Bug 1245053, landing NSS_3_23_BETA5, r=mt

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_23_BETA4
+NSS_3_23_BETA5

security/nss/circle.yml

@@ -5,15 +5,14 @@ checkout:
 test:
     override:
         - make nss_build_all
-        - cd tests; NSS_TESTS=ssl_gtests NSS_CYCLES=standard ./all.sh
+        - cd tests; NSS_TESTS="ssl_gtests pk11_gtests der_gtests" NSS_CYCLES=standard ./all.sh
         - BUILD_OPT=1 make nss_build_all
-        - cd tests; BUILD_OPT=1 NSS_TESTS=ssl_gtests NSS_CYCLES=standard ./all.sh
+        - cd tests; BUILD_OPT=1 NSS_TESTS="ssl_gtests pk11_gtests der_gtests" NSS_CYCLES=standard ./all.sh
 
 machine:
     environment:
         { USE_64: 1,
           NSS_ENABLE_TLS_1_3: 1,
-          NSS_BUILD_GTESTS: 1,
         }
     hosts:
 

security/nss/cmd/bltest/blapitest.c

@@ -613,6 +613,17 @@ typedef SECStatus (* bltestSymmCipherFn)(void *cx,
 					 const unsigned char *input,
 					 unsigned int inputLen);
 
+typedef SECStatus (* bltestAEADFn)(void *cx,
+                                   unsigned char *output,
+                                   unsigned int *outputLen,
+                                   unsigned int maxOutputLen,
+                                   const unsigned char *input,
+                                   unsigned int inputLen,
+                                   const unsigned char *nonce,
+                                   unsigned int nonceLen,
+                                   const unsigned char *ad,
+                                   unsigned int adLen);
+
 typedef SECStatus (* bltestPubKeyCipherFn)(void *key,
 					   SECItem *output,
 					   const SECItem *input);
@@ -646,6 +657,7 @@ typedef enum {
     bltestCAMELLIA_CBC,   /* .                     */
     bltestSEED_ECB,       /* SEED algorithm	   */
     bltestSEED_CBC,       /* SEED algorithm	   */
+    bltestCHACHA20,       /* ChaCha20 + Poly1305   */
     bltestRSA,            /* Public Key Ciphers    */
     bltestRSA_OAEP,       /* . (Public Key Enc.)   */
     bltestRSA_PSS,        /* . (Public Key Sig.)   */
@@ -685,6 +697,7 @@ static char *mode_strings[] =
     "camellia_cbc",
     "seed_ecb",
     "seed_cbc",
+    "chacha20_poly1305",
     "rsa",
     "rsa_oaep",
     "rsa_pss",
@@ -805,6 +818,7 @@ struct  bltestCipherInfoStr {
     /* Cipher function (encrypt/decrypt/sign/verify/hash) */
     union {
 	bltestSymmCipherFn   symmkeyCipher;
+	bltestAEADFn         aeadCipher;
 	bltestPubKeyCipherFn pubkeyCipher;
 	bltestHashCipherFn   hashCipher;
     } cipher;
@@ -826,26 +840,45 @@ is_symmkeyCipher(bltestCipherMode mode)
     return PR_FALSE;
 }
 
+PRBool
+is_aeadCipher(bltestCipherMode mode)
+{
+    /* change as needed! */
+    switch (mode) {
+	case bltestCHACHA20:
+	    return PR_TRUE;
+	default:
+	    return PR_FALSE;
+    }
+}
+
 PRBool
 is_authCipher(bltestCipherMode mode)
 {
     /* change as needed! */
-    if (mode == bltestAES_GCM)
+    switch (mode) {
+	case bltestAES_GCM:
+	case bltestCHACHA20:
 	    return PR_TRUE;
+	default:
 	    return PR_FALSE;
     }
+}
 
 
 PRBool
 is_singleShotCipher(bltestCipherMode mode)
 {
     /* change as needed! */
-    if (mode == bltestAES_GCM)
-	return PR_TRUE;
-    if (mode == bltestAES_CTS)
+    switch (mode) {
+	case bltestAES_GCM:
+	case bltestAES_CTS:
+	case bltestCHACHA20:
 	    return PR_TRUE;
+	default:
 	    return PR_FALSE;
     }
+}
 
 PRBool
 is_pubkeyCipher(bltestCipherMode mode)
@@ -878,17 +911,25 @@ PRBool
 cipher_requires_IV(bltestCipherMode mode)
 {
     /* change as needed! */
-    if (mode == bltestDES_CBC || mode == bltestDES_EDE_CBC ||
-	mode == bltestRC2_CBC || 
+    switch (mode) {
+	case bltestDES_CBC:
+	case bltestDES_EDE_CBC:
+	case bltestRC2_CBC:
 #ifdef NSS_SOFTOKEN_DOES_RC5
-	mode == bltestRC5_CBC ||
+	case bltestRC5_CBC:
 #endif
-	mode == bltestAES_CBC || mode == bltestAES_CTS || 
-	mode == bltestAES_CTR || mode == bltestAES_GCM ||
-	mode == bltestCAMELLIA_CBC || mode == bltestSEED_CBC)
+	case bltestAES_CBC:
+	case bltestAES_CTS:
+	case bltestAES_CTR:
+	case bltestAES_GCM:
+	case bltestCAMELLIA_CBC:
+	case bltestSEED_CBC:
+	case bltestCHACHA20:
 	    return PR_TRUE;
+	default:
 	    return PR_FALSE;
     }
+}
 
 SECStatus finishIO(bltestIO *output, PRFileDesc *file);
 
@@ -1126,6 +1167,30 @@ aes_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
                        input, inputLen);
 }
 
+SECStatus
+chacha20_poly1305_Encrypt(void *cx, unsigned char *output,
+                         unsigned int *outputLen, unsigned int maxOutputLen,
+                         const unsigned char *input, unsigned int inputLen,
+                         const unsigned char *nonce, unsigned int nonceLen,
+                         const unsigned char *ad, unsigned int adLen)
+{
+    return ChaCha20Poly1305_Seal((ChaCha20Poly1305Context *)cx, output,
+                                 outputLen, maxOutputLen, input, inputLen,
+                                 nonce, nonceLen, ad, adLen);
+}
+
+SECStatus
+chacha20_poly1305_Decrypt(void *cx, unsigned char *output,
+                         unsigned int *outputLen, unsigned int maxOutputLen,
+                         const unsigned char *input, unsigned int inputLen,
+                         const unsigned char *nonce, unsigned int nonceLen,
+                         const unsigned char *ad, unsigned int adLen)
+{
+    return ChaCha20Poly1305_Open((ChaCha20Poly1305Context *)cx, output,
+                                 outputLen, maxOutputLen, input, inputLen,
+                                 nonce, nonceLen, ad, adLen);
+}
+
 SECStatus
 camellia_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
 		 unsigned int maxOutputLen, const unsigned char *input,
@@ -1575,6 +1640,21 @@ bltest_seed_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
 	return SECSuccess;
 }
 
+SECStatus
+bltest_chacha20_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
+{
+    const unsigned int tagLen = 16;
+    const bltestSymmKeyParams *sk = &cipherInfo->params.sk;
+    cipherInfo->cx = ChaCha20Poly1305_CreateContext(sk->key.buf.data,
+                                                    sk->key.buf.len, tagLen);
+
+    if (encrypt)
+	cipherInfo->cipher.aeadCipher = chacha20_poly1305_Encrypt;
+    else
+	cipherInfo->cipher.aeadCipher = chacha20_poly1305_Decrypt;
+    return SECSuccess;
+}
+
 SECStatus
 bltest_rsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
 {
@@ -2226,6 +2306,11 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
 			  cipherInfo->input.pBuf.len);
 	return bltest_seed_init(cipherInfo, encrypt);
 	break;
+    case bltestCHACHA20:
+	outlen = cipherInfo->input.pBuf.len + (encrypt ? 16 : 0);
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, outlen);
+	return bltest_chacha20_init(cipherInfo, encrypt);
+	break;
     case bltestRSA:
     case bltestRSA_OAEP:
     case bltestRSA_PSS:
@@ -2376,6 +2461,55 @@ cipherDoOp(bltestCipherInfo *cipherInfo)
             }
         }
         TIMEFINISH(cipherInfo->optime, 1.0);
+    } else if (is_aeadCipher(cipherInfo->mode)) {
+        const unsigned char *input = cipherInfo->input.pBuf.data;
+        unsigned int inputLen = cipherInfo->input.pBuf.len;
+        unsigned char *output = cipherInfo->output.pBuf.data;
+        unsigned int outputLen;
+        bltestSymmKeyParams *sk = &cipherInfo->params.sk;
+        bltestAuthSymmKeyParams *ask = &cipherInfo->params.ask;
+
+        TIMESTART();
+        rv = (*cipherInfo->cipher.aeadCipher)(
+                cipherInfo->cx,
+                output, &outputLen, maxLen,
+                input, inputLen,
+                sk->iv.buf.data, sk->iv.buf.len,
+                ask->aad.buf.data, ask->aad.buf.len);
+        CHECKERROR(rv, __LINE__);
+        cipherInfo->output.pBuf.len = outputLen;
+        TIMEFINISH(cipherInfo->optime, 1.0);
+
+        cipherInfo->repetitions = 0;
+        if (cipherInfo->repetitionsToPerfom != 0) {
+            TIMESTART();
+            for (i=0; i<cipherInfo->repetitionsToPerfom; i++,
+                     cipherInfo->repetitions++) {
+                rv = (*cipherInfo->cipher.aeadCipher)(
+                        cipherInfo->cx,
+                        output, &outputLen, maxLen,
+                        input, inputLen,
+                        sk->iv.buf.data, sk->iv.buf.len,
+                        ask->aad.buf.data, ask->aad.buf.len);
+                CHECKERROR(rv, __LINE__);
+            }
+        } else {
+            int opsBetweenChecks = 0;
+            TIMEMARK(cipherInfo->seconds);
+            while (! (TIMETOFINISH())) {
+                int j = 0;
+                for (;j < opsBetweenChecks;j++) {
+                    (*cipherInfo->cipher.aeadCipher)(
+                            cipherInfo->cx,
+                            output, &outputLen, maxLen,
+                            input, inputLen,
+                            sk->iv.buf.data, sk->iv.buf.len,
+                            ask->aad.buf.data, ask->aad.buf.len);
+                }
+                cipherInfo->repetitions += j;
+            }
+        }
+        TIMEFINISH(cipherInfo->optime, 1.0);
     } else if (is_pubkeyCipher(cipherInfo->mode)) {
         TIMESTART();
         rv = (*cipherInfo->cipher.pubkeyCipher)(cipherInfo->cx,
@@ -2477,6 +2611,10 @@ cipherFinish(bltestCipherInfo *cipherInfo)
     case bltestSEED_CBC:
 	SEED_DestroyContext((SEEDContext *)cipherInfo->cx, PR_TRUE);
 	break;
+    case bltestCHACHA20:
+	ChaCha20Poly1305_DestroyContext((ChaCha20Poly1305Context *)
+                                        cipherInfo->cx, PR_TRUE);
+	break;
     case bltestRC2_ECB:
     case bltestRC2_CBC:
 	RC2_DestroyContext((RC2Context *)cipherInfo->cx, PR_TRUE);
@@ -2808,6 +2946,7 @@ get_params(PLArenaPool *arena, bltestParams *params,
 #endif
     switch (mode) {
     case bltestAES_GCM:
+    case bltestCHACHA20:
 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "aad", j);
 	load_file_data(arena, &params->ask.aad, filename, bltestBinary);
     case bltestDES_CBC:
@@ -3753,7 +3892,8 @@ print_usage:
         /* Set up an encryption key. */
         keysize = 0;
         file = NULL;
-        if (is_symmkeyCipher(cipherInfo->mode)) {
+        if (is_symmkeyCipher(cipherInfo->mode) ||
+	    is_aeadCipher(cipherInfo->mode)) {
             char *keystr = NULL;  /* if key is on command line */
             if (bltest.options[opt_Key].activated) {
                 if (bltest.options[opt_CmdLine].activated) {

security/nss/cmd/bltest/tests/chacha20_poly1305/aad0

@@ -0,0 +1 @@
+PQRSﾀﾁﾂﾃﾄﾅﾆﾇ

security/nss/cmd/bltest/tests/chacha20_poly1305/ciphertext0

@@ -0,0 +1 @@
+0xqNNGSOYNt7hq+8U+9+wqSt7VEpbgj+qeK1pzbuYtY9vqRejKlnEoL6+2naknKLGnHeCp4GCykF1qW2fs07NpLdvX8td4uMmAOu4ygJG1j6syTk+tZ1lFWFgItIMde8P/Te8I5Lep3ldtJlhs7GS2EWGuELWU8J4mp+kC7L0GAGkQ==

security/nss/cmd/bltest/tests/chacha20_poly1305/ciphertext1

@@ -0,0 +1 @@
+ZKCGFXWGGvRg8GLHm+ZDvV6AXP00XPOJ8QhnCsdsjLJMbPwYdV1D7qCe6U44LSawvbe3PDIbAQDU8Dt/NViUzzMvgw5xC5fOmMioSr0LlIEUrRduAI0zvWD5grH/N8hVl5egbvTw72HBhjJOKzUGODYGkHtqfAKw+fYVe1PIZ+S5Fmx2e4BNRqWbUhbN56TpkEDFpAQzIl7igqGwoGxSPq9FNNf4P6EVWwBHcYy8VGoNBysEs1ZO6htCInP1SCcaC7IxYFP6dpkZVevWMVlDTs67TkZtrloQc6ZydicJehBJ5hfZHTYQlPpo8P93mHEwMFvqui7aBN+Ze3FNbG8sKaatXLQCKwJwm+6tnWeJDLsiOSM2/qGFHzg=

security/nss/cmd/bltest/tests/chacha20_poly1305/key0

@@ -0,0 +1 @@
+€≠ヤ<EFBFBD>㊧炎旧克署葬灯楓利劒屆撼<EFBFBD>

security/nss/cmd/bltest/tests/chacha20_poly1305/key1

@@ -0,0 +1 @@
+<1C>@<40><>Uӊ<55>3<EFBFBD><33><04><><EFBFBD>G9<17>@+<2B>	<09><>\<5C> pu<70>

security/nss/cmd/bltest/tests/chacha20_poly1305/numtests

@@ -0,0 +1 @@
+2

security/nss/cmd/bltest/tests/chacha20_poly1305/plaintext0

@@ -0,0 +1 @@
+Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it.

security/nss/cmd/bltest/tests/chacha20_poly1305/plaintext1

@@ -0,0 +1 @@
+Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as /“work in progress./”

security/nss/cmd/ssltap/ssltap.c

@@ -443,6 +443,10 @@ const char * V2CipherString(int cs_int)
   case 0x00C02C:    cs_str = "TLS/ECDHE-ECDSA/AES256-GCM/SHA384"; break;
   case 0x00C02F:    cs_str = "TLS/ECDHE-RSA/AES128-GCM/SHA256"; break;
 
+  case 0x00CCA8:    cs_str = "TLS/ECDHE-RSA/CHACHA20-POLY1305/SHA256"; break;
+  case 0x00CCA9:    cs_str = "TLS/ECDHE-ECDSA/CHACHA20-POLY1305/SHA256"; break;
+  case 0x00CCAA:    cs_str = "TLS/DHE-RSA/CHACHA20-POLY1305/SHA256"; break;
+
   case 0x00FEFF:    cs_str = "SSL3/RSA-FIPS/3DESEDE-CBC/SHA";	break;
   case 0x00FEFE:    cs_str = "SSL3/RSA-FIPS/DES-CBC/SHA";	break;
   case 0x00FFE1:    cs_str = "SSL3/RSA-FIPS/DES56-CBC/SHA";     break;

security/nss/coreconf/Werror.mk

@@ -7,6 +7,7 @@
 
 ifndef CC_IS_GCC
   CC_IS_GCC := $(shell $(CC) -x c -E -Wall -Werror /dev/null >/dev/null 2>&1 && echo 1)
+  # Export CC_IS_GCC to save a shell invocation when recursing.
   export CC_IS_GCC
 endif
 
@@ -16,9 +17,18 @@ ifndef CC_NAME
   else
     CC_NAME := $(notdir $(CC))
   endif
+  # Export CC_NAME to save a shell invocation when recursing.
   export CC_NAME
 endif
 
+ifndef GCC_VERSION
+  ifeq (1,$(CC_IS_GCC))
+    GCC_VERSION := $(subst ., ,$(shell $(CC) -dumpversion || echo x.x.x))
+    # Export GCC_VERSION to save a shell invocation when recursing.
+    export GCC_VERSION
+  endif
+endif
+
 ifndef WARNING_CFLAGS
   ifneq (1,$(CC_IS_GCC))
     WARNING_CFLAGS = $(NULL)
@@ -55,20 +65,19 @@ ifndef WARNING_CFLAGS
         ifeq ($(CC_NAME),clang)
           # Clang reports its version as an older gcc, but it's OK
           NSS_ENABLE_WERROR = 1
-        else
-          CC_VERSION := $(subst ., ,$(shell $(CC) -dumpversion))
-          ifneq (,$(filter 4.8 4.9,$(word 1,$(CC_VERSION)).$(word 2,$(CC_VERSION))))
+        else ifeq ($(CC_NAME),gcc)
+          ifneq (,$(filter 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
             NSS_ENABLE_WERROR = 1
           endif
-          ifeq (,$(filter 0 1 2 3 4,$(word 1,$(CC_VERSION))))
+          ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
             NSS_ENABLE_WERROR = 1
           endif
+        endif
         ifndef NSS_ENABLE_WERROR
           $(warning Unable to find gcc 4.8 or greater, disabling -Werror)
           NSS_ENABLE_WERROR = 0
         endif
       endif
-      endif
     endif #ndef NSS_ENABLE_WERROR
 
     ifeq ($(NSS_ENABLE_WERROR),1)

security/nss/coreconf/config.mk

@@ -166,6 +166,10 @@ ifdef NSS_DISABLE_DBM
 DEFINES += -DNSS_DISABLE_DBM
 endif
 
+ifdef NSS_DISABLE_CHACHAPOLY
+DEFINES += -DNSS_DISABLE_CHACHAPOLY
+endif
+
 ifdef NSS_PKIX_NO_LDAP
 DEFINES += -DNSS_PKIX_NO_LDAP
 endif

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/external_tests/pk11_gtest/manifest.mn

@@ -7,6 +7,7 @@ DEPTH      = ../..
 MODULE = nss
 
 CPPSRCS = \
+      pk11_chacha20poly1305_unittest.cc \
       pk11_pbkdf2_unittest.cc \
       pk11_prf_unittest.cc \
       pk11_rsapss_unittest.cc \

security/nss/external_tests/pk11_gtest/pk11_chacha20poly1305_unittest.cc

@@ -0,0 +1,277 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nss.h"
+#include "pk11pub.h"
+#include "sechash.h"
+#include <memory>
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+
+namespace nss_test {
+
+// ChaCha20/Poly1305 Test Vector 1, RFC 7539
+// <http://tools.ietf.org/html/rfc7539#section-2.8.2>
+const uint8_t kTestVector1Data[] = {
+  0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x47, 0x65,
+  0x6e, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68,
+  0x65, 0x20, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39,
+  0x39, 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63, 0x6f, 0x75, 0x6c, 0x64,
+  0x20, 0x6f, 0x66, 0x66, 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f, 0x6e,
+  0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20, 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f,
+  0x72, 0x20, 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x2c,
+  0x20, 0x73, 0x75, 0x6e, 0x73, 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
+  0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, 0x74, 0x2e
+};
+const uint8_t kTestVector1AAD[] = {
+  0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7
+};
+const uint8_t kTestVector1Key[] = {
+  0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c,
+  0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99,
+  0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+};
+const uint8_t kTestVector1IV[] = {
+  0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47
+};
+const uint8_t kTestVector1CT[] = {
+  0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb, 0x7b, 0x86, 0xaf, 0xbc, 0x53,
+  0xef, 0x7e, 0xc2, 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe, 0xa9, 0xe2,
+  0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6, 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67,
+  0x12, 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b, 0x1a, 0x71, 0xde, 0x0a,
+  0x9e, 0x06, 0x0b, 0x29, 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36, 0x92,
+  0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c, 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09,
+  0x1b, 0x58, 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94, 0x55, 0x85, 0x80,
+  0x8b, 0x48, 0x31, 0xd7, 0xbc, 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
+  0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b, 0x61, 0x16, 0x1a, 0xe1, 0x0b,
+  0x59, 0x4f, 0x09, 0xe2, 0x6a, 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
+};
+
+// ChaCha20/Poly1305 Test Vector 2, RFC 7539
+// <http://tools.ietf.org/html/rfc7539#appendix-A.5>
+const uint8_t kTestVector2Data[] = {
+  0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61, 0x66,
+  0x74, 0x73, 0x20, 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66, 0x74, 0x20,
+  0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c,
+  0x69, 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20, 0x6d, 0x61, 0x78, 0x69,
+  0x6d, 0x75, 0x6d, 0x20, 0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d, 0x6f,
+  0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x6d, 0x61, 0x79, 0x20,
+  0x62, 0x65, 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x2c, 0x20, 0x72,
+  0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
+  0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x6f,
+  0x74, 0x68, 0x65, 0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74,
+  0x73, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65,
+  0x2e, 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69, 0x6e, 0x61, 0x70, 0x70,
+  0x72, 0x6f, 0x70, 0x72, 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20, 0x75,
+  0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44,
+  0x72, 0x61, 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72, 0x65, 0x66, 0x65,
+  0x72, 0x65, 0x6e, 0x63, 0x65, 0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
+  0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20, 0x63, 0x69, 0x74, 0x65, 0x20,
+  0x74, 0x68, 0x65, 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20, 0x74, 0x68,
+  0x61, 0x6e, 0x20, 0x61, 0x73, 0x20, 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72,
+  0x6b, 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73,
+  0x2e, 0x2f, 0xe2, 0x80, 0x9d
+};
+const uint8_t kTestVector2AAD[] = {
+  0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4e, 0x91
+};
+const uint8_t kTestVector2Key[] = {
+  0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a, 0xf3, 0x33, 0x88, 0x86, 0x04,
+  0xf6, 0xb5, 0xf0, 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09, 0x9d, 0xca,
+  0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
+};
+const uint8_t kTestVector2IV[] = {
+  0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
+};
+const uint8_t kTestVector2CT[] = {
+  0x64, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4, 0x60, 0xf0, 0x62, 0xc7, 0x9b,
+  0xe6, 0x43, 0xbd, 0x5e, 0x80, 0x5c, 0xfd, 0x34, 0x5c, 0xf3, 0x89, 0xf1, 0x08,
+  0x67, 0x0a, 0xc7, 0x6c, 0x8c, 0xb2, 0x4c, 0x6c, 0xfc, 0x18, 0x75, 0x5d, 0x43,
+  0xee, 0xa0, 0x9e, 0xe9, 0x4e, 0x38, 0x2d, 0x26, 0xb0, 0xbd, 0xb7, 0xb7, 0x3c,
+  0x32, 0x1b, 0x01, 0x00, 0xd4, 0xf0, 0x3b, 0x7f, 0x35, 0x58, 0x94, 0xcf, 0x33,
+  0x2f, 0x83, 0x0e, 0x71, 0x0b, 0x97, 0xce, 0x98, 0xc8, 0xa8, 0x4a, 0xbd, 0x0b,
+  0x94, 0x81, 0x14, 0xad, 0x17, 0x6e, 0x00, 0x8d, 0x33, 0xbd, 0x60, 0xf9, 0x82,
+  0xb1, 0xff, 0x37, 0xc8, 0x55, 0x97, 0x97, 0xa0, 0x6e, 0xf4, 0xf0, 0xef, 0x61,
+  0xc1, 0x86, 0x32, 0x4e, 0x2b, 0x35, 0x06, 0x38, 0x36, 0x06, 0x90, 0x7b, 0x6a,
+  0x7c, 0x02, 0xb0, 0xf9, 0xf6, 0x15, 0x7b, 0x53, 0xc8, 0x67, 0xe4, 0xb9, 0x16,
+  0x6c, 0x76, 0x7b, 0x80, 0x4d, 0x46, 0xa5, 0x9b, 0x52, 0x16, 0xcd, 0xe7, 0xa4,
+  0xe9, 0x90, 0x40, 0xc5, 0xa4, 0x04, 0x33, 0x22, 0x5e, 0xe2, 0x82, 0xa1, 0xb0,
+  0xa0, 0x6c, 0x52, 0x3e, 0xaf, 0x45, 0x34, 0xd7, 0xf8, 0x3f, 0xa1, 0x15, 0x5b,
+  0x00, 0x47, 0x71, 0x8c, 0xbc, 0x54, 0x6a, 0x0d, 0x07, 0x2b, 0x04, 0xb3, 0x56,
+  0x4e, 0xea, 0x1b, 0x42, 0x22, 0x73, 0xf5, 0x48, 0x27, 0x1a, 0x0b, 0xb2, 0x31,
+  0x60, 0x53, 0xfa, 0x76, 0x99, 0x19, 0x55, 0xeb, 0xd6, 0x31, 0x59, 0x43, 0x4e,
+  0xce, 0xbb, 0x4e, 0x46, 0x6d, 0xae, 0x5a, 0x10, 0x73, 0xa6, 0x72, 0x76, 0x27,
+  0x09, 0x7a, 0x10, 0x49, 0xe6, 0x17, 0xd9, 0x1d, 0x36, 0x10, 0x94, 0xfa, 0x68,
+  0xf0, 0xff, 0x77, 0x98, 0x71, 0x30, 0x30, 0x5b, 0xea, 0xba, 0x2e, 0xda, 0x04,
+  0xdf, 0x99, 0x7b, 0x71, 0x4d, 0x6c, 0x6f, 0x2c, 0x29, 0xa6, 0xad, 0x5c, 0xb4,
+  0x02, 0x2b, 0x02, 0x70, 0x9b, 0xee, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb, 0x22,
+  0x39, 0x23, 0x36, 0xfe, 0xa1, 0x85, 0x1f, 0x38
+};
+
+class Pkcs11ChaCha20Poly1305Test : public ::testing::Test {
+ public:
+  void EncryptDecrypt(PK11SymKey* symKey,
+                      const uint8_t* data, size_t data_len,
+                      const uint8_t* aad, size_t aad_len,
+                      const uint8_t* iv, size_t iv_len,
+                      const uint8_t* ct = nullptr, size_t ct_len = 0)
+  {
+    // Prepare AEAD params.
+    CK_NSS_AEAD_PARAMS aead_params;
+    aead_params.pNonce = toUcharPtr(iv);
+    aead_params.ulNonceLen = iv_len;
+    aead_params.pAAD = toUcharPtr(aad);
+    aead_params.ulAADLen = aad_len;
+    aead_params.ulTagLen = 16;
+
+    SECItem params = { siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
+                       sizeof(aead_params) };
+
+    // Encrypt.
+    unsigned int outputLen = 0;
+    std::vector<uint8_t> output(data_len + aead_params.ulTagLen);
+    SECStatus rv = PK11_Encrypt(symKey, mech, &params, &output[0], &outputLen,
+                                output.size(), data, data_len);
+    EXPECT_EQ(rv, SECSuccess);
+
+    // Check ciphertext and tag.
+    if (ct) {
+      EXPECT_TRUE(!memcmp(ct, &output[0], outputLen));
+    }
+
+    // Decrypt.
+    unsigned int decryptedLen = 0;
+    std::vector<uint8_t> decrypted(data_len);
+    rv = PK11_Decrypt(symKey, mech, &params, &decrypted[0], &decryptedLen,
+                      decrypted.size(), &output[0], outputLen);
+    EXPECT_EQ(rv, SECSuccess);
+
+    // Check the plaintext.
+    EXPECT_TRUE(!memcmp(data, &decrypted[0], decryptedLen));
+
+    // Decrypt with bogus data.
+    {
+      std::vector<uint8_t> bogusCiphertext(output);
+      bogusCiphertext[0] ^= 0xff;
+      rv = PK11_Decrypt(symKey, mech, &params, &decrypted[0], &decryptedLen,
+                        decrypted.size(), &bogusCiphertext[0], outputLen);
+      EXPECT_NE(rv, SECSuccess);
+    }
+
+    // Decrypt with bogus tag.
+    {
+      std::vector<uint8_t> bogusTag(output);
+      bogusTag[outputLen - 1] ^= 0xff;
+      rv = PK11_Decrypt(symKey, mech, &params, &decrypted[0], &decryptedLen,
+                        decrypted.size(), &bogusTag[0], outputLen);
+      EXPECT_NE(rv, SECSuccess);
+    }
+
+    // Decrypt with bogus IV.
+    {
+      SECItem bogusParams(params);
+      CK_NSS_AEAD_PARAMS bogusAeadParams(aead_params);
+      bogusParams.data = reinterpret_cast<unsigned char*>(&bogusAeadParams);
+
+      std::vector<uint8_t> bogusIV(iv, iv + iv_len);
+      bogusAeadParams.pNonce = toUcharPtr(&bogusIV[0]);
+      bogusIV[0] ^= 0xff;
+
+      rv = PK11_Decrypt(symKey, mech, &bogusParams, &decrypted[0],
+                        &decryptedLen, data_len, &output[0], outputLen);
+      EXPECT_NE(rv, SECSuccess);
+    }
+
+    // Decrypt with bogus additional data.
+    {
+      SECItem bogusParams(params);
+      CK_NSS_AEAD_PARAMS bogusAeadParams(aead_params);
+      bogusParams.data = reinterpret_cast<unsigned char*>(&bogusAeadParams);
+
+      std::vector<uint8_t> bogusAAD(aad, aad + aad_len);
+      bogusAeadParams.pAAD = toUcharPtr(&bogusAAD[0]);
+      bogusAAD[0] ^= 0xff;
+
+      rv = PK11_Decrypt(symKey, mech, &bogusParams, &decrypted[0],
+                        &decryptedLen, data_len, &output[0], outputLen);
+      EXPECT_NE(rv, SECSuccess);
+    }
+  }
+
+  void EncryptDecrypt(const uint8_t* key, size_t key_len,
+                      const uint8_t* data, size_t data_len,
+                      const uint8_t* aad, size_t aad_len,
+                      const uint8_t* iv, size_t iv_len,
+                      const uint8_t* ct, size_t ct_len)
+  {
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    SECItem keyItem = { siBuffer, toUcharPtr(key),
+                        static_cast<unsigned int>(key_len) };
+
+    // Import key.
+    ScopedPK11SymKey symKey(PK11_ImportSymKey(slot.get(), mech,
+                                              PK11_OriginUnwrap, CKA_ENCRYPT,
+                                              &keyItem, nullptr));
+    EXPECT_TRUE(!!symKey);
+
+    // Check.
+    EncryptDecrypt(symKey.get(), data, data_len, aad, aad_len, iv, iv_len, ct,
+                   ct_len);
+  }
+
+ protected:
+  CK_MECHANISM_TYPE mech = CKM_NSS_CHACHA20_POLY1305;
+
+  unsigned char* toUcharPtr(const uint8_t* v) {
+    return const_cast<unsigned char*>(
+      static_cast<const unsigned char*>(v));
+  }
+};
+
+#define ENCRYPT_DECRYPT(v) \
+  EncryptDecrypt(v ## Key, sizeof(v ## Key), \
+                 v ## Data, sizeof(v ## Data), \
+                 v ## AAD, sizeof(v ## AAD), \
+                 v ## IV, sizeof(v ## IV), \
+                 v ## CT, sizeof(v ## CT));
+
+TEST_F(Pkcs11ChaCha20Poly1305Test, GenerateEncryptDecrypt) {
+  // Generate a random key.
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+  ScopedPK11SymKey symKey(PK11_KeyGen(slot.get(), mech, nullptr, 32, nullptr));
+  EXPECT_TRUE(!!symKey);
+
+  // Generate random data.
+  std::vector<uint8_t> data(512);
+  SECStatus rv = PK11_GenerateRandomOnSlot(slot.get(), &data[0], data.size());
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Generate random AAD.
+  std::vector<uint8_t> aad(16);
+  rv = PK11_GenerateRandomOnSlot(slot.get(), &aad[0], aad.size());
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Generate random IV.
+  std::vector<uint8_t> iv(12);
+  rv = PK11_GenerateRandomOnSlot(slot.get(), &iv[0], iv.size());
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Check.
+  EncryptDecrypt(symKey.get(), &data[0], data.size(), &aad[0], aad.size(),
+                 &iv[0], iv.size());
+}
+
+TEST_F(Pkcs11ChaCha20Poly1305Test, CheckTestVector1) {
+  ENCRYPT_DECRYPT(kTestVector1);
+}
+
+TEST_F(Pkcs11ChaCha20Poly1305Test, CheckTestVector2) {
+  ENCRYPT_DECRYPT(kTestVector2);
+}
+
+}  // namespace nss_test
+

security/nss/external_tests/ssl_gtest/libssl_internals.c

@@ -24,3 +24,24 @@ SSLInt_IncrementClientHandshakeVersion(PRFileDesc *fd)
 
     return SECSuccess;
 }
+
+PRUint32
+SSLInt_DetermineKEABits(PRUint16 serverKeyBits, SSLAuthType authAlgorithm) {
+    // For ECDSA authentication we expect a curve for key exchange with the
+    // same strength as the one used for the certificate's signature.
+    if (authAlgorithm == ssl_auth_ecdsa) {
+        return serverKeyBits;
+    }
+
+    PORT_Assert(authAlgorithm == ssl_auth_rsa);
+    PRUint32 minKeaBits;
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+    // P-192 is the smallest curve we want to use.
+    minKeaBits = 192U;
+#else
+    // P-256 is the smallest supported curve.
+    minKeaBits = 256U;
+#endif
+
+    return PR_MAX(SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyBits), minKeaBits);
+}

security/nss/external_tests/ssl_gtest/libssl_internals.h

@@ -9,9 +9,13 @@
 
 #include "prio.h"
 #include "seccomon.h"
+#include "sslt.h"
 
 SECStatus SSLInt_IncrementClientHandshakeVersion(PRFileDesc *fd);
 
+PRUint32 SSLInt_DetermineKEABits(PRUint16 serverKeyBits,
+                                 SSLAuthType authAlgorithm);
+
 #endif
 
 

security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc

@@ -108,6 +108,29 @@ class TlsServerKeyExchangeEcdhe {
   DataBuffer public_key_;
 };
 
+class TlsChaCha20Poly1305Test : public TlsConnectTls12 {
+ public:
+  void ConnectSendReceive(PRUint32 cipher_suite)
+  {
+    // Disable all ciphers.
+    client_->DisableCiphersByKeyExchange(ssl_kea_rsa);
+    client_->DisableCiphersByKeyExchange(ssl_kea_dh);
+    client_->DisableCiphersByKeyExchange(ssl_kea_ecdh);
+
+    // Re-enable ChaCha20/Poly1305.
+    SECStatus rv = SSL_CipherPrefSet(client_->ssl_fd(), cipher_suite, PR_TRUE);
+    EXPECT_EQ(SECSuccess, rv);
+
+    Connect();
+    SendReceive();
+
+    // Check that we used the right cipher suite.
+    int16_t actual, expected = static_cast<int16_t>(cipher_suite);
+    EXPECT_TRUE(client_->cipher_suite(&actual) && actual == expected);
+    EXPECT_TRUE(server_->cipher_suite(&actual) && actual == expected);
+  }
+};
+
 TEST_P(TlsConnectGeneric, SetupOnly) {}
 
 TEST_P(TlsConnectGeneric, Connect) {
@@ -542,6 +565,19 @@ TEST_P(TlsConnectGeneric, ConnectSendReceive) {
   SendReceive();
 }
 
+TEST_P(TlsChaCha20Poly1305Test, SendReceiveChaCha20Poly1305DheRsa) {
+  ConnectSendReceive(TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
+}
+
+TEST_P(TlsChaCha20Poly1305Test, SendReceiveChaCha20Poly1305EcdheRsa) {
+  ConnectSendReceive(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
+}
+
+TEST_P(TlsChaCha20Poly1305Test, SendReceiveChaCha20Poly1305EcdheEcdsa) {
+  ResetEcdsa();
+  ConnectSendReceive(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
+}
+
 // The next two tests takes advantage of the fact that we
 // automatically read the first 1024 bytes, so if
 // we provide 1200 bytes, they overrun the read buffer
@@ -946,6 +982,8 @@ INSTANTIATE_TEST_CASE_P(VersionsDatagram, TlsConnectDatagram,
                         TlsConnectTestBase::kTlsV11V12);
 INSTANTIATE_TEST_CASE_P(Variants12, TlsConnectTls12,
                         TlsConnectTestBase::kTlsModesAll);
+INSTANTIATE_TEST_CASE_P(Variants12, TlsChaCha20Poly1305Test,
+                        TlsConnectTestBase::kTlsModesAll);
 INSTANTIATE_TEST_CASE_P(Pre12Stream, TlsConnectPre12,
                         ::testing::Combine(
                           TlsConnectTestBase::kTlsModesStream,

security/nss/external_tests/ssl_gtest/tls_agent.cc

@@ -13,6 +13,11 @@
 #include "keyhi.h"
 #include "databuffer.h"
 
+extern "C" {
+// This is not something that should make you happy.
+#include "libssl_internals.h"
+}
+
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
@@ -195,6 +200,7 @@ void TlsAgent::DisableCiphersByKeyExchange(SSLKEAType kea) {
     SECStatus rv = SSL_GetCipherSuiteInfo(SSL_ImplementedCiphers[i],
                                           &csinfo, sizeof(csinfo));
     ASSERT_EQ(SECSuccess, rv);
+    EXPECT_EQ(sizeof(csinfo), csinfo.length);
 
     if (csinfo.keaType == kea) {
       rv = SSL_CipherPrefSet(ssl_fd_, SSL_ImplementedCiphers[i], PR_FALSE);
@@ -291,9 +297,12 @@ void TlsAgent::CheckKEAType(SSLKEAType type) const {
   EXPECT_EQ(STATE_CONNECTED, state_);
   EXPECT_EQ(type, csinfo_.keaType);
 
+  PRUint32 ecKEAKeyBits = SSLInt_DetermineKEABits(server_key_bits_,
+                                                  csinfo_.authAlgorithm);
+
   switch (type) {
       case ssl_kea_ecdh:
-          EXPECT_EQ(256U, info_.keaKeyBits);
+          EXPECT_EQ(ecKEAKeyBits, info_.keaKeyBits);
           break;
       case ssl_kea_dh:
           EXPECT_EQ(2048U, info_.keaKeyBits);
@@ -378,6 +387,7 @@ void TlsAgent::CheckPreliminaryInfo() {
   SSLPreliminaryChannelInfo info;
   EXPECT_EQ(SECSuccess,
             SSL_GetPreliminaryChannelInfo(ssl_fd_, &info, sizeof(info)));
+  EXPECT_EQ(sizeof(info), info.length);
   EXPECT_TRUE(info.valuesSet & ssl_preinfo_version);
   EXPECT_TRUE(info.valuesSet & ssl_preinfo_cipher_suite);
 
@@ -423,6 +433,7 @@ void TlsAgent::Connected() {
 
   SECStatus rv = SSL_GetChannelInfo(ssl_fd_, &info_, sizeof(info_));
   EXPECT_EQ(SECSuccess, rv);
+  EXPECT_EQ(sizeof(info_), info_.length);
 
   // Preliminary values are exposed through callbacks during the handshake.
   // If either expected values were set or the callbacks were called, check
@@ -432,6 +443,7 @@ void TlsAgent::Connected() {
 
   rv = SSL_GetCipherSuiteInfo(info_.cipherSuite, &csinfo_, sizeof(csinfo_));
   EXPECT_EQ(SECSuccess, rv);
+  EXPECT_EQ(sizeof(csinfo_), csinfo_.length);
 
   SetState(STATE_CONNECTED);
 }

security/nss/lib/freebl/Makefile

@@ -482,6 +482,33 @@ ifndef NSS_DISABLE_ECC
     endif
 endif
 
+# poly1305-donna-x64-sse2-incremental-source.c requires __int128 support
+# in GCC 4.6.0.
+ifeq ($(CC_NAME),clang)
+    HAVE_INT128_SUPPORT = 1
+else ifeq (1,$(CC_IS_GCC))
+    ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
+        HAVE_INT128_SUPPORT = 1
+    endif
+    ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
+        HAVE_INT128_SUPPORT = 1
+    endif
+endif
+
+ifndef NSS_DISABLE_CHACHAPOLY
+    ifeq ($(CPU_ARCH),x86_64)
+        ifdef HAVE_INT128_SUPPORT
+            EXTRA_SRCS += poly1305-donna-x64-sse2-incremental-source.c
+        else
+            EXTRA_SRCS += poly1305.c
+        endif
+        EXTRA_SRCS += chacha20_vec.c
+    else
+        EXTRA_SRCS += poly1305.c
+        EXTRA_SRCS += chacha20.c
+    endif # x86_64
+endif # NSS_DISABLE_CHACHAPOLY
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################

security/nss/lib/freebl/blapi.h

@@ -986,6 +986,35 @@ Camellia_Decrypt(CamelliaContext *cx, unsigned char *output,
 		 unsigned int *outputLen, unsigned int maxOutputLen,
 		 const unsigned char *input, unsigned int inputLen);
 
+/******************************************/
+/*
+** ChaCha20+Poly1305 AEAD
+*/
+
+extern SECStatus ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
+                                              const unsigned char *key,
+                                              unsigned int keyLen,
+                                              unsigned int tagLen);
+
+extern ChaCha20Poly1305Context *ChaCha20Poly1305_CreateContext(
+    const unsigned char *key, unsigned int keyLen, unsigned int tagLen);
+
+extern void ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx,
+                                            PRBool freeit);
+
+extern SECStatus ChaCha20Poly1305_Seal(
+    const ChaCha20Poly1305Context *ctx, unsigned char *output,
+    unsigned int *outputLen, unsigned int maxOutputLen,
+    const unsigned char *input, unsigned int inputLen,
+    const unsigned char *nonce, unsigned int nonceLen,
+    const unsigned char *ad, unsigned int adLen);
+
+extern SECStatus ChaCha20Poly1305_Open(
+    const ChaCha20Poly1305Context *ctx, unsigned char *output,
+    unsigned int *outputLen, unsigned int maxOutputLen,
+    const unsigned char *input, unsigned int inputLen,
+    const unsigned char *nonce, unsigned int nonceLen,
+    const unsigned char *ad, unsigned int adLen);
 
 /******************************************/
 /*

security/nss/lib/freebl/blapit.h

@@ -222,6 +222,7 @@ struct SHA256ContextStr     ;
 struct SHA512ContextStr     ;
 struct AESKeyWrapContextStr ;
 struct SEEDContextStr       ;	
+struct ChaCha20Poly1305ContextStr;
 
 typedef struct DESContextStr        DESContext;
 typedef struct RC2ContextStr        RC2Context;
@@ -240,6 +241,7 @@ typedef struct SHA512ContextStr     SHA512Context;
 typedef struct SHA512ContextStr     SHA384Context;
 typedef struct AESKeyWrapContextStr AESKeyWrapContext;
 typedef struct SEEDContextStr	    SEEDContext;	
+typedef struct ChaCha20Poly1305ContextStr ChaCha20Poly1305Context;
 
 /***************************************************************************
 ** RSA Public and Private Key structures

security/nss/lib/freebl/chacha20.c

@@ -0,0 +1,111 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Adopted from the public domain code in NaCl by djb. */
+
+#include <string.h>
+#include <stdio.h>
+
+#include "prtypes.h"
+#include "secport.h"
+#include "chacha20.h"
+
+#if defined(_MSC_VER)
+#pragma intrinsic(_lrotl)
+#define ROTL32(x, n) _lrotl(x, n)
+#else
+#define ROTL32(x, n) ((x << n) | (x >> ((8 * sizeof x) - n)))
+#endif
+
+#define ROTATE(v, c) ROTL32((v), (c))
+
+#define U32TO8_LITTLE(p, v)                                                    \
+    { (p)[0] = ((v)      ) & 0xff; (p)[1] = ((v) >>  8) & 0xff;                \
+      (p)[2] = ((v) >> 16) & 0xff; (p)[3] = ((v) >> 24) & 0xff; }
+#define U8TO32_LITTLE(p)                                                       \
+    (((PRUint32)((p)[0])      ) | ((PRUint32)((p)[1]) <<  8) |                 \
+     ((PRUint32)((p)[2]) << 16) | ((PRUint32)((p)[3]) << 24))
+
+#define QUARTERROUND(x, a, b, c, d)                                            \
+    x[a] = x[a] + x[b]; x[d] = ROTATE(x[d] ^ x[a], 16);                        \
+    x[c] = x[c] + x[d]; x[b] = ROTATE(x[b] ^ x[c], 12);                        \
+    x[a] = x[a] + x[b]; x[d] = ROTATE(x[d] ^ x[a],  8);                        \
+    x[c] = x[c] + x[d]; x[b] = ROTATE(x[b] ^ x[c],  7);
+
+static void
+ChaChaCore(unsigned char output[64], const PRUint32 input[16], int num_rounds)
+{
+    PRUint32 x[16];
+    int i;
+
+    PORT_Memcpy(x, input, sizeof(PRUint32) * 16);
+    for (i = num_rounds; i > 0; i -= 2) {
+        QUARTERROUND(x, 0, 4, 8, 12)
+        QUARTERROUND(x, 1, 5, 9, 13)
+        QUARTERROUND(x, 2, 6, 10, 14)
+        QUARTERROUND(x, 3, 7, 11, 15)
+        QUARTERROUND(x, 0, 5, 10, 15)
+        QUARTERROUND(x, 1, 6, 11, 12)
+        QUARTERROUND(x, 2, 7, 8, 13)
+        QUARTERROUND(x, 3, 4, 9, 14)
+    }
+
+    for (i = 0; i < 16; ++i) {
+        x[i] = x[i] + input[i];
+    }
+    for (i = 0; i < 16; ++i) {
+        U32TO8_LITTLE(output + 4 * i, x[i]);
+    }
+}
+
+static const unsigned char sigma[16] = "expand 32-byte k";
+
+void
+ChaCha20XOR(unsigned char *out, const unsigned char *in, unsigned int inLen,
+            const unsigned char key[32], const unsigned char nonce[12],
+            uint32_t counter)
+{
+    unsigned char block[64];
+    PRUint32 input[16];
+    unsigned int i;
+
+    input[4] = U8TO32_LITTLE(key + 0);
+    input[5] = U8TO32_LITTLE(key + 4);
+    input[6] = U8TO32_LITTLE(key + 8);
+    input[7] = U8TO32_LITTLE(key + 12);
+
+    input[8] = U8TO32_LITTLE(key + 16);
+    input[9] = U8TO32_LITTLE(key + 20);
+    input[10] = U8TO32_LITTLE(key + 24);
+    input[11] = U8TO32_LITTLE(key + 28);
+
+    input[0] = U8TO32_LITTLE(sigma + 0);
+    input[1] = U8TO32_LITTLE(sigma + 4);
+    input[2] = U8TO32_LITTLE(sigma + 8);
+    input[3] = U8TO32_LITTLE(sigma + 12);
+
+    input[12] = counter;
+    input[13] = U8TO32_LITTLE(nonce + 0);
+    input[14] = U8TO32_LITTLE(nonce + 4);
+    input[15] = U8TO32_LITTLE(nonce + 8);
+
+    while (inLen >= 64) {
+        ChaChaCore(block, input, 20);
+        for (i = 0; i < 64; i++) {
+            out[i] = in[i] ^ block[i];
+        }
+
+        input[12]++;
+        inLen -= 64;
+        in += 64;
+        out += 64;
+    }
+
+    if (inLen > 0) {
+        ChaChaCore(block, input, 20);
+        for (i = 0; i < inLen; i++) {
+            out[i] = in[i] ^ block[i];
+        }
+    }
+}

security/nss/lib/freebl/chacha20.h

@@ -0,0 +1,26 @@
+/*
+ * chacha20.h - header file for ChaCha20 implementation.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef FREEBL_CHACHA20_H_
+#define FREEBL_CHACHA20_H_
+
+#if defined(_MSC_VER) && _MSC_VER < 1600
+#include "prtypes.h"
+typedef PRUint32 uint32_t;
+typedef PRUint64 uint64_t;
+#else
+#include <stdint.h>
+#endif
+
+/* ChaCha20XOR encrypts |inLen| bytes from |in| with the given key and
+ * nonce and writes the result to |out|, which may be equal to |in|. The
+ * initial block counter is specified by |counter|. */
+extern void ChaCha20XOR(unsigned char *out, const unsigned char *in,
+                        unsigned int inLen, const unsigned char key[32],
+                        const unsigned char nonce[12], uint32_t counter);
+
+#endif /* FREEBL_CHACHA20_H_ */

