1diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
2--- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:06:41.659713513 -0800
3+++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:07:10.270188062 -0800
4@@ -40,6 +40,21 @@
5 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
6 #endif
7 
8+/* This is a bodge to allow this code to be compiled against older NSS
9+ * headers. */
10+#ifndef CKM_NSS_CHACHA20_POLY1305
11+#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26)
12+
13+typedef struct CK_NSS_AEAD_PARAMS {
14+ CK_BYTE_PTR pIv; /* This is the nonce. */
15+ CK_ULONG ulIvLen;
16+ CK_BYTE_PTR pAAD;
17+ CK_ULONG ulAADLen;
18+ CK_ULONG ulTagLen;
19+} CK_NSS_AEAD_PARAMS;
20+
21+#endif
22+
23 #include <stdio.h>
24 #ifdef NSS_ENABLE_ZLIB
25 #include "zlib.h"
26@@ -104,6 +119,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
27 /* cipher_suite policy enabled isPresent */
28 
29 #ifdef NSS_ENABLE_ECC
30+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
31+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
32 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
33 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
34 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
35@@ -292,6 +309,7 @@ static const ssl3BulkCipherDef bulk_ciph
36 {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0},
37 {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0},
38 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8},
39+ {cipher_chacha20, calg_chacha20, 32,32, type_aead, 0, 0,16, 0},
40 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
41 };
42 
43@@ -418,6 +436,8 @@ static const ssl3CipherSuiteDef cipher_s
44 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
45 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
46 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead,
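Review bot: The compatibility typedef `CK_NSS_AEAD_PARAMS` (lines 13-19) has to stay byte-for-byte identical to the layout the linked softoken expects, because the struct is handed to the token as an opaque parameter blob (see the `param.data = (unsigned char *) &aeadParams` usage later in this file); a layout mismatch would be misread silently rather than rejected. The `#ifndef` guard keys only on the mechanism constant, so a header that defines the struct without the constant would produce a redefinition error, and one that defines the constant with a different value would quietly win. A comment naming what this mirrors would make the maintenance rule explicit, e.g. `/* Mirrors the definitions in pkcs11n.h; must match the softoken this build links against. */` above line 10.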
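Review bot: The new `bulk_cipher_defs` row at line 39 carries 0 in what appear to be the IV-size and explicit-nonce-size columns, where the AES-GCM row above it has 4 and 8, and nothing explains the difference. This is presumably because `ssl3_ChaCha20Poly1305` later in this patch takes its 8-byte nonce from the record's additional data rather than from key-block IV material or an on-the-wire nonce, but a reader of this table cannot tell that. A trailing comment such as `/* no key-block IV, no explicit nonce: the 8-byte nonce is taken from the AAD in ssl3_ChaCha20Poly1305 */` would document the dependency between the two hunks.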
kea_ecdhe_ecdsa},
47+ {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_rsa},
48+ {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa},
49 
50 #ifdef NSS_ENABLE_ECC
51 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
52@@ -483,6 +503,7 @@ static const SSLCipher2Mech alg2Mech[] =
53 { calg_camellia , CKM_CAMELLIA_CBC },
54 { calg_seed , CKM_SEED_CBC },
55 { calg_aes_gcm , CKM_AES_GCM },
56+ { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305 },
57 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
58 };
59 
60@@ -647,6 +668,8 @@ ssl3_CipherSuiteAllowedForVersionRange(
61 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented
62 */
63 return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
64+ case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
65+ case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
66 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
67 case TLS_RSA_WITH_AES_256_CBC_SHA256:
68 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
69@@ -2043,6 +2066,46 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
70 }
71 #endif
72 
73+static SECStatus
74+ssl3_ChaCha20Poly1305(
75+ ssl3KeyMaterial *keys,
76+ PRBool doDecrypt,
77+ unsigned char *out,
78+ int *outlen,
79+ int maxout,
80+ const unsigned char *in,
81+ int inlen,
82+ const unsigned char *additionalData,
83+ int additionalDataLen)
84+{
85+ SECItem param;
86+ SECStatus rv = SECFailure;
87+ unsigned int uOutLen;
88+ CK_NSS_AEAD_PARAMS aeadParams;
89+ static const int tagSize = 16;
90+
91+ param.type = siBuffer;
92+ param.len = sizeof(aeadParams);
93+ param.data = (unsigned char *) &aeadParams;
94+ memset(&aeadParams, 0, sizeof(aeadParams));
95+ aeadParams.pIv = (unsigned char *) additionalData;
96+ aeadParams.ulIvLen = 8;
97+ aeadParams.pAAD = (unsigned char *) additionalData;
98+ aeadParams.ulAADLen = additionalDataLen;
99+ aeadParams.ulTagLen = tagSize;
100+
101+ if (doDecrypt) {
102+ rv = pk11_decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m,
103+ out, &uOutLen, maxout, in, inlen);
104+ } else {
105+ rv = pk11_encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m,
106+ out, &uOutLen, maxout, in, inlen);
107+ }
108+ *outlen = (int) uOutLen;
109+
110+ return rv;
111+}
112+
113 /* Initialize encryption and MAC contexts for pending spec.
114 * Master Secret already is derived.
115 * Caller holds Spec write lock.
116@@ -2076,13 +2139,17 @@ ssl3_InitPendingContextsPKCS11(sslSocket
117 pwSpec->client.write_mac_context = NULL;
118 pwSpec->server.write_mac_context = NULL;
119 
120- if (calg == calg_aes_gcm) {
121+ if (calg == calg_aes_gcm || calg == calg_chacha20) {
122 pwSpec->encode = NULL;
123 pwSpec->decode = NULL;
124 pwSpec->destroy = NULL;
125 pwSpec->encodeContext = NULL;
126 pwSpec->decodeContext = NULL;
127- pwSpec->aead = ssl3_AESGCM;
128+ if (calg == calg_aes_gcm) {
129+ pwSpec->aead = ssl3_AESGCM;
130+ } else {
131+ pwSpec->aead = ssl3_ChaCha20Poly1305;
132+ }
133 return SECSuccess;
134 }
135 
136diff -pu a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c
137--- a/nss/lib/ssl/ssl3ecc.c 2014-01-17 18:04:43.127747463 -0800
138+++ b/nss/lib/ssl/ssl3ecc.c 2014-01-17 18:07:10.270188062 -0800
139@@ -904,6 +904,7 @@ static const ssl3CipherSuite ecdhe_ecdsa
140 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
141 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
142 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
143+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
144 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
145 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
146 0 /* end of list marker */
147@@ -915,6 +916,7 @@ static const ssl3CipherSuite ecdhe_rsa_s
148 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
149 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
150 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
151+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
152 TLS_ECDHE_RSA_WITH_NULL_SHA,
153 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
154 0 /* end of list marker */
155@@ -927,6 +929,7 @@ static const ssl3CipherSuite ecSuites[]
156 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
157 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
158 
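Review bot: `uOutLen` (line 87) is never initialized, so `*outlen = (int) uOutLen;` at line 108 can publish an indeterminate value whenever `pk11_decrypt`/`pk11_encrypt` returns `SECFailure` without storing an output length; declare it `unsigned int uOutLen = 0;` so callers that read `*outlen` on failure see zero. The nonce is the first 8 bytes of `additionalData` (lines 95-96) but nothing checks that `additionalDataLen` is at least 8, which this code relies on the caller for; `PORT_Assert(additionalDataLen >= 8);` before line 95 makes the precondition explicit. The function also deserves a header comment recording the construction it implements — the 8-byte AAD prefix (presumably the record sequence number) is used directly as the nonce with no per-connection IV mixed in, unlike the AES-GCM table entry that carries a 4-byte IV and 8-byte explicit nonce — since that is exactly what a later nonce-format change would have to revisit. The `¶m` on lines 102 and 105 reads as `&param` mangled by this page's encoding rather than a defect in the patch.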
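Review bot: The AEAD selection at lines 121 and 128-132 tests `calg` twice — once to enter the AEAD branch and again to pick the function — so every further AEAD cipher has to be added in two places in the same block. A `switch (calg)` with one `case` per AEAD algorithm setting `pwSpec->aead` and a `default:` falling through to the non-AEAD setup below would keep the list in one place, or the function pointer could live in the cipher table alongside `type_aead`. The enclosing function's body starts before this hunk and continues past it; where `calg` is assigned is not visible here.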
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
159+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
160 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
161 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
162 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
163@@ -934,6 +937,7 @@ static const ssl3CipherSuite ecSuites[]
164 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
165 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
166 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
167+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
168 TLS_ECDHE_RSA_WITH_NULL_SHA,
169 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
170 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
171diff -pu a/nss/lib/ssl/sslenum.c b/nss/lib/ssl/sslenum.c
172--- a/nss/lib/ssl/sslenum.c 2014-01-17 17:49:26.072517368 -0800
173+++ b/nss/lib/ssl/sslenum.c 2014-01-17 18:08:43.791739267 -0800
174@@ -37,17 +37,21 @@
175 *
176 * Exception: Because some servers ignore the high-order byte of the cipher
177 * suite ID, we must be careful about adding cipher suites with IDs larger
178- * than 0x00ff; see bug 946147. For these broken servers, the first four cipher
179+ * than 0x00ff; see bug 946147. For these broken servers, the first six cipher
180 * suites, with the MSB zeroed, look like:
181+ * TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA { 0x00,0x14 }
182+ * TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }
183 * TLS_KRB5_EXPORT_WITH_RC4_40_MD5 { 0x00,0x2B }
184 * TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }
185 * TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
186 * TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
187- * The broken server only supports the third and fourth ones and will select
188- * the third one.
189+ * The broken server only supports the fifth and sixth ones and will select
190+ * the fifth one.
191 */
192 const PRUint16 SSL_ImplementedCiphers[] = {
193 #ifdef NSS_ENABLE_ECC
194+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
195+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
196 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
197 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
198 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
199diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
200--- a/nss/lib/ssl/sslimpl.h 2014-01-17 18:03:47.906831535 -0800
201+++ b/nss/lib/ssl/sslimpl.h 2014-01-17 18:07:10.270188062 -0800
202@@ -65,6 +65,7 @@ typedef SSLSignType SSL3SignType;
203 #define calg_camellia ssl_calg_camellia
204 #define calg_seed ssl_calg_seed
205 #define calg_aes_gcm ssl_calg_aes_gcm
206+#define calg_chacha20 ssl_calg_chacha20
207 
208 #define mac_null ssl_mac_null
209 #define mac_md5 ssl_mac_md5
210@@ -299,7 +300,7 @@ typedef struct {
211 } ssl3CipherSuiteCfg;
212 
213 #ifdef NSS_ENABLE_ECC
214-#define ssl_V3_SUITES_IMPLEMENTED 61
215+#define ssl_V3_SUITES_IMPLEMENTED 63
216 #else
217 #define ssl_V3_SUITES_IMPLEMENTED 37
218 #endif /* NSS_ENABLE_ECC */
219@@ -483,6 +484,7 @@ typedef enum {
220 cipher_camellia_256,
221 cipher_seed,
222 cipher_aes_128_gcm,
223+ cipher_chacha20,
224 cipher_missing /* reserved for no such supported cipher */
225 /* This enum must match ssl3_cipherName[] in ssl3con.c. */
226 } SSL3BulkCipher;
227diff -pu a/nss/lib/ssl/sslinfo.c b/nss/lib/ssl/sslinfo.c
228--- a/nss/lib/ssl/sslinfo.c 2014-01-17 18:00:45.503806125 -0800
229+++ b/nss/lib/ssl/sslinfo.c 2014-01-17 18:07:10.270188062 -0800
230@@ -110,6 +110,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh
231 #define C_NULL "NULL", calg_null
232 #define C_SJ "SKIPJACK", calg_sj
233 #define C_AESGCM "AES-GCM", calg_aes_gcm
234+#define C_CHACHA20 "CHACHA20POLY1305", calg_chacha20
235 
236 #define B_256 256, 256, 256
237 #define B_128 128, 128, 128
238@@ -188,12 +189,14 @@ static const SSLCipherSuiteInfo suiteInf
239 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
240 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
241 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
242+{0,CS(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305),S_ECDSA,K_ECDHE,C_CHACHA20,B_256,M_AEAD_128,0, 0, 0, },
243 
244 {0,CS(TLS_ECDH_RSA_WITH_NULL_SHA), S_RSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
245 {0,CS(TLS_ECDH_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
246 {0,CS(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
247 {0,CS(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDH, C_AES, B_128, M_SHA, 1, 0, 0, },
248 {0,CS(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDH, C_AES, B_256, M_SHA, 1, 0, 0, },
249+{0,CS(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305), S_RSA,K_ECDHE,C_CHACHA20,B_256,M_AEAD_128, 0, 0, 0, },
250 
251 {0,CS(TLS_ECDHE_RSA_WITH_NULL_SHA), S_RSA, K_ECDHE, C_NULL, B_0, M_SHA, 0, 0, 0, },
252 {0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
253diff -pu a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
254--- a/nss/lib/ssl/sslproto.h 2014-01-17 17:49:26.072517368 -0800
255+++ b/nss/lib/ssl/sslproto.h 2014-01-17 18:07:10.270188062 -0800
256@@ -213,6 +213,9 @@
257 #define
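Review bot: `cipher_chacha20` is appended to `SSL3BulkCipher` at line 223, but the comment at line 225 says this enum must match `ssl3_cipherName[]` in ssl3con.c, and none of this patch's ssl3con.c hunks add a corresponding name. Unless that array is updated outside the shown hunks, any lookup of `ssl3_cipherName[cipher_chacha20]` lands on whatever follows the AES-GCM entry — the `cipher_missing` name or one past the table, depending on how the array is terminated. Add the `"ChaCha20"` entry in ssl3con.c in the same position, and consider pinning the two together with `PR_STATIC_ASSERT(PR_ARRAY_SIZE(ssl3_cipherName) == cipher_missing + 1)` (adjusted to the table's actual length) so the next addition cannot drift.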
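Review bot: The new `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305` row at line 249 sits at the end of the `TLS_ECDH_RSA_*` (static ECDH) group rather than with the `TLS_ECDHE_RSA_*` rows that start at line 251, while the ECDSA row at line 242 is placed with its ECDHE_ECDSA siblings; move line 249 to follow the ECDHE_RSA rows so the table stays grouped by key exchange, which is how `K_ECDH`/`K_ECDHE` mistakes are caught by eye. Both new rows also drop the column spacing the neighbouring rows use, which makes per-column review of `B_256`, `M_AEAD_128` and the trailing flags harder; reformat them to the surrounding alignment.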
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
258 #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
259 
260+#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 0xCC13
261+#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 0xCC14
262+
263 /* Netscape "experimental" cipher suites. */
264 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
265 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
266diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
267--- a/nss/lib/ssl/sslt.h 2014-01-17 18:03:47.906831535 -0800
268+++ b/nss/lib/ssl/sslt.h 2014-01-17 18:07:10.270188062 -0800
269@@ -94,7 +94,8 @@ typedef enum {
270 ssl_calg_aes = 7,
271 ssl_calg_camellia = 8,
272 ssl_calg_seed = 9,
273- ssl_calg_aes_gcm = 10
274+ ssl_calg_aes_gcm = 10,
275+ ssl_calg_chacha20 = 11
276 } SSLCipherAlgorithm;
277 
278 typedef enum {
279
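Review bot: The codepoints `0xCC13`/`0xCC14` at lines 260-261 are the pre-standard draft assignments for these suites, not IANA-registered values, and nothing in the header says so; a peer that implements a later revision of the draft or the eventual RFC (RFC 7905 registered different codepoints for ChaCha20-Poly1305) will simply not negotiate them. Add `/* Draft codepoints (draft-agl-tls-chacha20poly1305); not IANA-assigned and may change. */` above line 260 so nobody bakes these values into configuration or interop expectations, and so the eventual renumbering is an expected step rather than a surprise.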