340,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 366018233770527, 432660629755596, 126409707644535,
                 1973842949591662, 645627343442376
 #else
@@ -7349,7 +7349,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 535509430575217, 546885533737322, 1524675609547799,
                 2138095752851703, 1260738089896827
 #else
@@ -7358,7 +7358,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1159906385590467, 2198530004321610, 714559485023225,
                 81880727882151, 1484020820037082
 #else
@@ -7369,7 +7369,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1377485731340769, 2046328105512000, 1802058637158797,
                 62146136768173, 1356993908853901
 #else
@@ -7378,7 +7378,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2013612215646735, 1830770575920375, 536135310219832,
                 609272325580394, 270684344495013
 #else
@@ -7387,7 +7387,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1237542585982777, 2228682050256790, 1385281931622824,
                 593183794882890, 493654978552689
 #else
@@ -7400,7 +7400,7 @@ static const ge_precomp k25519Precomp[32][8] = {
     {
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 47341488007760, 1891414891220257, 983894663308928,
                 176161768286818, 1126261115179708
 #else
@@ -7409,7 +7409,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1694030170963455, 502038567066200, 1691160065225467,
                 949628319562187, 275110186693066
 #else
@@ -7418,7 +7418,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1124515748676336, 1661673816593408, 1499640319059718,
                 1584929449166988, 558148594103306
 #else
@@ -7429,7 +7429,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1784525599998356, 1619698033617383, 2097300287550715,
                 258265458103756, 1905684794832758
 #else
@@ -7438,7 +7438,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1288941072872766, 931787902039402, 190731008859042,
                 2006859954667190, 1005931482221702
 #else
@@ -7447,7 +7447,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1465551264822703, 152905080555927, 680334307368453,
                 173227184634745, 666407097159852
 #else
@@ -7458,7 +7458,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2111017076203943, 1378760485794347, 1248583954016456,
                 1352289194864422, 1895180776543896
 #else
@@ -7467,7 +7467,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 171348223915638, 662766099800389, 462338943760497,
                 466917763340314, 656911292869115
 #else
@@ -7476,7 +7476,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 488623681976577, 866497561541722, 1708105560937768,
                 1673781214218839, 1506146329818807
 #else
@@ -7487,7 +7487,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 160425464456957, 950394373239689, 430497123340934,
                 711676555398832, 320964687779005
 #else
@@ -7496,7 +7496,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 988979367990485, 1359729327576302, 1301834257246029,
                 294141160829308, 29348272277475
 #else
@@ -7505,7 +7505,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1434382743317910, 100082049942065, 221102347892623,
                 186982837860588, 1305765053501834
 #else
@@ -7516,7 +7516,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 2205916462268190, 499863829790820, 961960554686616,
                 158062762756985, 1841471168298305
 #else
@@ -7525,7 +7525,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1191737341426592, 1847042034978363, 1382213545049056,
                 1039952395710448, 788812858896859
 #else
@@ -7534,7 +7534,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1346965964571152, 1291881610839830, 2142916164336056,
                 786821641205979, 1571709146321039
 #else
@@ -7545,7 +7545,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 787164375951248, 202869205373189, 1356590421032140,
                 1431233331032510, 786341368775957
 #else
@@ -7554,7 +7554,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 492448143532951, 304105152670757, 1761767168301056,
                 233782684697790, 1981295323106089
 #else
@@ -7563,7 +7563,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 665807507761866, 1343384868355425, 895831046139653,
                 439338948736892, 1986828765695105
 #else
@@ -7574,7 +7574,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 756096210874553, 1721699973539149, 258765301727885,
                 1390588532210645, 1212530909934781
 #else
@@ -7583,7 +7583,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 852891097972275, 1816988871354562, 1543772755726524,
                 1174710635522444, 202129090724628
 #else
@@ -7592,7 +7592,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1205281565824323, 22430498399418, 992947814485516,
                 1392458699738672, 688441466734558
 #else
@@ -7603,7 +7603,7 @@ static const ge_precomp k25519Precomp[32][8] = {
         },
         {
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1050627428414972, 1955849529137135, 2171162376368357,
                 91745868298214, 447733118757826
 #else
@@ -7612,7 +7612,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1287181461435438, 622722465530711, 880952150571872,
                 741035693459198, 311565274989772
 #else
@@ -7621,7 +7621,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 #endif
             }},
             {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
                 1003649078149734, 545233927396469, 1849786171789880,
                 1318943684880434, 280345687170552
 #else
@@ -7639,7 +7639,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 static const ge_precomp Bi[8] = {
     {
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             1288382639258501, 245678601348599, 269427782077623,
             1462984067271730, 137412439391563
 #else
@@ -7648,7 +7648,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             62697248952638, 204681361388450, 631292143396476, 338455783676468,
             1213667448819585
 #else
@@ -7657,7 +7657,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             301289933810280, 1259582250014073, 1422107436869536,
             796239922652654, 1953934009299142
 #else
@@ -7668,7 +7668,7 @@ static const ge_precomp Bi[8] = {
     },
     {
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             1601611775252272, 1720807796594148, 1132070835939856,
             1260455018889551, 2147779492816911
 #else
@@ -7677,7 +7677,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             316559037616741, 2177824224946892, 1459442586438991,
             1461528397712656, 751590696113597
 #else
@@ -7686,7 +7686,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             1850748884277385, 1200145853858453, 1068094770532492,
             672251375690438, 1586055907191707
 #else
@@ -7697,7 +7697,7 @@ static const ge_precomp Bi[8] = {
     },
     {
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             769950342298419, 132954430919746, 844085933195555, 974092374476333,
             726076285546016
 #else
@@ -7706,7 +7706,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             425251763115706, 608463272472562, 442562545713235, 837766094556764,
             374555092627893
 #else
@@ -7715,7 +7715,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             1086255230780037, 274979815921559, 1960002765731872,
             929474102396301, 1190409889297339
 #else
@@ -7726,7 +7726,7 @@ static const ge_precomp Bi[8] = {
     },
     {
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             665000864555967, 2065379846933859, 370231110385876, 350988370788628,
             1233371373142985
 #else
@@ -7735,7 +7735,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             2019367628972465, 676711900706637, 110710997811333,
             1108646842542025, 517791959672113
 #else
@@ -7744,7 +7744,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             965130719900578, 247011430587952, 526356006571389, 91986625355052,
             2157223321444601
 #else
@@ -7755,7 +7755,7 @@ static const ge_precomp Bi[8] = {
     },
     {
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             1802695059465007, 1664899123557221, 593559490740857,
             2160434469266659, 927570450755031
 #else
@@ -7764,7 +7764,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             1725674970513508, 1933645953859181, 1542344539275782,
             1767788773573747, 1297447965928905
 #else
@@ -7773,7 +7773,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             1381809363726107, 1430341051343062, 2061843536018959,
             1551778050872521, 2036394857967624
 #else
@@ -7784,7 +7784,7 @@ static const ge_precomp Bi[8] = {
     },
     {
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             1970894096313054, 528066325833207, 1619374932191227,
             2207306624415883, 1169170329061080
 #else
@@ -7793,7 +7793,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             2070390218572616, 1458919061857835, 624171843017421,
             1055332792707765, 433987520732508
 #else
@@ -7802,7 +7802,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             893653801273833, 1168026499324677, 1242553501121234,
             1306366254304474, 1086752658510815
 #else
@@ -7813,7 +7813,7 @@ static const ge_precomp Bi[8] = {
     },
     {
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             213454002618221, 939771523987438, 1159882208056014, 317388369627517,
             621213314200687
 #else
@@ -7822,7 +7822,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             1971678598905747, 338026507889165, 762398079972271, 655096486107477,
             42299032696322
 #else
@@ -7831,7 +7831,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             177130678690680, 1754759263300204, 1864311296286618,
             1180675631479880, 1292726903152791
 #else
@@ -7842,7 +7842,7 @@ static const ge_precomp Bi[8] = {
     },
     {
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             1913163449625248, 460779200291993, 2193883288642314,
             1008900146920800, 1721983679009502
 #else
@@ -7851,7 +7851,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             1070401523076875, 1272492007800961, 1910153608563310,
             2075579521696771, 1191169788841221
 #else
@@ -7860,7 +7860,7 @@ static const ge_precomp Bi[8] = {
 #endif
         }},
         {{
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
             692896803108118, 500174642072499, 2068223309439677,
             1162190621851337, 1426986007309901
 #else
diff --git a/src/crypto/curve25519/internal.h b/src/crypto/curve25519/internal.h
index 76ff78fa..1420601b 100644
--- a/src/crypto/curve25519/internal.h
+++ b/src/crypto/curve25519/internal.h
@@ -32,11 +32,7 @@ void x25519_NEON(uint8_t out[32], const uint8_t scalar[32],
                  const uint8_t point[32]);
 #endif
 
-#if defined(BORINGSSL_HAS_UINT128)
-#define BORINGSSL_CURVE25519_64BIT
-#endif
-
-#if defined(BORINGSSL_CURVE25519_64BIT)
+#if defined(OPENSSL_64_BIT)
 // fe means field element. Here the field is \Z/(2^255-19). An element t,
 // entries t[0]...t[4], represents the integer t[0]+2^51 t[1]+2^102 t[2]+2^153
 // t[3]+2^204 t[4].
diff --git a/src/crypto/curve25519/make_curve25519_tables.py b/src/crypto/curve25519/make_curve25519_tables.py
index 50dee2a9..c3cf12ab 100755
--- a/src/crypto/curve25519/make_curve25519_tables.py
+++ b/src/crypto/curve25519/make_curve25519_tables.py
@@ -110,7 +110,7 @@ def to_base_51(x):
     return ret
 
 def to_literal(x):
-    ret = "{{\n#if defined(BORINGSSL_CURVE25519_64BIT)\n"
+    ret = "{{\n#if defined(OPENSSL_64_BIT)\n"
     ret += ", ".join(map(str, to_base_51(x)))
     ret += "\n#else\n"
     ret += ", ".join(map(str, to_base_25_5(x)))
diff --git a/src/crypto/err/err_data_generate.go b/src/crypto/err/err_data_generate.go
index 332b4e15..d4a7c28a 100644
--- a/src/crypto/err/err_data_generate.go
+++ b/src/crypto/err/err_data_generate.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
@@ -115,23 +117,8 @@ func (st *stringList) Add(key uint32, value string) error {
 	return nil
 }
 
-// keySlice is a type that implements sorting of entries values.
-type keySlice []uint32
-
-func (ks keySlice) Len() int {
-	return len(ks)
-}
-
-func (ks keySlice) Less(i, j int) bool {
-	return (ks[i] >> 15) < (ks[j] >> 15)
-}
-
-func (ks keySlice) Swap(i, j int) {
-	ks[i], ks[j] = ks[j], ks[i]
-}
-
 func (st *stringList) buildList() []uint32 {
-	sort.Sort(keySlice(st.entries))
+	sort.Slice(st.entries, func(i, j int) bool { return (st.entries[i] >> 15) < (st.entries[j] >> 15) })
 	return st.entries
 }
 
diff --git a/src/crypto/fipsmodule/bn/bn_test_to_fuzzer.go b/src/crypto/fipsmodule/bn/bn_test_to_fuzzer.go
index 1e48df35..2915db5f 100644
--- a/src/crypto/fipsmodule/bn/bn_test_to_fuzzer.go
+++ b/src/crypto/fipsmodule/bn/bn_test_to_fuzzer.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/crypto/fipsmodule/bn/check_bn_tests.go b/src/crypto/fipsmodule/bn/check_bn_tests.go
index dd1def80..032b9e32 100644
--- a/src/crypto/fipsmodule/bn/check_bn_tests.go
+++ b/src/crypto/fipsmodule/bn/check_bn_tests.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/crypto/fipsmodule/ec/internal.h b/src/crypto/fipsmodule/ec/internal.h
index 846431fd..3b6fa4a4 100644
--- a/src/crypto/fipsmodule/ec/internal.h
+++ b/src/crypto/fipsmodule/ec/internal.h
@@ -91,6 +91,8 @@ extern "C" {
 // be the largest fields anyone plausibly uses.
 #define EC_MAX_BYTES 66
 #define EC_MAX_WORDS ((EC_MAX_BYTES + BN_BYTES - 1) / BN_BYTES)
+#define EC_MAX_COMPRESSED (EC_MAX_BYTES + 1)
+#define EC_MAX_UNCOMPRESSED (2 * EC_MAX_BYTES + 1)
 
 static_assert(EC_MAX_WORDS <= BN_SMALL_MAX_WORDS,
               "bn_*_small functions not usable");
@@ -119,8 +121,8 @@ OPENSSL_EXPORT void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out,
 // ec_scalar_from_bytes deserializes |in| and stores the resulting scalar over
 // group |group| to |out|. It returns one on success and zero if |in| is
 // invalid.
-int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,
-                         const uint8_t *in, size_t len);
+OPENSSL_EXPORT int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,
+                                        const uint8_t *in, size_t len);
 
 // ec_scalar_reduce sets |out| to |words|, reduced modulo the group order.
 // |words| must be less than order^2. |num| must be at most twice the width of
@@ -279,8 +281,8 @@ void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out,
 //
 // If only extracting the x-coordinate, use |ec_get_x_coordinate_*| which is
 // slightly faster.
-int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out,
-                          const EC_RAW_POINT *p);
+OPENSSL_EXPORT int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out,
+                                         const EC_RAW_POINT *p);
 
 // ec_jacobian_to_affine_batch converts |num| points in |in| from Jacobian
 // coordinates to affine coordinates and writes the results to |out|. It returns
diff --git a/src/crypto/fipsmodule/ec/make_ec_scalar_base_mult_tests.go b/src/crypto/fipsmodule/ec/make_ec_scalar_base_mult_tests.go
index 169d226a..1d3896aa 100644
--- a/src/crypto/fipsmodule/ec/make_ec_scalar_base_mult_tests.go
+++ b/src/crypto/fipsmodule/ec/make_ec_scalar_base_mult_tests.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/crypto/fipsmodule/ec/make_p256-nistz-tests.go b/src/crypto/fipsmodule/ec/make_p256-nistz-tests.go
index 04a1a1c8..e10990b3 100644
--- a/src/crypto/fipsmodule/ec/make_p256-nistz-tests.go
+++ b/src/crypto/fipsmodule/ec/make_p256-nistz-tests.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/crypto/fipsmodule/ec/make_tables.go b/src/crypto/fipsmodule/ec/make_tables.go
index 7fb9041c..120c40bd 100644
--- a/src/crypto/fipsmodule/ec/make_tables.go
+++ b/src/crypto/fipsmodule/ec/make_tables.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
@@ -151,7 +153,7 @@ func writeP256Table(path string) error {
 // Tables for other points have table[i] = iG for i in 0 .. 16.
 
 // fiat_p256_g_pre_comp is the table of precomputed base points
-#if defined(BORINGSSL_NISTP256_64BIT)
+#if defined(OPENSSL_64_BIT)
 static const fiat_p256_felem fiat_p256_g_pre_comp[2][15][2] = `
 	if _, err := f.WriteString(fileHeader); err != nil {
 		return err
diff --git a/src/crypto/fipsmodule/ec/p256.c b/src/crypto/fipsmodule/ec/p256.c
index d67f6c08..cd2b6fc0 100644
--- a/src/crypto/fipsmodule/ec/p256.c
+++ b/src/crypto/fipsmodule/ec/p256.c
@@ -31,8 +31,9 @@
 #include "./internal.h"
 
 #if defined(BORINGSSL_HAS_UINT128)
-#define BORINGSSL_NISTP256_64BIT 1
 #include "../../../third_party/fiat/p256_64.h"
+#elif defined(OPENSSL_64_BIT)
+#include "../../../third_party/fiat/p256_64_msvc.h"
 #else
 #include "../../../third_party/fiat/p256_32.h"
 #endif
@@ -40,7 +41,7 @@
 
 // utility functions, handwritten
 
-#if defined(BORINGSSL_NISTP256_64BIT)
+#if defined(OPENSSL_64_BIT)
 #define FIAT_P256_NLIMBS 4
 typedef uint64_t fiat_p256_limb_t;
 typedef uint64_t fiat_p256_felem[FIAT_P256_NLIMBS];
@@ -748,5 +749,3 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) {
       ec_simple_scalar_to_montgomery_inv_vartime;
   out->cmp_x_coordinate = ec_GFp_nistp256_cmp_x_coordinate;
 }
-
-#undef BORINGSSL_NISTP256_64BIT
diff --git a/src/crypto/fipsmodule/ec/p256_table.h b/src/crypto/fipsmodule/ec/p256_table.h
index 14129a36..d823d37f 100644
--- a/src/crypto/fipsmodule/ec/p256_table.h
+++ b/src/crypto/fipsmodule/ec/p256_table.h
@@ -50,7 +50,7 @@
 // Tables for other points have table[i] = iG for i in 0 .. 16.
 
 // fiat_p256_g_pre_comp is the table of precomputed base points
-#if defined(BORINGSSL_NISTP256_64BIT)
+#if defined(OPENSSL_64_BIT)
 static const fiat_p256_felem fiat_p256_g_pre_comp[2][15][2] = {
     {{{0x79e730d418a9143c, 0x75ba95fc5fedb601, 0x79fb732b77622510,
        0x18905f76a53755c6},
diff --git a/src/crypto/fipsmodule/self_check/fips.c b/src/crypto/fipsmodule/self_check/fips.c
index ce039576..31e11efd 100644
--- a/src/crypto/fipsmodule/self_check/fips.c
+++ b/src/crypto/fipsmodule/self_check/fips.c
@@ -31,7 +31,7 @@ int FIPS_mode_set(int on) { return on == FIPS_mode(); }
 const char *FIPS_module_name(void) { return "BoringCrypto"; }
 
 uint32_t FIPS_version(void) {
-  return 0;
+  return 2023042800;
 }
 
 int FIPS_query_algorithm_status(const char *algorithm) {
diff --git a/src/crypto/fipsmodule/self_check/self_check.c b/src/crypto/fipsmodule/self_check/self_check.c
index 3b51e2fe..525cd169 100644
--- a/src/crypto/fipsmodule/self_check/self_check.c
+++ b/src/crypto/fipsmodule/self_check/self_check.c
@@ -26,6 +26,7 @@
 #include <openssl/ec.h>
 #include <openssl/ecdsa.h>
 #include <openssl/ec_key.h>
+#include <openssl/hkdf.h>
 #include <openssl/hmac.h>
 #include <openssl/nid.h>
 #include <openssl/rsa.h>
diff --git a/src/crypto/fipsmodule/tls/kdf.c b/src/crypto/fipsmodule/tls/kdf.c
index 9c6cfaf0..c4f4976c 100644
--- a/src/crypto/fipsmodule/tls/kdf.c
+++ b/src/crypto/fipsmodule/tls/kdf.c
@@ -54,6 +54,7 @@
 
 #include <openssl/bytestring.h>
 #include <openssl/digest.h>
+#include <openssl/hkdf.h>
 #include <openssl/hmac.h>
 #include <openssl/mem.h>
 
diff --git a/src/crypto/kyber/kyber.c b/src/crypto/kyber/kyber.c
index f2ac30bd..010d9d4c 100644
--- a/src/crypto/kyber/kyber.c
+++ b/src/crypto/kyber/kyber.c
@@ -283,16 +283,23 @@ static void scalar_inner_product(scalar *out, const vector *lhs,
 // operates on public inputs.
 static void scalar_from_keccak_vartime(scalar *out,
                                        struct BORINGSSL_keccak_st *keccak_ctx) {
-  uint8_t bytes[3];
-  for (int i = 0; i < DEGREE;) {
-    BORINGSSL_keccak_squeeze(keccak_ctx, bytes, sizeof(bytes));
-    uint16_t d1 = bytes[0] + 256 * (bytes[1] % 16);
-    uint16_t d2 = bytes[1] / 16 + 16 * bytes[2];
-    if (d1 < kPrime) {
-      out->c[i++] = d1;
-    }
-    if (d2 < kPrime && i < DEGREE) {
-      out->c[i++] = d2;
+  assert(keccak_ctx->offset == 0);
+  assert(keccak_ctx->rate_bytes == 168);
+  static_assert(168 % 3 == 0, "block and coefficient boundaries do not align");
+
+  int done = 0;
+  while (done < DEGREE) {
+    uint8_t block[168];
+    BORINGSSL_keccak_squeeze(keccak_ctx, block, sizeof(block));
+    for (size_t i = 0; i < sizeof(block) && done < DEGREE; i += 3) {
+      uint16_t d1 = block[i] + 256 * (block[i + 1] % 16);
+      uint16_t d2 = block[i + 1] / 16 + 16 * block[i + 2];
+      if (d1 < kPrime) {
+        out->c[done++] = d1;
+      }
+      if (d2 < kPrime && done < DEGREE) {
+        out->c[done++] = d2;
+      }
     }
   }
 }
diff --git a/src/crypto/obj/objects.go b/src/crypto/obj/objects.go
index 1b9ded34..077a6e12 100644
--- a/src/crypto/obj/objects.go
+++ b/src/crypto/obj/objects.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
@@ -520,21 +522,8 @@ extern "C" {
 	return os.WriteFile(path, []byte(formatted), 0666)
 }
 
-// TODO(davidben): Replace this with sort.Slice once Go 1.8 is sufficiently
-// common.
-type nidSorter struct {
-	nids []int
-	objs *objects
-	cmp  func(a, b object) bool
-}
-
-func (a nidSorter) obj(i int) object   { return a.objs.byNID[a.nids[i]] }
-func (a nidSorter) Len() int           { return len(a.nids) }
-func (a nidSorter) Swap(i, j int)      { a.nids[i], a.nids[j] = a.nids[j], a.nids[i] }
-func (a nidSorter) Less(i, j int) bool { return a.cmp(a.obj(i), a.obj(j)) }
-
 func sortNIDs(nids []int, objs *objects, cmp func(a, b object) bool) {
-	sort.Sort(&nidSorter{nids, objs, cmp})
+	sort.Slice(nids, func(i, j int) bool { return cmp(objs.byNID[nids[i]], objs.byNID[nids[j]]) })
 }
 
 func writeData(path string, objs *objects) error {
diff --git a/src/crypto/trust_token/internal.h b/src/crypto/trust_token/internal.h
index e940565f..8fc5d6ea 100644
--- a/src/crypto/trust_token/internal.h
+++ b/src/crypto/trust_token/internal.h
@@ -239,6 +239,10 @@ STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_pst1_blind(CBB *cbb, size_t count,
 int voprf_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
                     size_t num_requested, size_t num_to_issue,
                     uint8_t private_metadata);
+OPENSSL_EXPORT int voprf_pst1_sign_with_proof_scalar_for_testing(
+    const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested,
+    size_t num_to_issue, uint8_t private_metadata,
+    const uint8_t *proof_scalar_buf, size_t proof_scalar_len);
 STACK_OF(TRUST_TOKEN) *voprf_pst1_unblind(
     const TRUST_TOKEN_CLIENT_KEY *key,
     const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,
diff --git a/src/crypto/trust_token/trust_token_test.cc b/src/crypto/trust_token/trust_token_test.cc
index 376eacfe..df679b61 100644
--- a/src/crypto/trust_token/trust_token_test.cc
+++ b/src/crypto/trust_token/trust_token_test.cc
@@ -314,6 +314,295 @@ TEST(TrustTokenTest, HPST1) {
   EXPECT_EQ(Bytes(h), Bytes(expected_bytes, expected_len));
 }
 
+static int ec_point_uncompressed_from_compressed(
+    const EC_GROUP *group, uint8_t out[EC_MAX_UNCOMPRESSED], size_t *out_len,
+    const uint8_t *in, size_t len) {
+  bssl::UniquePtr<EC_POINT> point(EC_POINT_new(group));
+  if (!point ||
+      !EC_POINT_oct2point(group, point.get(), in, len, nullptr)) {
+    return 0;
+  }
+
+  *out_len =
+      EC_POINT_point2oct(group, point.get(), POINT_CONVERSION_UNCOMPRESSED, out,
+                         EC_MAX_UNCOMPRESSED, nullptr);
+  return 1;
+}
+
+static bool setup_voprf_test_key(const EC_GROUP *group,
+                                 TRUST_TOKEN_ISSUER_KEY *out) {
+  static const uint8_t kPrivateKey[] = {
+      0x05, 0x16, 0x46, 0xb9, 0xe6, 0xe7, 0xa7, 0x1a, 0xe2, 0x7c, 0x1e, 0x1d,
+      0x0b, 0x87, 0xb4, 0x38, 0x1d, 0xb6, 0xd3, 0x59, 0x5e, 0xee, 0xb1, 0xad,
+      0xb4, 0x15, 0x79, 0xad, 0xbf, 0x99, 0x2f, 0x42, 0x78, 0xf9, 0x01, 0x6e,
+      0xaf, 0xc9, 0x44, 0xed, 0xaa, 0x2b, 0x43, 0x18, 0x35, 0x81, 0x77, 0x9d
+  };
+
+  static const uint8_t kPublicKey[] = {
+      0x03, 0x1d, 0x68, 0x96, 0x86, 0xc6, 0x11, 0x99, 0x1b, 0x55,
+      0xf1, 0xa1, 0xd8, 0xf4, 0x30, 0x5c, 0xcd, 0x6c, 0xb7, 0x19,
+      0x44, 0x6f, 0x66, 0x0a, 0x30, 0xdb, 0x61, 0xb7, 0xaa, 0x87,
+      0xb4, 0x6a, 0xcf, 0x59, 0xb7, 0xc0, 0xd4, 0xa9, 0x07, 0x7b,
+      0x3d, 0xa2, 0x1c, 0x25, 0xdd, 0x48, 0x22, 0x29, 0xa0
+  };
+
+  if (!ec_scalar_from_bytes(group, &out->xs, kPrivateKey,
+                            sizeof(kPrivateKey))) {
+    return false;
+  }
+
+  bssl::UniquePtr<EC_POINT> pub(EC_POINT_new(group));
+  return pub &&
+         EC_POINT_oct2point(group, pub.get(), kPublicKey, sizeof(kPublicKey),
+                            nullptr) &&
+         ec_jacobian_to_affine(group, &out->pubs, &pub->raw);
+}
+
+TEST(TrustTokenTest, PSTV1VOPRFTestVector1) {
+  const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
+  TRUST_TOKEN_ISSUER_KEY key;
+  ASSERT_TRUE(setup_voprf_test_key(group, &key));
+
+  static const uint8_t kBlindedElement[] = {
+      0x02, 0xd3, 0x38, 0xc0, 0x5c, 0xbe, 0xcb, 0x82, 0xde, 0x13,
+      0xd6, 0x70, 0x0f, 0x09, 0xcb, 0x61, 0x19, 0x05, 0x43, 0xa7,
+      0xb7, 0xe2, 0xc6, 0xcd, 0x4f, 0xca, 0x56, 0x88, 0x7e, 0x56,
+      0x4e, 0xa8, 0x26, 0x53, 0xb2, 0x7f, 0xda, 0xd3, 0x83, 0x99,
+      0x5e, 0xa6, 0xd0, 0x2c, 0xf2, 0x6d, 0x0e, 0x24, 0xd9
+  };
+
+  static const uint8_t kEvaluatedElement[] = {
+      0x02, 0xa7, 0xbb, 0xa5, 0x89, 0xb3, 0xe8, 0x67, 0x2a, 0xa1,
+      0x9e, 0x8f, 0xd2, 0x58, 0xde, 0x2e, 0x6a, 0xae, 0x20, 0x10,
+      0x1c, 0x8d, 0x76, 0x12, 0x46, 0xde, 0x97, 0xa6, 0xb5, 0xee,
+      0x9c, 0xf1, 0x05, 0xfe, 0xbc, 0xe4, 0x32, 0x7a, 0x32, 0x62,
+      0x55, 0xa3, 0xc6, 0x04, 0xf6, 0x3f, 0x60, 0x0e, 0xf6
+  };
+
+  static const uint8_t kProof[] = {
+      0xbf, 0xc6, 0xcf, 0x38, 0x59, 0x12, 0x7f, 0x5f, 0xe2, 0x55, 0x48, 0x85,
+      0x98, 0x56, 0xd6, 0xb7, 0xfa, 0x1c, 0x74, 0x59, 0xf0, 0xba, 0x57, 0x12,
+      0xa8, 0x06, 0xfc, 0x09, 0x1a, 0x30, 0x00, 0xc4, 0x2d, 0x8b, 0xa3, 0x4f,
+      0xf4, 0x5f, 0x32, 0xa5, 0x2e, 0x40, 0x53, 0x3e, 0xfd, 0x2a, 0x03, 0xbc,
+      0x87, 0xf3, 0xbf, 0x4f, 0x9f, 0x58, 0x02, 0x82, 0x97, 0xcc, 0xb9, 0xcc,
+      0xb1, 0x8a, 0xe7, 0x18, 0x2b, 0xcd, 0x1e, 0xf2, 0x39, 0xdf, 0x77, 0xe3,
+      0xbe, 0x65, 0xef, 0x14, 0x7f, 0x3a, 0xcf, 0x8b, 0xc9, 0xcb, 0xfc, 0x55,
+      0x24, 0xb7, 0x02, 0x26, 0x34, 0x14, 0xf0, 0x43, 0xe3, 0xb7, 0xca, 0x2e
+  };
+
+  static const uint8_t kProofScalar[] = {
+      0x80, 0x3d, 0x95, 0x5f, 0x0e, 0x07, 0x3a, 0x04, 0xaa, 0x5d, 0x92, 0xb3,
+      0xfb, 0x73, 0x9f, 0x56, 0xf9, 0xdb, 0x00, 0x12, 0x66, 0x67, 0x7f, 0x62,
+      0xc0, 0x95, 0x02, 0x1d, 0xb0, 0x18, 0xcd, 0x8c, 0xbb, 0x55, 0x94, 0x1d,
+      0x40, 0x73, 0x69, 0x8c, 0xe4, 0x5c, 0x40, 0x5d, 0x13, 0x48, 0xb7, 0xb1
+  };
+
+  uint8_t blinded_buf[EC_MAX_UNCOMPRESSED];
+  size_t blinded_len;
+  ASSERT_TRUE(ec_point_uncompressed_from_compressed(
+      group, blinded_buf, &blinded_len, kBlindedElement,
+      sizeof(kBlindedElement)));
+
+  CBS sign_input;
+  CBS_init(&sign_input, blinded_buf, blinded_len);
+  bssl::ScopedCBB response;
+  ASSERT_TRUE(CBB_init(response.get(), 0));
+  ASSERT_TRUE(voprf_pst1_sign_with_proof_scalar_for_testing(
+      &key, response.get(), &sign_input, /*num_requested=*/1,
+      /*num_to_issue=*/1,
+      /*private_metadata=*/0, kProofScalar, sizeof(kProofScalar)));
+
+  uint8_t evaluated_buf[EC_MAX_UNCOMPRESSED];
+  size_t evaluated_len;
+  ASSERT_TRUE(ec_point_uncompressed_from_compressed(
+      group, evaluated_buf, &evaluated_len, kEvaluatedElement,
+      sizeof(kEvaluatedElement)));
+
+  bssl::ScopedCBB expected_response;
+  ASSERT_TRUE(CBB_init(expected_response.get(), 0));
+  ASSERT_TRUE(
+      CBB_add_bytes(expected_response.get(), evaluated_buf, evaluated_len));
+  ASSERT_TRUE(CBB_add_u16(expected_response.get(), sizeof(kProof)));
+  ASSERT_TRUE(CBB_add_bytes(expected_response.get(), kProof, sizeof(kProof)));
+  ASSERT_TRUE(CBB_flush(expected_response.get()));
+
+  ASSERT_EQ(Bytes(CBB_data(expected_response.get()),
+                  CBB_len(expected_response.get())),
+            Bytes(CBB_data(response.get()), CBB_len(response.get())));
+}
+
+TEST(TrustTokenTest, PSTV1VOPRFTestVector2) {
+  const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
+  TRUST_TOKEN_ISSUER_KEY key;
+  ASSERT_TRUE(setup_voprf_test_key(group, &key));
+
+  static const uint8_t kBlindedElement[] = {
+      0x02, 0xf2, 0x74, 0x69, 0xe0, 0x59, 0x88, 0x6f, 0x22, 0x1b,
+      0xe5, 0xf2, 0xcc, 0xa0, 0x3d, 0x2b, 0xdc, 0x61, 0xe5, 0x52,
+      0x21, 0x72, 0x1c, 0x3b, 0x3e, 0x56, 0xfc, 0x01, 0x2e, 0x36,
+      0xd3, 0x1a, 0xe5, 0xf8, 0xdc, 0x05, 0x81, 0x09, 0x59, 0x15,
+      0x56, 0xa6, 0xdb, 0xd3, 0xa8, 0xc6, 0x9c, 0x43, 0x3b
+  };
+
+  static const uint8_t kEvaluatedElement[] = {
+      0x03, 0xf1, 0x6f, 0x90, 0x39, 0x47, 0x03, 0x54, 0x00, 0xe9,
+      0x6b, 0x7f, 0x53, 0x1a, 0x38, 0xd4, 0xa0, 0x7a, 0xc8, 0x9a,
+      0x80, 0xf8, 0x9d, 0x86, 0xa1, 0xbf, 0x08, 0x9c, 0x52, 0x5a,
+      0x92, 0xc7, 0xf4, 0x73, 0x37, 0x29, 0xca, 0x30, 0xc5, 0x6c,
+      0xe7, 0x8b, 0x1a, 0xb4, 0xf7, 0xd9, 0x2d, 0xb8, 0xb4
+  };
+
+  static const uint8_t kProof[] = {
+      0xd0, 0x05, 0xd6, 0xda, 0xaa, 0xd7, 0x57, 0x14, 0x14, 0xc1, 0xe0,
+      0xc7, 0x5f, 0x7e, 0x57, 0xf2, 0x11, 0x3c, 0xa9, 0xf4, 0x60, 0x4e,
+      0x84, 0xbc, 0x90, 0xf9, 0xbe, 0x52, 0xda, 0x89, 0x6f, 0xff, 0x3b,
+      0xee, 0x49, 0x6d, 0xcd, 0xe2, 0xa5, 0x78, 0xae, 0x9d, 0xf3, 0x15,
+      0x03, 0x25, 0x85, 0xf8, 0x01, 0xfb, 0x21, 0xc6, 0x08, 0x0a, 0xc0,
+      0x56, 0x72, 0xb2, 0x91, 0xe5, 0x75, 0xa4, 0x02, 0x95, 0xb3, 0x06,
+      0xd9, 0x67, 0x71, 0x7b, 0x28, 0xe0, 0x8f, 0xcc, 0x8a, 0xd1, 0xca,
+      0xb4, 0x78, 0x45, 0xd1, 0x6a, 0xf7, 0x3b, 0x3e, 0x64, 0x3d, 0xdc,
+      0xc1, 0x91, 0x20, 0x8e, 0x71, 0xc6, 0x46, 0x30
+  };
+
+  static const uint8_t kProofScalar[] = {
+      0x80, 0x3d, 0x95, 0x5f, 0x0e, 0x07, 0x3a, 0x04, 0xaa, 0x5d, 0x92, 0xb3,
+      0xfb, 0x73, 0x9f, 0x56, 0xf9, 0xdb, 0x00, 0x12, 0x66, 0x67, 0x7f, 0x62,
+      0xc0, 0x95, 0x02, 0x1d, 0xb0, 0x18, 0xcd, 0x8c, 0xbb, 0x55, 0x94, 0x1d,
+      0x40, 0x73, 0x69, 0x8c, 0xe4, 0x5c, 0x40, 0x5d, 0x13, 0x48, 0xb7, 0xb1
+  };
+
+  uint8_t blinded_buf[EC_MAX_UNCOMPRESSED];
+  size_t blinded_len;
+  ASSERT_TRUE(ec_point_uncompressed_from_compressed(
+      group, blinded_buf, &blinded_len, kBlindedElement,
+      sizeof(kBlindedElement)));
+
+  CBS sign_input;
+  CBS_init(&sign_input, blinded_buf, blinded_len);
+  bssl::ScopedCBB response;
+  ASSERT_TRUE(CBB_init(response.get(), 0));
+  ASSERT_TRUE(voprf_pst1_sign_with_proof_scalar_for_testing(
+      &key, response.get(), &sign_input, /*num_requested=*/1,
+      /*num_to_issue=*/1,
+      /*private_metadata=*/0, kProofScalar, sizeof(kProofScalar)));
+
+  uint8_t evaluated_buf[EC_MAX_UNCOMPRESSED];
+  size_t evaluated_len;
+  ASSERT_TRUE(ec_point_uncompressed_from_compressed(
+      group, evaluated_buf, &evaluated_len, kEvaluatedElement,
+      sizeof(kEvaluatedElement)));
+
+  bssl::ScopedCBB expected_response;
+  ASSERT_TRUE(CBB_init(expected_response.get(), 0));
+  ASSERT_TRUE(
+      CBB_add_bytes(expected_response.get(), evaluated_buf, evaluated_len));
+  ASSERT_TRUE(CBB_add_u16(expected_response.get(), sizeof(kProof)));
+  ASSERT_TRUE(CBB_add_bytes(expected_response.get(), kProof, sizeof(kProof)));
+  ASSERT_TRUE(CBB_flush(expected_response.get()));
+
+  ASSERT_EQ(Bytes(CBB_data(expected_response.get()),
+                  CBB_len(expected_response.get())),
+            Bytes(CBB_data(response.get()), CBB_len(response.get())));
+}
+
+TEST(TrustTokenTest, PSTV1VOPRFTestVector3) {
+  const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
+  TRUST_TOKEN_ISSUER_KEY key;
+  ASSERT_TRUE(setup_voprf_test_key(group, &key));
+
+  static const uint8_t kBlindedElement1[] = {
+      0x02, 0xd3, 0x38, 0xc0, 0x5c, 0xbe, 0xcb, 0x82, 0xde, 0x13,
+      0xd6, 0x70, 0x0f, 0x09, 0xcb, 0x61, 0x19, 0x05, 0x43, 0xa7,
+      0xb7, 0xe2, 0xc6, 0xcd, 0x4f, 0xca, 0x56, 0x88, 0x7e, 0x56,
+      0x4e, 0xa8, 0x26, 0x53, 0xb2, 0x7f, 0xda, 0xd3, 0x83, 0x99,
+      0x5e, 0xa6, 0xd0, 0x2c, 0xf2, 0x6d, 0x0e, 0x24, 0xd9
+  };
+  static const uint8_t kBlindedElement2[] = {
+      0x02, 0xfa, 0x02, 0x47, 0x0d, 0x7f, 0x15, 0x10, 0x18, 0xb4,
+      0x1e, 0x82, 0x22, 0x3c, 0x32, 0xfa, 0xd8, 0x24, 0xde, 0x6a,
+      0xd4, 0xb5, 0xce, 0x9f, 0x8e, 0x9f, 0x98, 0x08, 0x3c, 0x9a,
+      0x72, 0x6d, 0xe9, 0xa1, 0xfc, 0x39, 0xd7, 0xa0, 0xcb, 0x6f,
+      0x4f, 0x18, 0x8d, 0xd9, 0xce, 0xa0, 0x14, 0x74, 0xcd
+  };
+
+  static const uint8_t kEvaluatedElement1[] = {
+      0x02, 0xa7, 0xbb, 0xa5, 0x89, 0xb3, 0xe8, 0x67, 0x2a, 0xa1,
+      0x9e, 0x8f, 0xd2, 0x58, 0xde, 0x2e, 0x6a, 0xae, 0x20, 0x10,
+      0x1c, 0x8d, 0x76, 0x12, 0x46, 0xde, 0x97, 0xa6, 0xb5, 0xee,
+      0x9c, 0xf1, 0x05, 0xfe, 0xbc, 0xe4, 0x32, 0x7a, 0x32, 0x62,
+      0x55, 0xa3, 0xc6, 0x04, 0xf6, 0x3f, 0x60, 0x0e, 0xf6
+  };
+
+  static const uint8_t kEvaluatedElement2[] = {
+      0x02, 0x8e, 0x9e, 0x11, 0x56, 0x25, 0xff, 0x4c, 0x2f, 0x07,
+      0xbf, 0x87, 0xce, 0x3f, 0xd7, 0x3f, 0xc7, 0x79, 0x94, 0xa7,
+      0xa0, 0xc1, 0xdf, 0x03, 0xd2, 0xa6, 0x30, 0xa3, 0xd8, 0x45,
+      0x93, 0x0e, 0x2e, 0x63, 0xa1, 0x65, 0xb1, 0x14, 0xd9, 0x8f,
+      0xe3, 0x4e, 0x61, 0xb6, 0x8d, 0x23, 0xc0, 0xb5, 0x0a
+  };
+
+  static const uint8_t kProof[] = {
+      0x6d, 0x8d, 0xcb, 0xd2, 0xfc, 0x95, 0x55, 0x0a, 0x02, 0x21, 0x1f,
+      0xb7, 0x8a, 0xfd, 0x01, 0x39, 0x33, 0xf3, 0x07, 0xd2, 0x1e, 0x7d,
+      0x85, 0x5b, 0x0b, 0x1e, 0xd0, 0xaf, 0x78, 0x07, 0x6d, 0x81, 0x37,
+      0xad, 0x8b, 0x0a, 0x1b, 0xfa, 0x05, 0x67, 0x6d, 0x32, 0x52, 0x49,
+      0xc1, 0xdb, 0xb9, 0xa5, 0x2b, 0xd8, 0x1b, 0x1c, 0x2b, 0x7b, 0x0e,
+      0xfc, 0x77, 0xcf, 0x7b, 0x27, 0x8e, 0x1c, 0x94, 0x7f, 0x62, 0x83,
+      0xf1, 0xd4, 0xc5, 0x13, 0x05, 0x3f, 0xc0, 0xad, 0x19, 0xe0, 0x26,
+      0xfb, 0x0c, 0x30, 0x65, 0x4b, 0x53, 0xd9, 0xce, 0xa4, 0xb8, 0x7b,
+      0x03, 0x72, 0x71, 0xb5, 0xd2, 0xe2, 0xd0, 0xea
+  };
+
+  static const uint8_t kProofScalar[] = {
+      0xa0, 0x97, 0xe7, 0x22, 0xed, 0x24, 0x27, 0xde, 0x86, 0x96,
+      0x69, 0x10, 0xac, 0xba, 0x9f, 0x5c, 0x35, 0x0e, 0x80, 0x40,
+      0xf8, 0x28, 0xbf, 0x6c, 0xec, 0xa2, 0x74, 0x05, 0x42, 0x0c,
+      0xdf, 0x3d, 0x63, 0xcb, 0x3a, 0xef, 0x00, 0x5f, 0x40, 0xba,
+      0x51, 0x94, 0x3c, 0x80, 0x26, 0x87, 0x79, 0x63
+  };
+
+  uint8_t blinded_buf[2*EC_MAX_UNCOMPRESSED];
+  size_t blinded_len;
+  ASSERT_TRUE(ec_point_uncompressed_from_compressed(
+      group, blinded_buf, &blinded_len, kBlindedElement1,
+      sizeof(kBlindedElement1)));
+  size_t offset = blinded_len;
+  ASSERT_TRUE(ec_point_uncompressed_from_compressed(
+      group, blinded_buf + offset, &blinded_len, kBlindedElement2,
+      sizeof(kBlindedElement2)));
+
+  CBS sign_input;
+  CBS_init(&sign_input, blinded_buf, offset + blinded_len);
+  bssl::ScopedCBB response;
+  ASSERT_TRUE(CBB_init(response.get(), 0));
+  ASSERT_TRUE(voprf_pst1_sign_with_proof_scalar_for_testing(
+      &key, response.get(), &sign_input, /*num_requested=*/2,
+      /*num_to_issue=*/2,
+      /*private_metadata=*/0, kProofScalar, sizeof(kProofScalar)));
+
+  uint8_t evaluated_buf[2 * EC_MAX_UNCOMPRESSED];
+  size_t evaluated_len;
+  ASSERT_TRUE(ec_point_uncompressed_from_compressed(
+      group, evaluated_buf, &evaluated_len, kEvaluatedElement1,
+      sizeof(kEvaluatedElement1)));
+  offset = evaluated_len;
+  ASSERT_TRUE(ec_point_uncompressed_from_compressed(
+      group, evaluated_buf + offset, &evaluated_len, kEvaluatedElement2,
+      sizeof(kEvaluatedElement2)));
+
+  bssl::ScopedCBB expected_response;
+  ASSERT_TRUE(CBB_init(expected_response.get(), 0));
+  ASSERT_TRUE(CBB_add_bytes(expected_response.get(), evaluated_buf,
+                            offset + evaluated_len));
+  ASSERT_TRUE(CBB_add_u16(expected_response.get(), sizeof(kProof)));
+  ASSERT_TRUE(CBB_add_bytes(expected_response.get(), kProof, sizeof(kProof)));
+  ASSERT_TRUE(CBB_flush(expected_response.get()));
+
+  ASSERT_EQ(Bytes(CBB_data(expected_response.get()),
+                  CBB_len(expected_response.get())),
+            Bytes(CBB_data(response.get()), CBB_len(response.get())));
+}
+
 static std::vector<const TRUST_TOKEN_METHOD *> AllMethods() {
   return {
     TRUST_TOKEN_experiment_v1(),
diff --git a/src/crypto/trust_token/voprf.c b/src/crypto/trust_token/voprf.c
index d414bfd5..aa7df8ef 100644
--- a/src/crypto/trust_token/voprf.c
+++ b/src/crypto/trust_token/voprf.c
@@ -63,18 +63,24 @@ static int voprf_init_method(VOPRF_METHOD *method, int curve_nid,
 
 static int cbb_add_point(CBB *out, const EC_GROUP *group,
                          const EC_AFFINE *point) {
-  size_t len = ec_point_byte_len(group,  POINT_CONVERSION_UNCOMPRESSED);
-  if (len == 0) {
-    return 0;
-  }
-
   uint8_t *p;
+  size_t len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);
   return CBB_add_space(out, &p, len) &&
          ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, p,
                            len) == len &&
          CBB_flush(out);
 }
 