security/nss/lib/freebl/chacha20_vec.c

@@ -0,0 +1,278 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This implementation is by Ted Krovetz and was submitted to SUPERCOP and
+ * marked as public domain. It was been altered to allow for non-aligned inputs
+ * and to allow the block counter to be passed in specifically. */
+
+#include <string.h>
+
+#include "chacha20.h"
+
+#ifndef CHACHA_RNDS
+#define CHACHA_RNDS 20    /* 8 (high speed), 20 (conservative), 12 (middle) */
+#endif
+
+/* Architecture-neutral way to specify 16-byte vector of ints              */
+typedef unsigned vec __attribute__ ((vector_size (16)));
+
+/* This implementation is designed for Neon, SSE and AltiVec machines. The
+ * following specify how to do certain vector operations efficiently on
+ * each architecture, using intrinsics.
+ * This implementation supports parallel processing of multiple blocks,
+ * including potentially using general-purpose registers.
+ */
+#if __ARM_NEON__
+#include <arm_neon.h>
+#define GPR_TOO   1
+#define VBPI      2
+#define ONE       (vec)vsetq_lane_u32(1,vdupq_n_u32(0),0)
+#define LOAD(m)   (vec)(*((vec*)(m)))
+#define STORE(m,r) (*((vec*)(m))) = (r)
+#define ROTV1(x)  (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,1)
+#define ROTV2(x)  (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,2)
+#define ROTV3(x)  (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,3)
+#define ROTW16(x) (vec)vrev32q_u16((uint16x8_t)x)
+#if __clang__
+#define ROTW7(x)  (x << ((vec){ 7, 7, 7, 7})) ^ (x >> ((vec){25,25,25,25}))
+#define ROTW8(x)  (x << ((vec){ 8, 8, 8, 8})) ^ (x >> ((vec){24,24,24,24}))
+#define ROTW12(x) (x << ((vec){12,12,12,12})) ^ (x >> ((vec){20,20,20,20}))
+#else
+#define ROTW7(x)  (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,7),(uint32x4_t)x,25)
+#define ROTW8(x)  (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,8),(uint32x4_t)x,24)
+#define ROTW12(x) (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,12),(uint32x4_t)x,20)
+#endif
+#elif __SSE2__
+#include <emmintrin.h>
+#define GPR_TOO   0
+#if __clang__
+#define VBPI      4
+#else
+#define VBPI      3
+#endif
+#define ONE       (vec)_mm_set_epi32(0,0,0,1)
+#define LOAD(m)   (vec)_mm_loadu_si128((__m128i*)(m))
+#define STORE(m,r) _mm_storeu_si128((__m128i*)(m), (__m128i) (r))
+#define ROTV1(x)  (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(0,3,2,1))
+#define ROTV2(x)  (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(1,0,3,2))
+#define ROTV3(x)  (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(2,1,0,3))
+#define ROTW7(x)  (vec)(_mm_slli_epi32((__m128i)x, 7) ^ _mm_srli_epi32((__m128i)x,25))
+#define ROTW12(x) (vec)(_mm_slli_epi32((__m128i)x,12) ^ _mm_srli_epi32((__m128i)x,20))
+#if __SSSE3__
+#include <tmmintrin.h>
+#define ROTW8(x)  (vec)_mm_shuffle_epi8((__m128i)x,_mm_set_epi8(14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3))
+#define ROTW16(x) (vec)_mm_shuffle_epi8((__m128i)x,_mm_set_epi8(13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2))
+#else
+#define ROTW8(x)  (vec)(_mm_slli_epi32((__m128i)x, 8) ^ _mm_srli_epi32((__m128i)x,24))
+#define ROTW16(x) (vec)(_mm_slli_epi32((__m128i)x,16) ^ _mm_srli_epi32((__m128i)x,16))
+#endif
+#else
+#error -- Implementation supports only machines with neon or SSE2
+#endif
+
+#ifndef REVV_BE
+#define REVV_BE(x)  (x)
+#endif
+
+#ifndef REVW_BE
+#define REVW_BE(x)  (x)
+#endif
+
+#define BPI      (VBPI + GPR_TOO)  /* Blocks computed per loop iteration   */
+
+#define DQROUND_VECTORS(a,b,c,d)                \
+    a += b; d ^= a; d = ROTW16(d);              \
+    c += d; b ^= c; b = ROTW12(b);              \
+    a += b; d ^= a; d = ROTW8(d);               \
+    c += d; b ^= c; b = ROTW7(b);               \
+    b = ROTV1(b); c = ROTV2(c);  d = ROTV3(d);  \
+    a += b; d ^= a; d = ROTW16(d);              \
+    c += d; b ^= c; b = ROTW12(b);              \
+    a += b; d ^= a; d = ROTW8(d);               \
+    c += d; b ^= c; b = ROTW7(b);               \
+    b = ROTV3(b); c = ROTV2(c); d = ROTV1(d);
+
+#define QROUND_WORDS(a,b,c,d) \
+  a = a+b; d ^= a; d = d<<16 | d>>16; \
+  c = c+d; b ^= c; b = b<<12 | b>>20; \
+  a = a+b; d ^= a; d = d<< 8 | d>>24; \
+  c = c+d; b ^= c; b = b<< 7 | b>>25;
+
+#define WRITE_XOR(in, op, d, v0, v1, v2, v3)                \
+    STORE(op + d + 0, LOAD(in + d + 0) ^ REVV_BE(v0));      \
+    STORE(op + d + 4, LOAD(in + d + 4) ^ REVV_BE(v1));      \
+    STORE(op + d + 8, LOAD(in + d + 8) ^ REVV_BE(v2));      \
+    STORE(op + d +12, LOAD(in + d +12) ^ REVV_BE(v3));
+
+void
+ChaCha20XOR(unsigned char *out, const unsigned char *in, unsigned int inlen,
+            const unsigned char key[32], const unsigned char nonce[12],
+            uint32_t counter)
+{
+    unsigned iters, i, *op=(unsigned *)out, *ip=(unsigned *)in, *kp;
+#if defined(__ARM_NEON__)
+    unsigned *np;
+#endif
+    vec s0, s1, s2, s3;
+#if !defined(__ARM_NEON__) && !defined(__SSE2__)
+    __attribute__ ((aligned (16))) unsigned key[8], nonce[4];
+#endif
+    __attribute__ ((aligned (16))) unsigned chacha_const[] =
+        {0x61707865,0x3320646E,0x79622D32,0x6B206574};
+#if defined(__ARM_NEON__) || defined(__SSE2__)
+    kp = (unsigned *)key;
+#else
+    ((vec *)key)[0] = REVV_BE(((vec *)key)[0]);
+    ((vec *)key)[1] = REVV_BE(((vec *)key)[1]);
+    ((unsigned *)nonce)[0] = REVW_BE(((unsigned *)nonce)[0]);
+    ((unsigned *)nonce)[1] = REVW_BE(((unsigned *)nonce)[1]);
+    ((unsigned *)nonce)[2] = REVW_BE(((unsigned *)nonce)[2]);
+    ((unsigned *)nonce)[3] = REVW_BE(((unsigned *)nonce)[3]);
+    kp = (unsigned *)key;
+    np = (unsigned *)nonce;
+#endif
+#if defined(__ARM_NEON__)
+    np = (unsigned*) nonce;
+#endif
+    s0 = LOAD(chacha_const);
+    s1 = LOAD(&((vec*)kp)[0]);
+    s2 = LOAD(&((vec*)kp)[1]);
+    s3 = (vec) {
+        counter,
+        ((uint32_t*)nonce)[0],
+        ((uint32_t*)nonce)[1],
+        ((uint32_t*)nonce)[2]
+    };
+
+    for (iters = 0; iters < inlen/(BPI*64); iters++) {
+#if GPR_TOO
+        register unsigned x0, x1, x2, x3, x4, x5, x6, x7, x8,
+                  x9, x10, x11, x12, x13, x14, x15;
+#endif
+#if VBPI > 2
+        vec v8,v9,v10,v11;
+#endif
+#if VBPI > 3
+        vec v12,v13,v14,v15;
+#endif
+
+        vec v0,v1,v2,v3,v4,v5,v6,v7;
+        v4 = v0 = s0; v5 = v1 = s1; v6 = v2 = s2; v3 = s3;
+        v7 = v3 + ONE;
+#if VBPI > 2
+        v8 = v4; v9 = v5; v10 = v6;
+        v11 =  v7 + ONE;
+#endif
+#if VBPI > 3
+        v12 = v8; v13 = v9; v14 = v10;
+        v15 = v11 + ONE;
+#endif
+#if GPR_TOO
+        x0 = chacha_const[0]; x1 = chacha_const[1];
+        x2 = chacha_const[2]; x3 = chacha_const[3];
+        x4 = kp[0]; x5 = kp[1]; x6  = kp[2]; x7  = kp[3];
+        x8 = kp[4]; x9 = kp[5]; x10 = kp[6]; x11 = kp[7];
+        x12 = counter+BPI*iters+(BPI-1); x13 = np[0];
+        x14 = np[1]; x15 = np[2];
+#endif
+        for (i = CHACHA_RNDS/2; i; i--) {
+            DQROUND_VECTORS(v0,v1,v2,v3)
+            DQROUND_VECTORS(v4,v5,v6,v7)
+#if VBPI > 2
+            DQROUND_VECTORS(v8,v9,v10,v11)
+#endif
+#if VBPI > 3
+            DQROUND_VECTORS(v12,v13,v14,v15)
+#endif
+#if GPR_TOO
+            QROUND_WORDS( x0, x4, x8,x12)
+            QROUND_WORDS( x1, x5, x9,x13)
+            QROUND_WORDS( x2, x6,x10,x14)
+            QROUND_WORDS( x3, x7,x11,x15)
+            QROUND_WORDS( x0, x5,x10,x15)
+            QROUND_WORDS( x1, x6,x11,x12)
+            QROUND_WORDS( x2, x7, x8,x13)
+            QROUND_WORDS( x3, x4, x9,x14)
+#endif
+        }
+
+        WRITE_XOR(ip, op, 0, v0+s0, v1+s1, v2+s2, v3+s3)
+        s3 += ONE;
+        WRITE_XOR(ip, op, 16, v4+s0, v5+s1, v6+s2, v7+s3)
+        s3 += ONE;
+#if VBPI > 2
+        WRITE_XOR(ip, op, 32, v8+s0, v9+s1, v10+s2, v11+s3)
+        s3 += ONE;
+#endif
+#if VBPI > 3
+        WRITE_XOR(ip, op, 48, v12+s0, v13+s1, v14+s2, v15+s3)
+        s3 += ONE;
+#endif
+        ip += VBPI*16;
+        op += VBPI*16;
+#if GPR_TOO
+        op[0]  = REVW_BE(REVW_BE(ip[0])  ^ (x0  + chacha_const[0]));
+        op[1]  = REVW_BE(REVW_BE(ip[1])  ^ (x1  + chacha_const[1]));
+        op[2]  = REVW_BE(REVW_BE(ip[2])  ^ (x2  + chacha_const[2]));
+        op[3]  = REVW_BE(REVW_BE(ip[3])  ^ (x3  + chacha_const[3]));
+        op[4]  = REVW_BE(REVW_BE(ip[4])  ^ (x4  + kp[0]));
+        op[5]  = REVW_BE(REVW_BE(ip[5])  ^ (x5  + kp[1]));
+        op[6]  = REVW_BE(REVW_BE(ip[6])  ^ (x6  + kp[2]));
+        op[7]  = REVW_BE(REVW_BE(ip[7])  ^ (x7  + kp[3]));
+        op[8]  = REVW_BE(REVW_BE(ip[8])  ^ (x8  + kp[4]));
+        op[9]  = REVW_BE(REVW_BE(ip[9])  ^ (x9  + kp[5]));
+        op[10] = REVW_BE(REVW_BE(ip[10]) ^ (x10 + kp[6]));
+        op[11] = REVW_BE(REVW_BE(ip[11]) ^ (x11 + kp[7]));
+        op[12] = REVW_BE(REVW_BE(ip[12]) ^ (x12 + counter+BPI*iters+(BPI-1)));
+        op[13] = REVW_BE(REVW_BE(ip[13]) ^ (x13 + np[0]));
+        op[14] = REVW_BE(REVW_BE(ip[14]) ^ (x14 + np[1]));
+        op[15] = REVW_BE(REVW_BE(ip[15]) ^ (x15 + np[2]));
+        s3 += ONE;
+        ip += 16;
+        op += 16;
+#endif
+    }
+
+    for (iters = inlen%(BPI*64)/64; iters != 0; iters--) {
+        vec v0 = s0, v1 = s1, v2 = s2, v3 = s3;
+        for (i = CHACHA_RNDS/2; i; i--) {
+            DQROUND_VECTORS(v0,v1,v2,v3);
+        }
+        WRITE_XOR(ip, op, 0, v0+s0, v1+s1, v2+s2, v3+s3)
+        s3 += ONE;
+        ip += 16;
+        op += 16;
+    }
+
+    inlen = inlen % 64;
+    if (inlen) {
+        __attribute__ ((aligned (16))) vec buf[4];
+        vec v0,v1,v2,v3;
+        v0 = s0; v1 = s1; v2 = s2; v3 = s3;
+        for (i = CHACHA_RNDS/2; i; i--) {
+            DQROUND_VECTORS(v0,v1,v2,v3);
+        }
+
+        if (inlen >= 16) {
+            STORE(op + 0, LOAD(ip + 0) ^ REVV_BE(v0 + s0));
+            if (inlen >= 32) {
+                STORE(op + 4, LOAD(ip + 4) ^ REVV_BE(v1 + s1));
+                if (inlen >= 48) {
+                    STORE(op + 8, LOAD(ip + 8) ^ REVV_BE(v2 + s2));
+                    buf[3] = REVV_BE(v3 + s3);
+                } else {
+                    buf[2] = REVV_BE(v2 + s2);
+                }
+            } else {
+                buf[1] = REVV_BE(v1 + s1);
+            }
+        } else {
+            buf[0] = REVV_BE(v0 + s0);
+        }
+
+        for (i=inlen & ~15; i<inlen; i++) {
+            ((char *)op)[i] = ((char *)ip)[i] ^ ((char *)buf)[i];
+        }
+    }
+}

security/nss/lib/freebl/chacha20poly1305.c

@@ -0,0 +1,198 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifdef FREEBL_NO_DEPEND
+#include "stubs.h"
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "seccomon.h"
+#include "secerr.h"
+#include "blapit.h"
+
+#ifndef NSS_DISABLE_CHACHAPOLY
+#include "poly1305.h"
+#include "chacha20.h"
+#include "chacha20poly1305.h"
+#endif
+
+/* Poly1305Do writes the Poly1305 authenticator of the given additional data
+ * and ciphertext to |out|. */
+#ifndef NSS_DISABLE_CHACHAPOLY
+static void
+Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen,
+           const unsigned char *ciphertext, unsigned int ciphertextLen,
+           const unsigned char key[32])
+{
+    poly1305_state state;
+    unsigned int j;
+    unsigned char lengthBytes[8];
+    static const unsigned char zeros[15];
+    unsigned int i;
+
+    Poly1305Init(&state, key);
+    Poly1305Update(&state, ad, adLen);
+    if (adLen % 16 > 0) {
+        Poly1305Update(&state, zeros, 16 - adLen % 16);
+    }
+    Poly1305Update(&state, ciphertext, ciphertextLen);
+    if (ciphertextLen % 16 > 0) {
+        Poly1305Update(&state, zeros, 16 - ciphertextLen % 16);
+    }
+    j = adLen;
+    for (i = 0; i < sizeof(lengthBytes); i++) {
+        lengthBytes[i] = j;
+        j >>= 8;
+    }
+    Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
+    j = ciphertextLen;
+    for (i = 0; i < sizeof(lengthBytes); i++) {
+        lengthBytes[i] = j;
+        j >>= 8;
+    }
+    Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
+    Poly1305Finish(&state, out);
+}
+#endif
+
+SECStatus
+ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
+                             const unsigned char *key, unsigned int keyLen,
+                             unsigned int tagLen)
+{
+#ifdef NSS_DISABLE_CHACHAPOLY
+    return SECFailure;
+#else
+    if (keyLen != 32) {
+        PORT_SetError(SEC_ERROR_BAD_KEY);
+        return SECFailure;
+    }
+    if (tagLen == 0 || tagLen > 16) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+
+    PORT_Memcpy(ctx->key, key, sizeof(ctx->key));
+    ctx->tagLen = tagLen;
+
+    return SECSuccess;
+#endif
+}
+
+ChaCha20Poly1305Context *
+ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen,
+                               unsigned int tagLen)
+{
+#ifdef NSS_DISABLE_CHACHAPOLY
+    return NULL;
+#else
+    ChaCha20Poly1305Context *ctx;
+
+    ctx = PORT_New(ChaCha20Poly1305Context);
+    if (ctx == NULL) {
+        return NULL;
+    }
+
+    if (ChaCha20Poly1305_InitContext(ctx, key, keyLen, tagLen) != SECSuccess) {
+        PORT_Free(ctx);
+        ctx = NULL;
+    }
+
+    return ctx;
+#endif
+}
+
+void
+ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit)
+{
+#ifndef NSS_DISABLE_CHACHAPOLY
+    PORT_Memset(ctx, 0, sizeof(*ctx));
+    if (freeit) {
+        PORT_Free(ctx);
+    }
+#endif
+}
+
+SECStatus
+ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx, unsigned char *output,
+                      unsigned int *outputLen, unsigned int maxOutputLen,
+                      const unsigned char *input, unsigned int inputLen,
+                      const unsigned char *nonce, unsigned int nonceLen,
+                      const unsigned char *ad, unsigned int adLen)
+{
+#ifdef NSS_DISABLE_CHACHAPOLY
+    return SECFailure;
+#else
+    unsigned char block[64];
+    unsigned char tag[16];
+
+    if (nonceLen != 12) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+    *outputLen = inputLen + ctx->tagLen;
+    if (maxOutputLen < *outputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    PORT_Memset(block, 0, sizeof(block));
+    // Generate a block of keystream. The first 32 bytes will be the poly1305
+    // key. The remainder of the block is discarded.
+    ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0);
+    ChaCha20XOR(output, input, inputLen, ctx->key, nonce, 1);
+
+    Poly1305Do(tag, ad, adLen, output, inputLen, block);
+    PORT_Memcpy(output + inputLen, tag, ctx->tagLen);
+
+    return SECSuccess;
+#endif
+}
+
+SECStatus
+ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx, unsigned char *output,
+                      unsigned int *outputLen, unsigned int maxOutputLen,
+                      const unsigned char *input, unsigned int inputLen,
+                      const unsigned char *nonce, unsigned int nonceLen,
+                      const unsigned char *ad, unsigned int adLen)
+{
+#ifdef NSS_DISABLE_CHACHAPOLY
+    return SECFailure;
+#else
+    unsigned char block[64];
+    unsigned char tag[16];
+    unsigned int ciphertextLen;
+
+    if (nonceLen != 12) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+    if (inputLen < ctx->tagLen) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+    ciphertextLen = inputLen - ctx->tagLen;
+    *outputLen = ciphertextLen;
+    if (maxOutputLen < *outputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    PORT_Memset(block, 0, sizeof(block));
+    // Generate a block of keystream. The first 32 bytes will be the poly1305
+    // key. The remainder of the block is discarded.
+    ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0);
+    Poly1305Do(tag, ad, adLen, input, ciphertextLen, block);
+    if (NSS_SecureMemcmp(tag, &input[ciphertextLen], ctx->tagLen) != 0) {
+        PORT_SetError(SEC_ERROR_BAD_DATA);
+        return SECFailure;
+    }
+
+    ChaCha20XOR(output, input, ciphertextLen, ctx->key, nonce, 1);
+
+    return SECSuccess;
+#endif
+}

security/nss/lib/freebl/chacha20poly1305.h

@@ -0,0 +1,15 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _CHACHA20_POLY1305_H_
+#define _CHACHA20_POLY1305_H_ 1
+
+/* ChaCha20Poly1305ContextStr saves the key and tag length for a
+ * ChaCha20+Poly1305 AEAD operation. */
+struct ChaCha20Poly1305ContextStr {
+    unsigned char key[32];
+    unsigned char tagLen;
+};
+
+#endif /* _CHACHA20_POLY1305_H_ */

security/nss/lib/freebl/intel-aes.s

@@ -7,6 +7,20 @@
 #define IV_OFFSET 16
 #define EXPANDED_KEY_OFFSET 48
 
+/*
+ * Warning: the length values used in this module are "unsigned int"
+ * in C, which is 32-bit.  When they're passed in registers, use only
+ * the low 32 bits, because the top half is unspecified.
+ *
+ * This is called from C code, so the contents of those bits can
+ * depend on the C compiler's optimization decisions.  This means that
+ * mistakes might not be obvious in testing if those bits happen to be
+ * zero in your build.
+ *
+ * Exception: 32-bit lea instructions use a 64-bit address because the
+ * address size doesn't affect the result, and that form is more
+ * compactly encoded and preferred by compilers over a 32-bit address.
+ */
 
 /* in %rdi : the key
    in %rsi : buffer for expanded key
@@ -119,10 +133,11 @@ key_expansion128:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %ecx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_encrypt_ecb_128,@function
@@ -135,11 +150,11 @@ intel_aes_encrypt_ecb_128:
 	movdqu	(%rdi), %xmm2
 	movdqu	160(%rdi), %xmm12
 	xor	%eax, %eax
-//	cmpq	$8*16, %r9
-	cmpq	$128, %r9
+//	cmpl	$8*16, %r9d
+	cmpl	$128, %r9d
 	jb	1f
-//	leaq	-8*16(%r9), %r11
-	leaq	-128(%r9), %r11
+//	leal	-8*16(%r9), %r11d
+	leal	-128(%r9), %r11d
 2:	movdqu	(%r8, %rax), %xmm3
 	movdqu	16(%r8, %rax), %xmm4
 	movdqu	32(%r8, %rax), %xmm5
@@ -260,11 +275,11 @@ intel_aes_encrypt_ecb_128:
 	movdqu	%xmm8, 80(%rsi, %rax)
 	movdqu	%xmm9, 96(%rsi, %rax)
 	movdqu	%xmm10, 112(%rsi, %rax)
-//	addq	$8*16, %rax
-	addq	$128, %rax
-	cmpq	%r11, %rax
+//	addl	$8*16, %eax
+	addl	$128, %eax
+	cmpl	%r11d, %eax
 	jbe	2b
-1:	cmpq	%rax, %r9
+1:	cmpl	%eax, %r9d
 	je	5f
 
 	movdqu	16(%rdi), %xmm3
@@ -290,8 +305,8 @@ intel_aes_encrypt_ecb_128:
 	.byte 0x66,0x41,0x0f,0x38,0xdc,0xcb	/* aesenc	%xmm11, %xmm1 */
 	.byte 0x66,0x41,0x0f,0x38,0xdd,0xcc	/* aesenclast %xmm12, %xmm1 */
 	movdqu	%xmm1, (%rsi, %rax)
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	4b
 
 5:	xor	%eax, %eax
@@ -302,10 +317,11 @@ intel_aes_encrypt_ecb_128:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %ecx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_decrypt_ecb_128,@function
@@ -318,11 +334,11 @@ intel_aes_decrypt_ecb_128:
 	movdqu	(%rdi), %xmm2
 	movdqu	160(%rdi), %xmm12
 	xorl	%eax, %eax
-//	cmpq	$8*16, %r9
-	cmpq	$128, %r9
+//	cmpl	$8*16, %r9d
+	cmpl	$128, %r9d
 	jb	1f
-//	leaq	-8*16(%r9), %r11
-	leaq	-128(%r9), %r11
+//	leal	-8*16(%r9), %r11d
+	leal	-128(%r9), %r11d
 2:	movdqu	(%r8, %rax), %xmm3
 	movdqu	16(%r8, %rax), %xmm4
 	movdqu	32(%r8, %rax), %xmm5
@@ -443,11 +459,11 @@ intel_aes_decrypt_ecb_128:
 	movdqu	%xmm8, 80(%rsi, %rax)
 	movdqu	%xmm9, 96(%rsi, %rax)
 	movdqu	%xmm10, 112(%rsi, %rax)
-//	addq	$8*16, %rax
-	addq	$128, %rax
-	cmpq	%r11, %rax
+//	addl	$8*16, %eax
+	addl	$128, %eax
+	cmpl	%r11d, %eax
 	jbe	2b
-1:	cmpq	%rax, %r9
+1:	cmpl	%eax, %r9d
 	je	5f
 
 	movdqu	16(%rdi), %xmm3
@@ -473,8 +489,8 @@ intel_aes_decrypt_ecb_128:
 	.byte 0x66,0x0f,0x38,0xde,0xcb	/* aesdec	%xmm7, %xmm1 */
 	.byte 0x66,0x0f,0x38,0xdf,0xca	/* aesdeclast %xmm2, %xmm1 */
 	movdqu	%xmm1, (%rsi, %rax)
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	4b
 
 5:	xor	%eax, %eax
@@ -485,17 +501,18 @@ intel_aes_decrypt_ecb_128:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %ecx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_encrypt_cbc_128,@function
 	.globl intel_aes_encrypt_cbc_128
 	.align	16
 intel_aes_encrypt_cbc_128:
-	testq	%r9, %r9
+	testl	%r9d, %r9d
 	je	2f
 
 //	leaq	IV_OFFSET(%rdi), %rdx
@@ -532,8 +549,8 @@ intel_aes_encrypt_cbc_128:
 	.byte 0x66,0x41,0x0f,0x38,0xdd,0xcc	/* aesenclast %xmm12, %xmm1 */
 	movdqu	%xmm1, (%rsi, %rax)
 	movdqa	%xmm1, %xmm0
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	1b
 
 	movdqu	%xmm0, (%rdx)
@@ -546,10 +563,11 @@ intel_aes_encrypt_cbc_128:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %ecx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_decrypt_cbc_128,@function
@@ -565,9 +583,9 @@ intel_aes_decrypt_cbc_128:
 	movdqu	(%rdi), %xmm2   /* first key block */
 	movdqu	160(%rdi), %xmm12 /* last key block */
 	xorl	%eax, %eax
-	cmpq	$128, %r9
+	cmpl	$128, %r9d
 	jb	1f
-	leaq	-128(%r9), %r11
+	leal	-128(%r9), %r11d
 2:	movdqu	(%r8, %rax), %xmm3 /* 1st data block */
 	movdqu	16(%r8, %rax), %xmm4 /* 2d data block */
 	movdqu	32(%r8, %rax), %xmm5
@@ -704,10 +722,10 @@ intel_aes_decrypt_cbc_128:
 	movdqu	%xmm8, 80(%rsi, %rax)
 	movdqu	%xmm9, 96(%rsi, %rax)
 	movdqu	%xmm10, 112(%rsi, %rax)
-	addq	$128, %rax
-	cmpq	%r11, %rax
+	addl	$128, %eax
+	cmpl	%r11d, %eax
 	jbe	2b
-1:	cmpq	%rax, %r9
+1:	cmpl	%eax, %r9d
 	je	5f
 
 	movdqu	16(%rdi), %xmm3
@@ -736,8 +754,8 @@ intel_aes_decrypt_cbc_128:
 	pxor	%xmm0, %xmm1
 	movdqu	%xmm1, (%rsi, %rax)
 	movdqa	%xmm13, %xmm0
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	4b
 
 5:	movdqu	%xmm0, (%rdx)
@@ -873,10 +891,11 @@ key_expansion192:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %ecx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_encrypt_ecb_192,@function
@@ -889,11 +908,11 @@ intel_aes_encrypt_ecb_192:
 	movdqu	(%rdi), %xmm2
 	movdqu	192(%rdi), %xmm14
 	xorl	%eax, %eax
-//	cmpq	$8*16, %r9
-	cmpq	$128, %r9
+//	cmpl	$8*16, %r9d
+	cmpl	$128, %r9d
 	jb	1f
-//	leaq	-8*16(%r9), %r11
-	leaq	-128(%r9), %r11
+//	leal	-8*16(%r9), %r11d
+	leal	-128(%r9), %r11d
 2:	movdqu	(%r8, %rax), %xmm3
 	movdqu	16(%r8, %rax), %xmm4
 	movdqu	32(%r8, %rax), %xmm5
@@ -1033,11 +1052,11 @@ intel_aes_encrypt_ecb_192:
 	movdqu	%xmm8, 80(%rsi, %rax)
 	movdqu	%xmm9, 96(%rsi, %rax)
 	movdqu	%xmm10, 112(%rsi, %rax)
-//	addq	$8*16, %rax
-	addq	$128, %rax
-	cmpq	%r11, %rax
+//	addl	$8*16, %eax
+	addl	$128, %eax
+	cmpl	%r11d, %eax
 	jbe	2b
-1:	cmpq	%rax, %r9
+1:	cmpl	%eax, %r9d
 	je	5f
 
 	movdqu	16(%rdi), %xmm3
@@ -1067,8 +1086,8 @@ intel_aes_encrypt_ecb_192:
 	.byte 0x66,0x41,0x0f,0x38,0xdc,0xcd	/* aesenc	%xmm13, %xmm1 */
 	.byte 0x66,0x41,0x0f,0x38,0xdd,0xce	/* aesenclast %xmm14, %xmm1 */
 	movdqu	%xmm1, (%rsi, %rax)
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	4b
 
 5:	xor	%eax, %eax
@@ -1079,10 +1098,11 @@ intel_aes_encrypt_ecb_192:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %ecx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_decrypt_ecb_192,@function
@@ -1095,11 +1115,11 @@ intel_aes_decrypt_ecb_192:
 	movdqu	(%rdi), %xmm2
 	movdqu	192(%rdi), %xmm14
 	xorl	%eax, %eax
-//	cmpq	$8*16, %r9
-	cmpq	$128, %r9
+//	cmpl	$8*16, %r9d
+	cmpl	$128, %r9d
 	jb	1f
-//	leaq	-8*16(%r9), %r11
-	leaq	-128(%r9), %r11
+//	leal	-8*16(%r9), %r11d
+	leal	-128(%r9), %r11d
 2:	movdqu	(%r8, %rax), %xmm3
 	movdqu	16(%r8, %rax), %xmm4
 	movdqu	32(%r8, %rax), %xmm5
@@ -1239,11 +1259,11 @@ intel_aes_decrypt_ecb_192:
 	movdqu	%xmm8, 80(%rsi, %rax)
 	movdqu	%xmm9, 96(%rsi, %rax)
 	movdqu	%xmm10, 112(%rsi, %rax)
-//	addq	$8*16, %rax
-	addq	$128, %rax
-	cmpq	%r11, %rax
+//	addl	$8*16, %eax
+	addl	$128, %eax
+	cmpl	%r11d, %eax
 	jbe	2b
-1:	cmpq	%rax, %r9
+1:	cmpl	%eax, %r9d
 	je	5f
 
 	movdqu	16(%rdi), %xmm3
@@ -1273,8 +1293,8 @@ intel_aes_decrypt_ecb_192:
 	.byte 0x66,0x0f,0x38,0xde,0xcb	/* aesdec	%xmm3, %xmm1 */
 	.byte 0x66,0x0f,0x38,0xdf,0xca	/* aesdeclast %xmm2, %xmm1 */
 	movdqu	%xmm1, (%rsi, %rax)
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	4b
 
 5:	xor	%eax, %eax
@@ -1285,17 +1305,18 @@ intel_aes_decrypt_ecb_192:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %ecx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_encrypt_cbc_192,@function
 	.globl intel_aes_encrypt_cbc_192
 	.align	16
 intel_aes_encrypt_cbc_192:
-	testq	%r9, %r9
+	testl	%r9d, %r9d
 	je	2f
 
 //	leaq	IV_OFFSET(%rdi), %rdx
@@ -1336,8 +1357,8 @@ intel_aes_encrypt_cbc_192:
 	.byte 0x66,0x41,0x0f,0x38,0xdd,0xce	/* aesenclast %xmm14, %xmm1 */
 	movdqu	%xmm1, (%rsi, %rax)
 	movdqa	%xmm1, %xmm0
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	1b
 
 	movdqu	%xmm0, (%rdx)
@@ -1350,10 +1371,11 @@ intel_aes_encrypt_cbc_192:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %exx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_decrypt_cbc_192,@function
@@ -1367,9 +1389,9 @@ intel_aes_decrypt_cbc_192:
 	movdqu	(%rdi), %xmm2
 	movdqu	192(%rdi), %xmm14
 	xorl	%eax, %eax
-	cmpq	$128, %r9
+	cmpl	$128, %r9d
 	jb	1f
-	leaq	-128(%r9), %r11
+	leal	-128(%r9), %r11d
 2:	movdqu	(%r8, %rax), %xmm3
 	movdqu	16(%r8, %rax), %xmm4
 	movdqu	32(%r8, %rax), %xmm5
@@ -1525,10 +1547,10 @@ intel_aes_decrypt_cbc_192:
 	movdqu	%xmm8, 80(%rsi, %rax)
 	movdqu	%xmm9, 96(%rsi, %rax)
 	movdqu	%xmm10, 112(%rsi, %rax)
-	addq	$128, %rax
-	cmpq	%r11, %rax
+	addl	$128, %eax
+	cmpl	%r11d, %eax
 	jbe	2b
-1:	cmpq	%rax, %r9
+1:	cmpl	%eax, %r9d
 	je	5f
 
 	movdqu	16(%rdi), %xmm3
@@ -1561,8 +1583,8 @@ intel_aes_decrypt_cbc_192:
 	pxor	%xmm0, %xmm1
 	movdqu	%xmm1, (%rsi, %rax)
 	movdqa	%xmm15, %xmm0
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	4b
 
 5:	movdqu	%xmm0, (%rdx)
@@ -1705,10 +1727,11 @@ key_expansion256:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %ecx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_encrypt_ecb_256,@function
@@ -1721,11 +1744,11 @@ intel_aes_encrypt_ecb_256:
 	movdqu	(%rdi), %xmm2
 	movdqu	224(%rdi), %xmm15
 	xorl	%eax, %eax
-//	cmpq	$8*16, %r9
-	cmpq	$128, %r9
+//	cmpl	$8*16, %r9d
+	cmpl	$128, %r9d
 	jb	1f
-//	leaq	-8*16(%r9), %r11
-	leaq	-128(%r9), %r11
+//	leal	-8*16(%r9), %r11d
+	leal	-128(%r9), %r11d
 2:	movdqu	(%r8, %rax), %xmm3
 	movdqu	16(%r8, %rax), %xmm4
 	movdqu	32(%r8, %rax), %xmm5
@@ -1884,11 +1907,11 @@ intel_aes_encrypt_ecb_256:
 	movdqu	%xmm8, 80(%rsi, %rax)
 	movdqu	%xmm9, 96(%rsi, %rax)
 	movdqu	%xmm10, 112(%rsi, %rax)
-//	addq	$8*16, %rax
-	addq	$128, %rax
-	cmpq	%r11, %rax
+//	addl	$8*16, %eax
+	addl	$128, %eax
+	cmpl	%r11d, %eax
 	jbe	2b
-1:	cmpq	%rax, %r9
+1:	cmpl	%eax, %r9d
 	je	5f
 
 	movdqu	(%rdi), %xmm8
@@ -1924,8 +1947,8 @@ intel_aes_encrypt_ecb_256:
 	.byte 0x66,0x41,0x0f,0x38,0xdc,0xce	/* aesenc	%xmm14, %xmm1 */
 	.byte 0x66,0x41,0x0f,0x38,0xdd,0xcf	/* aesenclast %xmm15, %xmm1 */
 	movdqu	%xmm1, (%rsi, %rax)
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	4b
 
 5:	xor	%eax, %eax
@@ -1936,10 +1959,11 @@ intel_aes_encrypt_ecb_256:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %ecx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_decrypt_ecb_256,@function
@@ -1952,11 +1976,11 @@ intel_aes_decrypt_ecb_256:
 	movdqu	(%rdi), %xmm2
 	movdqu	224(%rdi), %xmm15
 	xorl	%eax, %eax
-//	cmpq	$8*16, %r9
-	cmpq	$128, %r9
+//	cmpl	$8*16, %r9d
+	cmpl	$128, %r9d
 	jb	1f
-//	leaq	-8*16(%r9), %r11
-	leaq	-128(%r9), %r11
+//	leal	-8*16(%r9), %r11d
+	leal	-128(%r9), %r11d
 2:	movdqu	(%r8, %rax), %xmm3
 	movdqu	16(%r8, %rax), %xmm4
 	movdqu	32(%r8, %rax), %xmm5
@@ -2115,11 +2139,11 @@ intel_aes_decrypt_ecb_256:
 	movdqu	%xmm8, 80(%rsi, %rax)
 	movdqu	%xmm9, 96(%rsi, %rax)
 	movdqu	%xmm10, 112(%rsi, %rax)
-//	addq	$8*16, %rax
-	addq	$128, %rax
-	cmpq	%r11, %rax
+//	addl	$8*16, %eax
+	addl	$128, %eax
+	cmpl	%r11d, %eax
 	jbe	2b
-1:	cmpq	%rax, %r9
+1:	cmpl	%eax, %r9d
 	je	5f
 
 	movdqu	16(%rdi), %xmm2
@@ -2155,8 +2179,8 @@ intel_aes_decrypt_ecb_256:
 	.byte 0x66,0x41,0x0f,0x38,0xdf,0xc8	/* aesdeclast %xmm8, %xmm1 */
 	movdqu	112(%rdi), %xmm8
 	movdqu	%xmm1, (%rsi, %rax)
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	4b
 
 5:	xor	%eax, %eax
@@ -2167,17 +2191,18 @@ intel_aes_decrypt_ecb_256:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %ecx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_encrypt_cbc_256,@function
 	.globl intel_aes_encrypt_cbc_256
 	.align	16
 intel_aes_encrypt_cbc_256:
-	testq	%r9, %r9
+	testl	%r9d, %r9d
 	je	2f
 
 //	leaq	IV_OFFSET(%rdi), %rdx
@@ -2223,8 +2248,8 @@ intel_aes_encrypt_cbc_256:
 	.byte 0x66,0x41,0x0f,0x38,0xdd,0xcf	/* aesenclast %xmm15, %xmm1 */
 	movdqu	%xmm1, (%rsi, %rax)
 	movdqa	%xmm1, %xmm0
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	1b
 
 	movdqu	%xmm0, (%rdx)
@@ -2237,10 +2262,11 @@ intel_aes_encrypt_cbc_256:
 /* in %rdi : cx - context
    in %rsi : output - pointer to output buffer
    in %rdx : outputLen - pointer to variable for length of output
-             (filled by caller)
-   in %rcx : maxOutputLen - length of output buffer
+             (already filled in by caller)
+   in %ecx : maxOutputLen - length of output buffer
+             (already checked by caller)
    in %r8  : input - pointer to input buffer
-   in %r9  : inputLen - length of input buffer
+   in %r9d : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_decrypt_cbc_256,@function
@@ -2256,11 +2282,11 @@ intel_aes_decrypt_cbc_256:
 	movdqu	(%rdi), %xmm2
 	movdqu	224(%rdi), %xmm15
 	xorl	%eax, %eax
-//	cmpq	$8*16, %r9
-	cmpq	$128, %r9
+//	cmpl	$8*16, %r9d
+	cmpl	$128, %r9d
 	jb	1f
-//	leaq	-8*16(%r9), %r11
-	leaq	-128(%r9), %r11
+//	leal	-8*16(%r9), %r11d
+	leal	-128(%r9), %r11d
 2:	movdqu  (%r8, %rax), %xmm3
 	movdqu	16(%r8, %rax), %xmm4
 	movdqu	32(%r8, %rax), %xmm5
@@ -2435,11 +2461,11 @@ intel_aes_decrypt_cbc_256:
 	movdqu	%xmm8, 80(%rsi, %rax)
 	movdqu	%xmm9, 96(%rsi, %rax)
 	movdqu	%xmm10, 112(%rsi, %rax)
-//	addq	$8*16, %rax
-	addq	$128, %rax
-	cmpq	%r11, %rax
+//	addl	$8*16, %eax
+	addl	$128, %eax
+	cmpl	%r11d, %eax
 	jbe	2b
-1:	cmpq	%rax, %r9
+1:	cmpl	%eax, %r9d
 	je	5f
 
 	movdqu	16(%rdi), %xmm2
@@ -2477,8 +2503,8 @@ intel_aes_decrypt_cbc_256:
 	pxor	%xmm0, %xmm1
 	movdqu	(%r8, %rax), %xmm0  /* fetch the IV before we store the block */
 	movdqu	%xmm1, (%rsi, %rax) /* in case input buf = output buf */
-	addq	$16, %rax
-	cmpq	%rax, %r9
+	addl	$16, %eax
+	cmpl	%eax, %r9d
 	jne	4b
 
 5:	movdqu	%xmm0, (%rdx)

security/nss/lib/freebl/ldvector.c

@@ -286,9 +286,17 @@ static const struct FREEBLVectorStr vector =
 
     EC_FillParams,
     EC_DecodeParams,
-    EC_CopyParams
+    EC_CopyParams,
 
     /* End of Version 3.017 */
+
+    ChaCha20Poly1305_InitContext,
+    ChaCha20Poly1305_CreateContext,
+    ChaCha20Poly1305_DestroyContext,
+    ChaCha20Poly1305_Seal,
+    ChaCha20Poly1305_Open
+
+    /* End of Version 3.018 */
 };
 
 const FREEBLVector *

security/nss/lib/freebl/loader.c

@@ -2128,3 +2128,59 @@ SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
   return (vector->p_EC_CopyParams)(arena, dstParams,  srcParams);
 }
 
+SECStatus
+ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
+                             const unsigned char *key, unsigned int keyLen,
+                             unsigned int tagLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_ChaCha20Poly1305_InitContext)(ctx, key, keyLen, tagLen);
+}
+
+ChaCha20Poly1305Context *
+ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen,
+                               unsigned int tagLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_ChaCha20Poly1305_CreateContext)(key, keyLen, tagLen);
+}
+
+void
+ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_ChaCha20Poly1305_DestroyContext)(ctx, freeit);
+}
+
+SECStatus
+ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx,
+                      unsigned char *output, unsigned int *outputLen,
+                      unsigned int maxOutputLen,
+                      const unsigned char *input, unsigned int inputLen,
+                      const unsigned char *nonce, unsigned int nonceLen,
+                      const unsigned char *ad, unsigned int adLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_ChaCha20Poly1305_Seal)(
+      ctx, output, outputLen, maxOutputLen, input, inputLen,
+      nonce, nonceLen, ad, adLen);
+}
+
+SECStatus
+ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx,
+                      unsigned char *output, unsigned int *outputLen,
+                      unsigned int maxOutputLen,
+                      const unsigned char *input, unsigned int inputLen,
+                      const unsigned char *nonce, unsigned int nonceLen,
+                      const unsigned char *ad, unsigned int adLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_ChaCha20Poly1305_Open)(
+      ctx, output, outputLen, maxOutputLen, input, inputLen,
+      nonce, nonceLen, ad, adLen);
+}

security/nss/lib/freebl/loader.h

@@ -10,7 +10,7 @@
 
 #include "blapi.h"
 
-#define FREEBL_VERSION 0x0311
+#define FREEBL_VERSION 0x0312
 
 struct FREEBLVectorStr {
 
@@ -707,6 +707,33 @@ struct FREEBLVectorStr {
 
   /* Version 3.017 came to here */
 
+ SECStatus (* p_ChaCha20Poly1305_InitContext)(ChaCha20Poly1305Context *ctx,
+                                              const unsigned char *key,
+                                              unsigned int keyLen,
+                                              unsigned int tagLen);
+
+ ChaCha20Poly1305Context *(* p_ChaCha20Poly1305_CreateContext)(
+     const unsigned char *key, unsigned int keyLen, unsigned int tagLen);
+
+ void (* p_ChaCha20Poly1305_DestroyContext)(ChaCha20Poly1305Context *ctx,
+                                            PRBool freeit);
+
+ SECStatus (* p_ChaCha20Poly1305_Seal)(
+     const ChaCha20Poly1305Context *ctx, unsigned char *output,
+     unsigned int *outputLen, unsigned int maxOutputLen,
+     const unsigned char *input, unsigned int inputLen,
+     const unsigned char *nonce, unsigned int nonceLen,
+     const unsigned char *ad, unsigned int adLen);
+
+ SECStatus (* p_ChaCha20Poly1305_Open)(
+     const ChaCha20Poly1305Context *ctx, unsigned char *output,
+     unsigned int *outputLen, unsigned int maxOutputLen,
+     const unsigned char *input, unsigned int inputLen,
+     const unsigned char *nonce, unsigned int nonceLen,
+     const unsigned char *ad, unsigned int adLen);
+
+  /* Version 3.018 came to here */
+
   /* Add new function pointers at the end of this struct and bump
    * FREEBL_VERSION at the beginning of this file. */
  };

security/nss/lib/freebl/manifest.mn

@@ -56,6 +56,7 @@ EXPORTS = \
 PRIVATE_EXPORTS = \
 	alghmac.h \
 	blapi.h \
+	chacha20poly1305.h \
 	hmacct.h \
 	secmpi.h \
 	secrng.h \
@@ -101,6 +102,7 @@ CSRCS = \
 	desblapi.c \
 	des.c \
 	drbg.c \
+	chacha20poly1305.c \
 	cts.c \
 	ctr.c \
 	gcm.c \

