diff --git a/whitebox/WORKSPACE b/whitebox/WORKSPACE
index b5c0a42..07957e9 100644
--- a/whitebox/WORKSPACE
+++ b/whitebox/WORKSPACE
@@ -65,7 +65,7 @@ http_archive(
 new_git_repository(
 name = "odk_repo",
 build_file = "//external:odk.BUILD",
- commit = "2bfd670424232fbff4e38f25d06cb28ee4c88b61", # 17.1
+ commit = "74178f968f2188db27b6f56adcae60f377049f72", # 18.3
 remote = "https://widevine-partner.googlesource.com/oemcrypto_core_message.git",
 )
diff --git a/whitebox/api/BUILD b/whitebox/api/BUILD
index b48cd16..b709ee8 100644
--- a/whitebox/api/BUILD
+++ b/whitebox/api/BUILD
@@ -17,7 +17,7 @@ cc_library(
 "//:is_old_api": [],
 "//:is_old_vmpra": [],
 "//conditions:default": [ # Chrome
- # "HAS_PROVIDER_KEYS",
+ "HAS_PROVIDER_KEYS",
 "ENABLE_LICENSE_PROTOCOL_2_2",
 # Needed when talking to server SDKs [v16.3.3, v16.4.3] with license
 # protocol v2.2 enabled (b/177271059).
diff --git a/whitebox/api/license_whitebox_process_license_response_core_message_test.cc b/whitebox/api/license_whitebox_process_license_response_core_message_test.cc
index e67b38a..38a4546 100644
--- a/whitebox/api/license_whitebox_process_license_response_core_message_test.cc
+++ b/whitebox/api/license_whitebox_process_license_response_core_message_test.cc
@@ -82,7 +82,8 @@ INSTANTIATE_TEST_SUITE_P(
 ::testing::Combine(
 ::testing::Values(kNoSigningKey, Padding::kNone, Padding::kPKSC8),
 ::testing::Values(OdkVersion::kNone, OdkVersion::k16_3,
- OdkVersion::k16_5, OdkVersion::k17_1)));
+ OdkVersion::k16_5, OdkVersion::k17_1,
+ OdkVersion::k18_3)));
 // Failure tests
diff --git a/whitebox/api/test_license_builder.cc b/whitebox/api/test_license_builder.cc
index 4d0a671..35091f4 100644
--- a/whitebox/api/test_license_builder.cc
+++ b/whitebox/api/test_license_builder.cc
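Review bot: In whitebox/api/BUILD the default (Chrome) branch now defines `HAS_PROVIDER_KEYS` without any comment, unlike `ENABLE_LICENSE_PROTOCOL_2_2` directly below it, which explains when it is needed. Judging by its name the define changes how keys are handled in the default build, and nothing visible ties it to the ODK 18.3 bump made elsewhere in this commit. A one-line comment such as `# Provider keys enabled for Chrome builds (see <tracking bug>).` would record why it is now on. The cc_library rule starts and ends outside the hunk.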
@@ -198,13 +198,15 @@ std::string GenerateCoreMessage(const std::string& serialized_request,
 constexpr uint32_t nonce = 0xdeadbeef;
 ODK_NonceValues nonce_values{api_minor_version, api_major_version, nonce,
 session_id};
+ ODK_MessageCounterInfo counters{};
 // Start by making a call to determine how big the core_message for the
 // request needs to be.
 size_t core_message_length = 0;
 auto odk_result = ODK_PrepareCoreLicenseRequest(
 reinterpret_cast(const_cast(serialized_request.data())),
- serialized_request.size(), &core_message_length, &nonce_values);
+ serialized_request.size(), &core_message_length, &nonce_values,
+ &counters);
 CHECK_EQ(odk_result, OEMCrypto_ERROR_SHORT_BUFFER);
 // Now that we know the size, create |combined_request_message| with room
@@ -216,7 +218,8 @@ std::string GenerateCoreMessage(const std::string& serialized_request,
 odk_result = ODK_PrepareCoreLicenseRequest(
 reinterpret_cast(
 const_cast(combined_request_message.data())),
- combined_request_message.size(), &core_message_length, &nonce_values);
+ combined_request_message.size(), &core_message_length, &nonce_values,
+ &counters);
 CHECK_EQ(odk_result, OEMCrypto_SUCCESS);
 // As the core_message is the first part of |combined_request_message|,
@@ -513,6 +516,8 @@ uint16_t GetOdkMajorVersion(TestLicenseBuilder::OdkVersion odk_version) {
 return 16;
 case TestLicenseBuilder::OdkVersion::k17_1:
 return 17;
+ case TestLicenseBuilder::OdkVersion::k18_3:
+ return 18;
 case TestLicenseBuilder::OdkVersion::kNone:
 DCHECK(false);
 return 0;
@@ -525,6 +530,7 @@ uint16_t GetOdkMajorVersion(TestLicenseBuilder::OdkVersion odk_version) {
 uint16_t GetOdkMinorVersion(TestLicenseBuilder::OdkVersion odk_version) {
 switch (odk_version) {
 case TestLicenseBuilder::OdkVersion::k16_3:
+ case TestLicenseBuilder::OdkVersion::k18_3:
 case TestLicenseBuilder::OdkVersion::k99:
 return 3;
 case TestLicenseBuilder::OdkVersion::k16_5:
diff --git a/whitebox/api/test_license_builder.h b/whitebox/api/test_license_builder.h
index 26c9e1e..14dd144 100644
--- a/whitebox/api/test_license_builder.h
+++ b/whitebox/api/test_license_builder.h
@@ -57,6 +57,7 @@ class TestLicenseBuilder {
 k16_3, // ODK version 16.3
 k16_5, // ODK version 16.5
 k17_1, // ODK version 17.1
+ k18_3, // ODK version 18.3
 k99, // ODK 16.3, but with the version set to 99 (an arbitrary value).
 };
diff --git a/whitebox/crypto_utils/rsa_key.cc b/whitebox/crypto_utils/rsa_key.cc
index 47e50c7..49b7173 100644
--- a/whitebox/crypto_utils/rsa_key.cc
+++ b/whitebox/crypto_utils/rsa_key.cc
@@ -44,7 +44,7 @@ namespace {
 bool RsaKeyMatch(const RSA* key1, const RSA* key2) {
 if (!key1 || !key2) return false;
- return BN_cmp(key1->n, key2->n) == 0;
+ return BN_cmp(RSA_get0_n(key1), RSA_get0_n(key2)) == 0;
 }
 std::string OpenSSLErrorString(uint32_t error) {
diff --git a/whitebox/crypto_utils/rsa_util.cc b/whitebox/crypto_utils/rsa_util.cc
index eae8cb6..96d147a 100644
--- a/whitebox/crypto_utils/rsa_util.cc
+++ b/whitebox/crypto_utils/rsa_util.cc
@@ -407,12 +407,12 @@ bool ConvertToCarmichaelTotient(RSA* rsa) {
 bssl::UniquePtr d(BN_new());
 // This calculates d = e^-1 (mod lcm(p-1, q-1)).
 // This is equivalent to what is used in RSA_generate_key in BoringSSL.
- if (!BN_sub(pm1.get(), rsa->p, BN_value_one()) ||
- !BN_sub(qm1.get(), rsa->q, BN_value_one()) ||
+ if (!BN_sub(pm1.get(), RSA_get0_p(rsa), BN_value_one()) ||
+ !BN_sub(qm1.get(), RSA_get0_q(rsa), BN_value_one()) ||
 !BN_mul(totient.get(), pm1.get(), qm1.get(), ctx.get()) ||
 !BN_gcd(gcd.get(), pm1.get(), qm1.get(), ctx.get()) ||
 !BN_div(totient.get(), nullptr, totient.get(), gcd.get(), ctx.get()) ||
- !BN_mod_inverse(d.get(), rsa->e, totient.get(), ctx.get())) {
+ !BN_mod_inverse(d.get(), RSA_get0_e(rsa), totient.get(), ctx.get())) {
 return false;
 }
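Review bot: `RsaKeyMatch` in whitebox/crypto_utils/rsa_key.cc guards only the two key pointers, so an RSA object that has no modulus set reaches `BN_cmp` with a null operand returned by `RSA_get0_n`. BN_cmp in OpenSSL-derived libraries is commonly written to treat two null operands as equal (worth confirming for the pinned BoringSSL), which would make two empty keys "match". I would fetch the moduli first and require both to be present: `const BIGNUM* n1 = RSA_get0_n(key1);`, `const BIGNUM* n2 = RSA_get0_n(key2);`, `return n1 && n2 && BN_cmp(n1, n2) == 0;`. A short comment stating that only the modulus is compared, not the public exponent, would also help callers judge what a match means.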
@@ -423,11 +423,10 @@ bool ConvertToCarmichaelTotient(RSA* rsa) {
 return false;
 }
- // TODO(user): Replace this with |RSA_set0_key| once BoringSSL has
- // finished transitioning to the OpenSSL 1.1.0 API.
- BN_free(rsa->d);
- rsa->d = d.release();
-
+ if (!RSA_set0_key(rsa, BN_dup(RSA_get0_n(rsa)), BN_dup(RSA_get0_e(rsa)),
+ d.release())) {
+ return false;
+ }
 if (!RSA_check_key(rsa)) {
 return false;
 }
diff --git a/whitebox/reference/impl/odk.cc b/whitebox/reference/impl/odk.cc
index 1164c7a..20ffea8 100644
--- a/whitebox/reference/impl/odk.cc
+++ b/whitebox/reference/impl/odk.cc
@@ -28,6 +28,8 @@ WB_Result GetODKContext(const std::string& combined_message,
 // By using initial_license_load==false, ODK won't validate the nonce.
 #if ODK_MAJOR_VERSION == 16
 uint8_t request_hash[16];
+#elif ODK_MAJOR_VERSION == 18
+ uint64_t clock_value = 0;
 #endif
 for (bool usage_entry_present : {false, true}) {
 // Parse using both values for |usage_entry_present|, it needs to match the
@@ -40,8 +42,14 @@ WB_Result GetODKContext(const std::string& combined_message,
 /* initial_license_load= */ false, usage_entry_present,
 #if ODK_MAJOR_VERSION == 16
 request_hash,
+#elif ODK_MAJOR_VERSION == 18
+ clock_value,
 #endif
- &timer, &clock, &nonce, &context->license);
+ &timer, &clock, &nonce, &context->license
+#if ODK_MAJOR_VERSION == 18
+ , &clock_value
+#endif
+ );
 if (result != ODK_ERROR_CORE_MESSAGE) break;
 }
 if (result != OEMCrypto_SUCCESS) {
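Review bot: In the second rsa_util.cc hunk, the setter's arguments are created and released before the call, so if `RSA_set0_key` returns 0 the two `BN_dup` copies and the released private exponent `d` are leaked on the `return false` path, and a failed `BN_dup` is never checked. The OpenSSL 1.1.0 API documents that passing null for n and e keeps the values the key already has, so the duplicates are not needed; please confirm the pinned BoringSSL follows the same contract. I would write `if (!RSA_set0_key(rsa, nullptr, nullptr, d.get())) return false;` followed by `(void)d.release();  // rsa owns d now`, so that `d` is still freed by its UniquePtr when the call fails. ConvertToCarmichaelTotient starts and ends outside the hunk.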
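Review bot: In odk.cc the single `uint64_t clock_value` declared in the first hunk is passed twice in the second hunk, by value as `clock_value,` and by address as `, &clock_value`, inside a loop that may call the parser twice. If the trailing pointer is an output (the signature is not visible here), whatever the first pass writes becomes the by-value input of the second pass, and the name is easy to confuse with the existing `clock`. Two variables would keep the roles apart, e.g. `uint64_t system_time_seconds = 0;` and `uint64_t timer_value = 0;`, passed as `system_time_seconds,` and `, &timer_value`. The guards also test `== 18` exactly, so a later major version gets neither argument; `>= 18` may be what is intended. GetODKContext starts and ends outside both hunks.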