+static int cbb_serialize_point(CBB *out, const EC_GROUP *group,
+                               const EC_AFFINE *point) {
+  uint8_t *p;
+  size_t len = ec_point_byte_len(group, POINT_CONVERSION_COMPRESSED);
+  return CBB_add_u16(out, len) && CBB_add_space(out, &p, len) &&
+         ec_point_to_bytes(group, point, POINT_CONVERSION_COMPRESSED, p, len) ==
+             len &&
+         CBB_flush(out);
+}
+
 static int cbs_get_point(CBS *cbs, const EC_GROUP *group, EC_AFFINE *out) {
   CBS child;
   size_t plen = 1 + 2 * BN_num_bytes(&group->field);
@@ -299,6 +305,30 @@ err:
   return ok;
 }
 
+static int hash_to_scalar_challenge(const VOPRF_METHOD *method, EC_SCALAR *out,
+                                    const EC_AFFINE *Bm, const EC_AFFINE *a0,
+                                    const EC_AFFINE *a1, const EC_AFFINE *a2,
+                                    const EC_AFFINE *a3) {
+  static const uint8_t kChallengeLabel[] = "Challenge";
+
+  CBB cbb;
+  uint8_t transcript[5 * EC_MAX_COMPRESSED + 2 + sizeof(kChallengeLabel) - 1];
+  size_t len;
+  if (!CBB_init_fixed(&cbb, transcript, sizeof(transcript)) ||
+      !cbb_serialize_point(&cbb, method->group, Bm) ||
+      !cbb_serialize_point(&cbb, method->group, a0) ||
+      !cbb_serialize_point(&cbb, method->group, a1) ||
+      !cbb_serialize_point(&cbb, method->group, a2) ||
+      !cbb_serialize_point(&cbb, method->group, a3) ||
+      !CBB_add_bytes(&cbb, kChallengeLabel, sizeof(kChallengeLabel) - 1) ||
+      !CBB_finish(&cbb, NULL, &len) ||
+      !method->hash_to_scalar(method->group, out, transcript, len)) {
+    return 0;
+  }
+
+  return 1;
+}
+
 static int hash_to_scalar_batch(const VOPRF_METHOD *method, EC_SCALAR *out,
                                 const CBB *points, size_t index) {
   static const uint8_t kDLEQBatchLabel[] = "DLEQ BATCH";
@@ -455,9 +485,9 @@ static int dleq_verify(const VOPRF_METHOD *method, CBS *cbs,
   return 1;
 }
 
-static int voprf_sign(const VOPRF_METHOD *method,
-                      const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
-                      size_t num_requested, size_t num_to_issue) {
+static int voprf_sign_tt(const VOPRF_METHOD *method,
+                         const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
+                         size_t num_requested, size_t num_to_issue) {
   const EC_GROUP *group = method->group;
   if (num_requested < num_to_issue) {
     OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);
@@ -553,7 +583,7 @@ err:
   return ret;
 }
 
-static STACK_OF(TRUST_TOKEN) *voprf_unblind(
+static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt(
     const VOPRF_METHOD *method, const TRUST_TOKEN_CLIENT_KEY *key,
     const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,
     uint32_t key_id) {
@@ -673,6 +703,397 @@ err:
   return ret;
 }
 
+static void sha384_update_u16(SHA512_CTX *ctx, uint16_t v) {
+  uint8_t buf[2] = {v >> 8, v & 0xff};
+  SHA384_Update(ctx, buf, 2);
+}
+
+static void sha384_update_point_with_length(
+     SHA512_CTX *ctx, const EC_GROUP *group, const EC_AFFINE *point) {
+  uint8_t buf[EC_MAX_COMPRESSED];
+  size_t len = ec_point_to_bytes(group, point, POINT_CONVERSION_COMPRESSED,
+                                 buf, sizeof(buf));
+  assert(len > 0);
+  sha384_update_u16(ctx, (uint16_t)len);
+  SHA384_Update(ctx, buf, len);
+}
+
+static int compute_composite_seed(const VOPRF_METHOD *method,
+                                  uint8_t out[SHA384_DIGEST_LENGTH],
+                                  const EC_AFFINE *pub) {
+  const EC_GROUP *group = method->group;
+  static const uint8_t kSeedDST[] = "Seed-OPRFV1-\x01-P384-SHA384";
+
+  SHA512_CTX hash_ctx;
+  SHA384_Init(&hash_ctx);
+  sha384_update_point_with_length(&hash_ctx, group, pub);
+  sha384_update_u16(&hash_ctx, sizeof(kSeedDST) - 1);
+  SHA384_Update(&hash_ctx, kSeedDST, sizeof(kSeedDST) - 1);
+  SHA384_Final(out, &hash_ctx);
+
+  return 1;
+}
+
+static int compute_composite_element(const VOPRF_METHOD *method,
+                                     uint8_t seed[SHA384_DIGEST_LENGTH],
+                                     EC_SCALAR *di, size_t index,
+                                     const EC_AFFINE *C, const EC_AFFINE *D) {
+  static const uint8_t kCompositeLabel[] = "Composite";
+  const EC_GROUP *group = method->group;
+
+  if (index > UINT16_MAX) {
+    return 0;
+  }
+
+  CBB cbb;
+  uint8_t transcript[2 + SHA384_DIGEST_LENGTH + 2 + 2 * EC_MAX_COMPRESSED +
+                     sizeof(kCompositeLabel) - 1];
+  size_t len;
+  if (!CBB_init_fixed(&cbb, transcript, sizeof(transcript)) ||
+      !CBB_add_u16(&cbb, SHA384_DIGEST_LENGTH) ||
+      !CBB_add_bytes(&cbb, seed, SHA384_DIGEST_LENGTH) ||
+      !CBB_add_u16(&cbb, index) ||
+      !cbb_serialize_point(&cbb, group, C) ||
+      !cbb_serialize_point(&cbb, group, D) ||
+      !CBB_add_bytes(&cbb, kCompositeLabel,
+                     sizeof(kCompositeLabel) - 1) ||
+      !CBB_finish(&cbb, NULL, &len) ||
+      !method->hash_to_scalar(method->group, di, transcript, len)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+static int generate_proof(const VOPRF_METHOD *method, CBB *cbb,
+                          const TRUST_TOKEN_ISSUER_KEY *priv,
+                          const EC_SCALAR *r, const EC_RAW_POINT *M,
+                          const EC_RAW_POINT *Z) {
+  const EC_GROUP *group = method->group;
+
+  enum {
+    idx_M,
+    idx_Z,
+    idx_t2,
+    idx_t3,
+    num_idx,
+  };
+  EC_RAW_POINT jacobians[num_idx];
+
+  if (!ec_point_mul_scalar_base(group, &jacobians[idx_t2], r) ||
+      !ec_point_mul_scalar(group, &jacobians[idx_t3], M, r)) {
+    return 0;
+  }
+
+
+  EC_AFFINE affines[num_idx];
+  jacobians[idx_M] = *M;
+  jacobians[idx_Z] = *Z;
+  if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {
+    return 0;
+  }
+
+  EC_SCALAR c;
+  if (!hash_to_scalar_challenge(method, &c, &priv->pubs, &affines[idx_M],
+                                &affines[idx_Z], &affines[idx_t2],
+                                &affines[idx_t3])) {
+    return 0;
+  }
+
+  EC_SCALAR c_mont;
+  ec_scalar_to_montgomery(group, &c_mont, &c);
+
+  // s = r - c*xs
+  EC_SCALAR s;
+  ec_scalar_mul_montgomery(group, &s, &priv->xs, &c_mont);
+  ec_scalar_sub(group, &s, r, &s);
+
+  // Store DLEQ proof in transcript.
+  if (!scalar_to_cbb(cbb, group, &c) ||
+      !scalar_to_cbb(cbb, group, &s)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+static int verify_proof(const VOPRF_METHOD *method, CBS *cbs,
+                        const TRUST_TOKEN_CLIENT_KEY *pub,
+                        const EC_RAW_POINT *M, const EC_RAW_POINT *Z) {
+  const EC_GROUP *group = method->group;
+
+  enum {
+    idx_M,
+    idx_Z,
+    idx_t2,
+    idx_t3,
+    num_idx,
+  };
+  EC_RAW_POINT jacobians[num_idx];
+
+  EC_SCALAR c, s;
+  if (!scalar_from_cbs(cbs, group, &c) ||
+      !scalar_from_cbs(cbs, group, &s)) {
+    OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
+    return 0;
+  }
+
+  EC_RAW_POINT pubs;
+  ec_affine_to_jacobian(group, &pubs, &pub->pubs);
+  if (!ec_point_mul_scalar_public(group, &jacobians[idx_t2], &s, &pubs,
+                                  &c) ||
+      !mul_public_2(group, &jacobians[idx_t3], M, &s, Z, &c)) {
+    return 0;
+  }
+
+  EC_AFFINE affines[num_idx];
+  jacobians[idx_M] = *M;
+  jacobians[idx_Z] = *Z;
+  if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {
+    return 0;
+  }
+
+  EC_SCALAR expected_c;
+  if (!hash_to_scalar_challenge(method, &expected_c, &pub->pubs,
+                                &affines[idx_M], &affines[idx_Z],
+                                &affines[idx_t2], &affines[idx_t3])) {
+    return 0;
+  }
+
+  // c == expected_c
+  if (!ec_scalar_equal_vartime(group, &c, &expected_c)) {
+    OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_PROOF);
+    return 0;
+  }
+
+  return 1;
+}
+
+static int voprf_sign_impl(const VOPRF_METHOD *method,
+                           const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb,
+                           CBS *cbs, size_t num_requested, size_t num_to_issue,
+                           const EC_SCALAR *proof_scalar) {
+  const EC_GROUP *group = method->group;
+  if (num_requested < num_to_issue) {
+    OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+
+  if (num_to_issue > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
+      num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) {
+    OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
+    return 0;
+  }
+
+  int ret = 0;
+  EC_RAW_POINT *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
+  EC_RAW_POINT *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
+  EC_SCALAR *dis = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR));
+  if (!BTs || !Zs || !dis) {
+    goto err;
+  }
+
+  uint8_t seed[SHA384_DIGEST_LENGTH];
+  if (!compute_composite_seed(method, seed, &key->pubs)) {
+    goto err;
+  }
+
+  // This implements the BlindEvaluateBatch as defined in section 4 of
+  // draft-robert-privacypass-batched-tokens-01, based on the constructions
+  // in draft-irtf-cfrg-voprf-21. To optimize the computation of the proof,
+  // the computation of di is done during the token signing and passed into
+  // the proof generation.
+  for (size_t i = 0; i < num_to_issue; i++) {
+    EC_AFFINE BT_affine, Z_affine;
+    EC_RAW_POINT BT, Z;
+    if (!cbs_get_point(cbs, group, &BT_affine)) {
+      OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
+      goto err;
+    }
+    ec_affine_to_jacobian(group, &BT, &BT_affine);
+    if (!ec_point_mul_scalar(group, &Z, &BT, &key->xs) ||
+        !ec_jacobian_to_affine(group, &Z_affine, &Z) ||
+        !cbb_add_point(cbb, group, &Z_affine)) {
+      goto err;
+    }
+    BTs[i] = BT;
+    Zs[i] = Z;
+    if (!compute_composite_element(method, seed, &dis[i], i, &BT_affine,
+                                   &Z_affine)) {
+      goto err;
+    }
+
+    if (!CBB_flush(cbb)) {
+      goto err;
+    }
+  }
+
+  EC_RAW_POINT M, Z;
+  if (!ec_point_mul_scalar_public_batch(group, &M,
+                                        /*g_scalar=*/NULL, BTs, dis,
+                                        num_to_issue) ||
+      !ec_point_mul_scalar(group, &Z, &M, &key->xs)) {
+    goto err;
+  }
+
+  CBB proof;
+  if (!CBB_add_u16_length_prefixed(cbb, &proof) ||
+      !generate_proof(method, &proof, key, proof_scalar, &M, &Z) ||
+      !CBB_flush(cbb)) {
+    goto err;
+  }
+
+  // Skip over any unused requests.
+  size_t point_len = 1 + 2 * BN_num_bytes(&group->field);
+  if (!CBS_skip(cbs, point_len * (num_requested - num_to_issue))) {
+    OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
+    goto err;
+  }
+
+  ret = 1;
+
+err:
+  OPENSSL_free(BTs);
+  OPENSSL_free(Zs);
+  OPENSSL_free(dis);
+  return ret;
+}
+
+static int voprf_sign(const VOPRF_METHOD *method,
+                      const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
+                      size_t num_requested, size_t num_to_issue) {
+  EC_SCALAR proof_scalar;
+  if (!ec_random_nonzero_scalar(method->group, &proof_scalar,
+                                kDefaultAdditionalData)) {
+    return 0;
+  }
+
+  return voprf_sign_impl(method, key, cbb, cbs, num_requested, num_to_issue,
+                         &proof_scalar);
+}
+
+static int voprf_sign_with_proof_scalar_for_testing(
+    const VOPRF_METHOD *method, const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb,
+    CBS *cbs, size_t num_requested, size_t num_to_issue,
+    const uint8_t *proof_scalar_buf, size_t proof_scalar_len) {
+  EC_SCALAR proof_scalar;
+  if (!ec_scalar_from_bytes(method->group, &proof_scalar, proof_scalar_buf,
+                            proof_scalar_len)) {
+    return 0;
+  }
+  return voprf_sign_impl(method, key, cbb, cbs, num_requested, num_to_issue,
+                         &proof_scalar);
+}
+
+static STACK_OF(TRUST_TOKEN) *voprf_unblind(
+    const VOPRF_METHOD *method, const TRUST_TOKEN_CLIENT_KEY *key,
+    const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,
+    uint32_t key_id) {
+  const EC_GROUP *group = method->group;
+  if (count > sk_TRUST_TOKEN_PRETOKEN_num(pretokens)) {
+    OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
+    return NULL;
+  }
+
+  if (count > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
+      count > ((size_t)-1) / sizeof(EC_SCALAR)) {
+    OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
+    return NULL;
+  }
+
+  int ok = 0;
+  STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();
+  EC_RAW_POINT *BTs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
+  EC_RAW_POINT *Zs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
+  EC_SCALAR *dis = OPENSSL_malloc(count * sizeof(EC_SCALAR));
+  if (ret == NULL || !BTs || !Zs || !dis) {
+    goto err;
+  }
+
+  uint8_t seed[SHA384_DIGEST_LENGTH];
+  if (!compute_composite_seed(method, seed, &key->pubs)) {
+    goto err;
+  }
+
+  for (size_t i = 0; i < count; i++) {
+    const TRUST_TOKEN_PRETOKEN *pretoken =
+        sk_TRUST_TOKEN_PRETOKEN_value(pretokens, i);
+
+    EC_AFFINE Z_affine;
+    if (!cbs_get_point(cbs, group, &Z_affine)) {
+      OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
+      goto err;
+    }
+
+    ec_affine_to_jacobian(group, &BTs[i], &pretoken->Tp);
+    ec_affine_to_jacobian(group, &Zs[i], &Z_affine);
+    if (!compute_composite_element(method, seed, &dis[i], i, &pretoken->Tp,
+                                   &Z_affine)) {
+      goto err;
+    }
+
+    // Unblind the token.
+    // pretoken->r is rinv.
+    EC_RAW_POINT N;
+    EC_AFFINE N_affine;
+    if (!ec_point_mul_scalar(group, &N, &Zs[i], &pretoken->r) ||
+        !ec_jacobian_to_affine(group, &N_affine, &N)) {
+      goto err;
+    }
+
+    // Serialize the token. Include |key_id| to avoid an extra copy in the layer
+    // above.
+    CBB token_cbb;
+    size_t point_len = 1 + 2 * BN_num_bytes(&group->field);
+    if (!CBB_init(&token_cbb, 4 + TRUST_TOKEN_NONCE_SIZE + (2 + point_len)) ||
+        !CBB_add_u32(&token_cbb, key_id) ||
+        !CBB_add_bytes(&token_cbb, pretoken->salt, TRUST_TOKEN_NONCE_SIZE) ||
+        !cbb_add_point(&token_cbb, group, &N_affine) ||
+        !CBB_flush(&token_cbb)) {
+      CBB_cleanup(&token_cbb);
+      goto err;
+    }
+
+    TRUST_TOKEN *token =
+        TRUST_TOKEN_new(CBB_data(&token_cbb), CBB_len(&token_cbb));
+    CBB_cleanup(&token_cbb);
+    if (token == NULL ||
+        !sk_TRUST_TOKEN_push(ret, token)) {
+      TRUST_TOKEN_free(token);
+      goto err;
+    }
+  }
+
+  EC_RAW_POINT M, Z;
+  if (!ec_point_mul_scalar_public_batch(group, &M,
+                                        /*g_scalar=*/NULL, BTs, dis,
+                                        count) ||
+      !ec_point_mul_scalar_public_batch(group, &Z,
+                                        /*g_scalar=*/NULL, Zs, dis,
+                                        count)) {
+    goto err;
+  }
+
+  CBS proof;
+  if (!CBS_get_u16_length_prefixed(cbs, &proof) ||
+      !verify_proof(method, &proof, key, &M, &Z) ||
+      CBS_len(&proof) != 0) {
+    goto err;
+  }
+
+  ok = 1;
+
+err:
+  OPENSSL_free(BTs);
+  OPENSSL_free(Zs);
+  OPENSSL_free(dis);
+  if (!ok) {
+    sk_TRUST_TOKEN_pop_free(ret, TRUST_TOKEN_free);
+    ret = NULL;
+  }
+  return ret;
+}
+
 static int voprf_read(const VOPRF_METHOD *method,
                       const TRUST_TOKEN_ISSUER_KEY *key,
                       uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],
@@ -804,8 +1225,8 @@ int voprf_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
   if (!voprf_exp2_init_method() || private_metadata != 0) {
     return 0;
   }
-  return voprf_sign(&voprf_exp2_method, key, cbb, cbs, num_requested,
-                    num_to_issue);
+  return voprf_sign_tt(&voprf_exp2_method, key, cbb, cbs, num_requested,
+                       num_to_issue);
 }
 
 STACK_OF(TRUST_TOKEN) *voprf_exp2_unblind(
@@ -815,7 +1236,8 @@ STACK_OF(TRUST_TOKEN) *voprf_exp2_unblind(
   if (!voprf_exp2_init_method()) {
     return NULL;
   }
-  return voprf_unblind(&voprf_exp2_method, key, pretokens, cbs, count, key_id);
+  return voprf_unblind_tt(&voprf_exp2_method, key, pretokens, cbs, count,
+                          key_id);
 }
 
 int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,
@@ -834,16 +1256,17 @@ int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,
 
 static int voprf_pst1_hash_to_group(const EC_GROUP *group, EC_RAW_POINT *out,
                                     const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
-  const uint8_t kHashTLabel[] = "TrustToken VOPRF PST V1 HashToGroup";
-  return ec_hash_to_curve_p384_xmd_sha384_sswu(
-      group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);
+  const uint8_t kHashTLabel[] = "HashToGroup-OPRFV1-\x01-P384-SHA384";
+  return ec_hash_to_curve_p384_xmd_sha384_sswu(group, out, kHashTLabel,
+                                               sizeof(kHashTLabel) - 1, t,
+                                               TRUST_TOKEN_NONCE_SIZE);
 }
 
 static int voprf_pst1_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
                              uint8_t *buf, size_t len) {
-  const uint8_t kHashCLabel[] = "TrustToken VOPRF PST V1 HashToScalar";
-  return ec_hash_to_scalar_p384_xmd_sha384(
-      group, out, kHashCLabel, sizeof(kHashCLabel), buf, len);
+  const uint8_t kHashCLabel[] = "HashToScalar-OPRFV1-\x01-P384-SHA384";
+  return ec_hash_to_scalar_p384_xmd_sha384(group, out, kHashCLabel,
+                                           sizeof(kHashCLabel) - 1, buf, len);
 }
 
 static int voprf_pst1_ok = 0;
@@ -921,6 +1344,19 @@ int voprf_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
                     num_to_issue);
 }
 
+
+int voprf_pst1_sign_with_proof_scalar_for_testing(
+    const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested,
+    size_t num_to_issue, uint8_t private_metadata,
+    const uint8_t *proof_scalar_buf, size_t proof_scalar_len) {
+  if (!voprf_pst1_init_method() || private_metadata != 0) {
+    return 0;
+  }
+  return voprf_sign_with_proof_scalar_for_testing(
+      &voprf_pst1_method, key, cbb, cbs, num_requested, num_to_issue,
+      proof_scalar_buf, proof_scalar_len);
+}
+
 STACK_OF(TRUST_TOKEN) *voprf_pst1_unblind(
     const TRUST_TOKEN_CLIENT_KEY *key,
     const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,
diff --git a/src/crypto/x509/a_sign.c b/src/crypto/x509/a_sign.c
index 8ee47798..7f80e5b0 100644
--- a/src/crypto/x509/a_sign.c
+++ b/src/crypto/x509/a_sign.c
@@ -126,7 +126,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
   out = NULL;
   signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
   signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
-  ret = 1;
+  ret = (int)out_len;
 
 err:
   EVP_MD_CTX_cleanup(ctx);
diff --git a/src/crypto/x509/name_print.c b/src/crypto/x509/name_print.c
index 29207ccb..5dc34dae 100644
--- a/src/crypto/x509/name_print.c
+++ b/src/crypto/x509/name_print.c
@@ -56,6 +56,7 @@
 
 #include <openssl/x509.h>
 
+#include <assert.h>
 #include <inttypes.h>
 #include <string.h>
 
@@ -84,8 +85,7 @@ static int do_indent(BIO *out, int indent) {
 
 static int do_name_ex(BIO *out, const X509_NAME *n, int indent,
                       unsigned long flags) {
-  int i, prev = -1, orflags, cnt;
-  int fn_opt, fn_nid;
+  int prev = -1, orflags;
   char objtmp[80];
   const char *objbuf;
   int outlen, len;
@@ -142,10 +142,8 @@ static int do_name_ex(BIO *out, const X509_NAME *n, int indent,
     sep_eq_len = 1;
   }
 
-  fn_opt = flags & XN_FLAG_FN_MASK;
-
-  cnt = X509_NAME_entry_count(n);
-  for (i = 0; i < cnt; i++) {
+  int cnt = X509_NAME_entry_count(n);
+  for (int i = 0; i < cnt; i++) {
     const X509_NAME_ENTRY *ent;
     if (flags & XN_FLAG_DN_REV) {
       ent = X509_NAME_get_entry(n, cnt - i - 1);
@@ -172,40 +170,20 @@ static int do_name_ex(BIO *out, const X509_NAME *n, int indent,
     prev = X509_NAME_ENTRY_set(ent);
     const ASN1_OBJECT *fn = X509_NAME_ENTRY_get_object(ent);
     const ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
-    fn_nid = OBJ_obj2nid(fn);
-    if (fn_opt != XN_FLAG_FN_NONE) {
-      int objlen, fld_len;
-      if ((fn_opt == XN_FLAG_FN_OID) || (fn_nid == NID_undef)) {
-        OBJ_obj2txt(objtmp, sizeof objtmp, fn, 1);
-        fld_len = 0;  // XXX: what should this be?
-        objbuf = objtmp;
-      } else {
-        if (fn_opt == XN_FLAG_FN_SN) {
-          fld_len = FN_WIDTH_SN;
-          objbuf = OBJ_nid2sn(fn_nid);
-        } else if (fn_opt == XN_FLAG_FN_LN) {
-          fld_len = FN_WIDTH_LN;
-          objbuf = OBJ_nid2ln(fn_nid);
-        } else {
-          fld_len = 0;  // XXX: what should this be?
-          objbuf = "";
-        }
-      }
-      objlen = strlen(objbuf);
-      if (!maybe_write(out, objbuf, objlen)) {
-        return -1;
-      }
-      if ((objlen < fld_len) && (flags & XN_FLAG_FN_ALIGN)) {
-        if (!do_indent(out, fld_len - objlen)) {
-          return -1;
-        }
-        outlen += fld_len - objlen;
-      }
-      if (!maybe_write(out, sep_eq, sep_eq_len)) {
-        return -1;
-      }
-      outlen += objlen + sep_eq_len;
+    assert((flags & XN_FLAG_FN_MASK) == XN_FLAG_FN_SN);
+    int fn_nid = OBJ_obj2nid(fn);
+    if (fn_nid == NID_undef) {
+      OBJ_obj2txt(objtmp, sizeof(objtmp), fn, 1);
+      objbuf = objtmp;
+    } else {
+      objbuf = OBJ_nid2sn(fn_nid);
+    }
+    int objlen = strlen(objbuf);
+    if (!maybe_write(out, objbuf, objlen) ||
+        !maybe_write(out, sep_eq, sep_eq_len)) {
+      return -1;
     }
+    outlen += objlen + sep_eq_len;
     // If the field name is unknown then fix up the DER dump flag. We
     // might want to limit this further so it will DER dump on anything
     // other than a few 'standard' fields.
diff --git a/src/crypto/x509/t_x509.c b/src/crypto/x509/t_x509.c
index 6694e3d1..1d71576c 100644
--- a/src/crypto/x509/t_x509.c
+++ b/src/crypto/x509/t_x509.c
@@ -91,14 +91,8 @@ int X509_print(BIO *bp, X509 *x) {
 
 int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
                   unsigned long cflag) {
-  long l;
-  int ret = 0, i;
-  char *m = NULL, mlch = ' ';
+  char mlch = ' ';
   int nmindent = 0;
-  X509_CINF *ci;
-  EVP_PKEY *pkey = NULL;
-  const char *neg;
-
   if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
     mlch = '\n';
     nmindent = 12;
@@ -108,26 +102,26 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
     nmindent = 16;
   }
 
-  ci = x->cert_info;
+  const X509_CINF *ci = x->cert_info;
   if (!(cflag & X509_FLAG_NO_HEADER)) {
     if (BIO_write(bp, "Certificate:\n", 13) <= 0) {
-      goto err;
+      return 0;
     }
     if (BIO_write(bp, "    Data:\n", 10) <= 0) {
-      goto err;
+      return 0;
     }
   }
   if (!(cflag & X509_FLAG_NO_VERSION)) {
-    l = X509_get_version(x);
+    long l = X509_get_version(x);
     assert(X509_VERSION_1 <= l && l <= X509_VERSION_3);
     if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1,
                    (unsigned long)l) <= 0) {
-      goto err;
+      return 0;
     }
   }
   if (!(cflag & X509_FLAG_NO_SERIAL)) {
     if (BIO_write(bp, "        Serial Number:", 22) <= 0) {
-      goto err;
+      return 0;
     }
 
     const ASN1_INTEGER *serial = X509_get0_serialNumber(x);
@@ -136,19 +130,20 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
       assert(serial->type != V_ASN1_NEG_INTEGER);
       if (BIO_printf(bp, " %" PRIu64 " (0x%" PRIx64 ")\n", serial_u64,
                      serial_u64) <= 0) {
-        goto err;
+        return 0;
       }
     } else {
       ERR_clear_error();  // Clear |ASN1_INTEGER_get_uint64|'s error.
-      neg = (serial->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : "";
+      const char *neg =
+          (serial->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : "";
       if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) {
-        goto err;
+        return 0;
       }
 
-      for (i = 0; i < serial->length; i++) {
+      for (int i = 0; i < serial->length; i++) {
         if (BIO_printf(bp, "%02x%c", serial->data[i],
                        ((i + 1 == serial->length) ? '\n' : ':')) <= 0) {
-          goto err;
+          return 0;
         }
       }
     }
@@ -156,69 +151,69 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
 
   if (!(cflag & X509_FLAG_NO_SIGNAME)) {
     if (X509_signature_print(bp, ci->signature, NULL) <= 0) {
-      goto err;
+      return 0;
     }
   }
 
   if (!(cflag & X509_FLAG_NO_ISSUER)) {
     if (BIO_printf(bp, "        Issuer:%c", mlch) <= 0) {
-      goto err;
+      return 0;
     }
     if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags) <
         0) {
-      goto err;
+      return 0;
     }
     if (BIO_write(bp, "\n", 1) <= 0) {
-      goto err;
+      return 0;
     }
   }
   if (!(cflag & X509_FLAG_NO_VALIDITY)) {
     if (BIO_write(bp, "        Validity\n", 17) <= 0) {
-      goto err;
+      return 0;
     }
     if (BIO_write(bp, "            Not Before: ", 24) <= 0) {
-      goto err;
+      return 0;
     }
     if (!ASN1_TIME_print(bp, X509_get_notBefore(x))) {
-      goto err;
+      return 0;
     }
     if (BIO_write(bp, "\n            Not After : ", 25) <= 0) {
-      goto err;
+      return 0;
     }
     if (!ASN1_TIME_print(bp, X509_get_notAfter(x))) {
-      goto err;
+      return 0;
     }
     if (BIO_write(bp, "\n", 1) <= 0) {
-      goto err;
+      return 0;
     }
   }
   if (!(cflag & X509_FLAG_NO_SUBJECT)) {
     if (BIO_printf(bp, "        Subject:%c", mlch) <= 0) {
-      goto err;
+      return 0;
     }
     if (X509_NAME_print_ex(bp, X509_get_subject_name(x), nmindent, nmflags) <
         0) {
-      goto err;
+      return 0;
     }
     if (BIO_write(bp, "\n", 1) <= 0) {
-      goto err;
+      return 0;
     }
   }
   if (!(cflag & X509_FLAG_NO_PUBKEY)) {
     if (BIO_write(bp, "        Subject Public Key Info:\n", 33) <= 0) {
-      goto err;
+      return 0;
     }
     if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0) {
-      goto err;
+      return 0;
     }
     if (i2a_ASN1_OBJECT(bp, ci->key->algor->algorithm) <= 0) {
-      goto err;
+      return 0;
     }
     if (BIO_puts(bp, "\n") <= 0) {
-      goto err;
+      return 0;
     }
 
-    pkey = X509_get_pubkey(x);
+    EVP_PKEY *pkey = X509_get_pubkey(x);
     if (pkey == NULL) {
       BIO_printf(bp, "%12sUnable to load Public Key\n", "");
       ERR_print_errors(bp);
@@ -231,18 +226,18 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
   if (!(cflag & X509_FLAG_NO_IDS)) {
     if (ci->issuerUID) {
       if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0) {
-        goto err;
+        return 0;
       }
       if (!X509_signature_dump(bp, ci->issuerUID, 12)) {
-        goto err;
+        return 0;
       }
     }
     if (ci->subjectUID) {
       if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0) {
-        goto err;
+        return 0;
       }
       if (!X509_signature_dump(bp, ci->subjectUID, 12)) {
-        goto err;
+        return 0;
       }
     }
   }
@@ -253,20 +248,16 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
 
   if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
     if (X509_signature_print(bp, x->sig_alg, x->signature) <= 0) {
-      goto err;
+      return 0;
     }
   }
   if (!(cflag & X509_FLAG_NO_AUX)) {
     if (!X509_CERT_AUX_print(bp, x->aux, 0)) {
-      goto err;
+      return 0;
     }
   }
-  ret = 1;
-err:
-  if (m != NULL) {
-    OPENSSL_free(m);
-  }
-  return ret;
+
+  return 1;
 }
 
 int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,
diff --git a/src/crypto/x509/test/make_basic_constraints.go b/src/crypto/x509/test/make_basic_constraints.go
index 67f4b913..ea502b4c 100644
--- a/src/crypto/x509/test/make_basic_constraints.go
+++ b/src/crypto/x509/test/make_basic_constraints.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // make_basic_constraints.go generates self-signed certificates with the basic
 // constraints extension.
 package main
diff --git a/src/crypto/x509/test/make_invalid_extensions.go b/src/crypto/x509/test/make_invalid_extensions.go
index 884d9335..8287bf8d 100644
--- a/src/crypto/x509/test/make_invalid_extensions.go
+++ b/src/crypto/x509/test/make_invalid_extensions.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // make_invalid_extensions.go generates a number of certificate chains with
 // invalid extension encodings.
 package main
diff --git a/src/crypto/x509/test/make_many_constraints.go b/src/crypto/x509/test/make_many_constraints.go
index 07f2edc7..24a5c407 100644
--- a/src/crypto/x509/test/make_many_constraints.go
+++ b/src/crypto/x509/test/make_many_constraints.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // make_many_constraints.go generates test certificates many_constraints.pem,
 // many_names*.pem, and some_names*.pem for x509_test.cc
 package main
diff --git a/src/crypto/x509/test/make_policy_certs.go b/src/crypto/x509/test/make_policy_certs.go
index b1c5a60e..739d8ced 100644
--- a/src/crypto/x509/test/make_policy_certs.go
+++ b/src/crypto/x509/test/make_policy_certs.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // make_policy_certs.go generates certificates for testing policy handling.
 package main
 
diff --git a/src/crypto/x509/x509_att.c b/src/crypto/x509/x509_att.c
index 0dda757f..23e92f29 100644
--- a/src/crypto/x509/x509_att.c
+++ b/src/crypto/x509/x509_att.c
@@ -56,153 +56,13 @@
 
 #include <openssl/asn1.h>
 #include <openssl/err.h>
-#include <openssl/evp.h>
 #include <openssl/obj.h>
-#include <openssl/stack.h>
 #include <openssl/x509.h>
 
 #include "../asn1/internal.h"
 #include "internal.h"
 
 
-int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x) {
-  return sk_X509_ATTRIBUTE_num(x);
-}
-
-int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
-                           int lastpos) {
-  const ASN1_OBJECT *obj = OBJ_nid2obj(nid);
-  if (obj == NULL) {
-    return -1;
-  }
-  return X509at_get_attr_by_OBJ(x, obj, lastpos);
-}
-
-int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk,
-                           const ASN1_OBJECT *obj, int lastpos) {
-  int n;
-  X509_ATTRIBUTE *ex;
-
-  if (sk == NULL) {
-    return -1;
-  }
-  lastpos++;
-  if (lastpos < 0) {
-    lastpos = 0;
-  }
-  n = sk_X509_ATTRIBUTE_num(sk);
-  for (; lastpos < n; lastpos++) {
-    ex = sk_X509_ATTRIBUTE_value(sk, lastpos);
-    if (OBJ_cmp(ex->object, obj) == 0) {
-      return lastpos;
-    }
-  }
-  return -1;
-}
-
-X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc) {
-  if (x == NULL || loc < 0 || sk_X509_ATTRIBUTE_num(x) <= (size_t)loc) {
-    return NULL;
-  } else {
-    return sk_X509_ATTRIBUTE_value(x, loc);
-  }
-}
-
-X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc) {
-  X509_ATTRIBUTE *ret;
-
-  if (x == NULL || loc < 0 || sk_X509_ATTRIBUTE_num(x) <= (size_t)loc) {
-    return NULL;
-  }
-  ret = sk_X509_ATTRIBUTE_delete(x, loc);
-  return ret;
-}
-
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
-                                           X509_ATTRIBUTE *attr) {
-  X509_ATTRIBUTE *new_attr = NULL;
-  STACK_OF(X509_ATTRIBUTE) *sk = NULL;
-
-  if (x == NULL) {
-    OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);
-    goto err;
-  }
-
-  if (*x == NULL) {
-    if ((sk = sk_X509_ATTRIBUTE_new_null()) == NULL) {
-      goto err;
-    }
-  } else {
-    sk = *x;
-  }
-
-  if ((new_attr = X509_ATTRIBUTE_dup(attr)) == NULL) {
-    goto err;
-  }
-  if (!sk_X509_ATTRIBUTE_push(sk, new_attr)) {
-    goto err;
-  }
-  if (*x == NULL) {
-    *x = sk;
-  }
-  return sk;
-err:
-  if (new_attr != NULL) {
-    X509_ATTRIBUTE_free(new_attr);
-  }
-  if (sk != NULL) {
-    sk_X509_ATTRIBUTE_free(sk);
-  }
-  return NULL;
-}
-
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
-                                                  const ASN1_OBJECT *obj,
-                                                  int type,
-                                                  const unsigned char *bytes,
-                                                  int len) {
-  X509_ATTRIBUTE *attr;
-  STACK_OF(X509_ATTRIBUTE) *ret;
-  attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, type, bytes, len);
-  if (!attr) {
-    return 0;
-  }
-  ret = X509at_add1_attr(x, attr);
-  X509_ATTRIBUTE_free(attr);
-  return ret;
-}
-
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
-                                                  int nid, int type,
-                                                  const unsigned char *bytes,
-                                                  int len) {
-  X509_ATTRIBUTE *attr;
-  STACK_OF(X509_ATTRIBUTE) *ret;
-  attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, type, bytes, len);
-  if (!attr) {
-    return 0;
-  }
-  ret = X509at_add1_attr(x, attr);
-  X509_ATTRIBUTE_free(attr);
-  return ret;
-}
-
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
-                                                  const char *attrname,
-                                                  int type,
-                                                  const unsigned char *bytes,
-                                                  int len) {
-  X509_ATTRIBUTE *attr;
-  STACK_OF(X509_ATTRIBUTE) *ret;
-  attr = X509_ATTRIBUTE_create_by_txt(NULL, attrname, type, bytes, len);
-  if (!attr) {
-    return 0;
-  }
-  ret = X509at_add1_attr(x, attr);
-  X509_ATTRIBUTE_free(attr);
-  return ret;
-}
-
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
                                              int attrtype, const void *data,
                                              int len) {
diff --git a/src/crypto/x509/x509_req.c b/src/crypto/x509/x509_req.c
index 8734897f..69eb63c2 100644
--- a/src/crypto/x509/x509_req.c
+++ b/src/crypto/x509/x509_req.c
@@ -160,62 +160,111 @@ int X509_REQ_add_extensions(X509_REQ *req,
   return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
 }
 
-// Request attribute functions
-
 int X509_REQ_get_attr_count(const X509_REQ *req) {
-  return X509at_get_attr_count(req->req_info->attributes);
+  return sk_X509_ATTRIBUTE_num(req->req_info->attributes);
 }
 
 int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos) {
-  return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos);
+  const ASN1_OBJECT *obj = OBJ_nid2obj(nid);
+  if (obj == NULL) {
+    return -1;
+  }
+  return X509_REQ_get_attr_by_OBJ(req, obj, lastpos);
 }
 
 int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj,
                              int lastpos) {
-  return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos);
+  if (req->req_info->attributes == NULL) {
+    return -1;
+  }
+  lastpos++;
+  if (lastpos < 0) {
+    lastpos = 0;
+  }
+  int n = sk_X509_ATTRIBUTE_num(req->req_info->attributes);
+  for (; lastpos < n; lastpos++) {
+    const X509_ATTRIBUTE *attr =
+        sk_X509_ATTRIBUTE_value(req->req_info->attributes, lastpos);
+    if (OBJ_cmp(attr->object, obj) == 0) {
+      return lastpos;
+    }
+  }
+  return -1;
 }
 
 X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc) {
-  return X509at_get_attr(req->req_info->attributes, loc);
+  if (req->req_info->attributes == NULL || loc < 0 ||
+      sk_X509_ATTRIBUTE_num(req->req_info->attributes) <= (size_t)loc) {
+    return NULL;
+  }
+  return sk_X509_ATTRIBUTE_value(req->req_info->attributes, loc);
 }
 
 X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc) {
-  return X509at_delete_attr(req->req_info->attributes, loc);
+  if (req->req_info->attributes == NULL || loc < 0 ||
+      sk_X509_ATTRIBUTE_num(req->req_info->attributes) <= (size_t)loc) {
+    return NULL;
+  }
+  return sk_X509_ATTRIBUTE_delete(req->req_info->attributes, loc);
 }
 
-int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr) {
-  if (X509at_add1_attr(&req->req_info->attributes, attr)) {
-    return 1;
+static int X509_REQ_add0_attr(X509_REQ *req, X509_ATTRIBUTE *attr) {
+  if (req->req_info->attributes == NULL) {
+    req->req_info->attributes = sk_X509_ATTRIBUTE_new_null();
   }
-  return 0;
+  if (req->req_info->attributes == NULL ||
+      !sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+int X509_REQ_add1_attr(X509_REQ *req, const X509_ATTRIBUTE *attr) {
+  X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_dup(attr);
+  if (new_attr == NULL || !X509_REQ_add0_attr(req, new_attr)) {
+    X509_ATTRIBUTE_free(new_attr);
+    return 0;
+  }
+
+  return 1;
 }
 
 int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, const ASN1_OBJECT *obj,
                               int attrtype, const unsigned char *data,
                               int len) {
-  if (X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj, attrtype, data,
-                              len)) {
-    return 1;
+  X509_ATTRIBUTE *attr =
+      X509_ATTRIBUTE_create_by_OBJ(NULL, obj, attrtype, data, len);
+  if (attr == NULL || !X509_REQ_add0_attr(req, attr)) {
+    X509_ATTRIBUTE_free(attr);
+    return 0;
   }
-  return 0;
+
+  return 1;
 }
 
 int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, int attrtype,
                               const unsigned char *data, int len) {
-  if (X509at_add1_attr_by_NID(&req->req_info->attributes, nid, attrtype, data,
-                              len)) {
-    return 1;
+  X509_ATTRIBUTE *attr =
+      X509_ATTRIBUTE_create_by_NID(NULL, nid, attrtype, data, len);
+  if (attr == NULL || !X509_REQ_add0_attr(req, attr)) {
+    X509_ATTRIBUTE_free(attr);
+    return 0;
   }
-  return 0;
+
+  return 1;
 }
 
 int X509_REQ_add1_attr_by_txt(X509_REQ *req, const char *attrname, int attrtype,
                               const unsigned char *data, int len) {
-  if (X509at_add1_attr_by_txt(&req->req_info->attributes, attrname, attrtype,
-                              data, len)) {
-    return 1;
+  X509_ATTRIBUTE *attr =
+      X509_ATTRIBUTE_create_by_txt(NULL, attrname, attrtype, data, len);
+  if (attr == NULL || !X509_REQ_add0_attr(req, attr)) {
+    X509_ATTRIBUTE_free(attr);
+    return 0;
   }
-  return 0;
+
+  return 1;
 }
 
 void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
diff --git a/src/crypto/x509/x509_test.cc b/src/crypto/x509/x509_test.cc
index 530c24d5..404ce5ba 100644
--- a/src/crypto/x509/x509_test.cc
+++ b/src/crypto/x509/x509_test.cc
@@ -2048,7 +2048,12 @@ TEST(X509Test, SignCertificate) {
         ASSERT_TRUE(
             X509_set1_signature_value(cert.get(), sig.data(), sig.size()));
       } else {
-        ASSERT_TRUE(X509_sign(cert.get(), pkey.get(), EVP_sha384()));
+        int ret = X509_sign(cert.get(), pkey.get(), EVP_sha384());
+        ASSERT_GT(ret, 0);
+        // |X509_sign| returns the length of the signature on success.
+        const ASN1_BIT_STRING *sig;
+        X509_get0_signature(&sig, /*out_alg=*/nullptr, cert.get());
+        EXPECT_EQ(ret, ASN1_STRING_length(sig));
       }
 