security/nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c

@@ -0,0 +1,623 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This implementation of poly1305 is by Andrew Moon
+ * (https://github.com/floodyberry/poly1305-donna) and released as public
+ * domain. It implements SIMD vectorization based on the algorithm described in
+ * http://cr.yp.to/papers.html#neoncrypto. Unrolled to 2 powers, i.e. 64 byte
+ * block size. */
+
+#include <emmintrin.h>
+#include <stdint.h>
+
+#include "poly1305.h"
+
+#define ALIGN(x) __attribute__((aligned(x)))
+#define INLINE inline
+#define U8TO64_LE(m) (*(uint64_t*)(m))
+#define U8TO32_LE(m) (*(uint32_t*)(m))
+#define U64TO8_LE(m,v) (*(uint64_t*)(m)) = v
+
+typedef __m128i xmmi;
+typedef unsigned __int128 uint128_t;
+
+static const uint32_t ALIGN(16) poly1305_x64_sse2_message_mask[4] = {(1 << 26) - 1, 0, (1 << 26) - 1, 0};
+static const uint32_t ALIGN(16) poly1305_x64_sse2_5[4] = {5, 0, 5, 0};
+static const uint32_t ALIGN(16) poly1305_x64_sse2_1shl128[4] = {(1 << 24), 0, (1 << 24), 0};
+
+static uint128_t INLINE
+add128(uint128_t a, uint128_t b) {
+	return a + b;
+}
+
+static uint128_t INLINE
+add128_64(uint128_t a, uint64_t b) {
+	return a + b;
+}
+
+static uint128_t INLINE
+mul64x64_128(uint64_t a, uint64_t b) {
+	return (uint128_t)a * b;
+}
+
+static uint64_t INLINE
+lo128(uint128_t a) {
+	return (uint64_t)a;
+}
+
+static uint64_t INLINE
+shr128(uint128_t v, const int shift) {
+	return (uint64_t)(v >> shift);
+}
+
+static uint64_t INLINE
+shr128_pair(uint64_t hi, uint64_t lo, const int shift) {
+	return (uint64_t)((((uint128_t)hi << 64) | lo) >> shift);
+}
+
+typedef struct poly1305_power_t {
+	union {
+		xmmi v;
+		uint64_t u[2];
+		uint32_t d[4];
+	} R20,R21,R22,R23,R24,S21,S22,S23,S24;
+} poly1305_power;
+
+typedef struct poly1305_state_internal_t {
+	poly1305_power P[2];     /* 288 bytes, top 32 bit halves unused = 144 bytes of free storage */
+	union {
+		xmmi H[5];           /*  80 bytes  */
+		uint64_t HH[10];
+	};
+	/* uint64_t r0,r1,r2;       [24 bytes] */
+	/* uint64_t pad0,pad1;      [16 bytes] */
+	uint64_t started;        /*   8 bytes  */
+	uint64_t leftover;       /*   8 bytes  */
+	uint8_t buffer[64];      /*  64 bytes  */
+} poly1305_state_internal;   /* 448 bytes total + 63 bytes for alignment = 511 bytes raw */
+
+static poly1305_state_internal INLINE
+*poly1305_aligned_state(poly1305_state *state) {
+	return (poly1305_state_internal *)(((uint64_t)state + 63) & ~63);
+}
+
+/* copy 0-63 bytes */
+static void INLINE
+poly1305_block_copy(uint8_t *dst, const uint8_t *src, size_t bytes) {
+	size_t offset = src - dst;
+	if (bytes & 32) {
+		_mm_storeu_si128((xmmi *)(dst + 0), _mm_loadu_si128((xmmi *)(dst + offset + 0)));
+		_mm_storeu_si128((xmmi *)(dst + 16), _mm_loadu_si128((xmmi *)(dst + offset + 16)));
+		dst += 32;
+	}
+	if (bytes & 16) { _mm_storeu_si128((xmmi *)dst, _mm_loadu_si128((xmmi *)(dst + offset))); dst += 16; }
+	if (bytes &  8) { *(uint64_t *)dst = *(uint64_t *)(dst + offset); dst += 8; }
+	if (bytes &  4) { *(uint32_t *)dst = *(uint32_t *)(dst + offset); dst += 4; }
+	if (bytes &  2) { *(uint16_t *)dst = *(uint16_t *)(dst + offset); dst += 2; }
+	if (bytes &  1) { *( uint8_t *)dst = *( uint8_t *)(dst + offset);           }
+}
+
+/* zero 0-15 bytes */
+static void INLINE
+poly1305_block_zero(uint8_t *dst, size_t bytes) {
+	if (bytes &  8) { *(uint64_t *)dst = 0; dst += 8; }
+	if (bytes &  4) { *(uint32_t *)dst = 0; dst += 4; }
+	if (bytes &  2) { *(uint16_t *)dst = 0; dst += 2; }
+	if (bytes &  1) { *( uint8_t *)dst = 0; }
+}
+
+static size_t INLINE
+poly1305_min(size_t a, size_t b) {
+	return (a < b) ? a : b;
+}
+
+void
+Poly1305Init(poly1305_state *state, const unsigned char key[32]) {
+	poly1305_state_internal *st = poly1305_aligned_state(state);
+	poly1305_power *p;
+	uint64_t r0,r1,r2;
+	uint64_t t0,t1;
+
+	/* clamp key */
+	t0 = U8TO64_LE(key + 0);
+	t1 = U8TO64_LE(key + 8);
+	r0 = t0 & 0xffc0fffffff; t0 >>= 44; t0 |= t1 << 20;
+	r1 = t0 & 0xfffffc0ffff; t1 >>= 24;
+	r2 = t1 & 0x00ffffffc0f;
+
+	/* store r in un-used space of st->P[1] */
+	p = &st->P[1];
+	p->R20.d[1] = (uint32_t)(r0      );
+	p->R20.d[3] = (uint32_t)(r0 >> 32);
+	p->R21.d[1] = (uint32_t)(r1      );
+	p->R21.d[3] = (uint32_t)(r1 >> 32);
+	p->R22.d[1] = (uint32_t)(r2      );
+	p->R22.d[3] = (uint32_t)(r2 >> 32);
+
+	/* store pad */
+	p->R23.d[1] = U8TO32_LE(key + 16);
+	p->R23.d[3] = U8TO32_LE(key + 20);
+	p->R24.d[1] = U8TO32_LE(key + 24);
+	p->R24.d[3] = U8TO32_LE(key + 28);
+
+	/* H = 0 */
+	st->H[0] = _mm_setzero_si128();
+	st->H[1] = _mm_setzero_si128();
+	st->H[2] = _mm_setzero_si128();
+	st->H[3] = _mm_setzero_si128();
+	st->H[4] = _mm_setzero_si128();
+
+	st->started = 0;
+	st->leftover = 0;
+}
+
+static void
+poly1305_first_block(poly1305_state_internal *st, const uint8_t *m) {
+	const xmmi MMASK = _mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
+	const xmmi FIVE = _mm_load_si128((xmmi*)poly1305_x64_sse2_5);
+	const xmmi HIBIT = _mm_load_si128((xmmi*)poly1305_x64_sse2_1shl128);
+	xmmi T5,T6;
+	poly1305_power *p;
+	uint128_t d[3];
+	uint64_t r0,r1,r2;
+	uint64_t r20,r21,r22,s22;
+	uint64_t pad0,pad1;
+	uint64_t c;
+	uint64_t i;
+
+	/* pull out stored info */
+	p = &st->P[1];
+
+	r0   = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
+	r1   = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
+	r2   = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
+	pad0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
+	pad1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
+
+	/* compute powers r^2,r^4 */
+	r20 = r0;
+	r21 = r1;
+	r22 = r2;
+	for (i = 0; i < 2; i++) {
+		s22 = r22 * (5 << 2);
+
+		d[0] = add128(mul64x64_128(r20, r20), mul64x64_128(r21 * 2, s22));
+		d[1] = add128(mul64x64_128(r22, s22), mul64x64_128(r20 * 2, r21));
+		d[2] = add128(mul64x64_128(r21, r21), mul64x64_128(r22 * 2, r20));
+
+		                           r20 = lo128(d[0]) & 0xfffffffffff; c = shr128(d[0], 44);
+		d[1] = add128_64(d[1], c); r21 = lo128(d[1]) & 0xfffffffffff; c = shr128(d[1], 44);
+		d[2] = add128_64(d[2], c); r22 = lo128(d[2]) & 0x3ffffffffff; c = shr128(d[2], 42);
+		r20 += c * 5; c = (r20 >> 44); r20 = r20 & 0xfffffffffff;
+		r21 += c;
+
+		p->R20.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)( r20                     ) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
+		p->R21.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r20 >> 26) | (r21 << 18)) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
+		p->R22.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r21 >> 8)               ) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
+		p->R23.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r21 >> 34) | (r22 << 10)) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
+		p->R24.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r22 >> 16)              )            ), _MM_SHUFFLE(1,0,1,0));
+		p->S21.v = _mm_mul_epu32(p->R21.v, FIVE);
+		p->S22.v = _mm_mul_epu32(p->R22.v, FIVE);
+		p->S23.v = _mm_mul_epu32(p->R23.v, FIVE);
+		p->S24.v = _mm_mul_epu32(p->R24.v, FIVE);
+		p--;
+	}
+
+	/* put saved info back */
+	p = &st->P[1];
+	p->R20.d[1] = (uint32_t)(r0        );
+	p->R20.d[3] = (uint32_t)(r0   >> 32);
+	p->R21.d[1] = (uint32_t)(r1        );
+	p->R21.d[3] = (uint32_t)(r1   >> 32);
+	p->R22.d[1] = (uint32_t)(r2        );
+	p->R22.d[3] = (uint32_t)(r2   >> 32);
+	p->R23.d[1] = (uint32_t)(pad0      );
+	p->R23.d[3] = (uint32_t)(pad0 >> 32);
+	p->R24.d[1] = (uint32_t)(pad1      );
+	p->R24.d[3] = (uint32_t)(pad1 >> 32);
+
+	/* H = [Mx,My] */
+	T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
+	T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
+	st->H[0] = _mm_and_si128(MMASK, T5);
+	st->H[1] = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
+	T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
+	st->H[2] = _mm_and_si128(MMASK, T5);
+	st->H[3] = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
+	st->H[4] = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
+}
+
+static void
+poly1305_blocks(poly1305_state_internal *st, const uint8_t *m, size_t bytes) {
+	const xmmi MMASK = _mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
+	const xmmi FIVE = _mm_load_si128((xmmi*)poly1305_x64_sse2_5);
+	const xmmi HIBIT = _mm_load_si128((xmmi*)poly1305_x64_sse2_1shl128);
+
+	poly1305_power *p;
+	xmmi H0,H1,H2,H3,H4;
+	xmmi T0,T1,T2,T3,T4,T5,T6;
+	xmmi M0,M1,M2,M3,M4;
+	xmmi C1,C2;
+
+	H0 = st->H[0];
+	H1 = st->H[1];
+	H2 = st->H[2];
+	H3 = st->H[3];
+	H4 = st->H[4];
+
+	while (bytes >= 64) {
+		/* H *= [r^4,r^4] */
+		p = &st->P[0];
+		T0 = _mm_mul_epu32(H0, p->R20.v);
+		T1 = _mm_mul_epu32(H0, p->R21.v);
+		T2 = _mm_mul_epu32(H0, p->R22.v);
+		T3 = _mm_mul_epu32(H0, p->R23.v);
+		T4 = _mm_mul_epu32(H0, p->R24.v);
+		T5 = _mm_mul_epu32(H1, p->S24.v); T6 = _mm_mul_epu32(H1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(H2, p->S23.v); T6 = _mm_mul_epu32(H2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(H3, p->S22.v); T6 = _mm_mul_epu32(H3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(H4, p->S21.v); T6 = _mm_mul_epu32(H4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(H1, p->R21.v); T6 = _mm_mul_epu32(H1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(H2, p->R20.v); T6 = _mm_mul_epu32(H2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(H3, p->S24.v); T6 = _mm_mul_epu32(H3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(H4, p->S23.v); T6 = _mm_mul_epu32(H4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(H1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
+		T5 = _mm_mul_epu32(H2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
+		T5 = _mm_mul_epu32(H3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
+		T5 = _mm_mul_epu32(H4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
+
+		/* H += [Mx,My]*[r^2,r^2] */
+		T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
+		T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
+		M0 = _mm_and_si128(MMASK, T5);
+		M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
+		T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
+		M2 = _mm_and_si128(MMASK, T5);
+		M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
+		M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
+
+		p = &st->P[1];
+		T5 = _mm_mul_epu32(M0, p->R20.v); T6 = _mm_mul_epu32(M0, p->R21.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(M1, p->S24.v); T6 = _mm_mul_epu32(M1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(M2, p->S23.v); T6 = _mm_mul_epu32(M2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(M3, p->S22.v); T6 = _mm_mul_epu32(M3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(M4, p->S21.v); T6 = _mm_mul_epu32(M4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(M0, p->R22.v); T6 = _mm_mul_epu32(M0, p->R23.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(M1, p->R21.v); T6 = _mm_mul_epu32(M1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(M2, p->R20.v); T6 = _mm_mul_epu32(M2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(M3, p->S24.v); T6 = _mm_mul_epu32(M3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(M4, p->S23.v); T6 = _mm_mul_epu32(M4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(M0, p->R24.v);                                   T4 = _mm_add_epi64(T4, T5);
+		T5 = _mm_mul_epu32(M1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
+		T5 = _mm_mul_epu32(M2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
+		T5 = _mm_mul_epu32(M3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
+		T5 = _mm_mul_epu32(M4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
+
+		/* H += [Mx,My] */
+		T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 32)), _mm_loadl_epi64((xmmi *)(m + 48)));
+		T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 40)), _mm_loadl_epi64((xmmi *)(m + 56)));
+		M0 = _mm_and_si128(MMASK, T5);
+		M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
+		T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
+		M2 = _mm_and_si128(MMASK, T5);
+		M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
+		M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
+
+		T0 = _mm_add_epi64(T0, M0);
+		T1 = _mm_add_epi64(T1, M1);
+		T2 = _mm_add_epi64(T2, M2);
+		T3 = _mm_add_epi64(T3, M3);
+		T4 = _mm_add_epi64(T4, M4);
+
+		/* reduce */
+		C1 = _mm_srli_epi64(T0, 26); C2 = _mm_srli_epi64(T3, 26); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_and_si128(T3, MMASK); T1 = _mm_add_epi64(T1, C1); T4 = _mm_add_epi64(T4, C2);
+		C1 = _mm_srli_epi64(T1, 26); C2 = _mm_srli_epi64(T4, 26); T1 = _mm_and_si128(T1, MMASK); T4 = _mm_and_si128(T4, MMASK); T2 = _mm_add_epi64(T2, C1); T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
+		C1 = _mm_srli_epi64(T2, 26); C2 = _mm_srli_epi64(T0, 26); T2 = _mm_and_si128(T2, MMASK); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_add_epi64(T3, C1); T1 = _mm_add_epi64(T1, C2);
+		C1 = _mm_srli_epi64(T3, 26);                              T3 = _mm_and_si128(T3, MMASK);                                T4 = _mm_add_epi64(T4, C1);
+
+		/* H = (H*[r^4,r^4] + [Mx,My]*[r^2,r^2] + [Mx,My]) */
+		H0 = T0;
+		H1 = T1;
+		H2 = T2;
+		H3 = T3;
+		H4 = T4;
+
+		m += 64;
+		bytes -= 64;
+	}
+
+	st->H[0] = H0;
+	st->H[1] = H1;
+	st->H[2] = H2;
+	st->H[3] = H3;
+	st->H[4] = H4;
+}
+
+static size_t
+poly1305_combine(poly1305_state_internal *st, const uint8_t *m, size_t bytes) {
+	const xmmi MMASK = _mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
+	const xmmi HIBIT = _mm_load_si128((xmmi*)poly1305_x64_sse2_1shl128);
+	const xmmi FIVE = _mm_load_si128((xmmi*)poly1305_x64_sse2_5);
+
+	poly1305_power *p;
+	xmmi H0,H1,H2,H3,H4;
+	xmmi M0,M1,M2,M3,M4;
+	xmmi T0,T1,T2,T3,T4,T5,T6;
+	xmmi C1,C2;
+
+	uint64_t r0,r1,r2;
+	uint64_t t0,t1,t2,t3,t4;
+	uint64_t c;
+	size_t consumed = 0;
+
+	H0 = st->H[0];
+	H1 = st->H[1];
+	H2 = st->H[2];
+	H3 = st->H[3];
+	H4 = st->H[4];
+
+	/* p = [r^2,r^2] */
+	p = &st->P[1];
+
+	if (bytes >= 32) {
+		/* H *= [r^2,r^2] */
+		T0 = _mm_mul_epu32(H0, p->R20.v);
+		T1 = _mm_mul_epu32(H0, p->R21.v);
+		T2 = _mm_mul_epu32(H0, p->R22.v);
+		T3 = _mm_mul_epu32(H0, p->R23.v);
+		T4 = _mm_mul_epu32(H0, p->R24.v);
+		T5 = _mm_mul_epu32(H1, p->S24.v); T6 = _mm_mul_epu32(H1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(H2, p->S23.v); T6 = _mm_mul_epu32(H2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(H3, p->S22.v); T6 = _mm_mul_epu32(H3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(H4, p->S21.v); T6 = _mm_mul_epu32(H4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+		T5 = _mm_mul_epu32(H1, p->R21.v); T6 = _mm_mul_epu32(H1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(H2, p->R20.v); T6 = _mm_mul_epu32(H2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(H3, p->S24.v); T6 = _mm_mul_epu32(H3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(H4, p->S23.v); T6 = _mm_mul_epu32(H4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+		T5 = _mm_mul_epu32(H1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
+		T5 = _mm_mul_epu32(H2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
+		T5 = _mm_mul_epu32(H3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
+		T5 = _mm_mul_epu32(H4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
+
+		/* H += [Mx,My] */
+		T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
+		T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
+		M0 = _mm_and_si128(MMASK, T5);
+		M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
+		T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
+		M2 = _mm_and_si128(MMASK, T5);
+		M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
+		M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
+
+		T0 = _mm_add_epi64(T0, M0);
+		T1 = _mm_add_epi64(T1, M1);
+		T2 = _mm_add_epi64(T2, M2);
+		T3 = _mm_add_epi64(T3, M3);
+		T4 = _mm_add_epi64(T4, M4);
+
+		/* reduce */
+		C1 = _mm_srli_epi64(T0, 26); C2 = _mm_srli_epi64(T3, 26); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_and_si128(T3, MMASK); T1 = _mm_add_epi64(T1, C1); T4 = _mm_add_epi64(T4, C2);
+		C1 = _mm_srli_epi64(T1, 26); C2 = _mm_srli_epi64(T4, 26); T1 = _mm_and_si128(T1, MMASK); T4 = _mm_and_si128(T4, MMASK); T2 = _mm_add_epi64(T2, C1); T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
+		C1 = _mm_srli_epi64(T2, 26); C2 = _mm_srli_epi64(T0, 26); T2 = _mm_and_si128(T2, MMASK); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_add_epi64(T3, C1); T1 = _mm_add_epi64(T1, C2);
+		C1 = _mm_srli_epi64(T3, 26);                              T3 = _mm_and_si128(T3, MMASK);                                T4 = _mm_add_epi64(T4, C1);
+
+		/* H = (H*[r^2,r^2] + [Mx,My]) */
+		H0 = T0;
+		H1 = T1;
+		H2 = T2;
+		H3 = T3;
+		H4 = T4;
+
+		consumed = 32;
+	}
+
+	/* finalize, H *= [r^2,r] */
+	r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
+	r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
+	r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
+
+	p->R20.d[2] = (uint32_t)( r0                    ) & 0x3ffffff;
+	p->R21.d[2] = (uint32_t)((r0 >> 26) | (r1 << 18)) & 0x3ffffff;
+	p->R22.d[2] = (uint32_t)((r1 >> 8)              ) & 0x3ffffff;
+	p->R23.d[2] = (uint32_t)((r1 >> 34) | (r2 << 10)) & 0x3ffffff;
+	p->R24.d[2] = (uint32_t)((r2 >> 16)             )            ;
+	p->S21.d[2] = p->R21.d[2] * 5;
+	p->S22.d[2] = p->R22.d[2] * 5;
+	p->S23.d[2] = p->R23.d[2] * 5;
+	p->S24.d[2] = p->R24.d[2] * 5;
+
+	/* H *= [r^2,r] */
+	T0 = _mm_mul_epu32(H0, p->R20.v);
+	T1 = _mm_mul_epu32(H0, p->R21.v);
+	T2 = _mm_mul_epu32(H0, p->R22.v);
+	T3 = _mm_mul_epu32(H0, p->R23.v);
+	T4 = _mm_mul_epu32(H0, p->R24.v);
+	T5 = _mm_mul_epu32(H1, p->S24.v); T6 = _mm_mul_epu32(H1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+	T5 = _mm_mul_epu32(H2, p->S23.v); T6 = _mm_mul_epu32(H2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+	T5 = _mm_mul_epu32(H3, p->S22.v); T6 = _mm_mul_epu32(H3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+	T5 = _mm_mul_epu32(H4, p->S21.v); T6 = _mm_mul_epu32(H4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
+	T5 = _mm_mul_epu32(H1, p->R21.v); T6 = _mm_mul_epu32(H1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+	T5 = _mm_mul_epu32(H2, p->R20.v); T6 = _mm_mul_epu32(H2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+	T5 = _mm_mul_epu32(H3, p->S24.v); T6 = _mm_mul_epu32(H3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+	T5 = _mm_mul_epu32(H4, p->S23.v); T6 = _mm_mul_epu32(H4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
+	T5 = _mm_mul_epu32(H1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
+	T5 = _mm_mul_epu32(H2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
+	T5 = _mm_mul_epu32(H3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
+	T5 = _mm_mul_epu32(H4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
+
+	C1 = _mm_srli_epi64(T0, 26); C2 = _mm_srli_epi64(T3, 26); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_and_si128(T3, MMASK); T1 = _mm_add_epi64(T1, C1); T4 = _mm_add_epi64(T4, C2);
+	C1 = _mm_srli_epi64(T1, 26); C2 = _mm_srli_epi64(T4, 26); T1 = _mm_and_si128(T1, MMASK); T4 = _mm_and_si128(T4, MMASK); T2 = _mm_add_epi64(T2, C1); T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
+	C1 = _mm_srli_epi64(T2, 26); C2 = _mm_srli_epi64(T0, 26); T2 = _mm_and_si128(T2, MMASK); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_add_epi64(T3, C1); T1 = _mm_add_epi64(T1, C2);
+	C1 = _mm_srli_epi64(T3, 26);                              T3 = _mm_and_si128(T3, MMASK);                                T4 = _mm_add_epi64(T4, C1);
+
+	/* H = H[0]+H[1] */
+	H0 = _mm_add_epi64(T0, _mm_srli_si128(T0, 8));
+	H1 = _mm_add_epi64(T1, _mm_srli_si128(T1, 8));
+	H2 = _mm_add_epi64(T2, _mm_srli_si128(T2, 8));
+	H3 = _mm_add_epi64(T3, _mm_srli_si128(T3, 8));
+	H4 = _mm_add_epi64(T4, _mm_srli_si128(T4, 8));
+
+	t0 = _mm_cvtsi128_si32(H0)    ; c = (t0 >> 26); t0 &= 0x3ffffff;
+	t1 = _mm_cvtsi128_si32(H1) + c; c = (t1 >> 26); t1 &= 0x3ffffff;
+	t2 = _mm_cvtsi128_si32(H2) + c; c = (t2 >> 26); t2 &= 0x3ffffff;
+	t3 = _mm_cvtsi128_si32(H3) + c; c = (t3 >> 26); t3 &= 0x3ffffff;
+	t4 = _mm_cvtsi128_si32(H4) + c; c = (t4 >> 26); t4 &= 0x3ffffff;
+	t0 =              t0 + (c * 5); c = (t0 >> 26); t0 &= 0x3ffffff;
+	t1 =              t1 + c;
+
+	st->HH[0] =  ((t0      ) | (t1 << 26)             ) & 0xfffffffffffull;
+	st->HH[1] =  ((t1 >> 18) | (t2 <<  8) | (t3 << 34)) & 0xfffffffffffull;
+	st->HH[2] =  ((t3 >> 10) | (t4 << 16)             ) & 0x3ffffffffffull;
+
+	return consumed;
+}
+
+void
+Poly1305Update(poly1305_state *state, const unsigned char *m, size_t bytes) {
+	poly1305_state_internal *st = poly1305_aligned_state(state);
+	size_t want;
+
+	/* need at least 32 initial bytes to start the accelerated branch */
+	if (!st->started) {
+		if ((st->leftover == 0) && (bytes > 32)) {
+			poly1305_first_block(st, m);
+			m += 32;
+			bytes -= 32;
+		} else {
+			want = poly1305_min(32 - st->leftover, bytes);
+			poly1305_block_copy(st->buffer + st->leftover, m, want);
+			bytes -= want;
+			m += want;
+			st->leftover += want;
+			if ((st->leftover < 32) || (bytes == 0))
+				return;
+			poly1305_first_block(st, st->buffer);
+			st->leftover = 0;
+		}
+		st->started = 1;
+	}
+
+	/* handle leftover */
+	if (st->leftover) {
+		want = poly1305_min(64 - st->leftover, bytes);
+		poly1305_block_copy(st->buffer + st->leftover, m, want);
+		bytes -= want;
+		m += want;
+		st->leftover += want;
+		if (st->leftover < 64)
+			return;
+		poly1305_blocks(st, st->buffer, 64);
+		st->leftover = 0;
+	}
+
+	/* process 64 byte blocks */
+	if (bytes >= 64) {
+		want = (bytes & ~63);
+		poly1305_blocks(st, m, want);
+		m += want;
+		bytes -= want;
+	}
+
+	if (bytes) {
+		poly1305_block_copy(st->buffer + st->leftover, m, bytes);
+		st->leftover += bytes;
+	}
+}
+
+void
+Poly1305Finish(poly1305_state *state, unsigned char mac[16]) {
+	poly1305_state_internal *st = poly1305_aligned_state(state);
+	size_t leftover = st->leftover;
+	uint8_t *m = st->buffer;
+	uint128_t d[3];
+	uint64_t h0,h1,h2;
+	uint64_t t0,t1;
+	uint64_t g0,g1,g2,c,nc;
+	uint64_t r0,r1,r2,s1,s2;
+	poly1305_power *p;
+
+	if (st->started) {
+		size_t consumed = poly1305_combine(st, m, leftover);
+		leftover -= consumed;
+		m += consumed;
+	}
+
+	/* st->HH will either be 0 or have the combined result */
+	h0 = st->HH[0];
+	h1 = st->HH[1];
+	h2 = st->HH[2];
+
+	p = &st->P[1];
+	r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
+	r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
+	r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
+	s1 = r1 * (5 << 2);
+	s2 = r2 * (5 << 2);
+
+	if (leftover < 16)
+		goto poly1305_donna_atmost15bytes;
+
+poly1305_donna_atleast16bytes:
+	t0 = U8TO64_LE(m + 0);
+	t1 = U8TO64_LE(m + 8);
+	h0 += t0 & 0xfffffffffff;
+	t0 = shr128_pair(t1, t0, 44);
+	h1 += t0 & 0xfffffffffff;
+	h2 += (t1 >> 24) | ((uint64_t)1 << 40);
+
+poly1305_donna_mul:
+	d[0] = add128(add128(mul64x64_128(h0, r0), mul64x64_128(h1, s2)), mul64x64_128(h2, s1));
+	d[1] = add128(add128(mul64x64_128(h0, r1), mul64x64_128(h1, r0)), mul64x64_128(h2, s2));
+	d[2] = add128(add128(mul64x64_128(h0, r2), mul64x64_128(h1, r1)), mul64x64_128(h2, r0));
+	                           h0 = lo128(d[0]) & 0xfffffffffff; c = shr128(d[0], 44);
+	d[1] = add128_64(d[1], c); h1 = lo128(d[1]) & 0xfffffffffff; c = shr128(d[1], 44);
+	d[2] = add128_64(d[2], c); h2 = lo128(d[2]) & 0x3ffffffffff; c = shr128(d[2], 42);
+	h0   += c * 5;
+
+	m += 16;
+	leftover -= 16;
+	if (leftover >= 16) goto poly1305_donna_atleast16bytes;
+
+	/* final bytes */
+poly1305_donna_atmost15bytes:
+	if (!leftover) goto poly1305_donna_finish;
+
+	m[leftover++] = 1;
+	poly1305_block_zero(m + leftover, 16 - leftover);
+	leftover = 16;
+
+	t0 = U8TO64_LE(m+0);
+	t1 = U8TO64_LE(m+8);
+	h0 += t0 & 0xfffffffffff; t0 = shr128_pair(t1, t0, 44);
+	h1 += t0 & 0xfffffffffff;
+	h2 += (t1 >> 24);
+
+	goto poly1305_donna_mul;
+
+poly1305_donna_finish:
+	             c = (h0 >> 44); h0 &= 0xfffffffffff;
+	h1 += c;     c = (h1 >> 44); h1 &= 0xfffffffffff;
+	h2 += c;     c = (h2 >> 42); h2 &= 0x3ffffffffff;
+	h0 += c * 5;
+
+	g0 = h0 + 5; c = (g0 >> 44); g0 &= 0xfffffffffff;
+	g1 = h1 + c; c = (g1 >> 44); g1 &= 0xfffffffffff;
+	g2 = h2 + c - ((uint64_t)1 << 42);
+
+	c = (g2 >> 63) - 1;
+	nc = ~c;
+	h0 = (h0 & nc) | (g0 & c);
+	h1 = (h1 & nc) | (g1 & c);
+	h2 = (h2 & nc) | (g2 & c);
+
+	/* pad */
+	t0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
+	t1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
+	h0 += (t0 & 0xfffffffffff)    ; c = (h0 >> 44); h0 &= 0xfffffffffff; t0 = shr128_pair(t1, t0, 44);
+	h1 += (t0 & 0xfffffffffff) + c; c = (h1 >> 44); h1 &= 0xfffffffffff; t1 = (t1 >> 24);
+	h2 += (t1                ) + c;
+
+	U64TO8_LE(mac + 0, ((h0      ) | (h1 << 44)));
+	U64TO8_LE(mac + 8, ((h1 >> 20) | (h2 << 24)));
+}

security/nss/lib/freebl/poly1305.c

@@ -0,0 +1,261 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This implementation of poly1305 is by Andrew Moon
+ * (https://github.com/floodyberry/poly1305-donna) and released as public
+ * domain. */
+
+#include <string.h>
+
+#include "poly1305.h"
+
+#if defined(_MSC_VER) && _MSC_VER < 1600
+#include "prtypes.h"
+typedef PRUint32 uint32_t;
+typedef PRUint64 uint64_t;
+#else
+#include <stdint.h>
+#endif
+
+#if defined(NSS_X86) || defined(NSS_X64)
+/* We can assume little-endian. */
+static uint32_t U8TO32_LE(const unsigned char *m) {
+	uint32_t r;
+	memcpy(&r, m, sizeof(r));
+	return r;
+}
+
+static void U32TO8_LE(unsigned char *m, uint32_t v) {
+	memcpy(m, &v, sizeof(v));
+}
+#else
+static uint32_t U8TO32_LE(const unsigned char *m) {
+	return (uint32_t)m[0] |
+	       (uint32_t)m[1] << 8 |
+	       (uint32_t)m[2] << 16 |
+	       (uint32_t)m[3] << 24;
+}
+
+static void U32TO8_LE(unsigned char *m, uint32_t v) {
+	m[0] = v;
+	m[1] = v >> 8;
+	m[2] = v >> 16;
+	m[3] = v >> 24;
+}
+#endif
+
+static uint64_t
+mul32x32_64(uint32_t a, uint32_t b) {
+	return (uint64_t)a * b;
+}
+
+struct poly1305_state_st {
+	uint32_t r0,r1,r2,r3,r4;
+	uint32_t s1,s2,s3,s4;
+	uint32_t h0,h1,h2,h3,h4;
+	unsigned char buf[16];
+	unsigned int buf_used;
+	unsigned char key[16];
+};
+
+/* update updates |state| given some amount of input data. This function may
+ * only be called with a |len| that is not a multiple of 16 at the end of the
+ * data. Otherwise the input must be buffered into 16 byte blocks. */
+static void update(struct poly1305_state_st *state, const unsigned char *in,
+		   size_t len) {
+	uint32_t t0,t1,t2,t3;
+	uint64_t t[5];
+	uint32_t b;
+	uint64_t c;
+	size_t j;
+	unsigned char mp[16];
+
+	if (len < 16)
+		goto poly1305_donna_atmost15bytes;
+
+poly1305_donna_16bytes:
+	t0 = U8TO32_LE(in);
+	t1 = U8TO32_LE(in+4);
+	t2 = U8TO32_LE(in+8);
+	t3 = U8TO32_LE(in+12);
+
+	in += 16;
+	len -= 16;
+
+	state->h0 += t0 & 0x3ffffff;
+	state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
+	state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
+	state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
+	state->h4 += (t3 >> 8) | (1 << 24);
+
+poly1305_donna_mul:
+	t[0] = mul32x32_64(state->h0,state->r0) +
+	       mul32x32_64(state->h1,state->s4) +
+	       mul32x32_64(state->h2,state->s3) +
+	       mul32x32_64(state->h3,state->s2) +
+	       mul32x32_64(state->h4,state->s1);
+	t[1] = mul32x32_64(state->h0,state->r1) +
+	       mul32x32_64(state->h1,state->r0) +
+	       mul32x32_64(state->h2,state->s4) +
+	       mul32x32_64(state->h3,state->s3) +
+	       mul32x32_64(state->h4,state->s2);
+	t[2] = mul32x32_64(state->h0,state->r2) +
+	       mul32x32_64(state->h1,state->r1) +
+	       mul32x32_64(state->h2,state->r0) +
+	       mul32x32_64(state->h3,state->s4) +
+	       mul32x32_64(state->h4,state->s3);
+	t[3] = mul32x32_64(state->h0,state->r3) +
+	       mul32x32_64(state->h1,state->r2) +
+	       mul32x32_64(state->h2,state->r1) +
+	       mul32x32_64(state->h3,state->r0) +
+	       mul32x32_64(state->h4,state->s4);
+	t[4] = mul32x32_64(state->h0,state->r4) +
+	       mul32x32_64(state->h1,state->r3) +
+	       mul32x32_64(state->h2,state->r2) +
+	       mul32x32_64(state->h3,state->r1) +
+	       mul32x32_64(state->h4,state->r0);
+
+	           state->h0 = (uint32_t)t[0] & 0x3ffffff; c =           (t[0] >> 26);
+	t[1] += c; state->h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26);
+	t[2] += b; state->h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26);
+	t[3] += b; state->h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26);
+	t[4] += b; state->h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26);
+	state->h0 += b * 5;
+
+	if (len >= 16)
+		goto poly1305_donna_16bytes;
+
+	/* final bytes */
+poly1305_donna_atmost15bytes:
+	if (!len)
+		return;
+
+	for (j = 0; j < len; j++)
+		mp[j] = in[j];
+	mp[j++] = 1;
+	for (; j < 16; j++)
+		mp[j] = 0;
+	len = 0;
+
+	t0 = U8TO32_LE(mp+0);
+	t1 = U8TO32_LE(mp+4);
+	t2 = U8TO32_LE(mp+8);
+	t3 = U8TO32_LE(mp+12);
+
+	state->h0 += t0 & 0x3ffffff;
+	state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
+	state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
+	state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
+	state->h4 += (t3 >> 8);
+
+	goto poly1305_donna_mul;
+}
+
+void Poly1305Init(poly1305_state *statep, const unsigned char key[32]) {
+	struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
+	uint32_t t0,t1,t2,t3;
+
+	t0 = U8TO32_LE(key+0);
+	t1 = U8TO32_LE(key+4);
+	t2 = U8TO32_LE(key+8);
+	t3 = U8TO32_LE(key+12);
+
+	/* precompute multipliers */
+	state->r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6;
+	state->r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12;
+	state->r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18;
+	state->r3 = t2 & 0x3f03fff; t3 >>= 8;
+	state->r4 = t3 & 0x00fffff;
+
+	state->s1 = state->r1 * 5;
+	state->s2 = state->r2 * 5;
+	state->s3 = state->r3 * 5;
+	state->s4 = state->r4 * 5;
+
+	/* init state */
+	state->h0 = 0;
+	state->h1 = 0;
+	state->h2 = 0;
+	state->h3 = 0;
+	state->h4 = 0;
+
+	state->buf_used = 0;
+	memcpy(state->key, key + 16, sizeof(state->key));
+}
+
+void Poly1305Update(poly1305_state *statep, const unsigned char *in,
+		     size_t in_len) {
+	unsigned int i;
+	struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
+
+	if (state->buf_used) {
+		unsigned int todo = 16 - state->buf_used;
+		if (todo > in_len)
+			todo = in_len;
+		for (i = 0; i < todo; i++)
+			state->buf[state->buf_used + i] = in[i];
+		state->buf_used += todo;
+		in_len -= todo;
+		in += todo;
+
+		if (state->buf_used == 16) {
+			update(state, state->buf, 16);
+			state->buf_used = 0;
+		}
+	}
+
+	if (in_len >= 16) {
+		size_t todo = in_len & ~0xf;
+		update(state, in, todo);
+		in += todo;
+		in_len &= 0xf;
+	}
+
+	if (in_len) {
+		for (i = 0; i < in_len; i++)
+			state->buf[i] = in[i];
+		state->buf_used = in_len;
+	}
+}
+
+void Poly1305Finish(poly1305_state *statep, unsigned char mac[16]) {
+	struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
+	uint64_t f0,f1,f2,f3;
+	uint32_t g0,g1,g2,g3,g4;
+	uint32_t b, nb;
+
+	if (state->buf_used)
+		update(state, state->buf, state->buf_used);
+
+	                    b = state->h0 >> 26; state->h0 = state->h0 & 0x3ffffff;
+	state->h1 +=     b; b = state->h1 >> 26; state->h1 = state->h1 & 0x3ffffff;
+	state->h2 +=     b; b = state->h2 >> 26; state->h2 = state->h2 & 0x3ffffff;
+	state->h3 +=     b; b = state->h3 >> 26; state->h3 = state->h3 & 0x3ffffff;
+	state->h4 +=     b; b = state->h4 >> 26; state->h4 = state->h4 & 0x3ffffff;
+	state->h0 += b * 5;
+
+	g0 = state->h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff;
+	g1 = state->h1 + b; b = g1 >> 26; g1 &= 0x3ffffff;
+	g2 = state->h2 + b; b = g2 >> 26; g2 &= 0x3ffffff;
+	g3 = state->h3 + b; b = g3 >> 26; g3 &= 0x3ffffff;
+	g4 = state->h4 + b - (1 << 26);
+
+	b = (g4 >> 31) - 1;
+	nb = ~b;
+	state->h0 = (state->h0 & nb) | (g0 & b);
+	state->h1 = (state->h1 & nb) | (g1 & b);
+	state->h2 = (state->h2 & nb) | (g2 & b);
+	state->h3 = (state->h3 & nb) | (g3 & b);
+	state->h4 = (state->h4 & nb) | (g4 & b);
+
+	f0 = ((state->h0      ) | (state->h1 << 26)) + (uint64_t)U8TO32_LE(&state->key[0]);
+	f1 = ((state->h1 >>  6) | (state->h2 << 20)) + (uint64_t)U8TO32_LE(&state->key[4]);
+	f2 = ((state->h2 >> 12) | (state->h3 << 14)) + (uint64_t)U8TO32_LE(&state->key[8]);
+	f3 = ((state->h3 >> 18) | (state->h4 <<  8)) + (uint64_t)U8TO32_LE(&state->key[12]);
+
+	U32TO8_LE(&mac[ 0], (uint32_t)f0); f1 += (f0 >> 32);
+	U32TO8_LE(&mac[ 4], (uint32_t)f1); f2 += (f1 >> 32);
+	U32TO8_LE(&mac[ 8], (uint32_t)f2); f3 += (f2 >> 32);
+	U32TO8_LE(&mac[12], (uint32_t)f3);
+}

security/nss/lib/freebl/poly1305.h

@@ -0,0 +1,28 @@
+/*
+ * poly1305.h - header file for Poly1305 implementation.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef FREEBL_POLY1305_H_
+#define FREEBL_POLY1305_H_
+
+typedef unsigned char poly1305_state[512];
+
+/* Poly1305Init sets up |state| so that it can be used to calculate an
+ * authentication tag with the one-time key |key|. Note that |key| is a
+ * one-time key and therefore there is no `reset' method because that would
+ * enable several messages to be authenticated with the same key. */
+extern void Poly1305Init(poly1305_state* state, const unsigned char key[32]);
+
+/* Poly1305Update processes |in_len| bytes from |in|. It can be called zero or
+ * more times after poly1305_init. */
+extern void Poly1305Update(poly1305_state* state, const unsigned char* in,
+                           size_t inLen);
+
+/* Poly1305Finish completes the poly1305 calculation and writes a 16 byte
+ * authentication tag to |mac|. */
+extern void Poly1305Finish(poly1305_state* state, unsigned char mac[16]);
+
+#endif /* FREEBL_POLY1305_H_ */

security/nss/lib/pk11wrap/pk11mech.c

@@ -152,6 +152,8 @@ PK11_GetKeyMechanism(CK_KEY_TYPE type)
 	return CKM_SEED_CBC;
     case CKK_CAMELLIA:
 	return CKM_CAMELLIA_CBC;
+    case CKK_NSS_CHACHA20:
+	return CKM_NSS_CHACHA20_POLY1305;
     case CKK_AES:
 	return CKM_AES_CBC;
     case CKK_DES:
@@ -219,6 +221,9 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
     case CKM_CAMELLIA_CBC_PAD:
     case CKM_CAMELLIA_KEY_GEN:
 	return CKK_CAMELLIA;
+    case CKM_NSS_CHACHA20_POLY1305:
+    case CKM_NSS_CHACHA20_KEY_GEN:
+	return CKK_NSS_CHACHA20;
     case CKM_AES_ECB:
     case CKM_AES_CBC:
     case CKM_AES_CCM:
@@ -431,6 +436,8 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size)
     case CKM_CAMELLIA_CBC_PAD:
     case CKM_CAMELLIA_KEY_GEN:
 	return CKM_CAMELLIA_KEY_GEN;
+    case CKM_NSS_CHACHA20_POLY1305:
+	return CKM_NSS_CHACHA20_KEY_GEN;
     case CKM_AES_ECB:
     case CKM_AES_CBC:
     case CKM_AES_CCM:

security/nss/lib/pk11wrap/pk11pars.c

@@ -354,6 +354,7 @@ static const oidValDef algOptList[] = {
     {CIPHER_NAME("CAMELLIA128-CBC"), SEC_OID_CAMELLIA_128_CBC, NSS_USE_ALG_IN_SSL},
     {CIPHER_NAME("CAMELLIA192-CBC"), SEC_OID_CAMELLIA_192_CBC, NSS_USE_ALG_IN_SSL},
     {CIPHER_NAME("CAMELLIA256-CBC"), SEC_OID_CAMELLIA_256_CBC, NSS_USE_ALG_IN_SSL},
+    {CIPHER_NAME("CHACHA20-POLY1305"), SEC_OID_CHACHA20_POLY1305, NSS_USE_ALG_IN_SSL},
     {CIPHER_NAME("SEED-CBC"), SEC_OID_SEED_CBC, NSS_USE_ALG_IN_SSL},
     {CIPHER_NAME("DES-EDE3-CBC"), SEC_OID_DES_EDE3_CBC, NSS_USE_ALG_IN_SSL},
     {CIPHER_NAME("DES-40-CBC"), SEC_OID_DES_40_CBC, NSS_USE_ALG_IN_SSL},

security/nss/lib/pkcs7/p7local.c

@@ -711,7 +711,7 @@ sec_PKCS7Encrypt (sec_PKCS7CipherObject *obj, unsigned char *output,
     }
 
     if (final) {
-	padlen = padsize - (pcount % padsize);
+	padlen = padsize ? padsize - (pcount % padsize) : 0;
 	PORT_Memset (pbuf + pcount, padlen, padlen);
 	rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
 			    pbuf, pcount+padlen);

security/nss/lib/softoken/pkcs11.c

@@ -370,6 +370,11 @@ static const struct mechanismList mechanisms[] = {
      {CKM_SEED_MAC,		{16, 16, CKF_SN_VR},		PR_TRUE},
      {CKM_SEED_MAC_GENERAL,	{16, 16, CKF_SN_VR},		PR_TRUE},
      {CKM_SEED_CBC_PAD,		{16, 16, CKF_EN_DE_WR_UN},	PR_TRUE},
+#ifndef NSS_DISABLE_CHACHAPOLY
+     /* ------------------------- ChaCha20 Operations ---------------------- */
+     {CKM_NSS_CHACHA20_KEY_GEN,	{32, 32, CKF_GENERATE},		PR_TRUE},
+     {CKM_NSS_CHACHA20_POLY1305,{32, 32, CKF_EN_DE},		PR_TRUE},
+#endif /* NSS_DISABLE_CHACHAPOLY */
      /* ------------------------- Hashing Operations ----------------------- */
      {CKM_MD2,			{0,   0, CKF_DIGEST},		PR_FALSE},
      {CKM_MD2_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},

security/nss/lib/softoken/pkcs11c.c

@@ -665,6 +665,97 @@ sftk_RSADecryptOAEP(SFTKOAEPDecryptInfo *info, unsigned char *output,
     return rv;
 }
 
+static SFTKChaCha20Poly1305Info *
+sftk_ChaCha20Poly1305_CreateContext(const unsigned char *key,
+                                    unsigned int keyLen,
+                                    const CK_NSS_AEAD_PARAMS *params)
+{
+    SFTKChaCha20Poly1305Info *ctx;
+
+    if (params->ulNonceLen != sizeof(ctx->nonce)) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return NULL;
+    }
+
+    ctx = PORT_New(SFTKChaCha20Poly1305Info);
+    if (ctx == NULL) {
+        return NULL;
+    }
+
+    if (ChaCha20Poly1305_InitContext(&ctx->freeblCtx, key, keyLen,
+                                     params->ulTagLen) != SECSuccess) {
+        PORT_Free(ctx);
+        return NULL;
+    }
+
+    PORT_Memcpy(ctx->nonce, params->pNonce, sizeof(ctx->nonce));
+
+    if (params->ulAADLen > sizeof(ctx->ad)) {
+        /* Need to allocate an overflow buffer for the additional data. */
+        ctx->adOverflow = (unsigned char *)PORT_Alloc(params->ulAADLen);
+        if (!ctx->adOverflow) {
+            PORT_Free(ctx);
+            return NULL;
+        }
+        PORT_Memcpy(ctx->adOverflow, params->pAAD, params->ulAADLen);
+    } else {
+        ctx->adOverflow = NULL;
+        PORT_Memcpy(ctx->ad, params->pAAD, params->ulAADLen);
+    }
+    ctx->adLen = params->ulAADLen;
+
+    return ctx;
+}
+
+static void
+sftk_ChaCha20Poly1305_DestroyContext(SFTKChaCha20Poly1305Info *ctx,
+                                     PRBool freeit)
+{
+    ChaCha20Poly1305_DestroyContext(&ctx->freeblCtx, PR_FALSE);
+    if (ctx->adOverflow != NULL) {
+        PORT_Free(ctx->adOverflow);
+        ctx->adOverflow = NULL;
+    }
+    ctx->adLen = 0;
+    if (freeit) {
+        PORT_Free(ctx);
+    }
+}
+
+static SECStatus
+sftk_ChaCha20Poly1305_Encrypt(const SFTKChaCha20Poly1305Info *ctx,
+                              unsigned char *output, unsigned int *outputLen,
+                              unsigned int maxOutputLen,
+                              const unsigned char *input, unsigned int inputLen)
+{
+    const unsigned char *ad = ctx->adOverflow;
+
+    if (ad == NULL) {
+        ad = ctx->ad;
+    }
+
+    return ChaCha20Poly1305_Seal(&ctx->freeblCtx, output, outputLen,
+                                 maxOutputLen, input, inputLen, ctx->nonce,
+                                 sizeof(ctx->nonce), ad, ctx->adLen);
+}
+
+static SECStatus
+sftk_ChaCha20Poly1305_Decrypt(const SFTKChaCha20Poly1305Info *ctx,
+                              unsigned char *output, unsigned int *outputLen,
+                              unsigned int maxOutputLen,
+                              const unsigned char *input, unsigned int inputLen)
+{
+    const unsigned char *ad = ctx->adOverflow;
+
+    if (ad == NULL) {
+        ad = ctx->ad;
+    }
+
+    return ChaCha20Poly1305_Open(&ctx->freeblCtx, output, outputLen,
+                                 maxOutputLen, input, inputLen, ctx->nonce,
+                                 sizeof(ctx->nonce), ad, ctx->adLen);
+}
+
 /** NSC_CryptInit initializes an encryption/Decryption operation.
  *
  * Always called by NSC_EncryptInit, NSC_DecryptInit, NSC_WrapKey,NSC_UnwrapKey.
@@ -882,7 +973,6 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
 	    break;
 	}
 	t = (pMechanism->mechanism == CKM_CDMF_ECB) ? NSS_DES : NSS_DES_CBC;
-	if (crv != CKR_OK) break;
 	goto finish_des;
     case CKM_DES_ECB:
 	if (key_type != CKK_DES) {
@@ -1058,6 +1148,34 @@ finish_des:
 	context->destroy = (SFTKDestroy) AES_DestroyContext;
 	break;
 
+    case CKM_NSS_CHACHA20_POLY1305:
+	if (pMechanism->ulParameterLen != sizeof(CK_NSS_AEAD_PARAMS)) {
+	    crv = CKR_MECHANISM_PARAM_INVALID;
+	    break;
+	}
+	context->multi = PR_FALSE;
+	if (key_type != CKK_NSS_CHACHA20) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = sftk_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	context->cipherInfo = sftk_ChaCha20Poly1305_CreateContext(
+		(unsigned char*) att->attrib.pValue, att->attrib.ulValueLen,
+		(CK_NSS_AEAD_PARAMS*) pMechanism->pParameter);
+	sftk_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = sftk_MapCryptError(PORT_GetError());
+	    break;
+	}
+	context->update = (SFTKCipher) (isEncrypt ? sftk_ChaCha20Poly1305_Encrypt :
+					sftk_ChaCha20Poly1305_Decrypt);
+	context->destroy = (SFTKDestroy) sftk_ChaCha20Poly1305_DestroyContext;
+	break;
+
     case CKM_NETSCAPE_AES_KEY_WRAP_PAD:
     	context->doPad = PR_TRUE;
 	/* fall thru */
@@ -3655,6 +3773,10 @@ nsc_SetupBulkKeyGen(CK_MECHANISM_TYPE mechanism, CK_KEY_TYPE *key_type,
 	*key_type = CKK_AES;
 	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
 	break;
+    case CKM_NSS_CHACHA20_KEY_GEN:
+	*key_type = CKK_NSS_CHACHA20;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
     default:
 	PORT_Assert(0);
 	crv = CKR_MECHANISM_INVALID;
@@ -3916,6 +4038,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
     case CKM_SEED_KEY_GEN:
     case CKM_CAMELLIA_KEY_GEN:
     case CKM_AES_KEY_GEN:
+    case CKM_NSS_CHACHA20_KEY_GEN:
 #if NSS_SOFTOKEN_DOES_RC5
     case CKM_RC5_KEY_GEN:
 #endif
@@ -4057,14 +4180,15 @@ jpake1:
      */
     crv = sftk_handleObject(key,session);
     sftk_FreeSession(session);
-    if (sftk_isTrue(key,CKA_SENSITIVE)) {
-	sftk_forceAttribute(key,CKA_ALWAYS_SENSITIVE,&cktrue,sizeof(CK_BBOOL));
+    if (crv == CKR_OK && sftk_isTrue(key,CKA_SENSITIVE)) {
+	crv = sftk_forceAttribute(key,CKA_ALWAYS_SENSITIVE,&cktrue,sizeof(CK_BBOOL));
     }
-    if (!sftk_isTrue(key,CKA_EXTRACTABLE)) {
-	sftk_forceAttribute(key,CKA_NEVER_EXTRACTABLE,&cktrue,sizeof(CK_BBOOL));
+    if (crv == CKR_OK && !sftk_isTrue(key,CKA_EXTRACTABLE)) {
+	crv = sftk_forceAttribute(key,CKA_NEVER_EXTRACTABLE,&cktrue,sizeof(CK_BBOOL));
     }
-
+    if (crv == CKR_OK) {
 	*phKey = key->handle;
+    }
     sftk_FreeObject(key);
     return crv;
 }
@@ -4863,30 +4987,27 @@ ecgn_done:
 	return crv;
     }
     if (sftk_isTrue(privateKey,CKA_SENSITIVE)) {
-	sftk_forceAttribute(privateKey,CKA_ALWAYS_SENSITIVE,
+	crv = sftk_forceAttribute(privateKey,CKA_ALWAYS_SENSITIVE,
 						&cktrue,sizeof(CK_BBOOL));
     }
-    if (sftk_isTrue(publicKey,CKA_SENSITIVE)) {
-	sftk_forceAttribute(publicKey,CKA_ALWAYS_SENSITIVE,
+    if (crv == CKR_OK && sftk_isTrue(publicKey,CKA_SENSITIVE)) {
+	crv = sftk_forceAttribute(publicKey,CKA_ALWAYS_SENSITIVE,
 						&cktrue,sizeof(CK_BBOOL));
     }
-    if (!sftk_isTrue(privateKey,CKA_EXTRACTABLE)) {
-	sftk_forceAttribute(privateKey,CKA_NEVER_EXTRACTABLE,
+    if (crv == CKR_OK && !sftk_isTrue(privateKey,CKA_EXTRACTABLE)) {
+	crv = sftk_forceAttribute(privateKey,CKA_NEVER_EXTRACTABLE,
 						&cktrue,sizeof(CK_BBOOL));
     }
-    if (!sftk_isTrue(publicKey,CKA_EXTRACTABLE)) {
-	sftk_forceAttribute(publicKey,CKA_NEVER_EXTRACTABLE,
+    if (crv == CKR_OK && !sftk_isTrue(publicKey,CKA_EXTRACTABLE)) {
+	crv = sftk_forceAttribute(publicKey,CKA_NEVER_EXTRACTABLE,
 						&cktrue,sizeof(CK_BBOOL));
     }
 
+    if (crv == CKR_OK) {
 	/* Perform FIPS 140-2 pairwise consistency check. */
 	crv = sftk_PairwiseConsistencyCheck(hSession,
 					    publicKey, privateKey, key_type);
 	if (crv != CKR_OK) {
-	NSC_DestroyObject(hSession,publicKey->handle);
-	sftk_FreeObject(publicKey);
-	NSC_DestroyObject(hSession,privateKey->handle);
-	sftk_FreeObject(privateKey);
 	    if (sftk_audit_enabled) {
 		char msg[128];
 		PR_snprintf(msg,sizeof msg,
@@ -4899,6 +5020,14 @@ ecgn_done:
 	    }
 	    return crv;
 	}
+    }
+
+    if (crv != CKR_OK) {
+	NSC_DestroyObject(hSession,publicKey->handle);
+	sftk_FreeObject(publicKey);
+	NSC_DestroyObject(hSession,privateKey->handle);
+	sftk_FreeObject(privateKey);
+    }
 
     *phPrivateKey = privateKey->handle;
     *phPublicKey = publicKey->handle;

security/nss/lib/softoken/pkcs11i.h

@@ -14,6 +14,7 @@
 #include "pkcs11t.h"
 
 #include "sftkdbt.h" 
+#include "chacha20poly1305.h"
 #include "hasht.h"
 
 /* 
@@ -104,6 +105,7 @@ typedef struct SFTKHashSignInfoStr SFTKHashSignInfo;
 typedef struct SFTKOAEPEncryptInfoStr SFTKOAEPEncryptInfo;
 typedef struct SFTKOAEPDecryptInfoStr SFTKOAEPDecryptInfo;
 typedef struct SFTKSSLMACInfoStr SFTKSSLMACInfo;
+typedef struct SFTKChaCha20Poly1305InfoStr SFTKChaCha20Poly1305Info;
 typedef struct SFTKItemTemplateStr SFTKItemTemplate;
 
 /* define function pointer typdefs for pointer tables */
@@ -399,6 +401,16 @@ struct SFTKSSLMACInfoStr {
     unsigned int	keySize;
 };
 
+/* SFTKChaCha20Poly1305Info saves the key, tag length, nonce,
+ * and additional data for a ChaCha20+Poly1305 AEAD operation. */
+struct SFTKChaCha20Poly1305InfoStr {
+    ChaCha20Poly1305Context freeblCtx;
+    unsigned char nonce[12];
+    unsigned char ad[16];
+    unsigned char *adOverflow;
+    unsigned int adLen;
+};
+
 /*
  * Template based on SECItems, suitable for passing as arrays
  */

security/nss/lib/ssl/SSLerrs.h

@@ -50,7 +50,6 @@ ER3(SSL_ERROR_POST_WARNING,				SSL_ERROR_BASE + 13,
 ER3(SSL_ERROR_SSL2_DISABLED, (SSL_ERROR_BASE + 14),
     "Peer only supports SSL version 2, which is locally disabled.")
 
-
 ER3(SSL_ERROR_BAD_MAC_READ, (SSL_ERROR_BASE + 15),
     "SSL received a record with an incorrect Message Authentication Code.")
 
@@ -220,7 +219,6 @@ ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT        , (SSL_ERROR_BASE + 63),
 ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT, (SSL_ERROR_BASE + 64),
     "SSL peer had some unspecified issue with the certificate it received.")
 
-
 ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE, (SSL_ERROR_BASE + 65),
     "SSL experienced a failure of its random number generator.")
 
@@ -454,7 +452,7 @@ ER3(SSL_ERROR_RX_MALFORMED_DHE_KEY_SHARE, (SSL_ERROR_BASE + 141),
     "SSL received a malformed DHE key share handshake extension.")
 
 ER3(SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS, (SSL_ERROR_BASE + 142),
-"SSL received a malformed Encrypted Extensions handshake message.")
+    "SSL received an unexpected Encrypted Extensions handshake message.")
 
 ER3(SSL_ERROR_MISSING_EXTENSION_ALERT, (SSL_ERROR_BASE + 143),
     "SSL received a missing_extenson alert.")
@@ -464,3 +462,6 @@ ER3(SSL_ERROR_KEY_EXCHANGE_FAILURE, (SSL_ERROR_BASE + 144),
 
 ER3(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION, (SSL_ERROR_BASE + 145),
     "SSL received an extension that is not permitted for this version.")
+
+ER3(SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS, (SSL_ERROR_BASE + 146),
+    "SSL received a malformed Encrypted Extensions handshake message.")

security/nss/lib/ssl/authcert.c

@@ -45,11 +45,13 @@ NSS_GetClientAuthData(void *                       arg,
             privkey = PK11_FindKeyByAnyCert(cert, proto_win);
             if (privkey) {
                 rv = SECSuccess;
-      } else {
+            }
+            else {
                 CERT_DestroyCertificate(cert);
             }
         }
-  } else { /* no name given, automatically find the right cert. */
+    }
+    else { /* no name given, automatically find the right cert. */
         CERTCertNicknames *names;
         int i;
 
@@ -70,7 +72,8 @@ NSS_GetClientAuthData(void *                       arg,
                 }
                 rv = NSS_CmpCertChainWCANames(cert, caNames);
                 if (rv == SECSuccess) {
-	  privkey = PK11_FindKeyByAnyCert(cert, proto_win);
+                    privkey =
+                        PK11_FindKeyByAnyCert(cert, proto_win);
                     if (privkey)
                         break;
                 }
@@ -86,4 +89,3 @@ NSS_GetClientAuthData(void *                       arg,
     }
     return rv;
 }
-

security/nss/lib/ssl/cmpcert.c

@@ -52,7 +52,8 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
         if (rv == SECSuccess) {
             compatIssuerName.data = &issuerName.data[headerlen];
             compatIssuerName.len = issuerName.len - headerlen;
-    } else {
+        }
+        else {
             compatIssuerName.data = NULL;
             compatIssuerName.len = 0;
         }
@@ -63,21 +64,23 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
                 rv = SECSuccess;
                 CERT_DestroyCertificate(curcert);
                 goto done;
-      } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
+            }
+            else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
                 rv = SECSuccess;
                 CERT_DestroyCertificate(curcert);
                 goto done;
             }
         }
         if ((depth <= 20) &&
-	 ( SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject)
-	   != SECEqual ) ) {
+            (SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject) !=
+             SECEqual)) {
             oldcert = curcert;
             curcert = CERT_FindCertByName(curcert->dbhandle,
                                           &curcert->derIssuer);
             CERT_DestroyCertificate(oldcert);
             depth++;
-    } else {
+        }
+        else {
             CERT_DestroyCertificate(curcert);
             curcert = NULL;
         }
@@ -87,4 +90,3 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
 done:
     return rv;
 }
-

security/nss/lib/ssl/derive.c

@@ -62,7 +62,6 @@ static const char * const mixers[NUM_MIXERS] = {
     "IIIIIIIII"
 };
 
-
 SECStatus
 ssl3_KeyAndMacDeriveBypass(
     ssl3CipherSpec *pwSpec,
@@ -161,7 +160,8 @@ ssl3_KeyAndMacDeriveBypass(
         if (isTLS12) {
             status = TLS_P_hash(HASH_AlgSHA256, &pwSpec->msItem,
                                 "key expansion", &srcr, &keyblk, isFIPS);
-	} else {
+        }
+        else {
             status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk,
                              isFIPS);
         }
@@ -169,7 +169,8 @@ ssl3_KeyAndMacDeriveBypass(
             goto key_and_mac_derive_fail;
         }
         block_bytes = keyblk.len;
-    } else {
+    }
+    else {
        /* key_block =
         *     MD5(master_secret + SHA('A' + master_secret +
         *                      ServerHello.random + ClientHello.random)) +
@@ -235,7 +236,8 @@ ssl3_KeyAndMacDeriveBypass(
                     "Client Write IV (MAC only)");
         buildSSLKey(NULL, 0, &pwSpec->server.write_iv_item, \
                     "Server Write IV (MAC only)");
-    } else if (!isExport) {
+    }
+    else if (!isExport) {
         /*
         ** Generate Domestic write keys and IVs.
         ** client_write_key[CipherSpec.key_material]
@@ -261,7 +263,8 @@ ssl3_KeyAndMacDeriveBypass(
                 buildSSLKey(&zero_block[0], IVSize, \
                             &pwSpec->server.write_iv_item, \
                             "Domestic Server Write IV");
-	    } else {
+            }
+            else {
                 /*
                 ** client_write_IV[CipherSpec.IV_size]
                 */
@@ -280,7 +283,8 @@ ssl3_KeyAndMacDeriveBypass(
             }
         }
         PORT_Assert(i <= block_bytes);
-    } else if (!isTLS) { 
+    }
+    else if (!isTLS) {
         /*
         ** Generate SSL3 Export write keys and IVs.
         */
@@ -340,7 +344,8 @@ ssl3_KeyAndMacDeriveBypass(
         }
 
         PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block);
-    } else {
+    }
+    else {
         /*
         ** Generate TLS Export write keys and IVs.
         */
@@ -425,7 +430,6 @@ key_and_mac_derive_fail:
     return rv;
 }
 
-
 /* derive the Master Secret from the PMS */
 /* Presently, this is only done wtih RSA PMS, and only on the server side,
  * so isRSA is always true.
@@ -481,13 +485,15 @@ ssl3_MasterSecretDeriveBypass(
         if (isTLS12) {
             rv = TLS_P_hash(HASH_AlgSHA256, pms, "master secret", &crsr,
                             &master, isFIPS);
-	} else {
+        }
+        else {
             rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS);
         }
         if (rv != SECSuccess) {
             PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
         }
-    } else {
+    }
+    else {
         int i;
         unsigned int made = 0;
         for (i = 0; i < 3; i++) {
@@ -523,7 +529,8 @@ ssl3_MasterSecretDeriveBypass(
 
 static SECStatus
 ssl_canExtractMS(PK11SymKey *pms, PRBool isTLS, PRBool isDH, PRBool *pcbp)
-{   SECStatus	      rv;
+{
+    SECStatus rv;
     PK11SymKey *ms = NULL;
     SECItem params = { siBuffer, NULL, 0 };
     CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
@@ -539,13 +546,18 @@ ssl_canExtractMS(PK11SymKey *pms, PRBool isTLS, PRBool isDH, PRBool *pcbp)
     PORT_Memset(rand, 0, SSL3_RANDOM_LENGTH);
 
     if (isTLS) {
-	if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
-	else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
+        if (isDH)
+            master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
+        else
+            master_derive = CKM_TLS_MASTER_KEY_DERIVE;
         key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
         keyFlags = CKF_SIGN | CKF_VERIFY;
-    } else {
-	if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
-	else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
+    }
+    else {
+        if (isDH)
+            master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
+        else
+            master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
         key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
         keyFlags = 0;
     }
@@ -569,7 +581,6 @@ ssl_canExtractMS(PK11SymKey *pms, PRBool isTLS, PRBool isDH, PRBool *pcbp)
     PK11_FreeSymKey(ms);
 
     return (rv);
-
 }
 #endif /* !NO_PKCS11_BYPASS */
 
@@ -639,8 +650,8 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
      */
     for (i = 0; i < nsuites && (suite = *ciphersuites++) != 0; i++) {
         /* skip SSL2 cipher suites and ones NSS doesn't support */
-	if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess
-	    || SSL_IS_SSL2_CIPHER(suite) )
+        if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess ||
+            SSL_IS_SSL2_CIPHER(suite))
             continue;
         switch (csdef.keaType) {
             case ssl_kea_rsa:
@@ -678,7 +689,8 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
         if (protocolmask & SSL_CBP_SSL3) {
             isTLS = PR_FALSE;
             protocolmask ^= SSL_CBP_SSL3;
-	} else {
+        }
+        else {
             isTLS = PR_TRUE;
             protocolmask ^= SSL_CBP_TLS1_0;
         }
@@ -688,7 +700,8 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
                 *pcanbypass = PR_FALSE;
                 rv = SECSuccess;
                 break;
-	    } else
+            }
+            else
                 testrsa = PR_TRUE;
         }
         for (; privKeytype == rsaKey && testrsa;) {
@@ -768,7 +781,8 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
             if (privKeytype == ecKey && testecdhe) {
                 /* TLS_ECDHE_ECDSA */
                 pecParams = &srvPubkey->u.ec.DEREncodedParams;
-	    } else if (privKeytype == rsaKey && testecdhe) {
+            }
+            else if (privKeytype == rsaKey && testecdhe) {
                 /* TLS_ECDHE_RSA */
                 ECName ec_curve;
                 int serverKeyStrengthInBits;
@@ -816,7 +830,8 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
                     rv = SECFailure;
                     break;
                 }
-	    } else {
+            }
+            else {
                 /* TLS_ECDH_ECDSA */
                 keapub = srvPubkey;
                 keapriv = srvPrivkey;
@@ -889,8 +904,6 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
         srvPubkey = NULL;
     }
 
-
     return rv;
 #endif /* NO_PKCS11_BYPASS */
 }
-

security/nss/lib/ssl/dtlscon.c

@@ -263,9 +263,9 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
          * If it's the complete next message we accept it right away.
          * This is the common case for short messages
          */
-        if ((message_seq == ss->ssl3.hs.recvMessageSeq)
-            && (fragment_offset == 0)
-            && (fragment_length == message_length)) {
+        if ((message_seq == ss->ssl3.hs.recvMessageSeq) &&
+            (fragment_offset == 0) &&
+            (fragment_length == message_length)) {
             /* Complete next message. Process immediately */
             ss->ssl3.hs.msg_type = (SSL3HandshakeType)type;
             ss->ssl3.hs.msg_len = message_length;
@@ -287,13 +287,15 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
                 /* Do not attempt to process rest of messages in this record */
                 break;
             }
-        } else {
+        }
+        else {
             if (message_seq < ss->ssl3.hs.recvMessageSeq) {
                 /* Case 3: we do an immediate retransmit if we're
                  * in a waiting state*/
                 if (ss->ssl3.hs.rtTimerCb == NULL) {
                     /* Ignore */
-                } else if (ss->ssl3.hs.rtTimerCb ==
+                }
+                else if (ss->ssl3.hs.rtTimerCb ==
                          dtls_RetransmitTimerExpiredCb) {
                     SSL_TRC(30, ("%d: SSL3[%d]: Retransmit detected",
                                  SSL_GETPID(), ss->fd));
@@ -314,14 +316,16 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
                         dtls_RetransmitTimerExpiredCb(ss);
                         rv = SECSuccess;
                         break;
-                        } else {
+                    }
+                    else {
                         SSL_TRC(30,
                                 ("%d: SSL3[%d]: We just retransmitted. Ignoring.",
                                  SSL_GETPID(), ss->fd));
                         rv = SECSuccess;
                         break;
                     }
-                } else if (ss->ssl3.hs.rtTimerCb == dtls_FinishedTimerCb) {
+                }
+                else if (ss->ssl3.hs.rtTimerCb == dtls_FinishedTimerCb) {
                     /* Retransmit the messages and re-arm the timer
                      * Note that we are not backing off the timer here.
                      * The spec isn't clear and my reasoning is that this
@@ -336,7 +340,8 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
                         return rv;
                     break;
                 }
-            } else if (message_seq > ss->ssl3.hs.recvMessageSeq) {
+            }
+            else if (message_seq > ss->ssl3.hs.recvMessageSeq) {
                 /* Case 2
                  *
                  * Ignore this message. This means we don't handle out of
@@ -345,7 +350,8 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
                  *
                  * XXX OK for now. Maybe do something smarter at some point?
                  */
-            } else {
+            }
+            else {
                 /* Case 1
                  *
                  * Buffer the fragment for reassembly
@@ -404,7 +410,8 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
                      * fragment */
                     ss->ssl3.hs.recvdHighWater = fragment_offset +
                                                  fragment_length;
-                } else {
+                }
+                else {
                     for (offset = fragment_offset;
                          offset < fragment_offset + fragment_length;
                          offset++) {
@@ -422,7 +429,8 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
                     if (ss->ssl3.hs.recvdFragments.buf[OFFSET_BYTE(offset)] &
                         OFFSET_MASK(offset)) {
                         ss->ssl3.hs.recvdHighWater++;
-                    } else {
+                    }
+                    else {
                         break;
                     }
                 }
@@ -468,7 +476,8 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
  *              dtls_StageHandshakeMessage()
  *              ssl3_SendChangeCipherSpecs()
  */
-SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
+SECStatus
+dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
                   const SSL3Opaque *pIn, PRInt32 nIn)
 {
     SECStatus rv = SECSuccess;
@@ -482,7 +491,8 @@ SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
     if (!msg) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         rv = SECFailure;
-    } else {
+    }
+    else {
         PR_APPEND_LINK(&msg->link, &ss->ssl3.hs.lastMessageFlight);
     }
 
@@ -649,7 +659,8 @@ dtls_TransmitMessageFlight(sslSocket *ss)
             }
 
             room_left = ss->ssl3.mtu - ss->pendingBuf.len;
-        } else {
+        }
+        else {
             /* The message will not fit, so fragment.
              *
              * XXX OK for now. Arrange to coalesce the last fragment
@@ -752,8 +763,8 @@ dtls_TransmitMessageFlight(sslSocket *ss)
  *
  * Called from dtls_TransmitMessageFlight()
  */
-static
-SECStatus dtls_SendSavedWriteData(sslSocket *ss)
+static SECStatus
+dtls_SendSavedWriteData(sslSocket *ss)
 {
     PRInt32 sent;
 
@@ -814,7 +825,8 @@ dtls_CompressMACEncryptRecord(sslSocket *        ss,
             cwSpec = ss->ssl3.pwSpec;
         else
             cwSpec = NULL;
-    } else {
+    }
+    else {
         cwSpec = ss->ssl3.cwSpec;
     }
 
@@ -823,10 +835,12 @@ dtls_CompressMACEncryptRecord(sslSocket *        ss,
             rv = ssl3_CompressMACEncryptRecord(cwSpec, ss->sec.isServer, PR_TRUE,
                                                PR_FALSE, type, pIn, contentLen,
                                                wrBuf);
-        } else {
+        }
+        else {
             rv = tls13_ProtectRecord(ss, type, pIn, contentLen, wrBuf);
         }
-    } else {
+    }
+    else {
         PR_NOT_REACHED("Couldn't find a cipher spec matching epoch");
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
     }
@@ -1017,7 +1031,6 @@ dtls_HandleHelloVerifyRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     PORT_Memcpy(ss->ssl3.hs.cookie, cookie.data, cookie.len);
     ss->ssl3.hs.cookieLen = cookie.len;
 
-
     ssl_GetXmitBufLock(ss); /*******************************/
 
     /* Now re-send the client hello */
@@ -1147,7 +1160,8 @@ DTLS_GetHandshakeTimeout(PRFileDesc *socket, PRIntervalTime *timeout)
     if (elapsed > desired) {
         /* Timer expired */
         *timeout = PR_INTERVAL_NO_WAIT;
-    } else {
+    }
+    else {
         *timeout = desired - elapsed;
     }
 
@@ -1175,7 +1189,8 @@ dtls_IsRelevant(sslSocket *ss, const ssl3CipherSpec *crSpec,
 
     if (crSpec->epoch != epoch) {
         SSL_DBG(("%d: SSL3[%d]: dtls_IsRelevant, received packet "
-                 "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch));
+                 "from irrelevant epoch %d",
+                 SSL_GETPID(), ss->fd, epoch));
         return PR_FALSE;
     }
 
@@ -1184,7 +1199,8 @@ dtls_IsRelevant(sslSocket *ss, const ssl3CipherSpec *crSpec,
 
     if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num) != 0) {
         SSL_DBG(("%d: SSL3[%d]: dtls_IsRelevant, rejecting "
-                 "potentially replayed packet", SSL_GETPID(), ss->fd));
+                 "potentially replayed packet",
+                 SSL_GETPID(), ss->fd));
         return PR_FALSE;
     }
 

security/nss/lib/ssl/os2_err.c

@@ -15,7 +15,6 @@
 #include "prlog.h"
 #include <errno.h>
 
-
 /*
  * Based on win32err.c
  * OS2TODO Stub everything for now to build. HCT
@@ -24,79 +23,94 @@
 /* forward declaration. */
 void nss_MD_os2_map_default_error(PRInt32 err);
 
-void nss_MD_os2_map_opendir_error(PRInt32 err)
+void
+nss_MD_os2_map_opendir_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_closedir_error(PRInt32 err)
+void
+nss_MD_os2_map_closedir_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_readdir_error(PRInt32 err)
+void
+nss_MD_os2_map_readdir_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_delete_error(PRInt32 err)
+void
+nss_MD_os2_map_delete_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
 /* The error code for stat() is in errno. */
-void nss_MD_os2_map_stat_error(PRInt32 err)
+void
+nss_MD_os2_map_stat_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_fstat_error(PRInt32 err)
+void
+nss_MD_os2_map_fstat_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_rename_error(PRInt32 err)
+void
+nss_MD_os2_map_rename_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
 /* The error code for access() is in errno. */
-void nss_MD_os2_map_access_error(PRInt32 err)
+void
+nss_MD_os2_map_access_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_mkdir_error(PRInt32 err)
+void
+nss_MD_os2_map_mkdir_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_rmdir_error(PRInt32 err)
+void
+nss_MD_os2_map_rmdir_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_read_error(PRInt32 err)
+void
+nss_MD_os2_map_read_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_transmitfile_error(PRInt32 err)
+void
+nss_MD_os2_map_transmitfile_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_write_error(PRInt32 err)
+void
+nss_MD_os2_map_write_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_lseek_error(PRInt32 err)
+void
+nss_MD_os2_map_lseek_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_fsync_error(PRInt32 err)
+void
+nss_MD_os2_map_fsync_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
@@ -104,132 +118,164 @@ void nss_MD_os2_map_fsync_error(PRInt32 err)
 /*
  * For both CloseHandle() and closesocket().
  */
-void nss_MD_os2_map_close_error(PRInt32 err)
+void
+nss_MD_os2_map_close_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_socket_error(PRInt32 err)
+void
+nss_MD_os2_map_socket_error(PRInt32 err)
 {
     //  PR_ASSERT(err != WSANOTINITIALISED);
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_recv_error(PRInt32 err)
+void
+nss_MD_os2_map_recv_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_recvfrom_error(PRInt32 err)
+void
+nss_MD_os2_map_recvfrom_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_send_error(PRInt32 err)
+void
+nss_MD_os2_map_send_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
       //     case WSAEMSGSIZE:  prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
+        default:
+            nss_MD_os2_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_os2_map_sendto_error(PRInt32 err)
+void
+nss_MD_os2_map_sendto_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
         //    case WSAEMSGSIZE:     prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
+        default:
+            nss_MD_os2_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_os2_map_accept_error(PRInt32 err)
+void
+nss_MD_os2_map_accept_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
         //    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
         //    case WSAEINVAL:   prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
+        default:
+            nss_MD_os2_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_os2_map_acceptex_error(PRInt32 err)
+void
+nss_MD_os2_map_acceptex_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_connect_error(PRInt32 err)
+void
+nss_MD_os2_map_connect_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
         //    case WSAEWOULDBLOCK: prError = PR_IN_PROGRESS_ERROR; break;
         //    case WSAEINVAL:   prError = PR_ALREADY_INITIATED_ERROR; break;
         //    case WSAETIMEDOUT:    prError = PR_IO_TIMEOUT_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
+        default:
+            nss_MD_os2_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_os2_map_bind_error(PRInt32 err)
+void
+nss_MD_os2_map_bind_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
         //  case WSAEINVAL:     prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
+        default:
+            nss_MD_os2_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_os2_map_listen_error(PRInt32 err)
+void
+nss_MD_os2_map_listen_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
         //    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
         //    case WSAEINVAL:   prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
+        default:
+            nss_MD_os2_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_os2_map_shutdown_error(PRInt32 err)
+void
+nss_MD_os2_map_shutdown_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_getsockname_error(PRInt32 err)
+void
+nss_MD_os2_map_getsockname_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
         //    case WSAEINVAL:   prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
+        default:
+            nss_MD_os2_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_os2_map_getpeername_error(PRInt32 err)
+void
+nss_MD_os2_map_getpeername_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_getsockopt_error(PRInt32 err)
+void
+nss_MD_os2_map_getsockopt_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_setsockopt_error(PRInt32 err)
+void
+nss_MD_os2_map_setsockopt_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_open_error(PRInt32 err)
+void
+nss_MD_os2_map_open_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-void nss_MD_os2_map_gethostname_error(PRInt32 err)
+void
+nss_MD_os2_map_gethostname_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
@@ -237,24 +283,27 @@ void nss_MD_os2_map_gethostname_error(PRInt32 err)
 /* Win32 select() only works on sockets.  So in this
 ** context, WSAENOTSOCK is equivalent to EBADF on Unix.
 */
-void nss_MD_os2_map_select_error(PRInt32 err)
+void
+nss_MD_os2_map_select_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
         //    case WSAENOTSOCK: prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
+        default:
+            nss_MD_os2_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_os2_map_lockf_error(PRInt32 err)
+void
+nss_MD_os2_map_lockf_error(PRInt32 err)
 {
     nss_MD_os2_map_default_error(err);
 }
 
-
-
-void nss_MD_os2_map_default_error(PRInt32 err)
+void
+nss_MD_os2_map_default_error(PRInt32 err)
 {
     PRErrorCode prError;
 
@@ -273,8 +322,9 @@ void nss_MD_os2_map_default_error(PRInt32 err)
 #if ERROR_FILE_NOT_FOUND != ENOENT
 //    case ERROR_FILE_NOT_FOUND:    prError = PR_FILE_NOT_FOUND_ERROR; break;
 #endif
-    default: 			prError = PR_UNKNOWN_ERROR; break;
+        default:
+            prError = PR_UNKNOWN_ERROR;
+            break;
     }
     PR_SetError(prError, err);
 }
-

security/nss/lib/ssl/preenc.h

@@ -59,16 +59,18 @@ struct PERSAKeyHeaderStr {
 
 #define PEFIXED_Label(header) (header->data)
 #define PEFIXED_KeyID(header) (&header->data[GetInt2(header->labelLen)])
-#define PEFIXED_IV(header) (&header->data[GetInt2(header->labelLen)\
-						+GetInt2(header->keyIDLen)])
-#define PEFIXED_Key(header) (&header->data[GetInt2(header->labelLen)\
-			+GetInt2(header->keyIDLen)+GetInt2(header->keyLen)])
+#define PEFIXED_IV(header) (&header->data[GetInt2(header->labelLen) + \
+                                          GetInt2(header->keyIDLen)])
+#define PEFIXED_Key(header) (&header->data[GetInt2(header->labelLen) + \
+                                           GetInt2(header->keyIDLen) + \
+                                           GetInt2(header->keyLen)])
 #define PERSA_Issuer(header) (header->data)
 #define PERSA_Serial(header) (&header->data[GetInt2(header->issuerLen)])
-#define PERSA_IV(header) (&header->data[GetInt2(header->issuerLen)\
-						+GetInt2(header->serialLen)])
-#define PERSA_Key(header) (&header->data[GetInt2(header->issuerLen)\
-			+GetInt2(header->serialLen)+GetInt2(header->keyLen)])
+#define PERSA_IV(header) (&header->data[GetInt2(header->issuerLen) + \
+                                        GetInt2(header->serialLen)])
+#define PERSA_Key(header) (&header->data[GetInt2(header->issuerLen) + \
+                                         GetInt2(header->serialLen) + \
+                                         GetInt2(header->keyLen)])
 struct PEHeaderStr {
     unsigned char magic[2];
     unsigned char len[2];
@@ -88,10 +90,9 @@ struct PEHeaderStr {
 
 #define PRE_BLOCK_SIZE 8
 
-
 #define GetInt2(c) ((c[0] << 8) | c[1])
-#define GetInt4(c) (((unsigned long)c[0] << 24)|((unsigned long)c[1] << 16)\
-			|((unsigned long)c[2] << 8)| ((unsigned long)c[3]))
+#define GetInt4(c) (((unsigned long)c[0] << 24) | ((unsigned long)c[1] << 16) | \
+                    ((unsigned long)c[2] << 8) | ((unsigned long)c[3]))
 #define PutInt2(c, i) ((c[1] = (i)&0xff), (c[0] = ((i) >> 8) & 0xff))
 #define PutInt4(c, i) ((c[0] = ((i) >> 24) & 0xff), (c[1] = ((i) >> 16) & 0xff), \
                        (c[2] = ((i) >> 8) & 0xff), (c[3] = (i)&0xff))
@@ -110,4 +111,3 @@ PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *,
 
 PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *,
                                        int *headerSize);
-

security/nss/lib/ssl/prelib.c

@@ -17,18 +17,18 @@
 #include "preenc.h"
 #include "pk11func.h"
 
-PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *inHeader, 
+PEHeader *
+SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *inHeader,
                              int *headerSize)
 {
     PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
     return NULL;
 }
 
-PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *header, 
+PEHeader *
+SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *header,
                              int *headerSize)
 {
     PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
     return NULL;
 }
-
-

security/nss/lib/ssl/ssl.def

@@ -194,3 +194,9 @@ SSL_SetSignedCertTimestamps;
 ;+    local:
 ;+*;
 ;+};
+;+NSS_3.23 {    # NSS 3.23 release
+;+    global:
+SSL_SetDowngradeCheckVersion;
+;+    local:
+;+*;
+;+};

security/nss/lib/ssl/ssl.h

@@ -189,7 +189,7 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
  */
 #define SSL_REUSE_SERVER_ECDHE_KEY 27
 
-#define SSL_ENABLE_FALLBACK_SCSV       28 /* Send fallback SCSV in
+#define SSL_ENABLE_FALLBACK_SCSV 28 /* Send fallback SCSV in \
                                      * handshakes. */
 
 /* SSL_ENABLE_SERVER_DHE controls whether DHE is enabled for the server socket.
@@ -679,7 +679,6 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg,
 SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd,
                                                SSLGetClientAuthData f, void *a);
 
-
 /*
 ** SNI extension processing callback function.
 ** It is called when SSL socket receives SNI extension in ClientHello message.
@@ -897,7 +896,6 @@ SSL_IMPORT SECStatus SSL_ReHandshakeWithTimeout(PRFileDesc *fd,
                                                 PRBool flushCache,
                                                 PRIntervalTime timeout);
 
-
 #ifdef SSL_DEPRECATED_FUNCTION
 /* deprecated!
 ** For the server, request a new handshake.  For the client, begin a new
@@ -1031,7 +1029,9 @@ SSL_IMPORT SECStatus NSS_SetFrancePolicy(void);
 SSL_IMPORT SSL3Statistics *SSL_GetStatistics(void);
 
 /* Report more information than SSL_SecurityStatus.
- * Caller supplies the info struct.  This function fills it in.
+ * Caller supplies the info struct.  This function fills it in.  Caller should
+ * pass sizeof(SSLChannelInfo) as the |len| argument.
+ *
  * The information here will be zeroed prior to details being confirmed.  The
  * details are confirmed either when a Finished message is received, or - for a
  * client - when the second flight of messages have been sent.  This function
@@ -1041,8 +1041,9 @@ SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void);
 SSL_IMPORT SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info,
                                         PRUintn len);
 /* Get preliminary information about a channel.
- * This function can be called prior to handshake details being confirmed (see
- * SSL_GetChannelInfo above for what that means).  Thus, information provided by
+ * Caller supplies the info struct.  This function fills it in.  Caller should
+ * pass sizeof(SSLPreliminaryChannelInfo) as the |len| argument.
+ *
  * this function is available to SSLAuthCertificate, SSLGetClientAuthData,
  * SSLSNISocketConfig, and other callbacks that might be called during the
  * processing of the first flight of client of server handshake messages.
@@ -1052,6 +1053,10 @@ SSL_IMPORT SECStatus
 SSL_GetPreliminaryChannelInfo(PRFileDesc *fd,
                               SSLPreliminaryChannelInfo *info,
                               PRUintn len);
+/* Get information about cipher suite with id of |cipherSuite|.
+ * Caller supplies the info struct.  This function fills it in.  Caller should
+ * pass sizeof(SSLCipherSuiteInfo) as the |len| argument.
+ */
 SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite,
                                             SSLCipherSuiteInfo *info, PRUintn len);
 

security/nss/lib/ssl/ssl3ecc.c

@@ -34,21 +34,21 @@
 #ifndef NSS_DISABLE_ECC
 
 #ifndef PK11_SETATTRS
-#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
-                (x)->pValue=(v); (x)->ulValueLen = (l);
+#define PK11_SETATTRS(x, id, v, l) \
+    (x)->type = (id);              \
+    (x)->pValue = (v);             \
+    (x)->ulValueLen = (l);
 #endif
 
 #define SSL_GET_SERVER_PUBLIC_KEY(sock, type)                                          \
-    (ss->serverCerts[type].serverKeyPair ? \
-    ss->serverCerts[type].serverKeyPair->pubKey : NULL)
+    (ss->serverCerts[type].serverKeyPair ? ss->serverCerts[type].serverKeyPair->pubKey \
+                                         : NULL)
 
 #define SSL_IS_CURVE_NEGOTIATED(curvemsk, curveName) \
     ((curveName > ec_noName) &&                      \
      (curveName < ec_pastLastName) &&                \
      ((1UL << curveName) & curvemsk) != 0)
 
-
-
 static SECStatus ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve);
 
 #define supportedCurve(x) (((x) > ec_noName) && ((x) < ec_pastLastName))
@@ -170,8 +170,9 @@ ssl3_ECName2Params(PLArenaPool * arena, ECName curve, SECKEYECParams * params)
         return SECFailure;
     }
 
-    if ( (NSS_GetAlgorithmPolicy(ecName2OIDTag[curve], &policyFlags) 
-		== SECSuccess) && !(policyFlags & NSS_USE_ALG_IN_SSL_KX)) {
+    if ((NSS_GetAlgorithmPolicy(ecName2OIDTag[curve], &policyFlags) ==
+         SECSuccess) &&
+        !(policyFlags & NSS_USE_ALG_IN_SSL_KX)) {
         PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
         return SECFailure;
     }
@@ -210,12 +211,15 @@ ssl3_PubKey2ECName(SECKEYPublicKey *pubKey)
      * representing a named curve. Here, we strip away everything
      * before the actual OID and use the OID to look up a named curve.
      */
-    if (params->data[0] != SEC_ASN1_OBJECT_ID) return ec_noName;
+    if (params->data[0] != SEC_ASN1_OBJECT_ID)
+        return ec_noName;
     oid.len = params->len - 2;
     oid.data = params->data + 2;
-    if ((oidData = SECOID_FindOID(&oid)) == NULL) return ec_noName;
-    if ((NSS_GetAlgorithmPolicy(oidData->offset, &policyFlags)
-		== SECSuccess) && !(policyFlags & NSS_USE_ALG_IN_SSL_KX)) {
+    if ((oidData = SECOID_FindOID(&oid)) == NULL)
+        return ec_noName;
+    if ((NSS_GetAlgorithmPolicy(oidData->offset, &policyFlags) ==
+         SECSuccess) &&
+        !(policyFlags & NSS_USE_ALG_IN_SSL_KX)) {
         return ec_noName;
     }
     for (i = ec_noName + 1; i < ec_pastLastName; i++) {
@@ -248,7 +252,8 @@ ssl3_ComputeECDHKeyHash(SSLHashType hashAlg,
     bufLen = 2 * SSL3_RANDOM_LENGTH + ec_params.len + 1 + server_ecpoint.len;
     if (bufLen <= sizeof buf) {
         hashBuf = buf;
-    } else {
+    }
+    else {
         hashBuf = PORT_Alloc(bufLen);
         if (!hashBuf) {
             return SECFailure;
@@ -281,7 +286,6 @@ ssl3_ComputeECDHKeyHash(SSLHashType hashAlg,
     return rv;
 }
 
-
 /* Called from ssl3_SendClientKeyExchange(). */
 SECStatus
 ssl3_SendECDHClientKeyExchange(sslSocket *ss, SECKEYPublicKey *svrPubKey)
@@ -318,9 +322,11 @@ ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
 
     if (isTLS12) {
         target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
-    } else if (isTLS) {
+    }
+    else if (isTLS) {
         target = CKM_TLS_MASTER_KEY_DERIVE_DH;
-    } else {
+    }
+    else {
         target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
     }
 
@@ -356,7 +362,8 @@ ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
     }
 
     rv = ssl3_InitPendingCipherSpec(ss, pms);
-    PK11_FreeSymKey(pms); pms = NULL;
+    PK11_FreeSymKey(pms);
+    pms = NULL;
 
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
@@ -366,13 +373,15 @@ ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
     rv = SECSuccess;
 
 loser:
-    if(pms) PK11_FreeSymKey(pms);
-    if(privKey) SECKEY_DestroyPrivateKey(privKey);
-    if(pubKey) SECKEY_DestroyPublicKey(pubKey);
+    if (pms)
+        PK11_FreeSymKey(pms);
+    if (privKey)
+        SECKEY_DestroyPrivateKey(privKey);
+    if (pubKey)
+        SECKEY_DestroyPublicKey(pubKey);
     return rv;
 }
 
-
 ECName
 tls13_GroupForECDHEKeyShare(ssl3KeyPair *pair)
 {
@@ -440,9 +449,11 @@ ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b,
 
     if (isTLS12) {
         target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
-    } else if (isTLS) {
+    }
+    else if (isTLS) {
         target = CKM_TLS_MASTER_KEY_DERIVE_DH;
-    } else {
+    }
+    else {
         target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
     }
 
@@ -592,7 +603,8 @@ ssl3_GetCurveNameForServerSocket(sslSocket *ss)
             return ec_noName;
         }
         signatureKeyStrength = curve2bits[ec_curve];
-    } else {
+    }
+    else {
         /* RSA is our signing cert */
         int serverKeyStrengthInBits;
 
@@ -855,7 +867,8 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 
     /* set up EC parameters in peerKey */
     if (ssl3_ECName2Params(arena, ec_params.data[2],
-            &peerKey->u.ec.DEREncodedParams) != SECSuccess) {
+                           &peerKey->u.ec.DEREncodedParams) !=
+        SECSuccess) {
         /* we should never get here since we already
          * checked that we are dealing with a supported curve
          */
@@ -864,8 +877,7 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     }
 
     /* copy publicValue in peerKey */
-    if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue,  &ec_point))
-    {
+    if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue, &ec_point)) {
         goto no_memory;
     }
     peerKey->pkcs11Slot = NULL;
@@ -919,7 +931,8 @@ ssl3_SendECDHServerKeyExchange(
 
     if (ss->opt.reuseServerECDHEKey) {
         rv = ssl3_CreateECDHEphemeralKeys(ss, curve);
-    } else {
+    }
+    else {
         rv = ssl3_CreateECDHEphemeralKeyPair(curve, &ss->ephemeralECDHKeyPair);
     }
     if (rv != SECSuccess) {
@@ -940,7 +953,8 @@ ssl3_SendECDHServerKeyExchange(
         ec_params.data[0] = ec_type_named;
         ec_params.data[1] = 0x00;
         ec_params.data[2] = curve;
-    } else {
+    }
+    else {
         PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
         goto loser;
     }
@@ -1061,6 +1075,7 @@ static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
     0 /* end of list marker */
@@ -1072,6 +1087,7 @@ static const ssl3CipherSuite ecdhe_rsa_suites[] = {
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
     TLS_ECDHE_RSA_WITH_NULL_SHA,
     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
     0 /* end of list marker */
@@ -1084,6 +1100,7 @@ static const ssl3CipherSuite ecSuites[] = {
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
@@ -1091,6 +1108,7 @@ static const ssl3CipherSuite ecSuites[] = {
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
     TLS_ECDHE_RSA_WITH_NULL_SHA,
     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
@@ -1135,7 +1153,8 @@ ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss)
     if (!svrCert) {
         ssl3_DisableECCSuites(ss, ecdh_suites);
         ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
-    } else {
+    }
+    else {
         SECOidTag sigTag = SECOID_GetAlgorithmTag(&svrCert->signature);
 
         switch (sigTag) {
@@ -1244,8 +1263,9 @@ ssl3_SuiteBOnly(sslSocket *ss)
 }
 
 #define APPEND_CURVE(CURVE_ID)                                       \
-    if ((NSS_GetAlgorithmPolicy(ecName2OIDTag[CURVE_ID], &policy) \
-	       == SECFailure) || (policy & NSS_USE_ALG_IN_SSL_KX)) { \
+    if ((NSS_GetAlgorithmPolicy(ecName2OIDTag[CURVE_ID], &policy) == \
+         SECFailure) ||                                              \
+        (policy & NSS_USE_ALG_IN_SSL_KX)) {                          \
         enabledCurves[pos++] = 0;                                    \
         enabledCurves[pos++] = CURVE_ID;                             \
     }
@@ -1275,7 +1295,8 @@ ssl3_SendSupportedCurvesXtn(
             APPEND_CURVE(suiteBECList[i]);
         }
         ecListSize = pos;
-    } else {
+    }
+    else {
         for (i = 0; i < sizeof(tlsECList); i++) {
             APPEND_CURVE(tlsECList[i]);
         }
@@ -1287,7 +1308,6 @@ ssl3_SendSupportedCurvesXtn(
         2 /* elliptic curves length */ +
         ecListSize;
 
-
     if (maxBytes < (PRUint32)extension_length) {
         return 0;
     }
@@ -1323,21 +1343,21 @@ ssl3_GetSupportedECCurveMask(sslSocket *ss)
 
     if (ssl3_SuiteBOnly(ss)) {
         curves = SSL3_SUITE_B_SUPPORTED_CURVES_MASK;
-    } else {
+    }
+    else {
         curves = SSL3_ALL_SUPPORTED_CURVES_MASK;
     }
 
     for (i = ec_noName + 1; i < ec_pastLastName; i++) {
         PRUint32 curve_bit = (1U << i);
         if ((curves & curve_bit) &&
-	   (NSS_GetAlgorithmPolicy(ecName2OIDTag[i], &policyFlags) 
-		== SECSuccess) &&
+            (NSS_GetAlgorithmPolicy(ecName2OIDTag[i], &policyFlags) ==
+             SECSuccess) &&
             !(policyFlags & NSS_USE_ALG_IN_SSL_KX)) {
             curves &= ~curve_bit;
         }
     }
     return curves;
-	
 }
 
 /* Send our "canned" (precompiled) Supported Point Formats extension,
@@ -1392,13 +1412,13 @@ ssl3_HandleSupportedPointFormatsXtn(sslSocket *ss, PRUint16 ex_type,
     return SECSuccess;
 }
 
-
 #define SSL3_GET_SERVER_PUBLICKEY(sock, type)                                          \
-    (ss->serverCerts[type].serverKeyPair ? \
-    ss->serverCerts[type].serverKeyPair->pubKey : NULL)
+    (ss->serverCerts[type].serverKeyPair ? ss->serverCerts[type].serverKeyPair->pubKey \
+                                         : NULL)
 
 /* Extract the TLS curve name for the public key in our EC server cert. */
-ECName ssl3_GetSvrCertCurveName(sslSocket *ss)
+ECName
+ssl3_GetSvrCertCurveName(sslSocket *ss)
 {
     SECKEYPublicKey *srvPublicKey;
     ECName ec_curve = ec_noName;

security/nss/lib/ssl/ssl3ext.c

@@ -160,7 +160,8 @@ ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize)
     return rv;
 }
 
-static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData)
+static SECStatus
+ssl3_SessionTicketShutdown(void *appData, void *nssData)
 {
     if (session_ticket_enc_key_pkcs11) {
         PK11_FreeSymKey(session_ticket_enc_key_pkcs11);
@@ -175,7 +176,6 @@ static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData)
     return SECSuccess;
 }
 
-
 static PRStatus
 ssl3_GenerateSessionTicketKeysPKCS11(void *data)
 {
@@ -214,7 +214,8 @@ ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key,
                                 PK11SymKey **mac_key)
 {
     if (PR_CallOnceWithArg(&generate_session_keys_once,
-            ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
+                           ssl3_GenerateSessionTicketKeysPKCS11, ss) !=
+        PR_SUCCESS)
         return SECFailure;
 
     if (session_ticket_enc_key_pkcs11 == NULL ||
@@ -315,8 +316,8 @@ static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = {
  * The server's table of hello senders is dynamic, in the socket struct,
  * and sender functions are registered there.
  */
-static const
-ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
+static const ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] =
+    {
       { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
       { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
 #ifndef NSS_DISABLE_ECC
@@ -336,8 +337,8 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
       /* any extra entries will appear as { 0, NULL }    */
     };
 
-static const
-ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = {
+static const ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] =
+    {
       { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }
       /* any extra entries will appear as { 0, NULL }    */
     };
@@ -354,14 +355,16 @@ arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type)
 }
 
 PRBool
-ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) {
+ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type)
+{
     TLSExtensionData *xtnData = &ss->xtnData;
     return arrayContainsExtension(xtnData->negotiated,
                                   xtnData->numNegotiated, ex_type);
 }
 
 static PRBool
-ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) {
+ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type)
+{
     TLSExtensionData *xtnData = &ss->xtnData;
     return arrayContainsExtension(xtnData->advertised,
                                   xtnData->numAdvertised, ex_type);
@@ -394,19 +397,24 @@ ssl3_SendServerNameXtn(sslSocket * ss, PRBool append,
         if (append && maxBytes >= len + 9) {
             /* extension_type */
             rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
-            if (rv != SECSuccess) return -1;
+            if (rv != SECSuccess)
+                return -1;
             /* length of extension_data */
             rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2);
-            if (rv != SECSuccess) return -1;
+            if (rv != SECSuccess)
+                return -1;
             /* length of server_name_list */
             rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2);
-            if (rv != SECSuccess) return -1;
+            if (rv != SECSuccess)
+                return -1;
             /* Name Type (sni_host_name) */
             rv = ssl3_AppendHandshake(ss, "\0", 1);
-            if (rv != SECSuccess) return -1;
+            if (rv != SECSuccess)
+                return -1;
             /* HostName (length and value) */
             rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2);
-            if (rv != SECSuccess) return -1;
+            if (rv != SECSuccess)
+                return -1;
             if (!ss->sec.isServer) {
                 TLSExtensionData *xtnData = &ss->xtnData;
                 xtnData->advertised[xtnData->numAdvertised++] =
@@ -418,10 +426,12 @@ ssl3_SendServerNameXtn(sslSocket * ss, PRBool append,
     /* Server side */
     if (append && maxBytes >= 4) {
         rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
-        if (rv != SECSuccess)  return -1;
+        if (rv != SECSuccess)
+            return -1;
         /* length of extension_data */
         rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
-        if (rv != SECSuccess) return -1;
+        if (rv != SECSuccess)
+            return -1;
     }
     return 4;
 }
@@ -560,10 +570,12 @@ ssl3_SendSessionTicketXtn(
         if (session_ticket->ticket.data) {
             if (ss->xtnData.ticketTimestampVerified) {
                 extension_length += session_ticket->ticket.len;
-            } else if (!append &&
+            }
+            else if (!append &&
                      (session_ticket->ticket_lifetime_hint == 0 ||
                       (session_ticket->ticket_lifetime_hint +
-                    session_ticket->received_timestamp > ssl_Time()))) {
+                           session_ticket->received_timestamp >
+                       ssl_Time()))) {
                 extension_length += session_ticket->ticket.len;
                 ss->xtnData.ticketTimestampVerified = PR_TRUE;
             }
@@ -586,7 +598,8 @@ ssl3_SendSessionTicketXtn(
                                               session_ticket->ticket.len, 2);
             ss->xtnData.ticketTimestampVerified = PR_FALSE;
             ss->xtnData.sentSessionTicketInClientHello = PR_TRUE;
-        } else {
+        }
+        else {
             rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
         }
         if (rv != SECSuccess)
@@ -893,7 +906,8 @@ ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
             if (i <= len) {
                 memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i);
                 memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i);
-            } else {
+            }
+            else {
                 /* This seems to be invalid data so we'll send as-is. */
                 memcpy(alpn_protos, ss->opt.nextProtoNego.data, len);
             }
@@ -1001,7 +1015,8 @@ ssl3_ServerSendStatusRequestXtn(
     if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
         ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) {
         effectiveExchKeyType = ssl_kea_rsa;
-    } else {
+    }
+    else {
         effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
     }
 
@@ -1148,26 +1163,30 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
     ivItem.data = iv;
     ivItem.len = sizeof(iv);
     rv = PK11_GenerateRandom(iv, sizeof(iv));
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
 #ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
         rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
                                        &mac_key, &mac_key_length);
-    } else
+    }
+    else
 #endif
     {
         rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
                                              &mac_key_pkcs11);
     }
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) {
         /* The master secret is available unwrapped. */
         ms_item.data = ss->ssl3.pwSpec->msItem.data;
         ms_item.len = ss->ssl3.pwSpec->msItem.len;
         ms_is_wrapped = PR_FALSE;
-    } else {
+    }
+    else {
         /* Extract the master secret wrapped. */
         sslSessionID sid;
         PORT_Memset(&sid, 0, sizeof(sslSessionID));
@@ -1175,7 +1194,8 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
         if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
             ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) {
             effectiveExchKeyType = kt_rsa;
-        } else {
+        }
+        else {
             effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
         }
 
@@ -1189,7 +1209,8 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
             ms_item.data = wrapped_ms;
             ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
             msWrapMech = sid.u.ssl3.masterWrapMech;
-        } else {
+        }
+        else {
             /* TODO: else send an empty ticket. */
             goto loser;
         }
@@ -1219,7 +1240,8 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
         + 1                           /* extendedMasterSecretUsed */
         + sizeof(ticket.ticket_lifetime_hint);
     padding_length = AES_BLOCK_SIZE -
-        (ciphertext_length % AES_BLOCK_SIZE);
+                     (ciphertext_length %
+                      AES_BLOCK_SIZE);
     ciphertext_length += padding_length;
 
     message_length =
@@ -1239,86 +1261,110 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
     /* ticket_version */
     rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION,
                                  sizeof(PRUint16));
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     /* ssl_version */
     rv = ssl3_AppendNumberToItem(&plaintext, ss->version,
                                  sizeof(SSL3ProtocolVersion));
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     /* ciphersuite */
     rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite,
                                  sizeof(ssl3CipherSuite));
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     /* compression */
     rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     /* cipher spec parameters */
     rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
     rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
     rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
     rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     /* master_secret */
     rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
     rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
     rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
     rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
     rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     /* client_identity */
     if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
         rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
         rv = ssl3_AppendNumberToItem(&plaintext,
                                      ss->sec.ci.sid->peerCert->derCert.len, 3);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
         rv = ssl3_AppendToItem(&plaintext,
                                ss->sec.ci.sid->peerCert->derCert.data,
                                ss->sec.ci.sid->peerCert->derCert.len);
-        if (rv != SECSuccess) goto loser;
-    } else {
+        if (rv != SECSuccess)
+            goto loser;
+    }
+    else {
         rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
     }
 
     /* timestamp */
     now = ssl_Time();
     rv = ssl3_AppendNumberToItem(&plaintext, now,
                                  sizeof(ticket.ticket_lifetime_hint));
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     if (srvNameLen) {
         /* Name Type (sni_host_name) */
         rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
         /* HostName (length and value) */
         rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
         rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len);
-        if (rv != SECSuccess) goto loser;
-    } else {
+        if (rv != SECSuccess)
+            goto loser;
+    }
+    else {
         /* No Name */
-        rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME,
-                                     1);
-        if (rv != SECSuccess) goto loser;
+        rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, 1);
+        if (rv != SECSuccess)
+            goto loser;
     }
 
     /* extendedMasterSecretUsed */
     rv = ssl3_AppendNumberToItem(
         &plaintext, ss->sec.ci.sid->u.ssl3.keys.extendedMasterSecretUsed, 1);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     PORT_Assert(plaintext.len == padding_length);
     for (i = 0; i < padding_length; i++)
@@ -1335,13 +1381,16 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
         aes_ctx = (AESContext *)aes_ctx_buf;
         rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv,
                              NSS_AES_CBC, 1, AES_BLOCK_SIZE);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
 
         rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len,
                          ciphertext.len, plaintext_item.data,
                          plaintext_item.len);
-        if (rv != SECSuccess) goto loser;
-    } else
+        if (rv != SECSuccess)
+            goto loser;
+    }
+    else
 #endif
     {
         aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
@@ -1354,7 +1403,8 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
                            plaintext_item.data, plaintext_item.len);
         PK11_Finalize(aes_ctx_pkcs11);
         PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
     }
 
     /* Convert ciphertext length to network order. */
@@ -1377,7 +1427,8 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
         HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len);
         HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
                     sizeof(computed_mac));
-    } else
+    }
+    else
 #endif
     {
         SECItem macParam;
@@ -1389,44 +1440,58 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
             goto loser;
 
         rv = PK11_DigestBegin(hmac_ctx_pkcs11);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
         rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name,
                            SESS_TICKET_KEY_NAME_LEN);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
         rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv));
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
         rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
         rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
         rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
                               &computed_mac_length, sizeof(computed_mac));
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
     }
 
     /* Serialize the handshake message. */
     rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint,
                                     sizeof(ticket.ticket_lifetime_hint));
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     rv = ssl3_AppendHandshakeNumber(ss,
-        message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2);
-    if (rv != SECSuccess) goto loser;
+                                    message_length - sizeof(ticket.ticket_lifetime_hint) - 2,
+                                    2);
+    if (rv != SECSuccess)
+        goto loser;
 
     rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     rv = ssl3_AppendHandshake(ss, iv, sizeof(iv));
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
     rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length);
-    if (rv != SECSuccess) goto loser;
+    if (rv != SECSuccess)
+        goto loser;
 
 loser:
     if (hmac_ctx_pkcs11)
@@ -1479,7 +1544,8 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
      */
     if (data->len == 0) {
         ss->xtnData.emptySessionTicket = PR_TRUE;
-    } else {
+    }
+    else {
         PRUint32 i;
         SECItem extension_data;
         EncryptedSessionTicket enc_session_ticket;
@@ -1525,8 +1591,8 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
         extension_data.data = data->data; /* Keep a copy for future use. */
         extension_data.len = data->len;
 
-        if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket)
-            != SECSuccess) {
+        if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) !=
+            SECSuccess) {
             return SECSuccess; /* Pretend it isn't there */
         }
 
@@ -1535,7 +1601,8 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
         if (ss->opt.bypassPKCS11) {
             rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
                                            &mac_key, &mac_key_length);
-        } else
+        }
+        else
 #endif
         {
             rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
@@ -1573,7 +1640,8 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
             if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
                             sizeof(computed_mac)) != SECSuccess)
                 goto no_ticket;
-        } else
+        }
+        else
 #endif
         {
             SECItem macParam;
@@ -1585,13 +1653,15 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
                 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
                          SSL_GETPID(), ss->fd, PORT_GetError()));
                 goto no_ticket;
-            } else {
+            }
+            else {
                 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
                          SSL_GETPID(), ss->fd));
             }
             rv = PK11_DigestBegin(hmac_ctx_pkcs11);
             rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data,
-                extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
+                               extension_data.len -
+                                   TLS_EX_SESS_TICKET_MAC_LENGTH);
             if (rv != SECSuccess) {
                 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
                 goto no_ticket;
@@ -1603,7 +1673,8 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
                 goto no_ticket;
         }
         if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac,
-                computed_mac_length) != 0) {
+                             computed_mac_length) !=
+            0) {
             SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.",
                      SSL_GETPID(), ss->fd));
             goto no_ticket;
@@ -1637,7 +1708,8 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
                              enc_session_ticket.encrypted_state.len);
             if (rv != SECSuccess)
                 goto no_ticket;
-        } else
+        }
+        else
 #endif
         {
             SECItem ivItem;
@@ -1685,54 +1757,66 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
 
         /* Read ticket_version and reject if the version is wrong */
         temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
-        if (temp != TLS_EX_SESS_TICKET_VERSION) goto no_ticket;
+        if (temp != TLS_EX_SESS_TICKET_VERSION)
+            goto no_ticket;
 
         parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp;
 
         /* Read SSLVersion. */
         temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
-        if (temp < 0) goto no_ticket;
+        if (temp < 0)
+            goto no_ticket;
         parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp;
 
         /* Read cipher_suite. */
         temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
-        if (temp < 0) goto no_ticket;
+        if (temp < 0)
+            goto no_ticket;
         parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp;
 
         /* Read compression_method. */
         temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
-        if (temp < 0) goto no_ticket;
+        if (temp < 0)
+            goto no_ticket;
         parsed_session_ticket->compression_method = (SSLCompressionMethod)temp;
 
         /* Read cipher spec parameters. */
         temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
-        if (temp < 0) goto no_ticket;
+        if (temp < 0)
+            goto no_ticket;
         parsed_session_ticket->authAlgorithm = (SSLSignType)temp;
         temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
-        if (temp < 0) goto no_ticket;
+        if (temp < 0)
+            goto no_ticket;
         parsed_session_ticket->authKeyBits = (PRUint32)temp;
         temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
-        if (temp < 0) goto no_ticket;
+        if (temp < 0)
+            goto no_ticket;
         parsed_session_ticket->keaType = (SSLKEAType)temp;
         temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
-        if (temp < 0) goto no_ticket;
+        if (temp < 0)
+            goto no_ticket;
         parsed_session_ticket->keaKeyBits = (PRUint32)temp;
 
         /* Read wrapped master_secret. */
         temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
-        if (temp < 0) goto no_ticket;
+        if (temp < 0)
+            goto no_ticket;
         parsed_session_ticket->ms_is_wrapped = (PRBool)temp;
 
         temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
-        if (temp < 0) goto no_ticket;
+        if (temp < 0)
+            goto no_ticket;
         parsed_session_ticket->exchKeyType = (SSL3KEAType)temp;
 
         temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
-        if (temp < 0) goto no_ticket;
+        if (temp < 0)
+            goto no_ticket;
         parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp;
 
         temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
-        if (temp < 0) goto no_ticket;
+        if (temp < 0)
+            goto no_ticket;
         parsed_session_ticket->ms_length = (PRUint16)temp;
         if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */
             parsed_session_ticket->ms_length >
@@ -1759,10 +1843,12 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
             case CLIENT_AUTH_CERTIFICATE:
                 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3,
                                                    &buffer, &buffer_len);
-                if (rv != SECSuccess) goto no_ticket;
+                if (rv != SECSuccess)
+                    goto no_ticket;
                 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert,
                                       &cert_item);
-                if (rv != SECSuccess) goto no_ticket;
+                if (rv != SECSuccess)
+                    goto no_ticket;
                 break;
             default:
                 goto no_ticket;
@@ -1780,10 +1866,12 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
             SECItem name_item;
             rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer,
                                                &buffer_len);
-            if (rv != SECSuccess) goto no_ticket;
+            if (rv != SECSuccess)
+                goto no_ticket;
             rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName,
                                   &name_item);
-            if (rv != SECSuccess) goto no_ticket;
+            if (rv != SECSuccess)
+                goto no_ticket;
             parsed_session_ticket->srvName.type = nameType;
         }
 
@@ -1803,7 +1891,8 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
          */
         if (parsed_session_ticket->timestamp != 0 &&
             parsed_session_ticket->timestamp +
-            TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) {
+                    TLS_EX_SESS_TICKET_LIFETIME_HINT >
+                ssl_Time()) {
 
             sid = ssl3_NewSessionID(ss, PR_TRUE);
             if (sid == NULL) {
@@ -1840,8 +1929,7 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
                 parsed_session_ticket->ms_is_wrapped;
             sid->u.ssl3.masterValid = PR_TRUE;
             sid->u.ssl3.keys.resumable = PR_TRUE;
-            sid->u.ssl3.keys.extendedMasterSecretUsed = parsed_session_ticket->
-                extendedMasterSecretUsed;
+            sid->u.ssl3.keys.extendedMasterSecretUsed = parsed_session_ticket->extendedMasterSecretUsed;
 
             /* Copy over client cert from session ticket if there is one. */
             if (parsed_session_ticket->peer_cert.data != NULL) {
@@ -1916,16 +2004,20 @@ ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data,
                                  EncryptedSessionTicket *enc_session_ticket)
 {
     if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name,
-            SESS_TICKET_KEY_NAME_LEN) != SECSuccess)
+                             SESS_TICKET_KEY_NAME_LEN) !=
+        SECSuccess)
         return SECFailure;
     if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv,
-            AES_BLOCK_SIZE) != SECSuccess)
+                             AES_BLOCK_SIZE) !=
+        SECSuccess)
         return SECFailure;
     if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state,
-            2, &data->data, &data->len) != SECSuccess)
+                                      2, &data->data, &data->len) !=
+        SECSuccess)
         return SECFailure;
     if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac,
-            TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess)
+                             TLS_EX_SESS_TICKET_MAC_LENGTH) !=
+        SECSuccess)
         return SECFailure;
     if (data->len != 0) /* Make sure that we have consumed all bytes. */
         return SECFailure;
@@ -1958,7 +2050,8 @@ ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length,
         case server_hello:
             if (ss->version > SSL_LIBRARY_VERSION_3_0) {
                 handlers = serverHelloHandlersTLS;
-            } else {
+            }
+            else {
                 handlers = serverHelloHandlersSSL3;
             }
             break;
@@ -1999,8 +2092,7 @@ ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length,
         }
 
         /* Check that this is a legal extension in TLS 1.3 */
-        if (isTLS13 && !tls13_ExtensionAllowed(extension_type,
-                                               handshakeMessage)) {
+        if (isTLS13 && !tls13_ExtensionAllowed(extension_type, handshakeMessage)) {
             if (handshakeMessage == client_hello) {
                 /* Skip extensions not used in TLS 1.3 */
                 continue;
@@ -2039,11 +2131,13 @@ ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
     ssl3HelloExtensionSender *sender;
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
         sender = &ss->xtnData.serverHelloSenders[0];
-    } else {
+    }
+    else {
         if (tls13_ExtensionAllowed(ex_type, server_hello)) {
             PORT_Assert(!tls13_ExtensionAllowed(ex_type, encrypted_extensions));
             sender = &ss->xtnData.serverHelloSenders[0];
-        } else {
+        }
+        else {
             PORT_Assert(tls13_ExtensionAllowed(ex_type, encrypted_extensions));
             sender = &ss->xtnData.encryptedExtensionsSenders[0];
         }
@@ -2078,7 +2172,8 @@ ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
     if (!sender) {
         if (ss->version > SSL_LIBRARY_VERSION_3_0) {
             sender = &clientHelloSendersTLS[0];
-        } else {
+        }
+        else {
             sender = &clientHelloSendersSSL3[0];
         }
     }
@@ -2095,7 +2190,6 @@ ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
     return total_exten_len;
 }
 
-
 /* Extension format:
  * Extension number:   2 bytes
  * Extension length:   2 bytes
@@ -2130,14 +2224,17 @@ ssl3_SendRenegotiationInfoXtn(
         SECStatus rv;
         /* extension_type */
         rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2);
-        if (rv != SECSuccess) return -1;
+        if (rv != SECSuccess)
+            return -1;
         /* length of extension_data */
         rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2);
-        if (rv != SECSuccess) return -1;
+        if (rv != SECSuccess)
+            return -1;
         /* verify_Data from previous Finished message(s) */
         rv = ssl3_AppendHandshakeVariable(ss,
                                           ss->ssl3.hs.finishedMsgs.data, len, 1);
-        if (rv != SECSuccess) return -1;
+        if (rv != SECSuccess)
+            return -1;
         if (!ss->sec.isServer) {
             TLSExtensionData *xtnData = &ss->xtnData;
             xtnData->advertised[xtnData->numAdvertised++] =
@@ -2212,15 +2309,18 @@ ssl3_ClientSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
     if (append && maxBytes >= 4 + ext_data_len) {
         /* Extension type */
         rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
-        if (rv != SECSuccess) return -1;
+        if (rv != SECSuccess)
+            return -1;
         /* Length of extension data */
         rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2);
-        if (rv != SECSuccess) return -1;
+        if (rv != SECSuccess)
+            return -1;
         /* Length of the SRTP cipher list */
         rv = ssl3_AppendHandshakeNumber(ss,
                                         2 * ss->ssl3.dtlsSRTPCipherCount,
                                         2);
-        if (rv != SECSuccess) return -1;
+        if (rv != SECSuccess)
+            return -1;
         /* The SRTP ciphers */
         for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
             rv = ssl3_AppendHandshakeNumber(ss,
@@ -2249,16 +2349,20 @@ ssl3_ServerSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
 