       // Check the signature.
@@ -4702,50 +4707,35 @@ TEST(X509Test, NamePrint) {
        "CN = \"Common "
        "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\", "
        "CN = \" spaces \""},
-      // |XN_FLAG_MULTILINE| is an OpenSSL-specific multi-line format that tries
-      // to vertically align the equal sizes. The vertical alignment doesn't
-      // quite handle multi-valued RDNs right and uses a non-RFC-2253 escaping.
+      // Callers can also customize the output, with both |XN_FLAG_*| and
+      // |ASN1_STRFLGS_*|. |XN_FLAG_SEP_SPLUS_SPC| uses semicolon separators.
       {/*indent=*/0,
-       /*flags=*/XN_FLAG_MULTILINE,
-       "countryName               = US\n"
-       "stateOrProvinceName       = Some State + "
-       "stateOrProvinceName       = Some Other State \\U2603 + "
-       "stateOrProvinceName       = Another State \\U2603 + "
-       "1.2.840.113554.4.1.72585.2 = \\U2603\n"
-       "1.2.840.113554.4.1.72585.3 = 0\\06\\02\\01\\01\\02\\01\\02\n"
-       "organizationName          = Org Name\n"
-       "commonName                = Common "
-       "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\n"
-       "commonName                =  spaces "},
-      // The multiline format indents every line.
-      {/*indent=*/2,
-       /*flags=*/XN_FLAG_MULTILINE,
-       "  countryName               = US\n"
-       "  stateOrProvinceName       = Some State + "
-       "stateOrProvinceName       = Some Other State \\U2603 + "
-       "stateOrProvinceName       = Another State \\U2603 + "
-       "1.2.840.113554.4.1.72585.2 = \\U2603\n"
-       "  1.2.840.113554.4.1.72585.3 = 0\\06\\02\\01\\01\\02\\01\\02\n"
-       "  organizationName          = Org Name\n"
-       "  commonName                = Common "
-       "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\n"
-       "  commonName                =  spaces "},
-      // Callers can also customize the output, wuith both |XN_FLAG_*| and
-      // |ASN1_STRFLGS_*|. |XN_FLAG_SEP_SPLUS_SPC| uses semicolon separators and
-      // |XN_FLAG_FN_OID| forces OIDs.
-      {/*indent=*/0,
-       /*flags=*/XN_FLAG_SEP_SPLUS_SPC | XN_FLAG_FN_OID | ASN1_STRFLGS_RFC2253 |
+       /*flags=*/XN_FLAG_SEP_SPLUS_SPC | ASN1_STRFLGS_RFC2253 |
            ASN1_STRFLGS_ESC_QUOTE,
-       "2.5.4.6=US; "
-       "2.5.4.8=Some State + "
-       "2.5.4.8=Some Other State \\E2\\98\\83 + "
-       "2.5.4.8=Another State \\E2\\98\\83 + "
+       "C=US; "
+       "ST=Some State + "
+       "ST=Some Other State \\E2\\98\\83 + "
+       "ST=Another State \\E2\\98\\83 + "
        "1.2.840.113554.4.1.72585.2=\\E2\\98\\83; "
        "1.2.840.113554.4.1.72585.3=#3006020101020102; "
-       "2.5.4.10=Org Name; "
-       "2.5.4.3=\"Common "
+       "O=Org Name; "
+       "CN=\"Common "
        "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\"; "
-       "2.5.4.3=\" spaces \""},
+       "CN=\" spaces \""},
+      // Node uses these parameters.
+      {/*indent=*/0,
+       /*flags=*/ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL |
+           ASN1_STRFLGS_UTF8_CONVERT | XN_FLAG_SEP_MULTILINE | XN_FLAG_FN_SN,
+       "C=US\n"
+       "ST=Some State + "
+       "ST=Some Other State \xE2\x98\x83 + "
+       "ST=Another State \xE2\x98\x83 + "
+       "1.2.840.113554.4.1.72585.2=\xE2\x98\x83\n"
+       "1.2.840.113554.4.1.72585.3=0\\06\\02\\01\\01\\02\\01\\02\n"
+       "O=Org Name\n"
+       "CN=Common "
+       "Name/CN=A/CN=B\\,CN=A\\,CN=B\\+CN=A\\+CN=B\\;CN=A\\;CN=B\\0ACN=A\\0A\n"
+       "CN=\\ spaces\\ "},
       // |XN_FLAG_COMPAT| matches |X509_NAME_print|, rather than
       // |X509_NAME_print_ex|.
       //
diff --git a/src/crypto/x509v3/v3_lib.c b/src/crypto/x509v3/v3_lib.c
index 52528eac..61cbeea2 100644
--- a/src/crypto/x509v3/v3_lib.c
+++ b/src/crypto/x509v3/v3_lib.c
@@ -141,6 +141,7 @@ int X509V3_EXT_free(int nid, void *ext_data) {
 }
 
 int X509V3_EXT_add_alias(int nid_to, int nid_from) {
+OPENSSL_BEGIN_ALLOW_DEPRECATED
   const X509V3_EXT_METHOD *ext;
   X509V3_EXT_METHOD *tmpext;
 
@@ -159,6 +160,7 @@ int X509V3_EXT_add_alias(int nid_to, int nid_from) {
     return 0;
   }
   return 1;
+OPENSSL_END_ALLOW_DEPRECATED
 }
 
 // Legacy function: we don't need to add standard extensions any more because
diff --git a/src/include/openssl/aead.h b/src/include/openssl/aead.h
index 131cfecd..26338800 100644
--- a/src/include/openssl/aead.h
+++ b/src/include/openssl/aead.h
@@ -408,8 +408,6 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);
 
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_tls(void);
-
 // EVP_aead_aes_128_gcm_tls12 is AES-128 in Galois Counter Mode using the TLS
 // 1.2 nonce construction.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls12(void);
diff --git a/src/include/openssl/base.h b/src/include/openssl/base.h
index fb1815f8..80d18a78 100644
--- a/src/include/openssl/base.h
+++ b/src/include/openssl/base.h
@@ -221,6 +221,33 @@ extern "C" {
 
 #endif  // defined(BORINGSSL_SHARED_LIBRARY)
 
+#if defined(_MSC_VER)
+
+// OPENSSL_DEPRECATED is used to mark a function as deprecated. Use
+// of any functions so marked in caller code will produce a warning.
+// OPENSSL_BEGIN_ALLOW_DEPRECATED and OPENSSL_END_ALLOW_DEPRECATED
+// can be used to suppress the warning in regions of caller code.
+#define OPENSSL_DEPRECATED __declspec(deprecated)
+#define OPENSSL_BEGIN_ALLOW_DEPRECATED \
+  __pragma(warning(push)) __pragma(warning(disable : 4996))
+#define OPENSSL_END_ALLOW_DEPRECATED __pragma(warning(pop))
+
+#elif defined(__GNUC__) || defined(__clang__)
+
+#define OPENSSL_DEPRECATED __attribute__((__deprecated__))
+#define OPENSSL_BEGIN_ALLOW_DEPRECATED \
+  _Pragma("GCC diagnostic push")       \
+      _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
+#define OPENSSL_END_ALLOW_DEPRECATED _Pragma("GCC diagnostic pop")
+
+#else
+
+#define OPENSSL_DEPRECATED
+#define OPENSSL_BEGIN_ALLOW_DEPRECATED
+#define OPENSSL_END_ALLOW_DEPRECATED
+
+#endif
+
 
 #if defined(__GNUC__) || defined(__clang__)
 // MinGW has two different printf implementations. Ensure the format macro
diff --git a/src/include/openssl/bio.h b/src/include/openssl/bio.h
index abe7aec9..707a4b15 100644
--- a/src/include/openssl/bio.h
+++ b/src/include/openssl/bio.h
@@ -873,7 +873,6 @@ struct bio_st {
 #define BIO_C_GET_FILE_PTR 107
 #define BIO_C_SET_FILENAME 108
 #define BIO_C_SET_SSL 109
-#define BIO_C_GET_SSL 110
 #define BIO_C_SET_MD 111
 #define BIO_C_GET_MD 112
 #define BIO_C_GET_CIPHER_STATUS 113
@@ -887,9 +886,6 @@ struct bio_st {
 #define BIO_C_GET_PROXY_PARAM 121
 #define BIO_C_SET_BUFF_READ_DATA 122  // data to read first
 #define BIO_C_GET_ACCEPT 124
-#define BIO_C_SET_SSL_RENEGOTIATE_BYTES 125
-#define BIO_C_GET_SSL_NUM_RENEGOTIATES 126
-#define BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT 127
 #define BIO_C_FILE_SEEK 128
 #define BIO_C_GET_CIPHER_CTX 129
 #define BIO_C_SET_BUF_MEM_EOF_RETURN 130  // return end of input value
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index da78d1a5..5b5e3feb 100644
--- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h
@@ -1449,9 +1449,6 @@ OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher,
 //
 //   |SHA1|, and its alias |SHA|, match legacy cipher suites using HMAC-SHA1.
 //
-// Although implemented, authentication-only ciphers match no rules and must be
-// explicitly selected by name.
-//
 // Deprecated cipher rules:
 //
 //   |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|,
@@ -2410,21 +2407,51 @@ OPENSSL_EXPORT int SSL_set1_groups_list(SSL *ssl, const char *groups);
 
 // SSL_CTX_set_verify configures certificate verification behavior. |mode| is
 // one of the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is
-// used to customize certificate verification. See the behavior of
-// |X509_STORE_CTX_set_verify_cb|.
+// used to customize certificate verification, but is deprecated. See
+// |X509_STORE_CTX_set_verify_cb| for details.
 //
 // The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with
 // |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|.
+//
+// WARNING: |callback| should be NULL. This callback does not replace the
+// default certificate verification process and is, instead, called multiple
+// times in the course of that process. It is very difficult to implement this
+// callback safely, without inadvertently relying on implementation details or
+// making incorrect assumptions about when the callback is called.
+//
+// Instead, use |SSL_CTX_set_custom_verify| or
+// |SSL_CTX_set_cert_verify_callback| to customize certificate verification.
+// Those callbacks can inspect the peer-sent chain, call |X509_verify_cert| and
+// inspect the result, or perform other operations more straightforwardly.
+//
+// TODO(crbug.com/boringssl/426): We cite |X509_STORE_CTX_set_verify_cb| but
+// haven't documented it yet. Later that will have a more detailed warning about
+// why one should not use this callback.
 OPENSSL_EXPORT void SSL_CTX_set_verify(
     SSL_CTX *ctx, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx));
 
 // SSL_set_verify configures certificate verification behavior. |mode| is one of
 // the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is used to
-// customize certificate verification. See the behavior of
+// customize certificate verification, but is deprecated. See the behavior of
 // |X509_STORE_CTX_set_verify_cb|.
 //
 // The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with
 // |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|.
+//
+// WARNING: |callback| should be NULL. This callback does not replace the
+// default certificate verification process and is, instead, called multiple
+// times in the course of that process. It is very difficult to implement this
+// callback safely, without inadvertently relying on implementation details or
+// making incorrect assumptions about when the callback is called.
+//
+// Instead, use |SSL_set_custom_verify| or |SSL_CTX_set_cert_verify_callback| to
+// customize certificate verification. Those callbacks can inspect the peer-sent
+// chain, call |X509_verify_cert| and inspect the result, or perform other
+// operations more straightforwardly.
+//
+// TODO(crbug.com/boringssl/426): We cite |X509_STORE_CTX_set_verify_cb| but
+// haven't documented it yet. Later that will have a more detailed warning about
+// why one should not use this callback.
 OPENSSL_EXPORT void SSL_set_verify(SSL *ssl, int mode,
                                    int (*callback)(int ok,
                                                    X509_STORE_CTX *store_ctx));
@@ -5160,6 +5187,10 @@ OPENSSL_EXPORT uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher);
 // parameters of a TLS connection.
 
 enum ssl_compliance_policy_t BORINGSSL_ENUM_INT {
+  // ssl_compliance_policy_none does nothing. However, since setting this
+  // doesn't undo other policies it's an error to try and set it.
+  ssl_compliance_policy_none,
+
   // ssl_policy_fips_202205 configures a TLS connection to use:
   //   * TLS 1.2 or 1.3
   //   * For TLS 1.2, only ECDHE_[RSA|ECDSA]_WITH_AES_*_GCM_SHA*.
@@ -5174,12 +5205,32 @@ enum ssl_compliance_policy_t BORINGSSL_ENUM_INT {
   // Note: this setting aids with compliance with NIST requirements but does not
   // guarantee it. Careful reading of SP 800-52r2 is recommended.
   ssl_compliance_policy_fips_202205,
+
+  // ssl_compliance_policy_wpa3_192_202304 configures a TLS connection to use:
+  //   * TLS 1.2 or 1.3.
+  //   * For TLS 1.2, only TLS_ECDHE_[ECDSA|RSA]_WITH_AES_256_GCM_SHA384.
+  //   * For TLS 1.3, only AES-256-GCM.
+  //   * P-384 for key agreement.
+  //   * For handshake signatures, only ECDSA with P-384 and SHA-384, or RSA
+  //     with SHA-384 or SHA-512.
+  //
+  // No limitations on the certificate chain nor leaf public key are imposed,
+  // other than by the supported signature algorithms. But WPA3's "192-bit"
+  // mode requires at least P-384 or 3072-bit along the chain. The caller must
+  // enforce this themselves on the verified chain using functions such as
+  // `X509_STORE_CTX_get0_chain`.
+  //
+  // Note that this setting is less secure than the default. The
+  // implementation risks of using a more obscure primitive like P-384
+  // dominate other considerations.
+  ssl_compliance_policy_wpa3_192_202304,
 };
 
 // SSL_CTX_set_compliance_policy configures various aspects of |ctx| based on
 // the given policy requirements. Subsequently calling other functions that
 // configure |ctx| may override |policy|, or may not. This should be the final
-// configuration function called in order to have defined behaviour.
+// configuration function called in order to have defined behaviour. It's a
+// fatal error if |policy| is |ssl_compliance_policy_none|.
 OPENSSL_EXPORT int SSL_CTX_set_compliance_policy(
     SSL_CTX *ctx, enum ssl_compliance_policy_t policy);
 
diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h
index 2ab7564b..8deb767e 100644
--- a/src/include/openssl/x509.h
+++ b/src/include/openssl/x509.h
@@ -277,6 +277,12 @@ OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509);
 // |i2d_re_X509_tbs| instead.
 OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp);
 
+// X509_verify checks that |x509| has a valid signature by |pkey|. It returns
+// one if the signature is valid and zero otherwise. Note this function only
+// checks the signature itself and does not perform a full certificate
+// validation.
+OPENSSL_EXPORT int X509_verify(X509 *x509, EVP_PKEY *pkey);
+
 
 // Issuing certificates.
 //
@@ -342,16 +348,17 @@ OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
 OPENSSL_EXPORT int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc);
 
 // X509_sign signs |x509| with |pkey| and replaces the signature algorithm and
-// signature fields. It returns one on success and zero on error. This function
-// uses digest algorithm |md|, or |pkey|'s default if NULL. Other signing
-// parameters use |pkey|'s defaults. To customize them, use |X509_sign_ctx|.
+// signature fields. It returns the length of the signature on success and zero
+// on error. This function uses digest algorithm |md|, or |pkey|'s default if
+// NULL. Other signing parameters use |pkey|'s defaults. To customize them, use
+// |X509_sign_ctx|.
 OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md);
 
 // X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm
-// and signature fields. It returns one on success and zero on error. The
-// signature algorithm and parameters come from |ctx|, which must have been
-// initialized with |EVP_DigestSignInit|. The caller should configure the
-// corresponding |EVP_PKEY_CTX| before calling this function.
+// and signature fields. It returns the length of the signature on success and
+// zero on error. The signature algorithm and parameters come from |ctx|, which
+// must have been initialized with |EVP_DigestSignInit|. The caller should
+// configure the corresponding |EVP_PKEY_CTX| before calling this function.
 OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx);
 
 // i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described
@@ -576,6 +583,10 @@ OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl);
 // instead.
 OPENSSL_EXPORT int i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);
 
+// X509_CRL_verify checks that |crl| has a valid signature by |pkey|. It returns
+// one if the signature is valid and zero otherwise.
+OPENSSL_EXPORT int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey);
+
 
 // Issuing certificate revocation lists.
 //
@@ -624,18 +635,18 @@ OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex,
                                     int loc);
 
 // X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm
-// and signature fields. It returns one on success and zero on error. This
-// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
-// signing parameters use |pkey|'s defaults. To customize them, use
-// |X509_CRL_sign_ctx|.
+// and signature fields. It returns the length of the signature on success and
+// zero on error. This function uses digest algorithm |md|, or |pkey|'s default
+// if NULL. Other signing parameters use |pkey|'s defaults. To customize them,
+// use |X509_CRL_sign_ctx|.
 OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey,
                                  const EVP_MD *md);
 
 // X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm
-// and signature fields. It returns one on success and zero on error. The
-// signature algorithm and parameters come from |ctx|, which must have been
-// initialized with |EVP_DigestSignInit|. The caller should configure the
-// corresponding |EVP_PKEY_CTX| before calling this function.
+// and signature fields. It returns the length of the signature on success and
+// zero on error. The signature algorithm and parameters come from |ctx|, which
+// must have been initialized with |EVP_DigestSignInit|. The caller should
+// configure the corresponding |EVP_PKEY_CTX| before calling this function.
 OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx);
 
 // i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described
@@ -710,7 +721,6 @@ OPENSSL_EXPORT X509_REQ *d2i_X509_REQ(X509_REQ **out, const uint8_t **inp,
 // mutated.
 OPENSSL_EXPORT int i2d_X509_REQ(X509_REQ *req, uint8_t **outp);
 
-
 // X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. No other
 // versions are defined.
 #define X509_REQ_VERSION_1 0
@@ -731,6 +741,46 @@ OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
 // |EVP_PKEY_free| when done.
 OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
 
+// X509_REQ_get_attr_count returns the number of attributes in |req|.
+OPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req);
+
+// X509_REQ_get_attr returns the attribute at index |loc| in |req|, or NULL if
+// out of bounds.
+OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
+
+// X509_REQ_get_attr_by_NID returns the index of the attribute in |req| of type
+// |nid|, or a negative number if not found. If found, callers can use
+// |X509_REQ_get_attr| to look up the attribute by index.
+//
+// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers
+// can thus loop over all matching attributes by first passing -1 and then
+// passing the previously-returned value until no match is returned.
+OPENSSL_EXPORT int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
+                                            int lastpos);
+
+// X509_REQ_get_attr_by_OBJ behaves like |X509_REQ_get_attr_by_NID| but looks
+// for attributes of type |obj|.
+OPENSSL_EXPORT int X509_REQ_get_attr_by_OBJ(const X509_REQ *req,
+                                            const ASN1_OBJECT *obj,
+                                            int lastpos);
+
+// X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type
+// for carrying extensions and zero otherwise. The supported types are
+// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req|
+// (a Microsoft szOID_CERT_EXTENSIONS variant).
+OPENSSL_EXPORT int X509_REQ_extension_nid(int nid);
+
+// X509_REQ_get_extensions decodes the list of requested extensions in |req| and
+// returns a newly-allocated |STACK_OF(X509_EXTENSION)| containing the result.
+// It returns NULL on error, or if |req| did not request extensions.
+//
+// CSRs do not store extensions directly. Instead there are attribute types
+// which are defined to hold extensions. See |X509_REQ_extension_nid|. This
+// function supports both pkcs-9-at-extensionRequest from RFC 2985 and the
+// Microsoft szOID_CERT_EXTENSIONS variant. If both are present,
+// pkcs-9-at-extensionRequest is preferred.
+OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
+
 // X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and
 // signature algorithm of |req|, respectively. Either output pointer may be NULL
 // to ignore the value.
@@ -743,6 +793,10 @@ OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req,
 // a known NID.
 OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req);
 
+// X509_REQ_verify checks that |req| has a valid signature by |pkey|. It returns
+// one if the signature is valid and zero otherwise.
+OPENSSL_EXPORT int X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey);
+
 
 // Issuing certificate requests.
 //
@@ -770,19 +824,68 @@ OPENSSL_EXPORT int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
 // and internally copies and updates reference counts as needed.
 OPENSSL_EXPORT int X509_REQ_set_pubkey(X509_REQ *req, EVP_PKEY *pkey);
 
+// X509_REQ_delete_attr removes the attribute at index |loc| in |req|. It
+// returns the removed attribute to the caller, or NULL if |loc| was out of
+// bounds. If non-NULL, the caller must release the result with
+// |X509_ATTRIBUTE_free| when done. It is also safe, but not necessary, to call
+// |X509_ATTRIBUTE_free| if the result is NULL.
+OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
+
+// X509_REQ_add1_attr appends a copy of |attr| to |req|'s list of attributes. It
+// returns one on success and zero on error.
+OPENSSL_EXPORT int X509_REQ_add1_attr(X509_REQ *req,
+                                      const X509_ATTRIBUTE *attr);
+
+// X509_REQ_add1_attr_by_OBJ appends a new attribute to |req| with type |obj|.
+// It returns one on success and zero on error. The value is determined by
+// |X509_ATTRIBUTE_set1_data|.
+//
+// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and
+// error-prone. See |X509_ATTRIBUTE_set1_data| for details.
+OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
+                                             const ASN1_OBJECT *obj,
+                                             int attrtype,
+                                             const unsigned char *data,
+                                             int len);
+
+// X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the
+// attribute type is determined by |nid|.
+OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid,
+                                             int attrtype,
+                                             const unsigned char *data,
+                                             int len);
+
+// X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the
+// attribute type is determined by calling |OBJ_txt2obj| with |attrname|.
+OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req,
+                                             const char *attrname, int attrtype,
+                                             const unsigned char *data,
+                                             int len);
+
+// X509_REQ_add_extensions_nid adds an attribute to |req| of type |nid|, to
+// request the certificate extensions in |exts|. It returns one on success and
+// zero on error. |nid| should be |NID_ext_req| or |NID_ms_ext_req|.
+OPENSSL_EXPORT int X509_REQ_add_extensions_nid(
+    X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts, int nid);
+
+// X509_REQ_add_extensions behaves like |X509_REQ_add_extensions_nid|, using the
+// standard |NID_ext_req| for the attribute type.
+OPENSSL_EXPORT int X509_REQ_add_extensions(
+    X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts);
+
 // X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm
-// and signature fields. It returns one on success and zero on error. This
-// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
-// signing parameters use |pkey|'s defaults. To customize them, use
-// |X509_REQ_sign_ctx|.
+// and signature fields. It returns the length of the signature on success and
+// zero on error. This function uses digest algorithm |md|, or |pkey|'s default
+// if NULL. Other signing parameters use |pkey|'s defaults. To customize them,
+// use |X509_REQ_sign_ctx|.
 OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey,
                                  const EVP_MD *md);
 
 // X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm
-// and signature fields. It returns one on success and zero on error. The
-// signature algorithm and parameters come from |ctx|, which must have been
-// initialized with |EVP_DigestSignInit|. The caller should configure the
-// corresponding |EVP_PKEY_CTX| before calling this function.
+// and signature fields. It returns the length of the signature on success and
+// zero on error. The signature algorithm and parameters come from |ctx|, which
+// must have been initialized with |EVP_DigestSignInit|. The caller should
+// configure the corresponding |EVP_PKEY_CTX| before calling this function.
 OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx);
 
 // i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986)
@@ -1296,11 +1399,442 @@ OPENSSL_EXPORT void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
 OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
 
 
+// Attributes.
+//
+// Unlike certificates and CRLs, CSRs use a separate Attribute structure (RFC
+// 2985, RFC 2986) for extensibility. This is represented by the library as
+// |X509_ATTRIBUTE|.
+
+DEFINE_STACK_OF(X509_ATTRIBUTE)
+
+// X509_ATTRIBUTE is an |ASN1_ITEM| whose ASN.1 type is Attribute (RFC 2986) and
+// C type is |X509_ATTRIBUTE*|.
+DECLARE_ASN1_ITEM(X509_ATTRIBUTE)
+
+// X509_ATTRIBUTE_new returns a newly-allocated, empty |X509_ATTRIBUTE| object,
+// or NULL on error. |X509_ATTRIBUTE_set1_*| may be used to finish initializing
+// it.
+OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_new(void);
+
+// X509_ATTRIBUTE_dup returns a newly-allocated copy of |attr|, or NULL on
+// error. This function works by serializing the structure, so if |attr| is
+// incomplete, it may fail.
+OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(const X509_ATTRIBUTE *attr);
+
+// X509_ATTRIBUTE_free releases memory associated with |attr|.
+OPENSSL_EXPORT void X509_ATTRIBUTE_free(X509_ATTRIBUTE *attr);
+
+// d2i_X509_ATTRIBUTE parses up to |len| bytes from |*inp| as a DER-encoded
+// Attribute (RFC 2986), as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT X509_ATTRIBUTE *d2i_X509_ATTRIBUTE(X509_ATTRIBUTE **out,
+                                                  const uint8_t **inp,
+                                                  long len);
+
+// i2d_X509_ATTRIBUTE marshals |alg| as a DER-encoded Attribute (RFC 2986), as
+// described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_X509_ATTRIBUTE(const X509_ATTRIBUTE *alg,
+                                      uint8_t **outp);
+
+// X509_ATTRIBUTE_create returns a newly-allocated |X509_ATTRIBUTE|, or NULL on
+// error. The attribute has type |nid| and contains a single value determined by
+// |attrtype| and |value|, which are interpreted as in |ASN1_TYPE_set|. Note
+// this function takes ownership of |value|.
+OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype,
+                                                     void *value);
+
+// X509_ATTRIBUTE_create_by_NID returns a newly-allocated |X509_ATTRIBUTE| of
+// type |nid|, or NULL on error. The value is determined as in
+// |X509_ATTRIBUTE_set1_data|.
+//
+// If |attr| is non-NULL, the resulting |X509_ATTRIBUTE| is also written to
+// |*attr|. If |*attr| was non-NULL when the function was called, |*attr| is
+// reused instead of creating a new object.
+//
+// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and
+// error-prone. See |X509_ATTRIBUTE_set1_data| for details.
+//
+// WARNING: The object reuse form is deprecated and may be removed in the
+// future. It also currently incorrectly appends to the reused object's value
+// set rather than overwriting it.
+OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(
+    X509_ATTRIBUTE **attr, int nid, int attrtype, const void *data, int len);
+
+// X509_ATTRIBUTE_create_by_OBJ behaves like |X509_ATTRIBUTE_create_by_NID|
+// except the attribute's type is determined by |obj|.
+OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(
+    X509_ATTRIBUTE **attr, const ASN1_OBJECT *obj, int attrtype,
+    const void *data, int len);
+
+// X509_ATTRIBUTE_create_by_txt behaves like |X509_ATTRIBUTE_create_by_NID|
+// except the attribute's type is determined by calling |OBJ_txt2obj| with
+// |attrname|.
+OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(
+    X509_ATTRIBUTE **attr, const char *attrname, int type,
+    const unsigned char *bytes, int len);
+
+// X509_ATTRIBUTE_set1_object sets |attr|'s type to |obj|. It returns one on
+// success and zero on error.
+OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr,
+                                              const ASN1_OBJECT *obj);
+
+// X509_ATTRIBUTE_set1_data appends a value to |attr|'s value set and returns
+// one on success or zero on error. The value is determined as follows:
+//
+// If |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1 string. The
+// string is determined by decoding |len| bytes from |data| in the encoding
+// specified by |attrtype|, and then re-encoding it in a form appropriate for
+// |attr|'s type. If |len| is -1, |strlen(data)| is used instead. See
+// |ASN1_STRING_set_by_NID| for details.
+//
+// Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an
+// |ASN1_STRING| type value and the |len| bytes from |data| are copied as the
+// type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details.
+//
+// WARNING: If this form is used to construct a negative INTEGER or ENUMERATED,
+// |attrtype| includes the |V_ASN1_NEG| flag for |ASN1_STRING|, but the function
+// forgets to clear the flag for |ASN1_TYPE|. This matches OpenSSL but is
+// probably a bug. For now, do not use this form with negative values.
+//
+// Otherwise, if |len| is -1, the value is constructed by passing |attrtype| and
+// |data| to |ASN1_TYPE_set1|. That is, |attrtype| is an |ASN1_TYPE| type value,
+// and |data| is cast to the corresponding pointer type.
+//
+// WARNING: Despite the name, this function appends to |attr|'s value set,
+// rather than overwriting it. To overwrite the value set, create a new
+// |X509_ATTRIBUTE| with |X509_ATTRIBUTE_new|.
+//
+// WARNING: If using the |MBSTRING_*| form, pass a length rather than relying on
+// |strlen|. In particular, |strlen| will not behave correctly if the input is
+// |MBSTRING_BMP| or |MBSTRING_UNIV|.
+//
+// WARNING: This function currently misinterprets |V_ASN1_OTHER| as an
+// |MBSTRING_*| constant. This matches OpenSSL but means it is impossible to
+// construct a value with a non-universal tag.
+OPENSSL_EXPORT int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
+                                            const void *data, int len);
+
+// X509_ATTRIBUTE_get0_data returns the |idx|th value of |attr| in a
+// type-specific representation to |attrtype|, or NULL if out of bounds or the
+// type does not match. |attrtype| is one of the type values in |ASN1_TYPE|. On
+// match, the return value uses the same representation as |ASN1_TYPE_set0|. See
+// |ASN1_TYPE| for details.
+OPENSSL_EXPORT void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
+                                              int attrtype, void *unused);
+
+// X509_ATTRIBUTE_count returns the number of values in |attr|.
+OPENSSL_EXPORT int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr);
+
+// X509_ATTRIBUTE_get0_object returns the type of |attr|.
+OPENSSL_EXPORT ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
+
+// X509_ATTRIBUTE_get0_type returns the |idx|th value in |attr|, or NULL if out
+// of bounds. Note this function returns one of |attr|'s values, not the type.
+OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr,
+                                                   int idx);
+
+
+// SignedPublicKeyAndChallenge structures.
+//
+// The SignedPublicKeyAndChallenge (SPKAC) is a legacy structure to request
+// certificates, primarily in the legacy <keygen> HTML tag. An SPKAC structure
+// is represented by a |NETSCAPE_SPKI| structure.
+//
+// The structure is described in
+// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
+
+// A Netscape_spki_st, or |NETSCAPE_SPKI|, represents a
+// SignedPublicKeyAndChallenge structure. Although this structure contains a
+// |spkac| field of type |NETSCAPE_SPKAC|, these are misnamed. The SPKAC is the
+// entire structure, not the signed portion.
+struct Netscape_spki_st {
+  NETSCAPE_SPKAC *spkac;
+  X509_ALGOR *sig_algor;
+  ASN1_BIT_STRING *signature;
+} /* NETSCAPE_SPKI */;
+
+// NETSCAPE_SPKI is an |ASN1_ITEM| whose ASN.1 type is
+// SignedPublicKeyAndChallenge and C type is |NETSCAPE_SPKI*|.
+DECLARE_ASN1_ITEM(NETSCAPE_SPKI)
+
+// NETSCAPE_SPKI_new returns a newly-allocated, empty |NETSCAPE_SPKI| object, or
+// NULL on error.
+OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
+
+// NETSCAPE_SPKI_free releases memory associated with |spki|.
+OPENSSL_EXPORT void NETSCAPE_SPKI_free(NETSCAPE_SPKI *spki);
+
+// d2i_NETSCAPE_SPKI parses up to |len| bytes from |*inp| as a DER-encoded
+// SignedPublicKeyAndChallenge structure, as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **out,
+                                                const uint8_t **inp, long len);
+
+// i2d_NETSCAPE_SPKI marshals |spki| as a DER-encoded
+// SignedPublicKeyAndChallenge structure, as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_NETSCAPE_SPKI(const NETSCAPE_SPKI *spki, uint8_t **outp);
+
+// NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It
+// returns one if the signature is valid and zero otherwise.
+OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey);
+
+// NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded
+// SignedPublicKeyAndChallenge structure. It returns a newly-allocated
+// |NETSCAPE_SPKI| structure with the result, or NULL on error. If |len| is 0 or
+// negative, the length is calculated with |strlen| and |str| must be a
+// NUL-terminated C string.
+OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str,
+                                                       ossl_ssize_t len);
+
+// NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded
+// SignedPublicKeyAndChallenge structure. It returns a newly-allocated
+// NUL-terminated C string with the result, or NULL on error. The caller must
+// release the memory with |OPENSSL_free| when done.
+OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki);
+
+// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an
+// |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting
+// pointer and must call |EVP_PKEY_free| when done.
+OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki);
+
+// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one
+// on success or zero on error. This function does not take ownership of |pkey|,
+// so the caller may continue to manage its lifetime independently of |spki|.
+OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki,
+                                            EVP_PKEY *pkey);
+
+// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature
+// algorithm and signature fields. It returns the length of the signature on
+// success and zero on error. This function uses digest algorithm |md|, or
+// |pkey|'s default if NULL. Other signing parameters use |pkey|'s defaults.
+OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
+                                      const EVP_MD *md);
+
+// A Netscape_spkac_st, or |NETSCAPE_SPKAC|, represents a PublicKeyAndChallenge
+// structure. This type is misnamed. The full SPKAC includes the signature,
+// which is represented with the |NETSCAPE_SPKI| type.
+struct Netscape_spkac_st {
+  X509_PUBKEY *pubkey;
+  ASN1_IA5STRING *challenge;
+} /* NETSCAPE_SPKAC */;
+
+// NETSCAPE_SPKAC is an |ASN1_ITEM| whose ASN.1 type is PublicKeyAndChallenge
+// and C type is |NETSCAPE_SPKAC*|.
+DECLARE_ASN1_ITEM(NETSCAPE_SPKAC)
+
+// NETSCAPE_SPKAC_new returns a newly-allocated, empty |NETSCAPE_SPKAC| object,
+// or NULL on error.
+OPENSSL_EXPORT NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void);
+
+// NETSCAPE_SPKAC_free releases memory associated with |spkac|.
+OPENSSL_EXPORT void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *spkac);
+
+// d2i_NETSCAPE_SPKAC parses up to |len| bytes from |*inp| as a DER-encoded
+// PublicKeyAndChallenge structure, as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **out,
+                                                  const uint8_t **inp,
+                                                  long len);
+
+// i2d_NETSCAPE_SPKAC marshals |spkac| as a DER-encoded PublicKeyAndChallenge
+// structure, as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac,
+                                      uint8_t **outp);
+
+
 // Printing functions.
 //
 // The following functions output human-readable representations of
 // X.509-related structures. They should only be used for debugging or logging
-// and not parsed programmatically.
+// and not parsed programmatically. In many cases, the outputs are ambiguous, so
+// attempting to parse them can lead to string injection vulnerabilities.
+
+// The following flags control |X509_print_ex| and |X509_REQ_print_ex|.
+
+// X509_FLAG_COMPAT disables all flags. It additionally causes names to be
+// printed with a 16-byte indent.
+#define X509_FLAG_COMPAT 0
+
+// X509_FLAG_NO_HEADER skips a header identifying the type of object printed.
+#define X509_FLAG_NO_HEADER 1L
+
+// X509_FLAG_NO_VERSION skips printing the X.509 version number.
+#define X509_FLAG_NO_VERSION (1L << 1)
+
+// X509_FLAG_NO_SERIAL skips printing the serial number. It is ignored in
+// |X509_REQ_print_fp|.
+#define X509_FLAG_NO_SERIAL (1L << 2)
+
+// X509_FLAG_NO_SIGNAME skips printing the signature algorithm in the
+// TBSCertificate. It is ignored in |X509_REQ_print_fp|.
+#define X509_FLAG_NO_SIGNAME (1L << 3)
+
+// X509_FLAG_NO_ISSUER skips printing the issuer.
+#define X509_FLAG_NO_ISSUER (1L << 4)
+
+// X509_FLAG_NO_VALIDITY skips printing the notBefore and notAfter times. It is
+// ignored in |X509_REQ_print_fp|.
+#define X509_FLAG_NO_VALIDITY (1L << 5)
+
+// X509_FLAG_NO_SUBJECT skips printing the subject.
+#define X509_FLAG_NO_SUBJECT (1L << 6)
+
+// X509_FLAG_NO_PUBKEY skips printing the public key.
+#define X509_FLAG_NO_PUBKEY (1L << 7)
+
+// X509_FLAG_NO_EXTENSIONS skips printing the extension list. It is ignored in
+// |X509_REQ_print_fp|. CSRs instead have attributes, which is controlled by
+// |X509_FLAG_NO_ATTRIBUTES|.
+#define X509_FLAG_NO_EXTENSIONS (1L << 8)
+
+// X509_FLAG_NO_SIGDUMP skips printing the signature and outer signature
+// algorithm.
+#define X509_FLAG_NO_SIGDUMP (1L << 9)
+
+// X509_FLAG_NO_AUX skips printing auxiliary properties. (See |d2i_X509_AUX| and
+// related functions.)
+#define X509_FLAG_NO_AUX (1L << 10)
+
+// X509_FLAG_NO_ATTRIBUTES skips printing CSR attributes. It does nothing for
+// certificates and CRLs.
+#define X509_FLAG_NO_ATTRIBUTES (1L << 11)
+
+// X509_FLAG_NO_IDS skips printing the issuerUniqueID and subjectUniqueID in a
+// certificate. It is ignored in |X509_REQ_print_fp|.
+#define X509_FLAG_NO_IDS (1L << 12)
+
+// X509_print_ex writes a human-readable representation of |x| to |bp|. It
+// returns one on success and zero on error. |nmflags| is the flags parameter
+// for |X509_NAME_print_ex| when printing the subject and issuer. |cflag| should
+// be some combination of the |X509_FLAG_*| constants.
+OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag,
+                                 unsigned long cflag);
+
+// X509_print_ex_fp behaves like |X509_print_ex| but writes to |fp|.
+OPENSSL_EXPORT int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag,
+                                    unsigned long cflag);
+
+// X509_print calls |X509_print_ex| with |XN_FLAG_COMPAT| and |X509_FLAG_COMPAT|
+// flags.
+OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x);
+
+// X509_print_fp behaves like |X509_print| but writes to |fp|.
+OPENSSL_EXPORT int X509_print_fp(FILE *fp, X509 *x);
+
+// X509_CRL_print writes a human-readable representation of |x| to |bp|. It
+// returns one on success and zero on error.
+OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x);
+
+// X509_CRL_print_fp behaves like |X509_CRL_print| but writes to |fp|.
+OPENSSL_EXPORT int X509_CRL_print_fp(FILE *fp, X509_CRL *x);
+
+// X509_REQ_print_ex writes a human-readable representation of |x| to |bp|. It
+// returns one on success and zero on error. |nmflags| is the flags parameter
+// for |X509_NAME_print_ex|, when printing the subject. |cflag| should be some
+// combination of the |X509_FLAG_*| constants.
+OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag,
+                                     unsigned long cflag);
+
+// X509_REQ_print calls |X509_REQ_print_ex| with |XN_FLAG_COMPAT| and
+// |X509_FLAG_COMPAT| flags.
+OPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req);
+
+// X509_REQ_print_fp behaves like |X509_REQ_print| but writes to |fp|.
+OPENSSL_EXPORT int X509_REQ_print_fp(FILE *fp, X509_REQ *req);
+
+// The following flags are control |X509_NAME_print_ex|. They must not collide
+// with |ASN1_STRFLGS_*|.
+//
+// TODO(davidben): This is far, far too many options and most of them are
+// useless. Trim this down.
+
+// XN_FLAG_COMPAT prints with |X509_NAME_print|'s format and return value
+// convention.
+#define XN_FLAG_COMPAT 0
+
+// XN_FLAG_SEP_MASK determines the separators to use between attributes.
+#define XN_FLAG_SEP_MASK (0xf << 16)
+
+// XN_FLAG_SEP_COMMA_PLUS separates RDNs with "," and attributes within an RDN
+// with "+", as in RFC 2253.
+#define XN_FLAG_SEP_COMMA_PLUS (1 << 16)
+
+// XN_FLAG_SEP_CPLUS_SPC behaves like |XN_FLAG_SEP_COMMA_PLUS| but adds spaces
+// between the separators.
+#define XN_FLAG_SEP_CPLUS_SPC (2 << 16)
+
+// XN_FLAG_SEP_SPLUS_SPC separates RDNs with "; " and attributes within an RDN
+// with " + ".
+#define XN_FLAG_SEP_SPLUS_SPC (3 << 16)
+
+// XN_FLAG_SEP_MULTILINE prints each attribute on one line.
+#define XN_FLAG_SEP_MULTILINE (4 << 16)
+
+// XN_FLAG_DN_REV prints RDNs in reverse, from least significant to most
+// significant, as RFC 2253.
+#define XN_FLAG_DN_REV (1 << 20)
+
+// XN_FLAG_FN_MASK determines how attribute types are displayed.
+#define XN_FLAG_FN_MASK (0x3 << 21)
+
+// XN_FLAG_FN_SN uses the attribute type's short name, when available.
+#define XN_FLAG_FN_SN 0
+
+// XN_FLAG_SPC_EQ wraps the "=" operator with spaces when printing attributes.
+#define XN_FLAG_SPC_EQ (1 << 23)
+
+// XN_FLAG_DUMP_UNKNOWN_FIELDS causes unknown attribute types to be printed in
+// hex, as in RFC 2253.
+#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
+
+// XN_FLAG_RFC2253 prints like RFC 2253.
+#define XN_FLAG_RFC2253                                             \
+  (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \
+   XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS)
+
+// XN_FLAG_ONELINE prints a one-line representation of the name.
+#define XN_FLAG_ONELINE                                                    \
+  (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | \
+   XN_FLAG_SPC_EQ | XN_FLAG_FN_SN)
+
+// X509_NAME_print_ex writes a human-readable representation of |nm| to |out|.
+// Each line of output is indented by |indent| spaces. It returns the number of
+// bytes written on success, and -1 on error. If |out| is NULL, it returns the
+// number of bytes it would have written but does not write anything. |flags|
+// should be some combination of |XN_FLAG_*| and |ASN1_STRFLGS_*| values and
+// determines the output. If unsure, use |XN_FLAG_RFC2253|.
+//
+// If |flags| is |XN_FLAG_COMPAT|, or zero, this function calls
+// |X509_NAME_print| instead. In that case, it returns one on success, rather
+// than the output length.
+OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,
+                                      unsigned long flags);
+
+// X509_NAME_print prints a human-readable representation of |name| to |bp|. It
+// returns one on success and zero on error. |obase| is ignored.
+//
+// This function outputs a legacy format that does not correctly handle string
+// encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for
+// debugging purposes.
+OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase);
+
+// X509_NAME_oneline writes a human-readable representation to |name| to a
+// buffer as a NUL-terminated C string.
+//
+// If |buf| is NULL, returns a newly-allocated buffer containing the result on
+// success, or NULL on error. The buffer must be released with |OPENSSL_free|
+// when done.
+//
+// If |buf| is non-NULL, at most |size| bytes of output are written to |buf|
+// instead. |size| includes the trailing NUL. The function then returns |buf| on
+// success or NULL on error. If the output does not fit in |size| bytes, the
+// output is silently truncated at an attribute boundary.
+//
+// This function outputs a legacy format that does not correctly handle string
+// encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for
+// debugging purposes.
+OPENSSL_EXPORT char *X509_NAME_oneline(const X509_NAME *name, char *buf, int size);
+
+// X509_NAME_print_ex_fp behaves like |X509_NAME_print_ex| but writes to |fp|.
+OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm,
+                                         int indent, unsigned long flags);
 