     /* Extension type */
     rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
-    if (rv != SECSuccess) return -1;
+    if (rv != SECSuccess)
+        return -1;
     /* Length of extension data */
     rv = ssl3_AppendHandshakeNumber(ss, 5, 2);
-    if (rv != SECSuccess) return -1;
+    if (rv != SECSuccess)
+        return -1;
     /* Length of the SRTP cipher list */
     rv = ssl3_AppendHandshakeNumber(ss, 2, 2);
-    if (rv != SECSuccess) return -1;
+    if (rv != SECSuccess)
+        return -1;
     /* The selected cipher */
     rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2);
-    if (rv != SECSuccess) return -1;
+    if (rv != SECSuccess)
+        return -1;
     /* Empty MKI value */
     ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
 
@@ -2713,7 +2817,6 @@ loser:
     return -1;
 }
 
-
 static SECStatus
 ssl3_HandleExtendedMasterSecretXtn(sslSocket *ss, PRUint16 ex_type,
                                    SECItem *data)
@@ -2781,7 +2884,8 @@ ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append,
             goto loser;
         ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
             ssl_signed_cert_timestamp_xtn;
-    } else if (maxBytes < extension_length) {
+    }
+    else if (maxBytes < extension_length) {
         PORT_Assert(0);
         return 0;
     }
@@ -2828,7 +2932,8 @@ ssl3_ServerSendSignedCertTimestampXtn(sslSocket * ss,
     if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
         ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) {
         effectiveExchKeyType = ssl_kea_rsa;
-    } else {
+    }
+    else {
         effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
     }
 
@@ -2853,10 +2958,12 @@ ssl3_ServerSendSignedCertTimestampXtn(sslSocket * ss,
         rv = ssl3_AppendHandshakeNumber(ss,
                                         ssl_signed_cert_timestamp_xtn,
                                         2);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
         /* extension_data */
         rv = ssl3_AppendHandshakeVariable(ss, scts->data, scts->len, 2);
-        if (rv != SECSuccess) goto loser;
+        if (rv != SECSuccess)
+            goto loser;
     }
 
     return extension_length;
@@ -3137,4 +3244,3 @@ tls13_ServerSendKeyShareXtn(sslSocket *ss, PRBool append,
 loser:
     return -1;
 }
-

security/nss/lib/ssl/ssl3gthr.c

@@ -59,12 +59,14 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags)
 
         if (nb > 0) {
             PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
-	} else if (nb == 0) {
+        }
+        else if (nb == 0) {
             /* EOF */
             SSL_TRC(30, ("%d: SSL3[%d]: EOF", SSL_GETPID(), ss->fd));
             rv = 0;
             break;
-	} else /* if (nb < 0) */ {
+        }
+        else /* if (nb < 0) */ {
             SSL_DBG(("%d: SSL3[%d]: recv error %d", SSL_GETPID(), ss->fd,
                      PR_GetError()));
             rv = SECFailure;
@@ -122,7 +124,6 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags)
                 }
                 break; /* End this case.  Continue around the loop. */
 
-
             case GS_DATA:
                 /*
                 ** SSL3 record has been completely received.
@@ -193,12 +194,14 @@ dtls_GatherData(sslSocket *ss, sslGather *gs, int flags)
 
         if (nb > 0) {
             PRINT_BUF(60, (ss, "raw gather data:", gs->dtlsPacket.buf, nb));
-        } else if (nb == 0) {
+        }
+        else if (nb == 0) {
             /* EOF */
             SSL_TRC(30, ("%d: SSL3[%d]: EOF", SSL_GETPID(), ss->fd));
             rv = 0;
             return rv;
-        } else /* if (nb < 0) */ {
+        }
+        else /* if (nb < 0) */ {
             SSL_DBG(("%d: SSL3[%d]: recv error %d", SSL_GETPID(), ss->fd,
                      PR_GetError()));
             rv = SECFailure;
@@ -213,7 +216,8 @@ dtls_GatherData(sslSocket *ss, sslGather *gs, int flags)
      */
     if ((gs->dtlsPacket.len - gs->dtlsPacketOffset) < 13) {
         SSL_DBG(("%d: SSL3[%d]: rest of DTLS packet "
-		 "too short to contain header", SSL_GETPID(), ss->fd));
+                 "too short to contain header",
+                 SSL_GETPID(), ss->fd));
         PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
         gs->dtlsPacketOffset = 0;
         gs->dtlsPacket.len = 0;
@@ -228,7 +232,8 @@ dtls_GatherData(sslSocket *ss, sslGather *gs, int flags)
 
     if ((gs->dtlsPacket.len - gs->dtlsPacketOffset) < gs->remainder) {
         SSL_DBG(("%d: SSL3[%d]: rest of DTLS packet too short "
-		 "to contain rest of body", SSL_GETPID(), ss->fd));
+                 "to contain rest of body",
+                 SSL_GETPID(), ss->fd));
         PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
         gs->dtlsPacketOffset = 0;
         gs->dtlsPacket.len = 0;
@@ -309,7 +314,8 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
         if (ss->ssl3.hs.msgState.buf) {
             if (ss->ssl3.hs.msgState.len == 0) {
                 ss->ssl3.hs.msgState.buf = NULL;
-	    } else {
+            }
+            else {
                 handleRecordNow = PR_TRUE;
             }
         }
@@ -323,7 +329,8 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
              * handshake record.
              */
             rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
-	} else {
+        }
+        else {
             /* bring in the next sslv3 record. */
             if (ss->recvdCloseNotify) {
                 /* RFC 5246 Section 7.2.1:
@@ -333,7 +340,8 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
             }
             if (!IS_DTLS(ss)) {
                 rv = ssl3_GatherData(ss, &ss->gs, flags);
-	    } else {
+            }
+            else {
                 rv = dtls_GatherData(ss, &ss->gs, flags);
 
                 /* If we got a would block error, that means that no data was
@@ -366,9 +374,11 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
 
                 cText.version = dtls_DTLSVersionToTLSVersion(cText.version);
                 /* DTLS sequence number */
-		cText.seq_num.high = 0; cText.seq_num.low = 0;
+                cText.seq_num.high = 0;
+                cText.seq_num.low = 0;
                 for (i = 0; i < 4; i++) {
-		    cText.seq_num.high <<= 8; cText.seq_num.low <<= 8;
+                    cText.seq_num.high <<= 8;
+                    cText.seq_num.low <<= 8;
                     cText.seq_num.high |= ss->gs.hdr[3 + i];
                     cText.seq_num.low |= ss->gs.hdr[7 + i];
                 }
@@ -402,7 +412,8 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
             PORT_Assert(ss->firstHsDone);
             PORT_Assert(!ss->ssl3.hs.canFalseStart);
             keepGoing = PR_FALSE;
-	} else if (ss->ssl3.hs.canFalseStart) {
+        }
+        else if (ss->ssl3.hs.canFalseStart) {
             /* Prioritize sending application data over trying to complete
              * the handshake if we're false starting.
              *
@@ -415,7 +426,8 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
 
             if (ssl3_WaitingForServerSecondRound(ss)) {
                 keepGoing = PR_FALSE;
-	    } else {
+            }
+            else {
                 ss->ssl3.hs.canFalseStart = PR_FALSE;
             }
         }

security/nss/lib/ssl/ssl3prot.h

@@ -76,7 +76,8 @@ typedef struct {
     SSL3ChangeCipherSpecChoice choice;
 } SSL3ChangeCipherSpec;
 
-typedef enum { alert_warning = 1, alert_fatal = 2 } SSL3AlertLevel;
+typedef enum { alert_warning = 1,
+               alert_fatal = 2 } SSL3AlertLevel;
 
 typedef enum {
     close_notify = 0,

security/nss/lib/ssl/sslauth.c

@@ -90,8 +90,6 @@ SSL_LocalCertificate(PRFileDesc *fd)
     return NULL;
 }
 
-
-
 /* NEED LOCKS IN HERE.  */
 SECStatus
 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
@@ -108,11 +106,16 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
         return SECFailure;
     }
 
-    if (cp) *cp = 0;
-    if (kp0) *kp0 = 0;
-    if (kp1) *kp1 = 0;
-    if (ip) *ip = 0;
-    if (sp) *sp = 0;
+    if (cp)
+        *cp = 0;
+    if (kp0)
+        *kp0 = 0;
+    if (kp1)
+        *kp1 = 0;
+    if (ip)
+        *ip = 0;
+    if (sp)
+        *sp = 0;
     if (op) {
         *op = SSL_SECURITY_STATUS_OFF;
     }
@@ -120,12 +123,14 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
     if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
         if (ss->version < SSL_LIBRARY_VERSION_3_0) {
             cipherName = ssl_cipherName[ss->sec.cipherType];
-	} else {
+        }
+        else {
             cipherName = ssl3_cipherName[ss->sec.cipherType];
         }
         PORT_Assert(cipherName);
         if (cipherName) {
-            if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
+            if (PORT_Strstr(cipherName, "DES"))
+                isDes = PR_TRUE;
 
             if (cp) {
                 *cp = PORT_Strdup(cipherName);
@@ -134,19 +139,22 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
 
         if (kp0) {
             *kp0 = ss->sec.keyBits;
-	    if (isDes) *kp0 = (*kp0 * 7) / 8;
+            if (isDes)
+                *kp0 = (*kp0 * 7) / 8;
         }
         if (kp1) {
             *kp1 = ss->sec.secretKeyBits;
-	    if (isDes) *kp1 = (*kp1 * 7) / 8;
+            if (isDes)
+                *kp1 = (*kp1 * 7) / 8;
         }
         if (op) {
             if (ss->sec.keyBits == 0) {
                 *op = SSL_SECURITY_STATUS_OFF;
-	    } else if (ss->sec.secretKeyBits < 90) {
+            }
+            else if (ss->sec.secretKeyBits < 90) {
                 *op = SSL_SECURITY_STATUS_ON_LOW;
-
-	    } else {
+            }
+            else {
                 *op = SSL_SECURITY_STATUS_ON_HIGH;
             }
         }
@@ -162,7 +170,8 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
                 if (sp) {
                     *sp = CERT_NameToAscii(&cert->subject);
                 }
-	    } else {
+            }
+            else {
                 if (ip) {
                     *ip = PORT_Strdup("no certificate");
                 }
@@ -233,7 +242,6 @@ SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
     return SECSuccess;
 }
 
-
 /* This is the "default" authCert callback function.  It is called when a
  * certificate message is received from the peer and the local application
  * has not registered an authCert callback function.
@@ -262,8 +270,8 @@ SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
         PORT_SetError(0);
         if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now,
                                                   &certStatusArray->items[0],
-						  ss->pkcs11PinArg)
-		!= SECSuccess) {
+                                                  ss->pkcs11PinArg) !=
+            SECSuccess) {
             PORT_Assert(PR_GetError() != 0);
         }
     }

security/nss/lib/ssl/sslcon.c

@@ -29,6 +29,7 @@ static PRBool policyWasSet;
  * are supported by the server.  Unlike allCipherSuites (above), this list
  * is sorted by descending preference, not by cipherSuite number.
  */
+/* clang-format off */
 static const PRUint8 implementedCipherSuites[ssl2_NUM_SUITES_IMPLEMENTED * 3] = {
     SSL_CK_RC4_128_WITH_MD5,                0x00, 0x80,
     SSL_CK_RC2_128_CBC_WITH_MD5,            0x00, 0x80,
@@ -38,6 +39,7 @@ static const PRUint8 implementedCipherSuites[ssl2_NUM_SUITES_IMPLEMENTED * 3] =
     SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,   0x00, 0x80
 };
 
+
 typedef struct ssl2SpecsStr {
     PRUint8 nkm; /* do this many hashes to generate key material. */
     PRUint8 nkd; /* size of readKey and writeKey in bytes. */
@@ -67,6 +69,7 @@ static const ssl2Specs ssl_Specs[] = {
   /* SSL_CK_DES_192_EDE3_CBC_WITH_MD5   */
   { 3, 24, 8, 3, CKM_DES3_CBC,  24,   0, 8 },
 };
+/* clang-format on */
 
 #define SET_ERROR_CODE   /* reminder */
 #define TEST_FOR_FAILURE /* reminder */
@@ -99,7 +102,6 @@ const char * const ssl_cipherName[] = {
     "unknown", /* was fortezza, NO LONGER USED */
 };
 
-
 /* bit-masks, showing which SSLv2 suites are allowed.
  * lsb corresponds to first cipher suite in allCipherSuites[].
  */
@@ -123,7 +125,6 @@ static PRUint16	chosenPreference = 0xff;  /* all on  by default */
      SSL_CB_DES_64_CBC_WITH_MD5 |           \
      SSL_CB_DES_192_EDE3_CBC_WITH_MD5)
 
-
 /* Construct a socket's list of cipher specs from the global default values.
  */
 static SECStatus
@@ -142,7 +143,8 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
     count = 0;
     PORT_Assert(ss != 0);
     allowed = !ss->opt.enableSSL2 ? 0 :
-    	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
+                                  (ss->allowedByPolicy &
+                                   ss->chosenPreference & SSL_CB_IMPLEMENTED);
     while (allowed) {
         if (allowed & 1)
             ++count;
@@ -178,7 +180,8 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
 
     /* fill in cipher specs for SSL2 cipher suites */
     allowed = !ss->opt.enableSSL2 ? 0 :
-    	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
+                                  (ss->allowedByPolicy &
+                                   ss->chosenPreference & SSL_CB_IMPLEMENTED);
     for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
         const PRUint8 *hs = implementedCipherSuites + i;
         int ok = allowed & (1U << hs[0]);
@@ -264,10 +267,12 @@ ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
     if (policy == SSL_ALLOWED) {
         allowedByPolicy |= bitMask;
         maybeAllowedByPolicy |= bitMask;
-    } else if (policy == SSL_RESTRICTED) {
+    }
+    else if (policy == SSL_RESTRICTED) {
         allowedByPolicy &= ~bitMask;
         maybeAllowedByPolicy |= bitMask;
-    } else {
+    }
+    else {
         allowedByPolicy &= ~bitMask;
         maybeAllowedByPolicy &= ~bitMask;
     }
@@ -296,7 +301,8 @@ ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
 
     if (maybeAllowedByPolicy & bitMask) {
         policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
-    } else {
+    }
+    else {
         policy = SSL_NOT_ALLOWED;
     }
 
@@ -394,7 +400,6 @@ ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled)
     return SECSuccess;
 }
 
-
 /* copy global default policy into socket. */
 void
 ssl2_InitSocketPolicy(sslSocket *ss)
@@ -404,7 +409,6 @@ ssl2_InitSocketPolicy(sslSocket *ss)
     ss->chosenPreference = chosenPreference;
 }
 
-
 /************************************************************************/
 
 /* Called from ssl2_CreateSessionCypher(), which already holds handshake lock.
@@ -466,8 +470,8 @@ ssl2_GetSendBuffer(sslSocket *ss, unsigned int len)
 
 /* Called from:
  * ssl2_ClientSetupSessionCypher()  <- ssl2_HandleServerHelloMessage()
- * ssl2_HandleRequestCertificate()     <- ssl2_HandleMessage() <- 
- 					ssl_Do1stHandshake()
+ * ssl2_HandleRequestCertificate()  <- ssl2_HandleMessage()
+                                    <- ssl_Do1stHandshake()
  * ssl2_HandleMessage()             <- ssl_Do1stHandshake()
  * ssl2_HandleServerHelloMessage()  <- ssl_Do1stHandshake()
                                     after ssl2_BeginClientHandshake()
@@ -613,7 +617,8 @@ ssl2_SendServerFinishedMessage(sslSocket *ss)
             if (ss->sec.uncache)
                 (*ss->sec.uncache)(sid);
             rv = (SECStatus)sent;
-	} else if (!ss->opt.noCache) {
+        }
+        else if (!ss->opt.noCache) {
             if (sid->cached == never_cached) {
                 (*ss->sec.cache)(sid);
             }
@@ -627,8 +632,7 @@ done:
     return rv;
 }
 
-/* Called from ssl2_ClientSetupSessionCypher() <- 
- *						ssl2_HandleServerHelloMessage() 
+/* Called from ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
  *                                             after ssl2_BeginClientHandshake()
  * Acquires and releases the socket's xmitBufLock.
  */
@@ -869,7 +873,8 @@ ssl2_SendClear(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
         if (rv < 0) {
             if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
                 rv = 0;
-	    } else {
+            }
+            else {
                 /* Return short write if some data already went out... */
                 if (count == 0)
                     count = rv;
@@ -879,10 +884,11 @@ ssl2_SendClear(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
 
         if ((unsigned)rv < (amount + 2)) {
             /* Short write.  Save the data and return. */
-	    if (ssl_SaveWriteData(ss, out + rv, amount + 2 - rv) 
-	        == SECFailure) {
+            if (ssl_SaveWriteData(ss, out + rv, amount + 2 - rv) ==
+                SECFailure) {
                 count = SECFailure;
-	    } else {
+            }
+            else {
                 count += amount;
                 ss->sec.sendSequence++;
             }
@@ -948,11 +954,13 @@ ssl2_SendStream(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
 
         /* Encrypt MAC */
         rv = (*ss->sec.enc)(ss->sec.writecx, out + 2, &nout, macLen, out + 2, macLen);
-	if (rv) goto loser;
+        if (rv)
+            goto loser;
 
         /* Encrypt data from caller */
         rv = (*ss->sec.enc)(ss->sec.writecx, out + 2 + macLen, &nout, amount, in, amount);
-	if (rv) goto loser;
+        if (rv)
+            goto loser;
 
         ssl_ReleaseSpecReadLock(ss); /*************************************/
 
@@ -962,9 +970,11 @@ ssl2_SendStream(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
         if (rv < 0) {
             if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
                 SSL_TRC(50, ("%d: SSL[%d]: send stream would block, "
-			     "saving data", SSL_GETPID(), ss->fd));
+                             "saving data",
+                             SSL_GETPID(), ss->fd));
                 rv = 0;
-	    } else {
+            }
+            else {
                 SSL_TRC(10, ("%d: SSL[%d]: send stream error %d",
                              SSL_GETPID(), ss->fd, PORT_GetError()));
                 /* Return short write if some data already went out... */
@@ -978,7 +988,8 @@ ssl2_SendStream(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
             /* Short write.  Save the data and return. */
             if (ssl_SaveWriteData(ss, out + rv, buflen - rv) == SECFailure) {
                 count = SECFailure;
-	    } else {
+            }
+            else {
                 count += amount;
                 ss->sec.sendSequence++;
             }
@@ -1037,7 +1048,8 @@ ssl2_SendBlock(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
             hlen = 3;
             padding = ss->sec.blockSize - padding;
             nout += padding;
-	} else {
+        }
+        else {
             hlen = 2;
         }
         buflen = hlen + nout;
@@ -1055,7 +1067,8 @@ ssl2_SendBlock(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
             *op++ = MSB(nout);
             *op++ = LSB(nout);
             *op++ = padding;
-	} else {
+        }
+        else {
             *op++ = 0x80 | MSB(nout);
             *op++ = LSB(nout);
         }
@@ -1092,7 +1105,8 @@ ssl2_SendBlock(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
         if (rv < 0) {
             if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
                 rv = 0;
-	    } else {
+            }
+            else {
                 SSL_TRC(10, ("%d: SSL[%d]: send block error %d",
                              SSL_GETPID(), ss->fd, PORT_GetError()));
                 /* Return short write if some data already went out... */
@@ -1106,7 +1120,8 @@ ssl2_SendBlock(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
             /* Short write.  Save the data and return. */
             if (ssl_SaveWriteData(ss, out + rv, op - out - rv) == SECFailure) {
                 count = SECFailure;
-	    } else {
+            }
+            else {
                 count += amount;
                 ss->sec.sendSequence++;
             }
@@ -1211,7 +1226,8 @@ ssl_GatherRecord1stHandshake(sslSocket *ss)
     if ((ss->version >= SSL_LIBRARY_VERSION_3_0) || IS_DTLS(ss)) {
         /* Wait for handshake to complete, or application data to arrive.  */
         rv = ssl3_GatherCompleteHandshake(ss, 0);
-    } else {
+    }
+    else {
         /* See if we have a complete record */
         rv = ssl2_GatherRecord(ss, 0);
     }
@@ -1442,7 +1458,6 @@ ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
     SSL_TRC(3, ("%d: SSL[%d]: using %s", SSL_GETPID(), ss->fd,
                 ssl_cipherName[cipherType]));
 
-
     mechanism = ssl_Specs[cipherType].mechanism;
 
     /* set destructer before we call loser... */
@@ -1487,11 +1502,14 @@ ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
 
 loser:
     if (ss->sec.destroy) {
-	if (readcx)  (*ss->sec.destroy)(readcx, PR_TRUE);
-	if (writecx) (*ss->sec.destroy)(writecx, PR_TRUE);
+        if (readcx)
+            (*ss->sec.destroy)(readcx, PR_TRUE);
+        if (writecx)
+            (*ss->sec.destroy)(writecx, PR_TRUE);
     }
     ss->sec.destroy = NULL;
-    if (slot) PK11_FreeSlot(slot);
+    if (slot)
+        PK11_FreeSlot(slot);
 
 sec_loser:
     rv = SECFailure;
@@ -1868,10 +1886,12 @@ ssl2_ChooseSessionCypher(sslSocket *ss,
         if ((ohs[0] == SSL_CK_RC4_128_WITH_MD5) ||
             (ohs[0] == SSL_CK_RC2_128_CBC_WITH_MD5)) {
             PORT_SetError(SSL_ERROR_US_ONLY_SERVER);
-	} else if ((ohs[0] == SSL_CK_RC4_128_EXPORT40_WITH_MD5) ||
+        }
+        else if ((ohs[0] == SSL_CK_RC4_128_EXPORT40_WITH_MD5) ||
                  (ohs[0] == SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)) {
             PORT_SetError(SSL_ERROR_EXPORT_ONLY_SERVER);
-	} else {
+        }
+        else {
             PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
         }
         SSL_DBG(("%d: SSL[%d]: no cipher overlap", SSL_GETPID(), ss->fd));
@@ -1925,7 +1945,6 @@ ssl2_ClientHandleServerCert(sslSocket *ss, PRUint8 *certData, int certLen)
     return SECSuccess;
 }
 
-
 /*
  * Format one block of data for public/private key encryption using
  * the rules defined in PKCS #1. SSL2 does this itself to handle the
@@ -1969,12 +1988,14 @@ ssl_FormatSSL2Block(unsigned modulusLen, SECItem *data)
     padLen = modulusLen - data->len - 3;
     PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
     rv = PK11_GenerateRandom(bp, padLen);
-    if (rv == SECFailure) goto loser;
+    if (rv == SECFailure)
+        goto loser;
     /* replace all the 'zero' bytes */
     for (i = 0; i < padLen; i++) {
         while (bp[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
             rv = PK11_GenerateRandom(bp + i, 1);
-	    if (rv == SECFailure) goto loser;
+            if (rv == SECFailure)
+                goto loser;
         }
     }
     bp += padLen;
@@ -1983,7 +2004,8 @@ ssl_FormatSSL2Block(unsigned modulusLen, SECItem *data)
 
     return block;
 loser:
-    if (block) PORT_Free(block);
+    if (block)
+        PORT_Free(block);
     return NULL;
 }
 
@@ -2037,7 +2059,7 @@ ssl2_ClientSetupSessionCypher(sslSocket *ss, PRUint8 *cs, int csLen)
 
     ss->sec.authAlgorithm = ssl_sign_rsa;
     ss->sec.keaType = ssl_kea_rsa;
-    ss->sec.keaKeyBits    = \
+    ss->sec.keaKeyBits =
         ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey);
 
     /* Choose a compatible cipher with the server */
@@ -2156,7 +2178,6 @@ ssl2_ClientRegSessionID(sslSocket *ss, PRUint8 *s)
     if (sid->peerCert == NULL) {
         PORT_Memcpy(sid->u.ssl2.sessionID, s, sizeof(sid->u.ssl2.sessionID));
         sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
-
     }
     if (!ss->opt.noCache && sid->cached == never_cached)
         (*ss->sec.cache)(sid);
@@ -2202,7 +2223,8 @@ ssl2_TryToFinish(sslSocket *ss)
         if (ss->sec.isServer) {
             /* Send server finished message if we already didn't */
             rv = ssl2_SendServerFinishedMessage(ss);
-	} else {
+        }
+        else {
             /* Send client finished message if we already didn't */
             rv = ssl2_SendClientFinishedMessage(ss);
         }
@@ -2282,7 +2304,6 @@ ssl2_HandleRequestCertificate(sslSocket *ss)
     int ret = 0;
     PRUint8 authType;
 
-
     /*
      * These things all need to be initialized before we can "goto loser".
      */
@@ -2587,11 +2608,12 @@ ssl2_HandleMessage(sslSocket *ss)
                 PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
                 goto loser;
             }
-	if (certLen + responseLen + SSL_HL_CLIENT_CERTIFICATE_HBYTES 
-	    > ss->gs.recordLen) {
+            if (certLen + responseLen + SSL_HL_CLIENT_CERTIFICATE_HBYTES >
+                ss->gs.recordLen) {
                 /* prevent overflow crash. */
                 rv = SECFailure;
-	} else
+            }
+            else
                 rv = ssl2_HandleClientCertificate(ss, data[1],
                                                   data + SSL_HL_CLIENT_CERTIFICATE_HBYTES,
                                                   certLen,
@@ -2708,7 +2730,6 @@ ssl2_HandleVerifyMessage(sslSocket *ss)
     ss->nextHandshake = ssl2_HandleMessage;
     return SECSuccess;
 
-
 loser:
     ssl_ReleaseRecvBufLock(ss);
     return SECFailure;
@@ -2744,8 +2765,8 @@ ssl2_HandleServerHelloMessage(sslSocket *ss)
     DUMP_MSG(29, (ss, data, ss->gs.recordLen));
 
     /* Make sure first message has some data and is the server hello message */
-    if ((ss->gs.recordLen < SSL_HL_SERVER_HELLO_HBYTES)
-	|| (data[0] != SSL_MT_SERVER_HELLO)) {
+    if ((ss->gs.recordLen < SSL_HL_SERVER_HELLO_HBYTES) ||
+        (data[0] != SSL_MT_SERVER_HELLO)) {
         if ((data[0] == SSL_MT_ERROR) && (ss->gs.recordLen == 3)) {
             err = (data[1] << 8) | data[2];
             if (err == SSL_PE_NO_CYPHERS) {
@@ -2774,7 +2795,8 @@ ssl2_HandleServerHelloMessage(sslSocket *ss)
             SSL_TRC(3, ("%d: SSL[%d]: demoting self (%x) to server version (%x)",
                         SSL_GETPID(), ss->fd, SSL_LIBRARY_VERSION_2,
                         ss->version));
-	} else {
+        }
+        else {
             SSL_TRC(1, ("%d: SSL[%d]: server version is %x (we are %x)",
                         SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
             /* server claims to be newer but does not follow protocol */
@@ -2783,9 +2805,9 @@ ssl2_HandleServerHelloMessage(sslSocket *ss)
         }
     }
 
-    if ((SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen + cidLen 
-                                                  > ss->gs.recordLen)
-	|| (csLen % 3) != 0   
+    if ((SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen + cidLen >
+         ss->gs.recordLen) ||
+        (csLen % 3) != 0
         /* || cidLen < SSL_CONNECTIONID_BYTES || cidLen > 32  */
         ) {
         goto bad_server;
@@ -2823,7 +2845,8 @@ ssl2_HandleServerHelloMessage(sslSocket *ss)
         if (rv != SECSuccess) {
             goto loser;
         }
-    } else {
+    }
+    else {
         if (certType != SSL_CT_X509_CERTIFICATE) {
             PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
             goto loser;
@@ -2889,10 +2912,12 @@ ssl2_HandleServerHelloMessage(sslSocket *ss)
                 if (rv) {
                     if (rv == SECWouldBlock) {
                         SSL_DBG(("%d: SSL[%d]: SSL2 bad cert handler returned "
-			     "SECWouldBlock", SSL_GETPID(), ss->fd));
+                                 "SECWouldBlock",
+                                 SSL_GETPID(), ss->fd));
                         PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
                         rv = SECFailure;
-		} else {
+                    }
+                    else {
                         /* cert is bad */
                         SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
                                  SSL_GETPID(), ss->fd, PORT_GetError()));
@@ -2900,7 +2925,8 @@ ssl2_HandleServerHelloMessage(sslSocket *ss)
                     goto loser;
                 }
                 /* cert is good */
-	} else {
+            }
+            else {
                 SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
                          SSL_GETPID(), ss->fd, PORT_GetError()));
                 goto loser;
@@ -3006,7 +3032,8 @@ ssl2_BeginClientHandshake(sslSocket *ss)
     /* Try to find server in our session-id cache */
     if (ss->opt.noCache) {
         sid = NULL;
-    } else {
+    }
+    else {
         sid = ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID,
                             ss->url);
     }
@@ -3122,8 +3149,8 @@ ssl2_BeginClientHandshake(sslSocket *ss)
     /* Construct client-hello message */
     cp = msg = ss->sec.ci.sendBuf.buf;
     msg[0] = SSL_MT_CLIENT_HELLO;
-    ss->clientHelloVersion = SSL3_ALL_VERSIONS_DISABLED(&ss->vrange) ?
-	SSL_LIBRARY_VERSION_2 : ss->vrange.max;
+    ss->clientHelloVersion = SSL3_ALL_VERSIONS_DISABLED(&ss->vrange) ? SSL_LIBRARY_VERSION_2
+                                                                     : ss->vrange.max;
 
     msg[1] = MSB(ss->clientHelloVersion);
     msg[2] = LSB(ss->clientHelloVersion);
@@ -3209,14 +3236,13 @@ ssl2_HandleClientSessionKeyMessage(sslSocket *ss)
     int cipher;
     SECStatus rv;
 
-
     ssl_GetRecvBufLock(ss);
 
     data = ss->gs.buf.buf + ss->gs.recordOffset;
     DUMP_MSG(29, (ss, data, ss->gs.recordLen));
 
-    if ((ss->gs.recordLen < SSL_HL_CLIENT_MASTER_KEY_HBYTES)
-	|| (data[0] != SSL_MT_CLIENT_MASTER_KEY)) {
+    if ((ss->gs.recordLen < SSL_HL_CLIENT_MASTER_KEY_HBYTES) ||
+        (data[0] != SSL_MT_CLIENT_MASTER_KEY)) {
         goto bad_client;
     }
     cipher = data[1];
@@ -3237,9 +3263,12 @@ ssl2_HandleClientSessionKeyMessage(sslSocket *ss)
 
     /* Use info from client to setup session key */
     rv = ssl2_ServerSetupSessionCypher(ss, cipher, keyBits,
-		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES,                 ckLen,
-		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen,         ekLen,
-		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen, caLen);
+                                       data + SSL_HL_CLIENT_MASTER_KEY_HBYTES,
+                                       ckLen,
+                                       data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen,
+                                       ekLen,
+                                       data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen,
+                                       caLen);
     ss->gs.recordLen = 0; /* we're done with this record. */
 
     ssl_ReleaseRecvBufLock(ss);
@@ -3319,13 +3348,12 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
 
     ssl_GetRecvBufLock(ss);
 
-
     data = ss->gs.buf.buf + ss->gs.recordOffset;
     DUMP_MSG(29, (ss, data, ss->gs.recordLen));
 
     /* Make sure first message has some data and is the client hello message */
-    if ((ss->gs.recordLen < SSL_HL_CLIENT_HELLO_HBYTES)
-	|| (data[0] != SSL_MT_CLIENT_HELLO)) {
+    if ((ss->gs.recordLen < SSL_HL_CLIENT_HELLO_HBYTES) ||
+        (data[0] != SSL_MT_CLIENT_HELLO)) {
         goto bad_client;
     }
 
@@ -3406,7 +3434,8 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
             ** knows whats up.
             */
             ss->version = SSL_LIBRARY_VERSION_2;
-	} else {
+        }
+        else {
             SSL_TRC(1, ("%d: SSL[%d]: client version is %x (we are %x)",
                         SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
             PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
@@ -3444,7 +3473,8 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
                     ss->sec.ci.peer.pr_s6_addr32[2],
                     ss->sec.ci.peer.pr_s6_addr32[3]));
         sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sd, sdLen, ss->dbHandle);
-    } else {
+    }
+    else {
         sid = NULL;
     }
     if (sid) {
@@ -3468,7 +3498,8 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
         if (rv != SECSuccess) {
             goto loser;
         }
-    } else {
+    }
+    else {
         SECItem *derCert = &serverCert->derCert;
 
         SSL_TRC(7, ("%d: SSL[%d]: server, lookup nonce missed",
@@ -3505,7 +3536,7 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
 
         ss->sec.authAlgorithm = ssl_sign_rsa;
         ss->sec.keaType = ssl_kea_rsa;
-	ss->sec.keaKeyBits    = \
+        ss->sec.keaKeyBits =
             ss->sec.authKeyBits = ss->serverCerts[kt_rsa].serverKeyBits;
     }
 
@@ -3525,10 +3556,11 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
     ss->sec.ci.sentElements = 0;
 
     /* Send hello message back to client */
-    sendLen = SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen
-	    + SSL_CONNECTIONID_BYTES;
+    sendLen = SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen +
+              SSL_CONNECTIONID_BYTES;
 
-    ssl_GetXmitBufLock(ss); gotXmitBufLock = 1;
+    ssl_GetXmitBufLock(ss);
+    gotXmitBufLock = 1;
     rv = ssl2_GetSendBuffer(ss, sendLen);
     if (rv != SECSuccess) {
         goto loser;
@@ -3565,7 +3597,8 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
     if (sent < 0) {
         goto loser;
     }
-    ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
+    ssl_ReleaseXmitBufLock(ss);
+    gotXmitBufLock = 0;
 
     ss->gs.recordLen = 0;
     ss->handshake = ssl_GatherRecord1stHandshake;
@@ -3593,7 +3626,8 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
 
 loser:
     if (gotXmitBufLock) {
-    	ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
+        ssl_ReleaseXmitBufLock(ss);
+        gotXmitBufLock = 0;
     }
     SSL_TRC(10, ("%d: SSL[%d]: server, wait for client-hello lossage",
                  SSL_GETPID(), ss->fd));

security/nss/lib/ssl/ssldef.c

@@ -10,14 +10,18 @@
 #include "sslimpl.h"
 
 #if defined(WIN32)
-#define MAP_ERROR(from,to) if (err == from) { PORT_SetError(to); }
+#define MAP_ERROR(from, to) \
+    if (err == from) {      \
+        PORT_SetError(to);  \
+    }
 #define DEFINE_ERROR PRErrorCode err = PR_GetError();
 #else
 #define MAP_ERROR(from, to)
 #define DEFINE_ERROR
 #endif
 
-int ssl_DefConnect(sslSocket *ss, const PRNetAddr *sa)
+int
+ssl_DefConnect(sslSocket *ss, const PRNetAddr *sa)
 {
     PRFileDesc *lower = ss->fd->lower;
     int rv;
@@ -26,7 +30,8 @@ int ssl_DefConnect(sslSocket *ss, const PRNetAddr *sa)
     return rv;
 }
 
-int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr)
+int
+ssl_DefBind(sslSocket *ss, const PRNetAddr *addr)
 {
     PRFileDesc *lower = ss->fd->lower;
     int rv;
@@ -35,7 +40,8 @@ int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr)
     return rv;
 }
 
-int ssl_DefListen(sslSocket *ss, int backlog)
+int
+ssl_DefListen(sslSocket *ss, int backlog)
 {
     PRFileDesc *lower = ss->fd->lower;
     int rv;
@@ -44,7 +50,8 @@ int ssl_DefListen(sslSocket *ss, int backlog)
     return rv;
 }
 
-int ssl_DefShutdown(sslSocket *ss, int how)
+int
+ssl_DefShutdown(sslSocket *ss, int how)
 {
     PRFileDesc *lower = ss->fd->lower;
     int rv;
@@ -53,7 +60,8 @@ int ssl_DefShutdown(sslSocket *ss, int how)
     return rv;
 }
 
-int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
+int
+ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
 {
     PRFileDesc *lower = ss->fd->lower;
     int rv;
@@ -62,7 +70,8 @@ int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
     if (rv < 0) {
         DEFINE_ERROR
         MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
-    } else if (rv > len) {
+    }
+    else if (rv > len) {
         PORT_Assert(rv <= len);
         PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
         rv = SECFailure;
@@ -76,7 +85,8 @@ int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
  *   Returns positive count if any data was written, else returns SECFailure.
  *   Short writes may occur.  Does not return SECWouldBlock.
  */
-int ssl_DefSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
+int
+ssl_DefSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
 {
     PRFileDesc *lower = ss->fd->lower;
     int sent = 0;
@@ -115,7 +125,8 @@ int ssl_DefSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
     return sent;
 }
 
-int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len)
+int
+ssl_DefRead(sslSocket *ss, unsigned char *buf, int len)
 {
     PRFileDesc *lower = ss->fd->lower;
     int rv;
@@ -128,7 +139,8 @@ int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len)
     return rv;
 }
 
-int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len)
+int
+ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len)
 {
     PRFileDesc *lower = ss->fd->lower;
     int sent = 0;
@@ -153,7 +165,8 @@ int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len)
     return sent;
 }
 
-int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name)
+int
+ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name)
 {
     PRFileDesc *lower = ss->fd->lower;
     int rv;
@@ -162,7 +175,8 @@ int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name)
     return rv;
 }
 
-int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name)
+int
+ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name)
 {
     PRFileDesc *lower = ss->fd->lower;
     int rv;
@@ -171,7 +185,8 @@ int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name)
     return rv;
 }
 
-int ssl_DefClose(sslSocket *ss)
+int
+ssl_DefClose(sslSocket *ss)
 {
     PRFileDesc *fd;
     PRFileDesc *popped;

security/nss/lib/ssl/sslenum.c

@@ -50,6 +50,8 @@ const PRUint16 SSL_ImplementedCiphers[] = {
 #ifndef NSS_DISABLE_ECC
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
     /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
      * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
      */
@@ -66,6 +68,7 @@ const PRUint16 SSL_ImplementedCiphers[] = {
 #endif /* NSS_DISABLE_ECC */
 
     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,

security/nss/lib/ssl/sslerr.h

@@ -7,6 +7,7 @@
 #ifndef __SSL_ERR_H_
 #define __SSL_ERR_H_
 
+/* clang-format off */
 
 #define SSL_ERROR_BASE                          (-0x3000)
 #define SSL_ERROR_LIMIT                         (SSL_ERROR_BASE + 1000)
@@ -218,9 +219,11 @@ SSL_ERROR_MISSING_EXTENSION_ALERT = (SSL_ERROR_BASE + 143),
 
     SSL_ERROR_KEY_EXCHANGE_FAILURE          = (SSL_ERROR_BASE + 144),
     SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION = (SSL_ERROR_BASE + 145),
-
+    SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS = (SSL_ERROR_BASE + 146),
     SSL_ERROR_END_OF_LIST   /* let the c compiler determine the value of this. */
 } SSLErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */
 
+/* clang-format on */
+
 #endif /* __SSL_ERR_H_ */

security/nss/lib/ssl/sslerrstrs.c

@@ -20,7 +20,8 @@ static const struct PRErrorTable ssl_et = {
 };
 
 static PRStatus
-ssl_InitializePRErrorTableOnce(void) {
+ssl_InitializePRErrorTableOnce(void)
+{
     return PR_ErrorInstallTable(&ssl_et);
 }
 
@@ -30,5 +31,6 @@ SECStatus
 ssl_InitializePRErrorTable(void)
 {
     return (PR_SUCCESS == PR_CallOnce(&once, ssl_InitializePRErrorTableOnce))
-		? SECSuccess : SECFailure;
+               ? SECSuccess
+               : SECFailure;
 }

security/nss/lib/ssl/sslgathr.c

@@ -142,7 +142,8 @@ ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
                          * be called again by ssl_Do1stHandshake.
                          */
                         return SECWouldBlock;
-		} else if (gs->hdr[0] == content_alert) {
+                    }
+                    else if (gs->hdr[0] == content_alert) {
                         if (ss->nextHandshake == ssl2_HandleServerHelloMessage) {
                             /* XXX This is a hack.  We're assuming that any failure
                              * XXX on the client hello is a failure to match
@@ -159,7 +160,8 @@ ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
                     /* This record has a 2-byte header, and no padding */
                     gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1];
                     gs->recordPadding = 0;
-	    } else {
+                }
+                else {
                     /* This record has a 3-byte header that is all read in now. */
                     gs->count = ((gs->hdr[0] & 0x3f) << 8) | gs->hdr[1];
                     /*  is_escape =  (gs->hdr[0] & 0x40) != 0; */
@@ -178,7 +180,6 @@ ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
                     pBuf = gs->buf.buf;
                 }
 
-
                 if (gs->hdr[0] & 0x80) {
                     /* we've already read in the first byte of the body.
                     ** Put it into the buffer.
@@ -186,23 +187,24 @@ ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
                     pBuf[0] = gs->hdr[2];
                     gs->offset = 1;
                     gs->remainder = gs->count - 1;
-	    } else {
+                }
+                else {
                     gs->offset = 0;
                     gs->remainder = gs->count;
                 }
 
                 if (gs->encrypted) {
                     gs->state = GS_MAC;
-		gs->recordLen = gs->count - gs->recordPadding
-		                          - ss->sec.hash->length;
-	    } else {
+                    gs->recordLen = gs->count - gs->recordPadding -
+                                    ss->sec.hash->length;
+                }
+                else {
                     gs->state = GS_DATA;
                     gs->recordLen = gs->count;
                 }
 
                 break;
 
-
             case GS_MAC:
                 /* Have read in entire rest of the ciphertext.
                 ** Check for valid length.
@@ -248,7 +250,6 @@ ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
                         goto spec_locked_done;
                     }
 
-
                     /* Have read in all the MAC portion of record
                     **
                     ** Prepare MAC by resetting it and feeding it the shared secret
@@ -285,7 +286,8 @@ ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
                             rv = SECFailure;
                             goto cleanup;
                         }
-	    } else {
+                    }
+                    else {
                         ssl_ReleaseSpecReadLock(ss); /******************************/
                     }
 
@@ -294,7 +296,8 @@ ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
                         gs->readOffset = macLen;
                         gs->writeOffset = gs->offset - gs->recordPadding;
                         rv = 1;
-	    } else {
+                    }
+                    else {
                         PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
                     cleanup:
                         /* nothing in the buffer any more. */
@@ -308,7 +311,6 @@ cleanup:
                     gs->recordPadding = 0; /* forget we did any padding. */
                     gs->state = GS_INIT;
 
-
                     if (rv > 0) {
                         PRINT_BUF(50, (ss, "recv clear record:",
                                        pBuf + gs->recordOffset, gs->recordLen));

security/nss/lib/ssl/sslimpl.h

@@ -50,6 +50,7 @@ typedef SSLMACAlgorithm SSL3MACAlgorithm;
 #define calg_camellia ssl_calg_camellia
 #define calg_seed ssl_calg_seed
 #define calg_aes_gcm ssl_calg_aes_gcm
+#define calg_chacha20 ssl_calg_chacha20
 
 #define mac_null ssl_mac_null
 #define mac_md5 ssl_mac_md5
@@ -79,9 +80,15 @@ extern int Debug;
 #endif
 
 #ifdef TRACE
-#define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b
-#define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b
-#define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b
+#define SSL_TRC(a, b)     \
+    if (ssl_trace >= (a)) \
+    ssl_Trace b
+#define PRINT_BUF(a, b)   \
+    if (ssl_trace >= (a)) \
+    ssl_PrintBuf b
+#define DUMP_MSG(a, b)    \
+    if (ssl_trace >= (a)) \
+    ssl_DumpMsg b
 #else
 #define SSL_TRC(a, b)
 #define PRINT_BUF(a, b)
@@ -89,7 +96,9 @@ extern int Debug;
 #endif
 
 #ifdef DEBUG
-#define SSL_DBG(b) if (ssl_debug) ssl_Trace b
+#define SSL_DBG(b) \
+    if (ssl_debug) \
+    ssl_Trace b
 #else
 #define SSL_DBG(b)
 #endif
@@ -285,9 +294,9 @@ typedef struct {
 } ssl3CipherSuiteCfg;
 
 #ifndef NSS_DISABLE_ECC
-#define ssl_V3_SUITES_IMPLEMENTED 64
+#define ssl_V3_SUITES_IMPLEMENTED 67
 #else
-#define ssl_V3_SUITES_IMPLEMENTED 40
+#define ssl_V3_SUITES_IMPLEMENTED 41
 #endif /* NSS_DISABLE_ECC */
 
 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
@@ -297,7 +306,7 @@ typedef struct {
  * doesn't allow space for combinations with MD5). */
 #define MAX_SIGNATURE_ALGORITHMS 15
 
-
+/* clang-format off */
 typedef struct sslOptionsStr {
     /* If SSL_SetNextProtoNego has been called, then this contains the
      * list of supported protocols. */
@@ -334,6 +343,7 @@ typedef struct sslOptionsStr {
     unsigned int enableExtendedMS           : 1;  /* 31 */
     unsigned int enableSignedCertTimestamps : 1;  /* 32 */
 } sslOptions;
+/* clang-format on */
 
 typedef enum { sslHandshakingUndetermined = 0,
                sslHandshakingAsClient,
@@ -448,8 +458,6 @@ struct sslGatherStr {
 #define GS_DATA 3
 #define GS_PAD 4
 
-
-
 /*
 ** ssl3State and CipherSpec structs
 */
@@ -472,11 +480,14 @@ typedef enum {
     cipher_camellia_256,
     cipher_seed,
     cipher_aes_128_gcm,
+    cipher_chacha20,
     cipher_missing /* reserved for no such supported cipher */
     /* This enum must match ssl3_cipherName[] in ssl3con.c.  */
 } SSL3BulkCipher;
 
-typedef enum { type_stream, type_block, type_aead } CipherType;
+typedef enum { type_stream,
+               type_block,
+               type_aead } CipherType;
 
 #define MAX_IV_LENGTH 24
 
@@ -548,8 +559,8 @@ typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
  * right represent the true window, with modular arithmetic used to
  * map them onto the buffer.
  */
-#define DTLS_RECVD_RECORDS_WINDOW 1024 /* Packets; approximate
-				        * Must be divisible by 8
+#define DTLS_RECVD_RECORDS_WINDOW 1024 /* Packets; approximate   \
+                                        * Must be divisible by 8 \
                                         */
 typedef struct DTLSRecvdRecordsStr {
     unsigned char data[DTLS_RECVD_RECORDS_WINDOW / 8];
@@ -987,8 +998,6 @@ const ssl3CipherSuiteDef *suite_def;
                                         * cannot be greater than 255. */
 } SSL3HandshakeState;
 
-
-
 /*
 ** This is the "ssl3" struct, as in "ss->ssl3".
 ** note:
@@ -1231,7 +1240,6 @@ struct sslSecurityInfoStr {
 
     /* These are used during a connection handshake */
     sslConnectInfo ci; /* ssl 2 & 3 */
-
 };
 
 /*
@@ -1382,8 +1390,6 @@ const unsigned char *  preferredCipher;
     SSLProtocolVariant protocolVariant;
 };
 
-
-
 /* All the global data items declared here should be protected using the
 ** ssl_global_data_lock, which is a reader/writer lock.
 */
@@ -1516,7 +1522,6 @@ extern SECStatus ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
 
 extern SECStatus ssl3_ConstrainRangeByPolicy(void);
 
-
 /* Returns PR_TRUE if we are still waiting for the server to complete its
  * response to our client second round. Once we've received the Finished from
  * the server then there is no need to check false start.
@@ -1554,65 +1559,106 @@ extern PRInt32   ssl3_SendRecord(sslSocket *ss, DTLSEpoch epoch,
  */
 #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION
 
-#define SSL_LOCK_READER(ss)		if (ss->recvLock) PZ_Lock(ss->recvLock)
-#define SSL_UNLOCK_READER(ss)		if (ss->recvLock) PZ_Unlock(ss->recvLock)
-#define SSL_LOCK_WRITER(ss)		if (ss->sendLock) PZ_Lock(ss->sendLock)
-#define SSL_UNLOCK_WRITER(ss)		if (ss->sendLock) PZ_Unlock(ss->sendLock)
+#define SSL_LOCK_READER(ss) \
+    if (ss->recvLock)       \
+    PZ_Lock(ss->recvLock)
+#define SSL_UNLOCK_READER(ss) \
+    if (ss->recvLock)         \
+    PZ_Unlock(ss->recvLock)
+#define SSL_LOCK_WRITER(ss) \
+    if (ss->sendLock)       \
+    PZ_Lock(ss->sendLock)
+#define SSL_UNLOCK_WRITER(ss) \
+    if (ss->sendLock)         \
+    PZ_Unlock(ss->sendLock)
 
 /* firstHandshakeLock -> recvBufLock */
 #define ssl_Get1stHandshakeLock(ss)                               \
-    { if (!ss->opt.noLocks) { \
+    {                                                             \
+        if (!ss->opt.noLocks) {                                   \
             PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \
                         !ssl_HaveRecvBufLock(ss));                \
             PZ_EnterMonitor((ss)->firstHandshakeLock);            \
-      } }
+        }                                                         \
+    }
 #define ssl_Release1stHandshakeLock(ss)               \
-    { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
+    {                                                 \
+        if (!ss->opt.noLocks)                         \
+            PZ_ExitMonitor((ss)->firstHandshakeLock); \
+    }
 #define ssl_Have1stHandshakeLock(ss) \
     (PZ_InMonitor((ss)->firstHandshakeLock))
 
 /* ssl3HandshakeLock -> xmitBufLock */
 #define ssl_GetSSL3HandshakeLock(ss)                  \
-    { if (!ss->opt.noLocks) { \
+    {                                                 \
+        if (!ss->opt.noLocks) {                       \
             PORT_Assert(!ssl_HaveXmitBufLock(ss));    \
             PZ_EnterMonitor((ss)->ssl3HandshakeLock); \
-      } }
+        }                                             \
+    }
 #define ssl_ReleaseSSL3HandshakeLock(ss)             \
-    { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
+    {                                                \
+        if (!ss->opt.noLocks)                        \
+            PZ_ExitMonitor((ss)->ssl3HandshakeLock); \
+    }
 #define ssl_HaveSSL3HandshakeLock(ss) \
     (PZ_InMonitor((ss)->ssl3HandshakeLock))
 
 #define ssl_GetSpecReadLock(ss)                 \
-    { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); }
+    {                                           \
+        if (!ss->opt.noLocks)                   \
+            NSSRWLock_LockRead((ss)->specLock); \
+    }
 #define ssl_ReleaseSpecReadLock(ss)               \
-    { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
+    {                                             \
+        if (!ss->opt.noLocks)                     \
+            NSSRWLock_UnlockRead((ss)->specLock); \
+    }
 /* NSSRWLock_HaveReadLock is not exported so there's no
  * ssl_HaveSpecReadLock macro. */
 
 #define ssl_GetSpecWriteLock(ss)                 \
-    { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); }
+    {                                            \
+        if (!ss->opt.noLocks)                    \
+            NSSRWLock_LockWrite((ss)->specLock); \
+    }
 #define ssl_ReleaseSpecWriteLock(ss)               \
-    { if (!ss->opt.noLocks) NSSRWLock_UnlockWrite((ss)->specLock); }
+    {                                              \
+        if (!ss->opt.noLocks)                      \
+            NSSRWLock_UnlockWrite((ss)->specLock); \
+    }
 #define ssl_HaveSpecWriteLock(ss) \
     (NSSRWLock_HaveWriteLock((ss)->specLock))
 
 /* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */
 #define ssl_GetRecvBufLock(ss)                           \
-    { if (!ss->opt.noLocks) { \
+    {                                                    \
+        if (!ss->opt.noLocks) {                          \
             PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \
             PORT_Assert(!ssl_HaveXmitBufLock(ss));       \
             PZ_EnterMonitor((ss)->recvBufLock);          \
-      } }
+        }                                                \
+    }
 #define ssl_ReleaseRecvBufLock(ss)             \
-    { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
+    {                                          \
+        if (!ss->opt.noLocks)                  \
+            PZ_ExitMonitor((ss)->recvBufLock); \
+    }
 #define ssl_HaveRecvBufLock(ss) \
     (PZ_InMonitor((ss)->recvBufLock))
 
 /* xmitBufLock -> specLock */
 #define ssl_GetXmitBufLock(ss)                  \
-    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
+    {                                           \
+        if (!ss->opt.noLocks)                   \
+            PZ_EnterMonitor((ss)->xmitBufLock); \
+    }
 #define ssl_ReleaseXmitBufLock(ss)             \
-    { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); }
+    {                                          \
+        if (!ss->opt.noLocks)                  \
+            PZ_ExitMonitor((ss)->xmitBufLock); \
+    }
 #define ssl_HaveXmitBufLock(ss) \
     (PZ_InMonitor((ss)->xmitBufLock))
 
@@ -1699,14 +1745,14 @@ extern SECStatus ssl3_DisableECCSuites(sslSocket * ss,
                                        const ssl3CipherSuite *suite);
 extern PRUint32 ssl3_GetSupportedECCurveMask(sslSocket *ss);
 
-
 /* Macro for finding a curve equivalent in strength to RSA key's */
 /* clang-format off */
 #define SSL_RSASTRENGTH_TO_ECSTRENGTH(s)                                       \
         ((s <= 1024) ? 160                                                     \
                      : ((s <= 2048) ? 224                                      \
                                     : ((s <= 3072) ? 256                       \
-	      : ((s <= 7168) ? 384 : 521 ) ) ) )
+                                                   : ((s <= 7168) ? 384        \
+                                                                  : 521 ) ) ) )
 /* clang-format on */
 
 /* Types and names of elliptic curves used in TLS */
@@ -1751,7 +1797,6 @@ ECName ssl3_PubKey2ECName(SECKEYPublicKey *pubKey);
 ECName ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits);
 ECName ssl3_GetCurveNameForServerSocket(sslSocket *ss);
 
-
 #endif /* NSS_DISABLE_ECC */
 
 extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
@@ -1917,7 +1962,6 @@ extern void ssl_FreePRSocket(PRFileDesc *fd);
  * various ciphers */
 extern int ssl3_config_match_init(sslSocket *);
 
-
 /* Create a new ref counted key pair object from two keys. */
 extern ssl3KeyPair *ssl3_NewKeyPair(SECKEYPrivateKey *privKey,
                                     SECKEYPublicKey *pubKey);
@@ -1957,7 +2001,6 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
 
 extern SECStatus ssl_FreeSessionCacheLocks(void);
 
-
 /**************** DTLS-specific functions **************/
 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg);
 extern void dtls_FreeQueuedMessages(PRCList *lst);
@@ -1996,7 +2039,6 @@ dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv);
 extern PRBool dtls_IsRelevant(sslSocket *ss, const ssl3CipherSpec *crSpec,
                               const SSL3Ciphertext *cText, PRUint64 *seqNum);
 
-
 CK_MECHANISM_TYPE ssl3_Alg2Mech(SSLCipherAlgorithm calg);
 SECStatus ssl3_SetupPendingCipherSpec(sslSocket *ss);
 SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags);

security/nss/lib/ssl/sslinfo.c

@@ -27,7 +27,10 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
     SSLChannelInfo inf;
     sslSessionID *sid;
 
-    if (!info || len < sizeof inf.length) { 
+    /* Check if we can properly return the length of data written and that
+     * we're not asked to return more information than we know how to provide.
+     */
+    if (!info || len < sizeof inf.length || len > sizeof inf) { 
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
@@ -51,7 +54,8 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
             inf.cipherSuite = ss->sec.cipherType | 0xff00;
             inf.compressionMethod = ssl_compression_null;
             inf.compressionMethodName = "N/A";
-	} else if (ss->ssl3.initialized) { 	/* SSL3 and TLS */
+        }
+        else if (ss->ssl3.initialized) { /* SSL3 and TLS */
             ssl_GetSpecReadLock(ss);
             /* XXX  The cipher suite should be in the specs and this
              * function should get it from cwSpec rather than from the "hs".
@@ -69,14 +73,16 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
             inf.expirationTime = sid->expirationTime;
             inf.extendedMasterSecretUsed =
                 (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 ||
-                     sid->u.ssl3.keys.extendedMasterSecretUsed) ?
-                    PR_TRUE: PR_FALSE;
+                 sid->u.ssl3.keys.extendedMasterSecretUsed)
+                    ? PR_TRUE
+                    : PR_FALSE;
 
             if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
                 inf.sessionIDLength = SSL2_SESSIONID_BYTES;
                 memcpy(inf.sessionID, sid->u.ssl2.sessionID,
                        SSL2_SESSIONID_BYTES);
-	    } else {
+            }
+            else {
                 unsigned int sidLen = sid->u.ssl3.sessionIDLength;
                 sidLen = PR_MIN(sidLen, sizeof inf.sessionID);
                 inf.sessionIDLength = sidLen;
@@ -98,7 +104,10 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd,
     sslSocket *ss;
     SSLPreliminaryChannelInfo inf;
 
-    if (!info || len < sizeof inf.length) {
+    /* Check if we can properly return the length of data written and that
+     * we're not asked to return more information than we know how to provide.
+     */
+    if (!info || len < sizeof inf.length || len > sizeof inf) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
@@ -126,7 +135,6 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd,
     return SECSuccess;
 }
 
-
 #define CS(x) x, #x
 #define CK(x) x | 0xff00, #x
 
@@ -151,6 +159,7 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd,
 #define C_NULL "NULL", calg_null
 #define C_SJ "SKIPJACK", calg_sj
 #define C_AESGCM "AES-GCM", calg_aes_gcm
+#define C_CHACHA20 "CHACHA20POLY1305", calg_chacha20
 
 #define B_256 256, 256, 256
 #define B_128 128, 128, 128
@@ -167,9 +176,11 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd,
 #define M_MD5 "MD5", ssl_mac_md5, 128
 #define M_NULL "NULL", ssl_mac_null, 0
 
+/* clang-format off */
 static const SSLCipherSuiteInfo suiteInfo[] = {
     /* <------ Cipher suite --------------------> <auth> <KEA>  <bulk cipher> <MAC> <FIPS> */
     {0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256),       S_RSA, K_RSA, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0 },
+    {0,CS(TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256), S_RSA, K_DHE, C_CHACHA20, B_256, M_AEAD_128, 0, 0, 0 },
 
     {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0 },
     {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0 },
@@ -232,6 +243,7 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
     {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA),  S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0 },
     {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0 },
     {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),  S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0 },
+    {0,CS(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256), S_ECDSA, K_ECDHE, C_CHACHA20, B_256, M_AEAD_128, 0, 0, 0 },
 
     {0,CS(TLS_ECDH_RSA_WITH_NULL_SHA),            S_RSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0 },
     {0,CS(TLS_ECDH_RSA_WITH_RC4_128_SHA),         S_RSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0 },
@@ -245,6 +257,7 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
     {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA),    S_RSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0 },
     {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0 },
     {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA),    S_RSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0 },
+    {0,CS(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), S_RSA, K_ECDHE, C_CHACHA20, B_256, M_AEAD_128, 0, 0, 0 },
     #endif /* NSS_DISABLE_ECC */
 
     /* SSL 2 table */
@@ -255,20 +268,25 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
     {0,CK(SSL_CK_RC4_128_EXPORT40_WITH_MD5),      S_RSA, K_RSA, C_RC4, B_40,  M_MD5, 0, 1, 0 },
     {0,CK(SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5),  S_RSA, K_RSA, C_RC2, B_40,  M_MD5, 0, 1, 0 }
 };
+/* clang-format on */
 
 #define NUM_SUITEINFOS ((sizeof suiteInfo) / (sizeof suiteInfo[0]))
 
-
-SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, 
+SECStatus
+SSL_GetCipherSuiteInfo(PRUint16 cipherSuite,
                        SSLCipherSuiteInfo *info, PRUintn len)
 {
     unsigned int i;
 
-    len = PR_MIN(len, sizeof suiteInfo[0]);
-    if (!info || len < sizeof suiteInfo[0].length) {
+    /* Check if we can properly return the length of data written and that
+     * we're not asked to return more information than we know how to provide.
+     */
+    if (!info || len < sizeof suiteInfo[0].length ||
+        len > sizeof suiteInfo[0]) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
+    len = PR_MIN(len, sizeof suiteInfo[0]);
     for (i = 0; i < NUM_SUITEINFOS; i++) {
         if (suiteInfo[i].cipherSuite == cipherSuite) {
             memcpy(info, &suiteInfo[i], len);
@@ -424,7 +442,8 @@ SSL_ExportKeyingMaterial(PRFileDesc *fd,
     if (!ss->ssl3.cwSpec->master_secret && !ss->ssl3.cwSpec->msItem.len) {
         PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
         rv = SECFailure;
-    } else {
+    }
+    else {
         rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.cwSpec, label, labelLen, val,
                                          valLen, out, outLen);
     }

security/nss/lib/ssl/sslinit.c

@@ -39,7 +39,6 @@ ssl_InitCallOnce(void *arg)
     return PR_SUCCESS;
 }
 
-
 SECStatus
 ssl_Init(void)
 {

security/nss/lib/ssl/sslmutex.c

@@ -9,7 +9,8 @@
 #include "sslmutex.h"
 #include "prerr.h"
 
-static SECStatus single_process_sslMutex_Init(sslMutex* pMutex)
+static SECStatus
+single_process_sslMutex_Init(sslMutex* pMutex)
 {
     PR_ASSERT(pMutex != 0 && pMutex->u.sslLock == 0);
 
@@ -20,7 +21,8 @@ static SECStatus single_process_sslMutex_Init(sslMutex* pMutex)
     return SECSuccess;
 }
 
-static SECStatus single_process_sslMutex_Destroy(sslMutex* pMutex)
+static SECStatus
+single_process_sslMutex_Destroy(sslMutex* pMutex)
 {
     PR_ASSERT(pMutex != 0);
     PR_ASSERT(pMutex->u.sslLock != 0);
@@ -32,7 +34,8 @@ static SECStatus single_process_sslMutex_Destroy(sslMutex* pMutex)
     return SECSuccess;
 }
 
-static SECStatus single_process_sslMutex_Unlock(sslMutex* pMutex)
+static SECStatus
+single_process_sslMutex_Unlock(sslMutex* pMutex)
 {
     PR_ASSERT(pMutex != 0);
     PR_ASSERT(pMutex->u.sslLock != 0);
@@ -44,7 +47,8 @@ static SECStatus single_process_sslMutex_Unlock(sslMutex* pMutex)
     return SECSuccess;
 }
 
-static SECStatus single_process_sslMutex_Lock(sslMutex* pMutex)
+static SECStatus
+single_process_sslMutex_Lock(sslMutex* pMutex)
 {
     PR_ASSERT(pMutex != 0);
     PR_ASSERT(pMutex->u.sslLock != 0);
@@ -168,7 +172,6 @@ sslMutex_Destroy(sslMutex *pMutex, PRBool processLocal)
 ** count is greater than 1, then you must wait on the pipe.
 */
 
-
 SECStatus
 sslMutex_Unlock(sslMutex* pMutex)
 {
@@ -314,7 +317,8 @@ sslMutex_Lock(sslMutex *pMutex)
 
 #ifdef WINNT
 
-SECStatus sslMutex_2LevelInit(sslMutex *sem)
+SECStatus
+sslMutex_2LevelInit(sslMutex *sem)
 {
     /*  the following adds a PRLock to sslMutex . This is done in each
         process of a multi-process server and is only needed on WINNT, if
@@ -330,7 +334,8 @@ SECStatus sslMutex_2LevelInit(sslMutex *sem)
     return single_process_sslMutex_Init(sem);
 }
 
-static SECStatus sslMutex_2LevelDestroy(sslMutex *sem)
+static SECStatus
+sslMutex_2LevelDestroy(sslMutex *sem)
 {
     return single_process_sslMutex_Destroy(sem);
 }
@@ -348,7 +353,8 @@ sslMutex_Init(sslMutex *pMutex, int shared)
         { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
 
     PR_ASSERT(pMutex != 0 && (pMutex->u.sslMutx == 0 ||
-              pMutex->u.sslMutx == INVALID_HANDLE_VALUE) );
+                              pMutex->u.sslMutx ==
+                                  INVALID_HANDLE_VALUE));
 
     pMutex->isMultiProcess = (PRBool)(shared != 0);
 
@@ -364,7 +370,8 @@ sslMutex_Init(sslMutex *pMutex, int shared)
 #endif
 
     if (!pMutex || ((hMutex = pMutex->u.sslMutx) != 0 &&
-        hMutex != INVALID_HANDLE_VALUE)) {
+                    hMutex !=
+                        INVALID_HANDLE_VALUE)) {
         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
         return SECFailure;
     }
@@ -399,8 +406,8 @@ sslMutex_Destroy(sslMutex *pMutex, PRBool processLocal)
 
     PR_ASSERT(pMutex->u.sslMutx != 0 &&
               pMutex->u.sslMutx != INVALID_HANDLE_VALUE);
-    if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 
-        || hMutex == INVALID_HANDLE_VALUE) {
+    if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 ||
+        hMutex == INVALID_HANDLE_VALUE) {
         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
         return SECFailure;
     }

security/nss/lib/ssl/sslnonce.c

@@ -101,7 +101,8 @@ ssl_FreeSessionCacheLocks()
 static PRCallOnceType lockOnce;
 
 /* free the session cache locks if they were initialized lazily */
-static SECStatus ssl_ShutdownLocks(void* appData, void* nssData)
+static SECStatus
+ssl_ShutdownLocks(void *appData, void *nssData)
 {
     PORT_Assert(PR_FALSE == LocksInitializedEarly);
     if (LocksInitializedEarly) {
@@ -113,7 +114,8 @@ static SECStatus ssl_ShutdownLocks(void* appData, void* nssData)
     return SECSuccess;
 }
 
-static PRStatus initSessionCacheLocksLazily(void)
+static PRStatus
+initSessionCacheLocksLazily(void)
 {
     SECStatus rv = InitSessionCacheLocks();
     if (SECSuccess != rv) {
@@ -139,8 +141,9 @@ ssl_InitSessionCacheLocks(PRBool lazyInit)
 
     if (lazyInit) {
         return (PR_SUCCESS ==
-                PR_CallOnce(&lockOnce, initSessionCacheLocksLazily)) ?
-               SECSuccess : SECFailure;
+                PR_CallOnce(&lockOnce, initSessionCacheLocksLazily))
+                   ? SECSuccess
+                   : SECFailure;
     }
 
     if (SECSuccess == InitSessionCacheLocks()) {
@@ -171,7 +174,8 @@ ssl_DestroySID(sslSessionID *sid)
     if (sid->version < SSL_LIBRARY_VERSION_3_0) {
         SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
         SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
-    } else {
+    }
+    else {
         if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
             SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
                              PR_FALSE);
@@ -276,7 +280,8 @@ ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID,
             *sidp = sid->next;           /* delink it from the list. */
             sid->cached = invalid_cache; /* mark not on list. */
             ssl_FreeLockedSID(sid);      /* drop ref count, free. */
-	} else if (!memcmp(&sid->addr, addr, sizeof(PRIPv6Addr)) && /* server IP addr matches */
+        }
+        else if (!memcmp(&sid->addr, addr, sizeof(PRIPv6Addr)) && /* server IP addr matches */
                  (sid->port == port) &&                           /* server port matches */
                  /* proxy (peerID) matches */
                  (((peerID == NULL) && (sid->peerID == NULL)) ||
@@ -287,13 +292,13 @@ ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID,
                   sid->u.ssl3.keys.resumable) &&
                  /* server hostname matches. */
                  (sid->urlSvrName != NULL) &&
-		   (0 == PORT_Strcmp(urlSvrName, sid->urlSvrName))
-		  ) {
+                 (0 == PORT_Strcmp(urlSvrName, sid->urlSvrName))) {
             /* Hit */
             sid->lastAccessTime = now;
             sid->references++;
             break;
-	} else {
+        }
+        else {
             sidp = &sid->next;
         }
     }
@@ -333,7 +338,8 @@ CacheSID(sslSessionID *sid)
                       sid->u.ssl2.masterKey.data, sid->u.ssl2.masterKey.len));
         PRINT_BUF(8, (0, "cipherArg:",
                       sid->u.ssl2.cipherArg.data, sid->u.ssl2.cipherArg.len));
-    } else {
+    }
+    else {
         if (sid->u.ssl3.sessionIDLength == 0 &&
             sid->u.ssl3.locked.sessionTicket.ticket.data == NULL)
             return;
@@ -432,7 +438,6 @@ LockAndUncacheSID(sslSessionID *zap)
     LOCK_CACHE;
     UncacheSID(zap);
     UNLOCK_CACHE;
-
 }
 
 /* choose client or server cache functions for this sslsocket. */
@@ -442,7 +447,8 @@ ssl_ChooseSessionIDProcs(sslSecurityInfo *sec)
     if (sec->isServer) {
         sec->cache = ssl_sid_cache;
         sec->uncache = ssl_sid_uncache;
-    } else {
+    }
+    else {
         sec->cache = CacheSID;
         sec->uncache = LockAndUncacheSID;
     }

security/nss/lib/ssl/sslproto.h

@@ -10,6 +10,8 @@
 #ifndef __sslproto_h_
 #define __sslproto_h_
 
+/* clang-format off */
+
 /* All versions less than 3_0 are treated as SSL version 2 */
 #define SSL_LIBRARY_VERSION_2                   0x0002
 #define SSL_LIBRARY_VERSION_3_0                 0x0300
@@ -260,6 +262,10 @@
 #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   0xC02F
 #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256    0xC031
 
+#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   0xCCA8
+#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9
+#define TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     0xCCAA
+
 /* Netscape "experimental" cipher suites. */
 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA   0xffe0
 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA        0xffe1
@@ -275,4 +281,6 @@
 #define SRTP_NULL_HMAC_SHA1_80                  0x0005
 #define SRTP_NULL_HMAC_SHA1_32                  0x0006
 
+/* clang-format on */
+
 #endif /* __sslproto_h_ */

security/nss/lib/ssl/sslreveal.c

@@ -47,7 +47,6 @@ SSL_RevealPinArg(PRFileDesc * fd)
     return PinArg;
 }
 
-
 /* given PRFileDesc, returns a pointer to the URL associated with the socket
  * the caller should free url when done
  */
@@ -65,7 +64,6 @@ SSL_RevealURL(PRFileDesc * fd)
     return url;
 }
 
-
 /* given PRFileDesc, returns status information related to extensions
  * negotiated with peer during the handshake.
  */

security/nss/lib/ssl/sslsecur.c

@@ -221,7 +221,8 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
     if (asServer) {
         ss->handshake = ssl2_BeginServerHandshake;
         ss->handshaking = sslHandshakingAsServer;
-    } else {
+    }
+    else {
         ss->handshake = ssl2_BeginClientHandshake;
         ss->handshaking = sslHandshakingAsClient;
     }
@@ -282,7 +283,8 @@ SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache)
     if (ss->version < SSL_LIBRARY_VERSION_3_0) {
         PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
         rv = SECFailure;
-    } else {
+    }
+    else {
         ssl_GetSSL3HandshakeLock(ss);
         rv = ssl3_RedoHandshake(ss, flushCache); /* force full handshake. */
         ssl_ReleaseSSL3HandshakeLock(ss);
@@ -296,7 +298,8 @@ SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache)
 /*
 ** Same as above, but with an I/O timeout.
  */
-SSL_IMPORT SECStatus SSL_ReHandshakeWithTimeout(PRFileDesc *fd,
+SSL_IMPORT SECStatus
+SSL_ReHandshakeWithTimeout(PRFileDesc *fd,
                            PRBool flushCache,
                            PRIntervalTime timeout)
 {
@@ -459,14 +462,18 @@ SSL_ForceHandshake(PRFileDesc *fd)
         ssl_ReleaseRecvBufLock(ss);
         if (gatherResult > 0) {
             rv = SECSuccess;
-	} else if (gatherResult == 0) {
+        }
+        else if (gatherResult == 0) {
             PORT_SetError(PR_END_OF_FILE_ERROR);
-	} else if (gatherResult == SECWouldBlock) {
+        }
+        else if (gatherResult == SECWouldBlock) {
             PORT_SetError(PR_WOULD_BLOCK_ERROR);
         }
-    } else if (!ss->firstHsDone) {
+    }
+    else if (!ss->firstHsDone) {
         rv = ssl_Do1stHandshake(ss);
-    } else {
+    }
+    else {
         /* tried to force handshake on an SSL 2 socket that has
         ** already completed the handshake. */
         rv = SECSuccess; /* just pretend we did it. */
@@ -480,7 +487,8 @@ SSL_ForceHandshake(PRFileDesc *fd)
 /*
  ** Same as above, but with an I/O timeout.
  */
-SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd,
+SSL_IMPORT SECStatus
+SSL_ForceHandshakeWithTimeout(PRFileDesc *fd,
                               PRIntervalTime timeout)
 {
     if (SECSuccess != ssl_SetTimeout(fd, timeout)) {
@@ -489,7 +497,6 @@ SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd,
     return SSL_ForceHandshake(fd);
 }
 
-
 /************************************************************************/
 
 /*
@@ -505,7 +512,8 @@ sslBuffer_Grow(sslBuffer *b, unsigned int newLen)
         unsigned char *newBuf;
         if (b->buf) {
             newBuf = (unsigned char *)PORT_Realloc(b->buf, newLen);
-	} else {
+        }
+        else {
             newBuf = (unsigned char *)PORT_Alloc(newLen);
         }
         if (!newBuf) {
@@ -614,7 +622,8 @@ DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
         if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
             /* Wait for application data to arrive.  */
             rv = ssl3_GatherAppDataRecord(ss, 0);
-	} else {
+        }
+        else {
             /* See if we have a complete record */
             rv = ssl2_GatherRecord(ss, 0);
         }
@@ -635,7 +644,8 @@ DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
             ** Gather record is blocked waiting for more record data to
             ** arrive. Try to process what we have already received
             */
-	} else {
+        }
+        else {
             /* Gather record has finished getting a complete record */
         }
 
@@ -697,7 +707,8 @@ NSS_FindCertKEAType(CERTCertificate * cert)
     SSLKEAType keaType = kt_null;
     int tag;
 
-  if (!cert) goto loser;
+    if (!cert)
+        goto loser;
 
     tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
 
@@ -727,7 +738,8 @@ NSS_FindCertKEAType(CERTCertificate * cert)
 static const PRCallOnceType pristineCallOnce;
 static PRCallOnceType setupServerCAListOnce;
 
-static SECStatus serverCAListShutdown(void* appData, void* nssData)
+static SECStatus
+serverCAListShutdown(void *appData, void *nssData)
 {
     PORT_Assert(ssl3_server_ca_list);
     if (ssl3_server_ca_list) {
@@ -738,7 +750,8 @@ static SECStatus serverCAListShutdown(void* appData, void* nssData)
     return SECSuccess;
 }
 
-static PRStatus serverCAListSetup(void *arg)
+static PRStatus
+serverCAListSetup(void *arg)
 {
     CERTCertDBHandle *dbHandle = (CERTCertDBHandle *)arg;
     SECStatus rv = NSS_RegisterShutdown(serverCAListShutdown, NULL);
@@ -982,7 +995,8 @@ ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os)
         ss->sec.hashcx = os->sec.hash->clone(os->sec.hashcx);
         if (os->sec.hashcx && !ss->sec.hashcx)
             goto loser;
-    } else {
+    }
+    else {
         ss->sec.hash = NULL;
         ss->sec.hashcx = NULL;
     }
@@ -1032,7 +1046,8 @@ ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset)
         (*sec->destroy)(sec->writecx, PR_TRUE);
         sec->readcx = NULL;
         sec->writecx = NULL;
-    } else {
+    }
+    else {
         PORT_Assert(sec->readcx == 0);
         PORT_Assert(sec->writecx == 0);
     }
@@ -1060,7 +1075,6 @@ ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset)
     if (doMemset) {
         memset(&sec->ci, 0, sizeof sec->ci);
     }
-    
 }
 
 /*
@@ -1090,7 +1104,8 @@ ssl_SecureConnect(sslSocket *ss, const PRNetAddr *sa)
     if (ss->opt.handshakeAsServer) {
         ss->securityHandshake = ssl2_BeginServerHandshake;
         ss->handshaking = sslHandshakingAsServer;
-    } else {
+    }
+    else {
         ss->securityHandshake = ssl2_BeginClientHandshake;
         ss->handshaking = sslHandshakingAsClient;
     }
@@ -1099,7 +1114,8 @@ ssl_SecureConnect(sslSocket *ss, const PRNetAddr *sa)
     rv = osfd->methods->connect(osfd, sa, ss->cTimeout);
     if (rv == PR_SUCCESS) {
         ss->TCPconnected = 1;
-    } else {
+    }
+    else {
         int err = PR_GetError();
         SSL_DBG(("%d: SSL[%d]: connect failed, errno=%d",
                  SSL_GETPID(), ss->fd, err));
@@ -1192,7 +1208,6 @@ ssl_SecureShutdown(sslSocket *ss, int nsprHow)
 
 /************************************************************************/
 
-
 int
 ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
 {
@@ -1232,7 +1247,8 @@ ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
         return rv;
     }
 
-    if (len == 0) return 0;
+    if (len == 0)
+        return 0;
 
     rv = DoRecv(ss, (unsigned char *)buf, len, flags);
     SSL_TRC(2, ("%d: SSL[%d]: recving %d bytes securely (errno=%d)",
@@ -1341,7 +1357,8 @@ done:
     if (rv < 0) {
         SSL_TRC(2, ("%d: SSL[%d]: SecureSend: returning %d count, error %d",
                     SSL_GETPID(), ss->fd, rv, PORT_GetError()));
-    } else {
+    }
+    else {
         SSL_TRC(2, ("%d: SSL[%d]: SecureSend: returning %d count",
                     SSL_GETPID(), ss->fd, rv));
     }
@@ -1502,7 +1519,8 @@ SSL_GetSessionID(PRFileDesc *fd)
                     item->len = SSL2_SESSIONID_BYTES;
                     item->data = (unsigned char *)PORT_Alloc(item->len);
                     PORT_Memcpy(item->data, sid->u.ssl2.sessionID, item->len);
-		} else {
+                }
+                else {
                     item->len = sid->u.ssl3.sessionIDLength;
                     item->data = (unsigned char *)PORT_Alloc(item->len);
                     PORT_Memcpy(item->data, sid->u.ssl3.sessionID, item->len);
@@ -1573,10 +1591,12 @@ SSL_AuthCertificateComplete(PRFileDesc *fd, PRErrorCode error)
     if (!ss->ssl3.initialized) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         rv = SECFailure;
-    } else if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+    }
+    else if (ss->version < SSL_LIBRARY_VERSION_3_0) {
         PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
         rv = SECFailure;
-    } else {
+    }
+    else {
         rv = ssl3_AuthCertificateComplete(ss, error);
     }
 

security/nss/lib/ssl/sslsnce.c

@@ -128,6 +128,7 @@ struct sidCacheEntryStr {
     /*  4 */ PRInt32 srvNameIndex;
     /* 32 */ PRUint8 srvNameHash[SHA256_LENGTH]; /* SHA256 name hash */
 /*108 */} ssl3;
+
 /* force sizeof(sidCacheEntry) to be a multiple of cache line size */
 struct {
     /*120 */ PRUint8 filler[120]; /* 72+120==192, a multiple of 16 */
@@ -174,7 +175,6 @@ struct srvNameCacheEntryStr {
 };
 typedef struct srvNameCacheEntryStr srvNameCacheEntry;
 
-
 struct cacheDescStr {
 
     PRUint32 cacheMemSize;
@@ -237,7 +237,6 @@ static const char envVarName[] = { SSL_ENV_VAR_NAME };
 
 static PRBool isMultiProcess = PR_FALSE;
 
-
 #define DEF_SID_CACHE_ENTRIES 10000
 #define DEF_CERT_CACHE_ENTRIES 250
 #define MIN_CERT_CACHE_ENTRIES 125 /* the effective size in old releases. */
@@ -266,7 +265,6 @@ static PRBool isMultiProcess  = PR_FALSE;
 #define SID_HOWMANY(val, size) (((val) + ((size)-1)) / (size))
 #define SID_ROUNDUP(val, size) ((size)*SID_HOWMANY((val), (size)))
 
-
 static sslPID myPid;
 static PRUint32 ssl_max_sid_cache_locks = MAX_SID_CACHE_LOCKS;
 
@@ -276,7 +274,6 @@ static PRUint32 SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s,
 static SECStatus LaunchLockPoller(cacheDesc *cache);
 static SECStatus StopLockPoller(cacheDesc *cache);
 
-
 struct inheritanceStr {
     PRUint32 cacheMemSize;
     PRUint32 fmStrLen;
@@ -296,7 +293,6 @@ typedef struct inheritanceStr inheritance;
 
 #endif /* XP_UNIX || XP_BEOS */
 
-
 /************************************************************************/
 
 static PRUint32
@@ -343,7 +339,6 @@ UnlockSet(cacheDesc *cache, PRUint32 set)
 
 /************************************************************************/
 
-
 /* Put a certificate in the cache.  Update the cert index in the sce.
 */
 static PRUint32
@@ -386,7 +381,6 @@ CacheCert(cacheDesc * cache, CERTCertificate *cert, sidCacheEntry *sce)
         UnlockSidCacheLock(cache->certCacheLock);
     }
     return now;
-
 }
 
 /* Server configuration hash tables need to account the SECITEM.type
@@ -491,12 +485,14 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
                     sizeof(to->u.ssl2.cipherArg) - from->u.ssl2.cipherArg.len);
 #endif
         SSL_TRC(8, ("%d: SSL: ConvertSID: masterKeyLen=%d cipherArgLen=%d "
-		    "time=%d addr=0x%08x%08x%08x%08x cipherType=%d", myPid,
+                    "time=%d addr=0x%08x%08x%08x%08x cipherType=%d",
+                    myPid,
                     to->u.ssl2.masterKeyLen, to->u.ssl2.cipherArgLen,
                     to->creationTime, to->addr.pr_s6_addr32[0],
                     to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
                     to->addr.pr_s6_addr32[3], to->u.ssl2.cipherType));
-    } else {
+    }
+    else {
         /* This is an SSL v3 session */
 
         to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite;
@@ -570,7 +566,8 @@ ConvertToSID(sidCacheEntry *    from,
                     to->addr.pr_s6_addr32[0], to->addr.pr_s6_addr32[1],
                     to->addr.pr_s6_addr32[2], to->addr.pr_s6_addr32[3],
                     to->u.ssl2.cipherType));
-    } else {
+    }
+    else {
         /* This is an SSL v3 session */
 
         to->u.ssl3.sessionIDLength = from->sessionIDLength;
@@ -646,7 +643,8 @@ ConvertToSID(sidCacheEntry *    from,
                 PORT_Free(to->u.ssl2.masterKey.data);
             if (to->u.ssl2.cipherArg.data)
                 PORT_Free(to->u.ssl2.cipherArg.data);
-	} else {
+        }
+        else {
             SECITEM_FreeItem(&to->u.ssl3.srvName, PR_FALSE);
         }
         PORT_Free(to);
@@ -654,8 +652,6 @@ ConvertToSID(sidCacheEntry *    from,
     return NULL;
 }
 
-
-
 /*
 ** Perform some mumbo jumbo on the ip-address and the session-id value to
 ** compute a hash value.
@@ -673,13 +669,11 @@ SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, unsigned nl)
 
     rv = (addr->pr_s6_addr32[0] ^ addr->pr_s6_addr32[1] ^
           addr->pr_s6_addr32[2] ^ addr->pr_s6_addr32[3] ^
-          x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4] ^ x[5] ^ x[6] ^ x[7])
-	  % cache->numSIDCacheSets;
+          x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4] ^ x[5] ^ x[6] ^ x[7]) %
+         cache->numSIDCacheSets;
     return rv;
 }
 
-
-
 /*
 ** Look something up in the cache. This will invalidate old entries
 ** in the process. Caller has locked the cache set!
@@ -776,7 +770,8 @@ ServerSessionIDLookup(const PRIPv6Addr *addr,
                         !PORT_Memcmp(pcce->sessionID, psce->sessionID,
                                      pcce->sessionIDLength)) {
                         cce = *pcce;
-                    } else {
+                    }
+                    else {
                         /* The cert doesen't match the SID cache entry,
                         ** so invalidate the SID cache entry.
                         */
@@ -785,7 +780,8 @@ ServerSessionIDLookup(const PRIPv6Addr *addr,
                         pcce = 0;
                     }
                     UnlockSidCacheLock(cache->certCacheLock);
-                } else {
+                }
+                else {
                     /* what the ??.  Didn't get the cert cache lock.
                     ** Don't invalidate the SID cache entry, but don't find it.
                     */
@@ -803,7 +799,8 @@ ServerSessionIDLookup(const PRIPv6Addr *addr,
                     if (!PORT_Memcmp(psnce->nameHash, psce->u.ssl3.srvNameHash,
                                      SHA256_LENGTH)) {
                         snce = *psnce;
-                    } else {
+                    }
+                    else {
                         /* The name doesen't match the SID cache entry,
                         ** so invalidate the SID cache entry.
                         */
@@ -812,7 +809,8 @@ ServerSessionIDLookup(const PRIPv6Addr *addr,
                         psnce = 0;
                     }
                     UnlockSidCacheLock(cache->srvNameCacheLock);
-                } else {
+                }
+                else {
                     /* what the ??.  Didn't get the cert cache lock.
                     ** Don't invalidate the SID cache entry, but don't find it.
                     */
@@ -820,7 +818,6 @@ ServerSessionIDLookup(const PRIPv6Addr *addr,
                     psce = 0;
                     psnce = 0;
                 }
-                
             }
         }
         if (psce) {
@@ -866,7 +863,8 @@ ServerSessionIDCache(sslSessionID *sid)
              */
             sid->expirationTime = sid->creationTime + cache->ssl2Timeout;
             SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
-			"cipher=%d", myPid, sid->cached,
+                        "cipher=%d",
+                        myPid, sid->cached,
                         sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
                         sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
                         sid->creationTime, sid->u.ssl2.cipherType));
@@ -876,14 +874,15 @@ ServerSessionIDCache(sslSessionID *sid)
                           sid->u.ssl2.masterKey.len));
             PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
                           sid->u.ssl2.cipherArg.len));
-
-	} else {
+        }
+        else {
             /* override caller's expiration time, which uses client timeout
              * duration, not server timeout duration.
              */
             sid->expirationTime = sid->creationTime + cache->ssl3Timeout;
             SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
-			"cipherSuite=%d", myPid, sid->cached,
+                        "cipherSuite=%d",
+                        myPid, sid->cached,
                         sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
                         sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
                         sid->creationTime, sid->u.ssl3.cipherSuite));
@@ -948,7 +947,8 @@ ServerSessionIDUncache(sslSessionID *sid)
         sessionID = sid->u.ssl2.sessionID;
         sessionIDLength = SSL2_SESSIONID_BYTES;
         SSL_TRC(8, ("%d: SSL: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x "
-		    "cipher=%d", myPid, sid->cached,
+                    "cipher=%d",
+                    myPid, sid->cached,
                     sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
                     sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
                     sid->creationTime, sid->u.ssl2.cipherType));
@@ -957,11 +957,13 @@ ServerSessionIDUncache(sslSessionID *sid)
                       sid->u.ssl2.masterKey.len));
         PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
                       sid->u.ssl2.cipherArg.len));
-    } else {
+    }
+    else {
         sessionID = sid->u.ssl3.sessionID;
         sessionIDLength = sid->u.ssl3.sessionIDLength;
         SSL_TRC(8, ("%d: SSL3: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x "
-		    "cipherSuite=%d", myPid, sid->cached,
+                    "cipherSuite=%d",
+                    myPid, sid->cached,
                     sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
                     sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
                     sid->creationTime, sid->u.ssl3.cipherSuite));
@@ -985,7 +987,8 @@ ServerSessionIDUncache(sslSessionID *sid)
 #define INCL_DOSPROCESS
 #include <os2.h>
 
-long gettid(void)
+long
+gettid(void)
 {
     PTIB ptib;
     PPIB ppib;
@@ -1014,7 +1017,8 @@ CloseCache(cacheDesc *cache)
         }
         if (cache->shared) {
             PR_MemUnmap(cache->cacheMem, cache->cacheMemSize);
-	} else {
+        }
+        else {
             PORT_Free(cache->cacheMem);
         }
         cache->cacheMem = NULL;
@@ -1077,10 +1081,10 @@ InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries,
     cache->numSIDCacheSetsPerLock =
         SID_HOWMANY(cache->numSIDCacheSets, cache->numSIDCacheLocks);
 
-    cache->numCertCacheEntries = (maxCertCacheEntries > 0) ?
-                                             maxCertCacheEntries : 0;
-    cache->numSrvNameCacheEntries = (maxSrvNameCacheEntries >= 0) ?
-                                             maxSrvNameCacheEntries : DEF_NAME_CACHE_ENTRIES;
+    cache->numCertCacheEntries = (maxCertCacheEntries > 0) ? maxCertCacheEntries
+                                                           : 0;
+    cache->numSrvNameCacheEntries = (maxSrvNameCacheEntries >= 0) ? maxSrvNameCacheEntries
+                                                                  : DEF_NAME_CACHE_ENTRIES;
 
     /* compute size of shared memory, and offsets of all pointers */
     ptr = 0;
@@ -1158,7 +1162,8 @@ InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries,
             ssl2_timeout = MIN_SSL2_TIMEOUT;
         }
         cache->ssl2Timeout = ssl2_timeout;
-    } else {
+    }
+    else {
         cache->ssl2Timeout = DEF_SSL2_TIMEOUT;
     }
 
@@ -1170,7 +1175,8 @@ InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries,
             ssl3_timeout = MIN_SSL3_TIMEOUT;
         }
         cache->ssl3Timeout = ssl3_timeout;
-    } else {
+    }
+    else {
         cache->ssl3Timeout = DEF_SSL3_TIMEOUT;
     }
 
@@ -1205,7 +1211,8 @@ InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries,
         }
 
         cacheMem = PR_MemMap(cacheMemMap, 0, cache->cacheMemSize);
-    } else {
+    }
+    else {
         cacheMem = PORT_Alloc(cache->cacheMemSize);
     }
 
@@ -1227,32 +1234,19 @@ InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries,
     /* Fix pointers in our private copy of cache descriptor to point to
     ** spaces in shared memory
     */
-    cache->sidCacheLocks = (sidCacheLock *)
-        (cache->cacheMem + (ptrdiff_t)cache->sidCacheLocks);
-    cache->keyCacheLock = (sidCacheLock *)
-        (cache->cacheMem + (ptrdiff_t)cache->keyCacheLock);
-    cache->certCacheLock = (sidCacheLock *)
-        (cache->cacheMem + (ptrdiff_t)cache->certCacheLock);
-    cache->srvNameCacheLock = (sidCacheLock *)
-        (cache->cacheMem + (ptrdiff_t)cache->srvNameCacheLock);
-    cache->sidCacheSets = (sidCacheSet *)
-        (cache->cacheMem + (ptrdiff_t)cache->sidCacheSets);
-    cache->sidCacheData = (sidCacheEntry *)
-        (cache->cacheMem + (ptrdiff_t)cache->sidCacheData);
-    cache->certCacheData = (certCacheEntry *)
-        (cache->cacheMem + (ptrdiff_t)cache->certCacheData);
-    cache->keyCacheData = (SSLWrappedSymWrappingKey *)
-        (cache->cacheMem + (ptrdiff_t)cache->keyCacheData);
-    cache->ticketKeyNameSuffix = (PRUint8 *)
-        (cache->cacheMem + (ptrdiff_t)cache->ticketKeyNameSuffix);
-    cache->ticketEncKey = (encKeyCacheEntry *)
-        (cache->cacheMem + (ptrdiff_t)cache->ticketEncKey);
-    cache->ticketMacKey = (encKeyCacheEntry *)
-        (cache->cacheMem + (ptrdiff_t)cache->ticketMacKey);
-    cache->ticketKeysValid = (PRUint32 *)
-        (cache->cacheMem + (ptrdiff_t)cache->ticketKeysValid);
-    cache->srvNameCacheData = (srvNameCacheEntry *)
-        (cache->cacheMem + (ptrdiff_t)cache->srvNameCacheData);
+    cache->sidCacheLocks = (sidCacheLock *)(cache->cacheMem + (ptrdiff_t)cache->sidCacheLocks);
+    cache->keyCacheLock = (sidCacheLock *)(cache->cacheMem + (ptrdiff_t)cache->keyCacheLock);
+    cache->certCacheLock = (sidCacheLock *)(cache->cacheMem + (ptrdiff_t)cache->certCacheLock);
+    cache->srvNameCacheLock = (sidCacheLock *)(cache->cacheMem + (ptrdiff_t)cache->srvNameCacheLock);
+    cache->sidCacheSets = (sidCacheSet *)(cache->cacheMem + (ptrdiff_t)cache->sidCacheSets);
+    cache->sidCacheData = (sidCacheEntry *)(cache->cacheMem + (ptrdiff_t)cache->sidCacheData);
+    cache->certCacheData = (certCacheEntry *)(cache->cacheMem + (ptrdiff_t)cache->certCacheData);
+    cache->keyCacheData = (SSLWrappedSymWrappingKey *)(cache->cacheMem + (ptrdiff_t)cache->keyCacheData);
+    cache->ticketKeyNameSuffix = (PRUint8 *)(cache->cacheMem + (ptrdiff_t)cache->ticketKeyNameSuffix);
+    cache->ticketEncKey = (encKeyCacheEntry *)(cache->cacheMem + (ptrdiff_t)cache->ticketEncKey);
+    cache->ticketMacKey = (encKeyCacheEntry *)(cache->cacheMem + (ptrdiff_t)cache->ticketMacKey);
+    cache->ticketKeysValid = (PRUint32 *)(cache->cacheMem + (ptrdiff_t)cache->ticketKeysValid);
+    cache->srvNameCacheData = (srvNameCacheEntry *)(cache->cacheMem + (ptrdiff_t)cache->srvNameCacheData);
 
     /* initialize the locks */
     init_time = ssl_Time();
@@ -1481,7 +1475,8 @@ SSL_ConfigServerSessionIDCacheWithOpt(
         return ssl_ConfigServerSessionIDCacheInstanceWithOpt(&globalCache,
                                                              ssl2_timeout, ssl3_timeout, directory, PR_FALSE,
                                                              maxCacheEntries, maxCertCacheEntries, maxSrvNameCacheEntries);
-    } else {
+    }
+    else {
         return ssl_ConfigMPServerSIDCacheWithOpt(ssl2_timeout, ssl3_timeout,
                                                  directory, maxCacheEntries, maxCertCacheEntries,
                                                  maxSrvNameCacheEntries);
@@ -1590,32 +1585,19 @@ SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString)
     /* Fix pointers in our private copy of cache descriptor to point to
     ** spaces in shared memory, whose address is now in "my".
     */
-    cache->sidCacheLocks = (sidCacheLock *)
-        (my.cacheMem + (ptrdiff_t)cache->sidCacheLocks);
-    cache->keyCacheLock = (sidCacheLock *)
-        (my.cacheMem + (ptrdiff_t)cache->keyCacheLock);
-    cache->certCacheLock = (sidCacheLock *)
-        (my.cacheMem + (ptrdiff_t)cache->certCacheLock);
-    cache->srvNameCacheLock = (sidCacheLock *)
-        (my.cacheMem + (ptrdiff_t)cache->srvNameCacheLock);
-    cache->sidCacheSets = (sidCacheSet *)
-        (my.cacheMem + (ptrdiff_t)cache->sidCacheSets);
-    cache->sidCacheData = (sidCacheEntry *)
-        (my.cacheMem + (ptrdiff_t)cache->sidCacheData);
-    cache->certCacheData = (certCacheEntry *)
-        (my.cacheMem + (ptrdiff_t)cache->certCacheData);
-    cache->keyCacheData = (SSLWrappedSymWrappingKey *)
-        (my.cacheMem + (ptrdiff_t)cache->keyCacheData);
-    cache->ticketKeyNameSuffix = (PRUint8 *)
-        (my.cacheMem + (ptrdiff_t)cache->ticketKeyNameSuffix);
-    cache->ticketEncKey = (encKeyCacheEntry *)
-        (my.cacheMem + (ptrdiff_t)cache->ticketEncKey);
-    cache->ticketMacKey = (encKeyCacheEntry *)
-        (my.cacheMem + (ptrdiff_t)cache->ticketMacKey);
-    cache->ticketKeysValid = (PRUint32 *)
-        (my.cacheMem + (ptrdiff_t)cache->ticketKeysValid);
-    cache->srvNameCacheData = (srvNameCacheEntry *)
-        (my.cacheMem + (ptrdiff_t)cache->srvNameCacheData);
+    cache->sidCacheLocks = (sidCacheLock *)(my.cacheMem + (ptrdiff_t)cache->sidCacheLocks);
+    cache->keyCacheLock = (sidCacheLock *)(my.cacheMem + (ptrdiff_t)cache->keyCacheLock);
+    cache->certCacheLock = (sidCacheLock *)(my.cacheMem + (ptrdiff_t)cache->certCacheLock);
+    cache->srvNameCacheLock = (sidCacheLock *)(my.cacheMem + (ptrdiff_t)cache->srvNameCacheLock);
+    cache->sidCacheSets = (sidCacheSet *)(my.cacheMem + (ptrdiff_t)cache->sidCacheSets);
+    cache->sidCacheData = (sidCacheEntry *)(my.cacheMem + (ptrdiff_t)cache->sidCacheData);
+    cache->certCacheData = (certCacheEntry *)(my.cacheMem + (ptrdiff_t)cache->certCacheData);
+    cache->keyCacheData = (SSLWrappedSymWrappingKey *)(my.cacheMem + (ptrdiff_t)cache->keyCacheData);
+    cache->ticketKeyNameSuffix = (PRUint8 *)(my.cacheMem + (ptrdiff_t)cache->ticketKeyNameSuffix);
+    cache->ticketEncKey = (encKeyCacheEntry *)(my.cacheMem + (ptrdiff_t)cache->ticketEncKey);
+    cache->ticketMacKey = (encKeyCacheEntry *)(my.cacheMem + (ptrdiff_t)cache->ticketMacKey);
+    cache->ticketKeysValid = (PRUint32 *)(my.cacheMem + (ptrdiff_t)cache->ticketKeysValid);
+    cache->srvNameCacheData = (srvNameCacheEntry *)(my.cacheMem + (ptrdiff_t)cache->srvNameCacheData);
 
     cache->cacheMemMap = my.cacheMemMap;
     cache->cacheMem = my.cacheMem;
@@ -1840,7 +1822,8 @@ ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
         (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS) {
         rv = getSvrWrappingKey(symWrapMechIndex, exchKeyType, wswk,
                                &globalCache, 0);
-    } else {
+    }
+    else {
         rv = PR_FALSE;
     }
 
@@ -1860,8 +1843,8 @@ WrapTicketKey(SECKEYPublicKey *svrPubKey, PK11SymKey *symKey,
         return PR_FALSE;
     wrappedKey.data = cacheEntry->bytes;
 
-    if (PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, symKey, &wrappedKey)
-	    != SECSuccess) {
+    if (PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, symKey, &wrappedKey) !=
+        SECSuccess) {
         SSL_DBG(("%d: SSL[%s]: Unable to wrap session ticket %s.",
                  SSL_GETPID(), "unknown", keyName));
         return PR_FALSE;
@@ -1885,12 +1868,14 @@ GenerateTicketKeys(void *pwArg, unsigned char *keyName, PK11SymKey **aesKey,
     if (!cache->cacheMem) {
         /* cache is not initalized. Use stack buffer */
         ticketKeyNameSuffix = ticketKeyNameSuffixLocal;
-    } else {
+    }
+    else {
         ticketKeyNameSuffix = cache->ticketKeyNameSuffix;
     }
 
     if (PK11_GenerateRandom(ticketKeyNameSuffix,
-	    SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess) {
+                            SESS_TICKET_KEY_VAR_NAME_LEN) !=
+        SECSuccess) {
         SSL_DBG(("%d: SSL[%s]: Unable to generate random key name bytes.",
                  SSL_GETPID(), "unknown"));
         goto loser;
@@ -2057,7 +2042,8 @@ ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey,
         ticketKeyNameSuffix = ticketKeyNameSuffixLocal;
         ticketEncKeyPtr = ticketEncKey;
         ticketMacKeyPtr = ticketMacKey;
-    } else {
+    }
+    else {
         /* these values have constant memory locations in the cache.
          * Ok to reference them without holding the lock. */
         ticketKeyNameSuffix = cache->ticketKeyNameSuffix;
@@ -2075,7 +2061,8 @@ ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey,
      * initialized. */
     if (!cacheIsEnabled || !*(cache->ticketKeysValid)) {
         if (PK11_GenerateRandom(ticketKeyNameSuffix,
-		SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess)
+                                SESS_TICKET_KEY_VAR_NAME_LEN) !=
+            SECSuccess)
             goto loser;
         if (PK11_GenerateRandom(ticketEncKeyPtr,
                                 AES_256_KEY_LENGTH) != SECSuccess)
@@ -2147,7 +2134,8 @@ ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
         if (rv) {
             /* we found it on disk, copy it out to the caller. */
             PORT_Memcpy(wswk, &myWswk, sizeof *wswk);
-	} else {
+        }
+        else {
             /* Wasn't on disk, and we're still holding the lock, so write it. */
             cache->keyCacheData[ndx] = *wswk;
         }

security/nss/lib/ssl/sslsock.c

@@ -63,12 +63,14 @@ static sslOptions ssl_defaults = {
     2,                     /* requireCertificate */
     PR_FALSE,              /* handshakeAsClient  */
     PR_FALSE,              /* handshakeAsServer  */
-    PR_FALSE,   /* enableSSL2         */ /* now defaults to off in NSS 3.13 */
+    PR_FALSE,
+    /* enableSSL2         */ /* now defaults to off in NSS 3.13 */
     PR_FALSE,                /* unusedBit9         */
     PR_FALSE,                /* unusedBit10        */
     PR_FALSE,                /* noCache            */
     PR_FALSE,                /* fdx                */
-    PR_FALSE,   /* v2CompatibleHello  */ /* now defaults to off in NSS 3.13 */
+    PR_FALSE,
+    /* v2CompatibleHello  */ /* now defaults to off in NSS 3.13 */
     PR_TRUE,                 /* detectRollBack     */
     PR_FALSE,                /* noStepDown         */
     PR_FALSE,                /* bypassPKCS11       */
@@ -250,7 +252,8 @@ ssl_DupSocket(sslSocket *os)
             }
             PORT_Memcpy(ss->ssl3.dheGroups, os->ssl3.dheGroups,
                         sizeof(SSLDHEGroupType) * os->ssl3.numDHEGroups);
-        } else {
+        }
+        else {
             ss->ssl3.dheGroups = NULL;
         }
 
@@ -261,7 +264,8 @@ ssl_DupSocket(sslSocket *os)
                             os->sizeCipherSpecs);
             ss->sizeCipherSpecs = os->sizeCipherSpecs;
             ss->preferredCipher = os->preferredCipher;
-        } else {
+        }
+        else {
             ss->cipherSpecs = NULL; /* produced lazily */
             ss->sizeCipherSpecs = 0;
             ss->preferredCipher = NULL;
@@ -280,12 +284,14 @@ ssl_DupSocket(sslSocket *os)
                     sc->serverCertChain = CERT_DupCertList(oc->serverCertChain);
                     if (!sc->serverCertChain)
                         goto loser;
-                } else {
+                }
+                else {
                     sc->serverCert = NULL;
                     sc->serverCertChain = NULL;
                 }
                 sc->serverKeyPair = oc->serverKeyPair ?
-                                ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL;
+                                                      ssl3_GetKeyPairRef(oc->serverKeyPair)
+                                                      : NULL;
                 if (oc->serverKeyPair && !sc->serverKeyPair)
                     goto loser;
                 sc->serverKeyBits = oc->serverKeyBits;
@@ -481,7 +487,8 @@ ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled)
 
     if (osfd->methods->setsocketoption) {
         rv = (SECStatus)osfd->methods->setsocketoption(osfd, &opt);
-    } else {
+    }
+    else {
         PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
     }
 
@@ -514,7 +521,8 @@ SSL_Enable(PRFileDesc *fd, int which, PRBool on)
 static const PRCallOnceType pristineCallOnce;
 static PRCallOnceType setupBypassOnce;
 
-static SECStatus SSL_BypassShutdown(void* appData, void* nssData)
+static SECStatus
+SSL_BypassShutdown(void *appData, void *nssData)
 {
     /* unload freeBL shared library from memory */
     BL_Unload();
@@ -522,7 +530,8 @@ static SECStatus SSL_BypassShutdown(void* appData, void* nssData)
     return SECSuccess;
 }
 
-static PRStatus SSL_BypassRegisterShutdown(void)
+static PRStatus
+SSL_BypassRegisterShutdown(void)
 {
     SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL);
     PORT_Assert(SECSuccess == rv);
@@ -530,7 +539,8 @@ static PRStatus SSL_BypassRegisterShutdown(void)
 }
 #endif
 