 // X509_signature_dump writes a human-readable representation of |sig| to |bio|,
 // indented with |indent| spaces. It returns one on success and zero on error.
@@ -1459,6 +1993,39 @@ OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk,
 OPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk,
                                           X509_NAME *name);
 
+// X509_cmp_time compares |s| against |*t|. On success, it returns a negative
+// number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it
+// returns zero. If |t| is NULL, it uses the current time instead of |*t|.
+//
+// WARNING: Unlike most comparison functions, this function returns zero on
+// error, not equality.
+OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t);
+
+// X509_cmp_time_posix compares |s| against |t|. On success, it returns a
+// negative number if |s| <= |t| and a positive number if |s| > |t|. On error,
+// it returns zero.
+//
+// WARNING: Unlike most comparison functions, this function returns zero on
+// error, not equality.
+OPENSSL_EXPORT int X509_cmp_time_posix(const ASN1_TIME *s, int64_t t);
+
+// X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against
+// the current time.
+OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s);
+
+// X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero.
+OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec,
+                                        time_t *t);
+
+// X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If
+// |t| is NULL, it uses the current time instead of |*t|.
+OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day,
+                                           long offset_sec, time_t *t);
+
+// X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the
+// current time.
+OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec);
+
 
 // ex_data functions.
 //
@@ -1580,8 +2147,6 @@ struct X509_algor_st {
 #define X509v3_KU_DECIPHER_ONLY 0x8000
 #define X509v3_KU_UNDEF 0xffff
 
-DEFINE_STACK_OF(X509_ATTRIBUTE)
-
 // This stuff is certificate "auxiliary info"
 // it contains details which are useful in certificate
 // stores and databases. When used this is tagged onto
@@ -1631,74 +2196,6 @@ DEFINE_STACK_OF(X509_TRUST)
 #define X509_TRUST_REJECTED 2
 #define X509_TRUST_UNTRUSTED 3
 
-// Flags for X509_print_ex()
-
-#define X509_FLAG_COMPAT 0
-#define X509_FLAG_NO_HEADER 1L
-#define X509_FLAG_NO_VERSION (1L << 1)
-#define X509_FLAG_NO_SERIAL (1L << 2)
-#define X509_FLAG_NO_SIGNAME (1L << 3)
-#define X509_FLAG_NO_ISSUER (1L << 4)
-#define X509_FLAG_NO_VALIDITY (1L << 5)
-#define X509_FLAG_NO_SUBJECT (1L << 6)
-#define X509_FLAG_NO_PUBKEY (1L << 7)
-#define X509_FLAG_NO_EXTENSIONS (1L << 8)
-#define X509_FLAG_NO_SIGDUMP (1L << 9)
-#define X509_FLAG_NO_AUX (1L << 10)
-#define X509_FLAG_NO_ATTRIBUTES (1L << 11)
-#define X509_FLAG_NO_IDS (1L << 12)
-
-// Flags specific to X509_NAME_print_ex(). These flags must not collide with
-// |ASN1_STRFLGS_*|.
-
-// The field separator information
-
-#define XN_FLAG_SEP_MASK (0xf << 16)
-
-#define XN_FLAG_COMPAT 0  // Traditional SSLeay: use old X509_NAME_print
-#define XN_FLAG_SEP_COMMA_PLUS (1 << 16)  // RFC 2253 ,+
-#define XN_FLAG_SEP_CPLUS_SPC (2 << 16)   // ,+ spaced: more readable
-#define XN_FLAG_SEP_SPLUS_SPC (3 << 16)   // ;+ spaced
-#define XN_FLAG_SEP_MULTILINE (4 << 16)   // One line per field
-
-#define XN_FLAG_DN_REV (1 << 20)  // Reverse DN order
-
-// How the field name is shown
-
-#define XN_FLAG_FN_MASK (0x3 << 21)
-
-#define XN_FLAG_FN_SN 0            // Object short name
-#define XN_FLAG_FN_LN (1 << 21)    // Object long name
-#define XN_FLAG_FN_OID (2 << 21)   // Always use OIDs
-#define XN_FLAG_FN_NONE (3 << 21)  // No field names
-
-#define XN_FLAG_SPC_EQ (1 << 23)  // Put spaces round '='
-
-// This determines if we dump fields we don't recognise:
-// RFC 2253 requires this.
-
-#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
-
-#define XN_FLAG_FN_ALIGN (1 << 25)  // Align field names to 20 characters
-
-// Complete set of RFC 2253 flags
-
-#define XN_FLAG_RFC2253                                             \
-  (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \
-   XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS)
-
-// readable oneline form
-
-#define XN_FLAG_ONELINE                                                    \
-  (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | \
-   XN_FLAG_SPC_EQ | XN_FLAG_FN_SN)
-
-// readable multiline form
-
-#define XN_FLAG_MULTILINE                                                 \
-  (ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | \
-   XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN)
-
 DEFINE_STACK_OF(X509_REVOKED)
 
 DECLARE_STACK_OF(GENERAL_NAMES)
@@ -1734,20 +2231,6 @@ struct X509_info_st {
 
 DEFINE_STACK_OF(X509_INFO)
 
-// The next 2 structures and their 8 routines were sent to me by
-// Pat Richard <patr@x509.com> and are used to manipulate
-// Netscapes spki structures - useful if you are writing a CA web page
-struct Netscape_spkac_st {
-  X509_PUBKEY *pubkey;
-  ASN1_IA5STRING *challenge;  // challenge sent in atlas >= PR2
-} /* NETSCAPE_SPKAC */;
-
-struct Netscape_spki_st {
-  NETSCAPE_SPKAC *spkac;  // signed public key and challenge
-  X509_ALGOR *sig_algor;
-  ASN1_BIT_STRING *signature;
-} /* NETSCAPE_SPKI */;
-
 // X509_get_pathlen returns path length constraint from the basic constraints
 // extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the
 // constraint is not present, or if some extension in |x509| was invalid.
@@ -1773,99 +2256,11 @@ OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg,
 // a default description.
 OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err);
 
-// X509_verify checks that |x509| has a valid signature by |pkey|. It returns
-// one if the signature is valid and zero otherwise. Note this function only
-// checks the signature itself and does not perform a full certificate
-// validation.
-OPENSSL_EXPORT int X509_verify(X509 *x509, EVP_PKEY *pkey);
-
-// X509_REQ_verify checks that |req| has a valid signature by |pkey|. It returns
-// one if the signature is valid and zero otherwise.
-OPENSSL_EXPORT int X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey);
-
-// X509_CRL_verify checks that |crl| has a valid signature by |pkey|. It returns
-// one if the signature is valid and zero otherwise.
-OPENSSL_EXPORT int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey);
-
-// NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It
-// returns one if the signature is valid and zero otherwise.
-OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey);
-
-// NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded
-// Netscape signed public key and challenge (SPKAC) structure. It returns a
-// newly-allocated |NETSCAPE_SPKI| structure with the result, or NULL on error.
-// If |len| is 0 or negative, the length is calculated with |strlen| and |str|
-// must be a NUL-terminated C string.
-OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str,
-                                                       ossl_ssize_t len);
-
-// NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded Netscape signed
-// public key and challenge (SPKAC) structure. It returns a newly-allocated
-// NUL-terminated C string with the result, or NULL on error. The caller must
-// release the memory with |OPENSSL_free| when done.
-OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki);
-
-// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an
-// |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting
-// pointer and must call |EVP_PKEY_free| when done.
-OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki);
-
-// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one
-// on success or zero on error. This function does not take ownership of |pkey|,
-// so the caller may continue to manage its lifetime independently of |spki|.
-OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki,
-                                            EVP_PKEY *pkey);
-
-// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature
-// algorithm and signature fields. It returns one on success and zero on error.
-// This function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
-// signing parameters use |pkey|'s defaults.
-OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
-                                      const EVP_MD *md);
-
-// X509_ATTRIBUTE_dup returns a newly-allocated copy of |xa|, or NULL on error.
-// This function works by serializing the structure, so if |xa| is incomplete,
-// it may fail.
-OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(const X509_ATTRIBUTE *xa);
-
 // X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error.
 // This function works by serializing the structure, so if |rev| is incomplete,
 // it may fail.
 OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev);
 
-// X509_cmp_time compares |s| against |*t|. On success, it returns a negative
-// number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it
-// returns zero. If |t| is NULL, it uses the current time instead of |*t|.
-//
-// WARNING: Unlike most comparison functions, this function returns zero on
-// error, not equality.
-OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t);
-
-// X509_cmp_time_posix compares |s| against |t|. On success, it returns a
-// negative number if |s| <= |t| and a positive number if |s| > |t|. On error,
-// it returns zero.
-//
-// WARNING: Unlike most comparison functions, this function returns zero on
-// error, not equality.
-OPENSSL_EXPORT int X509_cmp_time_posix(const ASN1_TIME *s, int64_t t);
-
-// X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against
-// the current time.
-OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s);
-
-// X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero.
-OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec,
-                                        time_t *t);
-
-// X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If
-// |t| is NULL, it uses the current time instead of |*t|.
-OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day,
-                                           long offset_sec, time_t *t);
-
-// X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the
-// current time.
-OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec);
-
 OPENSSL_EXPORT const char *X509_get_default_cert_area(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_dir(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_file(void);
@@ -1888,15 +2283,6 @@ OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key);
 
 DECLARE_ASN1_FUNCTIONS_const(X509_SIG)
 
-DECLARE_ASN1_FUNCTIONS_const(X509_ATTRIBUTE)
-
-// X509_ATTRIBUTE_create returns a newly-allocated |X509_ATTRIBUTE|, or NULL on
-// error. The attribute has type |nid| and contains a single value determined by
-// |attrtype| and |value|, which are interpreted as in |ASN1_TYPE_set|. Note
-// this function takes ownership of |value|.
-OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype,
-                                                     void *value);
-
 OPENSSL_EXPORT int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
 OPENSSL_EXPORT int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
 OPENSSL_EXPORT void X509_trust_clear(X509 *x);
@@ -1916,12 +2302,8 @@ OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret,
 OPENSSL_EXPORT X509_PKEY *X509_PKEY_new(void);
 OPENSSL_EXPORT void X509_PKEY_free(X509_PKEY *a);
 
-DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_SPKI)
-DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_SPKAC)
-
 OPENSSL_EXPORT X509_INFO *X509_INFO_new(void);
 OPENSSL_EXPORT void X509_INFO_free(X509_INFO *a);
-OPENSSL_EXPORT char *X509_NAME_oneline(const X509_NAME *a, char *buf, int size);
 
 OPENSSL_EXPORT int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,
                                unsigned char *md, unsigned int *len);
@@ -1944,93 +2326,6 @@ OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
                                       ASN1_BIT_STRING *signature, void *asn,
                                       EVP_MD_CTX *ctx);
 
-// X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type
-// for carrying extensions and zero otherwise. The supported types are
-// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req|
-// (a Microsoft szOID_CERT_EXTENSIONS variant).
-OPENSSL_EXPORT int X509_REQ_extension_nid(int nid);
-
-// X509_REQ_get_extensions decodes the list of requested extensions in |req| and
-// returns a newly-allocated |STACK_OF(X509_EXTENSION)| containing the result.
-// It returns NULL on error, or if |req| did not request extensions.
-//
-// This function supports both pkcs-9-at-extensionRequest from RFC 2985 and the
-// Microsoft szOID_CERT_EXTENSIONS variant.
-OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
-
-// X509_REQ_add_extensions_nid adds an attribute to |req| of type |nid|, to
-// request the certificate extensions in |exts|. It returns one on success and
-// zero on error. |nid| should be |NID_ext_req| or |NID_ms_ext_req|.
-OPENSSL_EXPORT int X509_REQ_add_extensions_nid(
-    X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts, int nid);
-
-// X509_REQ_add_extensions behaves like |X509_REQ_add_extensions_nid|, using the
-// standard |NID_ext_req| for the attribute type.
-OPENSSL_EXPORT int X509_REQ_add_extensions(
-    X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts);
-
-// X509_REQ_get_attr_count returns the number of attributes in |req|.
-OPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req);
-
-// X509_REQ_get_attr_by_NID returns the index of the attribute in |req| of type
-// |nid|, or a negative number if not found. If found, callers can use
-// |X509_REQ_get_attr| to look up the attribute by index.
-//
-// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers
-// can thus loop over all matching attributes by first passing -1 and then
-// passing the previously-returned value until no match is returned.
-OPENSSL_EXPORT int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
-                                            int lastpos);
-
-// X509_REQ_get_attr_by_OBJ behaves like |X509_REQ_get_attr_by_NID| but looks
-// for attributes of type |obj|.
-OPENSSL_EXPORT int X509_REQ_get_attr_by_OBJ(const X509_REQ *req,
-                                            const ASN1_OBJECT *obj,
-                                            int lastpos);
-
-// X509_REQ_get_attr returns the attribute at index |loc| in |req|, or NULL if
-// out of bounds.
-OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
-
-// X509_REQ_delete_attr removes the attribute at index |loc| in |req|. It
-// returns the removed attribute to the caller, or NULL if |loc| was out of
-// bounds. If non-NULL, the caller must release the result with
-// |X509_ATTRIBUTE_free| when done. It is also safe, but not necessary, to call
-// |X509_ATTRIBUTE_free| if the result is NULL.
-OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
-
-// X509_REQ_add1_attr appends a copy of |attr| to |req|'s list of attributes. It
-// returns one on success and zero on error.
-//
-// TODO(https://crbug.com/boringssl/407): |attr| should be const.
-OPENSSL_EXPORT int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
-
-// X509_REQ_add1_attr_by_OBJ appends a new attribute to |req| with type |obj|.
-// It returns one on success and zero on error. The value is determined by
-// |X509_ATTRIBUTE_set1_data|.
-//
-// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and
-// error-prone. See |X509_ATTRIBUTE_set1_data| for details.
-OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
-                                             const ASN1_OBJECT *obj,
-                                             int attrtype,
-                                             const unsigned char *data,
-                                             int len);
-
-// X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the
-// attribute type is determined by |nid|.
-OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid,
-                                             int attrtype,
-                                             const unsigned char *data,
-                                             int len);
-
-// X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the
-// attribute type is determined by calling |OBJ_txt2obj| with |attrname|.
-OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req,
-                                             const char *attrname, int attrtype,
-                                             const unsigned char *data,
-                                             int len);
-
 OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl);
 
 // X509_REVOKED_get0_serialNumber returns the serial number of the certificate
@@ -2082,24 +2377,6 @@ OPENSSL_EXPORT unsigned long X509_NAME_hash_old(X509_NAME *x);
 
 OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
 OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
-OPENSSL_EXPORT int X509_print_ex_fp(FILE *bp, X509 *x, unsigned long nmflag,
-                                    unsigned long cflag);
-OPENSSL_EXPORT int X509_print_fp(FILE *bp, X509 *x);
-OPENSSL_EXPORT int X509_CRL_print_fp(FILE *bp, X509_CRL *x);
-OPENSSL_EXPORT int X509_REQ_print_fp(FILE *bp, X509_REQ *req);
-OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm,
-                                         int indent, unsigned long flags);
-
-OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase);
-OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,
-                                      unsigned long flags);
-OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag,
-                                 unsigned long cflag);
-OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x);
-OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x);
-OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag,
-                                     unsigned long cflag);
-OPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req);
 
 // X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in
 // |x509|'s extension list.
@@ -2195,153 +2472,6 @@ OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid,
                                              void *value, int crit,
                                              unsigned long flags);
 
-// X509at_get_attr_count returns the number of attributes in |x|.
-OPENSSL_EXPORT int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
-
-// X509at_get_attr_by_NID returns the index of the attribute in |x| of type
-// |nid|, or a negative number if not found. If found, callers can use
-// |X509at_get_attr| to look up the attribute by index.
-//
-// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers
-// can thus loop over all matching attributes by first passing -1 and then
-// passing the previously-returned value until no match is returned.
-OPENSSL_EXPORT int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x,
-                                          int nid, int lastpos);
-
-// X509at_get_attr_by_OBJ behaves like |X509at_get_attr_by_NID| but looks for
-// attributes of type |obj|.
-OPENSSL_EXPORT int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk,
-                                          const ASN1_OBJECT *obj, int lastpos);
-
-// X509at_get_attr returns the attribute at index |loc| in |x|, or NULL if
-// out of bounds.
-OPENSSL_EXPORT X509_ATTRIBUTE *X509at_get_attr(
-    const STACK_OF(X509_ATTRIBUTE) *x, int loc);
-
-// X509at_delete_attr removes the attribute at index |loc| in |x|. It returns
-// the removed attribute to the caller, or NULL if |loc| was out of bounds. If
-// non-NULL, the caller must release the result with |X509_ATTRIBUTE_free| when
-// done. It is also safe, but not necessary, to call |X509_ATTRIBUTE_free| if
-// the result is NULL.
-OPENSSL_EXPORT X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x,
-                                                  int loc);
-
-// X509at_add1_attr appends a copy of |attr| to the attribute list in |*x|. If
-// |*x| is NULL, it allocates a new |STACK_OF(X509_ATTRIBUTE)| to hold the copy
-// and sets |*x| to the new list. It returns |*x| on success and NULL on error.
-// The caller retains ownership of |attr| and can release it independently of
-// |*x|.
-OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(
-    STACK_OF(X509_ATTRIBUTE) **x, X509_ATTRIBUTE *attr);
-
-// X509at_add1_attr_by_OBJ behaves like |X509at_add1_attr|, but adds an
-// attribute created by |X509_ATTRIBUTE_create_by_OBJ|.
-OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(
-    STACK_OF(X509_ATTRIBUTE) **x, const ASN1_OBJECT *obj, int type,
-    const unsigned char *bytes, int len);
-
-// X509at_add1_attr_by_NID behaves like |X509at_add1_attr|, but adds an
-// attribute created by |X509_ATTRIBUTE_create_by_NID|.
-OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(
-    STACK_OF(X509_ATTRIBUTE) **x, int nid, int type, const unsigned char *bytes,
-    int len);
-
-// X509at_add1_attr_by_txt behaves like |X509at_add1_attr|, but adds an
-// attribute created by |X509_ATTRIBUTE_create_by_txt|.
-OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(
-    STACK_OF(X509_ATTRIBUTE) **x, const char *attrname, int type,
-    const unsigned char *bytes, int len);
-
-// X509_ATTRIBUTE_create_by_NID returns a newly-allocated |X509_ATTRIBUTE| of
-// type |nid|, or NULL on error. The value is determined as in
-// |X509_ATTRIBUTE_set1_data|.
-//
-// If |attr| is non-NULL, the resulting |X509_ATTRIBUTE| is also written to
-// |*attr|. If |*attr| was non-NULL when the function was called, |*attr| is
-// reused instead of creating a new object.
-//
-// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and
-// error-prone. See |X509_ATTRIBUTE_set1_data| for details.
-//
-// WARNING: The object reuse form is deprecated and may be removed in the
-// future. It also currently incorrectly appends to the reused object's value
-// set rather than overwriting it.
-OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(
-    X509_ATTRIBUTE **attr, int nid, int attrtype, const void *data, int len);
-
-// X509_ATTRIBUTE_create_by_OBJ behaves like |X509_ATTRIBUTE_create_by_NID|
-// except the attribute's type is determined by |obj|.
-OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(
-    X509_ATTRIBUTE **attr, const ASN1_OBJECT *obj, int attrtype,
-    const void *data, int len);
-
-// X509_ATTRIBUTE_create_by_txt behaves like |X509_ATTRIBUTE_create_by_NID|
-// except the attribute's type is determined by calling |OBJ_txt2obj| with
-// |attrname|.
-OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(
-    X509_ATTRIBUTE **attr, const char *attrname, int type,
-    const unsigned char *bytes, int len);
-
-// X509_ATTRIBUTE_set1_object sets |attr|'s type to |obj|. It returns one on
-// success and zero on error.
-OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr,
-                                              const ASN1_OBJECT *obj);
-
-// X509_ATTRIBUTE_set1_data appends a value to |attr|'s value set and returns
-// one on success or zero on error. The value is determined as follows:
-//
-// If |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1 string. The
-// string is determined by decoding |len| bytes from |data| in the encoding
-// specified by |attrtype|, and then re-encoding it in a form appropriate for
-// |attr|'s type. If |len| is -1, |strlen(data)| is used instead. See
-// |ASN1_STRING_set_by_NID| for details.
-//
-// Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an
-// |ASN1_STRING| type value and the |len| bytes from |data| are copied as the
-// type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details.
-//
-// WARNING: If this form is used to construct a negative INTEGER or ENUMERATED,
-// |attrtype| includes the |V_ASN1_NEG| flag for |ASN1_STRING|, but the function
-// forgets to clear the flag for |ASN1_TYPE|. This matches OpenSSL but is
-// probably a bug. For now, do not use this form with negative values.
-//
-// Otherwise, if |len| is -1, the value is constructed by passing |attrtype| and
-// |data| to |ASN1_TYPE_set1|. That is, |attrtype| is an |ASN1_TYPE| type value,
-// and |data| is cast to the corresponding pointer type.
-//
-// WARNING: Despite the name, this function appends to |attr|'s value set,
-// rather than overwriting it. To overwrite the value set, create a new
-// |X509_ATTRIBUTE| with |X509_ATTRIBUTE_new|.
-//
-// WARNING: If using the |MBSTRING_*| form, pass a length rather than relying on
-// |strlen|. In particular, |strlen| will not behave correctly if the input is
-// |MBSTRING_BMP| or |MBSTRING_UNIV|.
-//
-// WARNING: This function currently misinterprets |V_ASN1_OTHER| as an
-// |MBSTRING_*| constant. This matches OpenSSL but means it is impossible to
-// construct a value with a non-universal tag.
-OPENSSL_EXPORT int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
-                                            const void *data, int len);
-
-// X509_ATTRIBUTE_get0_data returns the |idx|th value of |attr| in a
-// type-specific representation to |attrtype|, or NULL if out of bounds or the
-// type does not match. |attrtype| is one of the type values in |ASN1_TYPE|. On
-// match, the return value uses the same representation as |ASN1_TYPE_set0|. See
-// |ASN1_TYPE| for details.
-OPENSSL_EXPORT void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
-                                              int attrtype, void *unused);
-
-// X509_ATTRIBUTE_count returns the number of values in |attr|.
-OPENSSL_EXPORT int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr);
-
-// X509_ATTRIBUTE_get0_object returns the type of |attr|.
-OPENSSL_EXPORT ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
-
-// X509_ATTRIBUTE_get0_type returns the |idx|th value in |attr|, or NULL if out
-// of bounds. Note this function returns one of |attr|'s values, not the type.
-OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr,
-                                                   int idx);
-
 OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);
 
 // PKCS#8 utilities
diff --git a/src/include/openssl/x509v3.h b/src/include/openssl/x509v3.h
index ee90f584..d9c862da 100644
--- a/src/include/openssl/x509v3.h
+++ b/src/include/openssl/x509v3.h
@@ -688,14 +688,15 @@ OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *meth,
 // callers should simply handle the custom extension with the byte-based
 // |X509_EXTENSION| APIs directly. Registering |ext| with the library has little
 // practical value.
-OPENSSL_EXPORT int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
 
 // X509V3_EXT_add_alias registers a custom extension with NID |nid_to|. The
 // corresponding ASN.1 type is copied from |nid_from|. It returns one on success
 // and zero on error.
 //
 // WARNING: Do not use this function. See |X509V3_EXT_add|.
-OPENSSL_EXPORT int X509V3_EXT_add_alias(int nid_to, int nid_from);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to,
+                                                           int nid_from);
 
 OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get(
     const X509_EXTENSION *ext);
diff --git a/src/rust/bssl-crypto/Cargo.toml b/src/rust/bssl-crypto/Cargo.toml
index 57a64401..c60e9ca2 100644
--- a/src/rust/bssl-crypto/Cargo.toml
+++ b/src/rust/bssl-crypto/Cargo.toml
@@ -6,6 +6,4 @@ publish = false
 license = "MIT"
 
 [dependencies]
-# the crate will need to be generated at this path by running this command at root
-# `mkdir build && cd build && cmake -G Ninja .. -DRUST_BINDINGS="$(gcc -dumpmachine)" && ninja`
-bssl-sys = {path = "../../build/rust/bssl-sys"}
-\ No newline at end of file
+bssl-sys = {path = "../bssl-sys"}
diff --git a/src/rust/bssl-crypto/README.md b/src/rust/bssl-crypto/README.md
index 9e10fad8..dff669bc 100644
--- a/src/rust/bssl-crypto/README.md
+++ b/src/rust/bssl-crypto/README.md
@@ -1,14 +1,9 @@
 bssl-crypto
 ============
 
-rust bindings to boringssl which wrap bssl-sys, a low level autogenerated binding
-
-Before using this crate, first generate the bssl-sys bindings by running this command from the root of the repo:
-```
-mkdir build && cd build && cmake -G Ninja .. -DRUST_BINDINGS="$(gcc -dumpmachine)" && ninja
-```
+Rust bindings to BoringSSL which wrap bssl-sys. Before using this crate, first [set up `bssl-sys`](../bssl-sys/README.md).
 