-static PRStatus SSL_BypassSetup(void)
+static PRStatus
+SSL_BypassSetup(void)
 {
 #ifdef NO_PKCS11_BYPASS
     /* Guarantee binary compatibility */
@@ -568,11 +578,13 @@ ssl_EnableTLS(SSLVersionRange *vrange, PRBool on)
         /* Expand the range of enabled version to include TLS 1.0 */
         vrange->min = PR_MIN(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
         vrange->max = PR_MAX(vrange->max, SSL_LIBRARY_VERSION_TLS_1_0);
-    } else {
+    }
+    else {
         /* Disable all TLS versions, leaving only SSL 3.0 if it was enabled */
         if (vrange->min == SSL_LIBRARY_VERSION_3_0) {
             vrange->max = SSL_LIBRARY_VERSION_3_0;
-        } else {
+        }
+        else {
             /* Only TLS was enabled, so now no versions are. */
             vrange->min = SSL_LIBRARY_VERSION_NONE;
             vrange->max = SSL_LIBRARY_VERSION_NONE;
@@ -607,11 +619,13 @@ ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on)
          * we don't need to change vrange->max.
          */
         vrange->min = SSL_LIBRARY_VERSION_3_0;
-   } else {
+    }
+    else {
         /* Disable SSL 3.0, leaving TLS unaffected. */
         if (vrange->max > SSL_LIBRARY_VERSION_3_0) {
             vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
-        } else {
+        }
+        else {
             /* Only SSL 3.0 was enabled, so now no versions are. */
             vrange->min = SSL_LIBRARY_VERSION_NONE;
             vrange->max = SSL_LIBRARY_VERSION_NONE;
@@ -777,7 +791,8 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
             if (ss->handshakeBegun) {
                 PORT_SetError(PR_INVALID_STATE_ERROR);
                 rv = SECFailure;
-        } else {
+            }
+            else {
                 if (PR_FALSE != on) {
                     if (PR_SUCCESS == SSL_BypassSetup()) {
 #ifdef NO_PKCS11_BYPASS
@@ -785,10 +800,12 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
 #else
                         ss->opt.bypassPKCS11 = on;
 #endif
-                } else {
+                    }
+                    else {
                         rv = SECFailure;
                     }
-            } else {
+                }
+                else {
                     ss->opt.bypassPKCS11 = PR_FALSE;
                 }
             }
@@ -805,7 +822,8 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
             if (on) {
                 locksEverDisabled = PR_TRUE;
                 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
-        } else if (!holdingLocks) {
+            }
+            else if (!holdingLocks) {
                 rv = ssl_MakeLocks(ss);
                 if (rv != SECSuccess) {
                     ss->opt.noLocks = PR_TRUE;
@@ -908,45 +926,93 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
     ssl_GetSSL3HandshakeLock(ss);
 
     switch (which) {
-    case SSL_SOCKS:               on = PR_FALSE;               break;
-    case SSL_SECURITY:            on = ss->opt.useSecurity;        break;
-    case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break;
-    case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break;
-    case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient;  break;
-    case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer;  break;
+        case SSL_SOCKS:
+            on = PR_FALSE;
+            break;
+        case SSL_SECURITY:
+            on = ss->opt.useSecurity;
+            break;
+        case SSL_REQUEST_CERTIFICATE:
+            on = ss->opt.requestCertificate;
+            break;
+        case SSL_REQUIRE_CERTIFICATE:
+            on = ss->opt.requireCertificate;
+            break;
+        case SSL_HANDSHAKE_AS_CLIENT:
+            on = ss->opt.handshakeAsClient;
+            break;
+        case SSL_HANDSHAKE_AS_SERVER:
+            on = ss->opt.handshakeAsServer;
+            break;
         case SSL_ENABLE_TLS:
             on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
             break;
         case SSL_ENABLE_SSL3:
             on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
             break;
-    case SSL_ENABLE_SSL2:         on = ss->opt.enableSSL2;         break;
-    case SSL_NO_CACHE:            on = ss->opt.noCache;            break;
-    case SSL_ENABLE_FDX:          on = ss->opt.fdx;                break;
-    case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello;  break;
-    case SSL_ROLLBACK_DETECTION:  on = ss->opt.detectRollBack;     break;
-    case SSL_NO_STEP_DOWN:        on = ss->opt.noStepDown;         break;
-    case SSL_BYPASS_PKCS11:       on = ss->opt.bypassPKCS11;       break;
-    case SSL_NO_LOCKS:            on = ss->opt.noLocks;            break;
+        case SSL_ENABLE_SSL2:
+            on = ss->opt.enableSSL2;
+            break;
+        case SSL_NO_CACHE:
+            on = ss->opt.noCache;
+            break;
+        case SSL_ENABLE_FDX:
+            on = ss->opt.fdx;
+            break;
+        case SSL_V2_COMPATIBLE_HELLO:
+            on = ss->opt.v2CompatibleHello;
+            break;
+        case SSL_ROLLBACK_DETECTION:
+            on = ss->opt.detectRollBack;
+            break;
+        case SSL_NO_STEP_DOWN:
+            on = ss->opt.noStepDown;
+            break;
+        case SSL_BYPASS_PKCS11:
+            on = ss->opt.bypassPKCS11;
+            break;
+        case SSL_NO_LOCKS:
+            on = ss->opt.noLocks;
+            break;
         case SSL_ENABLE_SESSION_TICKETS:
             on = ss->opt.enableSessionTickets;
             break;
-    case SSL_ENABLE_DEFLATE:      on = ss->opt.enableDeflate;      break;
+        case SSL_ENABLE_DEFLATE:
+            on = ss->opt.enableDeflate;
+            break;
         case SSL_ENABLE_RENEGOTIATION:
-                                  on = ss->opt.enableRenegotiation; break;
+            on = ss->opt.enableRenegotiation;
+            break;
         case SSL_REQUIRE_SAFE_NEGOTIATION:
-                                  on = ss->opt.requireSafeNegotiation; break;
-    case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
-    case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
-    case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
-    case SSL_ENABLE_NPN:          on = ss->opt.enableNPN;          break;
-    case SSL_ENABLE_ALPN:         on = ss->opt.enableALPN;         break;
+            on = ss->opt.requireSafeNegotiation;
+            break;
+        case SSL_ENABLE_FALSE_START:
+            on = ss->opt.enableFalseStart;
+            break;
+        case SSL_CBC_RANDOM_IV:
+            on = ss->opt.cbcRandomIV;
+            break;
+        case SSL_ENABLE_OCSP_STAPLING:
+            on = ss->opt.enableOCSPStapling;
+            break;
+        case SSL_ENABLE_NPN:
+            on = ss->opt.enableNPN;
+            break;
+        case SSL_ENABLE_ALPN:
+            on = ss->opt.enableALPN;
+            break;
         case SSL_REUSE_SERVER_ECDHE_KEY:
-                                  on = ss->opt.reuseServerECDHEKey; break;
-    case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break;
-    case SSL_ENABLE_SERVER_DHE:   on = ss->opt.enableServerDhe; break;
+            on = ss->opt.reuseServerECDHEKey;
+            break;
+        case SSL_ENABLE_FALLBACK_SCSV:
+            on = ss->opt.enableFallbackSCSV;
+            break;
+        case SSL_ENABLE_SERVER_DHE:
+            on = ss->opt.enableServerDhe;
+            break;
         case SSL_ENABLE_EXTENDED_MASTER_SECRET:
-                                  on = ss->opt.enableExtendedMS; break;
+            on = ss->opt.enableExtendedMS;
+            break;
         case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
             on = ss->opt.enableSignedCertTimestamps;
             break;
@@ -977,42 +1043,81 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
     ssl_SetDefaultsFromEnvironment();
 
     switch (which) {
-    case SSL_SOCKS:               on = PR_FALSE;                        break;
-    case SSL_SECURITY:            on = ssl_defaults.useSecurity;        break;
-    case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break;
-    case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break;
-    case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient;  break;
-    case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer;  break;
+        case SSL_SOCKS:
+            on = PR_FALSE;
+            break;
+        case SSL_SECURITY:
+            on = ssl_defaults.useSecurity;
+            break;
+        case SSL_REQUEST_CERTIFICATE:
+            on = ssl_defaults.requestCertificate;
+            break;
+        case SSL_REQUIRE_CERTIFICATE:
+            on = ssl_defaults.requireCertificate;
+            break;
+        case SSL_HANDSHAKE_AS_CLIENT:
+            on = ssl_defaults.handshakeAsClient;
+            break;
+        case SSL_HANDSHAKE_AS_SERVER:
+            on = ssl_defaults.handshakeAsServer;
+            break;
         case SSL_ENABLE_TLS:
             on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
             break;
         case SSL_ENABLE_SSL3:
             on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
             break;
-    case SSL_ENABLE_SSL2:         on = ssl_defaults.enableSSL2;         break;
-    case SSL_NO_CACHE:            on = ssl_defaults.noCache;            break;
-    case SSL_ENABLE_FDX:          on = ssl_defaults.fdx;                break;
-    case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello;  break;
-    case SSL_ROLLBACK_DETECTION:  on = ssl_defaults.detectRollBack;     break;
-    case SSL_NO_STEP_DOWN:        on = ssl_defaults.noStepDown;         break;
-    case SSL_BYPASS_PKCS11:       on = ssl_defaults.bypassPKCS11;       break;
-    case SSL_NO_LOCKS:            on = ssl_defaults.noLocks;            break;
+        case SSL_ENABLE_SSL2:
+            on = ssl_defaults.enableSSL2;
+            break;
+        case SSL_NO_CACHE:
+            on = ssl_defaults.noCache;
+            break;
+        case SSL_ENABLE_FDX:
+            on = ssl_defaults.fdx;
+            break;
+        case SSL_V2_COMPATIBLE_HELLO:
+            on = ssl_defaults.v2CompatibleHello;
+            break;
+        case SSL_ROLLBACK_DETECTION:
+            on = ssl_defaults.detectRollBack;
+            break;
+        case SSL_NO_STEP_DOWN:
+            on = ssl_defaults.noStepDown;
+            break;
+        case SSL_BYPASS_PKCS11:
+            on = ssl_defaults.bypassPKCS11;
+            break;
+        case SSL_NO_LOCKS:
+            on = ssl_defaults.noLocks;
+            break;
         case SSL_ENABLE_SESSION_TICKETS:
             on = ssl_defaults.enableSessionTickets;
             break;
-    case SSL_ENABLE_DEFLATE:      on = ssl_defaults.enableDeflate;      break;
+        case SSL_ENABLE_DEFLATE:
+            on = ssl_defaults.enableDeflate;
+            break;
         case SSL_ENABLE_RENEGOTIATION:
-                                  on = ssl_defaults.enableRenegotiation; break;
+            on = ssl_defaults.enableRenegotiation;
+            break;
         case SSL_REQUIRE_SAFE_NEGOTIATION:
             on = ssl_defaults.requireSafeNegotiation;
             break;
-    case SSL_ENABLE_FALSE_START:  on = ssl_defaults.enableFalseStart;   break;
-    case SSL_CBC_RANDOM_IV:       on = ssl_defaults.cbcRandomIV;        break;
+        case SSL_ENABLE_FALSE_START:
+            on = ssl_defaults.enableFalseStart;
+            break;
+        case SSL_CBC_RANDOM_IV:
+            on = ssl_defaults.cbcRandomIV;
+            break;
         case SSL_ENABLE_OCSP_STAPLING:
             on = ssl_defaults.enableOCSPStapling;
             break;
-    case SSL_ENABLE_NPN:          on = ssl_defaults.enableNPN;          break;
-    case SSL_ENABLE_ALPN:         on = ssl_defaults.enableALPN;         break;
+        case SSL_ENABLE_NPN:
+            on = ssl_defaults.enableNPN;
+            break;
+        case SSL_ENABLE_ALPN:
+            on = ssl_defaults.enableALPN;
+            break;
         case SSL_REUSE_SERVER_ECDHE_KEY:
             on = ssl_defaults.reuseServerECDHEKey;
             break;
@@ -1152,10 +1257,12 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
 #else
                     ssl_defaults.bypassPKCS11 = on;
 #endif
-            } else {
+                }
+                else {
                     return SECFailure;
                 }
-        } else {
+            }
+            else {
                 ssl_defaults.bypassPKCS11 = PR_FALSE;
             }
             break;
@@ -1277,9 +1384,11 @@ ssl_CipherPolicySet(PRInt32 which, PRInt32 policy)
 
     if (ssl_IsRemovedCipherSuite(which)) {
         rv = SECSuccess;
-    } else if (SSL_IS_SSL2_CIPHER(which)) {
+    }
+    else if (SSL_IS_SSL2_CIPHER(which)) {
         rv = ssl2_SetPolicy(which, policy);
-    } else {
+    }
+    else {
         rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
     }
     return rv;
@@ -1307,9 +1416,11 @@ SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
     if (ssl_IsRemovedCipherSuite(which)) {
         *oPolicy = SSL_NOT_ALLOWED;
         rv = SECSuccess;
-    } else if (SSL_IS_SSL2_CIPHER(which)) {
+    }
+    else if (SSL_IS_SSL2_CIPHER(which)) {
         rv = ssl2_GetPolicy(which, oPolicy);
-    } else {
+    }
+    else {
         rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
     }
     return rv;
@@ -1348,7 +1459,8 @@ ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
     }
     if (SSL_IS_SSL2_CIPHER(which)) {
         rv = ssl2_CipherPrefSetDefault(which, enabled);
-    } else {
+    }
+    else {
         rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled);
     }
     return rv;
@@ -1377,9 +1489,11 @@ SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
     if (ssl_IsRemovedCipherSuite(which)) {
         *enabled = PR_FALSE;
         rv = SECSuccess;
-    } else if (SSL_IS_SSL2_CIPHER(which)) {
+    }
+    else if (SSL_IS_SSL2_CIPHER(which)) {
         rv = ssl2_CipherPrefGetDefault(which, enabled);
-    } else {
+    }
+    else {
         rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled);
     }
     return rv;
@@ -1403,7 +1517,8 @@ SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled)
     }
     if (SSL_IS_SSL2_CIPHER(which)) {
         rv = ssl2_CipherPrefSet(ss, which, enabled);
-    } else {
+    }
+    else {
         rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);
     }
     return rv;
@@ -1427,9 +1542,11 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
     if (ssl_IsRemovedCipherSuite(which)) {
         *enabled = PR_FALSE;
         rv = SECSuccess;
-    } else if (SSL_IS_SSL2_CIPHER(which)) {
+    }
+    else if (SSL_IS_SSL2_CIPHER(which)) {
         rv = ssl2_CipherPrefGet(ss, which, enabled);
-    } else {
+    }
+    else {
         rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
     }
     return rv;
@@ -1505,7 +1622,6 @@ SSL_DHEGroupPrefSet(PRFileDesc *fd,
     return SECSuccess;
 }
 
-
 PRCallOnceType gWeakDHParamsRegisterOnce;
 int gWeakDHParamsRegisterError;
 
@@ -1647,11 +1763,13 @@ ssl3_SelectDHParams(sslSocket *ss)
 
     if (ss->ssl3.dheWeakGroupEnabled) {
         ss->dheParams = gWeakDHParams;
-    } else {
+    }
+    else {
         if (ss->ssl3.dheGroups) {
             selectedGroup = selectDHEGroup(ss, ss->ssl3.dheGroups,
                                            ss->ssl3.numDHEGroups);
-        } else {
+        }
+        else {
             size_t number_of_default_groups = PR_ARRAY_SIZE(ssl_default_dhe_groups);
             selectedGroup = selectDHEGroup(ss, ssl_default_dhe_groups,
                                            number_of_default_groups);
@@ -1684,7 +1802,8 @@ ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant)
     if (model == NULL) {
         /* Just create a default socket if we're given NULL for the model */
         ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant);
-    } else {
+    }
+    else {
         sslSocket *ss = ssl_FindSocket(model);
         if (ss == NULL || ss->protocolVariant != variant) {
             SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD",
@@ -1857,14 +1976,16 @@ SSL_GetNextProto(PRFileDesc *fd, SSLNextProtoState *state, unsigned char *buf,
         }
         PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len);
         *bufLen = ss->ssl3.nextProto.len;
-    } else {
+    }
+    else {
         *bufLen = 0;
     }
 
     return SECSuccess;
 }
 
-SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd,
+SECStatus
+SSL_SetSRTPCiphers(PRFileDesc *fd,
                    const PRUint16 *ciphers,
                    unsigned int numCiphers)
 {
@@ -1896,9 +2017,11 @@ SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd,
         if (*srtpCipher) {
             ss->ssl3.dtlsSRTPCiphers[ss->ssl3.dtlsSRTPCipherCount++] =
                 ciphers[i];
-        } else {
+        }
+        else {
             SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher "
-                    "suite specified: 0x%04hx", SSL_GETPID(), fd,
+                     "suite specified: 0x%04hx",
+                     SSL_GETPID(), fd,
                      ciphers[i]));
         }
     }
@@ -2006,7 +2129,8 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
                 }
                 if (SECITEM_CopyItem(NULL,
                                      &ss->signedCertTimestamps[i],
-                        &sm->signedCertTimestamps[i]) != SECSuccess) {
+                                     &sm->signedCertTimestamps[i]) !=
+                    SECSuccess) {
                     goto loser;
                 }
             }
@@ -2120,7 +2244,8 @@ ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant)
     vrange.max = PR_MIN(vrange.max, pvrange.max);
     if (vrange.max >= vrange.min) {
         *VERSIONS_DEFAULTS(protocolVariant) = vrange;
-    } else {
+    }
+    else {
         /* there was no overlap, turn off range altogether */
         pvrange.min = pvrange.max = SSL_LIBRARY_VERSION_NONE;
         *VERSIONS_DEFAULTS(protocolVariant) = pvrange;
@@ -2251,7 +2376,8 @@ SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant,
                            SSLVersionRange *vrange)
 {
     if ((protocolVariant != ssl_variant_stream &&
-         protocolVariant != ssl_variant_datagram) || !vrange) {
+         protocolVariant != ssl_variant_datagram) ||
+        !vrange) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
@@ -2425,7 +2551,8 @@ ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
     if (newfd == NULL) {
         SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d",
                  SSL_GETPID(), ss->fd, PORT_GetError()));
-    } else {
+    }
+    else {
         /* Create ssl module */
         ns = ssl_DupSocket(ss);
     }
@@ -2450,7 +2577,8 @@ ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
         if (ns->opt.handshakeAsClient) {
             ns->handshake = ssl2_BeginClientHandshake;
             ss->handshaking = sslHandshakingAsClient;
-        } else {
+        }
+        else {
             ns->handshake = ssl2_BeginServerHandshake;
             ss->handshaking = sslHandshakingAsServer;
         }
@@ -2701,10 +2829,12 @@ ssl_GetPeerInfo(sslSocket *ss)
     if (sin.inet.family == PR_AF_INET) {
         PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer);
         ss->sec.ci.port = sin.inet.port;
-    } else if (sin.ipv6.family == PR_AF_INET6) {
+    }
+    else if (sin.ipv6.family == PR_AF_INET6) {
         ss->sec.ci.peer = sin.ipv6.ip;
         ss->sec.ci.port = sin.ipv6.port;
-    } else {
+    }
+    else {
         PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR);
         return SECFailure;
     }
@@ -2839,10 +2969,12 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
                 new_flags &= ~PR_POLL_RW;
                 if (ss->handshaking == sslHandshakingAsClient) {
                     new_flags |= PR_POLL_WRITE;
-                } else { /* handshaking as server */
+                }
+                else { /* handshaking as server */
                     new_flags |= PR_POLL_READ;
                 }
-            } else
+            }
+            else
                 /* First handshake is in progress */
                 if (ss->lastWriteBlocked) {
                 if (new_flags & PR_POLL_READ) {
@@ -2854,7 +2986,8 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
                     new_flags ^= PR_POLL_READ;  /* don't select on read. */
                     new_flags |= PR_POLL_WRITE; /* do    select on write. */
                 }
-            } else if (new_flags & PR_POLL_WRITE) {
+            }
+            else if (new_flags & PR_POLL_WRITE) {
                 /* The caller is trying to write, but the handshake is
                 ** blocked waiting for data to read, and the first
                 ** handshake has been sent.  So do NOT to poll on write
@@ -2867,10 +3000,12 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
                 new_flags |= PR_POLL_READ; /* do    select on read. */
             }
         }
-    } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
+    }
+    else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
         *p_out_flags = PR_POLL_READ; /* it's ready already. */
         return new_flags;
-    } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) &&
+    }
+    else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) &&
              (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */
         new_flags |= PR_POLL_WRITE;       /* also select on write. */
     }
@@ -2889,7 +3024,8 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
              * of the application spinning.
              */
             new_flags &= (PR_POLL_WRITE | PR_POLL_EXCEPT);
-        } else {
+        }
+        else {
             /* Unfortunately, clearing new_flags will make it impossible for
              * the application to detect errors that it would otherwise be
              * able to detect with PR_POLL_EXCEPT, until the asynchronous
@@ -2916,7 +3052,8 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
                 out_flags |= PR_POLL_READ;
             *p_out_flags = out_flags;
             new_flags = how_flags;
-        } else {
+        }
+        else {
             *p_out_flags = lower_out_flags;
             new_flags = lower_new_flags;
         }
@@ -2943,7 +3080,6 @@ ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd,
     return sd->methods->sendfile(sd, &sfd, flags, timeout);
 }
 
-
 PRBool
 ssl_FdIsBlocking(PRFileDesc *fd)
 {
@@ -2999,16 +3135,26 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
     blocking = ssl_FdIsBlocking(fd);
 
 #define K16 sizeof(buf)
-#define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; }
-#define GET_VECTOR   do { myIov = *iov++; --vectors; KILL_VECTORS } while (0)
+#define KILL_VECTORS                   \
+    while (vectors && !iov->iov_len) { \
+        ++iov;                         \
+        --vectors;                     \
+    }
+#define GET_VECTOR      \
+    do {                \
+        myIov = *iov++; \
+        --vectors;      \
+        KILL_VECTORS    \
+    } while (0)
 #define HANDLE_ERR(rv, len)                                    \
     if (rv != len) {                                           \
         if (rv < 0) {                                          \
-            if (!blocking \
-                && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \
-                && (sent > 0)) { \
+            if (!blocking &&                                   \
+                (PR_GetError() == PR_WOULD_BLOCK_ERROR) &&     \
+                (sent > 0)) {                                  \
                 return sent;                                   \
-            } else { \
+            }                                                  \
+            else {                                             \
                 return -1;                                     \
             }                                                  \
         }                                                      \
@@ -3063,12 +3209,15 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
 
         if (!vectors || myIov.iov_len > limit) {
             addLen = 0;
-        } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
+        }
+        else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
             /* Addlen is already computed. */;
-        } else if (vectors > 1 &&
+        }
+        else if (vectors > 1 &&
                  iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
             addLen = limit - myIov.iov_len;
-        } else
+        }
+        else
             addLen = 0;
 
         if (!addLen) {
@@ -3088,15 +3237,17 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
             left = PR_MIN(limit, K16 - bufLen);
             if (!vectors             /* no more left */
                 || myIov.iov_len > 0 /* we didn't use that one all up */
-            ||  bufLen >= K16           /* it's full. */
-            ) {
+                || bufLen >= K16     /* it's full. */ ) {
                 addLen = 0;
-            } else if ((addLen = iov->iov_len % K16) <= left) {
+            }
+            else if ((addLen = iov->iov_len % K16) <= left) {
                 /* Addlen is already computed. */;
-            } else if (vectors > 1 &&
+            }
+            else if (vectors > 1 &&
                      iov[1].iov_len % K16 + addLen <= left + limit) {
                 addLen = left;
-            } else
+            }
+            else
                 addLen = 0;
 
         } while (addLen);
@@ -3137,14 +3288,16 @@ ssl_FSync(PRFileDesc *fd)
 }
 
 static PRInt32 PR_CALLBACK
-ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) {
+ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how)
+{
     PORT_Assert(0);
     PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
     return SECFailure;
 }
 
 static PRInt64 PR_CALLBACK
-ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) {
+ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how)
+{
     PRInt64 res;
 
     PORT_Assert(0);
@@ -3226,7 +3379,6 @@ static const PRIOMethods ssl_methods = {
     NULL                  /* reserved for future use */
 };
 
-
 static PRIOMethods combined_methods;
 
 static void
@@ -3267,7 +3419,6 @@ ssl_SetupIOMethods(void)
     /*  new_methods->getsocketoption   = my_methods->getsocketoption;       */
     /*  new_methods->setsocketoption   = my_methods->setsocketoption;       */
     new_methods->sendfile = my_methods->sendfile;
-
 }
 
 static PRCallOnceType initIoLayerOnce;
@@ -3401,7 +3552,8 @@ ssl_SetDefaultsFromEnvironment(void)
             ssl_keylog_iob = fopen(ev, "a");
             if (!ssl_keylog_iob) {
                 SSL_TRACE(("SSL: failed to open key log file"));
-            } else {
+            }
+            else {
                 if (ftell(ssl_keylog_iob) == 0) {
                     fputs("# SSL/TLS secrets log file, generated by NSS\n",
                           ssl_keylog_iob);
@@ -3413,7 +3565,7 @@ ssl_SetDefaultsFromEnvironment(void)
         ev = PR_GetEnvSecure("SSLBYPASS");
         if (ev && ev[0]) {
             ssl_defaults.bypassPKCS11 = (ev[0] == '1');
-            SSL_TRACE(("SSL: bypass default set to %d", \
+            SSL_TRACE(("SSL: bypass default set to %d",
                        ssl_defaults.bypassPKCS11));
         }
 #endif /* NO_PKCS11_BYPASS */

security/nss/lib/ssl/sslt.h

@@ -56,7 +56,6 @@ typedef enum {
 #define kt_ecdh ssl_kea_ecdh
 #define kt_kea_size ssl_kea_size
 
-
 /* Values of this enum match the SignatureAlgorithm enum from
  * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
 typedef enum {
@@ -104,7 +103,8 @@ typedef enum {
     ssl_calg_aes = 7,
     ssl_calg_camellia = 8,
     ssl_calg_seed = 9,
-    ssl_calg_aes_gcm  = 10
+    ssl_calg_aes_gcm = 10,
+    ssl_calg_chacha20 = 11
 } SSLCipherAlgorithm;
 
 typedef enum {
@@ -123,6 +123,9 @@ typedef enum {
 } SSLCompressionMethod;
 
 typedef struct SSLChannelInfoStr {
+    /* |length| is obsolete. On return, SSL_GetChannelInfo sets |length| to the
+     * smaller of the |len| argument and the length of the struct. The caller
+     * may ignore |length|. */
     PRUint32 length;
     PRUint16 protocolVersion;
     PRUint16 cipherSuite;
@@ -159,7 +162,9 @@ typedef struct SSLChannelInfoStr {
 #define ssl_preinfo_all (ssl_preinfo_version | ssl_preinfo_cipher_suite)
 
 typedef struct SSLPreliminaryChannelInfoStr {
-    /* This is set to the length of the struct. */
+    /* |length| is obsolete. On return, SSL_GetPreliminaryChannelInfo sets
+     * |length| to the smaller of the |len| argument and the length of the
+     * struct. The caller may ignore |length|. */
     PRUint32 length;
     /* A bitfield over SSLPreliminaryValueSet that describes which
      * preliminary values are set (see ssl_preinfo_*). */
@@ -171,6 +176,9 @@ typedef struct SSLPreliminaryChannelInfoStr {
 } SSLPreliminaryChannelInfo;
 
 typedef struct SSLCipherSuiteInfoStr {
+    /* |length| is obsolete. On return, SSL_GetCipherSuitelInfo sets |length|
+     * to the smaller of the |len| argument and the length of the struct. The
+     * caller may ignore |length|. */
     PRUint16 length;
     PRUint16 cipherSuite;
 

security/nss/lib/ssl/ssltrace.c

@@ -33,7 +33,8 @@ static const char printable[257] = {
     "................"  /* fx */
 };
 
-void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *vp, int len)
+void
+ssl_PrintBuf(sslSocket *ss, const char *msg, const void *vp, int len)
 {
     const unsigned char *cp = (const unsigned char *)vp;
     char buf[80];
@@ -43,7 +44,8 @@ void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *vp, int len)
     if (ss) {
         SSL_TRACE(("%d: SSL[%d]: %s [Len: %d]", SSL_GETPID(), ss->fd,
                    msg, len));
-    } else {
+    }
+    else {
         SSL_TRACE(("%d: SSL: %s [Len: %d]", SSL_GETPID(), msg, len));
     }
     memset(buf, ' ', sizeof buf);
@@ -71,22 +73,24 @@ void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *vp, int len)
 
 #define LEN(cp) (((cp)[0] << 8) | ((cp)[1]))
 
-static void PrintType(sslSocket *ss, char *msg)
+static void
+PrintType(sslSocket *ss, char *msg)
 {
     if (ss) {
-	SSL_TRACE(("%d: SSL[%d]: dump-msg: %s", SSL_GETPID(), ss->fd,
-		   msg));
-    } else {
+        SSL_TRACE(("%d: SSL[%d]: dump-msg: %s", SSL_GETPID(), ss->fd, msg));
+    }
+    else {
         SSL_TRACE(("%d: SSL: dump-msg: %s", SSL_GETPID(), msg));
     }
 }
 
-static void PrintInt(sslSocket *ss, char *msg, unsigned v)
+static void
+PrintInt(sslSocket *ss, char *msg, unsigned v)
 {
     if (ss) {
-	SSL_TRACE(("%d: SSL[%d]:           %s=%u", SSL_GETPID(), ss->fd,
-		   msg, v));
-    } else {
+        SSL_TRACE(("%d: SSL[%d]:           %s=%u", SSL_GETPID(), ss->fd, msg, v));
+    }
+    else {
         SSL_TRACE(("%d: SSL:           %s=%u", SSL_GETPID(), msg, v));
     }
 }
@@ -95,7 +99,8 @@ static void PrintInt(sslSocket *ss, char *msg, unsigned v)
  * a) It prefixes each line of the buffer with "XX: SSL[xxx]           "
  * b) It dumps only hex, not ASCII.
  */
-static void PrintBuf(sslSocket *ss, char *msg, unsigned char *cp, int len)
+static void
+PrintBuf(sslSocket *ss, char *msg, unsigned char *cp, int len)
 {
     char buf[80];
     char *bp;
@@ -103,7 +108,8 @@ static void PrintBuf(sslSocket *ss, char *msg, unsigned char *cp, int len)
     if (ss) {
         SSL_TRACE(("%d: SSL[%d]:           %s [Len: %d]",
                    SSL_GETPID(), ss->fd, msg, len));
-    } else {
+    }
+    else {
         SSL_TRACE(("%d: SSL:           %s [Len: %d]",
                    SSL_GETPID(), msg, len));
     }
@@ -118,7 +124,8 @@ static void PrintBuf(sslSocket *ss, char *msg, unsigned char *cp, int len)
             if (ss) {
                 SSL_TRACE(("%d: SSL[%d]:             %s",
                            SSL_GETPID(), ss->fd, buf));
-	    } else {
+            }
+            else {
                 SSL_TRACE(("%d: SSL:             %s", SSL_GETPID(), buf));
             }
             bp = buf;
@@ -129,13 +136,15 @@ static void PrintBuf(sslSocket *ss, char *msg, unsigned char *cp, int len)
         if (ss) {
             SSL_TRACE(("%d: SSL[%d]:             %s",
                        SSL_GETPID(), ss->fd, buf));
-	} else {
+        }
+        else {
             SSL_TRACE(("%d: SSL:             %s", SSL_GETPID(), buf));
         }
     }
 }
 
-void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len)
+void
+ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len)
 {
     switch (bp[0]) {
         case SSL_MT_ERROR:
@@ -143,8 +152,7 @@ void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len)
             PrintInt(ss, "error", LEN(bp + 1));
             break;
 
-      case SSL_MT_CLIENT_HELLO:
-	{
+        case SSL_MT_CLIENT_HELLO: {
             unsigned lcs = LEN(bp + 3);
             unsigned ls = LEN(bp + 5);
             unsigned lc = LEN(bp + 7);
@@ -157,10 +165,8 @@ void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len)
             PrintBuf(ss, "cipher-specs", bp + 9, lcs);
             PrintBuf(ss, "session-id", bp + 9 + lcs, ls);
             PrintBuf(ss, "challenge", bp + 9 + lcs + ls, lc);
-	}
-	break;
-      case SSL_MT_CLIENT_MASTER_KEY:
-	{
+        } break;
+        case SSL_MT_CLIENT_MASTER_KEY: {
             unsigned lck = LEN(bp + 4);
             unsigned lek = LEN(bp + 6);
             unsigned lka = LEN(bp + 8);
@@ -173,14 +179,12 @@ void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len)
             PrintBuf(ss, "clear-key", bp + 10, lck);
             PrintBuf(ss, "encrypted-key", bp + 10 + lck, lek);
             PrintBuf(ss, "key-arg", bp + 10 + lck + lek, lka);
-	}
-	break;
+        } break;
         case SSL_MT_CLIENT_FINISHED:
             PrintType(ss, "Client-Finished");
             PrintBuf(ss, "connection-id", bp + 1, len - 1);
             break;
-      case SSL_MT_SERVER_HELLO:
-	{
+        case SSL_MT_SERVER_HELLO: {
             unsigned lc = LEN(bp + 5);
             unsigned lcs = LEN(bp + 7);
             unsigned lci = LEN(bp + 9);
@@ -194,8 +198,7 @@ void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len)
             PrintBuf(ss, "certificate", bp + 11, lc);
             PrintBuf(ss, "cipher-specs", bp + 11 + lc, lcs);
             PrintBuf(ss, "connection-id", bp + 11 + lc + lcs, lci);
-	}
-	break;
+        } break;
         case SSL_MT_SERVER_VERIFY:
             PrintType(ss, "Server-Verify");
             PrintBuf(ss, "challenge", bp + 1, len - 1);
@@ -209,16 +212,14 @@ void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len)
             PrintInt(ss, "authentication-type", bp[1]);
             PrintBuf(ss, "certificate-challenge", bp + 2, len - 2);
             break;
-      case SSL_MT_CLIENT_CERTIFICATE:
-	{
+        case SSL_MT_CLIENT_CERTIFICATE: {
             unsigned lc = LEN(bp + 2);
             unsigned lr = LEN(bp + 4);
             PrintType(ss, "Client-Certificate");
             PrintInt(ss, "certificate-type", bp[1]);
             PrintBuf(ss, "certificate", bp + 6, lc);
             PrintBuf(ss, "response", bp + 6 + lc, lr);
-	}
-	break;
+        } break;
         default:
             ssl_PrintBuf(ss, "sending *unknown* message type", bp, len);
             return;

security/nss/lib/ssl/tls13con.c

@@ -92,17 +92,20 @@ const char kServerFinishedLabel[] = "server finished";
 
 const SSL3ProtocolVersion kRecordVersion = 0x0301U;
 
-#define FATAL_ERROR(ss, prError, desc) do { \
+#define FATAL_ERROR(ss, prError, desc)                                             \
+    do {                                                                           \
         SSL_TRC(3, ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)",                 \
                     SSL_GETPID(), ss->fd, prError, __func__, __FILE__, __LINE__)); \
         tls13_FatalError(ss, prError, desc);                                       \
     } while (0)
 
-#define UNIMPLEMENTED() do { \
+#define UNIMPLEMENTED()                                                   \
+    do {                                                                  \
         SSL_TRC(3, ("%d: TLS13[%d]: unimplemented feature in %s (%s:%d)", \
                     SSL_GETPID(), ss->fd, __func__, __FILE__, __LINE__)); \
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);                         \
         PORT_Assert(0);                                                   \
+        return SECFailure;                                                \
     } while (0)
 
 void
@@ -114,7 +117,9 @@ tls13_FatalError(sslSocket *ss, PRErrorCode prError, SSL3AlertDescription desc)
 }
 
 #ifdef TRACE
-#define STATE_CASE(a) case a: return #a
+#define STATE_CASE(a) \
+    case a:           \
+        return #a
 static char *
 tls13_HandshakeState(SSL3WaitState st)
 {
@@ -141,8 +146,7 @@ tls13_HandshakeState(SSL3WaitState st)
 
 #define TLS13_BASE_WAIT_STATE(ws) (ws & ~TLS13_WAIT_STATE_MASK)
 /* We don't mask idle_handshake because other parts of the code use it*/
-#define TLS13_WAIT_STATE(ws) (ws == idle_handshake ? ws :\
-                              ws | TLS13_WAIT_STATE_MASK)
+#define TLS13_WAIT_STATE(ws) (ws == idle_handshake ? ws : ws | TLS13_WAIT_STATE_MASK)
 #define TLS13_CHECK_HS_STATE(ss, err, ...)                          \
     tls13_CheckHsState(ss, err, #err, __func__, __FILE__, __LINE__, \
                        __VA_ARGS__,                                 \
@@ -257,7 +261,8 @@ tls13_SetupClientHello(sslSocket *ss)
     return SECSuccess;
 }
 
-static SECStatus tls13_HandleECDHEKeyShare(sslSocket *ss,
+static SECStatus
+tls13_HandleECDHEKeyShare(sslSocket *ss,
                           TLS13KeyShareEntry *entry,
                           SECKEYPrivateKey *privKey,
                           SharedSecretType type)
@@ -409,7 +414,6 @@ tls13_HandleClientKeyShare(sslSocket *ss)
     return SECSuccess;
 }
 
-
 /*
  *     [draft-ietf-tls-tls13-11] Section 6.3.3.2
  *
@@ -444,7 +448,6 @@ tls13_SendCertificateRequest(sslSocket *ss)
     SSL_TRC(3, ("%d: TLS13[%d]: begin send certificate_request",
                 SSL_GETPID(), ss->fd));
 
-
     /* Fixed context value. */
     ss->ssl3.hs.certReqContext[0] = 0;
     ss->ssl3.hs.certReqContextLen = 1;
@@ -456,8 +459,8 @@ tls13_SendCertificateRequest(sslSocket *ss)
     }
 
     ssl3_GetCertificateRequestCAs(ss, &calen, &names, &nnames);
-    length = 1 + ss->ssl3.hs.certReqContextLen
-             + 2 + sigAlgsLength + 2 + calen + 2;
+    length = 1 + ss->ssl3.hs.certReqContextLen +
+             2 + sigAlgsLength + 2 + calen + 2;
 
     rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
     if (rv != SECSuccess) {
@@ -642,7 +645,8 @@ tls13_SendServerHelloSequence(sslSocket *ss)
     if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
         (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
         certIndex = kt_rsa;
-    } else {
+    }
+    else {
         certIndex = ss->ssl3.hs.kea_def->exchKeyType;
     }
     rv = ssl3_SendCertificateVerify(ss, ss->serverCerts[certIndex].SERVERKEY);
@@ -663,8 +667,8 @@ tls13_SendServerHelloSequence(sslSocket *ss)
         return rv; /* error code is set. */
     }
 
-    TLS13_SET_HS_STATE(ss, ss->opt.requestCertificate ?
-                       wait_client_cert : wait_finished);
+    TLS13_SET_HS_STATE(ss, ss->opt.requestCertificate ? wait_client_cert
+                                                      : wait_finished);
 
     return SECSuccess;
 }
@@ -744,7 +748,8 @@ tls13_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     if (ss->sec.isServer) {
         rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE,
                                   wait_client_cert);
-    } else {
+    }
+    else {
         rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE,
                                   wait_cert_request, wait_server_cert);
     }
@@ -762,7 +767,8 @@ tls13_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
                         illegal_parameter);
             return SECFailure;
         }
-    } else {
+    }
+    else {
         if (!context.len || context.len != ss->ssl3.hs.certReqContextLen ||
             (NSS_SecureMemcmp(ss->ssl3.hs.certReqContext,
                               context.data, context.len) != 0)) {
@@ -773,7 +779,6 @@ tls13_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
         context.len = 0; /* Belt and suspenders. Zero out the context. */
     }
 
-
     return ssl3_CompleteHandleCertificate(ss, b, length);
 }
 
@@ -811,25 +816,21 @@ tls13_InstallCipherSpec(sslSocket *ss, InstallCipherSpecDirection direction)
 
     /* Flush out any old stuff in the handshake buffers */
     switch (direction) {
-        case InstallCipherSpecWrite:
-            {
+        case InstallCipherSpecWrite: {
             ssl3CipherSpec *pwSpec;
             pwSpec = ss->ssl3.pwSpec;
 
             ss->ssl3.pwSpec = ss->ssl3.cwSpec;
             ss->ssl3.cwSpec = pwSpec;
             break;
-            }
-            break;
-        case InstallCipherSpecRead:
-            {
+        } break;
+        case InstallCipherSpecRead: {
             ssl3CipherSpec *prSpec;
 
             prSpec = ss->ssl3.prSpec;
             ss->ssl3.prSpec = ss->ssl3.crSpec;
             ss->ssl3.crSpec = prSpec;
-            }
-            break;
+        } break;
         default:
             PORT_Assert(0);
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
@@ -868,8 +869,8 @@ tls13_AddContextToHashes(sslSocket *ss, SSL3Hashes *hashes /* IN/OUT */,
     };
     const char *client_cert_verify_string = "TLS 1.3, client CertificateVerify";
     const char *server_cert_verify_string = "TLS 1.3, server CertificateVerify";
-    const char *context_string = (sending ^ ss->sec.isServer) ?
-            client_cert_verify_string : server_cert_verify_string;
+    const char *context_string = (sending ^ ss->sec.isServer) ? client_cert_verify_string
+                                                              : server_cert_verify_string;
     unsigned int hashlength;
 
     /* Double check that we are doing SHA-256 for the handshake hash.*/
@@ -951,7 +952,8 @@ tls13_DeriveTrafficKeys(sslSocket *ss, ssl3CipherSpec *pwSpec,
     char label[256]; /* Arbitrary buffer large enough to hold the label */
     SECStatus rv;
 
-#define FORMAT_LABEL(phase_, purpose_) do { \
+#define FORMAT_LABEL(phase_, purpose_)                                              \
+    do {                                                                            \
         PRUint32 n = PR_snprintf(label, sizeof(label), "%s, %s", phase_, purpose_); \
         /* Check for getting close. */                                              \
         if ((n + 1) >= sizeof(label)) {                                             \
@@ -988,7 +990,6 @@ tls13_DeriveTrafficKeys(sslSocket *ss, ssl3CipherSpec *pwSpec,
         }                                                       \
     } while (0)
 
-
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
@@ -1073,7 +1074,8 @@ tls13_InitCipherSpec(sslSocket *ss, TrafficKeyType type, InstallCipherSpecDirect
     /* Generic behaviors -- common to all crypto methods */
     if (!IS_DTLS(ss)) {
         pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0;
-    } else {
+    }
+    else {
         if (cwSpec->epoch == PR_UINT16_MAX) {
             /* The problem here is that we have rehandshaked too many
              * times (you are not allowed to wrap the epoch). The
@@ -1208,7 +1210,9 @@ tls13_ComputeSecrets1(sslSocket *ss)
 
 loser:
     PK11_FreeSymKey(ss->ssl3.hs.xSS);
+    ss->ssl3.hs.xSS = NULL;
     PK11_FreeSymKey(ss->ssl3.hs.xES);
+    ss->ssl3.hs.xES = NULL;
 
     if (mSS) {
         PK11_FreeSymKey(mSS);
@@ -1306,7 +1310,8 @@ tls13_AESGCM(ssl3KeyMaterial *keys,
     if (doDecrypt) {
         rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
                           maxout, in, inlen);
-    } else {
+    }
+    else {
         rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
                           maxout, in, inlen);
     }
@@ -1319,6 +1324,7 @@ static SECStatus
 tls13_HandleEncryptedExtensions(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     SECStatus rv;
+    PRInt32 innerLength;
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
@@ -1332,6 +1338,16 @@ tls13_HandleEncryptedExtensions(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
         return SECFailure;
     }
 
+    innerLength = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+    if (innerLength < 0) {
+        return SECFailure; /* Alert already sent. */
+    }
+    if (innerLength != length) {
+        FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS,
+                    illegal_parameter);
+        return SECFailure;
+    }
+
     rv = ssl3_HandleHelloExtensions(ss, &b, &length, encrypted_extensions);
     if (rv != SECSuccess) {
         return SECFailure; /* Error code set below */
@@ -1358,14 +1374,20 @@ tls13_SendEncryptedExtensions(sslSocket *ss)
     extensions_len = ssl3_CallHelloExtensionSenders(
         ss, PR_FALSE, maxBytes, &ss->xtnData.encryptedExtensionsSenders[0]);
 
-    rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions, extensions_len);
+    rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
+                                    extensions_len + 2);
+    if (rv != SECSuccess) {
+        FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
+        return SECFailure;
+    }
+    rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
     if (rv != SECSuccess) {
         FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
         return SECFailure;
     }
-
     sent_len = ssl3_CallHelloExtensionSenders(
-        ss, PR_TRUE, extensions_len, &ss->xtnData.encryptedExtensionsSenders[0]);
+        ss, PR_TRUE, extensions_len,
+        &ss->xtnData.encryptedExtensionsSenders[0]);
     PORT_Assert(sent_len == extensions_len);
     if (sent_len != extensions_len) {
         PORT_Assert(sent_len == 0);
@@ -1478,8 +1500,8 @@ tls13_ComputeFinished(sslSocket *ss, const SSL3Hashes *hashes, PRBool sending,
     CK_MECHANISM_TYPE macAlg = tls13_GetHmacMechanism(ss);
     SECItem param = { siBuffer, NULL, 0 };
     unsigned int outputLenUint;
-    PK11SymKey *secret = (ss->sec.isServer ^ sending) ?
-            ss->ssl3.hs.clientFinishedSecret : ss->ssl3.hs.serverFinishedSecret;
+    PK11SymKey *secret = (ss->sec.isServer ^ sending) ? ss->ssl3.hs.clientFinishedSecret
+                                                      : ss->ssl3.hs.serverFinishedSecret;
 
     PORT_Assert(secret);
     PRINT_BUF(90, (NULL, "Handshake hash", hashes->u.raw, hashes->len));
@@ -1563,13 +1585,15 @@ tls13_SendFinished(sslSocket *ss)
         goto alert_loser;
     }
 
-    if (!ss->sec.isServer) {
+    if (ss->sec.isServer) {
         rv = tls13_InitCipherSpec(ss, TrafficKeyApplicationData,
-                                  InstallCipherSpecBoth);
-        if (rv != SECSuccess) {
-            errCode = PR_GetError();
-            goto alert_loser;
+                                  InstallCipherSpecWrite);
+    } else {
+        rv = tls13_InstallCipherSpec(ss, InstallCipherSpecWrite);
     }
+    if (rv != SECSuccess) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
     }
 
     /* TODO(ekr@rtfm.com): Record key log */
@@ -1629,21 +1653,28 @@ tls13_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
      */
     /* TODO(ekr@rtfm.com): Send NewSession Ticket if server. */
     if (ss->sec.isServer) {
-        rv = tls13_InitCipherSpec(ss, TrafficKeyApplicationData,
-                                  InstallCipherSpecBoth);
+        rv = tls13_InstallCipherSpec(ss, InstallCipherSpecRead);
         if (rv != SECSuccess) {
             FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
             return SECFailure;
         }
 
         rv = tls13_FinishHandshake(ss);
-    } else {
+    }
+    else {
         if (ss->ssl3.hs.authCertificatePending) {
             /* TODO(ekr@rtfm.com): Handle pending auth */
             FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
             PORT_Assert(0);
             return SECFailure;
         }
+        rv = tls13_InitCipherSpec(ss, TrafficKeyApplicationData,
+                                  InstallCipherSpecRead);
+        if (rv != SECSuccess) {
+            FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
+            return SECFailure;
+        }
+
         rv = tls13_SendClientSecondRound(ss);
         if (rv != SECSuccess)
             return SECFailure; /* Error code and alerts handled below */
@@ -1708,7 +1739,8 @@ tls13_SendClientSecondRound(sslSocket *ss)
         if (rv != SECSuccess) {
             goto loser; /* error code is set. */
         }
-    } else if (sendClientCert) {
+    }
+    else if (sendClientCert) {
         rv = ssl3_SendCertificate(ss);
         if (rv != SECSuccess) {
             goto loser; /* error code is set. */
@@ -1755,77 +1787,49 @@ tls13_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     return SECSuccess;
 }
 
-
 typedef enum {
     ExtensionNotUsed,
     ExtensionClientOnly,
     ExtensionSendClear,
     ExtensionSendEncrypted,
-    ExtensionUnknown,
 } Tls13ExtensionStatus;
 
 static const struct {
     SSLExtensionType ex_value;
     Tls13ExtensionStatus status;
 } KnownExtensions[] = {
-    {
-        ssl_server_name_xtn,
-        ExtensionSendEncrypted
-    },
+    { ssl_server_name_xtn,
+      ExtensionSendEncrypted },
     {
         ssl_cert_status_xtn,
         ExtensionNotUsed /* TODO(ekr@rtfm.com): Disabled because broken
                             in TLS 1.3. */
         /* ExtensionSendEncrypted */
     },
-    {
-        ssl_elliptic_curves_xtn,
-        ExtensionSendClear
-    },
-    {
-        ssl_ec_point_formats_xtn,
-        ExtensionNotUsed
-    },
-    {
-        ssl_signature_algorithms_xtn,
-        ExtensionClientOnly
-    },
-    {
-        ssl_use_srtp_xtn,
-        ExtensionSendEncrypted
-    },
-    {
-        ssl_app_layer_protocol_xtn,
-        ExtensionSendEncrypted
-    },
-    {
-        ssl_padding_xtn,
-        ExtensionNotUsed
-    },
-    {
-        ssl_extended_master_secret_xtn,
-        ExtensionNotUsed
-    },
-    {
-        ssl_session_ticket_xtn,
-        ExtensionClientOnly
-    },
-    {
-        ssl_tls13_key_share_xtn,
-        ExtensionSendClear
-    },
-    {
-        ssl_next_proto_nego_xtn,
-        ExtensionNotUsed
-    },
-    {
-        ssl_renegotiation_info_xtn,
-        ExtensionNotUsed
-    },
-    {
-        ssl_tls13_draft_version_xtn,
-        ExtensionClientOnly
-    }
+    { ssl_elliptic_curves_xtn,
+      ExtensionSendClear },
+    { ssl_ec_point_formats_xtn,
+      ExtensionNotUsed },
+    { ssl_signature_algorithms_xtn,
+      ExtensionClientOnly },
+    { ssl_use_srtp_xtn,
+      ExtensionSendEncrypted },
+    { ssl_app_layer_protocol_xtn,
+      ExtensionSendEncrypted },
+    { ssl_padding_xtn,
+      ExtensionNotUsed },
+    { ssl_extended_master_secret_xtn,
+      ExtensionNotUsed },
+    { ssl_session_ticket_xtn,
+      ExtensionClientOnly },
+    { ssl_tls13_key_share_xtn,
+      ExtensionSendClear },
+    { ssl_next_proto_nego_xtn,
+      ExtensionNotUsed },
+    { ssl_renegotiation_info_xtn,
+      ExtensionNotUsed },
+    { ssl_tls13_draft_version_xtn,
+      ExtensionClientOnly }
 };
 
 PRBool
@@ -1838,9 +1842,13 @@ tls13_ExtensionAllowed(PRUint16 extension, SSL3HandshakeType message)
                 (message == encrypted_extensions));
 
     for (i = 0; i < PR_ARRAY_SIZE(KnownExtensions); i++) {
-        if (KnownExtensions[i].ex_value == extension) {
+        if (KnownExtensions[i].ex_value == extension)
             break;
     }
+    if (i == PR_ARRAY_SIZE(KnownExtensions)) {
+        /* We have never heard of this extension which is OK on
+         * the server but not the client. */
+        return message == client_hello;
     }
 
     switch (KnownExtensions[i].status) {
@@ -1854,8 +1862,6 @@ tls13_ExtensionAllowed(PRUint16 extension, SSL3HandshakeType message)
         case ExtensionSendEncrypted:
             return message == client_hello ||
                    message == encrypted_extensions;
-        case ExtensionUnknown:
-            return PR_TRUE;
     }
 
     PORT_Assert(0);
@@ -1911,8 +1917,7 @@ tls13_ProtectRecord(sslSocket *ss,
     SSL_TRC(3, ("%d: TLS13[%d]: protect record of length %u, seq=0x%0x%0x",
                 SSL_GETPID(), ss->fd, contentLen,
                 cwSpec->write_seq_num.high,
-                cwSpec->write_seq_num.low
-        ));
+                cwSpec->write_seq_num.low));
 
     headerLen = IS_DTLS(ss) ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
 
@@ -1928,7 +1933,8 @@ tls13_ProtectRecord(sslSocket *ss,
     if (cipher_def->calg == ssl_calg_null) {
         /* Shortcut for plaintext */
         cipherBytes = contentLen;
-    } else {
+    }
+    else {
         unsigned char aad[8];
         PORT_Assert(cipher_def->type == type_aead);
 