 Then to run all tests:
 ```
 cd rust/bssl-crypto && cargo clippy && cargo deny check && cargo test
-```
-\ No newline at end of file
+```
diff --git a/src/rust/bssl-sys/CMakeLists.txt b/src/rust/bssl-sys/CMakeLists.txt
index 05f03f45..d17a8f10 100644
--- a/src/rust/bssl-sys/CMakeLists.txt
+++ b/src/rust/bssl-sys/CMakeLists.txt
@@ -2,37 +2,48 @@
 add_library(rust_wrapper STATIC rust_wrapper.c)
 target_link_libraries(rust_wrapper crypto)
 
+# Generate architecture-specific wrappers. bindgen must be called from
+# ${CMAKE_BINARY_DIR}, with the output path as a relative path. bindgen writes
+# the depfile using the same syntax as the command-line argument, and ninja
+# requires a path relative to the top-level build directory.
+set(wrapper wrapper_${RUST_BINDINGS}.rs)
+binary_dir_relative_path(${wrapper} wrapper_relative)
+binary_dir_relative_path(${wrapper}.d depfile_relative)
 
-# Generate architecture-specific wrappers.
-set(WRAPPER_TARGET ${CMAKE_BINARY_DIR}/rust/bssl-sys/src/wrapper_${RUST_BINDINGS}.rs)
-set(COMMAND ${BINDGEN_EXECUTABLE} "wrapper.h"
-            -o ${WRAPPER_TARGET}
-            --no-derive-default
-            --enable-function-attribute-detection
-            --use-core
-            --size_t-is-usize
-            --default-macro-constant-type="signed"
-            --rustified-enum="point_conversion_form_t"
-            --allowlist-file=".*/include/openssl/.*\\.h"
-            --allowlist-file=".*/rust_wrapper\\.h"
-            -- # these are LLVM arg passthroughs
-            -I../../include
-            # https://doc.rust-lang.org/nightly/rustc/platform-support.html
-            --target=${RUST_BINDINGS})
-
-add_custom_target(
-  bindgen_rust_${RUST_BINDINGS}
-  ALL
-  ${COMMAND}
-  BYPRODUCTS ${WRAPPER_TARGET}
-  WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+add_custom_command(
+  OUTPUT ${wrapper}
+  COMMAND ${BINDGEN_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/wrapper.h
+          -o ${wrapper_relative}
+          --depfile=${depfile_relative}
+          --no-derive-default
+          --enable-function-attribute-detection
+          --use-core
+          --default-macro-constant-type=signed
+          --rustified-enum=point_conversion_form_t
+          # These regexes need to accept both / and \ to handle Windows file
+          # path differences, due a bindgen issue. See
+          # https://crbug.com/boringssl/595. Ideally, we would write [/\\], but
+          # there are many layers of escaping here. First, CMake interprets
+          # backslashes. Then CMake generates a Ninja or Make file. That, in
+          # turn, uses the shell on POSIX, and does something else on Windows.
+          #
+          # It is unlikely that every layer here has sufficiently well-defined
+          # escaping and correctly handled the next layer's escaping. On top of
+          # that, we'd likely need to detect Windows vs POSIX hosts and change
+          # the input. Instead, just use [[:punct:]] which is more permissive
+          # than necessary, but we only need to exclude unwanted libc headers.
+          #
+          # If bindgen ever supports some file-based config (see
+          # https://github.com/rust-lang/rust-bindgen/issues/2508), we can
+          # switch to that.
+          --allowlist-file=".*[[:punct:]]include[[:punct:]]openssl[[:punct:]].*\\.h"
+          --allowlist-file=".*[[:punct:]]rust_wrapper\\.h"
+          -- # these are LLVM arg passthroughs
+          -I${PROJECT_SOURCE_DIR}/include
+          # https://doc.rust-lang.org/nightly/rustc/platform-support.html
+          --target=${RUST_BINDINGS}
+  DEPENDS wrapper.h
+  DEPFILE ${CMAKE_CURRENT_BINARY_DIR}/${wrapper}.d
+  WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
 )
-
-# move files into build directory
-configure_file("src/lib.rs" "src/lib.rs")
-
-if(NOT BUILD_SHARED_LIBS)
-  configure_file("build.rs" "build.rs" COPYONLY)
-endif()
-
-configure_file("Cargo.toml" "Cargo.toml" COPYONLY)
-\ No newline at end of file
+add_custom_target(bssl_sys ALL DEPENDS ${wrapper})
diff --git a/src/rust/bssl-sys/README.md b/src/rust/bssl-sys/README.md
index fb5230a8..e2efd6c4 100644
--- a/src/rust/bssl-sys/README.md
+++ b/src/rust/bssl-sys/README.md
@@ -4,10 +4,9 @@ bssl-sys
 A low-level binding crate for Rust that moves in lockstop with BoringSSL. BoringSSL explicitly does not have a stable ABI, `bssl-sys` is the solution for preventing subtle-memory corruption bugs due to version skew.
 
 ### How it works
-`bssl-sys` uses `bindgen` as part of the cmake build process to generate Rust compatibility shims for the targeted platform. It is important to generate it for the correct platform because `bindgen` uses LLVM information for alignment which varies depending on architecture. These files are then packaged into a Rust crate.
+`bssl-sys` uses `bindgen` as part of the cmake build process to generate Rust compatibility shims for the targeted platform. It is important to generate it for the correct platform because `bindgen` uses LLVM information for alignment which varies depending on architecture.
 
 ### To Use
-Build `boringssl` with `-DRUST_BINDINGS=<rust-triple>` and ensure that you have `bindgen` installed.
-
-The `rust-triple` option should be one of the supported targets at https://doc.rust-lang.org/nightly/rustc/platform-support.html.
+Build `boringssl` with `-DRUST_BINDINGS=<rust-triple>` and ensure that you have `bindgen` installed. The `rust-triple` option should match the [Rust target triple](https://doc.rust-lang.org/nightly/rustc/platform-support.html) when building `bssl-sys`.
 
+From there, the `bssl-sys` crate can be built. By default, it looks for `bindgen` output and BoringSSL static libraries in the `build` directory. This can be reconfigured with `BORINGSSL_BUILD_DIR` environment variable. Note the environment variable is evaluated relative to `rust/bssl-sys/src`, so using an absolute path may be more convenient.
diff --git a/src/rust/bssl-sys/build.rs b/src/rust/bssl-sys/build.rs
index c2b7358a..2d7461ab 100644
--- a/src/rust/bssl-sys/build.rs
+++ b/src/rust/bssl-sys/build.rs
@@ -15,38 +15,43 @@
 
 use std::env;
 use std::path::Path;
+use std::path::PathBuf;
+
+fn get_bssl_build_dir() -> PathBuf {
+    println!("cargo:rerun-if-env-changed=BORINGSSL_BUILD_DIR");
+    if let Some(build_dir) = env::var_os("BORINGSSL_BUILD_DIR") {
+        return PathBuf::from(build_dir);
+    }
+
+    let crate_dir = env::var_os("CARGO_MANIFEST_DIR").unwrap();
+    return Path::new(&crate_dir).join("../../build");
+}
 
 fn main() {
-    let dir = env::var("CARGO_MANIFEST_DIR").unwrap();
-    let crate_path = Path::new(&dir);
+    let bssl_build_dir = get_bssl_build_dir();
+    let bssl_sys_build_dir = bssl_build_dir.join("rust/bssl-sys");
+    let target = env::var("TARGET").unwrap();
 
     // Find the bindgen generated target platform bindings file and set BINDGEN_RS_FILE
-    let bindgen_file = crate_path
-        .join("src")
-        .read_dir()
-        .unwrap()
-        .map(|file| file.unwrap().file_name().into_string().unwrap())
-        .find(|file| file.starts_with("wrapper_"))
-        .unwrap();
-    println!("cargo:rustc-env=BINDGEN_RS_FILE={}", bindgen_file);
-
-    // building bssl-sys with: `mkdir build && cd build && cmake -G Ninja .. -DRUST_BINDINGS="$(gcc -dumpmachine)" && ninja`
-    // outputs this crate to /build/rust/bssl-sys/ so need to go up 3 levels to the root of the repo
-    let repo_root = crate_path.parent().unwrap().parent().unwrap();
+    let bindgen_file = bssl_sys_build_dir.join(format!("wrapper_{}.rs", target));
+    println!("cargo:rustc-env=BINDGEN_RS_FILE={}", bindgen_file.display());
 
     // Statically link libraries.
     println!(
         "cargo:rustc-link-search=native={}",
-        repo_root.join("crypto").display()
+        bssl_build_dir.join("crypto").display()
     );
     println!("cargo:rustc-link-lib=static=crypto");
 
     println!(
         "cargo:rustc-link-search=native={}",
-        repo_root.join("ssl").display()
+        bssl_build_dir.join("ssl").display()
     );
     println!("cargo:rustc-link-lib=static=ssl");
 
-    println!("cargo:rustc-link-search=native={}", crate_path.display());
+    println!(
+        "cargo:rustc-link-search=native={}",
+        bssl_sys_build_dir.display()
+    );
     println!("cargo:rustc-link-lib=static=rust_wrapper");
 }
diff --git a/src/rust/bssl-sys/wrapper.h b/src/rust/bssl-sys/wrapper.h
index 101b455d..bd740495 100644
--- a/src/rust/bssl-sys/wrapper.h
+++ b/src/rust/bssl-sys/wrapper.h
@@ -1,79 +1,79 @@
-#include "../../include/openssl/aes.h"
-#include "../../include/openssl/asn1.h"
-#include "../../include/openssl/asn1_mac.h"
-#include "../../include/openssl/asn1t.h"
-#include "../../include/openssl/base.h"
-#include "../../include/openssl/base64.h"
-#include "../../include/openssl/bio.h"
-#include "../../include/openssl/blake2.h"
-#include "../../include/openssl/blowfish.h"
-#include "../../include/openssl/bn.h"
-#include "../../include/openssl/buf.h"
-#include "../../include/openssl/buffer.h"
-#include "../../include/openssl/bytestring.h"
-#include "../../include/openssl/cast.h"
-#include "../../include/openssl/chacha.h"
-#include "../../include/openssl/cipher.h"
-#include "../../include/openssl/cmac.h"
-#include "../../include/openssl/conf.h"
-#include "../../include/openssl/cpu.h"
-#include "../../include/openssl/crypto.h"
-#include "../../include/openssl/ctrdrbg.h"
-#include "../../include/openssl/curve25519.h"
-#include "../../include/openssl/des.h"
-#include "../../include/openssl/dh.h"
-#include "../../include/openssl/digest.h"
-#include "../../include/openssl/dsa.h"
-#include "../../include/openssl/dtls1.h"
-#include "../../include/openssl/e_os2.h"
-#include "../../include/openssl/ec.h"
-#include "../../include/openssl/ec_key.h"
-#include "../../include/openssl/ecdh.h"
-#include "../../include/openssl/ecdsa.h"
-#include "../../include/openssl/engine.h"
-#include "../../include/openssl/err.h"
-#include "../../include/openssl/evp.h"
-#include "../../include/openssl/evp_errors.h"
-#include "../../include/openssl/ex_data.h"
-#include "../../include/openssl/hkdf.h"
-#include "../../include/openssl/hmac.h"
-#include "../../include/openssl/hpke.h"
-#include "../../include/openssl/hrss.h"
-#include "../../include/openssl/is_boringssl.h"
-#include "../../include/openssl/kdf.h"
-#include "../../include/openssl/lhash.h"
-#include "../../include/openssl/md4.h"
-#include "../../include/openssl/md5.h"
-#include "../../include/openssl/mem.h"
-#include "../../include/openssl/obj.h"
-#include "../../include/openssl/obj_mac.h"
-#include "../../include/openssl/objects.h"
-#include "../../include/openssl/opensslconf.h"
-#include "../../include/openssl/opensslv.h"
-#include "../../include/openssl/ossl_typ.h"
-#include "../../include/openssl/pem.h"
-#include "../../include/openssl/pkcs12.h"
-#include "../../include/openssl/pkcs7.h"
-#include "../../include/openssl/pkcs8.h"
-#include "../../include/openssl/poly1305.h"
-#include "../../include/openssl/pool.h"
-#include "../../include/openssl/rand.h"
-#include "../../include/openssl/rc4.h"
-#include "../../include/openssl/ripemd.h"
-#include "../../include/openssl/rsa.h"
-#include "../../include/openssl/safestack.h"
-#include "../../include/openssl/sha.h"
-#include "../../include/openssl/siphash.h"
-#include "../../include/openssl/span.h"
-#include "../../include/openssl/srtp.h"
-#include "../../include/openssl/ssl.h"
-#include "../../include/openssl/ssl3.h"
-#include "../../include/openssl/stack.h"
-#include "../../include/openssl/thread.h"
-#include "../../include/openssl/tls1.h"
-#include "../../include/openssl/trust_token.h"
-#include "../../include/openssl/x509.h"
-#include "../../include/openssl/x509_vfy.h"
-#include "../../include/openssl/x509v3.h"
+#include <openssl/aes.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
+#include <openssl/base.h>
+#include <openssl/base64.h>
+#include <openssl/bio.h>
+#include <openssl/blake2.h>
+#include <openssl/blowfish.h>
+#include <openssl/bn.h>
+#include <openssl/buf.h>
+#include <openssl/buffer.h>
+#include <openssl/bytestring.h>
+#include <openssl/cast.h>
+#include <openssl/chacha.h>
+#include <openssl/cipher.h>
+#include <openssl/cmac.h>
+#include <openssl/conf.h>
+#include <openssl/cpu.h>
+#include <openssl/crypto.h>
+#include <openssl/ctrdrbg.h>
+#include <openssl/curve25519.h>
+#include <openssl/des.h>
+#include <openssl/dh.h>
+#include <openssl/digest.h>
+#include <openssl/dsa.h>
+#include <openssl/dtls1.h>
+#include <openssl/e_os2.h>
+#include <openssl/ec.h>
+#include <openssl/ec_key.h>
+#include <openssl/ecdh.h>
+#include <openssl/ecdsa.h>
+#include <openssl/engine.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/evp_errors.h>
+#include <openssl/ex_data.h>
+#include <openssl/hkdf.h>
+#include <openssl/hmac.h>
+#include <openssl/hpke.h>
+#include <openssl/hrss.h>
+#include <openssl/is_boringssl.h>
+#include <openssl/kdf.h>
+#include <openssl/lhash.h>
+#include <openssl/md4.h>
+#include <openssl/md5.h>
+#include <openssl/mem.h>
+#include <openssl/obj.h>
+#include <openssl/obj_mac.h>
+#include <openssl/objects.h>
+#include <openssl/opensslconf.h>
+#include <openssl/opensslv.h>
+#include <openssl/ossl_typ.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs12.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pkcs8.h>
+#include <openssl/poly1305.h>
+#include <openssl/pool.h>
+#include <openssl/rand.h>
+#include <openssl/rc4.h>
+#include <openssl/ripemd.h>
+#include <openssl/rsa.h>
+#include <openssl/safestack.h>
+#include <openssl/sha.h>
+#include <openssl/siphash.h>
+#include <openssl/span.h>
+#include <openssl/srtp.h>
+#include <openssl/ssl.h>
+#include <openssl/ssl3.h>
+#include <openssl/stack.h>
+#include <openssl/thread.h>
+#include <openssl/tls1.h>
+#include <openssl/trust_token.h>
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/x509v3.h>
 
 #include "rust_wrapper.h"
diff --git a/src/ssl/handshake_client.cc b/src/ssl/handshake_client.cc
index 7fe2a2b5..971ebd0b 100644
--- a/src/ssl/handshake_client.cc
+++ b/src/ssl/handshake_client.cc
@@ -215,6 +215,14 @@ static void ssl_get_client_disabled(const SSL_HANDSHAKE *hs,
   }
 }
 
+static bool ssl_add_tls13_cipher(CBB *cbb, uint16_t cipher_id,
+                                 ssl_compliance_policy_t policy) {
+  if (ssl_tls13_cipher_meets_policy(cipher_id, policy)) {
+    return CBB_add_u16(cbb, cipher_id);
+  }
+  return true;
+}
+
 static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
                                          ssl_client_hello_type_t type) {
   const SSL *const ssl = hs->ssl;
@@ -235,26 +243,22 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
   // Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
   // hardware support.
   if (hs->max_version >= TLS1_3_VERSION) {
-    const bool include_chacha20 = ssl_tls13_cipher_meets_policy(
-        TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
-        ssl->config->only_fips_cipher_suites_in_tls13);
-
     const bool has_aes_hw = ssl->config->aes_hw_override
                                 ? ssl->config->aes_hw_override_value
                                 : EVP_has_aes_hardware();
 
-    if (!has_aes_hw &&       //
-        include_chacha20 &&  //
-        !CBB_add_u16(&child, TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
-      return false;
-    }
-    if (!CBB_add_u16(&child, TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff) ||
-        !CBB_add_u16(&child, TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff)) {
-      return false;
-    }
-    if (has_aes_hw &&        //
-        include_chacha20 &&  //
-        !CBB_add_u16(&child, TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
+    if ((!has_aes_hw &&  //
+         !ssl_add_tls13_cipher(&child,
+                               TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
+                               ssl->config->tls13_cipher_policy)) ||
+        !ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
+                              ssl->config->tls13_cipher_policy) ||
+        !ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
+                              ssl->config->tls13_cipher_policy) ||
+        (has_aes_hw &&  //
+         !ssl_add_tls13_cipher(&child,
+                               TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
+                               ssl->config->tls13_cipher_policy))) {
       return false;
     }
   }
diff --git a/src/ssl/internal.h b/src/ssl/internal.h
index 15ad6c21..01decb03 100644
--- a/src/ssl/internal.h
+++ b/src/ssl/internal.h
@@ -547,8 +547,7 @@ BSSL_NAMESPACE_BEGIN
 #define SSL_AES256 0x00000004u
 #define SSL_AES128GCM 0x00000008u
 #define SSL_AES256GCM 0x00000010u
-#define SSL_eNULL 0x00000020u
-#define SSL_CHACHA20POLY1305 0x00000040u
+#define SSL_CHACHA20POLY1305 0x00000020u
 
 #define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)
 
@@ -661,17 +660,17 @@ size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher);
 
 // ssl_choose_tls13_cipher returns an |SSL_CIPHER| corresponding with the best
 // available from |cipher_suites| compatible with |version|, |group_id|, and
-// |only_fips|. It returns NULL if there isn't a compatible cipher. |has_aes_hw|
+// |policy|. It returns NULL if there isn't a compatible cipher. |has_aes_hw|
 // indicates if the choice should be made as if support for AES in hardware
 // is available.
 const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw,
                                           uint16_t version, uint16_t group_id,
-                                          bool only_fips);
+                                          enum ssl_compliance_policy_t policy);
 
 // ssl_tls13_cipher_meets_policy returns true if |cipher_id| is acceptable given
-// |only_fips|. (For now there's only a single policy and so the policy argument
-// is just a bool.)
-bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id, bool only_fips);
+// |policy|.
+bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id,
+                                   enum ssl_compliance_policy_t policy);
 
 
 // Transcript layer.
@@ -3064,6 +3063,10 @@ struct SSL_CONFIG {
   // structure for the client to use when negotiating ECH.
   Array<uint8_t> client_ech_config_list;
 
+  // tls13_cipher_policy limits the set of ciphers that can be selected when
+  // negotiating a TLS 1.3 connection.
+  enum ssl_compliance_policy_t tls13_cipher_policy = ssl_compliance_policy_none;
+
   // verify_mode is a bitmask of |SSL_VERIFY_*| values.
   uint8_t verify_mode = SSL_VERIFY_NONE;
 
@@ -3113,10 +3116,6 @@ struct SSL_CONFIG {
   // permute_extensions is whether to permute extensions when sending messages.
   bool permute_extensions : 1;
 
-  // only_fips_cipher_suites_in_tls13 constrains the selection of cipher suites
-  // in TLS 1.3 such that only FIPS approved ones will be selected.
-  bool only_fips_cipher_suites_in_tls13 : 1;
-
   // aes_hw_override if set indicates we should override checking for aes
   // hardware support, and use the value in aes_hw_override_value instead.
   bool aes_hw_override : 1;
@@ -3685,6 +3684,10 @@ struct ssl_ctx_st {
   int (*legacy_ocsp_callback)(SSL *ssl, void *arg) = nullptr;
   void *legacy_ocsp_callback_arg = nullptr;
 
+  // tls13_cipher_policy limits the set of ciphers that can be selected when
+  // negotiating a TLS 1.3 connection.
+  enum ssl_compliance_policy_t tls13_cipher_policy = ssl_compliance_policy_none;
+
   // verify_sigalgs, if not empty, is the set of signature algorithms
   // accepted from the peer in decreasing order of preference.
   bssl::Array<uint16_t> verify_sigalgs;
@@ -3732,10 +3735,6 @@ struct ssl_ctx_st {
   // If enable_early_data is true, early data can be sent and accepted.
   bool enable_early_data : 1;
 
-  // only_fips_cipher_suites_in_tls13 constrains the selection of cipher suites
-  // in TLS 1.3 such that only FIPS approved ones will be selected.
-  bool only_fips_cipher_suites_in_tls13 : 1;
-
   // aes_hw_override if set indicates we should override checking for AES
   // hardware support, and use the value in aes_hw_override_value instead.
   bool aes_hw_override : 1;
diff --git a/src/ssl/s3_both.cc b/src/ssl/s3_both.cc
index f8352f3d..6d33c6d7 100644
--- a/src/ssl/s3_both.cc
+++ b/src/ssl/s3_both.cc
@@ -685,26 +685,44 @@ class CipherScorer {
   const bool aes_is_fine_;
 };
 
-bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id, bool only_fips) {
-  if (!only_fips) {
-    return true;
-  }
-
-  switch (cipher_id) {
-    case TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff:
-    case TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff:
+bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id,
+                                   enum ssl_compliance_policy_t policy) {
+  switch (policy) {
+    case ssl_compliance_policy_none:
       return true;
-    case TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff:
-      return false;
-    default:
-      assert(false);
-      return false;
+
+    case ssl_compliance_policy_fips_202205:
+      switch (cipher_id) {
+        case TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff:
+        case TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff:
+          return true;
+        case TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff:
+          return false;
+        default:
+          assert(false);
+          return false;
+      }
+
+    case ssl_compliance_policy_wpa3_192_202304:
+      switch (cipher_id) {
+        case TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff:
+          return true;
+        case TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff:
+        case TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff:
+          return false;
+        default:
+          assert(false);
+          return false;
+      }
   }
+
+  assert(false);
+  return false;
 }
 
 const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw,
                                           uint16_t version, uint16_t group_id,
-                                          bool only_fips) {
+                                          enum ssl_compliance_policy_t policy) {
   if (CBS_len(&cipher_suites) % 2 != 0) {
     return nullptr;
   }
@@ -728,7 +746,7 @@ const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw,
     }
 
     if (!ssl_tls13_cipher_meets_policy(SSL_CIPHER_get_protocol_id(candidate),
-                                       only_fips)) {
+                                       policy)) {
       continue;
     }
 
diff --git a/src/ssl/ssl_cipher.cc b/src/ssl/ssl_cipher.cc
index 73564b39..f6259b24 100644
--- a/src/ssl/ssl_cipher.cc
+++ b/src/ssl/ssl_cipher.cc
@@ -157,17 +157,6 @@ BSSL_NAMESPACE_BEGIN
 
 static constexpr SSL_CIPHER kCiphers[] = {
     // The RSA ciphers
-    // Cipher 02
-    {
-     SSL3_TXT_RSA_NULL_SHA,
-     "TLS_RSA_WITH_NULL_SHA",
-     SSL3_CK_RSA_NULL_SHA,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_eNULL,
-     SSL_SHA1,
-     SSL_HANDSHAKE_MAC_DEFAULT,
-    },
 
     // Cipher 0A
     {
@@ -466,6 +455,16 @@ Span<const SSL_CIPHER> AllCiphers() {
   return MakeConstSpan(kCiphers, OPENSSL_ARRAY_SIZE(kCiphers));
 }
 
+static constexpr size_t NumTLS13Ciphers() {
+  size_t num = 0;
+  for (const auto &cipher : kCiphers) {
+    if (cipher.algorithm_mkey == SSL_kGENERIC) {
+      num++;
+    }
+  }
+  return num;
+}
+
 #define CIPHER_ADD 1
 #define CIPHER_KILL 2
 #define CIPHER_DEL 3
@@ -498,7 +497,6 @@ typedef struct cipher_alias_st {
 } CIPHER_ALIAS;
 
 static const CIPHER_ALIAS kCipherAliases[] = {
-    // "ALL" doesn't include eNULL. It must be explicitly enabled.
     {"ALL", ~0u, ~0u, ~0u, ~0u, 0},
 
     // The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing.
@@ -599,9 +597,7 @@ bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
       *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
     }
   } else if (cipher->algorithm_mac == SSL_SHA1) {
-    if (cipher->algorithm_enc == SSL_eNULL) {
-      *out_aead = EVP_aead_null_sha1_tls();
-    } else if (cipher->algorithm_enc == SSL_3DES) {
+    if (cipher->algorithm_enc == SSL_3DES) {
       if (version == TLS1_VERSION) {
         *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
         *out_fixed_iv_len = 8;
@@ -703,54 +699,6 @@ static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
   *head = curr;
 }
 
-static bool ssl_cipher_collect_ciphers(Array<CIPHER_ORDER> *out_co_list,
-                                       CIPHER_ORDER **out_head,
-                                       CIPHER_ORDER **out_tail) {
-  Array<CIPHER_ORDER> co_list;
-  if (!co_list.Init(OPENSSL_ARRAY_SIZE(kCiphers))) {
-    return false;
-  }
-
-  size_t co_list_num = 0;
-  for (const SSL_CIPHER &cipher : kCiphers) {
-    // TLS 1.3 ciphers do not participate in this mechanism.
-    if (cipher.algorithm_mkey != SSL_kGENERIC) {
-      co_list[co_list_num].cipher = &cipher;
-      co_list[co_list_num].next = NULL;
-      co_list[co_list_num].prev = NULL;
-      co_list[co_list_num].active = false;
-      co_list[co_list_num].in_group = false;
-      co_list_num++;
-    }
-  }
-
-  // Prepare linked list from list entries.
-  if (co_list_num > 0) {
-    co_list[0].prev = NULL;
-
-    if (co_list_num > 1) {
-      co_list[0].next = &co_list[1];
-
-      for (size_t i = 1; i < co_list_num - 1; i++) {
-        co_list[i].prev = &co_list[i - 1];
-        co_list[i].next = &co_list[i + 1];
-      }
-
-      co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
-    }
-
-    co_list[co_list_num - 1].next = NULL;
-
-    *out_head = &co_list[0];
-    *out_tail = &co_list[co_list_num - 1];
-  } else {
-    *out_head = nullptr;
-    *out_tail = nullptr;
-  }
-  *out_co_list = std::move(co_list);
-  return true;
-}
-
 SSLCipherPreferenceList::~SSLCipherPreferenceList() {
   OPENSSL_free(in_group_flags);
 }
@@ -866,9 +814,7 @@ static void ssl_cipher_apply_rule(
           !(alg_auth & cp->algorithm_auth) ||
           !(alg_enc & cp->algorithm_enc) ||
           !(alg_mac & cp->algorithm_mac) ||
-          (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version) ||
-          // The NULL cipher must be selected explicitly.
-          cp->algorithm_enc == SSL_eNULL) {
+          (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
         continue;
       }
     }
@@ -1155,67 +1101,79 @@ bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
     return false;
   }
 
-  // Now we have to collect the available ciphers from the compiled in ciphers.
-  // We cannot get more than the number compiled in, so it is used for
-  // allocation.
-  Array<CIPHER_ORDER> co_list;
-  CIPHER_ORDER *head = nullptr, *tail = nullptr;
-  if (!ssl_cipher_collect_ciphers(&co_list, &head, &tail)) {
-    return false;
+  // We prefer ECDHE ciphers over non-PFS ciphers. Then we prefer AEAD over
+  // non-AEAD. The constants are masked by 0xffff to remove the vestigial 0x03
+  // byte from SSL 2.0.
+  static const uint16_t kAESCiphers[] = {
+      TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 & 0xffff,
+      TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256 & 0xffff,
+      TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 & 0xffff,
+      TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384 & 0xffff,
+  };
+  static const uint16_t kChaChaCiphers[] = {
+      TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,
+      TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,
+      TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,
+  };
+  static const uint16_t kLegacyCiphers[] = {
+      TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA & 0xffff,
+      TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA & 0xffff,
+      TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA & 0xffff,
+      TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA & 0xffff,
+      TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA & 0xffff,
+      TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA & 0xffff,
+      TLS1_CK_RSA_WITH_AES_128_GCM_SHA256 & 0xffff,
+      TLS1_CK_RSA_WITH_AES_256_GCM_SHA384 & 0xffff,
+      TLS1_CK_RSA_WITH_AES_128_SHA & 0xffff,
+      TLS1_CK_PSK_WITH_AES_128_CBC_SHA & 0xffff,
+      TLS1_CK_RSA_WITH_AES_256_SHA & 0xffff,
+      TLS1_CK_PSK_WITH_AES_256_CBC_SHA & 0xffff,
+      SSL3_CK_RSA_DES_192_CBC3_SHA & 0xffff,
+  };
+
+  // Set up a linked list of ciphers.
+  CIPHER_ORDER co_list[OPENSSL_ARRAY_SIZE(kAESCiphers) +
+                       OPENSSL_ARRAY_SIZE(kChaChaCiphers) +
+                       OPENSSL_ARRAY_SIZE(kLegacyCiphers)];
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(co_list); i++) {
+    co_list[i].next =
+        i + 1 < OPENSSL_ARRAY_SIZE(co_list) ? &co_list[i + 1] : nullptr;
+    co_list[i].prev = i == 0 ? nullptr : &co_list[i - 1];
+    co_list[i].active = false;
+    co_list[i].in_group = false;
   }
-
-  // Now arrange all ciphers by preference:
-  // TODO(davidben): Compute this order once and copy it.
-
-  // Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
-  // key exchange mechanisms
-  ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
-                        false, &head, &tail);
-  ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false,
-                        &head, &tail);
-  ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head,
-                        &tail);
-
-  // Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
-  // CHACHA20 unless there is hardware support for fast and constant-time
-  // AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
-  // old one.
+  CIPHER_ORDER *head = &co_list[0];
+  CIPHER_ORDER *tail = &co_list[OPENSSL_ARRAY_SIZE(co_list) - 1];
+
+  // Order AES ciphers vs ChaCha ciphers based on whether we have AES hardware.
+  //
+  // TODO(crbug.com/boringssl/29): We should also set up equipreference groups
+  // as a server.
+  size_t num = 0;
   if (has_aes_hw) {
-    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1,
-                          false, &head, &tail);
-    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1,
-                          false, &head, &tail);
-    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
-                          -1, false, &head, &tail);
-  } else {
-    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
-                          -1, false, &head, &tail);
-    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1,
-                          false, &head, &tail);
-    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1,
-                          false, &head, &tail);
-  }
-
-  // Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
-  // 3DES_EDE_CBC_SHA.
-  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, false,
-                        &head, &tail);
-  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, false,
-                        &head, &tail);
-  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, false,
-                        &head, &tail);
-
-  // Temporarily enable everything else for sorting
-  ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false, &head,
-                        &tail);
-
-  // Move ciphers without forward secrecy to the end.
-  ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0, CIPHER_ORD,
-                        -1, false, &head, &tail);
-
-  // Now disable everything (maintaining the ordering!)
-  ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head,
-                        &tail);
+    for (uint16_t id : kAESCiphers) {
+      co_list[num++].cipher = SSL_get_cipher_by_value(id);
+      assert(co_list[num - 1].cipher != nullptr);
+    }
+  }
+  for (uint16_t id : kChaChaCiphers) {
+    co_list[num++].cipher = SSL_get_cipher_by_value(id);
+    assert(co_list[num - 1].cipher != nullptr);
+  }
+  if (!has_aes_hw) {
+    for (uint16_t id : kAESCiphers) {
+      co_list[num++].cipher = SSL_get_cipher_by_value(id);
+      assert(co_list[num - 1].cipher != nullptr);
+    }
+  }
+  for (uint16_t id : kLegacyCiphers) {
+    co_list[num++].cipher = SSL_get_cipher_by_value(id);
+    assert(co_list[num - 1].cipher != nullptr);
+  }
+  assert(num == OPENSSL_ARRAY_SIZE(co_list));
+  static_assert(OPENSSL_ARRAY_SIZE(co_list) + NumTLS13Ciphers() ==
+                    OPENSSL_ARRAY_SIZE(kCiphers),
+                "Not all ciphers are included in the cipher order");
 
   // If the rule_string begins with DEFAULT, apply the default rule before
   // using the (possibly available) additional rules.
@@ -1383,8 +1341,6 @@ int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {
 
 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) {
   switch (cipher->algorithm_enc) {
-    case SSL_eNULL:
-      return NID_undef;
     case SSL_3DES:
       return NID_des_ede3_cbc;
     case SSL_AES128:
@@ -1457,8 +1413,7 @@ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher) {
 }
 
 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
-  return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
-      cipher->algorithm_mac != SSL_AEAD;
+  return cipher->algorithm_mac != SSL_AEAD;
 }
 
 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
@@ -1557,11 +1512,6 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
       strength_bits = 112;
       break;
 
-    case SSL_eNULL:
-      alg_bits = 0;
-      strength_bits = 0;
-      break;
-
     default:
       assert(0);
       alg_bits = 0;
@@ -1652,10 +1602,6 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
       enc = "ChaCha20-Poly1305";
       break;
 
-    case SSL_eNULL:
-      enc="None";
-      break;
-
     default:
       enc = "unknown";
       break;
diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
index 6b454963..838761af 100644
--- a/src/ssl/ssl_lib.cc
+++ b/src/ssl/ssl_lib.cc
@@ -536,7 +536,6 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
       false_start_allowed_without_alpn(false),
       handoff(false),
       enable_early_data(false),
-      only_fips_cipher_suites_in_tls13(false),
       aes_hw_override(false),
       aes_hw_override_value(false) {
   CRYPTO_MUTEX_init(&lock);
@@ -658,10 +657,9 @@ SSL *SSL_new(SSL_CTX *ctx) {
   ssl->config->retain_only_sha256_of_client_certs =
       ctx->retain_only_sha256_of_client_certs;
   ssl->config->permute_extensions = ctx->permute_extensions;
-  ssl->config->only_fips_cipher_suites_in_tls13 =
-      ctx->only_fips_cipher_suites_in_tls13;
   ssl->config->aes_hw_override = ctx->aes_hw_override;
   ssl->config->aes_hw_override_value = ctx->aes_hw_override_value;
+  ssl->config->tls13_cipher_policy = ctx->tls13_cipher_policy;
 
   if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) ||
       !ssl->config->alpn_client_proto_list.CopyFrom(
@@ -3175,7 +3173,7 @@ static const char kTLS12Ciphers[] =
     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
 
 static int Configure(SSL_CTX *ctx) {
-  ctx->only_fips_cipher_suites_in_tls13 = true;
+  ctx->tls13_cipher_policy = ssl_compliance_policy_fips_202205;
 
   return
       // Section 3.1:
@@ -3198,7 +3196,7 @@ static int Configure(SSL_CTX *ctx) {
 }
 
 static int Configure(SSL *ssl) {
-  ssl->config->only_fips_cipher_suites_in_tls13 = true;
+  ssl->config->tls13_cipher_policy = ssl_compliance_policy_fips_202205;
 
   // See |Configure(SSL_CTX)|, above, for reasoning.
   return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&
@@ -3213,11 +3211,59 @@ static int Configure(SSL *ssl) {
 
 }  // namespace fips202205
 
+namespace wpa202304 {
+
+// See WPA version 3.1, section 3.5.
+
+static const int kCurves[] = {NID_secp384r1};
+
+static const uint16_t kSigAlgs[] = {
+    SSL_SIGN_RSA_PKCS1_SHA384,        //
+    SSL_SIGN_RSA_PKCS1_SHA512,        //
+    SSL_SIGN_ECDSA_SECP384R1_SHA384,  //
+    SSL_SIGN_RSA_PSS_RSAE_SHA384,     //
+    SSL_SIGN_RSA_PSS_RSAE_SHA512,     //
+};
+
+static const char kTLS12Ciphers[] =
+    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:"
+    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
+
+static int Configure(SSL_CTX *ctx) {
+  ctx->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304;
+
+  return SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) &&
+         SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) &&
+         SSL_CTX_set_strict_cipher_list(ctx, kTLS12Ciphers) &&
+         SSL_CTX_set1_curves(ctx, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) &&
+         SSL_CTX_set_signing_algorithm_prefs(ctx, kSigAlgs,
+                                             OPENSSL_ARRAY_SIZE(kSigAlgs)) &&
+         SSL_CTX_set_verify_algorithm_prefs(ctx, kSigAlgs,
+                                            OPENSSL_ARRAY_SIZE(kSigAlgs));
+}
+
+static int Configure(SSL *ssl) {
+  ssl->config->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304;
+
+  return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&
+         SSL_set_max_proto_version(ssl, TLS1_3_VERSION) &&
+         SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) &&
+         SSL_set1_curves(ssl, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) &&
+         SSL_set_signing_algorithm_prefs(ssl, kSigAlgs,
+                                         OPENSSL_ARRAY_SIZE(kSigAlgs)) &&
+         SSL_set_verify_algorithm_prefs(ssl, kSigAlgs,
+                                        OPENSSL_ARRAY_SIZE(kSigAlgs));
+}
+
+}  // namespace wpa202304
+
 int SSL_CTX_set_compliance_policy(SSL_CTX *ctx,
                                   enum ssl_compliance_policy_t policy) {
   switch (policy) {
     case ssl_compliance_policy_fips_202205:
       return fips202205::Configure(ctx);
+    case ssl_compliance_policy_wpa3_192_202304:
+      return wpa202304::Configure(ctx);
     default:
       return 0;
   }
@@ -3227,6 +3273,8 @@ int SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) {
   switch (policy) {
     case ssl_compliance_policy_fips_202205:
       return fips202205::Configure(ssl);
+    case ssl_compliance_policy_wpa3_192_202304:
+      return wpa202304::Configure(ssl);
     default:
       return 0;
   }
diff --git a/src/ssl/test/fuzzer.h b/src/ssl/test/fuzzer.h
index 8f73fc01..e18a8205 100644
--- a/src/ssl/test/fuzzer.h
+++ b/src/ssl/test/fuzzer.h
@@ -414,7 +414,7 @@ class TLSFuzzer {
     SSL_CTX_enable_ocsp_stapling(ctx_.get());
 
     // Enable versions and ciphers that are off by default.
-    if (!SSL_CTX_set_strict_cipher_list(ctx_.get(), "ALL:NULL-SHA")) {
+    if (!SSL_CTX_set_strict_cipher_list(ctx_.get(), "ALL")) {
       return false;
     }
 
diff --git a/src/ssl/test/runner/cipher_suites.go b/src/ssl/test/runner/cipher_suites.go
index 5db57498..b86f515f 100644
--- a/src/ssl/test/runner/cipher_suites.go
+++ b/src/ssl/test/runner/cipher_suites.go
@@ -127,11 +127,6 @@ var cipherSuites = []*cipherSuite{
 	{TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil},
 	{TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
 	{TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
-	{TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, 0, cipherNull, macSHA1, nil},
-}
-
-func noIV(vers uint16) int {
-	return 0
 }
 
 func ivLenChaCha20Poly1305(vers uint16) int {
@@ -364,7 +359,6 @@ func cipherSuiteFromID(id uint16) *cipherSuite {
 // A list of the possible cipher suite ids. Taken from
 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
 const (
-	TLS_RSA_WITH_NULL_SHA                         uint16 = 0x0002
 	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
 	TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
 	TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035
diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go
index ce06779b..cb974989 100644
--- a/src/ssl/test/runner/common.go
+++ b/src/ssl/test/runner/common.go
@@ -222,9 +222,13 @@ const (
 // algorithms.
 var supportedSignatureAlgorithms = []signatureAlgorithm{
 	signatureRSAPSSWithSHA256,
+	signatureRSAPSSWithSHA384,
 	signatureRSAPKCS1WithSHA256,
 	signatureECDSAWithP256AndSHA256,
+	signatureECDSAWithP384AndSHA384,
 	signatureRSAPKCS1WithSHA1,
+	signatureRSAPKCS1WithSHA256,
+	signatureRSAPKCS1WithSHA384,
 	signatureECDSAWithSHA1,
 	signatureEd25519,
 }
diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go
index dde60dfd..b361e195 100644
--- a/src/ssl/test/runner/runner.go
+++ b/src/ssl/test/runner/runner.go
@@ -65,6 +65,7 @@ var (
 	allowHintMismatch  = flag.String("allow-hint-mismatch", "", "Semicolon-separated patterns of tests where hints may mismatch")
 	numWorkersFlag     = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
 	shimPath           = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
+	shimExtraFlags     = flag.String("shim-extra-flags", "", "Semicolon-separated extra flags to pass to the shim binary on each invocation.")
 	handshakerPath     = flag.String("handshaker-path", "../../../build/ssl/test/handshaker", "The location of the handshaker binary.")
 	resourceDir        = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
 	fuzzer             = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
@@ -1433,6 +1434,9 @@ func runTest(statusChan chan statusMsg, test *testCase, shimPath string, mallocN
 	}()
 
 	var flags []string
+	if len(*shimExtraFlags) > 0 {
+		flags = strings.Split(*shimExtraFlags, ";")
+	}
 	if test.testType == serverTest {
 		flags = append(flags, "-server")
 
@@ -1850,7 +1854,6 @@ var testCipherSuites = []testCipherSuite{
 	{"CHACHA20_POLY1305_SHA256", TLS_CHACHA20_POLY1305_SHA256},
 	{"AES_128_GCM_SHA256", TLS_AES_128_GCM_SHA256},
 	{"AES_256_GCM_SHA384", TLS_AES_256_GCM_SHA384},
-	{"RSA_WITH_NULL_SHA", TLS_RSA_WITH_NULL_SHA},
 }
 
 func hasComponent(suiteName, component string) bool {
@@ -1878,7 +1881,12 @@ func bigFromHex(hex string) *big.Int {
 
 func convertToSplitHandshakeTests(tests []testCase) (splitHandshakeTests []testCase, err error) {
 	var stdout bytes.Buffer
-	shim := exec.Command(*shimPath, "-is-handshaker-supported")
+	var flags []string
+	if len(*shimExtraFlags) > 0 {
+		flags = strings.Split(*shimExtraFlags, ";")
+	}
+	flags = append(flags, "-is-handshaker-supported")
+	shim := exec.Command(*shimPath, flags...)
 	shim.Stdout = &stdout
 	if err := shim.Run(); err != nil {
 		return nil, err
@@ -3673,10 +3681,6 @@ func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol proto
 			"-psk", psk,
 			"-psk-identity", pskIdentity)
 	}
-	if hasComponent(suite.name, "NULL") {
-		// NULL ciphers must be explicitly enabled.
-		flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
-	}
 
 	var shouldFail bool
 	if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
@@ -9720,26 +9724,29 @@ var testSignatureAlgorithms = []struct {
 	name string
 	id   signatureAlgorithm
 	cert testCert
+	// If non-zero, the curve that must be supported in TLS 1.2 for cert to be
+	// accepted.
+	curve CurveID
 }{
-	{"RSA_PKCS1_SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
-	{"RSA_PKCS1_SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
-	{"RSA_PKCS1_SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
-	{"RSA_PKCS1_SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
-	{"ECDSA_SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
+	{"RSA_PKCS1_SHA1", signatureRSAPKCS1WithSHA1, testCertRSA, 0},
+	{"RSA_PKCS1_SHA256", signatureRSAPKCS1WithSHA256, testCertRSA, 0},
+	{"RSA_PKCS1_SHA384", signatureRSAPKCS1WithSHA384, testCertRSA, 0},
+	{"RSA_PKCS1_SHA512", signatureRSAPKCS1WithSHA512, testCertRSA, 0},
+	{"ECDSA_SHA1", signatureECDSAWithSHA1, testCertECDSAP256, CurveP256},
 	// The “P256” in the following line is not a mistake. In TLS 1.2 the
 	// hash function doesn't have to match the curve and so the same
 	// signature algorithm works with P-224.
-	{"ECDSA_P224_SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
-	{"ECDSA_P256_SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
-	{"ECDSA_P384_SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
-	{"ECDSA_P521_SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
-	{"RSA_PSS_SHA256", signatureRSAPSSWithSHA256, testCertRSA},
-	{"RSA_PSS_SHA384", signatureRSAPSSWithSHA384, testCertRSA},
-	{"RSA_PSS_SHA512", signatureRSAPSSWithSHA512, testCertRSA},
-	{"Ed25519", signatureEd25519, testCertEd25519},
+	{"ECDSA_P224_SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224, CurveP224},
+	{"ECDSA_P256_SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256, CurveP256},
+	{"ECDSA_P384_SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384, CurveP384},
+	{"ECDSA_P521_SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521, CurveP521},
+	{"RSA_PSS_SHA256", signatureRSAPSSWithSHA256, testCertRSA, 0},
+	{"RSA_PSS_SHA384", signatureRSAPSSWithSHA384, testCertRSA, 0},
+	{"RSA_PSS_SHA512", signatureRSAPSSWithSHA512, testCertRSA, 0},
+	{"Ed25519", signatureEd25519, testCertEd25519, 0},
 	// Tests for key types prior to TLS 1.2.
-	{"RSA", 0, testCertRSA},
-	{"ECDSA", 0, testCertECDSAP256},
+	{"RSA", 0, testCertRSA, 0},
+	{"ECDSA", 0, testCertECDSAP256, CurveP256},
 }
 
 const fakeSigAlg1 signatureAlgorithm = 0x2a01
@@ -9791,6 +9798,14 @@ func addSignatureAlgorithmTests() {
 				rejectByDefault = true
 			}
 
+			var curveFlags []string
+			if alg.curve != 0 && ver.version <= VersionTLS12 {
+				// In TLS 1.2, the ECDH curve list also constrains ECDSA keys. Ensure the
+				// corresponding curve is enabled on the shim. Also include X25519 to
+				// ensure the shim and runner have something in common for ECDH.
+				curveFlags = flagInts("-curves", []int{int(CurveX25519), int(alg.curve)})
+			}
+
 			var signError, signLocalError, verifyError, verifyLocalError, defaultError, defaultLocalError string
 			if shouldFail {
 				signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
@@ -9829,7 +9844,7 @@ func addSignatureAlgorithmTests() {
 							"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
 							"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
 						},
-						flagInts("-curves", shimConfig.AllCurves)...,
+						curveFlags...,
 					),
 					shouldFail:         shouldFail,
 					expectedError:      signError,
@@ -9853,7 +9868,7 @@ func addSignatureAlgorithmTests() {
 							"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
 							"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
 						},
-						flagInts("-curves", shimConfig.AllCurves)...,
+						curveFlags...,
 					),
 					expectations: connectionExpectations{
 						peerSignatureAlgorithm: alg.id,
@@ -9894,7 +9909,7 @@ func addSignatureAlgorithmTests() {
 							IgnorePeerSignatureAlgorithmPreferences: shouldFail,
 						},
 					},
-					flags: flagInts("-curves", shimConfig.AllCurves),
+					flags: curveFlags,
 					// Resume the session to assert the peer signature
 					// algorithm is reported on both handshakes.
 					resumeSession:      !shouldFail,
@@ -9927,7 +9942,7 @@ func addSignatureAlgorithmTests() {
 					},
 					flags: append(
 						[]string{"-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id))},
-						flagInts("-curves", shimConfig.AllCurves)...,
+						curveFlags...,
 					),
 					// Resume the session to assert the peer signature
 					// algorithm is reported on both handshakes.
@@ -9951,7 +9966,7 @@ func addSignatureAlgorithmTests() {
 							InvalidSignature: true,
 						},
 					},
-					flags:         flagInts("-curves", shimConfig.AllCurves),
+					flags:         curveFlags,
 					shouldFail:    true,
 					expectedError: ":BAD_SIGNATURE:",
 				}
@@ -19179,13 +19194,21 @@ func addCompliancePolicyTests() {
 				isFIPSCipherSuite = true
 			}
 
+			var isWPACipherSuite bool
+			switch suite.id {
+			case TLS_AES_256_GCM_SHA384,
+				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
+				isWPACipherSuite = true
+			}
+
 			var certFile string
 			var keyFile string
 			var certs []Certificate
 			if hasComponent(suite.name, "ECDSA") {
-				certFile = ecdsaP256CertificateFile
-				keyFile = ecdsaP256KeyFile
-				certs = []Certificate{ecdsaP256Certificate}
+				certFile = ecdsaP384CertificateFile
+				keyFile = ecdsaP384KeyFile
+				certs = []Certificate{ecdsaP384Certificate}
 			} else {
 				certFile = rsaCertificateFile
 				keyFile = rsaKeyFile
@@ -19200,38 +19223,48 @@ func addCompliancePolicyTests() {
 				maxVersion = VersionTLS12
 			}
 
-			testCases = append(testCases, testCase{
-				testType: serverTest,
-				protocol: protocol,
-				name:     "Compliance-fips202205-" + protocol.String() + "-Server-" + suite.name,
-				config: Config{
-					MinVersion:   VersionTLS12,
-					MaxVersion:   maxVersion,
-					CipherSuites: []uint16{suite.id},
-				},
-				certFile: certFile,
-				keyFile:  keyFile,
-				flags: []string{
-					"-fips-202205",
-				},
-				shouldFail: !isFIPSCipherSuite,
-			})
+			policies := []struct {
+				flag          string
+				cipherSuiteOk bool
+			}{
+				{"-fips-202205", isFIPSCipherSuite},
+				{"-wpa-202304", isWPACipherSuite},
+			}
 
-			testCases = append(testCases, testCase{
-				testType: clientTest,
-				protocol: protocol,
-				name:     "Compliance-fips202205-" + protocol.String() + "-Client-" + suite.name,
-				config: Config{
-					MinVersion:   VersionTLS12,
-					MaxVersion:   maxVersion,
-					CipherSuites: []uint16{suite.id},
-					Certificates: certs,
-				},
-				flags: []string{
-					"-fips-202205",
-				},
-				shouldFail: !isFIPSCipherSuite,
-			})
+			for _, policy := range policies {
+				testCases = append(testCases, testCase{
+					testType: serverTest,
+					protocol: protocol,
+					name:     "Compliance" + policy.flag + "-" + protocol.String() + "-Server-" + suite.name,
+					config: Config{
+						MinVersion:   VersionTLS12,
+						MaxVersion:   maxVersion,
+						CipherSuites: []uint16{suite.id},
+					},
+					certFile: certFile,
+					keyFile:  keyFile,
+					flags: []string{
+						policy.flag,
+					},
+					shouldFail: !policy.cipherSuiteOk,
+				})
+
+				testCases = append(testCases, testCase{
+					testType: clientTest,
+					protocol: protocol,
+					name:     "Compliance" + policy.flag + "-" + protocol.String() + "-Client-" + suite.name,
+					config: Config{
+						MinVersion:   VersionTLS12,
+						MaxVersion:   maxVersion,
+						CipherSuites: []uint16{suite.id},
+						Certificates: certs,
+					},
+					flags: []string{
+						policy.flag,
+					},
+					shouldFail: !policy.cipherSuiteOk,
+				})
+			}
 		}
 
 		// Check that a TLS 1.3 client won't accept ChaCha20 even if the server
@@ -19261,35 +19294,51 @@ func addCompliancePolicyTests() {
 				isFIPSCurve = true
 			}
 
-			testCases = append(testCases, testCase{
-				testType: serverTest,
-				protocol: protocol,
-				name:     "Compliance-fips202205-" + protocol.String() + "-Server-" + curve.name,
-				config: Config{
-					MinVersion:       VersionTLS12,
-					MaxVersion:       VersionTLS13,
-					CurvePreferences: []CurveID{curve.id},
-				},
-				flags: []string{
-					"-fips-202205",
-				},
-				shouldFail: !isFIPSCurve,
-			})
+			var isWPACurve bool
+			switch curve.id {
+			case CurveP384:
+				isWPACurve = true
+			}
 
-			testCases = append(testCases, testCase{
-				testType: clientTest,
-				protocol: protocol,
-				name:     "Compliance-fips202205-" + protocol.String() + "-Client-" + curve.name,
-				config: Config{
-					MinVersion:       VersionTLS12,
-					MaxVersion:       VersionTLS13,
-					CurvePreferences: []CurveID{curve.id},
-				},
-				flags: []string{
-					"-fips-202205",
-				},
-				shouldFail: !isFIPSCurve,
-			})
+			policies := []struct {
+				flag    string
+				curveOk bool
+			}{
+				{"-fips-202205", isFIPSCurve},
+				{"-wpa-202304", isWPACurve},
+			}
+
+			for _, policy := range policies {
+				testCases = append(testCases, testCase{
+					testType: serverTest,
+					protocol: protocol,
+					name:     "Compliance" + policy.flag + "-" + protocol.String() + "-Server-" + curve.name,
+					config: Config{
+						MinVersion:       VersionTLS12,
+						MaxVersion:       VersionTLS13,
+						CurvePreferences: []CurveID{curve.id},
+					},
+					flags: []string{
+						policy.flag,
+					},
+					shouldFail: !policy.curveOk,
+				})
+
+				testCases = append(testCases, testCase{
+					testType: clientTest,
+					protocol: protocol,
+					name:     "Compliance" + policy.flag + "-" + protocol.String() + "-Client-" + curve.name,
+					config: Config{
+						MinVersion:       VersionTLS12,
+						MaxVersion:       VersionTLS13,
+						CurvePreferences: []CurveID{curve.id},
+					},
+					flags: []string{
+						policy.flag,
+					},
+					shouldFail: !policy.curveOk,
+				})
+			}
 		}
 
 		for _, sigalg := range testSignatureAlgorithms {
@@ -19306,6 +19355,16 @@ func addCompliancePolicyTests() {
 				isFIPSSigAlg = true
 			}
 
+			var isWPASigAlg bool
+			switch sigalg.id {
+			case signatureRSAPKCS1WithSHA384,
+				signatureRSAPKCS1WithSHA512,
+				signatureECDSAWithP384AndSHA384,
+				signatureRSAPSSWithSHA384,
+				signatureRSAPSSWithSHA512:
+				isWPASigAlg = true
+			}
+
 			if sigalg.cert == testCertECDSAP224 {
 				// This can work in TLS 1.2, but not with TLS 1.3.
 				// For consistency it's not permitted in FIPS mode.
@@ -19320,38 +19379,48 @@ func addCompliancePolicyTests() {
 				maxVersion = VersionTLS12
 			}
 
-			testCases = append(testCases, testCase{
-				testType: serverTest,
-				protocol: protocol,
-				name:     "Compliance-fips202205-" + protocol.String() + "-Server-" + sigalg.name,
-				config: Config{
-					MinVersion:                VersionTLS12,
-					MaxVersion:                maxVersion,
-					VerifySignatureAlgorithms: []signatureAlgorithm{sigalg.id},
-				},
-				flags: []string{
-					"-fips-202205",
-					"-cert-file", path.Join(*resourceDir, getShimCertificate(sigalg.cert)),
-					"-key-file", path.Join(*resourceDir, getShimKey(sigalg.cert)),
-				},
-				shouldFail: !isFIPSSigAlg,
-			})
+			policies := []struct {
+				flag     string
+				sigAlgOk bool
+			}{
+				{"-fips-202205", isFIPSSigAlg},
+				{"-wpa-202304", isWPASigAlg},
+			}
 
-			testCases = append(testCases, testCase{
-				testType: clientTest,
-				protocol: protocol,
-				name:     "Compliance-fips202205-" + protocol.String() + "-Client-" + sigalg.name,
-				config: Config{
-					MinVersion:              VersionTLS12,
-					MaxVersion:              maxVersion,
-					SignSignatureAlgorithms: []signatureAlgorithm{sigalg.id},
-					Certificates:            []Certificate{getRunnerCertificate(sigalg.cert)},
-				},
-				flags: []string{
-					"-fips-202205",
-				},
-				shouldFail: !isFIPSSigAlg,
-			})
+			for _, policy := range policies {
+				testCases = append(testCases, testCase{
+					testType: serverTest,
+					protocol: protocol,
+					name:     "Compliance" + policy.flag + "-" + protocol.String() + "-Server-" + sigalg.name,
+					config: Config{
+						MinVersion:                VersionTLS12,
+						MaxVersion:                maxVersion,
+						VerifySignatureAlgorithms: []signatureAlgorithm{sigalg.id},
+					},
+					flags: []string{
+						policy.flag,
+						"-cert-file", path.Join(*resourceDir, getShimCertificate(sigalg.cert)),
+						"-key-file", path.Join(*resourceDir, getShimKey(sigalg.cert)),
+					},
+					shouldFail: !policy.sigAlgOk,
+				})
+
+				testCases = append(testCases, testCase{
+					testType: clientTest,
+					protocol: protocol,
+					name:     "Compliance" + policy.flag + "-" + protocol.String() + "-Client-" + sigalg.name,
+					config: Config{
+						MinVersion:              VersionTLS12,
+						MaxVersion:              maxVersion,
+						SignSignatureAlgorithms: []signatureAlgorithm{sigalg.id},
+						Certificates:            []Certificate{getRunnerCertificate(sigalg.cert)},
+					},
+					flags: []string{
+						policy.flag,
+					},
+					shouldFail: !policy.sigAlgOk,
+				})
+			}
 		}
 	}
 }
diff --git a/src/ssl/test/test_config.cc b/src/ssl/test/test_config.cc
index ba10a331..0ee5580e 100644
--- a/src/ssl/test/test_config.cc
+++ b/src/ssl/test/test_config.cc
@@ -390,6 +390,7 @@ std::vector<Flag> SortedFlags() {
       IntFlag("-early-write-after-message",
               &TestConfig::early_write_after_message),
       BoolFlag("-fips-202205", &TestConfig::fips_202205),
+      BoolFlag("-wpa-202304", &TestConfig::wpa_202304),
   };
   std::sort(flags.begin(), flags.end(), [](const Flag &a, const Flag &b) {
     return strcmp(a.name, b.name) < 0;
@@ -1765,11 +1766,20 @@ bssl::UniquePtr<SSL> TestConfig::NewSSL(
   if (enable_ech_grease) {
     SSL_set_enable_ech_grease(ssl.get(), 1);
   }
+  if (static_cast<int>(fips_202205) + static_cast<int>(wpa_202304) > 1) {
+    fprintf(stderr, "Multiple policy options given\n");
+    return nullptr;
+  }
   if (fips_202205 && !SSL_set_compliance_policy(
                          ssl.get(), ssl_compliance_policy_fips_202205)) {
     fprintf(stderr, "SSL_set_compliance_policy failed\n");
     return nullptr;
   }
+  if (wpa_202304 && !SSL_set_compliance_policy(
+                         ssl.get(), ssl_compliance_policy_wpa3_192_202304)) {
+    fprintf(stderr, "SSL_set_compliance_policy failed\n");
+    return nullptr;
+  }
   if (!ech_config_list.empty() &&
       !SSL_set1_ech_config_list(
           ssl.get(), reinterpret_cast<const uint8_t *>(ech_config_list.data()),
diff --git a/src/ssl/test/test_config.h b/src/ssl/test/test_config.h
index 5cc59264..e8c473a1 100644
--- a/src/ssl/test/test_config.h
+++ b/src/ssl/test/test_config.h
@@ -195,6 +195,7 @@ struct TestConfig {
   std::string quic_early_data_context;
   int early_write_after_message = 0;
   bool fips_202205 = false;
+  bool wpa_202304 = false;
 
   int argc;
   char **argv;
diff --git a/src/ssl/tls13_client.cc b/src/ssl/tls13_client.cc
index 92e26f22..1971596c 100644
--- a/src/ssl/tls13_client.cc
+++ b/src/ssl/tls13_client.cc
@@ -200,7 +200,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
       SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
       !ssl_tls13_cipher_meets_policy(
           SSL_CIPHER_get_value(cipher),
-          ssl->config->only_fips_cipher_suites_in_tls13)) {
+          ssl->config->tls13_cipher_policy)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
     return ssl_hs_error;
diff --git a/src/ssl/tls13_server.cc b/src/ssl/tls13_server.cc
index c97e3f55..9d26f4e0 100644
--- a/src/ssl/tls13_server.cc
+++ b/src/ssl/tls13_server.cc
@@ -120,7 +120,7 @@ static const SSL_CIPHER *choose_tls13_cipher(
       cipher_suites,
       ssl->config->aes_hw_override ? ssl->config->aes_hw_override_value
                                    : EVP_has_aes_hardware(),
-      version, group_id, ssl->config->only_fips_cipher_suites_in_tls13);
+      version, group_id, ssl->config->tls13_cipher_policy);
 }
 
 static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
diff --git a/src/third_party/fiat/curve25519_64_msvc.h b/src/third_party/fiat/curve25519_64_msvc.h
new file mode 100644
index 00000000..d20ec853
--- /dev/null
+++ b/src/third_party/fiat/curve25519_64_msvc.h
@@ -0,0 +1,1281 @@
+/* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier --no-wide-int 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */
+/* curve description: 25519 */
+/* machine_wordsize = 64 (from "64") */
+/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */
+/* n = 5 (from "(auto)") */
+/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */
+/* tight_bounds_multiplier = 1 (from "") */
+/*  */
+/* Computed values: */
+/*   carry_chain = [0, 1, 2, 3, 4, 0, 1] */
+/*   eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */
+/*   bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */
+/*   balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */
+
+#include <stdint.h>
+#include <intrin.h>
+#if defined(_M_X64)
+#include <immintrin.h>
+#endif
+
+typedef unsigned char fiat_25519_uint1;
+typedef signed char fiat_25519_int1;
+
+#define FIAT_25519_FIAT_INLINE inline
+
+/* The type fiat_25519_loose_field_element is a field element with loose bounds. */
+/* Bounds: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */
+typedef uint64_t fiat_25519_loose_field_element[5];
+
+/* The type fiat_25519_tight_field_element is a field element with tight bounds. */
+/* Bounds: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */
+typedef uint64_t fiat_25519_tight_field_element[5];
+
+#if (-1 & 3) != 3
+#error "This code only works on a two's complement system"
+#endif
+
+#define fiat_25519_value_barrier_u64(x) (x)
+
+/*
+ * The function fiat_25519_addcarryx_u64 is an addition with carry.
+ *
+ * Postconditions:
+ *   out1 = (arg1 + arg2 + arg3) mod 2^64
+ *   out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0x1]
+ *   arg2: [0x0 ~> 0xffffffffffffffff]
+ *   arg3: [0x0 ~> 0xffffffffffffffff]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0xffffffffffffffff]
+ *   out2: [0x0 ~> 0x1]
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u64(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
+// NOTE: edited after generation
+#if defined(_M_X64)
+  *out2 = _addcarry_u64(arg1, arg2, arg3, out1);
+#else
+  arg2 += arg1;
+  arg1 = arg2 < arg1;
+  arg3 += arg2;
+  arg1 += arg3 < arg2;
+  *out1 = arg3;
+  *out2 = arg1;
+#endif
+}
+
+/*
+ * The function fiat_25519_subborrowx_u64 is a subtraction with borrow.
+ *
+ * Postconditions:
+ *   out1 = (-arg1 + arg2 + -arg3) mod 2^64
+ *   out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0x1]
+ *   arg2: [0x0 ~> 0xffffffffffffffff]
+ *   arg3: [0x0 ~> 0xffffffffffffffff]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0xffffffffffffffff]
+ *   out2: [0x0 ~> 0x1]
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u64(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
+#if defined(_M_X64)
+  *out2 = _subborrow_u64(arg1, arg2, arg3, out1); // NOTE: edited after generation
+#else
+  *out1 = arg2 - arg3 - arg1;
+  *out2 = (arg2 < arg3) | ((arg2 == arg3) & arg1);
+#endif
+}
+
+/*
+ * The function fiat_25519_addcarryx_u51 is an addition with carry.
+ *
+ * Postconditions:
+ *   out1 = (arg1 + arg2 + arg3) mod 2^51
+ *   out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0x1]
+ *   arg2: [0x0 ~> 0x7ffffffffffff]
+ *   arg3: [0x0 ~> 0x7ffffffffffff]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0x7ffffffffffff]
+ *   out2: [0x0 ~> 0x1]
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
+  uint64_t x1;
+  uint64_t x2;
+  fiat_25519_uint1 x3;
+  x1 = ((arg1 + arg2) + arg3);
+  x2 = (x1 & UINT64_C(0x7ffffffffffff));
+  x3 = (fiat_25519_uint1)(x1 >> 51);
+  *out1 = x2;
+  *out2 = x3;
+}
+
+/*
+ * The function fiat_25519_subborrowx_u51 is a subtraction with borrow.
+ *
+ * Postconditions:
+ *   out1 = (-arg1 + arg2 + -arg3) mod 2^51
+ *   out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0x1]
+ *   arg2: [0x0 ~> 0x7ffffffffffff]
+ *   arg3: [0x0 ~> 0x7ffffffffffff]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0x7ffffffffffff]
+ *   out2: [0x0 ~> 0x1]
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
+  int64_t x1;
+  fiat_25519_int1 x2;
+  uint64_t x3;
+  x1 = ((int64_t)(arg2 - (int64_t)arg1) - (int64_t)arg3);
+  x2 = (fiat_25519_int1)(x1 >> 51);
+  x3 = (x1 & UINT64_C(0x7ffffffffffff));
+  *out1 = x3;
+  *out2 = (fiat_25519_uint1)(0x0 - x2);
+}
+
+/*
+ * The function fiat_25519_mulx_u64 is a multiplication, returning the full double-width result.
+ *
+ * Postconditions:
+ *   out1 = (arg1 * arg2) mod 2^64
+ *   out2 = ⌊arg1 * arg2 / 2^64⌋
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0xffffffffffffffff]
+ *   arg2: [0x0 ~> 0xffffffffffffffff]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0xffffffffffffffff]
+ *   out2: [0x0 ~> 0xffffffffffffffff]
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) {
+// NOTE: edited after generation
+#if defined(_M_X64)
+  *out1 = _umul128(arg1, arg2, out2);
+#elif defined(_M_ARM64)
+  *out1 = arg1 * arg2;
+  *out2 = __umulh(arg1, arg2);
+#else
+#error "This file is intended for MSVC on X64 or ARM64"
+#endif
+}
+
+/*
+ * The function fiat_25519_cmovznz_u64 is a single-word conditional move.
+ *
+ * Postconditions:
+ *   out1 = (if arg1 = 0 then arg2 else arg3)
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0x1]
+ *   arg2: [0x0 ~> 0xffffffffffffffff]
+ *   arg3: [0x0 ~> 0xffffffffffffffff]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0xffffffffffffffff]
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
+  fiat_25519_uint1 x1;
+  uint64_t x2;
+  uint64_t x3;
+  x1 = (!(!arg1));
+  x2 = ((fiat_25519_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff));
+  x3 = ((fiat_25519_value_barrier_u64(x2) & arg3) | (fiat_25519_value_barrier_u64((~x2)) & arg2));
+  *out1 = x3;
+}
+
+/*
+ * The function fiat_25519_carry_mul multiplies two field elements and reduces the result.
+ *
+ * Postconditions:
+ *   eval out1 mod m = (eval arg1 * eval arg2) mod m
+ *
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  uint64_t x6;
+  uint64_t x7;
+  uint64_t x8;
+  uint64_t x9;
+  uint64_t x10;
+  uint64_t x11;
+  uint64_t x12;
+  uint64_t x13;
+  uint64_t x14;
+  uint64_t x15;
+  uint64_t x16;
+  uint64_t x17;
+  uint64_t x18;
+  uint64_t x19;
+  uint64_t x20;
+  uint64_t x21;
+  uint64_t x22;
+  uint64_t x23;
+  uint64_t x24;
+  uint64_t x25;
+  uint64_t x26;
+  uint64_t x27;
+  uint64_t x28;
+  uint64_t x29;
+  uint64_t x30;
+  uint64_t x31;
+  uint64_t x32;
+  uint64_t x33;
+  uint64_t x34;
+  uint64_t x35;
+  uint64_t x36;
+  uint64_t x37;
+  uint64_t x38;
+  uint64_t x39;
+  uint64_t x40;
+  uint64_t x41;
+  uint64_t x42;
+  uint64_t x43;
+  uint64_t x44;
+  uint64_t x45;
+  uint64_t x46;
+  uint64_t x47;
+  uint64_t x48;
+  uint64_t x49;
+  uint64_t x50;
+  uint64_t x51;
+  fiat_25519_uint1 x52;
+  uint64_t x53;
+  fiat_25519_uint1 x54;
+  uint64_t x55;
+  fiat_25519_uint1 x56;
+  uint64_t x57;
+  fiat_25519_uint1 x58;
+  uint64_t x59;
+  fiat_25519_uint1 x60;
+  uint64_t x61;
+  fiat_25519_uint1 x62;
+  uint64_t x63;
+  fiat_25519_uint1 x64;
+  uint64_t x65;
+  fiat_25519_uint1 x66;
+  uint64_t x67;
+  uint64_t x68;
+  uint64_t x69;
+  fiat_25519_uint1 x70;
+  uint64_t x71;
+  fiat_25519_uint1 x72;
+  uint64_t x73;
+  fiat_25519_uint1 x74;
+  uint64_t x75;
+  fiat_25519_uint1 x76;
+  uint64_t x77;
+  fiat_25519_uint1 x78;
+  uint64_t x79;
+  fiat_25519_uint1 x80;
+  uint64_t x81;
+  fiat_25519_uint1 x82;
+  uint64_t x83;
+  fiat_25519_uint1 x84;
+  uint64_t x85;
+  fiat_25519_uint1 x86;
+  uint64_t x87;
+  fiat_25519_uint1 x88;
+  uint64_t x89;
+  fiat_25519_uint1 x90;
+  uint64_t x91;
+  fiat_25519_uint1 x92;
+  uint64_t x93;
+  fiat_25519_uint1 x94;
+  uint64_t x95;
+  fiat_25519_uint1 x96;
+  uint64_t x97;
+  fiat_25519_uint1 x98;
+  uint64_t x99;
+  fiat_25519_uint1 x100;
+  uint64_t x101;
+  fiat_25519_uint1 x102;
+  uint64_t x103;
+  fiat_25519_uint1 x104;
+  uint64_t x105;
+  fiat_25519_uint1 x106;
+  uint64_t x107;
+  fiat_25519_uint1 x108;
+  uint64_t x109;
+  fiat_25519_uint1 x110;
+  uint64_t x111;
+  fiat_25519_uint1 x112;
+  uint64_t x113;
+  fiat_25519_uint1 x114;
+  uint64_t x115;
+  fiat_25519_uint1 x116;
+  uint64_t x117;
+  fiat_25519_uint1 x118;
+  uint64_t x119;
+  fiat_25519_uint1 x120;
+  uint64_t x121;
+  fiat_25519_uint1 x122;
+  uint64_t x123;
+  fiat_25519_uint1 x124;
+  uint64_t x125;
+  fiat_25519_uint1 x126;
+  uint64_t x127;
+  fiat_25519_uint1 x128;
+  uint64_t x129;
+  fiat_25519_uint1 x130;
+  uint64_t x131;
+  fiat_25519_uint1 x132;
+  uint64_t x133;
+  fiat_25519_uint1 x134;
+  uint64_t x135;
+  uint64_t x136;
+  uint64_t x137;
+  uint64_t x138;
+  fiat_25519_uint1 x139;
+  uint64_t x140;
+  uint64_t x141;
+  uint64_t x142;
+  uint64_t x143;
+  fiat_25519_uint1 x144;
+  uint64_t x145;
+  uint64_t x146;
+  uint64_t x147;
+  uint64_t x148;
+  fiat_25519_uint1 x149;
+  uint64_t x150;
+  uint64_t x151;
+  uint64_t x152;
+  uint64_t x153;
+  uint64_t x154;
+  uint64_t x155;
+  uint64_t x156;
+  uint64_t x157;
+  fiat_25519_uint1 x158;
+  uint64_t x159;
+  uint64_t x160;
+  fiat_25519_mulx_u64(&x1, &x2, (arg1[4]), ((arg2[4]) * UINT8_C(0x13)));
+  fiat_25519_mulx_u64(&x3, &x4, (arg1[4]), ((arg2[3]) * UINT8_C(0x13)));
+  fiat_25519_mulx_u64(&x5, &x6, (arg1[4]), ((arg2[2]) * UINT8_C(0x13)));
+  fiat_25519_mulx_u64(&x7, &x8, (arg1[4]), ((arg2[1]) * UINT8_C(0x13)));
+  fiat_25519_mulx_u64(&x9, &x10, (arg1[3]), ((arg2[4]) * UINT8_C(0x13)));
+  fiat_25519_mulx_u64(&x11, &x12, (arg1[3]), ((arg2[3]) * UINT8_C(0x13)));
+  fiat_25519_mulx_u64(&x13, &x14, (arg1[3]), ((arg2[2]) * UINT8_C(0x13)));
+  fiat_25519_mulx_u64(&x15, &x16, (arg1[2]), ((arg2[4]) * UINT8_C(0x13)));
+  fiat_25519_mulx_u64(&x17, &x18, (arg1[2]), ((arg2[3]) * UINT8_C(0x13)));
+  fiat_25519_mulx_u64(&x19, &x20, (arg1[1]), ((arg2[4]) * UINT8_C(0x13)));
+  fiat_25519_mulx_u64(&x21, &x22, (arg1[4]), (arg2[0]));
+  fiat_25519_mulx_u64(&x23, &x24, (arg1[3]), (arg2[1]));
+  fiat_25519_mulx_u64(&x25, &x26, (arg1[3]), (arg2[0]));
+  fiat_25519_mulx_u64(&x27, &x28, (arg1[2]), (arg2[2]));
+  fiat_25519_mulx_u64(&x29, &x30, (arg1[2]), (arg2[1]));
+  fiat_25519_mulx_u64(&x31, &x32, (arg1[2]), (arg2[0]));
+  fiat_25519_mulx_u64(&x33, &x34, (arg1[1]), (arg2[3]));
+  fiat_25519_mulx_u64(&x35, &x36, (arg1[1]), (arg2[2]));
+  fiat_25519_mulx_u64(&x37, &x38, (arg1[1]), (arg2[1]));
+  fiat_25519_mulx_u64(&x39, &x40, (arg1[1]), (arg2[0]));
+  fiat_25519_mulx_u64(&x41, &x42, (arg1[0]), (arg2[4]));
+  fiat_25519_mulx_u64(&x43, &x44, (arg1[0]), (arg2[3]));
+  fiat_25519_mulx_u64(&x45, &x46, (arg1[0]), (arg2[2]));
+  fiat_25519_mulx_u64(&x47, &x48, (arg1[0]), (arg2[1]));
+  fiat_25519_mulx_u64(&x49, &x50, (arg1[0]), (arg2[0]));
+  fiat_25519_addcarryx_u64(&x51, &x52, 0x0, x13, x7);
+  fiat_25519_addcarryx_u64(&x53, &x54, x52, x14, x8);
+  fiat_25519_addcarryx_u64(&x55, &x56, 0x0, x17, x51);
+  fiat_25519_addcarryx_u64(&x57, &x58, x56, x18, x53);
+  fiat_25519_addcarryx_u64(&x59, &x60, 0x0, x19, x55);
+  fiat_25519_addcarryx_u64(&x61, &x62, x60, x20, x57);
+  fiat_25519_addcarryx_u64(&x63, &x64, 0x0, x49, x59);
+  fiat_25519_addcarryx_u64(&x65, &x66, x64, x50, x61);
+  x67 = ((x63 >> 51) | ((x65 << 13) & UINT64_C(0xffffffffffffffff)));
+  x68 = (x63 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x69, &x70, 0x0, x23, x21);
+  fiat_25519_addcarryx_u64(&x71, &x72, x70, x24, x22);
+  fiat_25519_addcarryx_u64(&x73, &x74, 0x0, x27, x69);
+  fiat_25519_addcarryx_u64(&x75, &x76, x74, x28, x71);
+  fiat_25519_addcarryx_u64(&x77, &x78, 0x0, x33, x73);
+  fiat_25519_addcarryx_u64(&x79, &x80, x78, x34, x75);
+  fiat_25519_addcarryx_u64(&x81, &x82, 0x0, x41, x77);
+  fiat_25519_addcarryx_u64(&x83, &x84, x82, x42, x79);
+  fiat_25519_addcarryx_u64(&x85, &x86, 0x0, x25, x1);
+  fiat_25519_addcarryx_u64(&x87, &x88, x86, x26, x2);
+  fiat_25519_addcarryx_u64(&x89, &x90, 0x0, x29, x85);
+  fiat_25519_addcarryx_u64(&x91, &x92, x90, x30, x87);
+  fiat_25519_addcarryx_u64(&x93, &x94, 0x0, x35, x89);
+  fiat_25519_addcarryx_u64(&x95, &x96, x94, x36, x91);
+  fiat_25519_addcarryx_u64(&x97, &x98, 0x0, x43, x93);
+  fiat_25519_addcarryx_u64(&x99, &x100, x98, x44, x95);
+  fiat_25519_addcarryx_u64(&x101, &x102, 0x0, x9, x3);
+  fiat_25519_addcarryx_u64(&x103, &x104, x102, x10, x4);
+  fiat_25519_addcarryx_u64(&x105, &x106, 0x0, x31, x101);
+  fiat_25519_addcarryx_u64(&x107, &x108, x106, x32, x103);
+  fiat_25519_addcarryx_u64(&x109, &x110, 0x0, x37, x105);
+  fiat_25519_addcarryx_u64(&x111, &x112, x110, x38, x107);
+  fiat_25519_addcarryx_u64(&x113, &x114, 0x0, x45, x109);
+  fiat_25519_addcarryx_u64(&x115, &x116, x114, x46, x111);
+  fiat_25519_addcarryx_u64(&x117, &x118, 0x0, x11, x5);
+  fiat_25519_addcarryx_u64(&x119, &x120, x118, x12, x6);
+  fiat_25519_addcarryx_u64(&x121, &x122, 0x0, x15, x117);
+  fiat_25519_addcarryx_u64(&x123, &x124, x122, x16, x119);
+  fiat_25519_addcarryx_u64(&x125, &x126, 0x0, x39, x121);
+  fiat_25519_addcarryx_u64(&x127, &x128, x126, x40, x123);
+  fiat_25519_addcarryx_u64(&x129, &x130, 0x0, x47, x125);
+  fiat_25519_addcarryx_u64(&x131, &x132, x130, x48, x127);
+  fiat_25519_addcarryx_u64(&x133, &x134, 0x0, x67, x129);
+  x135 = (x134 + x131);
+  x136 = ((x133 >> 51) | ((x135 << 13) & UINT64_C(0xffffffffffffffff)));
+  x137 = (x133 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x138, &x139, 0x0, x136, x113);
+  x140 = (x139 + x115);
+  x141 = ((x138 >> 51) | ((x140 << 13) & UINT64_C(0xffffffffffffffff)));
+  x142 = (x138 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x143, &x144, 0x0, x141, x97);
+  x145 = (x144 + x99);
+  x146 = ((x143 >> 51) | ((x145 << 13) & UINT64_C(0xffffffffffffffff)));
+  x147 = (x143 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x148, &x149, 0x0, x146, x81);
+  x150 = (x149 + x83);
+  x151 = ((x148 >> 51) | ((x150 << 13) & UINT64_C(0xffffffffffffffff)));
+  x152 = (x148 & UINT64_C(0x7ffffffffffff));
+  x153 = (x151 * UINT8_C(0x13));
+  x154 = (x68 + x153);
+  x155 = (x154 >> 51);
+  x156 = (x154 & UINT64_C(0x7ffffffffffff));
+  x157 = (x155 + x137);
+  x158 = (fiat_25519_uint1)(x157 >> 51);
+  x159 = (x157 & UINT64_C(0x7ffffffffffff));
+  x160 = (x158 + x142);
+  out1[0] = x156;
+  out1[1] = x159;
+  out1[2] = x160;
+  out1[3] = x147;
+  out1[4] = x152;
+}
+
+/*
+ * The function fiat_25519_carry_square squares a field element and reduces the result.
+ *
+ * Postconditions:
+ *   eval out1 mod m = (eval arg1 * eval arg1) mod m
+ *
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  uint64_t x6;
+  uint64_t x7;
+  uint64_t x8;
+  uint64_t x9;
+  uint64_t x10;
+  uint64_t x11;
+  uint64_t x12;
+  uint64_t x13;
+  uint64_t x14;
+  uint64_t x15;
+  uint64_t x16;
+  uint64_t x17;
+  uint64_t x18;
+  uint64_t x19;
+  uint64_t x20;
+  uint64_t x21;
+  uint64_t x22;
+  uint64_t x23;
+  uint64_t x24;
+  uint64_t x25;
+  uint64_t x26;
+  uint64_t x27;
+  uint64_t x28;
+  uint64_t x29;
+  uint64_t x30;
+  uint64_t x31;
+  uint64_t x32;
+  uint64_t x33;
+  uint64_t x34;
+  uint64_t x35;
+  uint64_t x36;
+  uint64_t x37;
+  uint64_t x38;
+  uint64_t x39;
+  fiat_25519_uint1 x40;
+  uint64_t x41;
+  fiat_25519_uint1 x42;
+  uint64_t x43;
+  fiat_25519_uint1 x44;
+  uint64_t x45;
+  fiat_25519_uint1 x46;
+  uint64_t x47;
+  uint64_t x48;
+  uint64_t x49;
+  fiat_25519_uint1 x50;
+  uint64_t x51;
+  fiat_25519_uint1 x52;
+  uint64_t x53;
+  fiat_25519_uint1 x54;
+  uint64_t x55;
+  fiat_25519_uint1 x56;
+  uint64_t x57;
+  fiat_25519_uint1 x58;
+  uint64_t x59;
+  fiat_25519_uint1 x60;
+  uint64_t x61;
+  fiat_25519_uint1 x62;
+  uint64_t x63;
+  fiat_25519_uint1 x64;
+  uint64_t x65;
+  fiat_25519_uint1 x66;
+  uint64_t x67;
+  fiat_25519_uint1 x68;
+  uint64_t x69;
+  fiat_25519_uint1 x70;
+  uint64_t x71;
+  fiat_25519_uint1 x72;
+  uint64_t x73;
+  fiat_25519_uint1 x74;
+  uint64_t x75;
+  fiat_25519_uint1 x76;
+  uint64_t x77;
+  fiat_25519_uint1 x78;
+  uint64_t x79;
+  fiat_25519_uint1 x80;
+  uint64_t x81;
+  fiat_25519_uint1 x82;
+  uint64_t x83;
+  uint64_t x84;
+  uint64_t x85;
+  uint64_t x86;
+  fiat_25519_uint1 x87;
+  uint64_t x88;
+  uint64_t x89;
+  uint64_t x90;
+  uint64_t x91;
+  fiat_25519_uint1 x92;
+  uint64_t x93;
+  uint64_t x94;
+  uint64_t x95;
+  uint64_t x96;
+  fiat_25519_uint1 x97;
+  uint64_t x98;
+  uint64_t x99;
+  uint64_t x100;
+  uint64_t x101;
+  uint64_t x102;
+  uint64_t x103;
+  uint64_t x104;
+  uint64_t x105;
+  fiat_25519_uint1 x106;
+  uint64_t x107;
+  uint64_t x108;
+  x1 = ((arg1[4]) * UINT8_C(0x13));
+  x2 = (x1 * 0x2);
+  x3 = ((arg1[4]) * 0x2);
+  x4 = ((arg1[3]) * UINT8_C(0x13));
+  x5 = (x4 * 0x2);
+  x6 = ((arg1[3]) * 0x2);
+  x7 = ((arg1[2]) * 0x2);
+  x8 = ((arg1[1]) * 0x2);
+  fiat_25519_mulx_u64(&x9, &x10, (arg1[4]), x1);
+  fiat_25519_mulx_u64(&x11, &x12, (arg1[3]), x2);
+  fiat_25519_mulx_u64(&x13, &x14, (arg1[3]), x4);
+  fiat_25519_mulx_u64(&x15, &x16, (arg1[2]), x2);
+  fiat_25519_mulx_u64(&x17, &x18, (arg1[2]), x5);
+  fiat_25519_mulx_u64(&x19, &x20, (arg1[2]), (arg1[2]));
+  fiat_25519_mulx_u64(&x21, &x22, (arg1[1]), x2);
+  fiat_25519_mulx_u64(&x23, &x24, (arg1[1]), x6);
+  fiat_25519_mulx_u64(&x25, &x26, (arg1[1]), x7);
+  fiat_25519_mulx_u64(&x27, &x28, (arg1[1]), (arg1[1]));
+  fiat_25519_mulx_u64(&x29, &x30, (arg1[0]), x3);
+  fiat_25519_mulx_u64(&x31, &x32, (arg1[0]), x6);
+  fiat_25519_mulx_u64(&x33, &x34, (arg1[0]), x7);
+  fiat_25519_mulx_u64(&x35, &x36, (arg1[0]), x8);
+  fiat_25519_mulx_u64(&x37, &x38, (arg1[0]), (arg1[0]));
+  fiat_25519_addcarryx_u64(&x39, &x40, 0x0, x21, x17);
+  fiat_25519_addcarryx_u64(&x41, &x42, x40, x22, x18);
+  fiat_25519_addcarryx_u64(&x43, &x44, 0x0, x37, x39);
+  fiat_25519_addcarryx_u64(&x45, &x46, x44, x38, x41);
+  x47 = ((x43 >> 51) | ((x45 << 13) & UINT64_C(0xffffffffffffffff)));
+  x48 = (x43 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x49, &x50, 0x0, x23, x19);
+  fiat_25519_addcarryx_u64(&x51, &x52, x50, x24, x20);
+  fiat_25519_addcarryx_u64(&x53, &x54, 0x0, x29, x49);
+  fiat_25519_addcarryx_u64(&x55, &x56, x54, x30, x51);
+  fiat_25519_addcarryx_u64(&x57, &x58, 0x0, x25, x9);
+  fiat_25519_addcarryx_u64(&x59, &x60, x58, x26, x10);
+  fiat_25519_addcarryx_u64(&x61, &x62, 0x0, x31, x57);
+  fiat_25519_addcarryx_u64(&x63, &x64, x62, x32, x59);
+  fiat_25519_addcarryx_u64(&x65, &x66, 0x0, x27, x11);
+  fiat_25519_addcarryx_u64(&x67, &x68, x66, x28, x12);
+  fiat_25519_addcarryx_u64(&x69, &x70, 0x0, x33, x65);
+  fiat_25519_addcarryx_u64(&x71, &x72, x70, x34, x67);
+  fiat_25519_addcarryx_u64(&x73, &x74, 0x0, x15, x13);
+  fiat_25519_addcarryx_u64(&x75, &x76, x74, x16, x14);
+  fiat_25519_addcarryx_u64(&x77, &x78, 0x0, x35, x73);
+  fiat_25519_addcarryx_u64(&x79, &x80, x78, x36, x75);
+  fiat_25519_addcarryx_u64(&x81, &x82, 0x0, x47, x77);
+  x83 = (x82 + x79);
+  x84 = ((x81 >> 51) | ((x83 << 13) & UINT64_C(0xffffffffffffffff)));
+  x85 = (x81 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x86, &x87, 0x0, x84, x69);
+  x88 = (x87 + x71);
+  x89 = ((x86 >> 51) | ((x88 << 13) & UINT64_C(0xffffffffffffffff)));
+  x90 = (x86 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x91, &x92, 0x0, x89, x61);
+  x93 = (x92 + x63);
+  x94 = ((x91 >> 51) | ((x93 << 13) & UINT64_C(0xffffffffffffffff)));
+  x95 = (x91 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x96, &x97, 0x0, x94, x53);
+  x98 = (x97 + x55);
+  x99 = ((x96 >> 51) | ((x98 << 13) & UINT64_C(0xffffffffffffffff)));
+  x100 = (x96 & UINT64_C(0x7ffffffffffff));
+  x101 = (x99 * UINT8_C(0x13));
+  x102 = (x48 + x101);
+  x103 = (x102 >> 51);
+  x104 = (x102 & UINT64_C(0x7ffffffffffff));
+  x105 = (x103 + x85);
+  x106 = (fiat_25519_uint1)(x105 >> 51);
+  x107 = (x105 & UINT64_C(0x7ffffffffffff));
+  x108 = (x106 + x90);
+  out1[0] = x104;
+  out1[1] = x107;
+  out1[2] = x108;
+  out1[3] = x95;
+  out1[4] = x100;
+}
+
+/*
+ * The function fiat_25519_carry reduces a field element.
+ *
+ * Postconditions:
+ *   eval out1 mod m = eval arg1 mod m
+ *
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  uint64_t x6;
+  uint64_t x7;
+  uint64_t x8;
+  uint64_t x9;
+  uint64_t x10;
+  uint64_t x11;
+  uint64_t x12;
+  x1 = (arg1[0]);
+  x2 = ((x1 >> 51) + (arg1[1]));
+  x3 = ((x2 >> 51) + (arg1[2]));
+  x4 = ((x3 >> 51) + (arg1[3]));
+  x5 = ((x4 >> 51) + (arg1[4]));
+  x6 = ((x1 & UINT64_C(0x7ffffffffffff)) + ((x5 >> 51) * UINT8_C(0x13)));
+  x7 = ((fiat_25519_uint1)(x6 >> 51) + (x2 & UINT64_C(0x7ffffffffffff)));
+  x8 = (x6 & UINT64_C(0x7ffffffffffff));
+  x9 = (x7 & UINT64_C(0x7ffffffffffff));
+  x10 = ((fiat_25519_uint1)(x7 >> 51) + (x3 & UINT64_C(0x7ffffffffffff)));
+  x11 = (x4 & UINT64_C(0x7ffffffffffff));
+  x12 = (x5 & UINT64_C(0x7ffffffffffff));
+  out1[0] = x8;
+  out1[1] = x9;
+  out1[2] = x10;
+  out1[3] = x11;
+  out1[4] = x12;
+}
+
+/*
+ * The function fiat_25519_add adds two field elements.
+ *
+ * Postconditions:
+ *   eval out1 mod m = (eval arg1 + eval arg2) mod m
+ *
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  x1 = ((arg1[0]) + (arg2[0]));
+  x2 = ((arg1[1]) + (arg2[1]));
+  x3 = ((arg1[2]) + (arg2[2]));
+  x4 = ((arg1[3]) + (arg2[3]));
+  x5 = ((arg1[4]) + (arg2[4]));
+  out1[0] = x1;
+  out1[1] = x2;
+  out1[2] = x3;
+  out1[3] = x4;
+  out1[4] = x5;
+}
+
+/*
+ * The function fiat_25519_sub subtracts two field elements.
+ *
+ * Postconditions:
+ *   eval out1 mod m = (eval arg1 - eval arg2) mod m
+ *
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  x1 = ((UINT64_C(0xfffffffffffda) + (arg1[0])) - (arg2[0]));
+  x2 = ((UINT64_C(0xffffffffffffe) + (arg1[1])) - (arg2[1]));
+  x3 = ((UINT64_C(0xffffffffffffe) + (arg1[2])) - (arg2[2]));
+  x4 = ((UINT64_C(0xffffffffffffe) + (arg1[3])) - (arg2[3]));
+  x5 = ((UINT64_C(0xffffffffffffe) + (arg1[4])) - (arg2[4]));
+  out1[0] = x1;
+  out1[1] = x2;
+  out1[2] = x3;
+  out1[3] = x4;
+  out1[4] = x5;
+}
+
+/*
+ * The function fiat_25519_opp negates a field element.
+ *
+ * Postconditions:
+ *   eval out1 mod m = -eval arg1 mod m
+ *
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  x1 = (UINT64_C(0xfffffffffffda) - (arg1[0]));
+  x2 = (UINT64_C(0xffffffffffffe) - (arg1[1]));
+  x3 = (UINT64_C(0xffffffffffffe) - (arg1[2]));