@@ -1966,7 +1972,8 @@ tls13_ProtectRecord(sslSocket *ss,
         (void)tls13_EncodeUintX(cwSpec->write_seq_num.high, 4, &wrBuf->buf[3]);
         (void)tls13_EncodeUintX(cwSpec->write_seq_num.low, 4, &wrBuf->buf[7]);
         (void)tls13_EncodeUintX(cipherBytes, 2, &wrBuf->buf[11]);
-    } else {
+    }
+    else {
         (void)tls13_EncodeUintX(kRecordVersion, 2, &wrBuf->buf[1]);
         (void)tls13_EncodeUintX(cipherBytes, 2, &wrBuf->buf[3]);
     }
@@ -1975,7 +1982,6 @@ tls13_ProtectRecord(sslSocket *ss,
     return SECSuccess;
 }
 
-
 /* Unprotect a TLS 1.3 record and leave the result in plaintext.
  *
  * Called by ssl3_HandleRecord. Caller must hold the spec read lock.
@@ -2006,6 +2012,13 @@ tls13_UnprotectRecord(sslSocket* ss, SSL3Ciphertext *cText, sslBuffer *plaintext
         return SECFailure;
     }
 
+    /* Verify that the content type is right, even though we overwrite it. */
+    if (cText->type != content_application_data) {
+        /* Do we need a better error here? */
+        PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+        return SECFailure;
+    }
+
     /* Check the version number in the record */
     if (cText->version != kRecordVersion) {
         /* Do we need a better error here? */
@@ -2017,7 +2030,8 @@ tls13_UnprotectRecord(sslSocket* ss, SSL3Ciphertext *cText, sslBuffer *plaintext
     PORT_Assert(cipher_def->type == type_aead);
     tls13_FormatAdditionalData(aad, sizeof(aad),
                                IS_DTLS(ss) ?
-                               cText->seq_num :
+                                           cText->seq_num
+                                           :
                                            crSpec->read_seq_num);
     rv = crSpec->aead(
         ss->sec.isServer ? &crSpec->client : &crSpec->server,

security/nss/lib/ssl/tls13hkdf.c

@@ -60,7 +60,8 @@ tls13_HkdfExtract(PK11SymKey* ikm1, PK11SymKey* ikm2, SSLHashType baseHash,
         params.pSalt = salt->data;
         params.ulSaltLen = salt->len;
         PORT_Assert(salt->len > 0);
-    } else {
+    }
+    else {
         /* Per documentation for CKM_NSS_HKDF_*:
          *
          *  If the optional salt is given, it is used; otherwise, the salt is
@@ -103,7 +104,8 @@ tls13_HkdfExpandLabel(PK11SymKey* prk, SSLHashType baseHash,
 
     if (handshakeHash) {
         PORT_Assert(handshakeHashLen == kTlsHkdfInfo[baseHash].hashSize);
-    } else {
+    }
+    else {
         PORT_Assert(!handshakeHashLen);
     }
 
@@ -169,7 +171,6 @@ abort:
     return SECFailure;
 }
 
-
 SECStatus
 tls13_HkdfExpandLabelRaw(PK11SymKey *prk, SSLHashType baseHash,
                          const PRUint8 *handshakeHash, unsigned int handshakeHashLen,

security/nss/lib/ssl/unix_err.c

@@ -30,357 +30,547 @@
 /* forward declarations. */
 void nss_MD_unix_map_default_error(int err);
 
-void nss_MD_unix_map_opendir_error(int err)
+void
+nss_MD_unix_map_opendir_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
-void nss_MD_unix_map_closedir_error(int err)
+void
+nss_MD_unix_map_closedir_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EINVAL:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EINVAL:
+            prError = PR_BAD_DESCRIPTOR_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_readdir_error(int err)
+void
+nss_MD_unix_readdir_error(int err)
 {
     PRErrorCode prError;
 
     switch (err) {
-    case ENOENT:	prError = PR_NO_MORE_FILES_ERROR; break;
+        case ENOENT:
+            prError = PR_NO_MORE_FILES_ERROR;
+            break;
 #ifdef EOVERFLOW
-    case EOVERFLOW:	prError = PR_IO_ERROR; break;
+        case EOVERFLOW:
+            prError = PR_IO_ERROR;
+            break;
 #endif
-    case EINVAL:	prError = PR_IO_ERROR; break;
-    case ENXIO:		prError = PR_IO_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EINVAL:
+            prError = PR_IO_ERROR;
+            break;
+        case ENXIO:
+            prError = PR_IO_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_unlink_error(int err)
+void
+nss_MD_unix_map_unlink_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EPERM:		prError = PR_IS_DIRECTORY_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EPERM:
+            prError = PR_IS_DIRECTORY_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_stat_error(int err)
+void
+nss_MD_unix_map_stat_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case ETIMEDOUT:
+            prError = PR_REMOTE_FILE_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_fstat_error(int err)
+void
+nss_MD_unix_map_fstat_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case ETIMEDOUT:
+            prError = PR_REMOTE_FILE_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_rename_error(int err)
+void
+nss_MD_unix_map_rename_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EEXIST:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EEXIST:
+            prError = PR_DIRECTORY_NOT_EMPTY_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_access_error(int err)
+void
+nss_MD_unix_map_access_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case ETIMEDOUT:
+            prError = PR_REMOTE_FILE_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_mkdir_error(int err)
+void
+nss_MD_unix_map_mkdir_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
-void nss_MD_unix_map_rmdir_error(int err)
+void
+nss_MD_unix_map_rmdir_error(int err)
 {
     PRErrorCode prError;
 
     switch (err) {
-    case EEXIST:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
-    case EINVAL:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EEXIST:
+            prError = PR_DIRECTORY_NOT_EMPTY_ERROR;
+            break;
+        case EINVAL:
+            prError = PR_DIRECTORY_NOT_EMPTY_ERROR;
+            break;
+        case ETIMEDOUT:
+            prError = PR_REMOTE_FILE_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_read_error(int err)
+void
+nss_MD_unix_map_read_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
-    case ENXIO:		prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EINVAL:
+            prError = PR_INVALID_METHOD_ERROR;
+            break;
+        case ENXIO:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_write_error(int err)
+void
+nss_MD_unix_map_write_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
-    case ENXIO:		prError = PR_INVALID_METHOD_ERROR; break;
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EINVAL:
+            prError = PR_INVALID_METHOD_ERROR;
+            break;
+        case ENXIO:
+            prError = PR_INVALID_METHOD_ERROR;
+            break;
+        case ETIMEDOUT:
+            prError = PR_REMOTE_FILE_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_lseek_error(int err)
+void
+nss_MD_unix_map_lseek_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
-void nss_MD_unix_map_fsync_error(int err)
+void
+nss_MD_unix_map_fsync_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case ETIMEDOUT:
+            prError = PR_REMOTE_FILE_ERROR;
+            break;
+        case EINVAL:
+            prError = PR_INVALID_METHOD_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_close_error(int err)
+void
+nss_MD_unix_map_close_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case ETIMEDOUT:
+            prError = PR_REMOTE_FILE_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_socket_error(int err)
+void
+nss_MD_unix_map_socket_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case ENOMEM:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_socketavailable_error(int err)
+void
+nss_MD_unix_map_socketavailable_error(int err)
 {
     PR_SetError(PR_BAD_DESCRIPTOR_ERROR, err);
 }
 
-void nss_MD_unix_map_recv_error(int err)
+void
+nss_MD_unix_map_recv_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
-void nss_MD_unix_map_recvfrom_error(int err)
+void
+nss_MD_unix_map_recvfrom_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
-void nss_MD_unix_map_send_error(int err)
+void
+nss_MD_unix_map_send_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
-void nss_MD_unix_map_sendto_error(int err)
+void
+nss_MD_unix_map_sendto_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
-void nss_MD_unix_map_writev_error(int err)
+void
+nss_MD_unix_map_writev_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
-void nss_MD_unix_map_accept_error(int err)
+void
+nss_MD_unix_map_accept_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case ENODEV:	prError = PR_NOT_TCP_SOCKET_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case ENODEV:
+            prError = PR_NOT_TCP_SOCKET_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_connect_error(int err)
+void
+nss_MD_unix_map_connect_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EACCES:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+        case EACCES:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
 #if defined(UNIXWARE) || defined(SNI) || defined(NEC)
         /*
          * On some platforms, if we connect to a port on the local host
          * (the loopback address) that no process is listening on, we get
          * EIO instead of ECONNREFUSED.
          */
-    case EIO:		prError = PR_CONNECT_REFUSED_ERROR; break;
+        case EIO:
+            prError = PR_CONNECT_REFUSED_ERROR;
+            break;
 #endif
-    case ELOOP:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ENOENT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ENXIO:		prError = PR_IO_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case ELOOP:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
+        case ENOENT:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
+        case ENXIO:
+            prError = PR_IO_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_bind_error(int err)
+void
+nss_MD_unix_map_bind_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EINVAL:	prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
+        case EINVAL:
+            prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR;
+            break;
             /*
              * UNIX domain sockets are not supported in NSPR
              */
-    case EIO:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case EISDIR:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ELOOP:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ENOENT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ENOTDIR:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case EROFS:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EIO:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
+        case EISDIR:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
+        case ELOOP:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
+        case ENOENT:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
+        case ENOTDIR:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
+        case EROFS:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_listen_error(int err)
+void
+nss_MD_unix_map_listen_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
-void nss_MD_unix_map_shutdown_error(int err)
+void
+nss_MD_unix_map_shutdown_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
-void nss_MD_unix_map_socketpair_error(int err)
+void
+nss_MD_unix_map_socketpair_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case ENOMEM:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_getsockname_error(int err)
+void
+nss_MD_unix_map_getsockname_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case ENOMEM:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_getpeername_error(int err)
+void
+nss_MD_unix_map_getpeername_error(int err)
 {
     PRErrorCode prError;
 
     switch (err) {
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case ENOMEM:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_getsockopt_error(int err)
+void
+nss_MD_unix_map_getsockopt_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EINVAL:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EINVAL:
+            prError = PR_BUFFER_OVERFLOW_ERROR;
+            break;
+        case ENOMEM:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_setsockopt_error(int err)
+void
+nss_MD_unix_map_setsockopt_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EINVAL:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EINVAL:
+            prError = PR_BUFFER_OVERFLOW_ERROR;
+            break;
+        case ENOMEM:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_open_error(int err)
+void
+nss_MD_unix_map_open_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case EBUSY:		prError = PR_IO_ERROR; break;
-    case ENODEV:	prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EAGAIN:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        case EBUSY:
+            prError = PR_IO_ERROR;
+            break;
+        case ENODEV:
+            prError = PR_FILE_NOT_FOUND_ERROR;
+            break;
+        case ENOMEM:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        case ETIMEDOUT:
+            prError = PR_REMOTE_FILE_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_mmap_error(int err)
+void
+nss_MD_unix_map_mmap_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case EMFILE:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case ENODEV:	prError = PR_OPERATION_NOT_SUPPORTED_ERROR; break;
-    case ENXIO:		prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EAGAIN:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        case EMFILE:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        case ENODEV:
+            prError = PR_OPERATION_NOT_SUPPORTED_ERROR;
+            break;
+        case ENXIO:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_gethostname_error(int err)
+void
+nss_MD_unix_map_gethostname_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
-void nss_MD_unix_map_select_error(int err)
+void
+nss_MD_unix_map_select_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 
 #ifdef _PR_POLL_AVAILABLE
-void nss_MD_unix_map_poll_error(int err)
+void
+nss_MD_unix_map_poll_error(int err)
 {
     PRErrorCode prError;
 
     switch (err) {
-    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EAGAIN:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_poll_revents_error(int err)
+void
+nss_MD_unix_map_poll_revents_error(int err)
 {
     if (err & POLLNVAL)
         PR_SetError(PR_BAD_DESCRIPTOR_ERROR, EBADF);
@@ -393,125 +583,255 @@ void nss_MD_unix_map_poll_revents_error(int err)
 }
 #endif /* _PR_POLL_AVAILABLE */
 
-
-void nss_MD_unix_map_flock_error(int err)
+void
+nss_MD_unix_map_flock_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EINVAL:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    case EWOULDBLOCK:	prError = PR_FILE_IS_LOCKED_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EINVAL:
+            prError = PR_BAD_DESCRIPTOR_ERROR;
+            break;
+        case EWOULDBLOCK:
+            prError = PR_FILE_IS_LOCKED_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_unix_map_lockf_error(int err)
+void
+nss_MD_unix_map_lockf_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EACCES:	prError = PR_FILE_IS_LOCKED_ERROR; break;
-    case EDEADLK:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
+        case EACCES:
+            prError = PR_FILE_IS_LOCKED_ERROR;
+            break;
+        case EDEADLK:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        default:
+            nss_MD_unix_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
 #ifdef HPUX11
-void nss_MD_hpux_map_sendfile_error(int err)
+void
+nss_MD_hpux_map_sendfile_error(int err)
 {
     nss_MD_unix_map_default_error(err);
 }
 #endif /* HPUX11 */
 
-
-void nss_MD_unix_map_default_error(int err)
+void
+nss_MD_unix_map_default_error(int err)
 {
     PRErrorCode prError;
     switch (err) {
-    case EACCES:	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case EADDRINUSE:	prError = PR_ADDRESS_IN_USE_ERROR; break;
-    case EADDRNOTAVAIL:	prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break;
-    case EAFNOSUPPORT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case EAGAIN:	prError = PR_WOULD_BLOCK_ERROR; break;
+        case EACCES:
+            prError = PR_NO_ACCESS_RIGHTS_ERROR;
+            break;
+        case EADDRINUSE:
+            prError = PR_ADDRESS_IN_USE_ERROR;
+            break;
+        case EADDRNOTAVAIL:
+            prError = PR_ADDRESS_NOT_AVAILABLE_ERROR;
+            break;
+        case EAFNOSUPPORT:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
+        case EAGAIN:
+            prError = PR_WOULD_BLOCK_ERROR;
+            break;
     /*
      * On QNX and Neutrino, EALREADY is defined as EBUSY.
      */
 #if EALREADY != EBUSY
-    case EALREADY:	prError = PR_ALREADY_INITIATED_ERROR; break;
+        case EALREADY:
+            prError = PR_ALREADY_INITIATED_ERROR;
+            break;
 #endif
-    case EBADF:		prError = PR_BAD_DESCRIPTOR_ERROR; break;
+        case EBADF:
+            prError = PR_BAD_DESCRIPTOR_ERROR;
+            break;
 #ifdef EBADMSG
-    case EBADMSG:	prError = PR_IO_ERROR; break;
+        case EBADMSG:
+            prError = PR_IO_ERROR;
+            break;
 #endif
-    case EBUSY:		prError = PR_FILESYSTEM_MOUNTED_ERROR; break;
-    case ECONNREFUSED:	prError = PR_CONNECT_REFUSED_ERROR; break;
-    case ECONNRESET:	prError = PR_CONNECT_RESET_ERROR; break;
-    case EDEADLK:	prError = PR_DEADLOCK_ERROR; break;
+        case EBUSY:
+            prError = PR_FILESYSTEM_MOUNTED_ERROR;
+            break;
+        case ECONNREFUSED:
+            prError = PR_CONNECT_REFUSED_ERROR;
+            break;
+        case ECONNRESET:
+            prError = PR_CONNECT_RESET_ERROR;
+            break;
+        case EDEADLK:
+            prError = PR_DEADLOCK_ERROR;
+            break;
 #ifdef EDIRCORRUPTED
-    case EDIRCORRUPTED:	prError = PR_DIRECTORY_CORRUPTED_ERROR; break;
+        case EDIRCORRUPTED:
+            prError = PR_DIRECTORY_CORRUPTED_ERROR;
+            break;
 #endif
 #ifdef EDQUOT
-    case EDQUOT:	prError = PR_NO_DEVICE_SPACE_ERROR; break;
+        case EDQUOT:
+            prError = PR_NO_DEVICE_SPACE_ERROR;
+            break;
 #endif
-    case EEXIST:	prError = PR_FILE_EXISTS_ERROR; break;
-    case EFAULT:	prError = PR_ACCESS_FAULT_ERROR; break;
-    case EFBIG:		prError = PR_FILE_TOO_BIG_ERROR; break;
-    case EINPROGRESS:	prError = PR_IN_PROGRESS_ERROR; break;
-    case EINTR:		prError = PR_PENDING_INTERRUPT_ERROR; break;
-    case EINVAL:	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case EIO:		prError = PR_IO_ERROR; break;
-    case EISCONN:	prError = PR_IS_CONNECTED_ERROR; break;
-    case EISDIR:	prError = PR_IS_DIRECTORY_ERROR; break;
-    case ELOOP:		prError = PR_LOOP_ERROR; break;
-    case EMFILE:	prError = PR_PROC_DESC_TABLE_FULL_ERROR; break;
-    case EMLINK:	prError = PR_MAX_DIRECTORY_ENTRIES_ERROR; break;
-    case EMSGSIZE:	prError = PR_INVALID_ARGUMENT_ERROR; break;
+        case EEXIST:
+            prError = PR_FILE_EXISTS_ERROR;
+            break;
+        case EFAULT:
+            prError = PR_ACCESS_FAULT_ERROR;
+            break;
+        case EFBIG:
+            prError = PR_FILE_TOO_BIG_ERROR;
+            break;
+        case EINPROGRESS:
+            prError = PR_IN_PROGRESS_ERROR;
+            break;
+        case EINTR:
+            prError = PR_PENDING_INTERRUPT_ERROR;
+            break;
+        case EINVAL:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        case EIO:
+            prError = PR_IO_ERROR;
+            break;
+        case EISCONN:
+            prError = PR_IS_CONNECTED_ERROR;
+            break;
+        case EISDIR:
+            prError = PR_IS_DIRECTORY_ERROR;
+            break;
+        case ELOOP:
+            prError = PR_LOOP_ERROR;
+            break;
+        case EMFILE:
+            prError = PR_PROC_DESC_TABLE_FULL_ERROR;
+            break;
+        case EMLINK:
+            prError = PR_MAX_DIRECTORY_ENTRIES_ERROR;
+            break;
+        case EMSGSIZE:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
 #ifdef EMULTIHOP
-    case EMULTIHOP:	prError = PR_REMOTE_FILE_ERROR; break;
+        case EMULTIHOP:
+            prError = PR_REMOTE_FILE_ERROR;
+            break;
 #endif
-    case ENAMETOOLONG:	prError = PR_NAME_TOO_LONG_ERROR; break;
-    case ENETUNREACH:	prError = PR_NETWORK_UNREACHABLE_ERROR; break;
-    case ENFILE:	prError = PR_SYS_DESC_TABLE_FULL_ERROR; break;
+        case ENAMETOOLONG:
+            prError = PR_NAME_TOO_LONG_ERROR;
+            break;
+        case ENETUNREACH:
+            prError = PR_NETWORK_UNREACHABLE_ERROR;
+            break;
+        case ENFILE:
+            prError = PR_SYS_DESC_TABLE_FULL_ERROR;
+            break;
 #if !defined(SCO)
-    case ENOBUFS:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+        case ENOBUFS:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
 #endif
-    case ENODEV:	prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case ENOENT:	prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case ENOLCK:	prError = PR_FILE_IS_LOCKED_ERROR; break;
+        case ENODEV:
+            prError = PR_FILE_NOT_FOUND_ERROR;
+            break;
+        case ENOENT:
+            prError = PR_FILE_NOT_FOUND_ERROR;
+            break;
+        case ENOLCK:
+            prError = PR_FILE_IS_LOCKED_ERROR;
+            break;
 #ifdef ENOLINK
-    case ENOLINK:	prError = PR_REMOTE_FILE_ERROR; break;
+        case ENOLINK:
+            prError = PR_REMOTE_FILE_ERROR;
+            break;
 #endif
-    case ENOMEM:	prError = PR_OUT_OF_MEMORY_ERROR; break;
-    case ENOPROTOOPT:	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case ENOSPC:	prError = PR_NO_DEVICE_SPACE_ERROR; break;
+        case ENOMEM:
+            prError = PR_OUT_OF_MEMORY_ERROR;
+            break;
+        case ENOPROTOOPT:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        case ENOSPC:
+            prError = PR_NO_DEVICE_SPACE_ERROR;
+            break;
 #ifdef ENOSR
-    case ENOSR:		prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+        case ENOSR:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
 #endif
-    case ENOTCONN:	prError = PR_NOT_CONNECTED_ERROR; break;
-    case ENOTDIR:	prError = PR_NOT_DIRECTORY_ERROR; break;
-    case ENOTSOCK:	prError = PR_NOT_SOCKET_ERROR; break;
-    case ENXIO:		prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case EOPNOTSUPP:	prError = PR_NOT_TCP_SOCKET_ERROR; break;
+        case ENOTCONN:
+            prError = PR_NOT_CONNECTED_ERROR;
+            break;
+        case ENOTDIR:
+            prError = PR_NOT_DIRECTORY_ERROR;
+            break;
+        case ENOTSOCK:
+            prError = PR_NOT_SOCKET_ERROR;
+            break;
+        case ENXIO:
+            prError = PR_FILE_NOT_FOUND_ERROR;
+            break;
+        case EOPNOTSUPP:
+            prError = PR_NOT_TCP_SOCKET_ERROR;
+            break;
 #ifdef EOVERFLOW
-    case EOVERFLOW:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
+        case EOVERFLOW:
+            prError = PR_BUFFER_OVERFLOW_ERROR;
+            break;
 #endif
-    case EPERM:		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case EPIPE:		prError = PR_CONNECT_RESET_ERROR; break;
+        case EPERM:
+            prError = PR_NO_ACCESS_RIGHTS_ERROR;
+            break;
+        case EPIPE:
+            prError = PR_CONNECT_RESET_ERROR;
+            break;
 #ifdef EPROTO
-    case EPROTO:	prError = PR_IO_ERROR; break;
+        case EPROTO:
+            prError = PR_IO_ERROR;
+            break;
 #endif
-    case EPROTONOSUPPORT: prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break;
-    case EPROTOTYPE:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ERANGE:	prError = PR_INVALID_METHOD_ERROR; break;
-    case EROFS:		prError = PR_READ_ONLY_FILESYSTEM_ERROR; break;
-    case ESPIPE:	prError = PR_INVALID_METHOD_ERROR; break;
-    case ETIMEDOUT:	prError = PR_IO_TIMEOUT_ERROR; break;
+        case EPROTONOSUPPORT:
+            prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR;
+            break;
+        case EPROTOTYPE:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
+        case ERANGE:
+            prError = PR_INVALID_METHOD_ERROR;
+            break;
+        case EROFS:
+            prError = PR_READ_ONLY_FILESYSTEM_ERROR;
+            break;
+        case ESPIPE:
+            prError = PR_INVALID_METHOD_ERROR;
+            break;
+        case ETIMEDOUT:
+            prError = PR_IO_TIMEOUT_ERROR;
+            break;
 #if EWOULDBLOCK != EAGAIN
-    case EWOULDBLOCK:	prError = PR_WOULD_BLOCK_ERROR; break;
+        case EWOULDBLOCK:
+            prError = PR_WOULD_BLOCK_ERROR;
+            break;
 #endif
-    case EXDEV:		prError = PR_NOT_SAME_DEVICE_ERROR; break;
+        case EXDEV:
+            prError = PR_NOT_SAME_DEVICE_ERROR;
+            break;
 
-    default:		prError = PR_UNKNOWN_ERROR; break;
+        default:
+            prError = PR_UNKNOWN_ERROR;
+            break;
     }
     PR_SetError(prError, err);
 }

security/nss/lib/ssl/win32err.c

@@ -33,79 +33,94 @@
 /* forward declaration. */
 void nss_MD_win32_map_default_error(PRInt32 err);
 
-void nss_MD_win32_map_opendir_error(PRInt32 err)
+void
+nss_MD_win32_map_opendir_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_closedir_error(PRInt32 err)
+void
+nss_MD_win32_map_closedir_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_readdir_error(PRInt32 err)
+void
+nss_MD_win32_map_readdir_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_delete_error(PRInt32 err)
+void
+nss_MD_win32_map_delete_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
 /* The error code for stat() is in errno. */
-void nss_MD_win32_map_stat_error(PRInt32 err)
+void
+nss_MD_win32_map_stat_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_fstat_error(PRInt32 err)
+void
+nss_MD_win32_map_fstat_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_rename_error(PRInt32 err)
+void
+nss_MD_win32_map_rename_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
 /* The error code for access() is in errno. */
-void nss_MD_win32_map_access_error(PRInt32 err)
+void
+nss_MD_win32_map_access_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_mkdir_error(PRInt32 err)
+void
+nss_MD_win32_map_mkdir_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_rmdir_error(PRInt32 err)
+void
+nss_MD_win32_map_rmdir_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_read_error(PRInt32 err)
+void
+nss_MD_win32_map_read_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_transmitfile_error(PRInt32 err)
+void
+nss_MD_win32_map_transmitfile_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_write_error(PRInt32 err)
+void
+nss_MD_win32_map_write_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_lseek_error(PRInt32 err)
+void
+nss_MD_win32_map_lseek_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_fsync_error(PRInt32 err)
+void
+nss_MD_win32_map_fsync_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
@@ -113,132 +128,186 @@ void nss_MD_win32_map_fsync_error(PRInt32 err)
 /*
  * For both CloseHandle() and closesocket().
  */
-void nss_MD_win32_map_close_error(PRInt32 err)
+void
+nss_MD_win32_map_close_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_socket_error(PRInt32 err)
+void
+nss_MD_win32_map_socket_error(PRInt32 err)
 {
     PR_ASSERT(err != WSANOTINITIALISED);
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_recv_error(PRInt32 err)
+void
+nss_MD_win32_map_recv_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_recvfrom_error(PRInt32 err)
+void
+nss_MD_win32_map_recvfrom_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_send_error(PRInt32 err)
+void
+nss_MD_win32_map_send_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
-    case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
+        case WSAEMSGSIZE:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        default:
+            nss_MD_win32_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_win32_map_sendto_error(PRInt32 err)
+void
+nss_MD_win32_map_sendto_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
-    case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
+        case WSAEMSGSIZE:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        default:
+            nss_MD_win32_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_win32_map_accept_error(PRInt32 err)
+void
+nss_MD_win32_map_accept_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
-    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
-    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
+        case WSAEOPNOTSUPP:
+            prError = PR_NOT_TCP_SOCKET_ERROR;
+            break;
+        case WSAEINVAL:
+            prError = PR_INVALID_STATE_ERROR;
+            break;
+        default:
+            nss_MD_win32_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_win32_map_acceptex_error(PRInt32 err)
+void
+nss_MD_win32_map_acceptex_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_connect_error(PRInt32 err)
+void
+nss_MD_win32_map_connect_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
-    case WSAEWOULDBLOCK: prError = PR_IN_PROGRESS_ERROR; break;
-    case WSAEINVAL: 	prError = PR_ALREADY_INITIATED_ERROR; break;
-    case WSAETIMEDOUT: 	prError = PR_IO_TIMEOUT_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
+        case WSAEWOULDBLOCK:
+            prError = PR_IN_PROGRESS_ERROR;
+            break;
+        case WSAEINVAL:
+            prError = PR_ALREADY_INITIATED_ERROR;
+            break;
+        case WSAETIMEDOUT:
+            prError = PR_IO_TIMEOUT_ERROR;
+            break;
+        default:
+            nss_MD_win32_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_win32_map_bind_error(PRInt32 err)
+void
+nss_MD_win32_map_bind_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
-    case WSAEINVAL: 	prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
+        case WSAEINVAL:
+            prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR;
+            break;
+        default:
+            nss_MD_win32_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_win32_map_listen_error(PRInt32 err)
+void
+nss_MD_win32_map_listen_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
-    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
-    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
+        case WSAEOPNOTSUPP:
+            prError = PR_NOT_TCP_SOCKET_ERROR;
+            break;
+        case WSAEINVAL:
+            prError = PR_INVALID_STATE_ERROR;
+            break;
+        default:
+            nss_MD_win32_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_win32_map_shutdown_error(PRInt32 err)
+void
+nss_MD_win32_map_shutdown_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_getsockname_error(PRInt32 err)
+void
+nss_MD_win32_map_getsockname_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
-    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
+        case WSAEINVAL:
+            prError = PR_INVALID_STATE_ERROR;
+            break;
+        default:
+            nss_MD_win32_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_win32_map_getpeername_error(PRInt32 err)
+void
+nss_MD_win32_map_getpeername_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_getsockopt_error(PRInt32 err)
+void
+nss_MD_win32_map_getsockopt_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_setsockopt_error(PRInt32 err)
+void
+nss_MD_win32_map_setsockopt_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_open_error(PRInt32 err)
+void
+nss_MD_win32_map_open_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-void nss_MD_win32_map_gethostname_error(PRInt32 err)
+void
+nss_MD_win32_map_gethostname_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
@@ -246,98 +315,236 @@ void nss_MD_win32_map_gethostname_error(PRInt32 err)
 /* Win32 select() only works on sockets.  So in this
 ** context, WSAENOTSOCK is equivalent to EBADF on Unix.
 */
-void nss_MD_win32_map_select_error(PRInt32 err)
+void
+nss_MD_win32_map_select_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
-    case WSAENOTSOCK:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
+        case WSAENOTSOCK:
+            prError = PR_BAD_DESCRIPTOR_ERROR;
+            break;
+        default:
+            nss_MD_win32_map_default_error(err);
+            return;
     }
     PR_SetError(prError, err);
 }
 
-void nss_MD_win32_map_lockf_error(PRInt32 err)
+void
+nss_MD_win32_map_lockf_error(PRInt32 err)
 {
     nss_MD_win32_map_default_error(err);
 }
 
-
-
-void nss_MD_win32_map_default_error(PRInt32 err)
+void
+nss_MD_win32_map_default_error(PRInt32 err)
 {
     PRErrorCode prError;
 
     switch (err) {
-    case EACCES: 		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case ENOENT: 		prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case ERROR_ACCESS_DENIED: 	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case ERROR_ALREADY_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
-    case ERROR_DISK_CORRUPT: 	prError = PR_IO_ERROR; break;
-    case ERROR_DISK_FULL: 	prError = PR_NO_DEVICE_SPACE_ERROR; break;
-    case ERROR_DISK_OPERATION_FAILED: prError = PR_IO_ERROR; break;
-    case ERROR_DRIVE_LOCKED: 	prError = PR_FILE_IS_LOCKED_ERROR; break;
-    case ERROR_FILENAME_EXCED_RANGE: prError = PR_NAME_TOO_LONG_ERROR; break;
-    case ERROR_FILE_CORRUPT: 	prError = PR_IO_ERROR; break;
-    case ERROR_FILE_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
-    case ERROR_FILE_INVALID: 	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+        case EACCES:
+            prError = PR_NO_ACCESS_RIGHTS_ERROR;
+            break;
+        case ENOENT:
+            prError = PR_FILE_NOT_FOUND_ERROR;
+            break;
+        case ERROR_ACCESS_DENIED:
+            prError = PR_NO_ACCESS_RIGHTS_ERROR;
+            break;
+        case ERROR_ALREADY_EXISTS:
+            prError = PR_FILE_EXISTS_ERROR;
+            break;
+        case ERROR_DISK_CORRUPT:
+            prError = PR_IO_ERROR;
+            break;
+        case ERROR_DISK_FULL:
+            prError = PR_NO_DEVICE_SPACE_ERROR;
+            break;
+        case ERROR_DISK_OPERATION_FAILED:
+            prError = PR_IO_ERROR;
+            break;
+        case ERROR_DRIVE_LOCKED:
+            prError = PR_FILE_IS_LOCKED_ERROR;
+            break;
+        case ERROR_FILENAME_EXCED_RANGE:
+            prError = PR_NAME_TOO_LONG_ERROR;
+            break;
+        case ERROR_FILE_CORRUPT:
+            prError = PR_IO_ERROR;
+            break;
+        case ERROR_FILE_EXISTS:
+            prError = PR_FILE_EXISTS_ERROR;
+            break;
+        case ERROR_FILE_INVALID:
+            prError = PR_BAD_DESCRIPTOR_ERROR;
+            break;
 #if ERROR_FILE_NOT_FOUND != ENOENT
-    case ERROR_FILE_NOT_FOUND: 	prError = PR_FILE_NOT_FOUND_ERROR; break;
+        case ERROR_FILE_NOT_FOUND:
+            prError = PR_FILE_NOT_FOUND_ERROR;
+            break;
 #endif
-    case ERROR_HANDLE_DISK_FULL: prError = PR_NO_DEVICE_SPACE_ERROR; break;
-    case ERROR_INVALID_ADDRESS: prError = PR_ACCESS_FAULT_ERROR; break;
-    case ERROR_INVALID_HANDLE: 	prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    case ERROR_INVALID_NAME: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case ERROR_INVALID_PARAMETER: prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case ERROR_INVALID_USER_BUFFER: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case ERROR_LOCKED:	 	prError = PR_FILE_IS_LOCKED_ERROR; break;
-    case ERROR_NETNAME_DELETED: prError = PR_CONNECT_RESET_ERROR; break;
-    case ERROR_NOACCESS: 	prError = PR_ACCESS_FAULT_ERROR; break;
-    case ERROR_NOT_ENOUGH_MEMORY: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case ERROR_NOT_ENOUGH_QUOTA: prError = PR_OUT_OF_MEMORY_ERROR; break;
-    case ERROR_NOT_READY: 	prError = PR_IO_ERROR; break;
-    case ERROR_NO_MORE_FILES: 	prError = PR_NO_MORE_FILES_ERROR; break;
-    case ERROR_OPEN_FAILED: 	prError = PR_IO_ERROR; break;
-    case ERROR_OPEN_FILES: 	prError = PR_IO_ERROR; break;
-    case ERROR_OUTOFMEMORY: 	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case ERROR_PATH_BUSY: 	prError = PR_IO_ERROR; break;
-    case ERROR_PATH_NOT_FOUND: 	prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case ERROR_SEEK_ON_DEVICE: 	prError = PR_IO_ERROR; break;
-    case ERROR_SHARING_VIOLATION: prError = PR_FILE_IS_BUSY_ERROR; break;
-    case ERROR_STACK_OVERFLOW: 	prError = PR_ACCESS_FAULT_ERROR; break;
-    case ERROR_TOO_MANY_OPEN_FILES: prError = PR_SYS_DESC_TABLE_FULL_ERROR; break;
-    case ERROR_WRITE_PROTECT: 	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case WSAEACCES: 		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case WSAEADDRINUSE: 	prError = PR_ADDRESS_IN_USE_ERROR; break;
-    case WSAEADDRNOTAVAIL: 	prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break;
-    case WSAEAFNOSUPPORT: 	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case WSAEALREADY: 		prError = PR_ALREADY_INITIATED_ERROR; break;
-    case WSAEBADF: 		prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    case WSAECONNABORTED: 	prError = PR_CONNECT_ABORTED_ERROR; break;
-    case WSAECONNREFUSED: 	prError = PR_CONNECT_REFUSED_ERROR; break;
-    case WSAECONNRESET: 	prError = PR_CONNECT_RESET_ERROR; break;
-    case WSAEDESTADDRREQ: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case WSAEFAULT: 		prError = PR_ACCESS_FAULT_ERROR; break;
-    case WSAEHOSTUNREACH: 	prError = PR_HOST_UNREACHABLE_ERROR; break;
-    case WSAEINVAL: 		prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case WSAEISCONN: 		prError = PR_IS_CONNECTED_ERROR; break;
-    case WSAEMFILE: 		prError = PR_PROC_DESC_TABLE_FULL_ERROR; break;
-    case WSAEMSGSIZE: 		prError = PR_BUFFER_OVERFLOW_ERROR; break;
-    case WSAENETDOWN: 		prError = PR_NETWORK_DOWN_ERROR; break;
-    case WSAENETRESET: 		prError = PR_CONNECT_ABORTED_ERROR; break;
-    case WSAENETUNREACH: 	prError = PR_NETWORK_UNREACHABLE_ERROR; break;
-    case WSAENOBUFS: 		prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case WSAENOPROTOOPT: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case WSAENOTCONN: 		prError = PR_NOT_CONNECTED_ERROR; break;
-    case WSAENOTSOCK: 		prError = PR_NOT_SOCKET_ERROR; break;
-    case WSAEOPNOTSUPP: 	prError = PR_OPERATION_NOT_SUPPORTED_ERROR; break;
-    case WSAEPROTONOSUPPORT: 	prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break;
-    case WSAEPROTOTYPE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case WSAESHUTDOWN: 		prError = PR_SOCKET_SHUTDOWN_ERROR; break;
-    case WSAESOCKTNOSUPPORT: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case WSAETIMEDOUT: 		prError = PR_CONNECT_ABORTED_ERROR; break;
-    case WSAEWOULDBLOCK: 	prError = PR_WOULD_BLOCK_ERROR; break;
-    default: 			prError = PR_UNKNOWN_ERROR; break;
+        case ERROR_HANDLE_DISK_FULL:
+            prError = PR_NO_DEVICE_SPACE_ERROR;
+            break;
+        case ERROR_INVALID_ADDRESS:
+            prError = PR_ACCESS_FAULT_ERROR;
+            break;
+        case ERROR_INVALID_HANDLE:
+            prError = PR_BAD_DESCRIPTOR_ERROR;
+            break;
+        case ERROR_INVALID_NAME:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        case ERROR_INVALID_PARAMETER:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        case ERROR_INVALID_USER_BUFFER:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        case ERROR_LOCKED:
+            prError = PR_FILE_IS_LOCKED_ERROR;
+            break;
+        case ERROR_NETNAME_DELETED:
+            prError = PR_CONNECT_RESET_ERROR;
+            break;
+        case ERROR_NOACCESS:
+            prError = PR_ACCESS_FAULT_ERROR;
+            break;
+        case ERROR_NOT_ENOUGH_MEMORY:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        case ERROR_NOT_ENOUGH_QUOTA:
+            prError = PR_OUT_OF_MEMORY_ERROR;
+            break;
+        case ERROR_NOT_READY:
+            prError = PR_IO_ERROR;
+            break;
+        case ERROR_NO_MORE_FILES:
+            prError = PR_NO_MORE_FILES_ERROR;
+            break;
+        case ERROR_OPEN_FAILED:
+            prError = PR_IO_ERROR;
+            break;
+        case ERROR_OPEN_FILES:
+            prError = PR_IO_ERROR;
+            break;
+        case ERROR_OUTOFMEMORY:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        case ERROR_PATH_BUSY:
+            prError = PR_IO_ERROR;
+            break;
+        case ERROR_PATH_NOT_FOUND:
+            prError = PR_FILE_NOT_FOUND_ERROR;
+            break;
+        case ERROR_SEEK_ON_DEVICE:
+            prError = PR_IO_ERROR;
+            break;
+        case ERROR_SHARING_VIOLATION:
+            prError = PR_FILE_IS_BUSY_ERROR;
+            break;
+        case ERROR_STACK_OVERFLOW:
+            prError = PR_ACCESS_FAULT_ERROR;
+            break;
+        case ERROR_TOO_MANY_OPEN_FILES:
+            prError = PR_SYS_DESC_TABLE_FULL_ERROR;
+            break;
+        case ERROR_WRITE_PROTECT:
+            prError = PR_NO_ACCESS_RIGHTS_ERROR;
+            break;
+        case WSAEACCES:
+            prError = PR_NO_ACCESS_RIGHTS_ERROR;
+            break;
+        case WSAEADDRINUSE:
+            prError = PR_ADDRESS_IN_USE_ERROR;
+            break;
+        case WSAEADDRNOTAVAIL:
+            prError = PR_ADDRESS_NOT_AVAILABLE_ERROR;
+            break;
+        case WSAEAFNOSUPPORT:
+            prError = PR_ADDRESS_NOT_SUPPORTED_ERROR;
+            break;
+        case WSAEALREADY:
+            prError = PR_ALREADY_INITIATED_ERROR;
+            break;
+        case WSAEBADF:
+            prError = PR_BAD_DESCRIPTOR_ERROR;
+            break;
+        case WSAECONNABORTED:
+            prError = PR_CONNECT_ABORTED_ERROR;
+            break;
+        case WSAECONNREFUSED:
+            prError = PR_CONNECT_REFUSED_ERROR;
+            break;
+        case WSAECONNRESET:
+            prError = PR_CONNECT_RESET_ERROR;
+            break;
+        case WSAEDESTADDRREQ:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        case WSAEFAULT:
+            prError = PR_ACCESS_FAULT_ERROR;
+            break;
+        case WSAEHOSTUNREACH:
+            prError = PR_HOST_UNREACHABLE_ERROR;
+            break;
+        case WSAEINVAL:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        case WSAEISCONN:
+            prError = PR_IS_CONNECTED_ERROR;
+            break;
+        case WSAEMFILE:
+            prError = PR_PROC_DESC_TABLE_FULL_ERROR;
+            break;
+        case WSAEMSGSIZE:
+            prError = PR_BUFFER_OVERFLOW_ERROR;
+            break;
+        case WSAENETDOWN:
+            prError = PR_NETWORK_DOWN_ERROR;
+            break;
+        case WSAENETRESET:
+            prError = PR_CONNECT_ABORTED_ERROR;
+            break;
+        case WSAENETUNREACH:
+            prError = PR_NETWORK_UNREACHABLE_ERROR;
+            break;
+        case WSAENOBUFS:
+            prError = PR_INSUFFICIENT_RESOURCES_ERROR;
+            break;
+        case WSAENOPROTOOPT:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        case WSAENOTCONN:
+            prError = PR_NOT_CONNECTED_ERROR;
+            break;
+        case WSAENOTSOCK:
+            prError = PR_NOT_SOCKET_ERROR;
+            break;
+        case WSAEOPNOTSUPP:
+            prError = PR_OPERATION_NOT_SUPPORTED_ERROR;
+            break;
+        case WSAEPROTONOSUPPORT:
+            prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR;
+            break;
+        case WSAEPROTOTYPE:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        case WSAESHUTDOWN:
+            prError = PR_SOCKET_SHUTDOWN_ERROR;
+            break;
+        case WSAESOCKTNOSUPPORT:
+            prError = PR_INVALID_ARGUMENT_ERROR;
+            break;
+        case WSAETIMEDOUT:
+            prError = PR_CONNECT_ABORTED_ERROR;
+            break;
+        case WSAEWOULDBLOCK:
+            prError = PR_WOULD_BLOCK_ERROR;
+            break;
+        default:
+            prError = PR_UNKNOWN_ERROR;
+            break;
     }
     PR_SetError(prError, err);
 }
-

security/nss/lib/util/pkcs11n.h

@@ -51,6 +51,8 @@
 #define CKK_NSS_JPAKE_ROUND1       (CKK_NSS + 2)
 #define CKK_NSS_JPAKE_ROUND2       (CKK_NSS + 3)
 
+#define CKK_NSS_CHACHA20           (CKK_NSS + 4)
+
 /*
  * NSS-defined certificate types
  *
@@ -218,6 +220,9 @@
 #define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE    (CKM_NSS + 25)
 #define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH (CKM_NSS + 26)
 
+#define CKM_NSS_CHACHA20_KEY_GEN                (CKM_NSS + 27)
+#define CKM_NSS_CHACHA20_POLY1305               (CKM_NSS + 28)
+
 /*
  * HISTORICAL:
  * Do not attempt to use these. They are only used by NETSCAPE's internal
@@ -285,6 +290,14 @@ typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS {
     CK_ULONG ulHeaderLen;       /* in */
 } CK_NSS_MAC_CONSTANT_TIME_PARAMS;
 
+typedef struct CK_NSS_AEAD_PARAMS {
+    CK_BYTE_PTR  pNonce;
+    CK_ULONG     ulNonceLen;
+    CK_BYTE_PTR  pAAD;
+    CK_ULONG     ulAADLen;
+    CK_ULONG     ulTagLen;
+} CK_NSS_AEAD_PARAMS;
+
 /*
  * NSS-defined return values
  *

security/nss/lib/util/secasn1d.c

@@ -14,6 +14,8 @@
 #define PR_Assert sec_asn1d_Assert
 #endif
 
+#include <limits.h>
+
 #include "secasn1.h"
 #include "secerr.h"
 
@@ -1593,6 +1595,7 @@ sec_asn1d_parse_leaf (sec_asn1d_state *state,
 
     item = (SECItem *)(state->dest);
     if (item != NULL && item->data != NULL) {
+	unsigned long offset;
 	/* Strip leading zeroes when target is unsigned integer */
 	if (state->underlying_kind == SEC_ASN1_INTEGER && /* INTEGER   */
 	    item->len == 0 &&                             /* MSB       */
@@ -1603,9 +1606,43 @@ sec_asn1d_parse_leaf (sec_asn1d_state *state,
 		len--;
 	    }
 	}
-	PORT_Memcpy (item->data + item->len, buf, len);
+        offset = item->len;
+        if (state->underlying_kind == SEC_ASN1_BIT_STRING) {
+            // The previous bit string must have no unused bits.
+            if (item->len & 0x7) {
+                PORT_SetError (SEC_ERROR_BAD_DER);
+                state->top->status = decodeError;
+                return 0;
+            }
+            // If this is a bit string, the length is bits, not bytes.
+            offset = item->len >> 3;
+        }
+        if (state->underlying_kind == SEC_ASN1_BIT_STRING) {
+            unsigned long len_in_bits;
+            // Protect against overflow during the bytes-to-bits conversion.
+            if (len >= (ULONG_MAX >> 3) + 1) {
+                PORT_SetError (SEC_ERROR_BAD_DER);
+                state->top->status = decodeError;
+                return 0;
+            }
+            len_in_bits = (len << 3) - state->bit_string_unused_bits;
+            // Protect against overflow when computing the total length in bits.
+            if (UINT_MAX - item->len < len_in_bits) {
+                PORT_SetError (SEC_ERROR_BAD_DER);
+                state->top->status = decodeError;
+                return 0;
+            }
+            item->len += len_in_bits;
+        } else {
+            if (UINT_MAX - item->len < len) {
+                PORT_SetError (SEC_ERROR_BAD_DER);
+                state->top->status = decodeError;
+                return 0;
+            }
             item->len += len;
         }
+        PORT_Memcpy (item->data + offset, buf, len);
+    }
     state->pending -= bufLen;
     if (state->pending == 0)
 	state->place = beforeEndOfContents;
@@ -1671,14 +1708,6 @@ sec_asn1d_parse_more_bit_string (sec_asn1d_state *state,
     }
 
     len = sec_asn1d_parse_leaf (state, buf, len);
-    if (state->place == beforeEndOfContents && state->dest != NULL) {
-	SECItem *item;
-
-	item = (SECItem *)(state->dest);
-	if (item->len)
-	    item->len = (item->len << 3) - state->bit_string_unused_bits;
-    }
-
     return len;
 }
 
@@ -2208,7 +2237,7 @@ sec_asn1d_concat_substrings (sec_asn1d_state *state)
 	     * All bit-string substrings except the last one should be
 	     * a clean multiple of 8 bits.
 	     */
-	    if (is_bit_string && (substring->next == NULL)
+	    if (is_bit_string && (substring->next != NULL)
 			      && (substring->len & 0x7)) {
 		PORT_SetError (SEC_ERROR_BAD_DER);
 		state->top->status = decodeError;

security/nss/lib/util/secoid.c

@@ -1652,7 +1652,6 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
     OD( x520Name, SEC_OID_AVA_NAME,
     	"X520 Name",    CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
 
-
     OD( aes128_GCM, SEC_OID_AES_128_GCM,
 	"AES-128-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION ),
     OD( aes192_GCM, SEC_OID_AES_192_GCM,
@@ -1710,6 +1709,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
 	"TLS DH-ANON-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
     ODE( SEC_OID_APPLY_SSL_POLICY,
 	"Apply SSL policy (pseudo-OID)", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    ODE( SEC_OID_CHACHA20_POLY1305,
+	"ChaCha20-Poly1305", CKM_NSS_CHACHA20_POLY1305, INVALID_CERT_EXTENSION ),
 
 };
 

security/nss/lib/util/secoidt.h

@@ -479,6 +479,8 @@ typedef enum {
     SEC_OID_TLS_DH_ANON_EXPORT         = 344,
     SEC_OID_APPLY_SSL_POLICY           = 345,
 
+    SEC_OID_CHACHA20_POLY1305          = 346,
+
     SEC_OID_TOTAL
 } SECOidTag;
 

security/nss/lib/util/utf8.c

@@ -321,8 +321,8 @@ sec_port_ucs2_utf8_conversion_function
     for( i = 0; i < inBufLen; i += 2 ) {
       if( (inBuf[i+H_0] == 0x00) && ((inBuf[i+H_1] & 0x80) == 0x00) ) len += 1;
       else if( inBuf[i+H_0] < 0x08 ) len += 2;
-      else if( ((inBuf[i+0+H_0] & 0xDC) == 0xD8) ) {
-        if( ((inBufLen - i) > 2) && ((inBuf[i+2+H_0] & 0xDC) == 0xDC) ) {
+      else if( ((inBuf[i+0+H_0] & 0xFC) == 0xD8) ) {
+        if( ((inBufLen - i) > 2) && ((inBuf[i+2+H_0] & 0xFC) == 0xDC) ) {
           i += 2;
           len += 4;
         } else {
@@ -356,10 +356,10 @@ sec_port_ucs2_utf8_conversion_function
         outBuf[len+1] = 0x80 | ((inBuf[i+H_1] & 0x3F) >> 0);
 
         len += 2;
-      } else if( (inBuf[i+H_0] & 0xDC) == 0xD8 ) {
+      } else if( (inBuf[i+H_0] & 0xFC) == 0xD8 ) {
         int abcde, BCDE;
 
-        PORT_Assert(((inBufLen - i) > 2) && ((inBuf[i+2+H_0] & 0xDC) == 0xDC) );
+        PORT_Assert(((inBufLen - i) > 2) && ((inBuf[i+2+H_0] & 0xFC) == 0xDC) );
 
         /* D800-DBFF DC00-DFFF -> 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
         /* 110110BC DEfghijk 110111lm nopqrstu ->
@@ -852,6 +852,7 @@ struct ucs2 ucs2[] = {
   { 0x9000, "\xE9\x80\x80" },
   { 0xA000, "\xEA\x80\x80" },
   { 0xC000, "\xEC\x80\x80" },
+  { 0xFB01, "\xEF\xAC\x81" },
   { 0xFFFF, "\xEF\xBF\xBF" }
 
 };
@@ -1161,6 +1162,8 @@ uint16_t utf16_bad[][3] = {
   { 0xD800, 0xfe, 0 },
   { 0xD800, 0x3bb, 0 },
   { 0xD800, 0xD800, 0 },
+  { 0xD800, 0xFEFF, 0 },
+  { 0xD800, 0xFFFD, 0 },
 };
 
 static void

security/nss/tests/cipher/cipher.txt

@@ -31,6 +31,8 @@
 	0	seed_ecb_-D	SEED_ECB_Decrypt
 	0	seed_cbc_-E	SEED_CBC_Encrypt
 	0	seed_cbc_-D	SEED_CBC_Decrypt
+	0	chacha20_poly1305_-E ChaCha20_Poly1305_Encrypt
+	0	chacha20_poly1305_-D ChaCha20_Poly1305_Decrypt
 	0	rc2_ecb_-E	RC2_ECB_Encrypt
 	0	rc2_ecb_-D	RC2_ECB_Decrypt
 	0	rc2_cbc_-E	RC2_CBC_Encrypt

security/nss/tests/ssl/ssl.sh

@@ -85,12 +85,14 @@ ssl_init()
 
   if [ -z "$NSS_DISABLE_ECC" ] ; then
       ECC_STRING=" - with ECC"
+      # List of cipher suites to test, including ECC cipher suites.
+      CIPHER_SUITES="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:CCA8:CCA9:CCAA:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
   else
       ECC_STRING=""
+      # List of cipher suites to test, excluding ECC cipher suites.
+      CIPHER_SUITES="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2:CCAAcdefgijklmnvyz"
   fi
 
-  CSHORT="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
-  CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
 
   if [ "${OS_ARCH}" != "WINNT" ]; then
       ulimit -n 1000 # make sure we have enough file descriptors
@@ -260,11 +262,7 @@ ssl_cov()
   html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
 
   testname=""
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
-      sparam="$CLONG"
-  else
-      sparam="$CSHORT"
-  fi
+  sparam="$CIPHER_SUITES"
 
   mixed=0
   start_selfserv # Launch the server
@@ -731,11 +729,7 @@ ssl_policy()
   html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
 
   testname=""
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
-      sparam="$CLONG"
-  else
-      sparam="$CSHORT"
-  fi
+  sparam="$CIPHER_SUITES"
 
   if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
       return;

security/nss/tests/ssl/sslcov.txt

@@ -101,6 +101,7 @@
   noECC  TLS12 :009C  TLS12_RSA_WITH_AES_128_GCM_SHA256
   noECC  TLS12 :009E  TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
   noECC  TLS12 :00A2  TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256
+  noECC  TLS12 :CCAA  TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 #
 # ECC ciphers (TLS)
 #
@@ -170,3 +171,5 @@
    ECC   TLS12  :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    ECC   TLS12  :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    ECC   TLS12  :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+   ECC   TLS12  :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+   ECC   TLS12  :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256