+  x4 = (UINT64_C(0xffffffffffffe) - (arg1[3]));
+  x5 = (UINT64_C(0xffffffffffffe) - (arg1[4]));
+  out1[0] = x1;
+  out1[1] = x2;
+  out1[2] = x3;
+  out1[3] = x4;
+  out1[4] = x5;
+}
+
+/*
+ * The function fiat_25519_selectznz is a multi-limb conditional select.
+ *
+ * Postconditions:
+ *   out1 = (if arg1 = 0 then arg2 else arg3)
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0x1]
+ *   arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ *   arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ * Output Bounds:
+ *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const uint64_t arg2[5], const uint64_t arg3[5]) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  fiat_25519_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0]));
+  fiat_25519_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1]));
+  fiat_25519_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2]));
+  fiat_25519_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3]));
+  fiat_25519_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4]));
+  out1[0] = x1;
+  out1[1] = x2;
+  out1[2] = x3;
+  out1[3] = x4;
+  out1[4] = x5;
+}
+
+/*
+ * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order.
+ *
+ * Postconditions:
+ *   out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]
+ *
+ * Output Bounds:
+ *   out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) {
+  uint64_t x1;
+  fiat_25519_uint1 x2;
+  uint64_t x3;
+  fiat_25519_uint1 x4;
+  uint64_t x5;
+  fiat_25519_uint1 x6;
+  uint64_t x7;
+  fiat_25519_uint1 x8;
+  uint64_t x9;
+  fiat_25519_uint1 x10;
+  uint64_t x11;
+  uint64_t x12;
+  fiat_25519_uint1 x13;
+  uint64_t x14;
+  fiat_25519_uint1 x15;
+  uint64_t x16;
+  fiat_25519_uint1 x17;
+  uint64_t x18;
+  fiat_25519_uint1 x19;
+  uint64_t x20;
+  fiat_25519_uint1 x21;
+  uint64_t x22;
+  uint64_t x23;
+  uint64_t x24;
+  uint64_t x25;
+  uint8_t x26;
+  uint64_t x27;
+  uint8_t x28;
+  uint64_t x29;
+  uint8_t x30;
+  uint64_t x31;
+  uint8_t x32;
+  uint64_t x33;
+  uint8_t x34;
+  uint64_t x35;
+  uint8_t x36;
+  uint8_t x37;
+  uint64_t x38;
+  uint8_t x39;
+  uint64_t x40;
+  uint8_t x41;
+  uint64_t x42;
+  uint8_t x43;
+  uint64_t x44;
+  uint8_t x45;
+  uint64_t x46;
+  uint8_t x47;
+  uint64_t x48;
+  uint8_t x49;
+  uint8_t x50;
+  uint64_t x51;
+  uint8_t x52;
+  uint64_t x53;
+  uint8_t x54;
+  uint64_t x55;
+  uint8_t x56;
+  uint64_t x57;
+  uint8_t x58;
+  uint64_t x59;
+  uint8_t x60;
+  uint64_t x61;
+  uint8_t x62;
+  uint64_t x63;
+  uint8_t x64;
+  fiat_25519_uint1 x65;
+  uint64_t x66;
+  uint8_t x67;
+  uint64_t x68;
+  uint8_t x69;
+  uint64_t x70;
+  uint8_t x71;
+  uint64_t x72;
+  uint8_t x73;
+  uint64_t x74;
+  uint8_t x75;
+  uint64_t x76;
+  uint8_t x77;
+  uint8_t x78;
+  uint64_t x79;
+  uint8_t x80;
+  uint64_t x81;
+  uint8_t x82;
+  uint64_t x83;
+  uint8_t x84;
+  uint64_t x85;
+  uint8_t x86;
+  uint64_t x87;
+  uint8_t x88;
+  uint64_t x89;
+  uint8_t x90;
+  uint8_t x91;
+  fiat_25519_subborrowx_u51(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0x7ffffffffffed));
+  fiat_25519_subborrowx_u51(&x3, &x4, x2, (arg1[1]), UINT64_C(0x7ffffffffffff));
+  fiat_25519_subborrowx_u51(&x5, &x6, x4, (arg1[2]), UINT64_C(0x7ffffffffffff));
+  fiat_25519_subborrowx_u51(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7ffffffffffff));
+  fiat_25519_subborrowx_u51(&x9, &x10, x8, (arg1[4]), UINT64_C(0x7ffffffffffff));
+  fiat_25519_cmovznz_u64(&x11, x10, 0x0, UINT64_C(0xffffffffffffffff));
+  fiat_25519_addcarryx_u51(&x12, &x13, 0x0, x1, (x11 & UINT64_C(0x7ffffffffffed)));
+  fiat_25519_addcarryx_u51(&x14, &x15, x13, x3, (x11 & UINT64_C(0x7ffffffffffff)));
+  fiat_25519_addcarryx_u51(&x16, &x17, x15, x5, (x11 & UINT64_C(0x7ffffffffffff)));
+  fiat_25519_addcarryx_u51(&x18, &x19, x17, x7, (x11 & UINT64_C(0x7ffffffffffff)));
+  fiat_25519_addcarryx_u51(&x20, &x21, x19, x9, (x11 & UINT64_C(0x7ffffffffffff)));
+  x22 = (x20 << 4);
+  x23 = (x18 * (uint64_t)0x2);
+  x24 = (x16 << 6);
+  x25 = (x14 << 3);
+  x26 = (uint8_t)(x12 & UINT8_C(0xff));
+  x27 = (x12 >> 8);
+  x28 = (uint8_t)(x27 & UINT8_C(0xff));
+  x29 = (x27 >> 8);
+  x30 = (uint8_t)(x29 & UINT8_C(0xff));
+  x31 = (x29 >> 8);
+  x32 = (uint8_t)(x31 & UINT8_C(0xff));
+  x33 = (x31 >> 8);
+  x34 = (uint8_t)(x33 & UINT8_C(0xff));
+  x35 = (x33 >> 8);
+  x36 = (uint8_t)(x35 & UINT8_C(0xff));
+  x37 = (uint8_t)(x35 >> 8);
+  x38 = (x25 + (uint64_t)x37);
+  x39 = (uint8_t)(x38 & UINT8_C(0xff));
+  x40 = (x38 >> 8);
+  x41 = (uint8_t)(x40 & UINT8_C(0xff));
+  x42 = (x40 >> 8);
+  x43 = (uint8_t)(x42 & UINT8_C(0xff));
+  x44 = (x42 >> 8);
+  x45 = (uint8_t)(x44 & UINT8_C(0xff));
+  x46 = (x44 >> 8);
+  x47 = (uint8_t)(x46 & UINT8_C(0xff));
+  x48 = (x46 >> 8);
+  x49 = (uint8_t)(x48 & UINT8_C(0xff));
+  x50 = (uint8_t)(x48 >> 8);
+  x51 = (x24 + (uint64_t)x50);
+  x52 = (uint8_t)(x51 & UINT8_C(0xff));
+  x53 = (x51 >> 8);
+  x54 = (uint8_t)(x53 & UINT8_C(0xff));
+  x55 = (x53 >> 8);
+  x56 = (uint8_t)(x55 & UINT8_C(0xff));
+  x57 = (x55 >> 8);
+  x58 = (uint8_t)(x57 & UINT8_C(0xff));
+  x59 = (x57 >> 8);
+  x60 = (uint8_t)(x59 & UINT8_C(0xff));
+  x61 = (x59 >> 8);
+  x62 = (uint8_t)(x61 & UINT8_C(0xff));
+  x63 = (x61 >> 8);
+  x64 = (uint8_t)(x63 & UINT8_C(0xff));
+  x65 = (fiat_25519_uint1)(x63 >> 8);
+  x66 = (x23 + (uint64_t)x65);
+  x67 = (uint8_t)(x66 & UINT8_C(0xff));
+  x68 = (x66 >> 8);
+  x69 = (uint8_t)(x68 & UINT8_C(0xff));
+  x70 = (x68 >> 8);
+  x71 = (uint8_t)(x70 & UINT8_C(0xff));
+  x72 = (x70 >> 8);
+  x73 = (uint8_t)(x72 & UINT8_C(0xff));
+  x74 = (x72 >> 8);
+  x75 = (uint8_t)(x74 & UINT8_C(0xff));
+  x76 = (x74 >> 8);
+  x77 = (uint8_t)(x76 & UINT8_C(0xff));
+  x78 = (uint8_t)(x76 >> 8);
+  x79 = (x22 + (uint64_t)x78);
+  x80 = (uint8_t)(x79 & UINT8_C(0xff));
+  x81 = (x79 >> 8);
+  x82 = (uint8_t)(x81 & UINT8_C(0xff));
+  x83 = (x81 >> 8);
+  x84 = (uint8_t)(x83 & UINT8_C(0xff));
+  x85 = (x83 >> 8);
+  x86 = (uint8_t)(x85 & UINT8_C(0xff));
+  x87 = (x85 >> 8);
+  x88 = (uint8_t)(x87 & UINT8_C(0xff));
+  x89 = (x87 >> 8);
+  x90 = (uint8_t)(x89 & UINT8_C(0xff));
+  x91 = (uint8_t)(x89 >> 8);
+  out1[0] = x26;
+  out1[1] = x28;
+  out1[2] = x30;
+  out1[3] = x32;
+  out1[4] = x34;
+  out1[5] = x36;
+  out1[6] = x39;
+  out1[7] = x41;
+  out1[8] = x43;
+  out1[9] = x45;
+  out1[10] = x47;
+  out1[11] = x49;
+  out1[12] = x52;
+  out1[13] = x54;
+  out1[14] = x56;
+  out1[15] = x58;
+  out1[16] = x60;
+  out1[17] = x62;
+  out1[18] = x64;
+  out1[19] = x67;
+  out1[20] = x69;
+  out1[21] = x71;
+  out1[22] = x73;
+  out1[23] = x75;
+  out1[24] = x77;
+  out1[25] = x80;
+  out1[26] = x82;
+  out1[27] = x84;
+  out1[28] = x86;
+  out1[29] = x88;
+  out1[30] = x90;
+  out1[31] = x91;
+}
+
+/*
+ * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order.
+ *
+ * Postconditions:
+ *   eval out1 mod m = bytes_eval arg1 mod m
+ *
+ * Input Bounds:
+ *   arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  uint64_t x6;
+  uint64_t x7;
+  uint64_t x8;
+  uint64_t x9;
+  uint64_t x10;
+  uint64_t x11;
+  uint64_t x12;
+  uint64_t x13;
+  uint64_t x14;
+  uint64_t x15;
+  uint64_t x16;
+  uint64_t x17;
+  uint64_t x18;
+  uint64_t x19;
+  uint64_t x20;
+  uint64_t x21;
+  uint64_t x22;
+  uint64_t x23;
+  uint64_t x24;
+  uint64_t x25;
+  uint64_t x26;
+  uint64_t x27;
+  uint64_t x28;
+  uint64_t x29;
+  uint64_t x30;
+  uint64_t x31;
+  uint8_t x32;
+  uint64_t x33;
+  uint64_t x34;
+  uint64_t x35;
+  uint64_t x36;
+  uint64_t x37;
+  uint64_t x38;
+  uint64_t x39;
+  uint8_t x40;
+  uint64_t x41;
+  uint64_t x42;
+  uint64_t x43;
+  uint64_t x44;
+  uint64_t x45;
+  uint64_t x46;
+  uint64_t x47;
+  uint8_t x48;
+  uint64_t x49;
+  uint64_t x50;
+  uint64_t x51;
+  uint64_t x52;
+  uint64_t x53;
+  uint64_t x54;
+  uint64_t x55;
+  uint64_t x56;
+  uint8_t x57;
+  uint64_t x58;
+  uint64_t x59;
+  uint64_t x60;
+  uint64_t x61;
+  uint64_t x62;
+  uint64_t x63;
+  uint64_t x64;
+  uint8_t x65;
+  uint64_t x66;
+  uint64_t x67;
+  uint64_t x68;
+  uint64_t x69;
+  uint64_t x70;
+  uint64_t x71;
+  x1 = ((uint64_t)(arg1[31]) << 44);
+  x2 = ((uint64_t)(arg1[30]) << 36);
+  x3 = ((uint64_t)(arg1[29]) << 28);
+  x4 = ((uint64_t)(arg1[28]) << 20);
+  x5 = ((uint64_t)(arg1[27]) << 12);
+  x6 = ((uint64_t)(arg1[26]) << 4);
+  x7 = ((uint64_t)(arg1[25]) << 47);
+  x8 = ((uint64_t)(arg1[24]) << 39);
+  x9 = ((uint64_t)(arg1[23]) << 31);
+  x10 = ((uint64_t)(arg1[22]) << 23);
+  x11 = ((uint64_t)(arg1[21]) << 15);
+  x12 = ((uint64_t)(arg1[20]) << 7);
+  x13 = ((uint64_t)(arg1[19]) << 50);
+  x14 = ((uint64_t)(arg1[18]) << 42);
+  x15 = ((uint64_t)(arg1[17]) << 34);
+  x16 = ((uint64_t)(arg1[16]) << 26);
+  x17 = ((uint64_t)(arg1[15]) << 18);
+  x18 = ((uint64_t)(arg1[14]) << 10);
+  x19 = ((uint64_t)(arg1[13]) << 2);
+  x20 = ((uint64_t)(arg1[12]) << 45);
+  x21 = ((uint64_t)(arg1[11]) << 37);
+  x22 = ((uint64_t)(arg1[10]) << 29);
+  x23 = ((uint64_t)(arg1[9]) << 21);
+  x24 = ((uint64_t)(arg1[8]) << 13);
+  x25 = ((uint64_t)(arg1[7]) << 5);
+  x26 = ((uint64_t)(arg1[6]) << 48);
+  x27 = ((uint64_t)(arg1[5]) << 40);
+  x28 = ((uint64_t)(arg1[4]) << 32);
+  x29 = ((uint64_t)(arg1[3]) << 24);
+  x30 = ((uint64_t)(arg1[2]) << 16);
+  x31 = ((uint64_t)(arg1[1]) << 8);
+  x32 = (arg1[0]);
+  x33 = (x31 + (uint64_t)x32);
+  x34 = (x30 + x33);
+  x35 = (x29 + x34);
+  x36 = (x28 + x35);
+  x37 = (x27 + x36);
+  x38 = (x26 + x37);
+  x39 = (x38 & UINT64_C(0x7ffffffffffff));
+  x40 = (uint8_t)(x38 >> 51);
+  x41 = (x25 + (uint64_t)x40);
+  x42 = (x24 + x41);
+  x43 = (x23 + x42);
+  x44 = (x22 + x43);
+  x45 = (x21 + x44);
+  x46 = (x20 + x45);
+  x47 = (x46 & UINT64_C(0x7ffffffffffff));
+  x48 = (uint8_t)(x46 >> 51);
+  x49 = (x19 + (uint64_t)x48);
+  x50 = (x18 + x49);
+  x51 = (x17 + x50);
+  x52 = (x16 + x51);
+  x53 = (x15 + x52);
+  x54 = (x14 + x53);
+  x55 = (x13 + x54);
+  x56 = (x55 & UINT64_C(0x7ffffffffffff));
+  x57 = (uint8_t)(x55 >> 51);
+  x58 = (x12 + (uint64_t)x57);
+  x59 = (x11 + x58);
+  x60 = (x10 + x59);
+  x61 = (x9 + x60);
+  x62 = (x8 + x61);
+  x63 = (x7 + x62);
+  x64 = (x63 & UINT64_C(0x7ffffffffffff));
+  x65 = (uint8_t)(x63 >> 51);
+  x66 = (x6 + (uint64_t)x65);
+  x67 = (x5 + x66);
+  x68 = (x4 + x67);
+  x69 = (x3 + x68);
+  x70 = (x2 + x69);
+  x71 = (x1 + x70);
+  out1[0] = x39;
+  out1[1] = x47;
+  out1[2] = x56;
+  out1[3] = x64;
+  out1[4] = x71;
+}
+
+/*
+ * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements.
+ *
+ * Postconditions:
+ *   out1 = arg1
+ *
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  x1 = (arg1[0]);
+  x2 = (arg1[1]);
+  x3 = (arg1[2]);
+  x4 = (arg1[3]);
+  x5 = (arg1[4]);
+  out1[0] = x1;
+  out1[1] = x2;
+  out1[2] = x3;
+  out1[3] = x4;
+  out1[4] = x5;
+}
+
+/*
+ * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.
+ *
+ * Postconditions:
+ *   eval out1 mod m = (121666 * eval arg1) mod m
+ *
+ */
+static FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  uint64_t x6;
+  uint64_t x7;
+  uint64_t x8;
+  uint64_t x9;
+  uint64_t x10;
+  uint64_t x11;
+  uint64_t x12;
+  uint64_t x13;
+  fiat_25519_uint1 x14;
+  uint64_t x15;
+  uint64_t x16;
+  uint64_t x17;
+  uint64_t x18;
+  fiat_25519_uint1 x19;
+  uint64_t x20;
+  uint64_t x21;
+  uint64_t x22;
+  uint64_t x23;
+  fiat_25519_uint1 x24;
+  uint64_t x25;
+  uint64_t x26;
+  uint64_t x27;
+  uint64_t x28;
+  fiat_25519_uint1 x29;
+  uint64_t x30;
+  uint64_t x31;
+  uint64_t x32;
+  uint64_t x33;
+  uint64_t x34;
+  fiat_25519_uint1 x35;
+  uint64_t x36;
+  uint64_t x37;
+  fiat_25519_uint1 x38;
+  uint64_t x39;
+  uint64_t x40;
+  fiat_25519_mulx_u64(&x1, &x2, UINT32_C(0x1db42), (arg1[4]));
+  fiat_25519_mulx_u64(&x3, &x4, UINT32_C(0x1db42), (arg1[3]));
+  fiat_25519_mulx_u64(&x5, &x6, UINT32_C(0x1db42), (arg1[2]));
+  fiat_25519_mulx_u64(&x7, &x8, UINT32_C(0x1db42), (arg1[1]));
+  fiat_25519_mulx_u64(&x9, &x10, UINT32_C(0x1db42), (arg1[0]));
+  x11 = ((x9 >> 51) | ((x10 << 13) & UINT64_C(0xffffffffffffffff)));
+  x12 = (x9 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x13, &x14, 0x0, x11, x7);
+  x15 = (x14 + x8);
+  x16 = ((x13 >> 51) | ((x15 << 13) & UINT64_C(0xffffffffffffffff)));
+  x17 = (x13 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x18, &x19, 0x0, x16, x5);
+  x20 = (x19 + x6);
+  x21 = ((x18 >> 51) | ((x20 << 13) & UINT64_C(0xffffffffffffffff)));
+  x22 = (x18 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x23, &x24, 0x0, x21, x3);
+  x25 = (x24 + x4);
+  x26 = ((x23 >> 51) | ((x25 << 13) & UINT64_C(0xffffffffffffffff)));
+  x27 = (x23 & UINT64_C(0x7ffffffffffff));
+  fiat_25519_addcarryx_u64(&x28, &x29, 0x0, x26, x1);
+  x30 = (x29 + x2);
+  x31 = ((x28 >> 51) | ((x30 << 13) & UINT64_C(0xffffffffffffffff)));
+  x32 = (x28 & UINT64_C(0x7ffffffffffff));
+  x33 = (x31 * UINT8_C(0x13));
+  x34 = (x12 + x33);
+  x35 = (fiat_25519_uint1)(x34 >> 51);
+  x36 = (x34 & UINT64_C(0x7ffffffffffff));
+  x37 = (x35 + x17);
+  x38 = (fiat_25519_uint1)(x37 >> 51);
+  x39 = (x37 & UINT64_C(0x7ffffffffffff));
+  x40 = (x38 + x22);
+  out1[0] = x36;
+  out1[1] = x39;
+  out1[2] = x40;
+  out1[3] = x27;
+  out1[4] = x32;
+}
diff --git a/src/third_party/fiat/p256_64_msvc.h b/src/third_party/fiat/p256_64_msvc.h
new file mode 100644
index 00000000..8b65a373
--- /dev/null
+++ b/src/third_party/fiat/p256_64_msvc.h
@@ -0,0 +1,2002 @@
+/* Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --inline --static --use-value-barrier --no-wide-int p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp */
+/* curve description: p256 */
+/* machine_wordsize = 64 (from "64") */
+/* requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp */
+/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") */
+/*                                                                    */
+/* NOTE: In addition to the bounds specified above each function, all */
+/*   functions synthesized for this Montgomery arithmetic require the */
+/*   input to be strictly less than the prime modulus (m), and also   */
+/*   require the input to be in the unique saturated representation.  */
+/*   All functions also ensure that these two properties are true of  */
+/*   return values.                                                   */
+/*  */
+/* Computed values: */
+/*   eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */
+/*   bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */
+/*   twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */
+/*                            if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */
+
+#include <stdint.h>
+#include <intrin.h>
+#if defined(_M_X64)
+#include <immintrin.h>
+#endif
+
+typedef unsigned char fiat_p256_uint1;
+typedef signed char fiat_p256_int1;
+
+#define FIAT_P256_FIAT_INLINE inline
+
+/* The type fiat_p256_montgomery_domain_field_element is a field element in the Montgomery domain. */
+/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */
+typedef uint64_t fiat_p256_montgomery_domain_field_element[4];
+
+/* The type fiat_p256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */
+/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */
+typedef uint64_t fiat_p256_non_montgomery_domain_field_element[4];
+
+#if (-1 & 3) != 3
+#error "This code only works on a two's complement system"
+#endif
+
+#define fiat_p256_value_barrier_u64(x) (x)
+
+
+/*
+ * The function fiat_p256_addcarryx_u64 is an addition with carry.
+ *
+ * Postconditions:
+ *   out1 = (arg1 + arg2 + arg3) mod 2^64
+ *   out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0x1]
+ *   arg2: [0x0 ~> 0xffffffffffffffff]
+ *   arg3: [0x0 ~> 0xffffffffffffffff]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0xffffffffffffffff]
+ *   out2: [0x0 ~> 0x1]
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) {
+#if defined(_M_X64)
+  *out2 = _addcarry_u64(arg1, arg2, arg3, out1);
+#else
+  arg2 += arg1;
+  arg1 = arg2 < arg1;
+  arg3 += arg2;
+  arg1 += arg3 < arg2;
+  *out1 = arg3;
+  *out2 = arg1;
+#endif
+}
+
+/*
+ * The function fiat_p256_subborrowx_u64 is a subtraction with borrow.
+ *
+ * Postconditions:
+ *   out1 = (-arg1 + arg2 + -arg3) mod 2^64
+ *   out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0x1]
+ *   arg2: [0x0 ~> 0xffffffffffffffff]
+ *   arg3: [0x0 ~> 0xffffffffffffffff]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0xffffffffffffffff]
+ *   out2: [0x0 ~> 0x1]
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) {
+#if defined(_M_X64)
+  *out2 = _subborrow_u64(arg1, arg2, arg3, out1); // NOTE: edited after generation
+#else
+  *out1 = arg2 - arg3 - arg1;
+  *out2 = (arg2 < arg3) | ((arg2 == arg3) & arg1);
+#endif
+}
+
+/*
+ * The function fiat_p256_mulx_u64 is a multiplication, returning the full double-width result.
+ *
+ * Postconditions:
+ *   out1 = (arg1 * arg2) mod 2^64
+ *   out2 = ⌊arg1 * arg2 / 2^64⌋
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0xffffffffffffffff]
+ *   arg2: [0x0 ~> 0xffffffffffffffff]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0xffffffffffffffff]
+ *   out2: [0x0 ~> 0xffffffffffffffff]
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) {
+// NOTE: edited after generation
+#if defined(_M_X64)
+  *out1 = _umul128(arg1, arg2, out2);
+#elif defined(_M_ARM64)
+  *out1 = arg1 * arg2;
+  *out2 = __umulh(arg1, arg2);
+#else
+#error "This file is intended for MSVC on X64 or ARM64"
+#endif
+}
+
+/*
+ * The function fiat_p256_cmovznz_u64 is a single-word conditional move.
+ *
+ * Postconditions:
+ *   out1 = (if arg1 = 0 then arg2 else arg3)
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0x1]
+ *   arg2: [0x0 ~> 0xffffffffffffffff]
+ *   arg3: [0x0 ~> 0xffffffffffffffff]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0xffffffffffffffff]
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) {
+  fiat_p256_uint1 x1;
+  uint64_t x2;
+  uint64_t x3;
+  x1 = (!(!arg1));
+  x2 = ((fiat_p256_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff));
+  x3 = ((fiat_p256_value_barrier_u64(x2) & arg3) | (fiat_p256_value_barrier_u64((~x2)) & arg2));
+  *out1 = x3;
+}
+
+/*
+ * The function fiat_p256_mul multiplies two field elements in the Montgomery domain.
+ *
+ * Preconditions:
+ *   0 ≤ eval arg1 < m
+ *   0 ≤ eval arg2 < m
+ * Postconditions:
+ *   eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m
+ *   0 ≤ eval out1 < m
+ *
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  uint64_t x6;
+  uint64_t x7;
+  uint64_t x8;
+  uint64_t x9;
+  uint64_t x10;
+  uint64_t x11;
+  uint64_t x12;
+  uint64_t x13;
+  fiat_p256_uint1 x14;
+  uint64_t x15;
+  fiat_p256_uint1 x16;
+  uint64_t x17;
+  fiat_p256_uint1 x18;
+  uint64_t x19;
+  uint64_t x20;
+  uint64_t x21;
+  uint64_t x22;
+  uint64_t x23;
+  uint64_t x24;
+  uint64_t x25;
+  uint64_t x26;
+  fiat_p256_uint1 x27;
+  uint64_t x28;
+  uint64_t x29;
+  fiat_p256_uint1 x30;
+  uint64_t x31;
+  fiat_p256_uint1 x32;
+  uint64_t x33;
+  fiat_p256_uint1 x34;
+  uint64_t x35;
+  fiat_p256_uint1 x36;
+  uint64_t x37;
+  fiat_p256_uint1 x38;
+  uint64_t x39;
+  uint64_t x40;
+  uint64_t x41;
+  uint64_t x42;
+  uint64_t x43;
+  uint64_t x44;
+  uint64_t x45;
+  uint64_t x46;
+  uint64_t x47;
+  fiat_p256_uint1 x48;
+  uint64_t x49;
+  fiat_p256_uint1 x50;
+  uint64_t x51;
+  fiat_p256_uint1 x52;
+  uint64_t x53;
+  uint64_t x54;
+  fiat_p256_uint1 x55;
+  uint64_t x56;
+  fiat_p256_uint1 x57;
+  uint64_t x58;
+  fiat_p256_uint1 x59;
+  uint64_t x60;
+  fiat_p256_uint1 x61;
+  uint64_t x62;
+  fiat_p256_uint1 x63;
+  uint64_t x64;
+  uint64_t x65;
+  uint64_t x66;
+  uint64_t x67;
+  uint64_t x68;
+  uint64_t x69;
+  uint64_t x70;
+  fiat_p256_uint1 x71;
+  uint64_t x72;
+  uint64_t x73;
+  fiat_p256_uint1 x74;
+  uint64_t x75;
+  fiat_p256_uint1 x76;
+  uint64_t x77;
+  fiat_p256_uint1 x78;
+  uint64_t x79;
+  fiat_p256_uint1 x80;
+  uint64_t x81;
+  fiat_p256_uint1 x82;
+  uint64_t x83;
+  uint64_t x84;
+  uint64_t x85;
+  uint64_t x86;
+  uint64_t x87;
+  uint64_t x88;
+  uint64_t x89;
+  uint64_t x90;
+  uint64_t x91;
+  uint64_t x92;
+  fiat_p256_uint1 x93;
+  uint64_t x94;
+  fiat_p256_uint1 x95;
+  uint64_t x96;
+  fiat_p256_uint1 x97;
+  uint64_t x98;
+  uint64_t x99;
+  fiat_p256_uint1 x100;
+  uint64_t x101;
+  fiat_p256_uint1 x102;
+  uint64_t x103;
+  fiat_p256_uint1 x104;
+  uint64_t x105;
+  fiat_p256_uint1 x106;
+  uint64_t x107;
+  fiat_p256_uint1 x108;
+  uint64_t x109;
+  uint64_t x110;
+  uint64_t x111;
+  uint64_t x112;
+  uint64_t x113;
+  uint64_t x114;
+  uint64_t x115;
+  fiat_p256_uint1 x116;
+  uint64_t x117;
+  uint64_t x118;
+  fiat_p256_uint1 x119;
+  uint64_t x120;
+  fiat_p256_uint1 x121;
+  uint64_t x122;
+  fiat_p256_uint1 x123;
+  uint64_t x124;
+  fiat_p256_uint1 x125;
+  uint64_t x126;
+  fiat_p256_uint1 x127;
+  uint64_t x128;
+  uint64_t x129;
+  uint64_t x130;
+  uint64_t x131;
+  uint64_t x132;
+  uint64_t x133;
+  uint64_t x134;
+  uint64_t x135;
+  uint64_t x136;
+  uint64_t x137;
+  fiat_p256_uint1 x138;
+  uint64_t x139;
+  fiat_p256_uint1 x140;
+  uint64_t x141;
+  fiat_p256_uint1 x142;
+  uint64_t x143;
+  uint64_t x144;
+  fiat_p256_uint1 x145;
+  uint64_t x146;
+  fiat_p256_uint1 x147;
+  uint64_t x148;
+  fiat_p256_uint1 x149;
+  uint64_t x150;
+  fiat_p256_uint1 x151;
+  uint64_t x152;
+  fiat_p256_uint1 x153;
+  uint64_t x154;
+  uint64_t x155;
+  uint64_t x156;
+  uint64_t x157;
+  uint64_t x158;
+  uint64_t x159;
+  uint64_t x160;
+  fiat_p256_uint1 x161;
+  uint64_t x162;
+  uint64_t x163;
+  fiat_p256_uint1 x164;
+  uint64_t x165;
+  fiat_p256_uint1 x166;
+  uint64_t x167;
+  fiat_p256_uint1 x168;
+  uint64_t x169;
+  fiat_p256_uint1 x170;
+  uint64_t x171;
+  fiat_p256_uint1 x172;
+  uint64_t x173;
+  uint64_t x174;
+  fiat_p256_uint1 x175;
+  uint64_t x176;
+  fiat_p256_uint1 x177;
+  uint64_t x178;
+  fiat_p256_uint1 x179;
+  uint64_t x180;
+  fiat_p256_uint1 x181;
+  uint64_t x182;
+  fiat_p256_uint1 x183;
+  uint64_t x184;
+  uint64_t x185;
+  uint64_t x186;
+  uint64_t x187;
+  x1 = (arg1[1]);
+  x2 = (arg1[2]);
+  x3 = (arg1[3]);
+  x4 = (arg1[0]);
+  fiat_p256_mulx_u64(&x5, &x6, x4, (arg2[3]));
+  fiat_p256_mulx_u64(&x7, &x8, x4, (arg2[2]));
+  fiat_p256_mulx_u64(&x9, &x10, x4, (arg2[1]));
+  fiat_p256_mulx_u64(&x11, &x12, x4, (arg2[0]));
+  fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9);
+  fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7);
+  fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5);
+  x19 = (x18 + x6);
+  fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22);
+  x28 = (x27 + x23);
+  fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24);
+  fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26);
+  fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28);
+  fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20);
+  fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21);
+  fiat_p256_mulx_u64(&x39, &x40, x1, (arg2[3]));
+  fiat_p256_mulx_u64(&x41, &x42, x1, (arg2[2]));
+  fiat_p256_mulx_u64(&x43, &x44, x1, (arg2[1]));
+  fiat_p256_mulx_u64(&x45, &x46, x1, (arg2[0]));
+  fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43);
+  fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41);
+  fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39);
+  x53 = (x52 + x40);
+  fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45);
+  fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47);
+  fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49);
+  fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51);
+  fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53);
+  fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66);
+  x72 = (x71 + x67);
+  fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68);
+  fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70);
+  fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72);
+  fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64);
+  fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65);
+  x83 = ((uint64_t)x82 + x63);
+  fiat_p256_mulx_u64(&x84, &x85, x2, (arg2[3]));
+  fiat_p256_mulx_u64(&x86, &x87, x2, (arg2[2]));
+  fiat_p256_mulx_u64(&x88, &x89, x2, (arg2[1]));
+  fiat_p256_mulx_u64(&x90, &x91, x2, (arg2[0]));
+  fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88);
+  fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86);
+  fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84);
+  x98 = (x97 + x85);
+  fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90);
+  fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92);
+  fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94);
+  fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96);
+  fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98);
+  fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111);
+  x117 = (x116 + x112);
+  fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113);
+  fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115);
+  fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117);
+  fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109);
+  fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110);
+  x128 = ((uint64_t)x127 + x108);
+  fiat_p256_mulx_u64(&x129, &x130, x3, (arg2[3]));
+  fiat_p256_mulx_u64(&x131, &x132, x3, (arg2[2]));
+  fiat_p256_mulx_u64(&x133, &x134, x3, (arg2[1]));
+  fiat_p256_mulx_u64(&x135, &x136, x3, (arg2[0]));
+  fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133);
+  fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131);
+  fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129);
+  x143 = (x142 + x130);
+  fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135);
+  fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137);
+  fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139);
+  fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141);
+  fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143);
+  fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156);
+  x162 = (x161 + x157);
+  fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158);
+  fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160);
+  fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162);
+  fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154);
+  fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155);
+  x173 = ((uint64_t)x172 + x153);
+  fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff));
+  fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff));
+  fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0);
+  fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001));
+  fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0);
+  fiat_p256_cmovznz_u64(&x184, x183, x174, x165);
+  fiat_p256_cmovznz_u64(&x185, x183, x176, x167);
+  fiat_p256_cmovznz_u64(&x186, x183, x178, x169);
+  fiat_p256_cmovznz_u64(&x187, x183, x180, x171);
+  out1[0] = x184;
+  out1[1] = x185;
+  out1[2] = x186;
+  out1[3] = x187;
+}
+
+/*
+ * The function fiat_p256_square squares a field element in the Montgomery domain.
+ *
+ * Preconditions:
+ *   0 ≤ eval arg1 < m
+ * Postconditions:
+ *   eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m
+ *   0 ≤ eval out1 < m
+ *
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  uint64_t x6;
+  uint64_t x7;
+  uint64_t x8;
+  uint64_t x9;
+  uint64_t x10;
+  uint64_t x11;
+  uint64_t x12;
+  uint64_t x13;
+  fiat_p256_uint1 x14;
+  uint64_t x15;
+  fiat_p256_uint1 x16;
+  uint64_t x17;
+  fiat_p256_uint1 x18;
+  uint64_t x19;
+  uint64_t x20;
+  uint64_t x21;
+  uint64_t x22;
+  uint64_t x23;
+  uint64_t x24;
+  uint64_t x25;
+  uint64_t x26;
+  fiat_p256_uint1 x27;
+  uint64_t x28;
+  uint64_t x29;
+  fiat_p256_uint1 x30;
+  uint64_t x31;
+  fiat_p256_uint1 x32;
+  uint64_t x33;
+  fiat_p256_uint1 x34;
+  uint64_t x35;
+  fiat_p256_uint1 x36;
+  uint64_t x37;
+  fiat_p256_uint1 x38;
+  uint64_t x39;
+  uint64_t x40;
+  uint64_t x41;
+  uint64_t x42;
+  uint64_t x43;
+  uint64_t x44;
+  uint64_t x45;
+  uint64_t x46;
+  uint64_t x47;
+  fiat_p256_uint1 x48;
+  uint64_t x49;
+  fiat_p256_uint1 x50;
+  uint64_t x51;
+  fiat_p256_uint1 x52;
+  uint64_t x53;
+  uint64_t x54;
+  fiat_p256_uint1 x55;
+  uint64_t x56;
+  fiat_p256_uint1 x57;
+  uint64_t x58;
+  fiat_p256_uint1 x59;
+  uint64_t x60;
+  fiat_p256_uint1 x61;
+  uint64_t x62;
+  fiat_p256_uint1 x63;
+  uint64_t x64;
+  uint64_t x65;
+  uint64_t x66;
+  uint64_t x67;
+  uint64_t x68;
+  uint64_t x69;
+  uint64_t x70;
+  fiat_p256_uint1 x71;
+  uint64_t x72;
+  uint64_t x73;
+  fiat_p256_uint1 x74;
+  uint64_t x75;
+  fiat_p256_uint1 x76;
+  uint64_t x77;
+  fiat_p256_uint1 x78;
+  uint64_t x79;
+  fiat_p256_uint1 x80;
+  uint64_t x81;
+  fiat_p256_uint1 x82;
+  uint64_t x83;
+  uint64_t x84;
+  uint64_t x85;
+  uint64_t x86;
+  uint64_t x87;
+  uint64_t x88;
+  uint64_t x89;
+  uint64_t x90;
+  uint64_t x91;
+  uint64_t x92;
+  fiat_p256_uint1 x93;
+  uint64_t x94;
+  fiat_p256_uint1 x95;
+  uint64_t x96;
+  fiat_p256_uint1 x97;
+  uint64_t x98;
+  uint64_t x99;
+  fiat_p256_uint1 x100;
+  uint64_t x101;
+  fiat_p256_uint1 x102;
+  uint64_t x103;
+  fiat_p256_uint1 x104;
+  uint64_t x105;
+  fiat_p256_uint1 x106;
+  uint64_t x107;
+  fiat_p256_uint1 x108;
+  uint64_t x109;
+  uint64_t x110;
+  uint64_t x111;
+  uint64_t x112;
+  uint64_t x113;
+  uint64_t x114;
+  uint64_t x115;
+  fiat_p256_uint1 x116;
+  uint64_t x117;
+  uint64_t x118;
+  fiat_p256_uint1 x119;
+  uint64_t x120;
+  fiat_p256_uint1 x121;
+  uint64_t x122;
+  fiat_p256_uint1 x123;
+  uint64_t x124;
+  fiat_p256_uint1 x125;
+  uint64_t x126;
+  fiat_p256_uint1 x127;
+  uint64_t x128;
+  uint64_t x129;
+  uint64_t x130;
+  uint64_t x131;
+  uint64_t x132;
+  uint64_t x133;
+  uint64_t x134;
+  uint64_t x135;
+  uint64_t x136;
+  uint64_t x137;
+  fiat_p256_uint1 x138;
+  uint64_t x139;
+  fiat_p256_uint1 x140;
+  uint64_t x141;
+  fiat_p256_uint1 x142;
+  uint64_t x143;
+  uint64_t x144;
+  fiat_p256_uint1 x145;
+  uint64_t x146;
+  fiat_p256_uint1 x147;
+  uint64_t x148;
+  fiat_p256_uint1 x149;
+  uint64_t x150;
+  fiat_p256_uint1 x151;
+  uint64_t x152;
+  fiat_p256_uint1 x153;
+  uint64_t x154;
+  uint64_t x155;
+  uint64_t x156;
+  uint64_t x157;
+  uint64_t x158;
+  uint64_t x159;
+  uint64_t x160;
+  fiat_p256_uint1 x161;
+  uint64_t x162;
+  uint64_t x163;
+  fiat_p256_uint1 x164;
+  uint64_t x165;
+  fiat_p256_uint1 x166;
+  uint64_t x167;
+  fiat_p256_uint1 x168;
+  uint64_t x169;
+  fiat_p256_uint1 x170;
+  uint64_t x171;
+  fiat_p256_uint1 x172;
+  uint64_t x173;
+  uint64_t x174;
+  fiat_p256_uint1 x175;
+  uint64_t x176;
+  fiat_p256_uint1 x177;
+  uint64_t x178;
+  fiat_p256_uint1 x179;
+  uint64_t x180;
+  fiat_p256_uint1 x181;
+  uint64_t x182;
+  fiat_p256_uint1 x183;
+  uint64_t x184;
+  uint64_t x185;
+  uint64_t x186;
+  uint64_t x187;
+  x1 = (arg1[1]);
+  x2 = (arg1[2]);
+  x3 = (arg1[3]);
+  x4 = (arg1[0]);
+  fiat_p256_mulx_u64(&x5, &x6, x4, (arg1[3]));
+  fiat_p256_mulx_u64(&x7, &x8, x4, (arg1[2]));
+  fiat_p256_mulx_u64(&x9, &x10, x4, (arg1[1]));
+  fiat_p256_mulx_u64(&x11, &x12, x4, (arg1[0]));
+  fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9);
+  fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7);
+  fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5);
+  x19 = (x18 + x6);
+  fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22);
+  x28 = (x27 + x23);
+  fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24);
+  fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26);
+  fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28);
+  fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20);
+  fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21);
+  fiat_p256_mulx_u64(&x39, &x40, x1, (arg1[3]));
+  fiat_p256_mulx_u64(&x41, &x42, x1, (arg1[2]));
+  fiat_p256_mulx_u64(&x43, &x44, x1, (arg1[1]));
+  fiat_p256_mulx_u64(&x45, &x46, x1, (arg1[0]));
+  fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43);
+  fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41);
+  fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39);
+  x53 = (x52 + x40);
+  fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45);
+  fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47);
+  fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49);
+  fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51);
+  fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53);
+  fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66);
+  x72 = (x71 + x67);
+  fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68);
+  fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70);
+  fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72);
+  fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64);
+  fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65);
+  x83 = ((uint64_t)x82 + x63);
+  fiat_p256_mulx_u64(&x84, &x85, x2, (arg1[3]));
+  fiat_p256_mulx_u64(&x86, &x87, x2, (arg1[2]));
+  fiat_p256_mulx_u64(&x88, &x89, x2, (arg1[1]));
+  fiat_p256_mulx_u64(&x90, &x91, x2, (arg1[0]));
+  fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88);
+  fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86);
+  fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84);
+  x98 = (x97 + x85);
+  fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90);
+  fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92);
+  fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94);
+  fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96);
+  fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98);
+  fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111);
+  x117 = (x116 + x112);
+  fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113);
+  fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115);
+  fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117);
+  fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109);
+  fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110);
+  x128 = ((uint64_t)x127 + x108);
+  fiat_p256_mulx_u64(&x129, &x130, x3, (arg1[3]));
+  fiat_p256_mulx_u64(&x131, &x132, x3, (arg1[2]));
+  fiat_p256_mulx_u64(&x133, &x134, x3, (arg1[1]));
+  fiat_p256_mulx_u64(&x135, &x136, x3, (arg1[0]));
+  fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133);
+  fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131);
+  fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129);
+  x143 = (x142 + x130);
+  fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135);
+  fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137);
+  fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139);
+  fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141);
+  fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143);
+  fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156);
+  x162 = (x161 + x157);
+  fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158);
+  fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160);
+  fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162);
+  fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154);
+  fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155);
+  x173 = ((uint64_t)x172 + x153);
+  fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff));
+  fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff));
+  fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0);
+  fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001));
+  fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0);
+  fiat_p256_cmovznz_u64(&x184, x183, x174, x165);
+  fiat_p256_cmovznz_u64(&x185, x183, x176, x167);
+  fiat_p256_cmovznz_u64(&x186, x183, x178, x169);
+  fiat_p256_cmovznz_u64(&x187, x183, x180, x171);
+  out1[0] = x184;
+  out1[1] = x185;
+  out1[2] = x186;
+  out1[3] = x187;
+}
+
+/*
+ * The function fiat_p256_add adds two field elements in the Montgomery domain.
+ *
+ * Preconditions:
+ *   0 ≤ eval arg1 < m
+ *   0 ≤ eval arg2 < m
+ * Postconditions:
+ *   eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m
+ *   0 ≤ eval out1 < m
+ *
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_add(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {
+  uint64_t x1;
+  fiat_p256_uint1 x2;
+  uint64_t x3;
+  fiat_p256_uint1 x4;
+  uint64_t x5;
+  fiat_p256_uint1 x6;
+  uint64_t x7;
+  fiat_p256_uint1 x8;
+  uint64_t x9;
+  fiat_p256_uint1 x10;
+  uint64_t x11;
+  fiat_p256_uint1 x12;
+  uint64_t x13;
+  fiat_p256_uint1 x14;
+  uint64_t x15;
+  fiat_p256_uint1 x16;
+  uint64_t x17;
+  fiat_p256_uint1 x18;
+  uint64_t x19;
+  uint64_t x20;
+  uint64_t x21;
+  uint64_t x22;
+  fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0]));
+  fiat_p256_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1]));
+  fiat_p256_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2]));
+  fiat_p256_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3]));
+  fiat_p256_subborrowx_u64(&x9, &x10, 0x0, x1, UINT64_C(0xffffffffffffffff));
+  fiat_p256_subborrowx_u64(&x11, &x12, x10, x3, UINT32_C(0xffffffff));
+  fiat_p256_subborrowx_u64(&x13, &x14, x12, x5, 0x0);
+  fiat_p256_subborrowx_u64(&x15, &x16, x14, x7, UINT64_C(0xffffffff00000001));
+  fiat_p256_subborrowx_u64(&x17, &x18, x16, x8, 0x0);
+  fiat_p256_cmovznz_u64(&x19, x18, x9, x1);
+  fiat_p256_cmovznz_u64(&x20, x18, x11, x3);
+  fiat_p256_cmovznz_u64(&x21, x18, x13, x5);
+  fiat_p256_cmovznz_u64(&x22, x18, x15, x7);
+  out1[0] = x19;
+  out1[1] = x20;
+  out1[2] = x21;
+  out1[3] = x22;
+}
+
+/*
+ * The function fiat_p256_sub subtracts two field elements in the Montgomery domain.
+ *
+ * Preconditions:
+ *   0 ≤ eval arg1 < m
+ *   0 ≤ eval arg2 < m
+ * Postconditions:
+ *   eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m
+ *   0 ≤ eval out1 < m
+ *
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_sub(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {
+  uint64_t x1;
+  fiat_p256_uint1 x2;
+  uint64_t x3;
+  fiat_p256_uint1 x4;
+  uint64_t x5;
+  fiat_p256_uint1 x6;
+  uint64_t x7;
+  fiat_p256_uint1 x8;
+  uint64_t x9;
+  uint64_t x10;
+  fiat_p256_uint1 x11;
+  uint64_t x12;
+  fiat_p256_uint1 x13;
+  uint64_t x14;
+  fiat_p256_uint1 x15;
+  uint64_t x16;
+  fiat_p256_uint1 x17;
+  fiat_p256_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0]));
+  fiat_p256_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1]));
+  fiat_p256_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2]));
+  fiat_p256_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3]));
+  fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x9);
+  fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff)));
+  fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0);
+  fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001)));
+  out1[0] = x10;
+  out1[1] = x12;
+  out1[2] = x14;
+  out1[3] = x16;
+}
+
+/*
+ * The function fiat_p256_opp negates a field element in the Montgomery domain.
+ *
+ * Preconditions:
+ *   0 ≤ eval arg1 < m
+ * Postconditions:
+ *   eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m
+ *   0 ≤ eval out1 < m
+ *
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_opp(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {
+  uint64_t x1;
+  fiat_p256_uint1 x2;
+  uint64_t x3;
+  fiat_p256_uint1 x4;
+  uint64_t x5;
+  fiat_p256_uint1 x6;
+  uint64_t x7;
+  fiat_p256_uint1 x8;
+  uint64_t x9;
+  uint64_t x10;
+  fiat_p256_uint1 x11;
+  uint64_t x12;
+  fiat_p256_uint1 x13;
+  uint64_t x14;
+  fiat_p256_uint1 x15;
+  uint64_t x16;
+  fiat_p256_uint1 x17;
+  fiat_p256_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0]));
+  fiat_p256_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1]));
+  fiat_p256_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2]));
+  fiat_p256_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3]));
+  fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x9);
+  fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff)));
+  fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0);
+  fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001)));
+  out1[0] = x10;
+  out1[1] = x12;
+  out1[2] = x14;
+  out1[3] = x16;
+}
+
+/*
+ * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain.
+ *
+ * Preconditions:
+ *   0 ≤ eval arg1 < m
+ * Postconditions:
+ *   eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m
+ *   0 ≤ eval out1 < m
+ *
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_from_montgomery(fiat_p256_non_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  uint64_t x6;
+  uint64_t x7;
+  uint64_t x8;
+  fiat_p256_uint1 x9;
+  uint64_t x10;
+  fiat_p256_uint1 x11;
+  uint64_t x12;
+  fiat_p256_uint1 x13;
+  uint64_t x14;
+  fiat_p256_uint1 x15;
+  uint64_t x16;
+  uint64_t x17;
+  uint64_t x18;
+  uint64_t x19;
+  uint64_t x20;
+  uint64_t x21;
+  uint64_t x22;
+  fiat_p256_uint1 x23;
+  uint64_t x24;
+  fiat_p256_uint1 x25;
+  uint64_t x26;
+  fiat_p256_uint1 x27;
+  uint64_t x28;
+  fiat_p256_uint1 x29;
+  uint64_t x30;
+  fiat_p256_uint1 x31;
+  uint64_t x32;
+  fiat_p256_uint1 x33;
+  uint64_t x34;
+  fiat_p256_uint1 x35;
+  uint64_t x36;
+  fiat_p256_uint1 x37;
+  uint64_t x38;
+  uint64_t x39;
+  uint64_t x40;
+  uint64_t x41;
+  uint64_t x42;
+  uint64_t x43;
+  uint64_t x44;
+  fiat_p256_uint1 x45;
+  uint64_t x46;
+  fiat_p256_uint1 x47;
+  uint64_t x48;
+  fiat_p256_uint1 x49;
+  uint64_t x50;
+  fiat_p256_uint1 x51;
+  uint64_t x52;
+  fiat_p256_uint1 x53;
+  uint64_t x54;
+  fiat_p256_uint1 x55;
+  uint64_t x56;
+  fiat_p256_uint1 x57;
+  uint64_t x58;
+  fiat_p256_uint1 x59;
+  uint64_t x60;
+  uint64_t x61;
+  uint64_t x62;
+  uint64_t x63;
+  uint64_t x64;
+  uint64_t x65;
+  uint64_t x66;
+  fiat_p256_uint1 x67;
+  uint64_t x68;
+  fiat_p256_uint1 x69;
+  uint64_t x70;
+  fiat_p256_uint1 x71;
+  uint64_t x72;
+  fiat_p256_uint1 x73;
+  uint64_t x74;
+  fiat_p256_uint1 x75;
+  uint64_t x76;
+  uint64_t x77;
+  fiat_p256_uint1 x78;
+  uint64_t x79;
+  fiat_p256_uint1 x80;
+  uint64_t x81;
+  fiat_p256_uint1 x82;
+  uint64_t x83;
+  fiat_p256_uint1 x84;
+  uint64_t x85;
+  fiat_p256_uint1 x86;
+  uint64_t x87;
+  uint64_t x88;
+  uint64_t x89;
+  uint64_t x90;
+  x1 = (arg1[0]);
+  fiat_p256_mulx_u64(&x2, &x3, x1, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x4, &x5, x1, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x6, &x7, x1, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x8, &x9, 0x0, x7, x4);
+  fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x6);
+  fiat_p256_addcarryx_u64(&x12, &x13, x11, 0x0, x8);
+  fiat_p256_addcarryx_u64(&x14, &x15, 0x0, x12, (arg1[1]));
+  fiat_p256_mulx_u64(&x16, &x17, x14, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x18, &x19, x14, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x20, &x21, x14, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x22, &x23, 0x0, x21, x18);
+  fiat_p256_addcarryx_u64(&x24, &x25, 0x0, x14, x20);
+  fiat_p256_addcarryx_u64(&x26, &x27, x25, (x15 + (x13 + (x9 + x5))), x22);
+  fiat_p256_addcarryx_u64(&x28, &x29, x27, x2, (x23 + x19));
+  fiat_p256_addcarryx_u64(&x30, &x31, x29, x3, x16);
+  fiat_p256_addcarryx_u64(&x32, &x33, 0x0, x26, (arg1[2]));
+  fiat_p256_addcarryx_u64(&x34, &x35, x33, x28, 0x0);
+  fiat_p256_addcarryx_u64(&x36, &x37, x35, x30, 0x0);
+  fiat_p256_mulx_u64(&x38, &x39, x32, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x40, &x41, x32, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x42, &x43, x32, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x44, &x45, 0x0, x43, x40);
+  fiat_p256_addcarryx_u64(&x46, &x47, 0x0, x32, x42);
+  fiat_p256_addcarryx_u64(&x48, &x49, x47, x34, x44);
+  fiat_p256_addcarryx_u64(&x50, &x51, x49, x36, (x45 + x41));
+  fiat_p256_addcarryx_u64(&x52, &x53, x51, (x37 + (x31 + x17)), x38);
+  fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x48, (arg1[3]));
+  fiat_p256_addcarryx_u64(&x56, &x57, x55, x50, 0x0);
+  fiat_p256_addcarryx_u64(&x58, &x59, x57, x52, 0x0);
+  fiat_p256_mulx_u64(&x60, &x61, x54, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x62, &x63, x54, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x66, &x67, 0x0, x65, x62);
+  fiat_p256_addcarryx_u64(&x68, &x69, 0x0, x54, x64);
+  fiat_p256_addcarryx_u64(&x70, &x71, x69, x56, x66);
+  fiat_p256_addcarryx_u64(&x72, &x73, x71, x58, (x67 + x63));
+  fiat_p256_addcarryx_u64(&x74, &x75, x73, (x59 + (x53 + x39)), x60);
+  x76 = (x75 + x61);
+  fiat_p256_subborrowx_u64(&x77, &x78, 0x0, x70, UINT64_C(0xffffffffffffffff));
+  fiat_p256_subborrowx_u64(&x79, &x80, x78, x72, UINT32_C(0xffffffff));
+  fiat_p256_subborrowx_u64(&x81, &x82, x80, x74, 0x0);
+  fiat_p256_subborrowx_u64(&x83, &x84, x82, x76, UINT64_C(0xffffffff00000001));
+  fiat_p256_subborrowx_u64(&x85, &x86, x84, 0x0, 0x0);
+  fiat_p256_cmovznz_u64(&x87, x86, x77, x70);
+  fiat_p256_cmovznz_u64(&x88, x86, x79, x72);
+  fiat_p256_cmovznz_u64(&x89, x86, x81, x74);
+  fiat_p256_cmovznz_u64(&x90, x86, x83, x76);
+  out1[0] = x87;
+  out1[1] = x88;
+  out1[2] = x89;
+  out1[3] = x90;
+}
+
+/*
+ * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain.
+ *
+ * Preconditions:
+ *   0 ≤ eval arg1 < m
+ * Postconditions:
+ *   eval (from_montgomery out1) mod m = eval arg1 mod m
+ *   0 ≤ eval out1 < m
+ *
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_to_montgomery(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_non_montgomery_domain_field_element arg1) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  uint64_t x6;
+  uint64_t x7;
+  uint64_t x8;
+  uint64_t x9;
+  uint64_t x10;
+  uint64_t x11;
+  uint64_t x12;
+  uint64_t x13;
+  fiat_p256_uint1 x14;
+  uint64_t x15;
+  fiat_p256_uint1 x16;
+  uint64_t x17;
+  fiat_p256_uint1 x18;
+  uint64_t x19;
+  uint64_t x20;
+  uint64_t x21;
+  uint64_t x22;
+  uint64_t x23;
+  uint64_t x24;
+  uint64_t x25;
+  fiat_p256_uint1 x26;
+  uint64_t x27;
+  fiat_p256_uint1 x28;
+  uint64_t x29;
+  fiat_p256_uint1 x30;
+  uint64_t x31;
+  fiat_p256_uint1 x32;
+  uint64_t x33;
+  fiat_p256_uint1 x34;
+  uint64_t x35;
+  fiat_p256_uint1 x36;
+  uint64_t x37;
+  uint64_t x38;
+  uint64_t x39;
+  uint64_t x40;
+  uint64_t x41;
+  uint64_t x42;
+  uint64_t x43;
+  uint64_t x44;
+  uint64_t x45;
+  fiat_p256_uint1 x46;
+  uint64_t x47;
+  fiat_p256_uint1 x48;
+  uint64_t x49;
+  fiat_p256_uint1 x50;
+  uint64_t x51;
+  fiat_p256_uint1 x52;
+  uint64_t x53;
+  fiat_p256_uint1 x54;
+  uint64_t x55;
+  fiat_p256_uint1 x56;
+  uint64_t x57;
+  fiat_p256_uint1 x58;
+  uint64_t x59;
+  uint64_t x60;
+  uint64_t x61;
+  uint64_t x62;
+  uint64_t x63;
+  uint64_t x64;
+  uint64_t x65;
+  fiat_p256_uint1 x66;
+  uint64_t x67;
+  fiat_p256_uint1 x68;
+  uint64_t x69;
+  fiat_p256_uint1 x70;
+  uint64_t x71;
+  fiat_p256_uint1 x72;
+  uint64_t x73;
+  fiat_p256_uint1 x74;
+  uint64_t x75;
+  fiat_p256_uint1 x76;
+  uint64_t x77;
+  uint64_t x78;
+  uint64_t x79;
+  uint64_t x80;
+  uint64_t x81;
+  uint64_t x82;
+  uint64_t x83;
+  uint64_t x84;
+  uint64_t x85;
+  fiat_p256_uint1 x86;
+  uint64_t x87;
+  fiat_p256_uint1 x88;
+  uint64_t x89;
+  fiat_p256_uint1 x90;
+  uint64_t x91;
+  fiat_p256_uint1 x92;
+  uint64_t x93;
+  fiat_p256_uint1 x94;
+  uint64_t x95;
+  fiat_p256_uint1 x96;
+  uint64_t x97;
+  fiat_p256_uint1 x98;
+  uint64_t x99;
+  uint64_t x100;
+  uint64_t x101;
+  uint64_t x102;
+  uint64_t x103;
+  uint64_t x104;
+  uint64_t x105;
+  fiat_p256_uint1 x106;
+  uint64_t x107;
+  fiat_p256_uint1 x108;
+  uint64_t x109;
+  fiat_p256_uint1 x110;
+  uint64_t x111;
+  fiat_p256_uint1 x112;
+  uint64_t x113;
+  fiat_p256_uint1 x114;
+  uint64_t x115;
+  fiat_p256_uint1 x116;
+  uint64_t x117;
+  uint64_t x118;
+  uint64_t x119;
+  uint64_t x120;
+  uint64_t x121;
+  uint64_t x122;
+  uint64_t x123;
+  uint64_t x124;
+  uint64_t x125;
+  fiat_p256_uint1 x126;
+  uint64_t x127;
+  fiat_p256_uint1 x128;
+  uint64_t x129;
+  fiat_p256_uint1 x130;
+  uint64_t x131;
+  fiat_p256_uint1 x132;
+  uint64_t x133;
+  fiat_p256_uint1 x134;
+  uint64_t x135;
+  fiat_p256_uint1 x136;
+  uint64_t x137;
+  fiat_p256_uint1 x138;
+  uint64_t x139;
+  uint64_t x140;
+  uint64_t x141;
+  uint64_t x142;
+  uint64_t x143;
+  uint64_t x144;
+  uint64_t x145;
+  fiat_p256_uint1 x146;
+  uint64_t x147;
+  fiat_p256_uint1 x148;
+  uint64_t x149;
+  fiat_p256_uint1 x150;
+  uint64_t x151;
+  fiat_p256_uint1 x152;
+  uint64_t x153;
+  fiat_p256_uint1 x154;
+  uint64_t x155;
+  fiat_p256_uint1 x156;
+  uint64_t x157;
+  fiat_p256_uint1 x158;
+  uint64_t x159;
+  fiat_p256_uint1 x160;
+  uint64_t x161;
+  fiat_p256_uint1 x162;
+  uint64_t x163;
+  fiat_p256_uint1 x164;
+  uint64_t x165;
+  fiat_p256_uint1 x166;
+  uint64_t x167;
+  uint64_t x168;
+  uint64_t x169;
+  uint64_t x170;
+  x1 = (arg1[1]);
+  x2 = (arg1[2]);
+  x3 = (arg1[3]);
+  x4 = (arg1[0]);
+  fiat_p256_mulx_u64(&x5, &x6, x4, UINT64_C(0x4fffffffd));
+  fiat_p256_mulx_u64(&x7, &x8, x4, UINT64_C(0xfffffffffffffffe));
+  fiat_p256_mulx_u64(&x9, &x10, x4, UINT64_C(0xfffffffbffffffff));
+  fiat_p256_mulx_u64(&x11, &x12, x4, 0x3);
+  fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9);
+  fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7);
+  fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5);
+  fiat_p256_mulx_u64(&x19, &x20, x11, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x21, &x22, x11, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x23, &x24, x11, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x25, &x26, 0x0, x24, x21);
+  fiat_p256_addcarryx_u64(&x27, &x28, 0x0, x11, x23);
+  fiat_p256_addcarryx_u64(&x29, &x30, x28, x13, x25);
+  fiat_p256_addcarryx_u64(&x31, &x32, x30, x15, (x26 + x22));
+  fiat_p256_addcarryx_u64(&x33, &x34, x32, x17, x19);
+  fiat_p256_addcarryx_u64(&x35, &x36, x34, (x18 + x6), x20);
+  fiat_p256_mulx_u64(&x37, &x38, x1, UINT64_C(0x4fffffffd));
+  fiat_p256_mulx_u64(&x39, &x40, x1, UINT64_C(0xfffffffffffffffe));
+  fiat_p256_mulx_u64(&x41, &x42, x1, UINT64_C(0xfffffffbffffffff));
+  fiat_p256_mulx_u64(&x43, &x44, x1, 0x3);
+  fiat_p256_addcarryx_u64(&x45, &x46, 0x0, x44, x41);
+  fiat_p256_addcarryx_u64(&x47, &x48, x46, x42, x39);
+  fiat_p256_addcarryx_u64(&x49, &x50, x48, x40, x37);
+  fiat_p256_addcarryx_u64(&x51, &x52, 0x0, x29, x43);
+  fiat_p256_addcarryx_u64(&x53, &x54, x52, x31, x45);
+  fiat_p256_addcarryx_u64(&x55, &x56, x54, x33, x47);
+  fiat_p256_addcarryx_u64(&x57, &x58, x56, x35, x49);
+  fiat_p256_mulx_u64(&x59, &x60, x51, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x61, &x62, x51, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x63, &x64, x51, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x65, &x66, 0x0, x64, x61);
+  fiat_p256_addcarryx_u64(&x67, &x68, 0x0, x51, x63);
+  fiat_p256_addcarryx_u64(&x69, &x70, x68, x53, x65);
+  fiat_p256_addcarryx_u64(&x71, &x72, x70, x55, (x66 + x62));
+  fiat_p256_addcarryx_u64(&x73, &x74, x72, x57, x59);
+  fiat_p256_addcarryx_u64(&x75, &x76, x74, (((uint64_t)x58 + x36) + (x50 + x38)), x60);
+  fiat_p256_mulx_u64(&x77, &x78, x2, UINT64_C(0x4fffffffd));
+  fiat_p256_mulx_u64(&x79, &x80, x2, UINT64_C(0xfffffffffffffffe));
+  fiat_p256_mulx_u64(&x81, &x82, x2, UINT64_C(0xfffffffbffffffff));
+  fiat_p256_mulx_u64(&x83, &x84, x2, 0x3);
+  fiat_p256_addcarryx_u64(&x85, &x86, 0x0, x84, x81);
+  fiat_p256_addcarryx_u64(&x87, &x88, x86, x82, x79);
+  fiat_p256_addcarryx_u64(&x89, &x90, x88, x80, x77);
+  fiat_p256_addcarryx_u64(&x91, &x92, 0x0, x69, x83);
+  fiat_p256_addcarryx_u64(&x93, &x94, x92, x71, x85);
+  fiat_p256_addcarryx_u64(&x95, &x96, x94, x73, x87);
+  fiat_p256_addcarryx_u64(&x97, &x98, x96, x75, x89);
+  fiat_p256_mulx_u64(&x99, &x100, x91, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x101, &x102, x91, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x103, &x104, x91, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x105, &x106, 0x0, x104, x101);
+  fiat_p256_addcarryx_u64(&x107, &x108, 0x0, x91, x103);
+  fiat_p256_addcarryx_u64(&x109, &x110, x108, x93, x105);
+  fiat_p256_addcarryx_u64(&x111, &x112, x110, x95, (x106 + x102));
+  fiat_p256_addcarryx_u64(&x113, &x114, x112, x97, x99);
+  fiat_p256_addcarryx_u64(&x115, &x116, x114, (((uint64_t)x98 + x76) + (x90 + x78)), x100);
+  fiat_p256_mulx_u64(&x117, &x118, x3, UINT64_C(0x4fffffffd));
+  fiat_p256_mulx_u64(&x119, &x120, x3, UINT64_C(0xfffffffffffffffe));
+  fiat_p256_mulx_u64(&x121, &x122, x3, UINT64_C(0xfffffffbffffffff));
+  fiat_p256_mulx_u64(&x123, &x124, x3, 0x3);
+  fiat_p256_addcarryx_u64(&x125, &x126, 0x0, x124, x121);
+  fiat_p256_addcarryx_u64(&x127, &x128, x126, x122, x119);
+  fiat_p256_addcarryx_u64(&x129, &x130, x128, x120, x117);
+  fiat_p256_addcarryx_u64(&x131, &x132, 0x0, x109, x123);
+  fiat_p256_addcarryx_u64(&x133, &x134, x132, x111, x125);
+  fiat_p256_addcarryx_u64(&x135, &x136, x134, x113, x127);
+  fiat_p256_addcarryx_u64(&x137, &x138, x136, x115, x129);
+  fiat_p256_mulx_u64(&x139, &x140, x131, UINT64_C(0xffffffff00000001));
+  fiat_p256_mulx_u64(&x141, &x142, x131, UINT32_C(0xffffffff));
+  fiat_p256_mulx_u64(&x143, &x144, x131, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x145, &x146, 0x0, x144, x141);
+  fiat_p256_addcarryx_u64(&x147, &x148, 0x0, x131, x143);
+  fiat_p256_addcarryx_u64(&x149, &x150, x148, x133, x145);
+  fiat_p256_addcarryx_u64(&x151, &x152, x150, x135, (x146 + x142));
+  fiat_p256_addcarryx_u64(&x153, &x154, x152, x137, x139);
+  fiat_p256_addcarryx_u64(&x155, &x156, x154, (((uint64_t)x138 + x116) + (x130 + x118)), x140);
+  fiat_p256_subborrowx_u64(&x157, &x158, 0x0, x149, UINT64_C(0xffffffffffffffff));
+  fiat_p256_subborrowx_u64(&x159, &x160, x158, x151, UINT32_C(0xffffffff));
+  fiat_p256_subborrowx_u64(&x161, &x162, x160, x153, 0x0);
+  fiat_p256_subborrowx_u64(&x163, &x164, x162, x155, UINT64_C(0xffffffff00000001));
+  fiat_p256_subborrowx_u64(&x165, &x166, x164, x156, 0x0);
+  fiat_p256_cmovznz_u64(&x167, x166, x157, x149);
+  fiat_p256_cmovznz_u64(&x168, x166, x159, x151);
+  fiat_p256_cmovznz_u64(&x169, x166, x161, x153);
+  fiat_p256_cmovznz_u64(&x170, x166, x163, x155);
+  out1[0] = x167;
+  out1[1] = x168;
+  out1[2] = x169;
+  out1[3] = x170;
+}
+
+/*
+ * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.
+ *
+ * Preconditions:
+ *   0 ≤ eval arg1 < m
+ * Postconditions:
+ *   out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0
+ *
+ * Input Bounds:
+ *   arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0xffffffffffffffff]
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_nonzero(uint64_t* out1, const uint64_t arg1[4]) {
+  uint64_t x1;
+  x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3]))));
+  *out1 = x1;
+}
+
+/*
+ * The function fiat_p256_selectznz is a multi-limb conditional select.
+ *
+ * Postconditions:
+ *   out1 = (if arg1 = 0 then arg2 else arg3)
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0x1]
+ *   arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ *   arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ * Output Bounds:
+ *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const uint64_t arg2[4], const uint64_t arg3[4]) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  fiat_p256_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0]));
+  fiat_p256_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1]));
+  fiat_p256_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2]));
+  fiat_p256_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3]));
+  out1[0] = x1;
+  out1[1] = x2;
+  out1[2] = x3;
+  out1[3] = x4;
+}
+
+/*
+ * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.
+ *
+ * Preconditions:
+ *   0 ≤ eval arg1 < m
+ * Postconditions:
+ *   out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]
+ *
+ * Input Bounds:
+ *   arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ * Output Bounds:
+ *   out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint8_t x5;
+  uint64_t x6;
+  uint8_t x7;
+  uint64_t x8;
+  uint8_t x9;
+  uint64_t x10;
+  uint8_t x11;
+  uint64_t x12;
+  uint8_t x13;
+  uint64_t x14;
+  uint8_t x15;
+  uint64_t x16;
+  uint8_t x17;
+  uint8_t x18;
+  uint8_t x19;
+  uint64_t x20;
+  uint8_t x21;
+  uint64_t x22;
+  uint8_t x23;
+  uint64_t x24;
+  uint8_t x25;
+  uint64_t x26;
+  uint8_t x27;
+  uint64_t x28;
+  uint8_t x29;
+  uint64_t x30;
+  uint8_t x31;
+  uint8_t x32;
+  uint8_t x33;
+  uint64_t x34;
+  uint8_t x35;
+  uint64_t x36;
+  uint8_t x37;
+  uint64_t x38;
+  uint8_t x39;
+  uint64_t x40;
+  uint8_t x41;
+  uint64_t x42;
+  uint8_t x43;
+  uint64_t x44;
+  uint8_t x45;
+  uint8_t x46;
+  uint8_t x47;
+  uint64_t x48;
+  uint8_t x49;
+  uint64_t x50;
+  uint8_t x51;
+  uint64_t x52;
+  uint8_t x53;
+  uint64_t x54;
+  uint8_t x55;
+  uint64_t x56;
+  uint8_t x57;
+  uint64_t x58;
+  uint8_t x59;
+  uint8_t x60;
+  x1 = (arg1[3]);
+  x2 = (arg1[2]);
+  x3 = (arg1[1]);
+  x4 = (arg1[0]);
+  x5 = (uint8_t)(x4 & UINT8_C(0xff));
+  x6 = (x4 >> 8);
+  x7 = (uint8_t)(x6 & UINT8_C(0xff));
+  x8 = (x6 >> 8);
+  x9 = (uint8_t)(x8 & UINT8_C(0xff));
+  x10 = (x8 >> 8);
+  x11 = (uint8_t)(x10 & UINT8_C(0xff));
+  x12 = (x10 >> 8);
+  x13 = (uint8_t)(x12 & UINT8_C(0xff));
+  x14 = (x12 >> 8);
+  x15 = (uint8_t)(x14 & UINT8_C(0xff));
+  x16 = (x14 >> 8);
+  x17 = (uint8_t)(x16 & UINT8_C(0xff));
+  x18 = (uint8_t)(x16 >> 8);
+  x19 = (uint8_t)(x3 & UINT8_C(0xff));
+  x20 = (x3 >> 8);
+  x21 = (uint8_t)(x20 & UINT8_C(0xff));
+  x22 = (x20 >> 8);
+  x23 = (uint8_t)(x22 & UINT8_C(0xff));
+  x24 = (x22 >> 8);
+  x25 = (uint8_t)(x24 & UINT8_C(0xff));
+  x26 = (x24 >> 8);
+  x27 = (uint8_t)(x26 & UINT8_C(0xff));
+  x28 = (x26 >> 8);
+  x29 = (uint8_t)(x28 & UINT8_C(0xff));
+  x30 = (x28 >> 8);
+  x31 = (uint8_t)(x30 & UINT8_C(0xff));
+  x32 = (uint8_t)(x30 >> 8);
+  x33 = (uint8_t)(x2 & UINT8_C(0xff));
+  x34 = (x2 >> 8);
+  x35 = (uint8_t)(x34 & UINT8_C(0xff));
+  x36 = (x34 >> 8);
+  x37 = (uint8_t)(x36 & UINT8_C(0xff));
+  x38 = (x36 >> 8);
+  x39 = (uint8_t)(x38 & UINT8_C(0xff));
+  x40 = (x38 >> 8);
+  x41 = (uint8_t)(x40 & UINT8_C(0xff));
+  x42 = (x40 >> 8);
+  x43 = (uint8_t)(x42 & UINT8_C(0xff));
+  x44 = (x42 >> 8);
+  x45 = (uint8_t)(x44 & UINT8_C(0xff));
+  x46 = (uint8_t)(x44 >> 8);
+  x47 = (uint8_t)(x1 & UINT8_C(0xff));
+  x48 = (x1 >> 8);
+  x49 = (uint8_t)(x48 & UINT8_C(0xff));
+  x50 = (x48 >> 8);
+  x51 = (uint8_t)(x50 & UINT8_C(0xff));
+  x52 = (x50 >> 8);
+  x53 = (uint8_t)(x52 & UINT8_C(0xff));
+  x54 = (x52 >> 8);
+  x55 = (uint8_t)(x54 & UINT8_C(0xff));
+  x56 = (x54 >> 8);
+  x57 = (uint8_t)(x56 & UINT8_C(0xff));
+  x58 = (x56 >> 8);
+  x59 = (uint8_t)(x58 & UINT8_C(0xff));
+  x60 = (uint8_t)(x58 >> 8);
+  out1[0] = x5;
+  out1[1] = x7;
+  out1[2] = x9;
+  out1[3] = x11;
+  out1[4] = x13;
+  out1[5] = x15;
+  out1[6] = x17;
+  out1[7] = x18;
+  out1[8] = x19;
+  out1[9] = x21;
+  out1[10] = x23;
+  out1[11] = x25;
+  out1[12] = x27;
+  out1[13] = x29;
+  out1[14] = x31;
+  out1[15] = x32;
+  out1[16] = x33;
+  out1[17] = x35;
+  out1[18] = x37;
+  out1[19] = x39;
+  out1[20] = x41;
+  out1[21] = x43;
+  out1[22] = x45;
+  out1[23] = x46;
+  out1[24] = x47;
+  out1[25] = x49;
+  out1[26] = x51;
+  out1[27] = x53;
+  out1[28] = x55;
+  out1[29] = x57;
+  out1[30] = x59;
+  out1[31] = x60;
+}
+
+/*
+ * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.
+ *
+ * Preconditions:
+ *   0 ≤ bytes_eval arg1 < m
+ * Postconditions:
+ *   eval out1 mod m = bytes_eval arg1 mod m
+ *   0 ≤ eval out1 < m
+ *
+ * Input Bounds:
+ *   arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]
+ * Output Bounds:
+ *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_from_bytes(uint64_t out1[4], const uint8_t arg1[32]) {
+  uint64_t x1;
+  uint64_t x2;
+  uint64_t x3;
+  uint64_t x4;
+  uint64_t x5;
+  uint64_t x6;
+  uint64_t x7;
+  uint8_t x8;
+  uint64_t x9;
+  uint64_t x10;
+  uint64_t x11;
+  uint64_t x12;
+  uint64_t x13;
+  uint64_t x14;
+  uint64_t x15;
+  uint8_t x16;
+  uint64_t x17;
+  uint64_t x18;
+  uint64_t x19;
+  uint64_t x20;
+  uint64_t x21;
+  uint64_t x22;
+  uint64_t x23;
+  uint8_t x24;
+  uint64_t x25;
+  uint64_t x26;
+  uint64_t x27;
+  uint64_t x28;
+  uint64_t x29;
+  uint64_t x30;
+  uint64_t x31;
+  uint8_t x32;
+  uint64_t x33;
+  uint64_t x34;
+  uint64_t x35;
+  uint64_t x36;
+  uint64_t x37;
+  uint64_t x38;
+  uint64_t x39;
+  uint64_t x40;
+  uint64_t x41;
+  uint64_t x42;
+  uint64_t x43;
+  uint64_t x44;
+  uint64_t x45;
+  uint64_t x46;
+  uint64_t x47;
+  uint64_t x48;
+  uint64_t x49;
+  uint64_t x50;
+  uint64_t x51;
+  uint64_t x52;
+  uint64_t x53;
+  uint64_t x54;
+  uint64_t x55;
+  uint64_t x56;
+  uint64_t x57;
+  uint64_t x58;
+  uint64_t x59;
+  uint64_t x60;
+  x1 = ((uint64_t)(arg1[31]) << 56);
+  x2 = ((uint64_t)(arg1[30]) << 48);
+  x3 = ((uint64_t)(arg1[29]) << 40);
+  x4 = ((uint64_t)(arg1[28]) << 32);
+  x5 = ((uint64_t)(arg1[27]) << 24);
+  x6 = ((uint64_t)(arg1[26]) << 16);
+  x7 = ((uint64_t)(arg1[25]) << 8);
+  x8 = (arg1[24]);
+  x9 = ((uint64_t)(arg1[23]) << 56);
+  x10 = ((uint64_t)(arg1[22]) << 48);
+  x11 = ((uint64_t)(arg1[21]) << 40);
+  x12 = ((uint64_t)(arg1[20]) << 32);
+  x13 = ((uint64_t)(arg1[19]) << 24);
+  x14 = ((uint64_t)(arg1[18]) << 16);
+  x15 = ((uint64_t)(arg1[17]) << 8);
+  x16 = (arg1[16]);
+  x17 = ((uint64_t)(arg1[15]) << 56);
+  x18 = ((uint64_t)(arg1[14]) << 48);
+  x19 = ((uint64_t)(arg1[13]) << 40);
+  x20 = ((uint64_t)(arg1[12]) << 32);
+  x21 = ((uint64_t)(arg1[11]) << 24);
+  x22 = ((uint64_t)(arg1[10]) << 16);
+  x23 = ((uint64_t)(arg1[9]) << 8);
+  x24 = (arg1[8]);
+  x25 = ((uint64_t)(arg1[7]) << 56);
+  x26 = ((uint64_t)(arg1[6]) << 48);
+  x27 = ((uint64_t)(arg1[5]) << 40);
+  x28 = ((uint64_t)(arg1[4]) << 32);
+  x29 = ((uint64_t)(arg1[3]) << 24);
+  x30 = ((uint64_t)(arg1[2]) << 16);
+  x31 = ((uint64_t)(arg1[1]) << 8);
+  x32 = (arg1[0]);
+  x33 = (x31 + (uint64_t)x32);
+  x34 = (x30 + x33);
+  x35 = (x29 + x34);
+  x36 = (x28 + x35);
+  x37 = (x27 + x36);
+  x38 = (x26 + x37);
+  x39 = (x25 + x38);
+  x40 = (x23 + (uint64_t)x24);
+  x41 = (x22 + x40);
+  x42 = (x21 + x41);
+  x43 = (x20 + x42);
+  x44 = (x19 + x43);
+  x45 = (x18 + x44);
+  x46 = (x17 + x45);
+  x47 = (x15 + (uint64_t)x16);
+  x48 = (x14 + x47);
+  x49 = (x13 + x48);
+  x50 = (x12 + x49);
+  x51 = (x11 + x50);
+  x52 = (x10 + x51);
+  x53 = (x9 + x52);
+  x54 = (x7 + (uint64_t)x8);
+  x55 = (x6 + x54);
+  x56 = (x5 + x55);
+  x57 = (x4 + x56);
+  x58 = (x3 + x57);
+  x59 = (x2 + x58);
+  x60 = (x1 + x59);
+  out1[0] = x39;
+  out1[1] = x46;
+  out1[2] = x53;
+  out1[3] = x60;
+}
+
+/*
+ * The function fiat_p256_set_one returns the field element one in the Montgomery domain.
+ *
+ * Postconditions:
+ *   eval (from_montgomery out1) mod m = 1 mod m
+ *   0 ≤ eval out1 < m
+ *
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_set_one(fiat_p256_montgomery_domain_field_element out1) {
+  out1[0] = 0x1;
+  out1[1] = UINT64_C(0xffffffff00000000);
+  out1[2] = UINT64_C(0xffffffffffffffff);
+  out1[3] = UINT32_C(0xfffffffe);
+}
+
+/*
+ * The function fiat_p256_msat returns the saturated representation of the prime modulus.
+ *
+ * Postconditions:
+ *   twos_complement_eval out1 = m
+ *   0 ≤ eval out1 < m
+ *
+ * Output Bounds:
+ *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_msat(uint64_t out1[5]) {
+  out1[0] = UINT64_C(0xffffffffffffffff);
+  out1[1] = UINT32_C(0xffffffff);
+  out1[2] = 0x0;
+  out1[3] = UINT64_C(0xffffffff00000001);
+  out1[4] = 0x0;
+}
+
+/*
+ * The function fiat_p256_divstep computes a divstep.
+ *
+ * Preconditions:
+ *   0 ≤ eval arg4 < m
+ *   0 ≤ eval arg5 < m
+ * Postconditions:
+ *   out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1)
+ *   twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2)
+ *   twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋)
+ *   eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m)
+ *   eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m)
+ *   0 ≤ eval out5 < m
+ *   0 ≤ eval out5 < m
+ *   0 ≤ eval out2 < m
+ *   0 ≤ eval out3 < m
+ *
+ * Input Bounds:
+ *   arg1: [0x0 ~> 0xffffffffffffffff]
+ *   arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ *   arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ *   arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ *   arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ * Output Bounds:
+ *   out1: [0x0 ~> 0xffffffffffffffff]
+ *   out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ *   out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ *   out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ *   out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_divstep(uint64_t* out1, uint64_t out2[5], uint64_t out3[5], uint64_t out4[4], uint64_t out5[4], uint64_t arg1, const uint64_t arg2[5], const uint64_t arg3[5], const uint64_t arg4[4], const uint64_t arg5[4]) {
+  uint64_t x1;
+  fiat_p256_uint1 x2;
+  fiat_p256_uint1 x3;
+  uint64_t x4;
+  fiat_p256_uint1 x5;
+  uint64_t x6;
+  uint64_t x7;
+  uint64_t x8;
+  uint64_t x9;
+  uint64_t x10;
+  uint64_t x11;
+  uint64_t x12;
+  fiat_p256_uint1 x13;
+  uint64_t x14;
+  fiat_p256_uint1 x15;
+  uint64_t x16;
+  fiat_p256_uint1 x17;
+  uint64_t x18;
+  fiat_p256_uint1 x19;
+  uint64_t x20;
+  fiat_p256_uint1 x21;
+  uint64_t x22;
+  uint64_t x23;
+  uint64_t x24;
+  uint64_t x25;
+  uint64_t x26;
+  uint64_t x27;
+  uint64_t x28;
+  uint64_t x29;
+  uint64_t x30;
+  uint64_t x31;
+  fiat_p256_uint1 x32;
+  uint64_t x33;
+  fiat_p256_uint1 x34;
+  uint64_t x35;
+  fiat_p256_uint1 x36;
+  uint64_t x37;
+  fiat_p256_uint1 x38;
+  uint64_t x39;
+  fiat_p256_uint1 x40;
+  uint64_t x41;
+  fiat_p256_uint1 x42;
+  uint64_t x43;
+  fiat_p256_uint1 x44;
+  uint64_t x45;
+  fiat_p256_uint1 x46;
+  uint64_t x47;
+  fiat_p256_uint1 x48;
+  uint64_t x49;
+  uint64_t x50;
+  uint64_t x51;
+  uint64_t x52;
+  uint64_t x53;
+  fiat_p256_uint1 x54;
+  uint64_t x55;
+  fiat_p256_uint1 x56;
+  uint64_t x57;
+  fiat_p256_uint1 x58;
+  uint64_t x59;
+  fiat_p256_uint1 x60;
+  uint64_t x61;
+  uint64_t x62;
+  fiat_p256_uint1 x63;
+  uint64_t x64;
+  fiat_p256_uint1 x65;
+  uint64_t x66;
+  fiat_p256_uint1 x67;
+  uint64_t x68;
+  fiat_p256_uint1 x69;
+  uint64_t x70;
+  uint64_t x71;
+  uint64_t x72;
+  uint64_t x73;
+  fiat_p256_uint1 x74;
+  uint64_t x75;
+  uint64_t x76;
+  uint64_t x77;
+  uint64_t x78;
+  uint64_t x79;
+  uint64_t x80;
+  fiat_p256_uint1 x81;
+  uint64_t x82;
+  fiat_p256_uint1 x83;
+  uint64_t x84;
+  fiat_p256_uint1 x85;
+  uint64_t x86;
+  fiat_p256_uint1 x87;
+  uint64_t x88;
+  fiat_p256_uint1 x89;
+  uint64_t x90;
+  uint64_t x91;
+  uint64_t x92;
+  uint64_t x93;
+  uint64_t x94;
+  fiat_p256_uint1 x95;
+  uint64_t x96;
+  fiat_p256_uint1 x97;
+  uint64_t x98;
+  fiat_p256_uint1 x99;
+  uint64_t x100;
+  fiat_p256_uint1 x101;
+  uint64_t x102;
+  fiat_p256_uint1 x103;
+  uint64_t x104;
+  fiat_p256_uint1 x105;
+  uint64_t x106;
+  fiat_p256_uint1 x107;
+  uint64_t x108;
+  fiat_p256_uint1 x109;
+  uint64_t x110;
+  fiat_p256_uint1 x111;
+  uint64_t x112;
+  fiat_p256_uint1 x113;
+  uint64_t x114;
+  uint64_t x115;
+  uint64_t x116;
+  uint64_t x117;
+  uint64_t x118;
+  uint64_t x119;
+  uint64_t x120;
+  uint64_t x121;
+  uint64_t x122;
+  uint64_t x123;
+  uint64_t x124;
+  uint64_t x125;
+  uint64_t x126;
+  fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (~arg1), 0x1);
+  x3 = (fiat_p256_uint1)((fiat_p256_uint1)(x1 >> 63) & (fiat_p256_uint1)((arg3[0]) & 0x1));
+  fiat_p256_addcarryx_u64(&x4, &x5, 0x0, (~arg1), 0x1);
+  fiat_p256_cmovznz_u64(&x6, x3, arg1, x4);
+  fiat_p256_cmovznz_u64(&x7, x3, (arg2[0]), (arg3[0]));
+  fiat_p256_cmovznz_u64(&x8, x3, (arg2[1]), (arg3[1]));
+  fiat_p256_cmovznz_u64(&x9, x3, (arg2[2]), (arg3[2]));
+  fiat_p256_cmovznz_u64(&x10, x3, (arg2[3]), (arg3[3]));
+  fiat_p256_cmovznz_u64(&x11, x3, (arg2[4]), (arg3[4]));
+  fiat_p256_addcarryx_u64(&x12, &x13, 0x0, 0x1, (~(arg2[0])));
+  fiat_p256_addcarryx_u64(&x14, &x15, x13, 0x0, (~(arg2[1])));
+  fiat_p256_addcarryx_u64(&x16, &x17, x15, 0x0, (~(arg2[2])));
+  fiat_p256_addcarryx_u64(&x18, &x19, x17, 0x0, (~(arg2[3])));
+  fiat_p256_addcarryx_u64(&x20, &x21, x19, 0x0, (~(arg2[4])));
+  fiat_p256_cmovznz_u64(&x22, x3, (arg3[0]), x12);
+  fiat_p256_cmovznz_u64(&x23, x3, (arg3[1]), x14);
+  fiat_p256_cmovznz_u64(&x24, x3, (arg3[2]), x16);
+  fiat_p256_cmovznz_u64(&x25, x3, (arg3[3]), x18);
+  fiat_p256_cmovznz_u64(&x26, x3, (arg3[4]), x20);
+  fiat_p256_cmovznz_u64(&x27, x3, (arg4[0]), (arg5[0]));
+  fiat_p256_cmovznz_u64(&x28, x3, (arg4[1]), (arg5[1]));
+  fiat_p256_cmovznz_u64(&x29, x3, (arg4[2]), (arg5[2]));
+  fiat_p256_cmovznz_u64(&x30, x3, (arg4[3]), (arg5[3]));
+  fiat_p256_addcarryx_u64(&x31, &x32, 0x0, x27, x27);
+  fiat_p256_addcarryx_u64(&x33, &x34, x32, x28, x28);
+  fiat_p256_addcarryx_u64(&x35, &x36, x34, x29, x29);
+  fiat_p256_addcarryx_u64(&x37, &x38, x36, x30, x30);
+  fiat_p256_subborrowx_u64(&x39, &x40, 0x0, x31, UINT64_C(0xffffffffffffffff));
+  fiat_p256_subborrowx_u64(&x41, &x42, x40, x33, UINT32_C(0xffffffff));
+  fiat_p256_subborrowx_u64(&x43, &x44, x42, x35, 0x0);
+  fiat_p256_subborrowx_u64(&x45, &x46, x44, x37, UINT64_C(0xffffffff00000001));
+  fiat_p256_subborrowx_u64(&x47, &x48, x46, x38, 0x0);
+  x49 = (arg4[3]);
+  x50 = (arg4[2]);
+  x51 = (arg4[1]);
+  x52 = (arg4[0]);
+  fiat_p256_subborrowx_u64(&x53, &x54, 0x0, 0x0, x52);
+  fiat_p256_subborrowx_u64(&x55, &x56, x54, 0x0, x51);
+  fiat_p256_subborrowx_u64(&x57, &x58, x56, 0x0, x50);
+  fiat_p256_subborrowx_u64(&x59, &x60, x58, 0x0, x49);
+  fiat_p256_cmovznz_u64(&x61, x60, 0x0, UINT64_C(0xffffffffffffffff));
+  fiat_p256_addcarryx_u64(&x62, &x63, 0x0, x53, x61);
+  fiat_p256_addcarryx_u64(&x64, &x65, x63, x55, (x61 & UINT32_C(0xffffffff)));
+  fiat_p256_addcarryx_u64(&x66, &x67, x65, x57, 0x0);
+  fiat_p256_addcarryx_u64(&x68, &x69, x67, x59, (x61 & UINT64_C(0xffffffff00000001)));
+  fiat_p256_cmovznz_u64(&x70, x3, (arg5[0]), x62);
+  fiat_p256_cmovznz_u64(&x71, x3, (arg5[1]), x64);
+  fiat_p256_cmovznz_u64(&x72, x3, (arg5[2]), x66);
+  fiat_p256_cmovznz_u64(&x73, x3, (arg5[3]), x68);
+  x74 = (fiat_p256_uint1)(x22 & 0x1);
+  fiat_p256_cmovznz_u64(&x75, x74, 0x0, x7);
+  fiat_p256_cmovznz_u64(&x76, x74, 0x0, x8);
+  fiat_p256_cmovznz_u64(&x77, x74, 0x0, x9);
+  fiat_p256_cmovznz_u64(&x78, x74, 0x0, x10);
+  fiat_p256_cmovznz_u64(&x79, x74, 0x0, x11);
+  fiat_p256_addcarryx_u64(&x80, &x81, 0x0, x22, x75);
+  fiat_p256_addcarryx_u64(&x82, &x83, x81, x23, x76);
+  fiat_p256_addcarryx_u64(&x84, &x85, x83, x24, x77);
+  fiat_p256_addcarryx_u64(&x86, &x87, x85, x25, x78);
+  fiat_p256_addcarryx_u64(&x88, &x89, x87, x26, x79);
+  fiat_p256_cmovznz_u64(&x90, x74, 0x0, x27);
+  fiat_p256_cmovznz_u64(&x91, x74, 0x0, x28);
+  fiat_p256_cmovznz_u64(&x92, x74, 0x0, x29);
+  fiat_p256_cmovznz_u64(&x93, x74, 0x0, x30);
+  fiat_p256_addcarryx_u64(&x94, &x95, 0x0, x70, x90);
+  fiat_p256_addcarryx_u64(&x96, &x97, x95, x71, x91);
+  fiat_p256_addcarryx_u64(&x98, &x99, x97, x72, x92);
+  fiat_p256_addcarryx_u64(&x100, &x101, x99, x73, x93);
+  fiat_p256_subborrowx_u64(&x102, &x103, 0x0, x94, UINT64_C(0xffffffffffffffff));
+  fiat_p256_subborrowx_u64(&x104, &x105, x103, x96, UINT32_C(0xffffffff));
+  fiat_p256_subborrowx_u64(&x106, &x107, x105, x98, 0x0);
+  fiat_p256_subborrowx_u64(&x108, &x109, x107, x100, UINT64_C(0xffffffff00000001));
+  fiat_p256_subborrowx_u64(&x110, &x111, x109, x101, 0x0);
+  fiat_p256_addcarryx_u64(&x112, &x113, 0x0, x6, 0x1);
+  x114 = ((x80 >> 1) | ((x82 << 63) & UINT64_C(0xffffffffffffffff)));
+  x115 = ((x82 >> 1) | ((x84 << 63) & UINT64_C(0xffffffffffffffff)));
+  x116 = ((x84 >> 1) | ((x86 << 63) & UINT64_C(0xffffffffffffffff)));
+  x117 = ((x86 >> 1) | ((x88 << 63) & UINT64_C(0xffffffffffffffff)));
+  x118 = ((x88 & UINT64_C(0x8000000000000000)) | (x88 >> 1));
+  fiat_p256_cmovznz_u64(&x119, x48, x39, x31);
+  fiat_p256_cmovznz_u64(&x120, x48, x41, x33);
+  fiat_p256_cmovznz_u64(&x121, x48, x43, x35);
+  fiat_p256_cmovznz_u64(&x122, x48, x45, x37);
+  fiat_p256_cmovznz_u64(&x123, x111, x102, x94);
+  fiat_p256_cmovznz_u64(&x124, x111, x104, x96);
+  fiat_p256_cmovznz_u64(&x125, x111, x106, x98);
+  fiat_p256_cmovznz_u64(&x126, x111, x108, x100);
+  *out1 = x112;
+  out2[0] = x7;
+  out2[1] = x8;
+  out2[2] = x9;
+  out2[3] = x10;
+  out2[4] = x11;
+  out3[0] = x114;
+  out3[1] = x115;
+  out3[2] = x116;
+  out3[3] = x117;
+  out3[4] = x118;
+  out4[0] = x119;
+  out4[1] = x120;
+  out4[2] = x121;
+  out4[3] = x122;
+  out5[0] = x123;
+  out5[1] = x124;
+  out5[2] = x125;
+  out5[3] = x126;
+}
+
+/*
+ * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).
+ *
+ * Postconditions:
+ *   eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋)
+ *   0 ≤ eval out1 < m
+ *
+ * Output Bounds:
+ *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ */
+static FIAT_P256_FIAT_INLINE void fiat_p256_divstep_precomp(uint64_t out1[4]) {
+  out1[0] = UINT64_C(0x67ffffffb8000000);
+  out1[1] = UINT64_C(0xc000000038000000);
+  out1[2] = UINT64_C(0xd80000007fffffff);
+  out1[3] = UINT64_C(0x2fffffffffffffff);
+}
diff --git a/src/util/all_tests.go b/src/util/all_tests.go
index 8d81463e..c0dceba5 100644
--- a/src/util/all_tests.go
+++ b/src/util/all_tests.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/util/check_filenames.go b/src/util/check_filenames.go
index 886c3f60..384c19f5 100644
--- a/src/util/check_filenames.go
+++ b/src/util/check_filenames.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // check_filenames.go checks that filenames are unique. Some of our consumers do
 // not support multiple files with the same name in the same build target, even
 // if they are in different directories.
diff --git a/src/util/check_imported_libraries.go b/src/util/check_imported_libraries.go
index 187e5144..f3803f1c 100644
--- a/src/util/check_imported_libraries.go
+++ b/src/util/check_imported_libraries.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // check_imported_libraries.go checks that each of its arguments only imports
 // allowed libraries. This is used to avoid accidental dependencies on
 // libstdc++.so.
diff --git a/src/util/check_stack.go b/src/util/check_stack.go
index b718ea4a..ad763e65 100644
--- a/src/util/check_stack.go
+++ b/src/util/check_stack.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // check_stack.go checks that each of its arguments has a non-executable stack.
 // See https://www.airs.com/blog/archives/518 for details.
 package main
diff --git a/src/util/compare_benchmarks.go b/src/util/compare_benchmarks.go
index d631f832..05e1b5db 100644
--- a/src/util/compare_benchmarks.go
+++ b/src/util/compare_benchmarks.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // compare_benchmarks takes the JSON-formatted output of bssl speed and
 // compares it against a baseline output.
 package main
diff --git a/src/util/convert_comments.go b/src/util/convert_comments.go
index 917f29c8..df9e3d3a 100644
--- a/src/util/convert_comments.go
+++ b/src/util/convert_comments.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/util/convert_wycheproof.go b/src/util/convert_wycheproof/convert_wycheproof.go
index a7dfc818..076f8e48 100644
--- a/src/util/convert_wycheproof.go
+++ b/src/util/convert_wycheproof/convert_wycheproof.go
@@ -12,8 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-// convert_wycheproof.go converts Wycheproof test vectors into a format more
-// easily consumed by BoringSSL.
+// convert_wycheproof converts Wycheproof test vectors into a format more easily
+// consumed by BoringSSL.
 package main
 
 import (
diff --git a/src/util/diff_asm.go b/src/util/diff_asm.go
index 27c0aa20..5ac1c04b 100644
--- a/src/util/diff_asm.go
+++ b/src/util/diff_asm.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/util/doc.go b/src/util/doc.go
index e7f1b591..4fb73ca0 100644
--- a/src/util/doc.go
+++ b/src/util/doc.go
@@ -1,3 +1,5 @@
+//go:build ignore
+
 // doc generates HTML files from the comments in header files.
 //
 // doc expects to be given the path to a JSON file via the --config option.
diff --git a/src/util/embed_test_data.go b/src/util/embed_test_data.go
index 0a0d1e3f..ae7135fa 100644
--- a/src/util/embed_test_data.go
+++ b/src/util/embed_test_data.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // embed_test_data generates a C++ source file which exports a function,
 // GetTestData, which looks up the specified data files.
 package main
diff --git a/src/util/fetch_ech_config_list.go b/src/util/fetch_ech_config_list.go
index 8f09e66b..732d0d3b 100644
--- a/src/util/fetch_ech_config_list.go
+++ b/src/util/fetch_ech_config_list.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/util/fipstools/acvp/acvptool/test/check_expected.go b/src/util/fipstools/acvp/acvptool/test/check_expected.go
index c5dc0f67..d02f2729 100644
--- a/src/util/fipstools/acvp/acvptool/test/check_expected.go
+++ b/src/util/fipstools/acvp/acvptool/test/check_expected.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/util/fipstools/acvp/acvptool/test/trim_vectors.go b/src/util/fipstools/acvp/acvptool/test/trim_vectors.go
index 53e970e0..703f75fd 100644
--- a/src/util/fipstools/acvp/acvptool/test/trim_vectors.go
+++ b/src/util/fipstools/acvp/acvptool/test/trim_vectors.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // trimvectors takes an ACVP vector set file and discards all but a single test
 // from each test group. This hope is that this achieves good coverage without
 // having to check in megabytes worth of JSON files.
diff --git a/src/util/fipstools/break-hash.go b/src/util/fipstools/break-hash.go
index e37da752..a4ab8083 100644
--- a/src/util/fipstools/break-hash.go
+++ b/src/util/fipstools/break-hash.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // break-hash parses an ELF binary containing the FIPS module and corrupts the
 // first byte of the module. This should cause the integrity check to fail.
 package main
diff --git a/src/util/fipstools/break-kat.go b/src/util/fipstools/break-kat.go
index c412d0e2..e4d323ab 100644
--- a/src/util/fipstools/break-kat.go
+++ b/src/util/fipstools/break-kat.go
@@ -1,3 +1,5 @@
+//go:build
+
 // break-kat corrupts a known-answer-test input in a binary and writes the
 // corrupted binary to stdout. This is used to demonstrate that the KATs in the
 // binary notice the error.
diff --git a/src/util/godeps.go b/src/util/godeps.go
index 960faa46..56be5594 100644
--- a/src/util/godeps.go
+++ b/src/util/godeps.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // godeps prints out dependencies of a package in either CMake or Make depfile
 // format, for incremental rebuilds.
 //
diff --git a/src/util/make_errors.go b/src/util/make_errors.go
index 4e2718b8..874a001b 100644
--- a/src/util/make_errors.go
+++ b/src/util/make_errors.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
@@ -188,28 +190,13 @@ type assignment struct {
 	value int
 }
 
-type assignmentsSlice []assignment
-
-func (a assignmentsSlice) Len() int {
-	return len(a)
-}
-
-func (a assignmentsSlice) Less(i, j int) bool {
-	return a[i].value < a[j].value
-}
-
-func (a assignmentsSlice) Swap(i, j int) {
-	a[i], a[j] = a[j], a[i]
-}
-
 func outputAssignments(w io.Writer, assignments map[string]int) {
-	var sorted assignmentsSlice
-
+	sorted := make([]assignment, 0, len(assignments))
 	for key, value := range assignments {
 		sorted = append(sorted, assignment{key, value})
 	}
 
-	sort.Sort(sorted)
+	sort.Slice(sorted, func(i, j int) bool { return sorted[i].value < sorted[j].value })
 
 	for _, assignment := range sorted {
 		fmt.Fprintf(w, "#define %s %d\n", assignment.key, assignment.value)
diff --git a/src/util/make_prefix_headers.go b/src/util/make_prefix_headers.go
index b39e4ec7..8787654b 100644
--- a/src/util/make_prefix_headers.go
+++ b/src/util/make_prefix_headers.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // This program takes a file containing newline-separated symbols, and generates
 // boringssl_prefix_symbols.h, boringssl_prefix_symbols_asm.h, and
 // boringssl_prefix_symbols_nasm.inc. These header files can be used to build
diff --git a/src/util/read_symbols.go b/src/util/read_symbols.go
index b407ecb1..ab2184c0 100644
--- a/src/util/read_symbols.go
+++ b/src/util/read_symbols.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // read_symbols scans one or more .a files and, for each object contained in
 // the .a files, reads the list of symbols in that object file.
 package main
diff --git a/src/util/run_android_tests.go b/src/util/run_android_tests.go
index 67a13e7e..ce878195 100644
--- a/src/util/run_android_tests.go
+++ b/src/util/run_android_tests.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
author	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2023-05-11 23:05:36 +0000
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2023-05-11 23:05:36 +0000
commit	306dcf52e8808de3e3c604a7df2e3384885aa8b2 (patch)
tree	6277566361af6eb7fe6ee64cf862329996d3bff2
parent	3d20bdc0fee053343fc76e7c4fc0ad1f59e3db20 (diff)
parent	1997a4293128d24fb5bbedb83a1dae1f503aedc1 (diff)
download	boringssl-android14-d1-s6-release.tar.gz